From abfe3705b353facbd6d4ec4cfed6b21c36e29b77 Mon Sep 17 00:00:00 2001
From: Jonathan Stairs
Date: Mon, 23 Mar 2026 14:22:46 -0400
Subject: [PATCH] chore(): pin GitHub Actions to commit SHAs
---
.github/dependabot.yml | 9 +++++++--
.github/workflows/style.yml | 6 +++---
.github/workflows/tests.yml | 8 ++++----
3 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 45323ad..7d34406 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,5 +1,4 @@ version: 2 - updates: # Maintain dependencies for GitHub Actions - package-ecosystem: "github-actions"
@@ -7,5 +6,11 @@ updates: schedule: interval: "weekly" labels: - - "appsec" + - appsec open-pull-requests-limit: 10 + groups: + minor-and-patch: + applies-to: version-updates + update-types: + - patch + - minor
diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml
index 356bbf1..1981ed7 100644
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@@ -12,10 +12,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1 with: ruby-version: 3.4.1
@@ -30,7 +30,7 @@ jobs: name: runner / shellcheck runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: shellcheck uses: reviewdog/action-shellcheck@4c07458293ac342d477251099501a718ae5ef86e # v1.32.0 with:
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index ec4d8a3..647cd08 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
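Review bot: The new `groups:` block in `.github/dependabot.yml` carries no comment stating its scope, and that scope matters now that every `uses:` line is a pinned SHA. As written, `applies-to: version-updates` with `update-types` of `patch` and `minor` batches only minor and patch version bumps into one PR; major bumps and security updates are not covered by this group. I would add a comment above `groups:` such as `# Batch minor/patch action bumps into one PR; majors and security updates are handled outside this group`. A grouped PR will rewrite several 40-character SHAs at once, so each changed SHA should be checked against its upstream release tag rather than approving the batch as a unit.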
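Review bot: The trailing comments on the new pins in the first `style.yml` hunk (`# v6` on `actions/checkout`, `# v1` on `ruby/setup-ruby`) name only the floating major tag, so a reader cannot tell which release the SHA corresponds to, nor re-verify it once the major tag has moved. The `reviewdog/action-shellcheck` line already in this file records the exact release (`# v1.32.0`); the new pins should follow that convention, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # vX.Y.Z`, where `vX.Y.Z` is a placeholder for the tag that SHA resolves to. Before merging, confirm that each SHA is a tagged release commit in the action's own repository and not a commit that exists only in a fork. The same applies to the second hunk in `style.yml` and to all four pins in `.github/workflows/tests.yml`.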
@@ -12,10 +12,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1 with: ruby-version: 3.4.1 bundler-cache: true
@@ -25,7 +25,7 @@ jobs: bundle exec rspec - name: Upload coverage results - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: include-hidden-files: 'true' name: coverage-results
@@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Download coverage results - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: coverage-results path: coverage