Trigger GHA release immutability check on dependabot branches only

Avoid skipped status check when it not necessary by pulling the branch-
based filtering up to the workflow trigger.

Also, merge two Dependabot-related jobs into one workflow.

Author: ericcornelissen

.github/workflows/checks.yml

@@ -72,71 +72,6 @@ jobs:
           languages: ${{ matrix.what }}
       - name: Perform CodeQL analysis
         uses: github/codeql-action/analyze@v4.32.0
-  gha-release:
-    name: GitHub Actions Release Immutability
-    runs-on: ubuntu-24.04
-    if: ${{ github.event_name == 'pull_request' && startsWith(github.event.pull_request.head.ref || github.ref_name, 'dependabot/github_actions/') }}
-    permissions:
-      pull-requests: write # To comment on a Pull Request
-    steps:
-      - name: Parse
-        id: parse
-        shell: bash
-        env:
-          TITLE: ${{ github.event.pull_request.title }}
-        run: |
-          REPO=$(echo "${TITLE}" | awk -F' ' '{print $2}')
-          OLD=$(echo "${TITLE}" | awk -F' ' '{print $4}')
-          NEW=$(echo "${TITLE}" | awk -F' ' '{print $6}')
-
-          {
-            echo "repo=$REPO"
-            echo "new=$NEW"
-            echo "old=$OLD"
-          } >>"$GITHUB_OUTPUT"
-      - name: Check
-        id: check
-        shell: bash
-        env:
-          GH_TOKEN: ${{ github.token }}
-          NEW: ${{ steps.parse.outputs.new }}
-          OLD: ${{ steps.parse.outputs.old }}
-          REPO: ${{ steps.parse.outputs.repo }}
-        run: |
-          set -euo pipefail
-
-          WAS_IMMUTABLE=$(gh release view "v${OLD}" --repo "${REPO}" --json isImmutable | jq .isImmutable)
-          IS_IMMUTABLE=$(gh release view "v${NEW}" --repo "${REPO}" --json isImmutable | jq .isImmutable)
-
-          echo "::debug::was ${WAS_IMMUTABLE}; is ${IS_IMMUTABLE}"
-          {
-          case "${WAS_IMMUTABLE};${IS_IMMUTABLE}" in
-          'true;true')
-            echo "comment="
-            ;;
-          'false;false')
-            echo "comment=${OLD} was not an immutable release and ${NEW} still is not. :neutral_face:"
-            ;;
-          'true;false')
-            echo "comment=${OLD} was an immutable release but ${NEW} is not. :cry:"
-            ;;
-          'false;true')
-            echo "comment=${OLD} was not an immutable release but ${NEW} is! :smile:"
-            ;;
-          esac
-          } >>"$GITHUB_OUTPUT"
-      - name: Comment
-        if: ${{ steps.check.outputs.comment != '' }}
-        shell: bash
-        env:
-          GH_TOKEN: ${{ github.token }}
-          GH_URL: ${{ github.server_url }}
-          COMMENT: ${{ steps.check.outputs.comment }}
-          NUMBER: ${{ github.event.pull_request.number }}
-          REPO: ${{ github.repository }}
-        run: |
-          URL="${GH_URL}/${REPO}/pull/${NUMBER}"
-          gh pr comment "${URL}" --body "${COMMENT}"
   reproducible:
     name: Reproducible build
     runs-on: ubuntu-24.04

