From 2080bfec6a1bfa96974147086139f17eee0223f3 Mon Sep 17 00:00:00 2001
From: Rafael Matias <rafael@skyle.net>
Date: Mon, 24 Mar 2025 13:37:30 +0100
Subject: [PATCH 1/4] Update GitHub Actions in .github/workflows/docs.yml to
 use pinned hashes

---
 .github/workflows/docs.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 930781e77c..45958f7296 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -10,13 +10,13 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Build docs
         run: make _copy_docs
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: 3.x
-      - uses: actions/cache@v2
+      - uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2
         with:
           key: ${{ github.ref }}
           path: .cache

From 9b9662bddcb556964c628f6f6a02c504b09d94c1 Mon Sep 17 00:00:00 2001
From: Rafael Matias <rafael@skyle.net>
Date: Mon, 24 Mar 2025 13:37:31 +0100
Subject: [PATCH 2/4] Update GitHub Actions in
 .github/workflows/generate_vectors.yml to use pinned hashes

---
 .github/workflows/generate_vectors.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/generate_vectors.yml b/.github/workflows/generate_vectors.yml
index 7e13f5f837..b0615733d5 100644
--- a/.github/workflows/generate_vectors.yml
+++ b/.github/workflows/generate_vectors.yml
@@ -21,13 +21,13 @@ jobs:
     runs-on: [self-hosted-ghr-custom, size-xl-x64, profile-consensusSpecs]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: 'ethereum/consensus-specs'
           path: 'consensus-specs'
           ref: ${{ inputs.ref || 'dev' }}
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '3.12.4'
           cache: ''
@@ -55,22 +55,22 @@ jobs:
           tar -czvf minimal.tar.gz tests/minimal
           tar -czvf mainnet.tar.gz tests/mainnet
       - name: Upload general.tar.gz
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: General Test Configuration
           path: consensus-spec-tests/general.tar.gz
       - name: Upload minimal.tar.gz
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: Minimal Test Configuration
           path: consensus-spec-tests/minimal.tar.gz
       - name: Upload mainnet.tar.gz
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: Mainnet Test Configuration
           path: consensus-spec-tests/mainnet.tar.gz
       - name: Upload consensustestgen
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: consensustestgen.log
           path: consensustestgen.log

From b0670c460d187619beabb2a08641c55d8fb02c93 Mon Sep 17 00:00:00 2001
From: Rafael Matias <rafael@skyle.net>
Date: Mon, 24 Mar 2025 13:37:32 +0100
Subject: [PATCH 3/4] Update GitHub Actions in .github/workflows/run-tests.yml
 to use pinned hashes

---
 .github/workflows/run-tests.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index c4e6e78043..0be5da76c2 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -28,14 +28,14 @@ jobs:
     runs-on: [self-hosted-ghr-custom, size-l-x64, profile-consensusSpecs]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version: '20'
           cache: ''
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '3.12.4'
           cache: ''
@@ -48,7 +48,7 @@ jobs:
     runs-on: [self-hosted-ghr-custom, size-l-x64, profile-consensusSpecs]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Check for trailing whitespace
         run: |
           if git grep -n '[[:blank:]]$'; then
@@ -64,11 +64,11 @@ jobs:
         version: ["phase0", "altair", "bellatrix", "capella", "deneb", "electra", "fulu", "eip7441", "eip7732"]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Rust for dependencies
-        uses: actions-rust-lang/setup-rust-toolchain@v1
+        uses: actions-rust-lang/setup-rust-toolchain@9399c7bb15d4c7d47b27263d024f0a4978346ba4 # v1.11.0
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '3.12.4'
           cache: ''
@@ -90,7 +90,7 @@ jobs:
           echo "spec_test_preset_type=mainnet" >> $GITHUB_ENV
       - name: test-${{ matrix.version }}
         run: make test fork=${{ matrix.version }} preset=${{ env.spec_test_preset_type }}
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: always()
         with:
           name: test-reports-${{ matrix.version }}
@@ -100,9 +100,9 @@ jobs:
    runs-on: [self-hosted-ghr-custom, size-s-x64, profile-consensusSpecs]
    steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: '3.12.4'
           cache: ''

From 1a6e9be3ab18ce275ab99459e9aa4618ffee4350 Mon Sep 17 00:00:00 2001
From: Rafael Matias <rafael@skyle.net>
Date: Mon, 24 Mar 2025 14:34:21 +0100
Subject: [PATCH 4/4] feat(ci): add dependabot to check for github-actions
 updates weekly

---
 .github/dependabot.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..e642810bbb
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+   - package-ecosystem: github-actions
+     directory: /
+     schedule:
+        interval: weekly
+     groups:
+        actions:
+           patterns:
+              - '*'