From 8319a02c15d90472e1e11439e6daa9c9fd9a76bb Mon Sep 17 00:00:00 2001
From: Alec Scott <alec@llnl.gov>
Date: Sat, 20 Jun 2026 09:56:09 -0700
Subject: [PATCH 1/2] Swap to uploading the outputs as an artifact of the PR

Signed-off-by: Alec Scott <alec@llnl.gov>
---
 .github/workflows/outputs.yml | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/outputs.yml b/.github/workflows/outputs.yml
index ca5a08739..dc79a6f4b 100644
--- a/.github/workflows/outputs.yml
+++ b/.github/workflows/outputs.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
-      contents: write
+      contents: read
 
     steps:
     - name: Checkout (Push)
@@ -51,11 +51,10 @@ jobs:
       run: |
         git diff HEAD outputs/
 
-    # - name: Push modified files to branch
-    #   if: ( github.event_name == 'pull_request' && ! github.event.pull_request.head.repo.fork )
-    #   run: |
-    #     git config user.name "github-actions[bot]"
-    #     git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-    #     git add outputs/
-    #     git commit -m "Update generated outputs on behalf of [@${{ github.actor }}]"
-    #     git push
+    - name: Upload outputs as artifact
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+      with:
+        name: generated-outputs
+        path: outputs/
+        retention-days: 7
+        compression-level: 9

From 441d73e51be28a1dc80cc25827db5cb15a334d8e Mon Sep 17 00:00:00 2001
From: Alec Scott <alec@llnl.gov>
Date: Sat, 20 Jun 2026 10:15:30 -0700
Subject: [PATCH 2/2] Add version comments to actions

Signed-off-by: Alec Scott <alec@llnl.gov>
---
 .github/dependabot.yml          |  4 ++--
 .github/workflows/ci.yml        |  4 ++--
 .github/workflows/container.yml | 12 ++++++------
 .github/workflows/outputs.yml   |  8 ++++----
 .github/workflows/style.yml     |  4 ++--
 5 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9c03565ea..07fb605a7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,9 +4,9 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "monthly"
   # Python dependencies to build documentation
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "monthly"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0052e1ee2..fcafcf2f1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,13 +25,13 @@ jobs:
       style: ${{ steps.filter.outputs.style }}
 
     steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # @v2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
         if: ${{ github.event_name == 'push' }}
         with:
           fetch-depth: 0
 
         # For pull requests it's not necessary to checkout the code
-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d
+      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d  # v4.0.1
         id: filter
         with:
           filters: |
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index e63d0f923..c0d676b4c 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -11,21 +11,21 @@ jobs:
 
     steps:
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3  # v3.0.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5  # v3.0.0
 
       - name: Login to GitHub Container Registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee  # v3.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Generate Container Metadata
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9  # v5.0.0
         id: metadata
         with:
           images: ghcr.io/spack/tutorial
@@ -36,7 +36,7 @@ jobs:
             type=raw,value={{tag}}
 
       - name: Build & Push
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf  # v5.0.0
         env:
           DOCKER_BUILD_SUMMARY: false
           DOCKER_BUILD_RECORD_UPLOAD: false
@@ -52,7 +52,7 @@ jobs:
 
       - name: Upload container as artifact for PRs
         if: github.event_name == 'pull_request'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v4.3.1
         with:
           name: tutorial-container
           path: /tmp/tutorial-container.tar
diff --git a/.github/workflows/outputs.yml b/.github/workflows/outputs.yml
index dc79a6f4b..5bafb35b3 100644
--- a/.github/workflows/outputs.yml
+++ b/.github/workflows/outputs.yml
@@ -16,20 +16,20 @@ jobs:
     steps:
     - name: Checkout (Push)
       if: github.event_name != 'pull_request'
-      uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
       with:
         ref: ${{ github.head_ref }}
 
     - name: Checkout (PR)
       if: github.event_name == 'pull_request'
-      uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+      uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
       with:
         ref: ${{ github.event.pull_request.head.ref }}
         repository: ${{ github.event.pull_request.head.repo.full_name }}
 
     - name: Download container from artifact if PR
       if: github.event_name == 'pull_request' && inputs.with_pr_container
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v4.1.7
       with:
         name: tutorial-container
         path: /tmp
@@ -52,7 +52,7 @@ jobs:
         git diff HEAD outputs/
 
     - name: Upload outputs as artifact
-      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v4.3.1
       with:
         name: generated-outputs
         path: outputs/
diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml
index 4e780ff6b..c412be309 100644
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@@ -7,10 +7,10 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v4.2.2
 
       - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: '3.13'