.github/workflows/dependabot.yml

@@ -0,0 +1,102 @@
+name: ghasum
+on:
+  push:
+    branches:
+      - dependabot/github_actions/**
+
+permissions: read-all
+
+jobs:
+  gha-release:
+    name: GitHub Actions Release Immutability
+    runs-on: ubuntu-24.04
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    permissions:
+      pull-requests: write # To comment on a Pull Request
+    steps:
+      - name: Parse
+        id: parse
+        shell: bash
+        env:
+          TITLE: ${{ github.event.pull_request.title }}
+        run: |
+          REPO=$(echo "${TITLE}" | awk -F' ' '{print $2}')
+          OLD=$(echo "${TITLE}" | awk -F' ' '{print $4}')
+          NEW=$(echo "${TITLE}" | awk -F' ' '{print $6}')
+
+          {
+            echo "repo=$REPO"
+            echo "new=$NEW"
+            echo "old=$OLD"
+          } >>"$GITHUB_OUTPUT"
+      - name: Check
+        id: check
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+          NEW: ${{ steps.parse.outputs.new }}
+          OLD: ${{ steps.parse.outputs.old }}
+          REPO: ${{ steps.parse.outputs.repo }}
+        run: |
+          set -euo pipefail
+
+          WAS_IMMUTABLE=$(gh release view "v${OLD}" --repo "${REPO}" --json isImmutable | jq .isImmutable)
+          IS_IMMUTABLE=$(gh release view "v${NEW}" --repo "${REPO}" --json isImmutable | jq .isImmutable)
+
+          echo "::debug::was ${WAS_IMMUTABLE}; is ${IS_IMMUTABLE}"
+          {
+          case "${WAS_IMMUTABLE};${IS_IMMUTABLE}" in
+          'true;true')
+            echo "comment="
+            ;;
+          'false;false')
+            echo "comment=${OLD} was not an immutable release and ${NEW} still is not. :neutral_face:"
+            ;;
+          'true;false')
+            echo "comment=${OLD} was an immutable release but ${NEW} is not. :cry:"
+            ;;
+          'false;true')
+            echo "comment=${OLD} was not an immutable release but ${NEW} is! :smile:"
+            ;;
+          esac
+          } >>"$GITHUB_OUTPUT"
+      - name: Comment
+        if: ${{ steps.check.outputs.comment != '' }}
+        shell: bash
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_URL: ${{ github.server_url }}
+          COMMENT: ${{ steps.check.outputs.comment }}
+          NUMBER: ${{ github.event.pull_request.number }}
+          REPO: ${{ github.repository }}
+        run: |
+          URL="${GH_URL}/${REPO}/pull/${NUMBER}"
+          gh pr comment "${URL}" --body "${COMMENT}"
+  ghasum:
+    name: Update gha.sum
+    runs-on: ubuntu-24.04
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    permissions:
+      contents: write # To push a commit
+    steps:
+      - name: Create automation token
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0
+        id: automation-token
+        with:
+          app-id: ${{ secrets.AUTOMATION_APP_ID }}
+          private-key: ${{ secrets.AUTOMATION_APP_PRIVATE_KEY }}
+      - name: Checkout repository
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          token: ${{ steps.automation-token.outputs.token }}
+      - name: Install ghasum
+        uses: ./.github/actions/ghasum
+        with:
+          mode: install
+      - name: Update gha.sum
+        run: ghasum update
+      - name: Commit gha.sum
+        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
+        with:
+          commit_message: Update ghasum checksums
+          file_pattern: .github/workflows/gha.sum

.github/workflows/ghasum.yml

@@ -1,37 +0,0 @@
-name: ghasum
-on:
-  push:
-    branches:
-      - dependabot/github_actions/**
-
-permissions: read-all
-
-jobs:
-  update:
-    name: Update gha.sum
-    runs-on: ubuntu-24.04
-    if: ${{ github.actor == 'dependabot[bot]' }}
-    permissions:
-      contents: write # To push a commit
-    steps:
-      - name: Create automation token
-        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2.2.0
-        id: automation-token
-        with:
-          app-id: ${{ secrets.AUTOMATION_APP_ID }}
-          private-key: ${{ secrets.AUTOMATION_APP_PRIVATE_KEY }}
-      - name: Checkout repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
-        with:
-          token: ${{ steps.automation-token.outputs.token }}
-      - name: Install ghasum
-        uses: ./.github/actions/ghasum
-        with:
-          mode: install
-      - name: Update gha.sum
-        run: ghasum update
-      - name: Commit gha.sum
-        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
-        with:
-          commit_message: Update ghasum checksums
-          file_pattern: .github/workflows/gha.sum