From 2643764c5520fd9696da822a06ea45a839c506dd Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Wed, 2 Oct 2024 10:50:21 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/dependabot.yml | 11 +++++++++++
 .github/workflows/release-builder.yml | 10 +++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..26da661
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
+
+ - package-ecosystem: gomod
+ directory: /
+ schedule:
+ interval: daily
diff --git a/.github/workflows/release-builder.yml b/.github/workflows/release-builder.yml
index a93d027..0f3b3be 100644
--- a/.github/workflows/release-builder.yml
+++ b/.github/workflows/release-builder.yml
@@ -19,18 +19,18 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Set Release Version
 run: echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_ENV
 - name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: '1.22.4'
 - name: Install Cosign
- uses: sigstore/cosign-installer@v3.6.0
+ uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
 with:
 cosign-release: 'v2.4.0'
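Review bot: The `gomod` entry at `directory: /` assumes a `go.mod` sits at the repository root; Dependabot reports a configuration error for an ecosystem whose manifest is not found in the given directory, so confirm the path (the workflow's setup-go step suggests a Go module exists, but its location is not visible in this patch). Both entries run `daily` with no `open-pull-requests-limit`, so Dependabot's default cap of five open pull requests per ecosystem applies; that is workable for a repository that pins actions by SHA, but a `groups:` block would fold the action bumps into a single PR if the churn becomes noisy. The new file also lacks a `---` document-start marker; add `---` as its first line to satisfy yamllint's default `document-start` rule.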
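Review bot: Each of the three new `uses:` lines pairs a 40-character commit SHA with a `# vX.Y.Z` comment, and nothing in the workflow ties the two together, so if they ever disagree a reader will trust the wrong one. Before merging, resolve each SHA against the tag its comment claims (for example `actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`) and keep them in sync afterwards; the `github-actions` Dependabot entry added in this commit rewrites both the SHA and the trailing comment, so its PRs are where that check recurs. The same applies to the two pinned lines in the later hunk at `@@ -61,11 +61,11 @@`. Note that `cosign-release: 'v2.4.0'` remains a version string rather than a digest, so the cosign binary itself is not pinned the way the actions now are. The `steps:` list this hunk edits begins outside the hunk, and the hunk's blank separator lines are not visible in this rendering.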
@@ -61,11 +61,11 @@ jobs: --output-certificate="release/kubectl-nginx_supportpkg_${VERSION}_checksums.txt.pem" -y - name: Upload release binaries - uses: alexellis/upload-assets@0.4.1 + uses: alexellis/upload-assets@13926a61cdb2cb35f5fdef1c06b8b591523236d3 # 0.4.1 env: GITHUB_TOKEN: ${{ github.token }} with: asset_paths: '["./release/*.gz", "./release/*.txt", "./release/*.sig", "./release/*.pem"]' - name: Update new version in krew-index - uses: rajatjindal/krew-release-bot@v0.0.46 \ No newline at end of file + uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46 \ No newline at end of file
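Review bot: The file still ends without a trailing newline — the `\ No newline at end of file` marker follows the new `rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46` line exactly as it followed the old one — so the next edit to this final step will again show up as a rewrite of the last line; end the file with a newline while this line is being touched. Separately, the context line `GITHUB_TOKEN: ${{ github.token }}` hands the job token to `alexellis/upload-assets`; pinning the SHA fixes which code receives that token but not what it can do, so confirm that the job's `permissions:` block (outside this hunk) grants only what asset upload needs, such as `contents: write`, rather than the repository default. The `steps:` list and the job header both lie outside this hunk.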