From 1e0c815962920ac430f2922464f85305f5af3876 Mon Sep 17 00:00:00 2001
From: Sushant Ipte
Date: Thu, 4 Jun 2026 23:59:39 +0530
Subject: [PATCH] Pin GitHub Actions to commit SHAs and add Dependabot config

Addresses the OSSF Scorecard Pinned-Dependencies finding. Every `uses:` in ci.yml and release.yml now points at a full commit SHA with the version pinned in a trailing comment so reviewers (and Dependabot) can still see what's pinned. Adds .github/dependabot.yml configured for npm + github-actions on a weekly cadence with grouped minor/patch PRs, so future updates arrive as reviewable PRs rather than silent floating-tag rolls.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/dependabot.yml | 29 +++++++++++
 .github/workflows/ci.yml | 6 +--
 .github/workflows/release.yml | 92 +++++++++++++++++++++++++++++++++++
 3 files changed, 124 insertions(+), 3 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/release.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..63a9ba7
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,29 @@
+version: 2
+updates:
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: weekly
+ open-pull-requests-limit: 8
+ groups:
+ npm-dev-minor:
+ dependency-type: development
+ update-types: [minor, patch]
+ npm-prod-minor:
+ dependency-type: production
+ update-types: [minor, patch]
+ ignore:
+ - dependency-name: '@types/node'
+ update-types: [version-update:semver-major]
+ - dependency-name: typescript
+ update-types: [version-update:semver-major]
+
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ open-pull-requests-limit: 3
+ groups:
+ actions-minor:
+ patterns: ['*']
+ update-types: [minor, patch]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0569176..31b2383 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
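Review bot: Neither `updates` entry in the new dependabot.yml sets a `cooldown`, so a weekly grouped PR can pull in a release the same day it is published — which is precisely the window in which a compromised action or npm package does its damage before it is yanked, and the pinning this commit adds does not help if the pin is bumped immediately. If the Dependabot version in use supports it, add `cooldown:` with `default-days: 7` (or a similar delay) under both the `npm` and `github-actions` entries so ordinary version updates lag new releases by a few days, and check the docs for how that interacts with security-advisory updates. Note also that, as I understand the schema, these `groups` apply to version updates only; security updates still arrive as separate PRs unless a group with `applies-to: security-updates` is declared.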
@@ -21,13 +21,13 @@ jobs: matrix: node: [20, 22] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4 - name: Use Node.js ${{ matrix.node }} - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ matrix.node }} cache: pnpm diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..805d22a --- /dev/null +++ b/.github/workflows/release.yml 
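Review bot: The pin for `pnpm/action-setup` carries only `# v4` as its trailing comment, whereas the checkout and setup-node pins name an exact release (`# v4.3.1`, `# v4.4.0`); a major-only comment tells a reviewer nothing about which release the SHA actually is, and — as I understand Dependabot's handling of these comments — it takes the comment as what the pin tracks, so it may keep moving the SHA to wherever the floating `v4` tag points rather than to specific tagged releases, which undermines the point of the commit. Replace it with the exact release tag that `b906affcce14559ad1aafd4ab0e942779e9f58b1` corresponds to, i.e. `uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.x.y` with the real version filled in (same for the two copies in release.yml). The `steps:` list here belongs to a job whose header lies above this hunk.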
@@ -0,0 +1,92 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - 'v*.*.*'
+
+concurrency:
+ group: release-${{ github.ref }}
+ cancel-in-progress: false
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ verify:
+ name: Verify (typecheck + tests + build)
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+ - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
+
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+ with:
+ node-version: '20'
+ cache: pnpm
+ registry-url: 'https://registry.npmjs.org'
+
+ - run: pnpm install --frozen-lockfile
+
+ - name: Typecheck
+ run: pnpm typecheck
+
+ - name: Tests
+ run: pnpm test
+
+ - name: Build
+ run: pnpm build
+
+ check-versions:
+ name: Tag matches all package versions
+ runs-on: ubuntu-latest
+ timeout-minutes: 2
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ - name: Compare versions
+ run: |
+ TAG_VERSION="${GITHUB_REF_NAME#v}"
+ echo "git tag: $TAG_VERSION"
+ FAILED=0
+ for pkg in packages/types packages/sdk packages/player packages/react; do
+ PKG_VERSION="$(node -p "require('./$pkg/package.json').version")"
+ echo "$pkg: $PKG_VERSION"
+ if [ "$PKG_VERSION" != "$TAG_VERSION" ]; then
+ echo "::error::$pkg/package.json version $PKG_VERSION does not match tag $TAG_VERSION"
+ FAILED=1
+ fi
+ done
+ exit $FAILED
+
+ publish:
+ name: Publish to npm
+ needs: [verify, check-versions]
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+ - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
+
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+ with:
+ node-version: '20'
+ cache: pnpm
+ registry-url: 'https://registry.npmjs.org'
+
+ - run: pnpm install --frozen-lockfile
+
+ - name: Build all packages
+ run: pnpm build
+
+ -
name: Publish all workspace packages
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ NPM_CONFIG_PROVENANCE: 'true'
+ run: |
+ pnpm -r --filter './packages/*' publish \
+ --access public \
+ --no-git-checks
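Review bot: The workflow-level `permissions:` block grants `id-token: write` to every job, but only `publish` needs an OIDC token (for the `NPM_CONFIG_PROVENANCE` attestation); `verify` and `check-versions` run `pnpm install --frozen-lockfile` and package build/test scripts, so any step in those jobs — including a malicious dependency lifecycle script — could request a GitHub identity token it has no business holding. Keep the workflow default at `contents: read` and scope `id-token: write` to the `publish` job as below; the job-level block must repeat `contents: read` because it replaces, rather than extends, the workflow-level grant. Two further points worth weighing, not required for this change: with `id-token: write` already in place, npm trusted publishing could replace the long-lived `NPM_TOKEN` secret entirely if the packages are configured for it on the registry, and a protected `environment:` on `publish` would stop anyone who can push a `v*` tag from shipping to npm with no second review.
```yaml
permissions:
  contents: read

# … unchanged: concurrency, verify and check-versions jobs …

  publish:
    name: Publish to npm
    needs: [verify, check-versions]
    permissions:
      contents: read
      id-token: write
    # … unchanged: runs-on, timeout-minutes, steps …
```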