Pin actions to SHAs and use dependabot

.github/dependabot.yml

@@ -0,0 +1,21 @@
+version: 2
+updates:
+  # For GitHub Actions updates
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+      time: "06:00"
+      day: "monday"
+      timezone: "America/Detroit"
+    commit-message:
+      prefix: "fix: "
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+    groups:
+      all:
+        patterns:
+          - "*"
+    cooldown: 
+      default-days: 7

build/action.yml

@@ -75,7 +75,7 @@ runs:
         fi
 
   - name: Clone latest repository
-    uses: actions/checkout@v6
+    uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     with:
       ref: ${{ steps.set_inputs.outputs.ref }}
       submodules: ${{ inputs.submodules }}
@@ -87,7 +87,7 @@ runs:
       tag: ${{ steps.set_inputs.outputs.ref }}
 
   - name: Log into container registry
-    uses: docker/login-action@v4
+    uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
     with:
       registry: ${{ inputs.registry }}
       username: ${{ inputs.registry_username }}
@@ -111,7 +111,7 @@ runs:
   - name: Check whether to push latest tag
     if: ${{ steps.image_check.outputs.image_exists != 'true' || inputs.rebuild }}
     id: latest_push
-    uses: actions/github-script@v9
+    uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
     env:
       INPUT_PUSH_LATEST: ${{ steps.set_inputs.outputs.push_latest }}
       INPUT_IMAGE: ${{ inputs.image }}
@@ -126,16 +126,16 @@ runs:
   - name: Set up QEMU
     if: ${{ steps.image_check.outputs.image_exists != 'true' || inputs.rebuild }}
     # QEMU emulation for the Arm portion of our multi-platform Docker image build. Intel Machines
-    uses: docker/setup-qemu-action@v4
+    uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
 
   - name: Set up Docker Buildx
     if: ${{ steps.image_check.outputs.image_exists != 'true' || inputs.rebuild }}
     # Required for multi-platform Docker image builds in GitHub Actions that use docker/build-push-action.
-    uses: docker/setup-buildx-action@v4
+    uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
   - name: Build image and push to GHCR
     if: ${{ steps.image_check.outputs.image_exists != 'true' || inputs.rebuild }}
-    uses: docker/build-push-action@v7
+    uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
     with:
       context: .
       push: true

deploy/action.yml

@@ -28,7 +28,7 @@ inputs:
 runs:
   using: composite
   steps:
-  - uses: actions/checkout@v6
+  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     with:
       fetch-depth: 0
   - name: Set environment variables
@@ -52,13 +52,13 @@ runs:
       fi
   - name: Generate app token
     id: generate_token
-    uses: actions/create-github-app-token@v3
+    uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
     with:
       app-id: ${{ env.CONFIG_REPO_RW_APP_ID }}
       private-key: ${{ inputs.CONFIG_REPO_RW_KEY }}
       owner: ${{ github.repository_owner }}
   - name: Send the message
-    uses: peter-evans/repository-dispatch@v4
+    uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
     with:
       event-type: update-image
       token: ${{ steps.generate_token.outputs.token }}

scan-image/action.yml

@@ -13,7 +13,7 @@ runs:
   using: composite
   steps:
   - name: Run Trivy vulnerability scanner
-    uses: aquasecurity/trivy-action@0.28.0
+    uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
     env:
       TRIVY_DISABLE_VEX_NOTICE: true
     with:
@@ -44,7 +44,7 @@ runs:
 
   - name: Comment on PR
     if: github.event_name == 'pull_request'
-    uses: actions/github-script@v9
+    uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
     with:
       script: |
         const fs = require('fs')

tag-release/action.yml

@@ -36,7 +36,8 @@ runs:
   using: composite
   steps:
   - name: Log into container registry
-    uses: docker/login-action@v4
+    uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+
     with:
       registry: ${{ inputs.registry }}
       username: ${{ inputs.registry_username }}

update-image/action.yml

@@ -19,7 +19,7 @@ runs:
   using: composite
   steps:
   - name: Clone latest repository
-    uses: actions/checkout@v6
+    uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
   - name: dump github event
     shell: bash
     env: