fix(deps): update action pins and fix trivy-action version comment

Update SHA-pinned action references to latest versions: - github/codeql-action v4.32.6 → v4.33.0 - nick-fields/retry v3.0.2 → v4.0.0 - actions/cache v5.0.3 → v5.0.4 - oven-sh/setup-bun v2.1.3 → v2.2.0 - softprops/action-gh-release v2.5.0 → v2.6.1 - github/issue-metrics v4.1.0 → v4.1.1 - shivammathur/setup-php 2.36.0 → 2.37.0 - astral-sh/setup-uv v7.5.0 → v7.6.0 - terraform-linters/setup-tflint v6.2.1 → v6.2.2 - aquasecurity/trivy-action: pin from master to v0.35.0 Fix pinact warning in docker-build by adding missing v prefix to trivy-action version comment (0.35.0 → v0.35.0).
2026-03-20 16:01:09 +00:00 · 2026-03-20 12:49:50 +02:00
parent 08773dea53
commit c435155a95
23 changed files with 40 additions and 40 deletions
--- a/.github/actions/setup-test-environment/action.yml
+++ b/.github/actions/setup-test-environment/action.yml
@@ -17,7 +17,7 @@ runs:
  using: composite
  steps:
    - name: Install uv
-      uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7.5.0
+      uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
      with:
        enable-cache: true

--- a/.github/workflows/issue-stats.yml
+++ b/.github/workflows/issue-stats.yml
@@ -29,7 +29,7 @@ jobs:
          echo "last_month=$first_day..$last_day" >> "$GITHUB_ENV"

      - name: Run issue-metrics tool
-        uses: github/issue-metrics@41a7961f701cc64490f32e143af8ef479b93e87d # v4.1.0
+        uses: github/issue-metrics@6a35322ff89cee3e1a594d282c27eb34bffa9174 # v4.1.1
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SEARCH_QUERY: 'repo:ivuorinen/actions is:issue created:${{ env.last_month }} -reason:"not planned"'
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -70,7 +70,7 @@ jobs:

      - name: Upload SARIF Report
        if: always() && hashFiles('megalinter-reports/sarif/*.sarif')
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
        with:
          sarif_file: megalinter-reports/sarif
          category: megalinter
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,7 +16,7 @@ jobs:
      contents: write
    steps:
      - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
-      - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+      - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
          generate_release_notes: true

--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -53,6 +53,6 @@ jobs:
      # Upload the results to GitHub's code scanning dashboard (optional).
      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
      - name: 'Upload to code-scanning'
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
        with:
          sarif_file: results.sarif
--- a/.github/workflows/test-actions.yml
+++ b/.github/workflows/test-actions.yml
@@ -73,7 +73,7 @@ jobs:
        if: always()

      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
        if: always() && hashFiles('_tests/reports/test-results.sarif') != ''
        with:
          sarif_file: _tests/reports/test-results.sarif
--- a/ansible-lint-fix/action.yml
+++ b/ansible-lint-fix/action.yml
@@ -83,7 +83,7 @@ runs:
    - name: Install ansible-lint
      id: install-ansible-lint
      if: steps.check-files.outputs.files_found == 'true'
-      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
      with:
        timeout_minutes: 5
        max_attempts: ${{ inputs.max-retries }}
@@ -130,6 +130,6 @@ runs:

    - name: Upload SARIF Report
      if: steps.check-files.outputs.files_found == 'true'
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
      with:
        sarif_file: ansible-lint.sarif
--- a/biome-lint/action.yml
+++ b/biome-lint/action.yml
@@ -212,13 +212,13 @@ runs:

    - name: Setup Bun
      if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
      with:
        bun-version: latest

    - name: Cache Node Dependencies
      id: cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
      with:
        path: node_modules
        key: ${{ runner.os }}-biome-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -331,7 +331,7 @@ runs:

    - name: Upload SARIF Report
      if: inputs.mode == 'check' && always()
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
      with:
        sarif_file: biome-report.sarif

--- a/codeql-analysis/action.yml
+++ b/codeql-analysis/action.yml
@@ -186,7 +186,7 @@ runs:
        echo "Using build mode: $build_mode"

    - name: Initialize CodeQL
-      uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
      with:
        languages: ${{ inputs.language }}
        queries: ${{ inputs.queries }}
@@ -199,12 +199,12 @@ runs:
        threads: ${{ inputs.threads }}

    - name: Autobuild
-      uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/autobuild@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
      if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }}

    - name: Perform CodeQL Analysis
      id: analysis
-      uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
      with:
        category: ${{ steps.set-category.outputs.category }}
        upload: ${{ inputs.upload-results }}
--- a/csharp-build/action.yml
+++ b/csharp-build/action.yml
@@ -155,7 +155,7 @@ runs:
        cache-dependency-path: '**/packages.lock.json'

    - name: Restore Dependencies
-      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
      with:
        timeout_minutes: 10
        max_attempts: ${{ inputs.max-retries }}
--- a/csharp-lint-check/action.yml
+++ b/csharp-lint-check/action.yml
@@ -206,6 +206,6 @@ runs:
        fi

    - name: Upload SARIF Report
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
      with:
        sarif_file: dotnet-format.sarif
--- a/csharp-publish/action.yml
+++ b/csharp-publish/action.yml
@@ -169,7 +169,7 @@ runs:
        cache-dependency-path: '**/packages.lock.json'

