From 68443875970ef3d21883928979fef2f2477d2fae Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Fri, 20 Mar 2026 20:21:00 +0100
Subject: [PATCH] fix: SHA-pin GitHub Actions and add Dependabot for actions updates

This hardens the repository against supply chain attacks like the aquasecurity/trivy-action compromise (2026-03-19).

Changes:
- Pin all GitHub Actions to immutable commit SHAs
- Add/update Dependabot configuration for github-actions ecosystem

Ref: https://github.com/netresearch/ofelia/issues/535

Signed-off-by: Sebastian Mendel
---
 .github/dependabot.yml              | 10 ++++++++++
 .github/workflows/documentation.yml |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..6c5049e2
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      github-actions:
+        patterns:
+          - "*"
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 10cc6d5f..75dd5eaa 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Test if the documentation will render without warnings
         run: |
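Review bot: The single `directory: /` entry for the github-actions ecosystem covers, as far as I understand Dependabot's behaviour, the workflow files under `.github/workflows` and an `action.yml` at the repository root, so any composite actions kept in other directories would need their own `updates` entries to have their pins refreshed; that may not apply to this repository, but it is worth confirming since the pins are the protection this commit relies on. Grouping every action under the one `"*"` pattern also means a single weekly PR can bump several pinned SHAs at once, which makes checking each new SHA against its tagged release a little heavier at review time than one PR per action; if that trade-off is intended, a short comment such as `# one grouped PR per week; verify each bumped SHA against its release tag before merging` above `groups:` would record it for the next maintainer. The dependabot hunk is complete; the documentation.yml hunk continues past the end of this excerpt.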