security(ci): pin mislav/bump-homebrew-formula-action to SHA (#187)

* security(ci): pin third-party GitHub Action

Pin mislav/bump-homebrew-formula-action to a full commit SHA and add Dependabot updates for GitHub Actions.

* ci: fix checkout for fork PRs

Use merge ref for forked pull requests and skip auto-commit when the PR comes from a fork.

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/quality.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.head_ref }}
+          ref: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.head_ref) || github.ref }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Cache Homebrew
@@ -48,6 +48,7 @@ jobs:
           echo "✓ All code formatted"
 
       - name: Commit formatting changes
+        if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
         run: |
           git config user.name "Tw93"
           git config user.email "tw93@qq.com"
@@ -69,7 +70,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.head_ref }}
+          ref: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.head_ref) || github.ref }}
 
       - name: Cache Homebrew
         uses: actions/cache@v4

.github/workflows/release.yml

@@ -87,7 +87,7 @@ jobs:
           echo "Releasing version: $VERSION (tag: $TAG)"
 
       - name: Update Homebrew formula
-        uses: mislav/bump-homebrew-formula-action@v3
+        uses: mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3.6
         with:
           formula-name: mole
           formula-path: Formula/mole.rb