From b8da6cabdd35b4c686baa49ea30b35bcf7251db5 Mon Sep 17 00:00:00 2001
From: max furman <mx.furman@gmail.com>
Date: Thu, 13 Jun 2024 11:21:04 -0700
Subject: [PATCH] [actions] github actions updates

- Move dependabot to common workflow
- add github actions to dependabot
- Move away from deprecated create-release action
- use SHAs for external actions
---
 .github/dependabot.yml                      |  4 ++++
 .github/workflows/dependabot-auto-merge.yml | 17 +++--------------
 .github/workflows/release.yml               |  8 ++++----
 3 files changed, 11 insertions(+), 18 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e0871f9..a9618d0 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,7 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 471eeda..c0b39e0 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -6,17 +6,6 @@ permissions:
   pull-requests: write
 
 jobs:
-  dependabot:
-    runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
-    steps:
-      - name: Dependabot metadata
-        id: metadata
-        uses: dependabot/fetch-metadata@v1.1.1
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-      - name: Enable auto-merge for Dependabot PRs
-        run: gh pr merge --auto --merge "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+  dependabot-auto-merge:
+    uses: smallstep/workflows/.github/workflows/dependabot-auto-merge.yml@main
+    secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5797401..05f553d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,7 +18,7 @@ jobs:
     env:
       DOCKER_IMAGE: smallstep/step-kms-plugin
       CLOUD_TAG: cloud
-      DEBIAN_TAG: bookworm 
+      DEBIAN_TAG: bookworm
       WOLFI_TAG: wolfi
     outputs:
       version: ${{ steps.extract-tag.outputs.VERSION }}
@@ -56,12 +56,12 @@ jobs:
           echo "DOCKER_TAGS_WOLFI=${{ env.DOCKER_IMAGE }}:${WOLFI_TAG}" >> "${GITHUB_ENV}"
       - name: Create Release
         id: create_release
-        uses: actions/create-release@v1
+        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           tag_name: ${{ github.ref }}
-          release_name: Release ${{ github.ref }}
+          name: Release ${{ github.ref }}
           draft: false
           prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
 
@@ -71,7 +71,7 @@ jobs:
     needs: create_release
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
       - name: setup release environment