bitset already hash-pins its GitHub Actions (done in #136), which is great. However, hashes are hard to update manually, so we could use Dependabot to do this work automatically.
We can set up Dependabot to send a single periodic PR to update all the hashes. This will help keep your CI up-to-date. If you'd rather keep the Actions fixed at these trusted versions, that's understandable.
In any case, I'll also suggest enabling Dependabot security updates (if you haven't already – that information isn't visible from outside). These are PRs sent by Dependabot whenever a vulnerability is reported on a dependency. This will ensure that, should a vulnerability be discovered in the hash-pinned version of an Action, bitset will immediately receive a PR to migrate to a patched version. To enable security updates:
In the meantime, I'll send a PR adding Dependabot so you can take a look.
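
For reference, a sketch of the kind of configuration the issue describes, added here as an illustration and not taken from the issue or from the PR it mentions. The monthly interval and the group name `github-actions` are assumptions; the issue only asks for "a single periodic PR".

```yaml
# .github/dependabot.yml (illustrative example, not the project's actual file)
version: 2
updates:
  # Watch the Actions referenced in .github/workflows/*.yml.
  # For SHA-pinned Actions, Dependabot proposes the new commit hash
  # and keeps the pin in hash form.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"   # assumed cadence; "daily" and "weekly" are also valid
    groups:
      # Assumed group name. The "*" pattern collects every Action update
      # into one PR instead of one PR per Action.
      github-actions:
        patterns:
          - "*"

# Dependabot security updates are not configured in this file; they are
# switched on in the repository's settings.
```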