Add dependabot dependency scanning for GitHub actions

This commmit also switches a few third-party actions specifying versions via commit hash instead of tag (per security recommendations). The commit hashes tag slightly older version of the actions so we can verify whether or not dependabot will flag them as outdated (the docs are not clear on this matter).
reichlab · Feb 26, 2025 · 1cff07c · 1cff07c
1 parent 34ed6fc
commit 1cff07c
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+# instruct GitHub dependabot to scan github actions for updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/publish-pypi-test.yaml b/.github/workflows/publish-pypi-test.yaml
@@ -24,9 +24,7 @@ jobs:
         uses: actions/setup-python@v5
 
       - name: Install uv 🌟
-        uses: astral-sh/setup-uv@v5
-        with:
-          version: ">=0.0.1"
+        uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a # v5.1.0
 
       - name: Build package for distribution 🛠️
         run: |
@@ -56,6 +54,6 @@ jobs:
         name: cladetime-package-distribution
         path: dist/
     - name: Publish distribution to TestPyPI 🚀
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.1.12
       with:
         repository-url: https://test.pypi.org/legacy/