From a3587c1417414c26ea3142559fd23429f1d4ff98 Mon Sep 17 00:00:00 2001
From: Souradeep De
Date: Tue, 12 May 2026 16:47:55 +0200
Subject: [PATCH] ktlo: pin GitHub actions to commit SHAs
---
 .github/dependabot.yml | 8 ++++++++
 .github/workflows/ci.yml | 4 ++--
 2 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..effccfd
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 3
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3c9f467..6be722f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,10 +12,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 - name: Setup PHP
- uses: shivammathur/setup-php@v2
+ uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
 with:
 php-version: ${{ matrix.php-versions }}
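Review bot: The new .github/dependabot.yml has no comments, so neither the purpose of the file nor the reason for the `cooldown` block is recorded next to the setting. I would add a header line such as `# Keeps the SHA-pinned actions under .github/workflows/ up to date.` and, above `cooldown:`, `# Wait 3 days after a release before proposing it, so a bad or hijacked release can be noticed first.`, assuming that is the intent. As far as I know the cooldown delays version updates only and does not hold back Dependabot security updates, but that is worth confirming against the current Dependabot documentation before relying on it.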
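Review bot: The trailing `# v2` comments on both pinned `uses:` lines in .github/workflows/ci.yml name a floating major tag, so they do not record which release each SHA corresponds to and the pin cannot be checked against upstream at a glance. I would put the exact release tag in the comment, e.g. `uses: actions/checkout@<sha> # vX.Y.Z` (placeholder; take the tag from the upstream releases page). Before merging, confirm that each SHA is reachable from a tag in the action's own repository rather than only from a fork. Only two steps are visible and the job continues outside the hunk, so any other `uses:` lines there or in other workflow files would need the same treatment.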