chore(ci): harden and upgrade

Author: avivkeller

.github/dependabot.yml

@@ -1,5 +1,9 @@
 version: 2
 updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
   - package-ecosystem: npm
     directory: /
     schedule:

.github/workflows/dist.yml

@@ -22,9 +22,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 16.x
 
@@ -35,13 +37,13 @@ jobs:
       - id: diff
         run: |
           if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
-            echo "Detected uncommitted changes after build.  See status below:"
+            echo "Detected uncommitted changes after build. See status below:"
             git diff
             exit 1
           fi
 
       # If index.js was different than expected, upload the expected version as an artifact
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}
         with:
           name: dist

.github/workflows/test.yml

@@ -11,6 +11,8 @@ jobs:
   units:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - run: npm ci
     - run: npm test

autodeploy.js

@@ -2,7 +2,7 @@ const { HttpClient } = require("@actions/http-client");
 const {
   BasicCredentialHandler,
   PersonalAccessTokenCredentialHandler,
-} = require("@actions/http-client/auth");
+} = require("@actions/http-client/lib/auth");
 
 function parseToken(token) {
   const separator = token.indexOf(":");