Update GitHub workflows

* Upgrade pre-commit dependencies
* Add GitHub action pinning workflow
* Add Dependabot configuration

Author: replaceafill

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 1
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/test.yml

@@ -1,25 +1,28 @@
 ---
 name: "Test"
 on:
+  workflow_dispatch:
   pull_request:
   push:
+    branches:
+      - "0.[0-9][0-9]"
 jobs:
   test:
     name: "Test"
-    runs-on: "ubuntu-22.04"
+    runs-on: "ubuntu-24.04"
     steps:
       - name: "Check out repository"
-        uses: "actions/checkout@v4"
+        uses: "actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8" # v5.0.0
       - name: "Set up Python"
-        uses: "actions/setup-python@v5"
+        uses: "actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c" # v6.0.0
         with:
-          python-version: "3.10"
+          python-version: "3.12"
       - name: "Get pip cache dir"
         id: "pip-cache"
         run: |
           echo "dir=$(pip cache dir)" >> $GITHUB_OUTPUT
       - name: "Cache pip packages"
-        uses: "actions/cache@v3"
+        uses: "actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830" # v4.3.0
         with:
           path: "${{ steps.pip-cache.outputs.dir }}"
           key: "${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}"
@@ -37,8 +40,8 @@ jobs:
           make linkcheck
   lint:
     name: "Linting"
-    runs-on: "ubuntu-22.04"
+    runs-on: "ubuntu-24.04"
     steps:
-      - uses: "actions/checkout@v4"
-      - uses: "actions/setup-python@v5"
-      - uses: "pre-commit/action@v3.0.1"
+      - uses: "actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8" # v5.0.0
+      - uses: "actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c" # v6.0.0
+      - uses: "pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd" #v3.0.1

.github/workflows/validate-action-pinning.yml

@@ -0,0 +1,24 @@
+name: "Validate GitHub Action pinning"
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+  push:
+    branches:
+      - "0.[0-9][0-9]"
+    paths:
+      - ".github/workflows/**"
+
+permissions:
+  contents: "read"
+
+jobs:
+  enforce-pinning:
+    name: "Enforce commit SHA pinning"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: "Check out repository"
+        uses: "actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8" # v5.0.0
+      - name: "Ensure SHA-pinned Actions"
+        uses: "zgosalvez/github-actions-ensure-sha-pinned-actions@9e9574ef04ea69da568d6249bd69539ccc704e74" # v4.0.0

.pre-commit-config.yaml

@@ -1,18 +1,18 @@
 repos:
 - repo: "https://github.com/sphinx-contrib/sphinx-lint"
-  rev: "v0.9.1"
+  rev: "v1.0.1"
   hooks:
   - id: "sphinx-lint"
 - repo: "https://github.com/igorshubovych/markdownlint-cli"
-  rev: "v0.39.0"
+  rev: "v0.45.0"
   hooks:
   - id: "markdownlint"
 - repo: "https://github.com/adrienverge/yamllint"
-  rev: "v1.34.0"
+  rev: "v1.37.1"
   hooks:
   - id: "yamllint"
 - repo: "https://github.com/pre-commit/pre-commit-hooks"
-  rev: "v4.5.0"
+  rev: "v6.0.0"
   hooks:
   - id: "trailing-whitespace"
   - id: "end-of-file-fixer"