From 8c35fcdd086691484a8136305362cab1e743474f Mon Sep 17 00:00:00 2001
From: Mahangu Weerasinghe
Date: Sun, 31 May 2026 15:54:54 +0530
Subject: [PATCH 1/4] chore: pin third-party GitHub Actions to SHAs + enable Dependabot

Hardens against supply-chain risk on mutable tags. Dependabot keeps the pinned SHAs fresh weekly, with major bumps held under cooldown.

Tracking: DEVPROD-1072
---
 .github/dependabot.yml          | 23 +++++++++++++++++++++++
 .github/workflows/gardening.yml |  2 +-
 2 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..8c19cc9
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    groups:
+      actions-minor-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+      actions-major:
+        patterns:
+          - "*"
+        update-types:
+          - "major"
+    cooldown:
+      default-days: 7
+      semver-major-days: 14
diff --git a/.github/workflows/gardening.yml b/.github/workflows/gardening.yml
index 81580c3..e0b9c83 100644
--- a/.github/workflows/gardening.yml
+++ b/.github/workflows/gardening.yml
@@ -31,7 +31,7 @@ jobs:
           node-version: lts/*
 
       - name: Wait for prior instances of the workflow to finish
-        uses: softprops/turnstyle@v1
+        uses: softprops/turnstyle@8db075d65b19bf94e6e8687b504db69938dc3c65 # v0.1.5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

From 8884c2b5bbed094266c73da1e3b0c114b047e8a6 Mon Sep 17 00:00:00 2001
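Review bot: The new `.github/dependabot.yml` has no comment explaining why updates are split into `actions-minor-patch` and `actions-major`, so the intent stated in the commit message (minor/patch bumps batched into one PR, majors arriving separately so each SHA change can be reviewed on its own) lives only in git history. A line above `groups:` such as `# minor/patch bumps are batched into one PR; majors get their own PR for separate review` would keep it with the file. The same applies to `cooldown:`: this commit's message says majors are held longer, but patch 4 of this series drops `semver-major-days`, after which majors wait the same 7 `default-days` as everything else, so a comment there should state the policy actually in force. Dependabot also appears to rely on the trailing `# vX.Y.Z` comment on each SHA pin to know the currently pinned version, so those labels in the workflows need to stay accurate — confirm against the Dependabot docs.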
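Review bot: Pinning `softprops/turnstyle` to a SHA fixes which code runs, but the `GITHUB_TOKEN` passed on the `env:` lines directly below the pin still carries whatever the workflow's `permissions:` grants, and that block (like the rest of the job) is outside this hunk. Since this is the third-party action receiving the token, the workflow should declare a top-level `permissions:` limited to what turnstyle actually needs — presumably read access to workflow runs, check the action's README — rather than the default token scope. The `node-version: lts/*` context line suggests a `setup-node` step just above that stays on a mutable tag; that is consistent with the subject's "third-party" scope, but a sentence in the commit message saying first-party `actions/*` are deliberately left on tags would stop readers from taking the pinning as complete.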
From: Mahangu Weerasinghe
Date: Sun, 31 May 2026 17:41:31 +0530
Subject: [PATCH 2/4] chore: correct misleading version comment (# v0.1.5 -> # v1)

The SHA pin is correct (softprops/turnstyle@v1 dereferences to that commit). pinact wrote # v0.1.5 because v1 and v0.1.5 share the same underlying commit on this action; this changes the comment to reflect the original intent (@v1) so reviewers and Dependabot see the right version label.

Tracking: DEVPROD-1072
---
 .github/workflows/gardening.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/gardening.yml b/.github/workflows/gardening.yml
index e0b9c83..40768d6 100644
--- a/.github/workflows/gardening.yml
+++ b/.github/workflows/gardening.yml
@@ -31,7 +31,7 @@ jobs:
           node-version: lts/*
 
       - name: Wait for prior instances of the workflow to finish
-        uses: softprops/turnstyle@8db075d65b19bf94e6e8687b504db69938dc3c65 # v0.1.5
+        uses: softprops/turnstyle@8db075d65b19bf94e6e8687b504db69938dc3c65 # v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

From ee9643a22806b9c637601caf1e294d544f9265ce Mon Sep 17 00:00:00 2001
From: Mahangu Weerasinghe
Date: Sun, 31 May 2026 20:24:57 +0530
Subject: [PATCH 3/4] chore: use specific # v0.1.5 label for softprops/turnstyle pin

softprops/turnstyle has not released past v0.1.5 (the v1 tag was last moved in 2022; v1 and v0.1.5 are the SAME underlying commit). Use the specific # v0.1.5 label so the version is explicit. SHA unchanged. Verified via gh api: both refs/tags/v1 and refs/tags/v0.1.5 dereference to commit 8db075d65b19bf94e6e8687b504db69938dc3c65.

Tracking: DEVPROD-1072
---
 .github/workflows/gardening.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/gardening.yml b/.github/workflows/gardening.yml
index 40768d6..e0b9c83 100644
--- a/.github/workflows/gardening.yml
+++ b/.github/workflows/gardening.yml
@@ -31,7 +31,7 @@ jobs:
           node-version: lts/*
 
       - name: Wait for prior instances of the workflow to finish
-        uses: softprops/turnstyle@8db075d65b19bf94e6e8687b504db69938dc3c65 # v1
+        uses: softprops/turnstyle@8db075d65b19bf94e6e8687b504db69938dc3c65 # v0.1.5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

From 07f57c44a787363d07d738cad08e6c8d7b0f7abc Mon Sep 17 00:00:00 2001
From: Mahangu Weerasinghe
Date: Tue, 2 Jun 2026 14:04:51 +0530
Subject: [PATCH 4/4] fix: use supported GitHub Actions Dependabot cooldown config

---
 .github/dependabot.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8c19cc9..7ddd384 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -20,4 +20,3 @@ updates:
           - "major"
     cooldown:
       default-days: 7
-      semver-major-days: 14
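Review bot: Patches 2 and 3 undo each other, leaving the `# v0.1.5` label exactly as patch 1 wrote it, so the series carries two comment-only flips of the same `uses:` line; squashing them (or dropping both) keeps the pin's history readable, and patch 3's message is the one worth keeping since it records that both `refs/tags/v1` and `refs/tags/v0.1.5` resolve to the pinned commit. The label is not cosmetic: Dependabot appears to read it as the currently pinned version, so under `# v1` a future `v0.1.x` or `v0.2.x` release would presumably compare lower than 1 and never be proposed, whereas `# v0.1.5` lets the weekly refresh work as intended — confirm against the Dependabot docs. The surrounding `- name:` and `env:` lines are unchanged context and the enclosing job starts outside the hunk.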