From 600afbbee8d91b25c461ec052ce62eeef243efbd Mon Sep 17 00:00:00 2001
From: Aman Thanvi <22306104+amanthanvi@users.noreply.github.com>
Date: Mon, 29 Dec 2025 03:50:47 -0500
Subject: [PATCH] security(ci): pin mislav/bump-homebrew-formula-action to SHA (#187)

* security(ci): pin third-party GitHub Action

Pin mislav/bump-homebrew-formula-action to a full commit SHA and add Dependabot updates for GitHub Actions.

* ci: fix checkout for fork PRs

Use merge ref for forked pull requests and skip auto-commit when the PR comes from a fork.
---
 .github/dependabot.yml | 6 ++++++
 .github/workflows/quality.yml | 5 +++--
 .github/workflows/release.yml | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5ace460
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
index 1838311..0c202f4 100644
--- a/.github/workflows/quality.yml
+++ b/.github/workflows/quality.yml
@@ -17,7 +17,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 with:
- ref: ${{ github.head_ref }}
+ ref: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.head_ref) || github.ref }}
 token: ${{ secrets.GITHUB_TOKEN }}
 - name: Cache Homebrew
@@ -48,6 +48,7 @@ jobs:
 echo "✓ All code formatted"
 - name: Commit formatting changes
+ if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
 run: |
 git config user.name "Tw93"
 git config user.email "tw93@qq.com"
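Review bot: The fork test `github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository` added to the `ref:` input here is repeated (negated) in the `if:` of the `Commit formatting changes` step in the next hunk and again verbatim in the second checkout at line 70, so three copies now have to stay in sync. A workflow-level env value would express it once, e.g. `IS_FORK_PR: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}`, with `ref: ${{ env.IS_FORK_PR != 'true' && github.head_ref || github.ref }}` here (on push `github.head_ref` is empty, so `||` still falls through to `github.ref`) and `if: ${{ env.IS_FORK_PR != 'true' }}` on the commit step. Whichever form is kept, a comment above `ref:` such as `# same-repo PRs check out the branch head so formatting fixes can be pushed back; fork PRs and pushes use the triggering ref` would record why the branch head is preferred. The enclosing job starts before this hunk and the workflow's `on:` triggers are not visible here.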
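Review bot: The new `if:` on `Commit formatting changes` carries no explanation of why fork PRs are skipped, and out of context the condition reads like an unrelated repository check; a comment above it such as `# fork PRs: GITHUB_TOKEN is read-only under a pull_request trigger and the checkout is the merge ref, so there is nothing to push` would make the intent clear (assuming `pull_request` is the trigger, which is outside the hunk). The `run:` block it guards continues past the hunk; if that script interpolates `github.head_ref` or other event data directly into shell, passing those values through `env:` rather than `${{ }}` inside `run:` is the safer pattern, but that part is not visible here.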
@@ -69,7 +70,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 with:
- ref: ${{ github.head_ref }}
+ ref: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.head_ref) || github.ref }}
 - name: Cache Homebrew
 uses: actions/cache@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index be69ded..678d08b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -87,7 +87,7 @@ jobs:
 echo "Releasing version: $VERSION (tag: $TAG)"
 - name: Update Homebrew formula
- uses: mislav/bump-homebrew-formula-action@v3
+ uses: mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3.6
 with:
 formula-name: mole
 formula-path: Formula/mole.rb
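Review bot: The SHA pin on `mislav/bump-homebrew-formula-action` is the only one in this change; `actions/checkout@v4` and `actions/cache@v4` in the quality.yml hunks are still on mutable tags, so the commit title's goal is only partly met, and Dependabot's `github-actions` updater keeps whatever reference style a line already uses, so those will not be converted automatically. Pinning them the same way, `uses: actions/checkout@<full-commit-sha> # vX.Y` with the real SHA looked up from the upstream tag, keeps the policy uniform and lets Dependabot track all of them through the trailing version comment. The `# v3.6` comment is what Dependabot reads to keep tag and SHA in step, so it is worth confirming against the upstream tag that `56a283fa15557e9abaa4bdb63b8212abc68e655c` actually resolves to `v3.6` before merge. The enclosing release job starts before this hunk.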