From cfe040485b6a689b32fbb17c1b67538ed6a91b25 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot <bot@stepsecurity.io>
Date: Sun, 1 Mar 2026 09:16:03 -0800
Subject: [PATCH] [StepSecurity] Apply security best practices (#5830)

---
 .github/dependabot.yml                |  5 +++++
 .github/workflows/build.yml           | 10 +++++-----
 .github/workflows/multiOSReleases.yml |  2 +-
 .github/workflows/push-docker.yml     |  2 +-
 4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 854a5afed..1a811ddfe 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -68,3 +68,8 @@ updates:
     schedule:
       interval: "weekly"
     rebase-strategy: "auto"
+
+  - package-ecosystem: cargo
+    directory: /frontend/src-tauri/provisioner
+    schedule:
+      interval: daily
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f96b866c3..4fb774c51 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -69,7 +69,7 @@ jobs:
           distribution: "temurin"
 
       - name: Cache Gradle dependency artifacts
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: |
             ~/.gradle/wrapper
@@ -154,7 +154,7 @@ jobs:
           distribution: "temurin"
 
       - name: Cache Gradle dependency artifacts
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: |
             ~/.gradle/wrapper
@@ -236,7 +236,7 @@ jobs:
           distribution: "temurin"
 
       - name: Cache Gradle dependency artifacts
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: |
             ~/.gradle/wrapper
@@ -309,7 +309,7 @@ jobs:
           distribution: "temurin"
 
       - name: Cache Gradle dependency artifacts
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: |
             ~/.gradle/wrapper
@@ -416,7 +416,7 @@ jobs:
           distribution: "temurin"
 
       - name: Cache Gradle dependency artifacts
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: |
             ~/.gradle/wrapper
diff --git a/.github/workflows/multiOSReleases.yml b/.github/workflows/multiOSReleases.yml
index 8666c0925..dbb62a45d 100644
--- a/.github/workflows/multiOSReleases.yml
+++ b/.github/workflows/multiOSReleases.yml
@@ -49,7 +49,7 @@ jobs:
           distribution: "temurin"
 
       - name: Cache Gradle dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: |
             ~/.gradle/caches
diff --git a/.github/workflows/push-docker.yml b/.github/workflows/push-docker.yml
index 7c0883569..af65cb079 100644
--- a/.github/workflows/push-docker.yml
+++ b/.github/workflows/push-docker.yml
@@ -46,7 +46,7 @@ jobs:
           distribution: "temurin"
 
       - name: Cache Gradle dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: |
             ~/.gradle/caches