    - name: Restore Dependencies
-      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
      with:
        timeout_minutes: 10
        max_attempts: ${{ inputs.max-retries }}
--- a/docker-build/action.yml
+++ b/docker-build/action.yml
@@ -536,7 +536,7 @@ runs:
    - name: Scan Image for Vulnerabilities
      id: scan
      if: inputs.scan-image == 'true' && inputs.dry-run != 'true'
-      uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+      uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
      with:
        scan-type: 'image'
        image-ref: ${{ steps.image-name.outputs.name }}:${{ inputs.tag }}
--- a/eslint-lint/action.yml
+++ b/eslint-lint/action.yml
@@ -319,13 +319,13 @@ runs:

    - name: Setup Bun
      if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
      with:
        bun-version: latest

    - name: Cache Node Dependencies
      id: cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
      with:
        path: node_modules
        key: ${{ runner.os }}-eslint-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -457,7 +457,7 @@ runs:

    - name: Upload SARIF Report
      if: inputs.mode == 'check' && inputs.report-format == 'sarif' && always()
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
      with:
        sarif_file: ${{ inputs.working-directory }}/eslint-results.sarif

--- a/go-build/action.yml
+++ b/go-build/action.yml
@@ -165,7 +165,7 @@ runs:
        cache: true

    - name: Download Dependencies
-      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
      with:
        timeout_minutes: 10
        max_attempts: ${{ inputs.max-retries }}
--- a/go-lint/action.yml
+++ b/go-lint/action.yml
@@ -218,7 +218,7 @@ runs:
    - name: Cache golangci-lint
      id: cache
      if: inputs.cache == 'true'
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
      with:
        path: |
          ~/.cache/golangci-lint
@@ -414,7 +414,7 @@ runs:

    - name: Upload Lint Results
      if: always() && inputs.report-format == 'sarif'
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
      with:
        sarif_file: ${{ inputs.working-directory }}/reports/golangci-lint.sarif
        category: golangci-lint
--- a/npm-publish/action.yml
+++ b/npm-publish/action.yml
@@ -152,13 +152,13 @@ runs:

    - name: Setup Bun
      if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
      with:
        bun-version: latest

    - name: Cache Node Dependencies
      id: cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
      with:
        path: node_modules
        key: ${{ runner.os }}-npm-publish-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
--- a/php-tests/action.yml
+++ b/php-tests/action.yml
@@ -319,7 +319,7 @@ runs:

    - name: Setup PHP
      id: setup-php
-      uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
+      uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
      with:
        php-version: ${{ steps.detect-php-version.outputs.detected-version }}
        extensions: ${{ inputs.extensions }}
@@ -356,7 +356,7 @@ runs:

    - name: Cache Composer packages
      id: composer-cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
      with:
        path: |
          vendor
@@ -376,7 +376,7 @@ runs:
        composer clear-cache

    - name: Install Composer Dependencies
-      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+      uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
      with:
        timeout_minutes: 10
        max_attempts: ${{ inputs.max-retries }}
--- a/pr-lint/action.yml
+++ b/pr-lint/action.yml
@@ -156,14 +156,14 @@ runs:

    - name: Setup Bun
      if: steps.detect-node.outputs.found == 'true' && steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
      with:
        bun-version: latest

    - name: Cache Node Dependencies
      if: steps.detect-node.outputs.found == 'true'
      id: node-cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
      with:
        path: node_modules
        key: ${{ runner.os }}-pr-lint-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -335,7 +335,7 @@ runs:

    - name: Setup PHP
      if: steps.detect-php.outputs.found == 'true'
-      uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0
+      uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
      with:
        php-version: ${{ steps.php-version.outputs.detected-version }}
        tools: composer
--- a/prettier-lint/action.yml
+++ b/prettier-lint/action.yml
@@ -305,13 +305,13 @@ runs:

    - name: Setup Bun
      if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
      with:
        bun-version: latest

    - name: Cache Node Dependencies
      id: cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
      with:
        path: node_modules
        key: ${{ runner.os }}-prettier-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
--- a/python-lint-fix/action.yml
+++ b/python-lint-fix/action.yml
@@ -370,7 +370,7 @@ runs:

    - name: Upload SARIF Report
      if: steps.check-files.outputs.result == 'found'
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
      with:
        sarif_file: ${{ inputs.working-directory }}/reports/flake8.sarif
        category: 'python-lint'
--- a/security-scan/action.yml
+++ b/security-scan/action.yml
@@ -118,7 +118,7 @@ runs:

    - name: Run Trivy vulnerability scanner
      if: steps.check-configs.outputs.run_trivy == 'true'
-      uses: aquasecurity/trivy-action@a11da62073708815958ea6d84f5650c78a3ef85b # master
+      uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
      with:
        scan-type: 'fs'
        scanners: ${{ inputs.trivy-scanners }}
@@ -161,14 +161,14 @@ runs:

    - name: Upload Trivy results
      if: steps.verify-sarif.outputs.has_trivy == 'true'
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
      with:
        sarif_file: 'trivy-results.sarif'
        category: 'trivy'

    - name: Upload Gitleaks results
      if: steps.verify-sarif.outputs.has_gitleaks == 'true'
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
      with:
        sarif_file: 'gitleaks-report.sarif'
        category: 'gitleaks'
--- a/terraform-lint-fix/action.yml
+++ b/terraform-lint-fix/action.yml
@@ -147,7 +147,7 @@ runs:

    - name: Setup TFLint
      if: steps.check-files.outputs.found == 'true'
-      uses: terraform-linters/setup-tflint@4cb9feea73331a35b422df102992a03a44a3bb33 # v6.2.1
+      uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2
      with:
        tflint_version: ${{ inputs.tflint-version }}

@@ -256,7 +256,7 @@ runs:

    - name: Upload SARIF Report
      if: steps.check-files.outputs.found == 'true' && inputs.format == 'sarif'
-      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+      uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
      with:
        sarif_file: ${{ env.VALIDATED_WORKING_DIR }}/reports/tflint.sarif
        category: terraform-lint