From 32ddd4dbf94e036388c3179395c4f2ff6007e139 Mon Sep 17 00:00:00 2001
From: Daniel Bast <2790401+dbast@users.noreply.github.com>
Date: Thu, 30 Dec 2021 09:45:24 +0100
Subject: [PATCH] Use Github actions via sha1 (not tags) and keep them updated via dependabot

Tags are mutable and can change unexpectedly. Referencing actions via sha1 is more secure in that regard. Dependabot helps to automatically update to newer versions.
---
.github/dependabot.yml | 6 ++++++
.github/workflows/build.yml | 6 +++---
2 files changed, 9 insertions(+), 3 deletions(-)
create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..5ace4600a1
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7db5baae69..6a59d3f5b7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,14 +15,14 @@ jobs:
java: [ '11', '11.0.3', '15', '15.0.5']
name: Test Java ${{ matrix.Java }}, ${{ matrix.os }}
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
lfs: true
- name: Set up JDK
- uses: actions/setup-java@v2
+ uses: actions/setup-java@5f00602cd1b2819185d88dc7a1b1985f598c6705
with:
java-version: ${{ matrix.java }}
distribution: 'zulu'
@@ -31,7 +31,7 @@ jobs:
run: chmod +x gradlew
- name: Validate Gradle Wrapper JAR files
- uses: gradle/wrapper-validation-action@v1
+ uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b
- name: Build with Gradle
run: ./gradlew build
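Review bot: The new Dependabot config carries no comment tying it to the SHA-pinned `uses:` lines it exists to maintain, so a later maintainer who sees bare commit hashes in the workflow has nothing telling them not to switch back to tags; a one-line header such as `# Bumps the commit-SHA-pinned actions under .github/workflows (tags are mutable; see the commit that introduced SHA pinning)` above `version: 2` would fix that. `directory: "/"` is the expected value for the `github-actions` ecosystem, which scans `.github/workflows` itself, so nothing else is needed in this file. The bump PRs it opens stay readable only if each pinned SHA in the workflow also carries a `# vX.Y.Z` trailing comment, which as far as I know current Dependabot keeps in sync with the hash.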
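Review bot: The new `uses:` pins for `actions/checkout` and `actions/setup-java` are bare 40-hex SHAs with no indication of which release they correspond to, so a reader (or a reviewer of a later Dependabot bump) cannot tell what version is running without resolving each commit; record the tag each SHA was taken from as a trailing comment, e.g. `- uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97 # <tag this SHA was resolved from>`, and likewise on the `setup-java` line. While recording it, confirm each SHA is the commit the upstream repository's tag actually points to, since a commit that exists only in a fork of the action repo can also resolve through the upstream name. Separately, the unchanged `ref: ${{ github.event.pull_request.head.sha }}` checkout followed later by `./gradlew build` is only safe if this job runs on `pull_request` and not `pull_request_target`; the `on:` block is outside this hunk, so I cannot confirm which trigger applies. The `steps:` list continues past the end of the hunk.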