From 0e24aec424630547a02b24e82f30965e638a0f33 Mon Sep 17 00:00:00 2001 From: Allen Byrd <125306425+allenfbyrd@users.noreply.github.com> Date: Mon, 22 Jun 2026 14:59:59 -0400 Subject: [PATCH] ci: pin GitHub Actions to commit SHAs + add Dependabot Pin actions to immutable commit SHAs (with # vX comments) to defend against mutable-tag supply-chain attacks; add/extend a github-actions Dependabot config so the pins still receive reviewed update PRs. --- .github/dependabot.yml | 6 ++++++ .github/workflows/pester.yml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..5ace460 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/.github/workflows/pester.yml b/.github/workflows/pester.yml index 31f0038..26580fe 100644 --- a/.github/workflows/pester.yml +++ b/.github/workflows/pester.yml @@ -11,7 +11,7 @@ jobs: name: Pester (Windows, no elevation) runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install Pester 5 shell: pwsh