feature(79894): add dependabot configuration and pinact step in ci.yml

bogdandina · bogdandina · commit a203e055d5a2 · 2026-05-19T22:15:26.000+03:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+
+version: 2
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,6 +10,19 @@ on:
       - main
 
 jobs:
+  check-pinned-actions:
+    name: Check actions are SHA-pinned
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Check actions are SHA-pinned
+        uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
+        with:
+          skip_push: "true"
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+
   test-scripts:
     name: Test Python scripts
     runs-on: ubuntu-latest
