Merge pull request #2 from SilverAssist/copilot/pin-github-actions-shas

miguelcolmenares · web-flow · commit 84d4f614cf64 · 2025-11-14T11:56:51.000-05:00
Pin GitHub Actions to commit SHAs with Dependabot automation
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,41 @@
+# Dependabot configuration for automated dependency updates
+# This configuration enables automatic updates for GitHub Actions
+# with SHA pinning support for enhanced security
+
+version: 2
+updates:
+  # GitHub Actions dependency updates
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/Mexico_City"
+    labels:
+      - "dependencies"
+      - "github-actions"
+      - "automated"
+    reviewers:
+      - "copilot"
+    open-pull-requests-limit: 10
+    
+    # Group all GitHub Actions updates together
+    groups:
+      github-actions-updates:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+    
+    # Ignore major updates for critical actions (manual review required)
+    ignore:
+      - dependency-name: "actions/checkout"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "shivammathur/setup-php"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "actions/upload-artifact"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "actions/github-script"
+        update-types: ["version-update:semver-major"]
diff --git a/.github/workflows/check-size.yml b/.github/workflows/check-size.yml
@@ -12,11 +12,12 @@ jobs:
         permissions:
             contents: read
             issues: write
+            pull-requests: write
         runs-on: ubuntu-latest
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
             - name: Calculate package size
               id: size
@@ -61,7 +62,7 @@ jobs:
 
             - name: Comment on PR
               if: github.event_name == 'pull_request'
-              uses: actions/github-script@v6
+              uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v6.4.1
               with:
                   script: |
                       const { data: comments } = await github.rest.issues.listComments({
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
@@ -19,10 +19,10 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
             - name: Setup PHP
-              uses: shivammathur/setup-php@v2
+              uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2.35.5
               with:
                   php-version: ${{ matrix.php-version }}
                   extensions: dom, curl, libxml, mbstring, zip, pcntl, pdo, sqlite, pdo_sqlite
@@ -49,10 +49,10 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
             - name: Setup PHP
-              uses: shivammathur/setup-php@v2
+              uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2.35.5
               with:
                   php-version: 8.0
 
@@ -105,10 +105,10 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
             - name: Setup PHP
-              uses: shivammathur/setup-php@v2
+              uses: shivammathur/setup-php@bf6b4fbd49ca58e4608c9c89fba0b8d90bd2a39f # v2.35.5
               with:
                   php-version: 8.0
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,7 +19,7 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
             - name: Extract version from tag or input
               id: version
@@ -199,7 +199,7 @@ jobs:
                   EOF
 
             - name: Create GitHub Release
-              uses: softprops/action-gh-release@v1
+              uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v1.0.0
               with:
                   tag_name: ${{ steps.version.outputs.tag }}
                   name: "LeadGen App Form Plugin v${{ steps.version.outputs.version }}"
@@ -212,7 +212,7 @@ jobs:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
             - name: Upload package as artifact
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@b4b15b8a3f9cc9c8cf4a19c2dd8b63ccbac371af # v4.4.3
               with:
                   name: leadgen-app-form-v${{ steps.version.outputs.version }}
                   path: ${{ steps.package.outputs.zip_path }}
