feat: add action-validator and clean up CI workflows (#513)

* chore(pre-commit): update hooks and add action-validator

Update uv-pre-commit 0.10.9→0.10.11 and checkov 3.2.508→3.2.510.
Normalize single quotes to double quotes in hook args.
Add action-validator v0.8.0 hook for GitHub Actions validation.

* fix(ci): clean up workflow path filters

Remove non-existent action.yaml paths from action-security workflow.
Fix glob patterns (**.md → **/*.md) in pr-lint workflow.
Remove unused trigger paths (yarn.lock, pnpm-lock.yaml,
requirements.txt, .github/labels.yml, docs/**) from security-suite
and sync-labels workflows.

* feat(make): add lint-actions target for action-validator

Add lint-actions target that runs action-validator via pre-commit.
Include it in the lint dependency list and .PHONY declaration.

* docs: add context-mode routing rules to CLAUDE.md

Add mandatory routing rules section for context-mode MCP plugin,
documenting blocked commands, redirected tools, tool selection
hierarchy, and output constraints.

* fix(lint): resolve action-validator failure on language-version-detect

- Remove unsupported `deprecated: true` from language-version-detect/action.yml
  (deprecation already communicated via description field)
- Scope action-validator pre-commit hook to workflow and action.yml files only
- Make missing pre-commit a hard error in lint-actions target

* fix(deps): update action pins and fix trivy-action version comment

Update SHA-pinned action references to latest versions:
- github/codeql-action v4.32.6 → v4.33.0
- nick-fields/retry v3.0.2 → v4.0.0
- actions/cache v5.0.3 → v5.0.4
- oven-sh/setup-bun v2.1.3 → v2.2.0
- softprops/action-gh-release v2.5.0 → v2.6.1
- github/issue-metrics v4.1.0 → v4.1.1
- shivammathur/setup-php 2.36.0 → 2.37.0
- astral-sh/setup-uv v7.5.0 → v7.6.0
- terraform-linters/setup-tflint v6.2.1 → v6.2.2
- aquasecurity/trivy-action: pin from master to v0.35.0

Fix pinact warning in docker-build by adding missing v prefix
to trivy-action version comment (0.35.0 → v0.35.0).

.github/actions/setup-test-environment/action.yml

@@ -17,7 +17,7 @@ runs:
   using: composite
   steps:
     - name: Install uv
-      uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7.5.0
+      uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
       with:
         enable-cache: true
 

.github/workflows/action-security.yml

@@ -6,11 +6,9 @@ on:
   push:
     paths:
       - '**/action.yml'
-      - '**/action.yaml'
   pull_request:
     paths:
       - '**/action.yml'
-      - '**/action.yaml'
   merge_group:
 
 concurrency:

.github/workflows/issue-stats.yml

@@ -29,7 +29,7 @@ jobs:
           echo "last_month=$first_day..$last_day" >> "$GITHUB_ENV"
 
       - name: Run issue-metrics tool
-        uses: github/issue-metrics@41a7961f701cc64490f32e143af8ef479b93e87d # v4.1.0
+        uses: github/issue-metrics@6a35322ff89cee3e1a594d282c27eb34bffa9174 # v4.1.1
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SEARCH_QUERY: 'repo:ivuorinen/actions is:issue created:${{ env.last_month }} -reason:"not planned"'

.github/workflows/pr-lint.yml

@@ -8,19 +8,17 @@ on:
       - main
       - master
     paths-ignore:
-      - '**.md'
-      - 'docs/**'
+      - '**/*.md'
       - '.github/*.md'
-      - 'LICENSE'
+      - 'LICENSE.md'
   pull_request:
     branches:
       - main
       - master
     paths-ignore:
-      - '**.md'
-      - 'docs/**'
+      - '**/*.md'
       - '.github/*.md'
-      - 'LICENSE'
+      - 'LICENSE.md'
   merge_group:
 
 env:
@@ -72,7 +70,7 @@ jobs:
 
       - name: Upload SARIF Report
         if: always() && hashFiles('megalinter-reports/sarif/*.sarif')
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
         with:
           sarif_file: megalinter-reports/sarif
           category: megalinter

.github/workflows/release.yml

@@ -16,7 +16,7 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
-      - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+      - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           generate_release_notes: true
 

