From fe38c7e66f0b7333d0d44e10a0f4ec629bdaa531 Mon Sep 17 00:00:00 2001
From: Stan Ulbrych
Date: Fri, 26 Jun 2026 16:41:53 +0100
Subject: [PATCH] Add Dependabot and hash-pin GHA
---
.github/dependabot.yml | 26 ++++++++++++++++++++++++++
.github/workflows/benchmark.yml | 8 ++++----
.github/workflows/ci.yml | 10 +++++-----
.github/workflows/daily-benchmark.yml | 8 ++++----
4 files changed, 39 insertions(+), 13 deletions(-)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..776d165
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,26 @@
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/frontend"
+ schedule:
+ interval: "quarterly"
+ cooldown:
+ default-days: 7
+ groups:
+ # Batch low-risk minor/patch bumps into a single PR to cut review noise;
+ # major bumps open as individual PRs.
+ npm-minor-patch:
+ update-types:
+ - "minor"
+ - "patch"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "quarterly"
+ cooldown:
+ default-days: 7
+ groups:
+ github-actions:
+ patterns:
+ - "*"
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 0664116..ad08d95 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -42,10 +42,10 @@ jobs: steps: - name: Checkout memory tracker - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: '3.11'
@@ -111,7 +111,7 @@ jobs: - name: Upload benchmark results (if failed) if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: benchmark-logs path: |
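Review bot: The `github-actions` entry in the new dependabot.yml uses `interval: "quarterly"`, which is long for workflows that this same commit moves to SHA pins. GitHub's documentation says Dependabot alerts for actions are raised only for references that use semantic versioning, so once the workflows are SHA-pinned, version updates from this file become the main way a fixed release reaches them, and the 7-day `cooldown` adds to the delay. I would shorten that entry to `interval: "monthly"` or `"weekly"`; the `github-actions` group already folds the bumps into one PR. Separately, ci.yml mentions lockfiles generated from `.in` files for the backend, and no `pip` ecosystem entry is present here, so it is worth confirming whether that omission is intentional.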
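Review bot: The version comments on the new pins in benchmark.yml's `-42` hunk (`# v4.3.1`, `# v4.9.1`) and `-111` hunk (`# v4.6.2`) are not checked by anything in this change, so review has to confirm that each SHA is the commit the upstream tag points to. Resolve each one in the action's own repository and make sure it is not a commit that exists only in a fork; the same check applies to the pins in ci.yml and daily-benchmark.yml. `actions/setup-python` is also pinned to v4.9.1 here and in daily-benchmark.yml but to v5.6.0 in ci.yml; if nothing depends on the v4 line, reusing the ci.yml pin, `uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0`, leaves a single major to maintain. The step lists continue outside both hunks.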
@@ -121,7 +121,7 @@ jobs: - name: Upload benchmark results (on success) if: success() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: benchmark-results path: ./benchmark_results/
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f236c19..a04379d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,7 +11,7 @@ jobs: if: github.event_name == 'pull_request' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: Ensure lockfiles are updated when .in files change
@@ -45,7 +45,7 @@ jobs: name: Backend tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: Check for backend changes
@@ -61,7 +61,7 @@ jobs: if echo "$CHANGED" | grep -Eq '^(backend/|\.github/workflows/ci\.yml$)'; then echo "backend=true" >> "$GITHUB_OUTPUT" fi - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 if: steps.changes.outputs.backend == 'true' with: python-version: "3.13"
@@ -87,8 +87,8 @@ jobs: run: working-directory: frontend steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 20 cache: npm
diff --git a/.github/workflows/daily-benchmark.yml b/.github/workflows/daily-benchmark.yml
index 0e71999..1b74b4c 100644
--- a/.github/workflows/daily-benchmark.yml
+++ b/.github/workflows/daily-benchmark.yml
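Review bot: The re-pinned `actions/checkout` steps in ci.yml (hunks `-11`, `-45` and `-87`) keep the action's default of persisting the job token in the checked-out repository's git configuration, which the pinning does not change. Where nothing later in the job needs to push or fetch with that token, add `persist-credentials: false` under `with:` (next to `fetch-depth: 0` in the first two jobs; the frontend checkout would need a new `with:` block). The same applies to the checkout steps in benchmark.yml and daily-benchmark.yml, where it matters more because those jobs upload artifacts. The job bodies continue outside these hunks, so check for steps that rely on the persisted credentials before changing it.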
@@ -57,10 +57,10 @@ jobs: steps: - name: Checkout memory tracker - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: '3.11'
@@ -151,7 +151,7 @@ jobs: - name: Upload benchmark results (if failed) if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: benchmark-logs-${{ matrix.build_config.binary_id }} path: |
@@ -161,7 +161,7 @@ jobs: - name: Upload benchmark results (on success) if: success() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: benchmark-results-${{ matrix.build_config.binary_id }} path: ./benchmark_results/