From bf142ab17e4ad4de7400c405d69a8da0e1b246dd Mon Sep 17 00:00:00 2001
From: Ben Brandt
Date: Tue, 23 Jun 2026 12:20:07 +0200
Subject: [PATCH] Pin GitHub Actions to commit SHAs

Also sets up dependabot for just actions
---
 .github/dependabot.yml | 11 +++++++++++
 .github/workflows/ci.yml | 4 ++--
 .github/workflows/codex-update.yml | 17 ++++++++---------
 3 files changed, 21 insertions(+), 11 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..bb9dcf0a
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ # Check for updates to GitHub Actions every week
+ interval: "weekly"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 96963afe..2372d7d5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,8 +17,8 @@ jobs:
 - uses: actions/checkout@v4
 - uses: actions/setup-node@v6
 with:
- node-version: '24'
- - uses: oven-sh/setup-bun@v2
+ node-version: "24"
+ - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6
 with:
 bun-version: 1.3.11
 - name: Install dependencies
diff --git a/.github/workflows/codex-update.yml b/.github/workflows/codex-update.yml
index eba8d87f..d26db41b 100644
--- a/.github/workflows/codex-update.yml
+++ b/.github/workflows/codex-update.yml
@@ -2,7 +2,7 @@ name: Codex Update
 on:
 schedule:
- - cron: '0 5 * * *'
+ - cron: "0 5 * * *"
 workflow_dispatch:
 permissions:
@@ -10,9 +10,9 @@ permissions:
 packages: read
 env:
- CODEX_PACKAGE: '@openai/codex'
- CODEX_UPDATE_LABEL: 'codex-update'
- GITHUB_BOT_USERNAME: 'github-actions[bot]'
+ CODEX_PACKAGE: "@openai/codex"
+ CODEX_UPDATE_LABEL: "codex-update"
+ GITHUB_BOT_USERNAME: "github-actions[bot]"
 jobs:
 check:
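Review bot: The wildcard group in the new `.github/dependabot.yml` (`patterns:` / `- "*"`) bundles every action update, including major-version bumps, into one weekly PR, and the only comment in the hunk explains the schedule rather than that grouping. A comment above `groups:` would make the intent explicit, for example `# Group all action bumps (majors included) into one weekly PR`. Because the workflows now pin actions to commit SHAs, each grouped PR will mostly consist of SHA changes; as far as I know Dependabot also refreshes a trailing `# vX` version comment on a `uses:` line when one is present, so keeping such comments on the pins is what makes those PRs reviewable.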
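Review bot: The new `oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6` pin drops the human-readable version that `@v2` carried, so nothing on the line records which release the SHA corresponds to; write it as `- uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2` (or the exact tag the SHA was taken from), which Dependabot presumably keeps in sync when it bumps the pin. The same applies to `openai/codex-action@10cb888d2ed3b99867f7e7ccff174a861a75aeb6` in the codex-update.yml hunk at line 83, which previously read `@v1`. The context lines `actions/checkout@v4` and `actions/setup-node@v6` remain mutable tags, which seems at odds with the subject "Pin GitHub Actions to commit SHAs"; if leaving first-party actions on tags is deliberate, the commit description should say so. The enclosing `steps:` list starts outside the hunk.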
@@ -83,7 +83,7 @@ jobs:
 - name: Finalize update with Codex
 id: codex-finalize
- uses: openai/codex-action@v1
+ uses: openai/codex-action@10cb888d2ed3b99867f7e7ccff174a861a75aeb6
 with:
 openai-api-key: ${{ secrets.OPENAI_API_KEY }}
 codex-version: ${{ env.VERSION }}
@@ -91,12 +91,12 @@ jobs:
 codex-args: >-
 -c sandbox_workspace_write.writable_roots=["${{ github.workspace }}/.git"]
 prompt: >
- Finalize the update using codex-update-compat skill.
- Commit the changes, the message should mention that types or/and tests after the update were fixed.
+ Finalize the update using codex-update-compat skill.
+ Commit the changes, the message should mention that types or/and tests after the update were fixed.
 When creating the final message do not mention:
 * Validation run details.
 * Commits.
- * Hyperlinks.
+ * Hyperlinks.
 Mention only previously failed tests with failure reasons, also what you changed and why.
 - name: Push branch updates
@@ -143,4 +143,3 @@ jobs:
 gh pr close "$pr_number" \
 --comment "Closing obsolete update PR"
 done
-