.github/workflows/scorecard.yml

@@ -53,6 +53,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: 'Upload to code-scanning'
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
         with:
           sarif_file: results.sarif

.github/workflows/security-suite.yml

@@ -7,16 +7,12 @@ on:
     paths:
       - '**/package.json'
       - '**/package-lock.json'
-      - '**/yarn.lock'
-      - '**/pnpm-lock.yaml'
-      - '**/requirements.txt'
       - '**/Dockerfile'
       - '**/*.py'
       - '**/*.js'
       - '**/*.ts'
       - '**/*.yml'
       - '**/*.yaml'
-      - '.github/workflows/**'
 
 permissions: {}
 

.github/workflows/sync-labels.yml

@@ -8,7 +8,6 @@ on:
       - main
       - master
     paths:
-      - '.github/labels.yml'
       - '.github/workflows/sync-labels.yml'
       - 'sync-labels/action.yml'
       - 'sync-labels/labels.yml'

.github/workflows/test-actions.yml

@@ -73,7 +73,7 @@ jobs:
         if: always()
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
         if: always() && hashFiles('_tests/reports/test-results.sarif') != ''
         with:
           sarif_file: _tests/reports/test-results.sarif

.pre-commit-config.yaml

@@ -14,7 +14,7 @@ repos:
         types: [markdown, python, yaml]
         files: ^(docs/.*|README\.md|CONTRIBUTING\.md|CHANGELOG\.md|.*\.py|.*\.ya?ml)$
   - repo: https://github.com/astral-sh/uv-pre-commit
-    rev: 0.10.9
+    rev: 0.10.11
     hooks:
       - id: uv-lock
       - id: uv-sync
@@ -67,30 +67,36 @@ repos:
     rev: v3.12.0-2
     hooks:
       - id: shfmt
-        args: ['--apply-ignore']
+        args: ["--apply-ignore"]
         exclude: '^_tests/.*\.sh$'
 
   - repo: https://github.com/shellcheck-py/shellcheck-py
     rev: v0.11.0.1
     hooks:
       - id: shellcheck
-        args: ['-x']
+        args: ["-x"]
         exclude: '^_tests/.*\.sh$'
 
   - repo: https://github.com/rhysd/actionlint
     rev: v1.7.11
     hooks:
       - id: actionlint
-        args: ['-shellcheck=']
+        args: ["-shellcheck="]
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: '3.2.508'
+    rev: "3.2.510"
     hooks:
       - id: checkov
         args:
-          - '--quiet'
+          - "--quiet"
 
   - repo: https://github.com/gitleaks/gitleaks
     rev: v8.30.1
     hooks:
       - id: gitleaks
+
+  - repo: https://github.com/mpalmer/action-validator
+    rev: v0.8.0
+    hooks:
+      - id: action-validator
+        files: '(^\.github/workflows/.*\.ya?ml$|.*/action\.ya?ml$)'

