Lock Github Actions & manage with dependabot

(cherry picked from commit 7c730e5)

Author: chadlwilson

.github/dependabot.yml

@@ -0,0 +1,28 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: monthly
+    groups:
+      actions-deps:
+        patterns: [ "*" ]
+  - package-ecosystem: maven
+    directory: "/"
+    schedule:
+      interval: monthly
+    groups:
+      maven-deps:
+        dependency-type: "production"
+      maven-dev-deps:
+        dependency-type: "development"
+  - package-ecosystem: bundler
+    directories:
+      - "/"
+    schedule:
+      interval: monthly
+    allow:
+      - dependency-type: all
+    groups:
+      ruby-deps:
+        patterns: [ "*" ]

.github/workflows/maven.yml

@@ -25,10 +25,10 @@ jobs:
       fail-fast: false
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set up JDK
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
       with:
         java-version: ${{ matrix.java_version }}
         distribution: 'temurin'
@@ -39,7 +39,7 @@ jobs:
 
     # Uploads the full dependency graph to GitHub to improve the quality of Dependabot alerts this repository can receive
     - name: Update dependency graph
-      uses: advanced-security/maven-dependency-submission-action@571e99aab1055c2e71a1e2309b9691de18d6b7d6
+      uses: advanced-security/maven-dependency-submission-action@aeab9f885293af501bae8bdfe88c589528ea5e25 # v4.1.2
       if: github.head_ref == 'refs/heads/master' && matrix.java_version == '8' && startsWith(matrix.jruby_version, '9.4')
 
   appraisals:
@@ -98,17 +98,17 @@ jobs:
       fail-fast: false
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up JDK
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
         with:
           java-version: ${{ matrix.java_version }}
           distribution: 'temurin'
           cache: maven
 
       - name: Setup JRuby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0
         with:
           ruby-version: jruby-${{ matrix.jruby_version }}
           bundler: 2.3.27 # use version that is OK for JRuby 9.3

Gemfile.lock

@@ -5,7 +5,7 @@ GEM
       bundler
       rake
       thor (>= 0.14.0)
-    diff-lcs (1.6.0)
+    diff-lcs (1.6.1)
     rack (2.2.13)
     rake (13.2.1)
     rspec (3.13.0)

pom.xml

@@ -219,7 +219,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-surefire-plugin</artifactId>
-        <version>3.5.2</version>
+        <version>3.5.3</version>
       </plugin>
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>