From 920fa4eed7d4db5faaff1f8815cd6caa34d4f582 Mon Sep 17 00:00:00 2001
From: William Allen <16820599+williamjallen@users.noreply.github.com>
Date: Tue, 6 Jan 2026 15:17:44 -0500
Subject: [PATCH 1/2] Pin GHA dependencies by hash
Hash-pinned dependencies are an important requirement enforced by the OpenSSF scorecard tool: https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies This commit pins all GitHub Actions workflows to a commit hash.
---
 .github/workflows/mac_mpich.yml | 2 +-
 .github/workflows/mac_mpich_lustre.yml | 2 +-
 .github/workflows/mac_openmpi.yml | 2 +-
 .github/workflows/mac_openmpi_lustre.yml | 2 +-
 .github/workflows/ubuntu_mpich.yml | 2 +-
 .github/workflows/ubuntu_mpich_lustre.yml | 2 +-
 .github/workflows/ubuntu_openmpi.yml | 2 +-
 .github/workflows/ubuntu_openmpi_adios.yml | 2 +-
 .github/workflows/ubuntu_openmpi_lustre.yml | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/mac_mpich.yml b/.github/workflows/mac_mpich.yml
index bd52d5ac8..d51ff5593 100644
--- a/.github/workflows/mac_mpich.yml
+++ b/.github/workflows/mac_mpich.yml
@@ -34,7 +34,7 @@ jobs:
 runs-on: macos-latest
 timeout-minutes: 120
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up dependencies
 run: |
 # brew install gcc
diff --git a/.github/workflows/mac_mpich_lustre.yml b/.github/workflows/mac_mpich_lustre.yml
index 444449a4a..e72899c7e 100644
--- a/.github/workflows/mac_mpich_lustre.yml
+++ b/.github/workflows/mac_mpich_lustre.yml
@@ -34,7 +34,7 @@ jobs:
 runs-on: macos-latest
 timeout-minutes: 120
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up dependencies
 run: |
 # brew install gcc
diff --git a/.github/workflows/mac_openmpi.yml b/.github/workflows/mac_openmpi.yml
index b0fdfd66d..72896a659 100644
--- a/.github/workflows/mac_openmpi.yml
+++ b/.github/workflows/mac_openmpi.yml
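Review bot: The `# v4` trailer on the new checkout pin names only a major tag, so neither a reader nor Dependabot can tell which actions/checkout release 34e114876b0b11c390a56381ad16ebd13914f8d5 corresponds to, and that mapping cannot be verified from the diff alone; after checking the hash against the upstream release tag, record the exact version, `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v<X.Y.Z>` (with X.Y.Z replaced by the tag that resolves to that commit), so later audits and automated bumps have something concrete to compare against. The same change appears in the mac_mpich_lustre, mac_openmpi, mac_openmpi_lustre, ubuntu_mpich, ubuntu_mpich_lustre, ubuntu_openmpi, ubuntu_openmpi_adios and ubuntu_openmpi_lustre hunks. Only the checkout step is visible in each hunk; if these jobs use any other `uses:` action outside the shown context, the scorecard pinned-dependencies check the commit message cites still requires those to be hash-pinned as well. The enclosing job definitions start and end outside the hunks.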
@@ -34,7 +34,7 @@ jobs:
 runs-on: macos-latest
 timeout-minutes: 120
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up dependencies
 run: |
 # brew install gcc
diff --git a/.github/workflows/mac_openmpi_lustre.yml b/.github/workflows/mac_openmpi_lustre.yml
index f90fc8b2b..fba79468b 100644
--- a/.github/workflows/mac_openmpi_lustre.yml
+++ b/.github/workflows/mac_openmpi_lustre.yml
@@ -34,7 +34,7 @@ jobs:
 runs-on: macos-latest
 timeout-minutes: 120
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up dependencies
 run: |
 # brew install gcc
diff --git a/.github/workflows/ubuntu_mpich.yml b/.github/workflows/ubuntu_mpich.yml
index 5a41e36b7..d7efa7303 100644
--- a/.github/workflows/ubuntu_mpich.yml
+++ b/.github/workflows/ubuntu_mpich.yml
@@ -30,7 +30,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 120
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up dependencies
 run: |
 sudo apt-get update
diff --git a/.github/workflows/ubuntu_mpich_lustre.yml b/.github/workflows/ubuntu_mpich_lustre.yml
index 6472279d4..2e00a4895 100644
--- a/.github/workflows/ubuntu_mpich_lustre.yml
+++ b/.github/workflows/ubuntu_mpich_lustre.yml
@@ -30,7 +30,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 120
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up dependencies
 run: |
 sudo apt-get update
diff --git a/.github/workflows/ubuntu_openmpi.yml b/.github/workflows/ubuntu_openmpi.yml
index b12d389b9..62f8b77b0 100644
--- a/.github/workflows/ubuntu_openmpi.yml
+++ b/.github/workflows/ubuntu_openmpi.yml
@@ -30,7 +30,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 120
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up dependencies
 run: |
 sudo apt-get update
diff --git a/.github/workflows/ubuntu_openmpi_adios.yml b/.github/workflows/ubuntu_openmpi_adios.yml
index 71b735e40..37e0d4ce5 100644
--- a/.github/workflows/ubuntu_openmpi_adios.yml
+++ b/.github/workflows/ubuntu_openmpi_adios.yml
@@ -31,7 +31,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 120
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up dependencies
 run: |
 sudo apt-get update
diff --git a/.github/workflows/ubuntu_openmpi_lustre.yml b/.github/workflows/ubuntu_openmpi_lustre.yml
index 76faecc52..2a2a39189 100644
--- a/.github/workflows/ubuntu_openmpi_lustre.yml
+++ b/.github/workflows/ubuntu_openmpi_lustre.yml
@@ -30,7 +30,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 120
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up dependencies
 run: |
 sudo apt-get update
From 2e8dc2ba1a6adaecaad43986692b86c49493bdcd Mon Sep 17 00:00:00 2001
From: William Allen <16820599+williamjallen@users.noreply.github.com>
Date: Tue, 6 Jan 2026 15:39:43 -0500
Subject: [PATCH 2/2] Configure Dependabot updates for GitHub Actions
This commit adds a basic Dependabot configuration for GitHub Actions workflow updates. In addition to keeping dependencies fresh, adding a Dependabot configuration allows the project to receive Dependabot security alerts if configured in the project settings: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates
---
 .github/dependabot.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..cdced8f1b
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ cooldown:
+ default-days: 7
\ No newline at end of file
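Review bot: The new dependabot.yml ends without a trailing newline (the `\ No newline at end of file` marker after `default-days: 7`), which yamllint flags and which makes the next edit to the file show a spurious change on that last line; add the newline. With `interval: "monthly"` combined with `default-days: 7`, a newly released commit of a pinned action will not be proposed as a pin update for roughly five weeks in the worst case, which is reasonable for routine bumps but worth confirming against the security motivation given in the commit message — check the Dependabot cooldown documentation for whether the delay also applies to security updates before relying on this file for that purpose. Quoting the ecosystem and interval strings is fine; `version: 2` must stay an unquoted integer, as written.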