From da6494cbd89f1cc8d31b40fb78d4cb7173d24457 Mon Sep 17 00:00:00 2001
From: Julien Herr
Date: Wed, 20 May 2026 23:34:59 +0200
Subject: [PATCH] ci: pin action versions to SHA + add github-actions to Dependabot
Dependabot will now open PRs when new versions of actions/checkout and actions/setup-node are released, keeping the pinned SHAs up to date.
Co-Authored-By: Claude Sonnet 4.6
---
 .github/dependabot.yml | 5 +++++
 .github/workflows/release.yml | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ae59785..3fb5fe0 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,3 +7,8 @@ updates:
 groups:
 dev-dependencies:
 dependency-type: "development"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2255133..d478ae9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,9 +12,9 @@ jobs:
 contents: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 22
 cache: npm
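Review bot: In `.github/dependabot.yml`, the new `github-actions` entry has no comment saying that it exists to keep the SHA pins in the workflows current, so a later cleanup could remove it and leave the pins to go stale unnoticed. A one-line comment above the entry would record that, for example `# Keeps SHA-pinned actions in .github/workflows up to date; keep while actions are pinned by commit`. Unlike the entry above it, this one defines no `groups:`, so each action bump arrives as its own PR; that is workable for two actions, but a group would keep review load down if more are pinned later.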
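Review bot: In `.github/workflows/release.yml`, the trailing comments on the two pinned `uses:` lines say only `# v4`, which is a moving major tag, so a reader cannot check either 40-character SHA against a specific upstream release. Record the exact tag each SHA was taken from, in the form `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.x.y` (placeholder; fill in the real release), and do the same on the `actions/setup-node` line. Before merging, it is also worth confirming that both commits are reachable from a release tag in the upstream `actions/*` repositories themselves, since a pin is only as trustworthy as the commit it names and this job runs with `contents: write`. The steps list continues outside the hunk, so any further `uses:` lines below are not visible here and may still be referenced by tag.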