From 39ef4cdd21d1e4a05b3b5f7621790534cbc0199b Mon Sep 17 00:00:00 2001
From: Stephanie Ginovker <40722898+sginovker@users.noreply.github.com>
Date: Wed, 8 Apr 2026 17:58:09 -0400
Subject: [PATCH 1/2] Pin GitHub Actions to commit SHAs and update dependabot config
---
 .github/dependabot.yml | 13 +++++++++++++
 .github/workflows/codeql-analysis.yml | 8 ++++----
 .github/workflows/node.js.yml | 4 ++--
 3 files changed, 19 insertions(+), 6 deletions(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..8518bf5
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+ directory: "/"
+ commit-message:
+ prefix: "[bot] "
+ cooldown:
+ default-days: 7
+ schedule:
+ interval: "weekly"
+ day: "wednesday"
+ time: "11:00"
+ timezone: "America/Los_Angeles"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 24e47fa..4db75c0 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -36,11 +36,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@231aa2c8a89117b126725a0e11897209b7118144 # v1 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file.
@@ -51,7 +51,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@231aa2c8a89117b126725a0e11897209b7118144 # v1 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl
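Review bot: The new `updates:` list registers only `github-actions`, while node.js.yml in this same patch runs `npm test` with `cache: 'npm'`, so the npm dependencies that test run installs get no automated update or advisory pull requests; if a package manifest exists at the repository root (the npm cache step suggests one), add a second entry, `- package-ecosystem: "npm"`, with `directory: "/"` and the same `schedule:` block. The `- package-ecosystem:` item sits flush with `updates:` rather than indented under it; both forms parse, but the file should commit to one sequence style, and yamllint's default is the indented form.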
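Review bot: The new pins `uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2` and `uses: github/codeql-action/init@231aa2c8a89117b126725a0e11897209b7118144 # v1` freeze majors that, as far as I know, are no longer maintained (checkout v2 targets a retired Node runtime and codeql-action v1 has been deprecated for some time), so the SHA pin locks in code that will not receive fixes and may stop the CodeQL scan altogether. Pin to the tagged commit of a current release instead, e.g. `uses: actions/checkout@<checkout-v4-tag-sha> # v4` and `uses: github/codeql-action/init@<codeql-action-v3-tag-sha> # v3`, after confirming with `git ls-remote --tags` that each SHA is the tag's commit, because nothing in the workflow validates the trailing version comment and the Dependabot config in this patch will trust it for future bumps. The same applies to the autobuild and analyze pins in the @@ -51 and @@ -65 hunks of this file and to the checkout pin in the @@ -20 hunk of node.js.yml. The `steps:` list continues outside this hunk.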
@@ -65,4 +65,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@231aa2c8a89117b126725a0e11897209b7118144 # v1
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
index c971db8..10c726b 100644
--- a/.github/workflows/node.js.yml
+++ b/.github/workflows/node.js.yml
@@ -20,9 +20,9 @@ jobs: # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v2 + uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2 with: node-version: ${{ matrix.node-version }} cache: 'npm'
From 5f9f4c5d5ca9948693eb8c1b6b07ecda77023851 Mon Sep 17 00:00:00 2001
From: Stephanie Ginovker <40722898+sginovker@users.noreply.github.com>
Date: Wed, 22 Apr 2026 17:17:04 -0700
Subject: [PATCH 2/2] Bump actions/setup-node v2 -> v6.4.0 (legacy cache service retired)
---
 .github/workflows/node.js.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
index 10c726b..5e6116a 100644
--- a/.github/workflows/node.js.yml
+++ b/.github/workflows/node.js.yml
@@ -22,7 +22,7 @@ jobs:
 steps:
 - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: ${{ matrix.node-version }}
 cache: 'npm'
@@ -30,4 +30,3 @@ jobs:
 - run: echo "${{ secrets.SERVICE_ACCOUNT }}" | gpg --quiet --batch --yes --decrypt --passphrase="${{ secrets.KEY }}" --output test-storage.json
 - run: npm test
 - run: rm -f ./test-storage.json
-
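Review bot: The `# v6.4.0` comment on the new `uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0` line is the only link between the SHA and that release, and Dependabot will rely on it for later bumps, so confirm once before merging that `git ls-remote --tags https://github.com/actions/setup-node` resolves v6.4.0 to this commit. With `cache: 'npm'` kept, setup-node fails the step when no `package-lock.json` is present at the repository root; I cannot see the manifest from here, so this is only a check. In the neighbouring hunk, the pre-existing decrypt step expands `${{ secrets.SERVICE_ACCOUNT }}` and `${{ secrets.KEY }}` directly into the `run:` script, which places the passphrase on gpg's command line where other processes on the runner can read it from the process table (a minor concern on ephemeral hosted runners, a real one on self-hosted); the commit does not touch it, but moving both values into `env:` and feeding the passphrase via `--passphrase-fd 3 3<<<"$KEY"` would address it. The `steps:` list continues past this hunk.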