See the commit messages for additional information.
Pinning the GitHub actions to a commit hash is recommended for increased security, in case a malicious user gains write access to the repository of an action and changes the Git tags. Though for most of the actions we use the risk of this seems rather low since the actions are maintained by GitHub.
Using Dependabot for the GitHub actions makes sure no deprecated versions are used by accident (such as the recently deprecated CodeQL Action v2). We will have to make sure though that Dependabot version updates don't contain any breaking changes, but hopefully the maintainers follow SemVer, so this should hopefully be easy to notice.
Purpose
Description
See the commit messages for additional information.
Pinning the GitHub actions to a commit hash is recommended for increased security, in case a malicious user gains write access to the repository of an action and changes the Git tags. Though for most of the actions we use the risk of this seems rather low since the actions are maintained by GitHub.
Using Dependabot for the GitHub actions makes sure no deprecated versions are used by accident (such as the recently deprecated CodeQL Action v2). We will have to make sure though that Dependabot version updates don't contain any breaking changes, but hopefully the maintainers follow SemVer, so this should hopefully be easy to notice.