google / j2cl

Java to Closure JavaScript transpiler
Apache License 2.0

Add dependabot to keep GitHub Actions up-to-date #217

Closed pnacht closed 3 months ago

pnacht commented 8 months ago

Is your feature request related to a problem? Please describe.
J2CL's GitHub workflow uses hash-pinned Actions, which protects the project from supply-chain attacks. However, it currently has no way of updating those Actions.

Describe the solution you'd like
J2CL can set up dependabot to receive a single periodic PR updating all Actions with new versions. The PR will also update the "version comment" describing the respective version. For an example, see this example PR: https://github.com/pnacht/libarchive/pull/9.

I'll send a PR adding Dependabot.

Describe alternatives you've considered
If you'd rather keep the Actions fixed at their current version, that works too. However, I recommend that you at least enable Dependabot Security Updates (if you haven't already). These are PRs that are immediately sent whenever a vulnerability is reported in a dependency. These can be enabled in the project settings, under "Code security & analysis".

Additional context
My name is Pedro and I'm working with Google and the OpenSSF to improve the supply-chain security of projects critical to the open-source ecosystem.
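For reference, this is the shape of the `.github/dependabot.yml` that produces the single grouped periodic PR described above; it is an added illustration, not the configuration from the issue or from the linked libarchive PR. The `groups` name, the weekly schedule and the commented workflow step (with a placeholder commit SHA and version) are assumptions chosen for the example.

```yaml
# .github/dependabot.yml (added example; not the J2CL project's own file)
version: 2
updates:
  # Watch the workflows under .github/workflows/ for new Action releases.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # Collapse every Action bump into one PR instead of one PR per Action.
    # The group name "github-actions" is an arbitrary label (assumption).
    groups:
      github-actions:
        patterns:
          - "*"

# For a hash-pinned step like the one below (placeholder SHA and version),
# Dependabot rewrites both the commit SHA and the trailing version comment,
# so the pin stays a full-length hash rather than a mutable tag:
#
#   steps:
#     - uses: actions/checkout@<FULL_COMMIT_SHA_PLACEHOLDER> # vX.Y.Z
```

Keeping the `# vX.Y.Z` comment next to the SHA is what lets reviewers (and Dependabot) see which release a pin corresponds to without resolving the hash by hand.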