CI: Hashpin github-actions with dangerous permissions
Closes #7119
Hey @krassowski, I've updated the PR after a version update dated after my initial PR, and resolved the merge conflicts.
It seems like the "Enforce PR label" check is still blocking the merge; let me know if there is anything I can do to help solve it.
Cheers,
Will we get clever dependabot updates, or will we need to manually update the pins?
Should this be discussed in a team compass repo maybe? For example https://github.com/jupyterlab/team-compass?
These actions are used by many Jupyter projects, and if going with these pins then there is no reason for them to be specific to the notebook repo, but would likely be relevant to other repos as well? For example https://github.com/jupyterlab/jupyterlab, https://github.com/jupyterlab/jupyterlab_server, https://github.com/jupyter-server/jupyter_server, and more.
> Will we get clever dependabot updates, or will we need to manually update the pins?
You'll receive clever dependabot updates! It would update them at the same pace you're already used to, and it would still keep a comment with the human-readable version used =).
If you wish, we can also configure it to update all github actions in a single monthly PR, for example.
> Should this be discussed in a team compass repo maybe? For example https://github.com/jupyterlab/team-compass?
Let me know if you want my help raising this discussion anywhere else. I'd be happy to help =)
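As an added illustration of the pinning discussed in this PR (not code from the PR or the notebook project), here is a small Python check that scans a workflow file for `uses:` references and reports whether each one is pinned to a full commit SHA and carries the human-readable version comment dependabot keeps up to date. The workflow snippet and the SHAs in it are constructed placeholders.

```python
import re

# Matches `uses: owner/repo[/path]@ref  # optional version comment`
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?', re.M)
# A full 40-hex-digit commit SHA, the only reference that cannot be moved
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def check_workflow(text):
    """Return a list of (action, ref, comment, status) for each external `uses:`."""
    findings = []
    for m in USES_RE.finditer(text):
        target, comment = m.group(1), m.group(2)
        if target.startswith(('./', 'docker://')):
            continue  # local and docker actions are not pinned by commit SHA
        if '@' not in target:
            findings.append((target, None, comment, 'unpinned'))
            continue
        action, ref = target.rsplit('@', 1)
        if SHA_RE.match(ref):
            # pinned; the comment is what keeps the version readable for humans
            status = 'pinned' if comment else 'pinned-no-version-comment'
        else:
            status = 'tag-or-branch'  # mutable: tags and branches can be moved
        findings.append((action, ref, comment, status))
    return findings

def needs_attention(text):
    """Only the entries a reviewer would ask to change."""
    return [f for f in check_workflow(text) if f[3] != 'pinned']

# Constructed sample workflow; the SHAs below are placeholders, not real commits
SAMPLE = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.1.0
      - uses: actions/upload-artifact@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-thing
      - name: run
        uses: some-org/some-action
"""

if __name__ == '__main__':
    for action, ref, comment, status in check_workflow(SAMPLE):
        print(f'{status:28} {action}@{ref} {comment or ""}')
```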