Hash pin workflows and config dependabot (#5412)
* Step Security: hash pin and dependabot
Signed-off-by: Joyce Brum <joycebrum@google.com>
* add license to dependabot.yml
Signed-off-by: Joyce <joycebrum@google.com>
---------
Signed-off-by: Joyce Brum <joycebrum@google.com>
Signed-off-by: Joyce <joycebrum@google.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..dca857a
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,25 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ open-pull-requests-limit: 3
diff --git a/.github/workflows/autoroll.yml b/.github/workflows/autoroll.yml
index e5a7ee0..ab38975 100644
--- a/.github/workflows/autoroll.yml
+++ b/.github/workflows/autoroll.yml
@@ -16,7 +16,7 @@
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
# Checkout the depot tools they are needed by roll_deps.sh
- name: Checkout depot tools
diff --git a/.github/workflows/bazel.yml b/.github/workflows/bazel.yml
index 5c35371..7ab0f0e 100644
--- a/.github/workflows/bazel.yml
+++ b/.github/workflows/bazel.yml
@@ -18,13 +18,13 @@
runs-on: ${{matrix.os}}
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
fetch-depth: '0'
- name: Download dependencies
run: python3 utils/git-sync-deps
- name: Mount Bazel cache
- uses: actions/cache@v3
+ uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
path: ~/.bazel/cache
key: bazel-cache-${{ runner.os }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ada9431..ac8bade 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,7 +12,7 @@
prepare-release-job:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Prepare CHANGELOG for version
run: |
python utils/generate_changelog.py CHANGES "${{ github.ref_name }}" VERSION_CHANGELOG
diff --git a/.github/workflows/wasm.yml b/.github/workflows/wasm.yml
index 62c9af3..f031e6c 100644
--- a/.github/workflows/wasm.yml
+++ b/.github/workflows/wasm.yml
@@ -9,7 +9,7 @@
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
fetch-depth: '0'
- name: Build web