From 5dcdee538323662d1a98234b3684f065a776b486 Mon Sep 17 00:00:00 2001 From: Elliott Sales de Andrade Date: Thu, 30 Jan 2025 19:57:07 -0500 Subject: [PATCH 1/2] ci: Update workflows to match main repo --- .github/workflows/circleci.yml | 3 ++- .github/workflows/lint.yml | 20 +++++++++++--------- .github/workflows/release.yml | 29 +++++++++++++++++------------ 3 files changed, 30 insertions(+), 22 deletions(-) diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml index 481368d..a28d267 100644 --- a/.github/workflows/circleci.yml +++ b/.github/workflows/circleci.yml @@ -10,7 +10,8 @@ jobs: name: Run CircleCI artifacts redirector steps: - name: GitHub Action step - uses: larsoner/circleci-artifacts-redirector-action@master + uses: + scientific-python/circleci-artifacts-redirector-action@4e13a10d89177f4bfc8007a7064bdbeda848d8d1 # v1.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} api-token: ${{ secrets.CIRCLECI_TOKEN }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index f3866b4..5a9e426 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -3,28 +3,30 @@ name: Linting on: [pull_request] +permissions: + contents: read + jobs: flake8: name: flake8 runs-on: ubuntu-latest + permissions: + checks: write steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Set up Python 3 - uses: actions/setup-python@v1 + uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 with: - python-version: 3.8 + python-version: '3.x' - name: Install flake8 run: pip3 install 'flake8>=3.8' - name: Set up reviewdog - run: | - mkdir -p "$HOME/bin" - curl -sfL \ - https://github.com/reviewdog/reviewdog/raw/master/install.sh | \ - sh -s -- -b "$HOME/bin" - echo "$HOME/bin" >> $GITHUB_PATH + uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.9 - name: Run flake8 env: 
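Review bot: In `.github/workflows/circleci.yml` the step passes `secrets.GITHUB_TOKEN` and `secrets.CIRCLECI_TOKEN` to the redirector action, but unlike lint.yml and release.yml in this commit, the file gains no `permissions:` block; the diffstat shows only the `uses:` change. If no block exists outside the hunk, the token runs with the repository's default scope. The action's job is to post a commit status, so a job-level `permissions:` containing `statuses: write` is presumably all it needs; confirm against the action's README before adding it. The job definition starts and ends outside the hunk, so an existing block elsewhere in the file cannot be ruled out from here.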
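Review bot: In `.github/workflows/lint.yml`, `reviewdog/action-setup` is pinned by commit but the step has no `with:` input, and as far as I know the action then installs the `latest` reviewdog release. The binary that later runs in the job holding `checks: write` would therefore still float; adding `with:` and `reviewdog_version: <PINNED_VERSION>` closes that gap. Separately, the job-level `permissions:` replaces the workflow-level block instead of extending it, so `flake8` runs with `contents` unset and checkout presumably succeeds only because the repository is public. Listing `contents: read` next to `checks: write` makes this explicit, as the publish job in release.yml already does. The `Run flake8` step continues past the end of the hunk, so the reporter and token wiring are not visible here.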
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 88954a9..f359bc2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,20 +6,24 @@ on: types: - published +permissions: + contents: read + jobs: build: name: Build Release Packages runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - fetch-depth: 10 + fetch-depth: 0 + persist-credentials: false - name: Set up Python id: setup - uses: actions/setup-python@v4 + uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 with: - python-version: 3.x + python-version: '3.x' - name: Install build tools run: | @@ -30,7 +34,7 @@ jobs: run: python -m build - name: Save built packages as artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: packages-${{ runner.os }}-${{ steps.setup.outputs.python-version }} path: dist/ @@ -43,15 +47,16 @@ jobs: runs-on: ubuntu-latest environment: release permissions: + attestations: write + contents: read id-token: write steps: - name: Download packages - uses: actions/download-artifact@v3 - - - name: Consolidate packages for upload - run: | - mkdir dist - cp packages-*/* dist/ + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + pattern: packages-* + path: dist + merge-multiple: true - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@b7f401de30cb6434a1e19f805ff006643653240e # v1.8.10 + uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3 From 4f1df713781916b362324de6929a8efea7ca428e Mon Sep 17 00:00:00 2001 
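Review bot: In the third release.yml hunk (`@@ -43,15 +47,16 @@`) the publish job now requests `attestations: write`, but no visible step consumes it. As far as I know, that scope is what `actions/attest-build-provenance` uses to store GitHub artifact attestations, whereas `pypa/gh-action-pypi-publish` does Trusted Publishing and its PyPI attestations through `id-token: write` alone. Unless an attestation step exists outside the visible lines, either drop `attestations: write` or add that step before the upload, so the job that can publish to PyPI holds no unused write permission. The other two release.yml hunks only pin actions to commit SHAs and add `persist-credentials: false`, which needs no change.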
From: Elliott Sales de Andrade Date: Thu, 30 Jan 2025 19:57:33 -0500 Subject: [PATCH 2/2] Enable dependabot for GitHub Actions --- .github/dependabot.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..34902e5 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +--- +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + groups: + actions: + patterns: + - "*"
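Review bot: The `actions` group with `patterns: ["*"]` puts every action bump into a single weekly PR, including `pypa/gh-action-pypi-publish`, which runs in the job holding `id-token: write` for PyPI. Because the workflows are now pinned to commit SHAs, each bump replaces a hash that a reviewer should check against the upstream tag. That check is easier when the publishing action arrives in its own PR; adding `exclude-patterns:` with `- "pypa/gh-action-pypi-publish"` to the group would achieve this. A one-line header comment such as `# Keeps the SHA-pinned actions in .github/workflows up to date` would also record why only the `github-actions` ecosystem is configured.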