From 630afd952eb7751bf1c4a8a050f1a0e1bf40b1a0 Mon Sep 17 00:00:00 2001
From: William Correa
Date: Fri, 19 Jun 2026 12:51:19 -0300
Subject: [PATCH] chore(actions): pin all uses to commit SHA and add dependabot
- Replace every github actions tag pin (e.g. actions/checkout@v4) with the immutable commit SHA across build-images.yml, validate.yml, and copilot-sandbox.yml. The original semver tag is kept as an inline comment so Dependabot can read and update both at once.
- Add .github/dependabot.yml so SHAs stay current automatically via weekly grouped PRs (docker/* and actions/* grouped separately).
---
 .github/dependabot.yml | 16 ++++++++++++++++
 .github/workflows/build-images.yml | 14 +++++++-------
 .github/workflows/copilot-sandbox.yml | 12 ++++++------
 .github/workflows/validate.yml | 4 ++--
 4 files changed, 31 insertions(+), 15 deletions(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..06ff060
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ groups:
+ docker-actions:
+ patterns:
+ - "docker/*"
+ actions-org:
+ patterns:
+ - "actions/*"
+ commit-message:
+ prefix: chore
+ include: scope
diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml
index 486f99d..25ee290 100644
--- a/.github/workflows/build-images.yml
+++ b/.github/workflows/build-images.yml
@@ -27,12 +27,12 @@ jobs:
 builds: ${{ steps.list.outputs.builds }}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Get changed files
 id: changed
 if: github.event_name == 'push'
- uses: tj-actions/changed-files@v44
+ uses: tj-actions/changed-files@2d756ea4c53f7f6b397767d8723b3a10a9f35bf2 # v44.0.0
 - name: Build matrix
 id: list
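Review bot: The two `groups` entries match only `docker/*` and `actions/*`, so `tj-actions/changed-files` — pinned in the build-images.yml and validate.yml hunks of this same patch — falls outside both and will arrive as its own ungrouped PR. That is a defensible default for a third-party action, since a separate PR means its SHA bump is reviewed on its own rather than buried in a batch, but the file does not say whether it is intended. Suggest recording the choice above `groups:` with `# Anything not matched below (e.g. tj-actions/*) gets an individual PR so third-party bumps are reviewed on their own`; if grouping is wanted instead, a third group with `- "tj-actions/*"` would do.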
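Review bot: The `tj-actions/changed-files` line replaces the floating `@v44` major tag with the SHA annotated as `v44.0.0`, the first release of that line, so if v44 received later patch releases this pin silently downgrades the action instead of freezing what the workflow was actually running; the validate.yml hunk carries the same line. Before merging, resolve each SHA against its tag (`git ls-remote --tags` on the action repository, or its release page), confirm it is the newest tag the floating pin was resolving to, and keep the trailing `# vX.Y.Z` comment in step with it, because Dependabot reads that comment to decide which version it is tracking. The same check applies to the `actions/checkout` pin here and to the docker/* pins in the other hunks; none of the SHA-to-tag mappings can be verified from the diff alone.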
@@ -157,22 +157,22 @@ jobs:
 build: ${{ fromJson(needs.detect.outputs.builds) }}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 - name: Log in to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 - name: Build and push
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 with:
 context: ./${{ matrix.build.context }}
 target: ${{ matrix.build.target }}
diff --git a/.github/workflows/copilot-sandbox.yml b/.github/workflows/copilot-sandbox.yml
index 3a74757..ed696c0 100644
--- a/.github/workflows/copilot-sandbox.yml
+++ b/.github/workflows/copilot-sandbox.yml
@@ -21,16 +21,16 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 - name: Log in to GitHub Container Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -38,7 +38,7 @@ jobs:
 - name: Extract metadata
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
 with:
 images: ${{ env.IMAGE_NAME }}
 tags: |
@@ -46,7 +46,7 @@ jobs:
 type=sha,prefix=,format=short
 - name: Build and push
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 with:
 context: ./copilot-sandbox
 platforms: linux/amd64,linux/arm64
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 160b905..fbba5bc 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -13,11 +13,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Get changed variants.yaml files
 id: changed
- uses: tj-actions/changed-files@v44
+ uses: tj-actions/changed-files@2d756ea4c53f7f6b397767d8723b3a10a9f35bf2 # v44.0.0
 with:
 files: '*/*/variants.yaml'