Update ci jobs and dependabot config (#84)

* use git hashes instead of git tag

Signed-off-by: cpanato <[email protected]>

* update dependabot config to group dependecies updates

Signed-off-by: cpanato <[email protected]>

---------

Signed-off-by: cpanato <[email protected]>

Author: cpanato

.github/dependabot.yml

@@ -1,20 +1,26 @@
 version: 2
 updates:
   - package-ecosystem: gomod
-    directory: /pkg # Location of package manifests
+    directories:
+      - /pkg
+      - /tools
     schedule:
       interval: daily
     labels:
-    - dependencies
-  - package-ecosystem: gomod
-    directory: /tools # Location of package manifests
-    schedule:
-      interval: weekly
-    labels:
-    - dependencies
+      - dependencies
+    groups:
+      gomod:
+        update-types:
+          - "patch"
+
   - package-ecosystem: "github-actions"
     # Workflow files stored in the
     # default location of `.github/workflows`
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+      actions:
+        update-types:
+          - "minor"
+          - "patch"

.github/workflows/ci.yml

@@ -13,23 +13,30 @@ on:
 jobs:
   lint:
     runs-on: ubuntu-latest
+
     env:
       GOPATH: /home/runner/go
+
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         submodules: recursive
+
     - name: Setup Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
-        go-version: 1.21
+        go-version: '1.21'
+        check-latest: true
+
     - name: Format check
       run: make fmt
+
     - name: golangci-lint
-      uses: golangci/golangci-lint-action@v6
+      uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
       with:
-        version: v1.59.1
+        version: v1.59
         args: --build-tags testonly
+
     - name: Check generated code
       run: make generate

.github/workflows/codeql.yml

@@ -16,10 +16,8 @@ jobs:
     permissions:
       # required for all workflows
       security-events: write
-
       # required to fetch internal or private CodeQL packs
       packages: read
-
       # only required for workflows in private repositories
       actions: read
       contents: read
@@ -33,17 +31,17 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
         queries: security-and-quality
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/coverage.yml

@@ -16,20 +16,26 @@ on:
 jobs:
   coverage:
     runs-on: ubuntu-latest
+
     env:
       GOPATH: /home/runner/go
+
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         submodules: recursive
+
     - name: Setup Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
-        go-version: 1.21
+        go-version: '1.21'
+        check-latest: true
+
     - name: Generate coverage report
       run: make test
+
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@v4
+      uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
       with:
         token: ${{ secrets.CODECOV_TOKEN }}