CLAUDE.md

@@ -168,3 +168,78 @@ Check: `make check-version-refs`
 ---
 
 All actions modular and externally usable. No exceptions to any rule.
+
+## context-mode — MANDATORY routing rules
+
+You have context-mode MCP tools available. These rules are NOT optional — they protect your context window from flooding. A single unrouted command can dump 56 KB into context and waste the entire session.
+
+### BLOCKED commands — do NOT attempt these
+
+#### curl / wget — BLOCKED
+
+Any Bash command containing `curl` or `wget` is intercepted and replaced with an error message. Do NOT retry.
+Instead use:
+
+- `ctx_fetch_and_index(url, source)` to fetch and index web pages
+- `ctx_execute(language: "javascript", code: "const r = await fetch(...)")` to run HTTP calls in sandbox
+
+#### Inline HTTP — BLOCKED
+
+Any Bash command containing `fetch('http`, `requests.get(`, `requests.post(`, `http.get(`, or `http.request(` is intercepted and replaced with an error message. Do NOT retry with Bash.
+Instead use:
+
+- `ctx_execute(language, code)` to run HTTP calls in sandbox — only stdout enters context
+
+#### WebFetch — BLOCKED
+
+WebFetch calls are denied entirely. The URL is extracted and you are told to use `ctx_fetch_and_index` instead.
+Instead use:
+
+- `ctx_fetch_and_index(url, source)` then `ctx_search(queries)` to query the indexed content
+
+### REDIRECTED tools — use sandbox equivalents
+
+#### Bash (>20 lines output)
+
+Bash is ONLY for: `git`, `mkdir`, `rm`, `mv`, `cd`, `ls`, `npm install`, `pip install`, and other short-output commands.
+For everything else, use:
+
+- `ctx_batch_execute(commands, queries)` — run multiple commands + search in ONE call
+- `ctx_execute(language: "shell", code: "...")` — run in sandbox, only stdout enters context
+
+#### Read (for analysis)
+
+If you are reading a file to **Edit** it → Read is correct (Edit needs content in context).
+If you are reading to **analyze, explore, or summarize** → use `ctx_execute_file(path, language, code)` instead. Only your printed summary enters context. The raw file content stays in the sandbox.
+
+#### Grep (large results)
+
+Grep results can flood context. Use `ctx_execute(language: "shell", code: "grep ...")` to run searches in sandbox. Only your printed summary enters context.
+
+### Tool selection hierarchy
+
+1. **GATHER**: `ctx_batch_execute(commands, queries)` — Primary tool. Runs all commands, auto-indexes output, returns search results. ONE call replaces 30+ individual calls.
+2. **FOLLOW-UP**: `ctx_search(queries: ["q1", "q2", ...])` — Query indexed content. Pass ALL questions as array in ONE call.
+3. **PROCESSING**: `ctx_execute(language, code)` | `ctx_execute_file(path, language, code)` — Sandbox execution. Only stdout enters context.
+4. **WEB**: `ctx_fetch_and_index(url, source)` then `ctx_search(queries)` — Fetch, chunk, index, query. Raw HTML never enters context.
+5. **INDEX**: `ctx_index(content, source)` — Store content in FTS5 knowledge base for later search.
+
+### Subagent routing
+
+When spawning subagents (Agent/Task tool), the routing block is automatically injected into their prompt.
+Bash-type subagents are upgraded to general-purpose so they have access to MCP tools.
+You do NOT need to manually instruct subagents about context-mode.
+
+### Output constraints
+
+- Keep responses under 500 words.
+- Write artifacts (code, configs, PRDs) to FILES — never return them as inline text. Return only: file path + 1-line description.
+- When indexing content, use descriptive source labels so others can `ctx_search(source: "label")` later.
+
+### ctx commands
+
+| Command | Action |
+|---------|--------|
+| `ctx stats` | Call the `ctx_stats` MCP tool and display the full output verbatim |
+| `ctx doctor` | Call the `ctx_doctor` MCP tool, run the returned shell command, display as checklist |
+| `ctx upgrade` | Call the `ctx_upgrade` MCP tool, run the returned shell command, display as checklist |

Makefile

@@ -1,7 +1,7 @@
 # Makefile for GitHub Actions repository
 # Provides organized task management with parallel execution capabilities
 
-.PHONY: help all docs update-catalog lint format check clean install-tools test test-unit test-integration test-coverage generate-tests generate-tests-dry test-generate-tests docker-build docker-push docker-test docker-login docker-all release release-dry release-prep release-tag release-undo update-version-refs bump-major-version check-version-refs
+.PHONY: help all docs update-catalog lint format check clean install-tools test test-unit test-integration test-coverage generate-tests generate-tests-dry test-generate-tests docker-build docker-push docker-test docker-login docker-all release release-dry release-prep release-tag release-undo update-version-refs bump-major-version check-version-refs lint-actions
 .DEFAULT_GOAL := help
 
 # Colors for output
@@ -98,7 +98,7 @@ update-validators-dry: ## Preview validation rules changes (dry run)
 format: format-markdown format-yaml-json format-python ## Format all files
 	@echo "$(GREEN)✅ All files formatted$(RESET)"
 
-lint: lint-markdown lint-yaml lint-shell lint-python ## Run all linters
+lint: lint-markdown lint-yaml lint-shell lint-python lint-actions ## Run all linters
 	@echo "$(GREEN)✅ All linting completed$(RESET)"
 
 check: check-tools check-syntax check-local-refs ## Quick syntax and tool availability checks
@@ -322,6 +322,20 @@ lint-python: ## Lint Python files with ruff and pyright
 		echo "$(GREEN)✅ Python linting and type checking passed$(RESET)"; \
 	fi
 
