chore: improve workflows (#1394)

ldez · web-flow · commit 97c8387e660f · 2026-05-22T02:32:02.000+02:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -3,9 +3,13 @@ updates:
   - package-ecosystem: github-actions
     directory: "/"
     schedule:
-      interval: weekly
+      interval: monthly
     cooldown:
       default-days: 7
+    groups:
+      github-actions:
+        patterns:
+          - "*"  # Group all updates into a single larger pull request.
   - package-ecosystem: npm
     directory: "/"
     groups:
@@ -14,6 +18,6 @@ updates:
       dependencies:
         dependency-type: production
     schedule:
-      interval: weekly
+      interval: monthly
     cooldown:
       default-days: 7
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -5,25 +5,21 @@ on:
     branches:
       - main
   pull_request:
-    # The branches below must be a subset of the branches above
     branches:
       - main
   schedule:
     - cron: '0 17 * * 5'
 
-permissions:
-  actions: read
-  contents: read
-  security-events: write
-
 jobs:
   codeQL:
-    # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
     runs-on: ubuntu-latest
-
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # Must fetch at least the immediate parents so that if this is
           # a pull request then we can checkout the head of the pull request.
@@ -39,7 +35,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4.35.4
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
         # Override language selection by uncommenting this and choosing your languages
         with:
           languages: 'javascript-typescript'
@@ -49,4 +45,4 @@ jobs:
           npm run all
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4.35.4
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -8,18 +8,17 @@ on:
     branches:
       - main
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   # make sure build/ci work properly
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 24.x
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - run: |
@@ -42,20 +41,17 @@ jobs:
         version:
           - ""
           - "latest"
-          - "v2.10"
-          - "v2.10.1"
+          - "v2.12"
+          - "v2.12.2"
     runs-on: ${{ matrix.os }}
-    permissions:
-      contents: read
-      pull-requests: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 24.x
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: oldstable
       - uses: ./
@@ -77,20 +73,17 @@ jobs:
         version:
           - ""
           - "latest"
-          - "v2.10.1"
-          - "f8861ca84d805a673945d037bae1559c3567aadc"
+          - "v2.12.1"
+          - "c0d3ddc9cf3faa61a4e378e879ece580256d76e5"
     runs-on: ${{ matrix.os }}
-    permissions:
-      contents: read
-      pull-requests: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 24.x
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: oldstable
       - uses: ./
@@ -113,16 +106,14 @@ jobs:
           - fixtures/go-mod
           - fixtures/go-tool
     runs-on: ${{ matrix.os }}
-    permissions:
-      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 24.x
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: oldstable
       - uses: ./
@@ -143,20 +134,17 @@ jobs:
         version:
           - ""
           - "latest"
-          - "v2.10"
-          - "v2.10.1"
+          - "v2.12"
+          - "v2.12.1"
     runs-on: ${{ matrix.os }}
-    permissions:
-      contents: read
-      pull-requests: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 24.x
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: oldstable
       - uses: ./
@@ -175,17 +163,14 @@ jobs:
           - macos-latest
           - windows-latest
     runs-on: ${{ matrix.os }}
-    permissions:
-      contents: read
-      pull-requests: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 24.x
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: oldstable
       - uses: ./
