From 120af706eb9849fa028274b064f7666d7ad63ba2 Mon Sep 17 00:00:00 2001 From: Avri Chen-Roth Date: Sun, 28 Jun 2026 21:27:21 +0300 Subject: [PATCH] CI: Improve GitHub Actions security (#24) * ci: add dependabot config for github-actions * ci: update github actions to their latest version and pin them to sha to prevent github action supply-chain attacks. --- .github/dependabot.yml | 4 ++++ .github/workflows/ci-test.yml | 6 +++--- .github/workflows/release.yml | 10 +++++----- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6824826..0e0bb22 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,3 +8,7 @@ updates: directory: "/src/PSTui.Models/" schedule: interval: weekly +- package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml index 014d7da..dec878b 100644 --- a/.github/workflows/ci-test.yml +++ b/.github/workflows/ci-test.yml @@ -20,10 +20,10 @@ jobs: DOTNET_GENERATE_ASPNET_CERTIFICATE: false steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install dotnet - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5.4.0 with: global-json-file: global.json cache: true @@ -60,7 +60,7 @@ jobs: - name: Upload module if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: PSTui-module-${{ matrix.os }} path: module diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 489d9ed..2c301fa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
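Review bot: The new `github-actions` entry quotes its values (`"github-actions"`, `"/"`, `"weekly"`) while the existing entry just above writes `interval: weekly` unquoted; either is valid YAML, but pick one style for the file. Consider grouping action bumps so each weekly run opens a single PR instead of one per action: add `groups:` / `  actions:` / `    patterns: ["*"]` under this entry. Dependabot keeps the pinned SHA in step with the trailing `# vX.Y.Z` comment, so that comment must stay on every `uses:` line or version tracking silently stops. A SHA pin makes the action code immutable, not trustworthy, so each bump PR still needs a human look at what changed upstream.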
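Review bot: The pinned checkout step still leaves the job's `GITHUB_TOKEN` in `.git/config` for every later step, because `persist-credentials` is not set and has defaulted to `true` in previous majors (confirm it is unchanged in v7.0.0); a test job has no reason to keep it, so add `persist-credentials: false` to the `with:` block of the `uses: actions/checkout@9c091bb2…` step. That closes the gap the SHA pin leaves open: pinning fixes which action code runs, not what a compromised build script or restored package can do with the token afterwards. The jumps v4→v7 (checkout) and v4→v5 (setup-dotnet) cross major versions that may change the Node runtime or input defaults, so treat this PR's green run as the validation rather than assuming a drop-in swap; the `steps:` list continues past this hunk. The same `persist-credentials` note applies to the release workflow's checkout in this commit.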
@@ -50,12 +50,12 @@ jobs: prerelease: ${{ steps.version.outputs.prerelease }} steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 # need full tag history for version resolution - name: Install dotnet - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5.4.0 with: cache: true cache-dependency-path: '**/*.csproj' # SDK version comes from global.json @@ -177,7 +177,7 @@ jobs: - name: Tag and create GitHub Release if: env.HAS_PSGALLERY_KEY == 'true' && github.ref == 'refs/heads/main' - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1 with: tag_name: v${{ steps.version.outputs.version }} prerelease: ${{ steps.version.outputs.prerelease == 'true' }} @@ -186,7 +186,7 @@ jobs: - name: Upload artifact (always) if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: PSTui-${{ steps.version.outputs.version }} path: module @@ -199,7 +199,7 @@ jobs: issues: write steps: - name: Open or update failure issue - uses: actions/github-script@v7 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: script: | const title = 'Release workflow failed';
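Review bot: `softprops/action-gh-release` is third-party code that runs with whatever `contents: write` permission this job carries, and v2→v3.0.1 is a major-version change whose input and default changes are not visible in the diff; before merging, confirm that `718ea10b…` is the commit behind the upstream `v3.0.1` tag (`git ls-remote --tags https://github.com/softprops/action-gh-release v3.0.1`) and read the v3 release notes for changed inputs or defaults. The `if:` guard tying the step to `refs/heads/main` and to the gallery key being present is a sensible gate and should stay. The job's `permissions:` block is outside this hunk, so I cannot confirm it is scoped to `contents: write` only — worth checking.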
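Review bot: `actions/github-script` evaluates the `script:` block as JavaScript, so any `${{ … }}` expression interpolated into it becomes code rather than data; the script body continues past this hunk and the pin to v9.0.0 does not change that. Anything derived from untrusted input (run names, commit messages, PR titles) should reach the script through an `env:` entry and be read as `process.env.NAME`, or taken from `context`, never through expression interpolation — please confirm the rest of the script does this. The `issues: write` permission visible in the hunk's context is appropriately minimal for opening or updating an issue. The v7→v9 jump presumably also moves the action to a newer Node runtime (not visible here), which is worth a glance at the changelog if the script relies on older globals.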