From afdbae36b9e1868f2c2fe51ce5b7ab52fecb06ad Mon Sep 17 00:00:00 2001
From: Mahangu Weerasinghe
Date: Mon, 8 Jun 2026 15:37:27 +0530
Subject: [PATCH] chore: pin third-party GitHub Actions to commit SHAs
Tracking: DEVPROD-1072
---
 .github/dependabot.yml | 22 ++++++++++++++++++++++
 .github/workflows/test.yml | 4 ++--
 2 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..7ddd384
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,22 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ open-pull-requests-limit: 10
+ groups:
+ actions-minor-patch:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+ actions-major:
+ patterns:
+ - "*"
+ update-types:
+ - "major"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 73e1400..a96b2b9 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
 python-version: ${{ matrix.python-version }}
 - name: Install Poetry
- uses: snok/install-poetry@v1
+ uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1.4.2
 with:
 version: "1.8.3"
 virtualenvs-create: true
@@ -55,7 +55,7 @@ jobs:
 python-version: "3.11"
 - name: Install Poetry
- uses: snok/install-poetry@v1
+ uses: snok/install-poetry@a783c322200f0519c7926aa6faa857c4e23e9263 # v1.4.2
 with:
 version: "1.8.3"
 virtualenvs-create: true
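Review bot: The `cooldown:` block at the end of the new `.github/dependabot.yml` has no comment saying why updates are held back, so a later maintainer may remove it as noise. A line above it such as `# Hold new releases for 7 days before proposing them, so a bad or retracted release can surface upstream first` would record the intent. Indentation is lost in this view, so confirm that `cooldown` sits at the level of the update entry, beside `groups`, and not inside it. Both groups match `"*"`, so one grouped PR can move several SHA pins at once, and each new SHA in such a PR should be compared with the upstream tag it claims before merge.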
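Review bot: The trailing `# v1.4.2` comment on the new `uses:` line in `.github/workflows/test.yml` is the only thing tying the 40-character SHA to a release, and nothing in the diff lets a reader confirm it. Before merge, check that `a783c322200f0519c7926aa6faa857c4e23e9263` is the commit the upstream `v1.4.2` tag resolves to in `snok/install-poetry` itself and not in a fork. The identical line appears in the second hunk (`@@ -55,7 +55,7 @@`), so the two pins must be kept in step. The step just above in each hunk has its `uses:` outside the visible context and is unchanged here, so if it still references a mutable tag it has the same exposure. Pinning the action does not pin whatever the action fetches at run time, so the `version: "1.8.3"` input remains the control on the Poetry release.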