From 44a11e9773be8ae72c469d2461478413156de797 Mon Sep 17 00:00:00 2001 From: Ismo Vuorinen Date: Sun, 7 Dec 2025 02:24:33 +0200 Subject: [PATCH] chore: update actions, cleanup pr-lint and pre-commit (#389) * chore: update actions, cleanup pr-lint * chore: cleanup pre-commit config, formatting * chore: revert sigstore/cosign-installer downgrade * chore: formatting --- .../actions/setup-test-environment/action.yml | 2 +- .github/workflows/action-security.yml | 2 +- .github/workflows/issue-stats.yml | 2 +- .github/workflows/pr-lint.yml | 4 +- .github/workflows/release.yml | 2 +- .github/workflows/stale.yml | 2 +- .github/workflows/test-actions.yml | 2 +- .github/workflows/version-maintenance.yml | 4 +- .pre-commit-config.yaml | 5 - ansible-lint-fix/action.yml | 2 +- biome-lint/action.yml | 4 +- codeql-analysis/action.yml | 6 +- compress-images/action.yml | 2 +- csharp-lint-check/action.yml | 2 +- eslint-lint/action.yml | 4 +- go-lint/action.yml | 2 +- npm-publish/action.yml | 2 +- pr-lint/action.yml | 132 +----------------- prettier-lint/action.yml | 2 +- python-lint-fix/action.yml | 2 +- security-scan/action.yml | 4 +- stale/action.yml | 2 +- terraform-lint-fix/action.yml | 2 +- 23 files changed, 32 insertions(+), 161 deletions(-) diff --git a/.github/actions/setup-test-environment/action.yml b/.github/actions/setup-test-environment/action.yml index fe46191..bd376eb 100644 --- a/.github/actions/setup-test-environment/action.yml +++ b/.github/actions/setup-test-environment/action.yml @@ -31,7 +31,7 @@ runs: run: uv sync --frozen - name: Setup Node.js - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '24' cache: npm diff --git a/.github/workflows/action-security.yml b/.github/workflows/action-security.yml index 830043e..af99a25 100644 --- a/.github/workflows/action-security.yml +++ b/.github/workflows/action-security.yml 
@@ -48,7 +48,7 @@ jobs: - name: Notify on Critical Issues if: failure() && steps.security-scan.outputs.critical_issues != '0' - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: |- const { repo, owner } = context.repo; diff --git a/.github/workflows/issue-stats.yml b/.github/workflows/issue-stats.yml index 4e9f8eb..a4bbbce 100644 --- a/.github/workflows/issue-stats.yml +++ b/.github/workflows/issue-stats.yml @@ -30,7 +30,7 @@ jobs: echo "last_month=$first_day..$last_day" >> "$GITHUB_ENV" - name: Run issue-metrics tool - uses: github/issue-metrics@78b1d469a1b1c94945b15bd71dedcb1928667f49 # v3.25.3 + uses: github/issue-metrics@55bb0b704982057a101ab7515fb72b2293927c8a # v3.25.4 env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} SEARCH_QUERY: 'repo:ivuorinen/actions is:issue created:${{ env.last_month }} -reason:"not planned"' diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml index 6f2455e..67725bd 100644 --- a/.github/workflows/pr-lint.yml +++ b/.github/workflows/pr-lint.yml @@ -74,14 +74,14 @@ jobs: - name: Upload SARIF Report if: always() && hashFiles('megalinter-reports/sarif/*.sarif') - uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: sarif_file: megalinter-reports/sarif category: megalinter - name: Check Results if: always() - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const status = '${{ steps.pr-lint.outputs.validation_status }}'; diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 47f5611..c800f45 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
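Review bot: The pin comment on `actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd` in the "Notify on Critical Issues" step changes from `# v8.0.0` to `# v8` while the SHA stays the same, so the comment now names a moving major tag rather than the release the SHA was checked against. Every other pin touched in this patch keeps a full version in its comment (`# v6.1.0`, `# v4.31.7`), and the same comment change is repeated in .github/workflows/pr-lint.yml and .github/workflows/version-maintenance.yml. I would keep `# v8.0.0` on all three, so that a reviewer can verify the SHA against one immutable release and any update tooling that reads the comment sees an exact version. The step's `with:` block continues outside the hunk.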
@@ -17,6 +17,6 @@ jobs: contents: write steps: - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta - - uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2 + - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 with: generate_release_notes: true diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 569b48b..c2584e5 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -25,7 +25,7 @@ jobs: steps: - name: 🚀 Run stale - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0 + uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} days-before-stale: 30 diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml index 051d1f6..4f1143e 100644 --- a/.github/workflows/test-actions.yml +++ b/.github/workflows/test-actions.yml @@ -73,7 +73,7 @@ jobs: if: always() - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 if: always() && hashFiles('_tests/reports/test-results.sarif') != '' with: sarif_file: _tests/reports/test-results.sarif diff --git a/.github/workflows/version-maintenance.yml b/.github/workflows/version-maintenance.yml index eda216e..0643c87 100644 --- a/.github/workflows/version-maintenance.yml +++ b/.github/workflows/version-maintenance.yml @@ -49,7 +49,7 @@ jobs: - name: Create Pull Request if: steps.action-versioning.outputs.updated == 'true' - uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: 'chore: update action references to ${{ steps.version.outputs.major }}' 
@@ -76,7 +76,7 @@ jobs: - name: Check for Annual Bump if: steps.action-versioning.outputs.needs-annual-bump == 'true' - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | const currentYear = new Date().getFullYear(); diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 32f7281..0a1a593 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -83,11 +83,6 @@ repos: - id: actionlint args: ['-shellcheck='] - - repo: https://github.com/renovatebot/pre-commit-hooks - rev: 42.19.3 - hooks: - - id: renovate-config-validator - - repo: https://github.com/bridgecrewio/checkov.git rev: '3.2.495' hooks: diff --git a/ansible-lint-fix/action.yml b/ansible-lint-fix/action.yml index 8a553f7..1af7448 100644 --- a/ansible-lint-fix/action.yml +++ b/ansible-lint-fix/action.yml @@ -130,6 +130,6 @@ runs: - name: Upload SARIF Report if: steps.check-files.outputs.files_found == 'true' - uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: sarif_file: ansible-lint.sarif diff --git a/biome-lint/action.yml b/biome-lint/action.yml index e6472c9..842f3b2 100644 --- a/biome-lint/action.yml +++ b/biome-lint/action.yml @@ -181,7 +181,7 @@ runs: echo "Detected package manager: $package_manager" - name: Setup Node.js - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '24' @@ -331,7 +331,7 @@ runs: - name: Upload SARIF Report if: inputs.mode == 'check' && always() - uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: sarif_file: biome-report.sarif 
diff --git a/codeql-analysis/action.yml b/codeql-analysis/action.yml index f0951ec..05c53c3 100644 --- a/codeql-analysis/action.yml +++ b/codeql-analysis/action.yml @@ -186,7 +186,7 @@ runs: echo "Using build mode: $build_mode" - name: Initialize CodeQL - uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: languages: ${{ inputs.language }} queries: ${{ inputs.queries }} @@ -199,12 +199,12 @@ runs: threads: ${{ inputs.threads }} - name: Autobuild - uses: github/codeql-action/autobuild@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/autobuild@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }} - name: Perform CodeQL Analysis id: analysis - uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: category: ${{ steps.set-category.outputs.category }} upload: ${{ inputs.upload-results }} diff --git a/compress-images/action.yml b/compress-images/action.yml index 674e134..010afca 100644 --- a/compress-images/action.yml +++ b/compress-images/action.yml @@ -163,7 +163,7 @@ runs: - name: Create New Pull Request If Needed if: steps.calibre.outputs.markdown != '' - uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11 with: token: ${{ inputs.token }} title: 'chore: compress images' diff --git a/csharp-lint-check/action.yml b/csharp-lint-check/action.yml index d1ffcbe..0aec1ef 100644 --- a/csharp-lint-check/action.yml +++ b/csharp-lint-check/action.yml 
@@ -206,6 +206,6 @@ runs: fi - name: Upload SARIF Report - uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: sarif_file: dotnet-format.sarif diff --git a/eslint-lint/action.yml b/eslint-lint/action.yml index 8977e13..b4f3554 100644 --- a/eslint-lint/action.yml +++ b/eslint-lint/action.yml @@ -288,7 +288,7 @@ runs: echo "Detected package manager: $package_manager" - name: Setup Node.js - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '24' @@ -457,7 +457,7 @@ runs: - name: Upload SARIF Report if: inputs.mode == 'check' && inputs.report-format == 'sarif' && always() - uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: sarif_file: ${{ inputs.working-directory }}/eslint-results.sarif diff --git a/go-lint/action.yml b/go-lint/action.yml index 3a3c162..d494f13 100644 --- a/go-lint/action.yml +++ b/go-lint/action.yml @@ -414,7 +414,7 @@ runs: - name: Upload Lint Results if: always() && inputs.report-format == 'sarif' - uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: sarif_file: ${{ inputs.working-directory }}/reports/golangci-lint.sarif category: golangci-lint diff --git a/npm-publish/action.yml b/npm-publish/action.yml index b67ff8a..820dc14 100644 --- a/npm-publish/action.yml +++ b/npm-publish/action.yml 
@@ -121,7 +121,7 @@ runs: echo "Detected package manager: $package_manager" - name: Setup Node.js - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '24' diff --git a/pr-lint/action.yml b/pr-lint/action.yml index 112d420..f186c88 100644 --- a/pr-lint/action.yml +++ b/pr-lint/action.yml @@ -57,10 +57,6 @@ runs: ref: ${{ github.event.pull_request.head.sha || github.sha }} persist-credentials: false - # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to - # improve performance - fetch-depth: 0 - # ╭──────────────────────────────────────────────────────────╮ # │ Install packages for linting │ # ╰──────────────────────────────────────────────────────────╯ @@ -122,7 +118,7 @@ runs: - name: Setup Node.js if: steps.detect-node.outputs.found == 'true' - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '24' @@ -382,7 +378,7 @@ runs: id: python-version shell: sh env: - DEFAULT_VERSION: '3.11' + DEFAULT_VERSION: '3.14' run: | set -eu @@ -519,7 +515,7 @@ runs: id: go-version shell: sh env: - DEFAULT_VERSION: '1.24' + DEFAULT_VERSION: '1.25' run: | set -eu @@ -654,11 +650,7 @@ runs: # github.event_name == 'push' && # contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref) # }} - VALIDATE_ALL_CODEBASE: >- - ${{ - github.event_name == 'push' && - contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref) - }} + VALIDATE_ALL_CODEBASE: false GITHUB_TOKEN: ${{ inputs.token || github.token }} 
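Review bot: `VALIDATE_ALL_CODEBASE: false` in pr-lint/action.yml is now paired with a checkout that no longer sets `fetch-depth: 0`, which the `@@ -57,10 +57,6 @@` hunk of the same file removes. The comment deleted there said the full fetch could be dropped only when VALIDATE_ALL_CODEBASE is true, and this hunk sets the opposite. With a shallow clone the linter presumably cannot diff against the base branch, so changed-file detection may fail or find nothing to lint, and a pull request could pass the gate unchecked. Either restore `fetch-depth: 0` on the checkout step, or confirm on a test PR that changed files are still detected and replace the commented-out expression above this line with a one-line reason for the hard-coded `false`. The step's env block starts and ends outside the hunk.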
@@ -682,13 +674,6 @@ runs: # Uncomment to disable copy-paste and spell checks DISABLE: COPYPASTE,SPELL - # Export env vars to make them available for subsequent expressions - - name: Export Apply Fixes Variables - shell: sh - run: | - printf '%s\n' "APPLY_FIXES_EVENT=pull_request" >> "$GITHUB_ENV" - printf '%s\n' "APPLY_FIXES_MODE=commit" >> "$GITHUB_ENV" - # Upload MegaLinter artifacts - name: Archive production artifacts if: success() || failure() 
@@ -699,112 +684,3 @@ runs: path: | megalinter-reports mega-linter.log - - # Set APPLY_FIXES_IF var for use in future steps - - name: Set APPLY_FIXES_IF var - shell: sh - env: - APPLY_FIXES_CONDITION: >- - ${{ - steps.ml.outputs.has_updated_sources == 1 && - (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && - (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) - }} - run: | - set -eu - - # Sanitize by removing newlines to prevent env var injection - sanitized_condition="$(echo "$APPLY_FIXES_CONDITION" | tr -d '\n\r')" - printf 'APPLY_FIXES_IF=%s\n' "$sanitized_condition" >> "${GITHUB_ENV}" - - # Set APPLY_FIXES_IF_* vars for use in future steps - - name: Set APPLY_FIXES_IF_* vars - shell: sh - env: - APPLY_FIXES_IF_PR_CONDITION: ${{ env.APPLY_FIXES_IF == 'true' && env.APPLY_FIXES_MODE == 'pull_request' }} - APPLY_FIXES_IF_COMMIT_CONDITION: ${{ env.APPLY_FIXES_IF == 'true' && env.APPLY_FIXES_MODE == 'commit' && (!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)) }} - run: | - set -eu - - # Sanitize by removing newlines to prevent env var injection - sanitized_pr="$(echo "$APPLY_FIXES_IF_PR_CONDITION" | tr -d '\n\r')" - sanitized_commit="$(echo "$APPLY_FIXES_IF_COMMIT_CONDITION" | tr -d '\n\r')" - - printf 'APPLY_FIXES_IF_PR=%s\n' "$sanitized_pr" >> "${GITHUB_ENV}" - printf 'APPLY_FIXES_IF_COMMIT=%s\n' "$sanitized_commit" >> "${GITHUB_ENV}" - - # Create pull request if applicable - # (for now works only on PR from same repository, not from forks) - - name: Create Pull Request with applied fixes - uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9 - id: cpr - if: env.APPLY_FIXES_IF_PR == 'true' - with: - token: ${{ inputs.token || github.token }} - commit-message: 'style: apply linter fixes' - title: 'style: apply linter fixes' - labels: bot - - - name: Create PR output - if: env.APPLY_FIXES_IF_PR == 'true' - shell: sh - env: - 
PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }} - PR_URL: ${{ steps.cpr.outputs.pull-request-url }} - run: | - set -eu - - printf 'PR Number - %s\n' "$PR_NUMBER" - printf 'PR URL - %s\n' "$PR_URL" - - # Push new commit if applicable - # (for now works only on PR from same repository, not from forks) - - name: Prepare commit - if: env.APPLY_FIXES_IF_COMMIT == 'true' - shell: sh - run: | - set -eu - - # Fix .git directory ownership after MegaLinter container execution - current_uid=$(id -u) - sudo chown -Rc "$current_uid" .git/ - - # Ensure we're on the correct branch (not in detached HEAD state) - # This is necessary because MegaLinter may leave the repo in a detached HEAD state - current_branch=$(git rev-parse --abbrev-ref HEAD) - if [ "$current_branch" = "HEAD" ]; then - printf '%s\n' "Repository is in detached HEAD state" - - # Get the branch name from git refs (safer than trusting event data) - # This finds the branch that points to the current commit - branch_ref=$(git for-each-ref --format='%(refname:short)' --points-at=HEAD 'refs/remotes/origin/*' | head -1 | sed 's|^origin/||') - - if [ -z "$branch_ref" ]; then - printf '%s\n' "::error::Could not determine branch name from git refs" - exit 1 - fi - - # Validate branch reference to prevent command injection - if ! 
git check-ref-format --branch "$branch_ref"; then - printf '%s\n' "::error::Invalid branch reference format: $branch_ref" - exit 1 - fi - - printf 'Checking out branch: %s\n' "$branch_ref" - git checkout "$branch_ref" - - # Export for next step - printf '%s\n' "VALIDATED_BRANCH=$branch_ref" >> "$GITHUB_ENV" - else - printf 'Repository is on branch: %s\n' "$current_branch" - printf '%s\n' "VALIDATED_BRANCH=$current_branch" >> "$GITHUB_ENV" - fi - - - name: Commit and push applied linter fixes - uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0 - if: env.APPLY_FIXES_IF_COMMIT == 'true' - with: - branch: ${{ env.VALIDATED_BRANCH }} - commit_message: 'style: apply linter fixes' - commit_user_name: ${{ inputs.username }} - commit_user_email: ${{ inputs.email }} diff --git a/prettier-lint/action.yml b/prettier-lint/action.yml index f36de55..09e760e 100644 --- a/prettier-lint/action.yml +++ b/prettier-lint/action.yml @@ -274,7 +274,7 @@ runs: echo "Detected package manager: $package_manager" - name: Setup Node.js - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: node-version: '24' diff --git a/python-lint-fix/action.yml b/python-lint-fix/action.yml index 356f541..3090406 100644 --- a/python-lint-fix/action.yml +++ b/python-lint-fix/action.yml @@ -370,7 +370,7 @@ runs: - name: Upload SARIF Report if: steps.check-files.outputs.result == 'found' - uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: sarif_file: ${{ inputs.working-directory }}/reports/flake8.sarif category: 'python-lint' diff --git a/security-scan/action.yml b/security-scan/action.yml index 1ab5100..dc81315 100644 --- a/security-scan/action.yml +++ b/security-scan/action.yml 
@@ -161,14 +161,14 @@ runs: - name: Upload Trivy results if: steps.verify-sarif.outputs.has_trivy == 'true' - uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: sarif_file: 'trivy-results.sarif' category: 'trivy' - name: Upload Gitleaks results if: steps.verify-sarif.outputs.has_gitleaks == 'true' - uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: sarif_file: 'gitleaks-report.sarif' category: 'gitleaks' diff --git a/stale/action.yml b/stale/action.yml index c89a413..157beee 100644 --- a/stale/action.yml +++ b/stale/action.yml @@ -52,7 +52,7 @@ runs: - name: 🚀 Run stale id: stale - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0 + uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1 with: repo-token: ${{ inputs.token || github.token }} days-before-stale: ${{ inputs.days-before-stale }} diff --git a/terraform-lint-fix/action.yml b/terraform-lint-fix/action.yml index c2b155b..446cdc4 100644 --- a/terraform-lint-fix/action.yml +++ b/terraform-lint-fix/action.yml @@ -256,7 +256,7 @@ runs: - name: Upload SARIF Report if: steps.check-files.outputs.found == 'true' && inputs.format == 'sarif' - uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7 with: sarif_file: ${{ env.VALIDATED_WORKING_DIR }}/reports/tflint.sarif category: terraform-lint