From bfdeaf40c8568b25188934be7d49393b43786ab1 Mon Sep 17 00:00:00 2001
From: Huy Pham
Date: Thu, 16 Apr 2026 10:03:41 -0700
Subject: [PATCH 1/2] fix: use commit SHA instead of tags for actions I think k8s repos started to enforce using commit SHA (which makes sense from security perspective) because the workflow is currently failing with `The action actions/checkout@v4 is not allowed in kubernetes/cloud-provider-gcp because all actions must be pinned to a full-length commit SHA.` Also update dependabot to handle github actions.
---
 .github/dependabot.yml | 9 +++++++++
 .github/workflows/auto-tag.yml | 2 +-
 .github/workflows/dependabot-sync.yml | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 4dbec43ee..db4a922e9 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,5 +1,14 @@
 version: 2
 updates:
+- package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "sunday"
+ labels:
+ - "ok-to-test"
+ - 'area/dependency'
+ - 'release-note-none'
 - package-ecosystem: gomod
 directories:
 - "/"
diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index d127e7685..e4d2e2fe5 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -12,7 +12,7 @@ jobs:
 contents: write
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0 # Fetch all history and tags
diff --git a/.github/workflows/dependabot-sync.yml b/.github/workflows/dependabot-sync.yml
index ecbac61f0..bef2decb4 100644
--- a/.github/workflows/dependabot-sync.yml
+++ b/.github/workflows/dependabot-sync.yml
@@ -15,7 +15,7 @@ jobs:
 if: github.actor == 'dependabot[bot]'
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 ref: ${{ github.event.pull_request.head.ref }}
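Review bot: The new `github-actions` entry in .github/dependabot.yml mixes quoting styles: `"ok-to-test"` is double-quoted, the next two labels are single-quoted, and `"github-actions"` is quoted although the existing entry writes `gomod` bare. None of these values needs escape processing, so one style throughout would read more cleanly, e.g. `- 'ok-to-test'` and `package-ecosystem: github-actions`. It would also help to add a comment above the entry such as `# Keeps SHA-pinned actions in .github/workflows current`, since the pins in this series rely on this updater from now on.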
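Review bot: The pinned `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd` line in .github/workflows/auto-tag.yml has no trailing version comment, so a reviewer cannot tell which release the hash stands for. The same applies to the checkout pin in dependabot-sync.yml and to the `actions/setup-go` pin in patch 2/2. I would write `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # <release tag this SHA belongs to>`; Dependabot's github-actions updater rewrites that comment together with the hash. Before merging, confirm that each hash is the commit behind a release tag in the upstream action repository itself, because a full-length SHA can also resolve to a commit that exists only in a fork of that repository. This job holds `contents: write`, so the provenance of the pinned commit matters more here than in a read-only job.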
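Review bot: The gate `if: github.actor == 'dependabot[bot]'` above the re-pinned checkout step in .github/workflows/dependabot-sync.yml tests who triggered the latest event, not who opened the pull request, and the step then checks out `github.event.pull_request.head.ref`. If the intent is to run only on pull requests that Dependabot authored, the stricter condition is `if: github.event.pull_request.user.login == 'dependabot[bot]'`. The workflow trigger and the job's permissions are outside this hunk, so how much this matters depends on whether the job runs with a write token or secrets; that is worth confirming while this file is being hardened.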
From 1b4555895f8e5444a3b04b29ab7239ee01a2d6b4 Mon Sep 17 00:00:00 2001
From: Huy Pham
Date: Thu, 16 Apr 2026 10:25:06 -0700
Subject: [PATCH 2/2] fix: use commit SHA for actions/setup-go
---
 .github/workflows/dependabot-sync.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dependabot-sync.yml b/.github/workflows/dependabot-sync.yml
index bef2decb4..a8ae841a8 100644
--- a/.github/workflows/dependabot-sync.yml
+++ b/.github/workflows/dependabot-sync.yml
@@ -20,7 +20,7 @@ jobs:
 ref: ${{ github.event.pull_request.head.ref }}
 - name: Setup Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
 with:
 go-version-file: 'go.work'