chore: harden actions (#313)

lwasser · web-flow · commit c6cf9c1d9e45 · 2025-10-08T17:27:05.000-06:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,11 +1,15 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-
 version: 2
+
 updates:
-  - package-ecosystem: "" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: "github-actions"
+    directory: "/"
     schedule:
-      interval: "monthly"
+      interval: monthly
+    labels:
+      - dependencies
+      - github-actions
+    commit-message:
+      prefix: "chore: bump GitHub Actions"
+      include: "scope"
+    open-pull-requests-limit: 5
+    rebase-strategy: auto
diff --git a/.github/workflows/add-help-wanted.yml b/.github/workflows/add-help-wanted.yml
@@ -16,7 +16,7 @@ jobs:
     steps:
       - name: Add issue to project
         id: add-to-project
-        uses: actions/add-to-project@v1.0.1
+        uses: actions/add-to-project@9bfe908f2eaa7ba10340b31e314148fcfe6a2458 # v1.0.1
         with:
           project-url: https://github.com/orgs/pyOpenSci/projects/3
           # This is a organization level token so it can be used across all repos in our org
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
@@ -15,11 +15,10 @@ jobs:
     runs-on: ubuntu-latest
     # This ensures that the publish action only runs in the main repository
     # rather than forks
-    # Environment is encouraged so adding
     environment: build
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           # This fetch element is only important if you are use SCM based
           # versioning (that looks at git tags to gather the version)
@@ -31,7 +30,7 @@ jobs:
         run: git fetch origin 'refs/tags/*:refs/tags/*'
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.10"
       - name: Install Hatch
@@ -47,7 +46,7 @@ jobs:
           ls -lh dist/
       # Store an artifact of the build to use in the publish step below
       - name: Store the distribution packages
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: python-package-distributions
           path: dist/
@@ -62,10 +61,10 @@ jobs:
       name: pypi
       url: https://pypi.org/p/pyosmeta
     permissions:
-      id-token: write  # this permission is mandatory for pypi publishing
+      id-token: write  # this permission is mandatory for PyPI publishing
     steps:
       - name: Download all the dists
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           name: python-package-distributions
           path: dist/
diff --git a/.github/workflows/run-script.yml b/.github/workflows/run-script.yml
@@ -11,7 +11,7 @@ jobs:
     steps:
       # TODO: consider replacing python/pip/update-web-metadata installs with docker image
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       - name: Upgrade pip
         run: |
           # install pip=>20.1 to use "pip cache dir"
@@ -20,7 +20,7 @@ jobs:
         run: python -m pip install git+https://github.com/pyopenSci/update-web-metadata
 
       - name: Check out the code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           persist-credentials: false
 
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -15,14 +15,12 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           persist-credentials: false
-
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.10"
-
       - name: Install Hatch
         run: pipx install hatch
       - name: Run tests
diff --git a/.github/workflows/test-update-contribs.yml b/.github/workflows/test-update-contribs.yml
@@ -16,9 +16,9 @@ jobs:
       - name: Check out the code
         with:
           persist-credentials: false
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.10"
       - name: Upgrade pip
