chore: modernize GitHub Actions infrastructure (#2)

Copilot · shenxianpeng · web-flow · commit 61b84681ea02 · 2026-04-09T15:12:43.000+03:00
- Pin all GitHub Actions to commit SHAs for supply-chain security - Add explicit `permissions` blocks (least-privilege principle) - Add `concurrency` groups to all reusable workflows - Add missing `env: GITHUB_TOKEN` to release-drafter step - Fix `config-name` leading slash in release-drafter and pr-labeler - Migrate legacy probot `stale.yml` config → `actions/stale` workflow - Add `dependabot.yml` for automated weekly Actions dependency updates Agent-Logs-Url: https://github.com/commit-check/.github/sessions/cc1f1a40-13f2-447b-8820-b26e1959a320 Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: shenxianpeng <3353385+shenxianpeng@users.noreply.github.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    commit-message:
+      prefix: "ci"
+    labels:
+      - "dependencies"
diff --git a/.github/stale.yml b/.github/stale.yml
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
@@ -3,6 +3,10 @@ name: PR Labeler
 on:
   workflow_call:
 
+concurrency:
+  group: pr-labeler-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   label_pr:
     permissions:
@@ -16,4 +20,4 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          config-name: github:commit-check/.github:/.github/release-drafter.yml
+          config-name: github:commit-check/.github:.github/release-drafter.yml
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -2,27 +2,33 @@ name: Run pre-commit
 
 on:
   workflow_call:
-     inputs:
+    inputs:
       commands:
         required: false
         type: string
         default: ""
         description: run additional commands for preparing the environment
 
+concurrency:
+  group: pre-commit-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         id: python-setup
         with:
           python-version: '3.x'
       - name: Run commands
         if: inputs.commands
         run: ${{ inputs.commands }}
       - name: Cache pre-commit environments
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: '~/.cache/pre-commit'
           key: pre-commit-${{ steps.python-setup.outputs.python-version }}-${{ hashFiles('.pre-commit-config.yaml') }}
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -3,6 +3,10 @@ name: Release Drafter
 on:
   workflow_call:
 
+concurrency:
+  group: release-drafter-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   update_release_draft:
     permissions:
@@ -14,6 +18,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Draft your next Release notes as Pull Requests are merged into the default branch
-      - uses: release-drafter/release-drafter@v6
+      - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          config-name: github:commit-check/.github:/.github/release-drafter.yml
+          config-name: github:commit-check/.github:.github/release-drafter.yml
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -0,0 +1,35 @@
+name: Mark stale issues and pull requests
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+concurrency:
+  group: stale
+  cancel-in-progress: true
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
+        with:
+          days-before-stale: 60
+          days-before-close: 7
+          exempt-issue-labels: 'pinned,security,bug'
+          stale-issue-label: 'wontfix'
+          stale-issue-message: >
+            This issue has been automatically marked as stale because it has not had
+            recent activity. It will be closed if no further activity occurs. Thank you
+            for your contributions.
+          close-issue-message: false
+          stale-pr-label: 'wontfix'
+          stale-pr-message: >
+            This pull request has been automatically marked as stale because it has not had
+            recent activity. It will be closed if no further activity occurs. Thank you
+            for your contributions.
+          close-pr-message: false
