tighten security for dependency updates (#1685)

Author: romainmenke

.github/dependabot.yml

@@ -2,19 +2,28 @@ version: 2
 updates:
 - package-ecosystem: "npm"
   directory: "/"
+  cooldown:
+    default-days: 7
   schedule:
     interval: weekly
     time: "01:00"
     timezone: "Europe/Brussels"
   groups:
     production-dependencies:
       dependency-type: "production"
+      exclude-patterns:
+        - "@webref/css"
       patterns:
         - "*"
     development-dependencies:
       dependency-type: "development"
+      exclude-patterns:
+        - "@webref/css"
       patterns:
         - "*"
+    webref-css:
+      patterns:
+        - "@webref/css"
   open-pull-requests-limit: 5
   versioning-strategy: increase
   rebase-strategy: auto
@@ -23,6 +32,8 @@ updates:
   - "/e2e"
   - "/e2e-package-managers/yarn"
   - "/sites"
+  cooldown:
+    default-days: 7
   schedule:
     interval: weekly
     time: "01:00"
@@ -36,6 +47,8 @@ updates:
   rebase-strategy: auto
 - package-ecosystem: "github-actions"
   directory: "/"
+  cooldown:
+    default-days: 7
   schedule:
     interval: weekly
     time: "01:00"

.github/workflows/codeql.yml

@@ -21,10 +21,10 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3
       with:
         languages: ${{ matrix.language }}
         queries: security-extended
@@ -39,4 +39,4 @@ jobs:
     - run: npm run build --workspaces --if-present
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3

.github/workflows/deploy-preset-env.yml

@@ -17,10 +17,10 @@ jobs:
     name: Request Netlify Webhook
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
         with:
           fetch-depth: 1
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444
         with:
           node-version: 24
 

.github/workflows/labeler.yml

@@ -10,7 +10,7 @@ jobs:
   triage:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v6
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
 

.github/workflows/lint.yml

@@ -14,10 +14,10 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
         with:
           fetch-depth: 1
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444
         with:
           node-version: 24
 

.github/workflows/test.yml

@@ -31,10 +31,10 @@ jobs:
         - node: 24
           is_base_node_version: true
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
         with:
           fetch-depth: 1
-      - uses: actions/setup-node@v5
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444
         with:
           node-version: ${{ matrix.node }}