From 31f75cce559e28d420f6f2bc54308d57954e59e3 Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Fri, 20 Mar 2026 20:29:46 +0100 Subject: [PATCH] fix: SHA-pin GitHub Actions and add Dependabot for actions updates This hardens the repository against supply chain attacks like the aquasecurity/trivy-action compromise (2026-03-19). Changes: - Pin all GitHub Actions to immutable commit SHAs - Add/update Dependabot configuration for github-actions ecosystem Ref: https://github.com/netresearch/ofelia/issues/535 Signed-off-by: Sebastian Mendel --- .github/dependabot.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..6c5049e --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,10 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + groups: + github-actions: + patterns: + - "*"
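Review bot: The commit message states "Pin all GitHub Actions to immutable commit SHAs", but this patch touches only `.github/dependabot.yml` ("1 file changed, 10 insertions(+)"); no workflow file under `.github/workflows/` is modified, so the SHA pinning either belongs to a separate patch in the series or the message overstates what this change does. Either split the message so it describes only the Dependabot addition, or include the workflow changes in the same patch so the supply-chain hardening claimed in the description is actually reviewable here. On the hunk itself, `package-ecosystem: github-actions` with `directory: /` is the correct form for Dependabot to scan all workflow files, and with the `groups` block using `patterns: - "*"` every action bump lands in a single weekly PR; that is a reasonable default, but reviewers of those grouped PRs should still check each SHA change individually rather than approving the bundle as a unit, since one entry in the group can move an action to a release from a compromised upstream.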