From 26e66fd15fe8ab5ac842fc3385a2becaa70eb11b Mon Sep 17 00:00:00 2001
From: Brett Graham <brettgraham@gmail.com>
Date: Tue, 8 Oct 2024 16:27:03 -0400
Subject: [PATCH] Add Dependabot to update github actions and pin actions to
 hash (#163)

* enable dependabot for github actions workflows

* pin github actions to hash
---
 .github/dependabot.yml        | 15 +++++++++++++++
 .github/workflows/build.yml   |  2 +-
 .github/workflows/ci.yml      |  4 ++--
 .github/workflows/ci_cron.yml |  2 +-
 .github/workflows/data.yml    |  6 +++---
 5 files changed, 22 insertions(+), 7 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..1a218f5e
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions" # See documentation for possible values
+    directory: ".github/workflows" # Location of package manifests
+    schedule:
+      interval: "monthly"
+    groups:
+      actions:
+        patterns:
+          - "*"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4545fe0f..5f3a87e9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,7 +8,7 @@ on:
 
 jobs:
   build:
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish.yml@v1
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/publish.yml@924441154cf3053034c6513d5e06c69d262fb9a6  # v1.13.0
     with:
       env: |
         FFTW_DIR: /opt/homebrew/opt/fftw/lib/
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0b01d3b6..69e534a4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,7 +21,7 @@ concurrency:
 
 jobs:
   check:
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v1
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@924441154cf3053034c6513d5e06c69d262fb9a6  # v1.13.0
     with:
       envs: |
         - linux: check-style
@@ -29,7 +29,7 @@ jobs:
     uses: ./.github/workflows/retrieve_cache.yml
   test:
     needs: [ latest_data_cache ]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v1
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@924441154cf3053034c6513d5e06c69d262fb9a6  # v1.13.0
     with:
       libraries: |
         brew:
diff --git a/.github/workflows/ci_cron.yml b/.github/workflows/ci_cron.yml
index 15a9df91..cbb25b3a 100644
--- a/.github/workflows/ci_cron.yml
+++ b/.github/workflows/ci_cron.yml
@@ -18,7 +18,7 @@ jobs:
     uses: ./.github/workflows/retrieve_cache.yml
   test:
     needs: [ latest_data_cache ]
-    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@v1
+    uses: OpenAstronomy/github-actions-workflows/.github/workflows/tox.yml@924441154cf3053034c6513d5e06c69d262fb9a6  # v1.13.0
     with:
       libraries: |
         brew:
diff --git a/.github/workflows/data.yml b/.github/workflows/data.yml
index 87aadea3..775c4782 100644
--- a/.github/workflows/data.yml
+++ b/.github/workflows/data.yml
@@ -13,7 +13,7 @@ on:
 
 jobs:
   download_webbpsf_data:
-    uses: spacetelescope/webbpsf/.github/workflows/download_data.yml@develop
+    uses: spacetelescope/webbpsf/.github/workflows/download_data.yml@beda656c80a0254e6f80649d9c9c49235634522f  # v1.4.0
     with:
       minimal: ${{ github.event_name != 'workflow_dispatch' && true || inputs.webbpsf_minimal }}
   combine_data_cache:
@@ -36,7 +36,7 @@ jobs:
           mv ./galsim_data/* ${{ env.GALSIM_PATH }}
       - run: echo GALSIM_CAT_PATH=${{ env.GALSIM_PATH }}real_galaxy_catalog_23.5_example.fits >> $GITHUB_ENV
       - name: retrieve cached WebbPSF data
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9  # v4.0.2
         with:
           path: ${{ needs.download_webbpsf_data.outputs.cache_path }}
           key: ${{ needs.download_webbpsf_data.outputs.cache_key }}
@@ -44,7 +44,7 @@ jobs:
       - run: echo WEBBPSF_PATH=/tmp/data/webbpsf-data/ >> $GITHUB_ENV
       # save a new cache to the same generalized data directory, combined with extra data
       - name: save a single combined data cache
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9  # v4.0.2
         with:
           path: /tmp/data/
           key: data-${{ needs.download_webbpsf_data.outputs.cache_key }}-galsim-data-${{ steps.galsim_data.outputs.hash }}