+lint-actions: ## Validate GitHub Actions workflows and action.yml files
+	@echo "$(BLUE)🔍 Validating GitHub Actions...$(RESET)"
+	@if command -v pre-commit >/dev/null 2>&1; then \
+		if PRE_COMMIT_USE_UV=1 pre-commit run action-validator --all-files; then \
+			echo "$(GREEN)✅ Actions validation passed$(RESET)"; \
+		else \
+			echo "$(RED)❌ Actions validation failed$(RESET)" | tee -a $(LOG_FILE); \
+			exit 1; \
+		fi; \
+	else \
+		echo "$(RED)❌ pre-commit not found. Install it via 'make install-tools' before linting$(RESET)"; \
+		exit 1; \
+	fi
+
 # Check targets
 check-tools: ## Check if required tools are available
 	@echo "$(BLUE)🔧 Checking required tools...$(RESET)"

ansible-lint-fix/action.yml

@@ -83,7 +83,7 @@ runs:
     - name: Install ansible-lint
       id: install-ansible-lint
       if: steps.check-files.outputs.files_found == 'true'
-      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
       with:
         timeout_minutes: 5
         max_attempts: ${{ inputs.max-retries }}
@@ -130,6 +130,6 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.files_found == 'true'
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
       with:
         sarif_file: ansible-lint.sarif

biome-lint/action.yml

@@ -212,13 +212,13 @@ runs:
 
     - name: Setup Bun
       if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
       with:
         bun-version: latest
 
     - name: Cache Node Dependencies
       id: cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         path: node_modules
         key: ${{ runner.os }}-biome-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -331,7 +331,7 @@ runs:
 
     - name: Upload SARIF Report
       if: inputs.mode == 'check' && always()
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
       with:
         sarif_file: biome-report.sarif
 

codeql-analysis/action.yml

@@ -186,7 +186,7 @@ runs:
         echo "Using build mode: $build_mode"
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
       with:
         languages: ${{ inputs.language }}
         queries: ${{ inputs.queries }}
@@ -199,12 +199,12 @@ runs:
         threads: ${{ inputs.threads }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/autobuild@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
       if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }}
 
     - name: Perform CodeQL Analysis
       id: analysis
-      uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
       with:
         category: ${{ steps.set-category.outputs.category }}
         upload: ${{ inputs.upload-results }}

csharp-build/action.yml

@@ -155,7 +155,7 @@ runs:
         cache-dependency-path: '**/packages.lock.json'
 
     - name: Restore Dependencies
-      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
       with:
         timeout_minutes: 10
         max_attempts: ${{ inputs.max-retries }}

csharp-lint-check/action.yml

@@ -206,6 +206,6 @@ runs:
         fi
 
     - name: Upload SARIF Report
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
       with:
         sarif_file: dotnet-format.sarif

csharp-publish/action.yml

@@ -169,7 +169,7 @@ runs:
         cache-dependency-path: '**/packages.lock.json'
 
     - name: Restore Dependencies
-      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
       with:
         timeout_minutes: 10
         max_attempts: ${{ inputs.max-retries }}

docker-build/action.yml

@@ -536,7 +536,7 @@ runs:
     - name: Scan Image for Vulnerabilities
       id: scan
       if: inputs.scan-image == 'true' && inputs.dry-run != 'true'
-      uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+      uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
       with:
         scan-type: 'image'
         image-ref: ${{ steps.image-name.outputs.name }}:${{ inputs.tag }}

eslint-lint/action.yml

@@ -319,13 +319,13 @@ runs:
 
     - name: Setup Bun
       if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
       with:
         bun-version: latest
 
     - name: Cache Node Dependencies
       id: cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         path: node_modules
         key: ${{ runner.os }}-eslint-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -457,7 +457,7 @@ runs:
 
     - name: Upload SARIF Report
       if: inputs.mode == 'check' && inputs.report-format == 'sarif' && always()
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
       with:
         sarif_file: ${{ inputs.working-directory }}/eslint-results.sarif
 

go-build/action.yml

@@ -165,7 +165,7 @@ runs:
         cache: true
 
     - name: Download Dependencies
-      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
       with:
         timeout_minutes: 10
         max_attempts: ${{ inputs.max-retries }}

go-lint/action.yml

@@ -218,7 +218,7 @@ runs:
     - name: Cache golangci-lint
       id: cache
       if: inputs.cache == 'true'
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         path: |
           ~/.cache/golangci-lint
@@ -414,7 +414,7 @@ runs:
 
