From 9ec55353c073dc5385398112a8941875a71fbcb9 Mon Sep 17 00:00:00 2001
From: Ladislav Sulak
Date: Mon, 22 Dec 2025 17:22:03 +0100
Subject: [PATCH 1/3] just following a common practice we agreed upon a while ago
---
 .github/workflows/build.yml | 11 ++++++++---
 .github/workflows/format_check.yml | 9 ++++++---
 .github/workflows/jacoco_check.yml | 18 +++++++++++++-----
 .github/workflows/licence_check.yml | 8 ++++++--
 .github/workflows/release.yml | 11 +++++++++--
 5 files changed, 42 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7b6bc5b..c99de79 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -32,11 +32,16 @@ jobs:
 name: Scala ${{matrix.scala}}
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
- - uses: coursier/cache-action@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ with:
+ persist-credentials: false
+
+ - uses: coursier/cache-action@bebeeb0e6f48ebad66d3783946588ecf43114433
+
 - name: Setup Scala
- uses: olafurpg/setup-scala@v14
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.8"
+
 - name: Build and run tests
 run: sbt ++${{matrix.scala}} test doc
diff --git a/.github/workflows/format_check.yml b/.github/workflows/format_check.yml
index 4b83a8e..26bf2c0 100644
--- a/.github/workflows/format_check.yml
+++ b/.github/workflows/format_check.yml
@@ -26,13 +26,16 @@ jobs:
 name: Scalafmt Check
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
+ persist-credentials: false
 fetch-depth: 0
 ref: ${{ github.event.pull_request.head.ref }}
- - uses: coursier/cache-action@v6
+
+ - uses: coursier/cache-action@bebeeb0e6f48ebad66d3783946588ecf43114433
+
 - name: Setup Scala
- uses: olafurpg/setup-scala@v14
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.8"
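Review bot: In the build.yml hunk every `uses:` is now pinned to a full commit SHA with no trailing comment naming the release it belongs to, so nobody reading the workflow can tell which version runs or whether a later bump moves forward. I would put the tag next to each pin, e.g. `uses: actions/checkout@<sha> # vX.Y.Z` (placeholder; take the tag from the action's release page). The same applies to the pinned `uses:` lines in the format_check, jacoco_check, licence_check and release hunks. The same checkout SHA replaces `@v4` here and `@v2` / `@v2.3.4` there, so in at least some files the swap is also a version change that the diff does not make visible.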
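Review bot: In the format_check.yml hunk the checkout keeps `ref: ${{ github.event.pull_request.head.ref }}`, which is a branch name, so the job checks whatever that branch points to when it runs rather than the commit the event was raised for; for a pull request from a fork the name is resolved in the base repository. `ref: ${{ github.event.pull_request.head.sha }}` ties the check to the commit under review. The workflow trigger is outside the hunk, so I cannot tell whether this runs on `pull_request` or `pull_request_target`; with the latter, checking out head code needs a separate look. The added `persist-credentials: false` fits a check-only job, provided no later step (not visible here) pushes formatting fixes.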
diff --git a/.github/workflows/jacoco_check.yml b/.github/workflows/jacoco_check.yml
index 3a228b1..436fa86 100644
--- a/.github/workflows/jacoco_check.yml
+++ b/.github/workflows/jacoco_check.yml
@@ -37,17 +37,23 @@ jobs:
 changed: 80.0
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
- - uses: coursier/cache-action@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ with:
+ persist-credentials: false
+
+ - uses: coursier/cache-action@bebeeb0e6f48ebad66d3783946588ecf43114433
+
 - name: Setup Scala
- uses: olafurpg/setup-scala@v14
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.8"
+
 - name: Build and run tests
 run: sbt ++${{matrix.scala}} jacoco
+
 - name: Add coverage to PR
 id: jacoco
- uses: madrapps/jacoco-report@v1.3
+ uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
 with:
 paths: ${{ github.workspace }}/target/scala-${{ matrix.scalaShort }}/jacoco/report/jacoco.xml
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -55,13 +61,15 @@ jobs:
 min-coverage-changed-files: ${{ matrix.changed }}
 title: JaCoCo code coverage report - scala ${{ matrix.scala }}
 update-comment: true
+
 - name: Get the Coverage info
 run: |
 echo "Total coverage ${{ steps.jacoco.outputs.coverage-overall }}"
 echo "Changed Files coverage ${{ steps.jacoco.outputs.coverage-changed-files }}"
+
 - name: Fail PR if changed files coverage is less than ${{ matrix.changed }}%
 if: ${{ steps.jacoco.outputs.coverage-changed-files < 80.0 }}
- uses: actions/github-script@v6
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
 with:
 script: |
 core.setFailed('Changed files coverage is less than ${{ matrix.changed }}%!')
diff --git a/.github/workflows/licence_check.yml b/.github/workflows/licence_check.yml
index 472a6c5..2d1c436 100644
--- a/.github/workflows/licence_check.yml
+++ b/.github/workflows/licence_check.yml
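Review bot: In the first jacoco_check.yml hunk the third-party `madrapps/jacoco-report` step is handed `token: ${{ secrets.GITHUB_TOKEN }}`, and nothing in the hunk shows what that token is allowed to do. The SHA pin fixes which code receives the token, not its scope. If the workflow has no `permissions:` block (it would sit above this hunk), add one limited to what the report step needs, for example `permissions: { contents: read, pull-requests: write }`, so a compromised or buggy action cannot write to the repository contents.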
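Review bot: In the second jacoco_check.yml hunk the gate compares against a literal, `if: ${{ steps.jacoco.outputs.coverage-changed-files < 80.0 }}`, while the step name and the failure message take the threshold from `matrix.changed`; changing the matrix value would change the text but not the check. `if: ${{ steps.jacoco.outputs.coverage-changed-files < matrix.changed }}` keeps the three in step. Separately, the two `echo` lines interpolate step outputs directly into the shell script; passing them through an `env:` mapping on the step and echoing the variables keeps action output out of the script text.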
@@ -27,11 +27,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+ with:
+ persist-credentials: false
+
 - name: Setup Scala
- uses: olafurpg/setup-scala@v10
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
 with:
 java-version: "adopt@1.8"
+
 # note, that task "headerCheck" defaults to just "compile:headerCheck" - see https://github.com/sbt/sbt-header/issues/14
 - name: SBT src licence header check
 run: sbt Compile/headerCheck
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e15fbdd..d69928a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,10 +22,17 @@ jobs:
 publish:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2.3.4
+ - name: Checkout code
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
 with:
 fetch-depth: 0
- - uses: olafurpg/setup-scala@v13
+ persist-credentials: false
+
+ - name: Setup Scala
+ uses: olafurpg/setup-scala@32ffa16635ff8f19cc21ea253a987f0fdf29844c
+ with:
+ java-version: "adopt@1.8"
+
 - run: sbt ci-release
 env:
 PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
From c5105db8b63b612cc4b26a09aaa87152797ed637 Mon Sep 17 00:00:00 2001
From: Ladislav Sulak
Date: Mon, 29 Dec 2025 11:45:06 +0100
Subject: [PATCH 2/3] Aquasec related automation we implement in each repo as our standard (just PR generation, not auto merge, frequency: each Sunday)
---
 .github/workflows/dependabot.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/workflows/dependabot.yml
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
new file mode 100644
index 0000000..dc34bf2
--- /dev/null
+++ b/.github/workflows/dependabot.yml
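Review bot: In the release.yml hunk the Setup Scala step gains `with: java-version: "adopt@1.8"` and moves from `@v13` to the pinned commit, so the publish job may now build and sign with a different toolchain than before, while the commit message describes only pinning. If the JDK previously came from the action's default, please confirm the released artifacts are meant to be built on this one and say so in the commit description. This is the job that receives `PGP_PASSPHRASE` (the `env:` block continues past the hunk), so an unannounced toolchain change here deserves more scrutiny than in the check-only workflows.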
@@ -0,0 +1,31 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ target-branch: "master"
+ schedule:
+ interval: "weekly"
+ day: "sunday"
+ labels:
+ - "auto update"
+ - "infrastructure"
+ - "no RN"
+ open-pull-requests-limit: 3
+ commit-message:
+ prefix: "chore"
+ include: "scope"
+
+ - package-ecosystem: "sbt"
+ directory: "/"
+ target-branch: "master"
+ schedule:
+ interval: "weekly"
+ day: "sunday"
+ labels:
+ - "auto update"
+ - "dependencies"
+ - "no RN"
+ open-pull-requests-limit: 3
+ commit-message:
+ prefix: "chore"
+ include: "scope"
From 0dbf23b0d95599462ad027570f8155f06936abbe Mon Sep 17 00:00:00 2001
From: Ladislav Sulak
Date: Mon, 29 Dec 2025 12:55:02 +0100
Subject: [PATCH 3/3] fixing the location for Dependabot - this is the standard, it's not a workflow per se but something GH runs internally
---
 .github/{workflows => }/dependabot.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/{workflows => }/dependabot.yml (100%)
diff --git a/.github/workflows/dependabot.yml b/.github/dependabot.yml
similarity index 100%
rename from .github/workflows/dependabot.yml
rename to .github/dependabot.yml
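Review bot: The second `updates` entry in dependabot.yml sets `package-ecosystem: "sbt"`, and nothing in this patch confirms that Dependabot accepts that value. If it is not a supported ecosystem, the configuration would presumably fail validation, and the `github-actions` entry that keeps the new SHA pins current might not run either. Please check the value against the supported-ecosystems list in the Dependabot documentation and confirm after merge that both update jobs appear for the repository. If sbt turns out not to be covered, leave the entry out rather than ship a config that may be rejected.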