From 97dcc1f430eefa1e7973564e395e94e4f32fa473 Mon Sep 17 00:00:00 2001
From: asraa
Date: Tue, 8 Jun 2021 13:24:36 -0400
Subject: [PATCH] [ci] Pin CodeQL workflow dependencies by hash (#16581)
* pin actions
* add depenadbot
Signed-off-by: Asra Ali
---
.github/dependabot.yml | 5 +++++
.github/workflows/codeql-daily.yml | 6 +++---
.github/workflows/codeql-push.yml | 6 +++---
3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f2f567dddaa3..c53bb224efa6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -95,3 +95,8 @@ updates:
directory: "/.devcontainer"
schedule:
interval: daily
+
+- package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: daily
diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml
index d266b56ccc5d..33d278163b6b 100644
--- a/.github/workflows/codeql-daily.yml
+++ b/.github/workflows/codeql-daily.yml
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
@@ -26,7 +26,7 @@ jobs:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v1
+ uses: github/codeql-action/init@cb5810848de15b695cd9ef3b559dd178c43c7df3 # v1
# Override language selection by uncommenting this and choosing your languages
with:
languages: cpp
@@ -52,4 +52,4 @@ jobs:
git clean -xdf
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
+ uses: github/codeql-action/analyze@cb5810848de15b695cd9ef3b559dd178c43c7df3 # v1
diff --git a/.github/workflows/codeql-push.yml b/.github/workflows/codeql-push.yml
index 84e8e3a008e6..53ab04c3be07 100644
--- a/.github/workflows/codeql-push.yml
+++ b/.github/workflows/codeql-push.yml
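Review bot: The `# v1` trailers on the two `github/codeql-action` pins in codeql-daily.yml record a floating major tag rather than the release the SHA `cb5810848de15b695cd9ef3b559dd178c43c7df3` was taken from, so a reviewer cannot check the hash against a tagged release the way `# v2.3.4` allows for `actions/checkout`; write the exact tag instead, e.g. `uses: github/codeql-action/init@cb5810848de15b695cd9ef3b559dd178c43c7df3 # <exact release tag>`, and likewise on the analyze step. This matters for what the pin is for: a commit hash is only a trustworthy pin once someone has confirmed it is the commit behind a published release of the upstream repository, and the trailing comment is the record of that check for the next reviewer. The same applies to the init and analyze hunks in codeql-push.yml. Dependabot, which this commit enables for `github-actions`, appears to keep such trailing version comments in step with the SHA it bumps, which is worth confirming on its first bump PR. The `steps` list these pins belong to continues outside each hunk.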
@@ -15,7 +15,7 @@ jobs:
steps:
- name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
@@ -34,7 +34,7 @@ jobs:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v1
+ uses: github/codeql-action/init@cb5810848de15b695cd9ef3b559dd178c43c7df3 # v1
# Override language selection by uncommenting this and choosing your languages
with:
languages: cpp
@@ -63,4 +63,4 @@ jobs:
- name: Perform CodeQL Analysis
if: env.BUILD_TARGETS != ''
- uses: github/codeql-action/analyze@v1
+ uses: github/codeql-action/analyze@cb5810848de15b695cd9ef3b559dd178c43c7df3 # v1