From 079b69e124e5cb3756b190c7b2853deb7c6d1955 Mon Sep 17 00:00:00 2001
From: Dilum Aluthge <dilum@aluthge.com>
Date: Sun, 28 Jul 2024 17:26:41 -0400
Subject: [PATCH] CI: Use Dependabot to update GitHub Actions in this repo, and
 pin all external GitHub Actions to full-length commit hashes (#55283)

---
 .github/dependabot.yml           | 11 +++++++++++
 .github/workflows/LabelCheck.yml |  2 +-
 .github/workflows/Typos.yml      |  4 ++--
 .github/workflows/cffconvert.yml |  4 ++--
 4 files changed, 16 insertions(+), 5 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000000..2ad7fdc1efa0a
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 100
+    labels:
+      - "dependencies"
+      - "github-actions"
+      - "domain:ci"
diff --git a/.github/workflows/LabelCheck.yml b/.github/workflows/LabelCheck.yml
index 0ff56f4b9dfdc..c966e478e3fe0 100644
--- a/.github/workflows/LabelCheck.yml
+++ b/.github/workflows/LabelCheck.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 2
     steps:
-    - uses: yogevbd/enforce-label-action@2.2.2
+    - uses: yogevbd/enforce-label-action@a3c219da6b8fa73f6ba62b68ff09c469b3a1c024 # 2.2.2
       with:
         # REQUIRED_LABELS_ANY: "bug,enhancement,skip-changelog"
         # REQUIRED_LABELS_ANY_DESCRIPTION: "Select at least one label ['bug','enhancement','skip-changelog']"
diff --git a/.github/workflows/Typos.yml b/.github/workflows/Typos.yml
index da5a6a550abe8..6c9eeacc21800 100644
--- a/.github/workflows/Typos.yml
+++ b/.github/workflows/Typos.yml
@@ -11,11 +11,11 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Checkout the JuliaLang/julia repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           persist-credentials: false
       - name: Check spelling with typos
-        #uses: crate-ci/typos@master
+        #uses: crate-ci/typos@c7af4712eda24dd1ef54bd8212973888489eb0ce # v1.23.5
         env:
           GH_TOKEN: "${{ github.token }}"
         run: |
diff --git a/.github/workflows/cffconvert.yml b/.github/workflows/cffconvert.yml
index 751476865ae4c..4c9debb246f3f 100644
--- a/.github/workflows/cffconvert.yml
+++ b/.github/workflows/cffconvert.yml
@@ -23,11 +23,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out a copy of the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           persist-credentials: false
 
       - name: Check whether the citation metadata from CITATION.cff is valid
-        uses: citation-file-format/cffconvert-github-action@2.0.0
+        uses: citation-file-format/cffconvert-github-action@4cf11baa70a673bfdf9dad0acc7ee33b3f4b6084 # 2.0.0
         with:
           args: "--validate"