Use Github actions via sha1 (not tags) and keep them updated via dependabot

Tags are mutable and can change unexpectedly. Referencing actions via sha1 is more secure in that regard. Dependabot helps to automatically update to newer versions.
2024-11-19 01:41:11 +01:00 · 2021-12-30 09:45:24 +01:00 · 2021-12-30 09:45:24 +01:00 · 32ddd4dbf9
commit 32ddd4dbf9
parent 2c43cfb56f
2 changed files with 9 additions and 3 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -15,14 +15,14 @@ jobs:
            java: [ '11', '11.0.3', '15', '15.0.5']
    name: Test Java ${{ matrix.Java }}, ${{ matrix.os }}
    steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
      with:
        fetch-depth: 0
        ref: ${{ github.event.pull_request.head.sha }}
        lfs: true

    - name: Set up JDK
-      uses: actions/setup-java@v2
+      uses: actions/setup-java@5f00602cd1b2819185d88dc7a1b1985f598c6705
      with:
        java-version: ${{ matrix.java }}
        distribution: 'zulu'
@ -31,7 +31,7 @@ jobs:
      run: chmod +x gradlew

    - name: Validate Gradle Wrapper JAR files
-      uses: gradle/wrapper-validation-action@v1
+      uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b

    - name: Build with Gradle
      run: ./gradlew build