From 1cff07c00ab434b57c64779b0bd70e53c011e663 Mon Sep 17 00:00:00 2001
From: Becky Sweger
Date: Tue, 25 Feb 2025 14:44:31 -0500
Subject: [PATCH] Add dependabot dependency scanning for GitHub actions
This commmit also switches a few third-party actions specifying versions via commit hash instead of tag (per security recommendations). The commit hashes tag slightly older version of the actions so we can verify whether or not dependabot will flag them as outdated (the docs are not clear on this matter).
---
.github/dependabot.yml | 8 ++++++++
.github/workflows/publish-pypi-test.yaml | 6 ++----
2 files changed, 10 insertions(+), 4 deletions(-)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..2202dc4
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+# instruct GitHub dependabot to scan github actions for updates
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/publish-pypi-test.yaml b/.github/workflows/publish-pypi-test.yaml
index 38b95ec..f1a6b05 100644
--- a/.github/workflows/publish-pypi-test.yaml
+++ b/.github/workflows/publish-pypi-test.yaml
@@ -24,9 +24,7 @@ jobs:
uses: actions/setup-python@v5
- name: Install uv 🌟
- uses: astral-sh/setup-uv@v5
- with:
- version: ">=0.0.1"
+ uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a # v5.1.0
- name: Build package for distribution 🛠️
run: |
@@ -56,6 +54,6 @@ jobs:
name: cladetime-package-distribution
path: dist/
- name: Publish distribution to TestPyPI 🚀
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.1.12
with:
repository-url: https://test.pypi.org/legacy/
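Review bot: The new `uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a # v5.1.0` line pins the action's source, but with the `with: version:` input dropped at the same time, the uv release the action installs at run time is still unpinned, so the build toolchain used to produce the distribution can change underneath a byte-identical workflow; consider keeping the input with an exact release, e.g. `version: "<exact uv release>"` (placeholder). The context line `uses: actions/setup-python@v5` in the same job still references an action by mutable tag, so the hash-pinning described in the commit message is only partially applied in this workflow; the job's step list continues outside the hunk. Dependabot rewrites both the SHA and the trailing version comment when it opens an update, so the `# v5.1.0` comment should be checked against the tag the hash actually corresponds to before merging; the same check applies to the `# v1.1.12` comment in the second hunk of this file.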
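Review bot: The trailing comment `# v1.1.12` on the new `uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc` line looks like it may be a transposed `v1.12.x` tag rather than a "slightly older" release, which is worth confirming since the comment is the only human-readable record of what is pinned and Dependabot will carry it forward. Because this is the step that holds the publishing credentials for TestPyPI, running an intentionally outdated commit of the publish action should be a short-lived experiment; a follow-up such as `# TODO: bump to current release once the Dependabot check is confirmed` next to the line would keep that intent visible. The `with:` block for this step runs to the end of the hunk, so any further inputs are outside this view.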