From 0fb57f3d05fa4f7517390aadd0ea7065852c545d Mon Sep 17 00:00:00 2001
From: Tom Longridge
Date: Fri, 7 Feb 2025 15:12:24 +0000
Subject: [PATCH] build: add dependabot config for dependency updates and pin exisiting
---
 .github/workflows/dependabot.yml | 14 ++++++++++++++
 .github/workflows/scorecard.yml | 2 +-
 .github/workflows/signing.yml | 2 +-
 3 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/dependabot.yml
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
new file mode 100644
index 0000000000..060b4c590b
--- /dev/null
+++ b/.github/workflows/dependabot.yml
@@ -0,0 +1,14 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+version: 2
+updates:
+ - package-ecosystem: "bundler"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 709ce1ee26..189fdccf1d 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -68,6 +68,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional).
 # Commenting out will disable upload of results to your repo's Code Scanning dashboard
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/signing.yml b/.github/workflows/signing.yml
index ec28f82d84..c1497c4076 100644
--- a/.github/workflows/signing.yml
+++ b/.github/workflows/signing.yml
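Review bot: The new Dependabot configuration is created at `.github/workflows/dependabot.yml`, but Dependabot only reads version-update configuration from `.github/dependabot.yml`, so in this location the file is ignored by Dependabot and is instead picked up by the workflow loader, which will most likely report it as an invalid workflow since it defines no `on:` or `jobs:`; the weekly `bundler` and `github-actions` updates will not run. The fix is to move the file with its contents unchanged, i.e. `diff --git a/.github/dependabot.yml b/.github/dependabot.yml` with matching `+++ b/.github/dependabot.yml`. Once it is in the right place, the `github-actions` entry will also keep the SHA pins this commit introduces in scorecard.yml and signing.yml up to date, using the trailing `# vX.Y.Z` comments to track the version. Whether `bundler` is the right ecosystem depends on a Gemfile existing at the repository root, which this patch does not show.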
@@ -23,7 +23,7 @@ jobs:
 run: |
 echo "${{ secrets.PLATFORMS_GPG_KEY_BASE64 }}" | base64 --decode | gpg --batch --import
 - name: Sign assets
- uses: bugsnag/platforms-release-signer@main
+ uses: bugsnag/platforms-release-signer@4d88944b11e503624f8a511cf6d0fa2901822b60 # v1.0.0
 with:
 github_token: ${{ secrets.PLATFORMS_SIGNING_GITHUB_TOKEN }}
 full_repository: ${{ github.repository }}