From 5d9de2f863082351e36880b6f80d7666cfa0ad5b Mon Sep 17 00:00:00 2001
From: Tom Whitwell
Date: Thu, 18 Jul 2024 16:24:48 +0100
Subject: [PATCH 1/2] BAU: Dependabot should also check sidecar docker

---
 .github/dependabot.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a499db655..497e8aac9 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -13,7 +13,9 @@ updates:
 commit-message:
 prefix: BAU
 - package-ecosystem: docker
- directory: "/"
+ directories:
+ - "basic-auth-sidecar"
+ - "/"
 schedule:
 interval: daily
 time: "03:00"

From c226d83aaf08b9ce9dad99292746955490e49f4d Mon Sep 17 00:00:00 2001
From: Tom Whitwell
Date: Thu, 18 Jul 2024 17:22:07 +0100
Subject: [PATCH 2/2] BAU: Add Dependabot validation workflow

Also, add a pre-commit hook to check that the GHA pinning is correct.
---
 .github/workflows/dependabot-validate.yml | 15 +++++++++++++++
 .pre-commit-config.yaml | 7 +++++++
 2 files changed, 22 insertions(+)
 create mode 100644 .github/workflows/dependabot-validate.yml

diff --git a/.github/workflows/dependabot-validate.yml b/.github/workflows/dependabot-validate.yml
new file mode 100644
index 000000000..99a5f4bdd
--- /dev/null
+++ b/.github/workflows/dependabot-validate.yml
@@ -0,0 +1,15 @@
+name: Validate Dependabot
+
+on:
+ pull_request:
+ paths:
+ - ".github/dependabot.yml"
+ - ".github/workflows/dependabot-validate.yml"
+jobs:
+ validate:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: marocchino/validate-dependabot@d8ae5c0d03dd75fbd0ad5f8ab4ba8101ebbd4b37 # v3.0.0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d89e90eae..773552022 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
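Review bot: In `.github/dependabot.yml`, the new `directories` list mixes an unrooted path (`"basic-auth-sidecar"`) with a rooted one (`"/"`). Dependabot's documented examples write these paths from the repository root with a leading slash, so `- "/basic-auth-sidecar"` would be the consistent form; I have not confirmed how an unrooted entry is resolved. This matters because an entry that fails to resolve would leave the sidecar's base image without update PRs, and a schema check on the file would presumably not notice a wrong directory. The `docker` entry continues outside the hunk.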
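Review bot: In `.github/workflows/dependabot-validate.yml`, the `actions/checkout` step keeps its default credential persistence, so the job token stays in the checked-out repository's git config while the third-party `marocchino/validate-dependabot` step runs in the same workspace. The job-level `contents: read` and the SHA pins already limit what that token and action can do. Adding `with:` and `persist-credentials: false` under the checkout step would keep the token off disk altogether, since nothing visible here fetches or pushes afterwards. A short comment above `permissions:` stating that the job only needs to read the repository would also discourage widening the scope later.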
@@ -27,6 +27,13 @@ repos: hooks: - id: actionlint + - repo: https://github.com/lalten/check-gha-pinning + rev: v1.1.0 + hooks: + - id: check-gha-pinning + # Skip git check for now until subdirectory support is added (#1) + entry: env GHA_PINNING_SKIP_GIT_CHECK=1 check-gha-pinning + - repo: local hooks: - id: eslint
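Review bot: The comment above `entry:` in `.pre-commit-config.yaml` does not say which repository `(#1)` belongs to or what the skipped git check verifies, so a reader cannot tell what assurance is missing while `GHA_PINNING_SKIP_GIT_CHECK=1` is set or when it can be removed. I would expand it along the lines of `# TODO: drop GHA_PINNING_SKIP_GIT_CHECK once <issue URL> (subdirectory support) is resolved; until then the hook's git check is skipped`. Separately, `rev: v1.1.0` is a tag, while the workflow added in the same patch pins its actions to commit SHAs; whether to pin this hook by SHA as well is worth deciding deliberately. The `repos` list starts and ends outside the hunk.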