     - name: Upload Lint Results
       if: always() && inputs.report-format == 'sarif'
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/golangci-lint.sarif
         category: golangci-lint

language-version-detect/action.yml

@@ -5,7 +5,6 @@
 name: Language Version Detect
 description: 'DEPRECATED: This action is deprecated. Inline version detection directly in your actions instead. Detects language version from project configuration files with support for PHP, Python, Go, and .NET.'
 author: 'Ismo Vuorinen'
-deprecated: true
 
 branding:
   icon: code

npm-publish/action.yml

@@ -152,13 +152,13 @@ runs:
 
     - name: Setup Bun
       if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
       with:
         bun-version: latest
 
     - name: Cache Node Dependencies
       id: cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         path: node_modules
         key: ${{ runner.os }}-npm-publish-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}

php-tests/action.yml

@@ -319,7 +319,7 @@ runs:
 
     - name: Setup PHP
       id: setup-php
-      uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
+      uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
       with:
         php-version: ${{ steps.detect-php-version.outputs.detected-version }}
         extensions: ${{ inputs.extensions }}
@@ -356,7 +356,7 @@ runs:
 
     - name: Cache Composer packages
       id: composer-cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         path: |
           vendor
@@ -376,7 +376,7 @@ runs:
         composer clear-cache
 
     - name: Install Composer Dependencies
-      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
       with:
         timeout_minutes: 10
         max_attempts: ${{ inputs.max-retries }}

pr-lint/action.yml

@@ -156,14 +156,14 @@ runs:
 
     - name: Setup Bun
       if: steps.detect-node.outputs.found == 'true' && steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
       with:
         bun-version: latest
 
     - name: Cache Node Dependencies
       if: steps.detect-node.outputs.found == 'true'
       id: node-cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         path: node_modules
         key: ${{ runner.os }}-pr-lint-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -335,7 +335,7 @@ runs:
 
     - name: Setup PHP
       if: steps.detect-php.outputs.found == 'true'
-      uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
+      uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
       with:
         php-version: ${{ steps.php-version.outputs.detected-version }}
         tools: composer

prettier-lint/action.yml

@@ -305,13 +305,13 @@ runs:
 
     - name: Setup Bun
       if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
       with:
         bun-version: latest
 
     - name: Cache Node Dependencies
       id: cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         path: node_modules
         key: ${{ runner.os }}-prettier-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}

python-lint-fix/action.yml

@@ -370,7 +370,7 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.result == 'found'
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/flake8.sarif
         category: 'python-lint'

security-scan/action.yml

@@ -118,7 +118,7 @@ runs:
 
     - name: Run Trivy vulnerability scanner
       if: steps.check-configs.outputs.run_trivy == 'true'
-      uses: aquasecurity/trivy-action@a11da62073708815958ea6d84f5650c78a3ef85b # master
+      uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
       with:
         scan-type: 'fs'
         scanners: ${{ inputs.trivy-scanners }}
@@ -161,14 +161,14 @@ runs:
 
     - name: Upload Trivy results
       if: steps.verify-sarif.outputs.has_trivy == 'true'
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
       with:
         sarif_file: 'trivy-results.sarif'
         category: 'trivy'
 
     - name: Upload Gitleaks results
       if: steps.verify-sarif.outputs.has_gitleaks == 'true'
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
       with:
         sarif_file: 'gitleaks-report.sarif'
         category: 'gitleaks'

terraform-lint-fix/action.yml

@@ -147,7 +147,7 @@ runs:
 
     - name: Setup TFLint
       if: steps.check-files.outputs.found == 'true'
-      uses: terraform-linters/setup-tflint@4cb9feea73331a35b422df102992a03a44a3bb33 # v6.2.1
+      uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2
       with:
         tflint_version: ${{ inputs.tflint-version }}
 
@@ -256,7 +256,7 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.found == 'true' && inputs.format == 'sarif'
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
       with:
         sarif_file: ${{ env.VALIDATED_WORKING_DIR }}/reports/tflint.sarif
         category: terraform-lint