ci(gh-actions): bash strict mode

Author: thomasleplus

.github/workflows/automerge.yml

@@ -15,6 +15,8 @@ jobs:
       - name: Enable auto-merge for Dependabot PRs
         shell: bash
         run: |
+          set -euo pipefail
+          IFS=$'\n\t'
           # Checking the PR title is a poor substitute for the actual PR changes
           # but as long as this is used only with dependabot PRs,
           # it should be safe to assume that the title is not misleading.

.github/workflows/codeql-analysis.yml

@@ -48,7 +48,7 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       # Add any setup steps before running the `github/codeql-action/init` action.
       # This includes steps like installing compilers or runtimes (`actions/setup-node`

.github/workflows/dependency-review.yml

@@ -10,6 +10,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout Repository"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: "Dependency Review"
         uses: actions/dependency-review-action@0659a74c94536054bfa5aeb92241f70d680cc78e # v4

.github/workflows/devskim.yml

@@ -26,7 +26,7 @@ jobs:
       security-events: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Run DevSkim scanner
         uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1.0.16

.github/workflows/msdo.yml

@@ -24,7 +24,7 @@ jobs:
       security-events: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Run Microsoft Security DevOps scanner
         uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1.12.0

.github/workflows/yamllint.yml

@@ -16,16 +16,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Install YAMLLint
-        shell: bash
-        run: |
-          pip install yamllint==1.37.1
-          msg="$(pip list --outdated | grep -e yamllint || true)"
-          if [ -n "${msg}" ]; then
-            >&2 echo "ERROR: outdated: ${msg}"
-            exit 1
-          fi
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run YAMLLint
         shell: bash
-        run: "yamllint -d '{extends: default, rules: {line-length: disable}}' ."
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'
+          yamllint -d '{extends: default, rules: {line-length: disable}}' .