chore(ci): workflow maintenance (#1611)

Author: hgw77

.github/renovate.json

@@ -0,0 +1,51 @@
+{
+  "enabled": true,
+  "schedule": ["before 3am on the first day of the month"],
+  "extends": ["config:base"],
+  "unicodeEmoji": true,
+  "prHourlyLimit": 15,
+  "labels": ["dependencies"],
+
+  "separateMinorPatch": false,
+  "separateMajorMinor": true,
+  "major": {
+    "enabled": false
+  },
+
+  "ruby-version": { "enabled": false },
+  "ruby": { "enabled": true },
+  "bundler": { "enabled": true },
+  "docker": { "enabled": false },
+  "github-actions": {
+    "enabled": true,
+    "fileMatch": ["^\\.github/workflows/.*\\.ya?ml$"]
+  },
+
+  "rangeStrategy": "update-lockfile",
+  "packageRules": [
+    {
+      "groupName": "github actions",
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["major", "minor", "patch"],
+      "extends": ["helpers:pinGitHubActionDigests"],
+      "minimumReleaseAge": "14 days"
+    },
+    {
+      "depTypeList": ["peerDependencies"],
+      "enabled": true,
+      "rangeStrategy": "replace"
+    },
+    {
+      "depTypeList": ["devDependencies"],
+      "enabled": true,
+      "rangeStrategy": "pin"
+    }
+  ],
+
+  "ignoreDeps": ["react-bootstrap", "@nivo/bar"],
+
+  "vulnerabilityAlerts": {
+    "enabled": true,
+    "labels": ["security"]
+  }
+}

.github/workflows/checks.yaml

@@ -55,11 +55,11 @@ jobs:
           apt-get install -y nodejs
 
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Gem cache
         id: cache-bundle
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: vendor/bundle
           key: bundle-${{ hashFiles('**/Gemfile.lock') }}
@@ -84,7 +84,7 @@ jobs:
           bundle exec rspec
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: "20.x"
           registry-url: "https://npm.pkg.github.com"
@@ -101,7 +101,7 @@ jobs:
 
       - name: Yarn cache
         id: cache-yarn
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: ${{ steps.yarn-cache-dir.outputs.dir }}
           key: yarn-${{ hashFiles('**/yarn.lock') }}

.github/workflows/close-stale-issues.yml .github/workflows/close-stale-issues.yaml.github/workflows/close-stale-issues.yml renamed to .github/workflows/close-stale-issues.yaml

@@ -8,7 +8,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           # https://github.com/actions/stale?tab=readme-ov-file#all-options
           exempt-issue-labels: "neverstale"

.github/workflows/codeql.yml .github/workflows/codeql.yaml.github/workflows/codeql.yml renamed to .github/workflows/codeql.yaml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Load config
         id: load_config
@@ -39,7 +39,7 @@ jobs:
           echo "Done!"
 
       - name: CI Check Title
-        uses: amannn/action-semantic-pull-request@v5
+        uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         # skip if the PR is comming from a forked repository
         # reason: the action needs the GITHUB_TOKEN to be able to comment on the PR
         #         and the secret is not available in forked repositories