From c435155a9552e15c4b3986fbf1c152a6ac912e7d Mon Sep 17 00:00:00 2001 From: Ismo Vuorinen Date: Fri, 20 Mar 2026 12:49:50 +0200 Subject: [PATCH] fix(deps): update action pins and fix trivy-action version comment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update SHA-pinned action references to latest versions: - github/codeql-action v4.32.6 → v4.33.0 - nick-fields/retry v3.0.2 → v4.0.0 - actions/cache v5.0.3 → v5.0.4 - oven-sh/setup-bun v2.1.3 → v2.2.0 - softprops/action-gh-release v2.5.0 → v2.6.1 - github/issue-metrics v4.1.0 → v4.1.1 - shivammathur/setup-php 2.36.0 → 2.37.0 - astral-sh/setup-uv v7.5.0 → v7.6.0 - terraform-linters/setup-tflint v6.2.1 → v6.2.2 - aquasecurity/trivy-action: pin from master to v0.35.0 Fix pinact warning in docker-build by adding missing v prefix to trivy-action version comment (0.35.0 → v0.35.0). --- .github/actions/setup-test-environment/action.yml | 2 +- .github/workflows/issue-stats.yml | 2 +- .github/workflows/pr-lint.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/scorecard.yml | 2 +- .github/workflows/test-actions.yml | 2 +- ansible-lint-fix/action.yml | 4 ++-- biome-lint/action.yml | 6 +++--- codeql-analysis/action.yml | 6 +++--- csharp-build/action.yml | 2 +- csharp-lint-check/action.yml | 2 +- csharp-publish/action.yml | 2 +- docker-build/action.yml | 2 +- eslint-lint/action.yml | 6 +++--- go-build/action.yml | 2 +- go-lint/action.yml | 4 ++-- npm-publish/action.yml | 4 ++-- php-tests/action.yml | 6 +++--- pr-lint/action.yml | 6 +++--- prettier-lint/action.yml | 4 ++-- python-lint-fix/action.yml | 2 +- security-scan/action.yml | 6 +++--- terraform-lint-fix/action.yml | 4 ++-- 23 files changed, 40 insertions(+), 40 deletions(-) diff --git a/.github/actions/setup-test-environment/action.yml b/.github/actions/setup-test-environment/action.yml index 55cab75..f1304ad 100644 --- a/.github/actions/setup-test-environment/action.yml +++ b/.github/actions/setup-test-environment/action.yml @@ -17,7 +17,7 @@ runs: using: composite steps: - name: Install uv - uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7.5.0 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 with: enable-cache: true diff --git a/.github/workflows/issue-stats.yml b/.github/workflows/issue-stats.yml index 5778ab4..5fe9579 100644 --- a/.github/workflows/issue-stats.yml +++ b/.github/workflows/issue-stats.yml @@ -29,7 +29,7 @@ jobs: echo "last_month=$first_day..$last_day" >> "$GITHUB_ENV" - name: Run issue-metrics tool - uses: github/issue-metrics@41a7961f701cc64490f32e143af8ef479b93e87d # v4.1.0 + uses: github/issue-metrics@6a35322ff89cee3e1a594d282c27eb34bffa9174 # v4.1.1 env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} SEARCH_QUERY: 'repo:ivuorinen/actions is:issue created:${{ env.last_month }} -reason:"not planned"' diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml index c506ead..6824cb5 100644 --- a/.github/workflows/pr-lint.yml +++ b/.github/workflows/pr-lint.yml @@ -70,7 +70,7 @@ jobs: - name: Upload SARIF Report if: always() && hashFiles('megalinter-reports/sarif/*.sarif') - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: sarif_file: megalinter-reports/sarif category: megalinter diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8a6c356..ef8cd45 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,7 @@ jobs: contents: write steps: - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta - - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 + - uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1 with: generate_release_notes: true diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 31fe836..1c6ebba 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -53,6 +53,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: 'Upload to code-scanning' - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: sarif_file: results.sarif diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml index fad28f1..483d3cd 100644 --- a/.github/workflows/test-actions.yml +++ b/.github/workflows/test-actions.yml @@ -73,7 +73,7 @@ jobs: if: always() - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 if: always() && hashFiles('_tests/reports/test-results.sarif') != '' with: sarif_file: _tests/reports/test-results.sarif diff --git a/ansible-lint-fix/action.yml b/ansible-lint-fix/action.yml index e371fb5..17079d1 100644 --- a/ansible-lint-fix/action.yml +++ b/ansible-lint-fix/action.yml @@ -83,7 +83,7 @@ runs: - name: Install ansible-lint id: install-ansible-lint if: steps.check-files.outputs.files_found == 'true' - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: timeout_minutes: 5 max_attempts: ${{ inputs.max-retries }} @@ -130,6 +130,6 @@ runs: - name: Upload SARIF Report if: steps.check-files.outputs.files_found == 'true' - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: sarif_file: ansible-lint.sarif diff --git a/biome-lint/action.yml b/biome-lint/action.yml index 65dde5d..0a8ee63 100644 --- a/biome-lint/action.yml +++ b/biome-lint/action.yml @@ -212,13 +212,13 @@ runs: - name: Setup Bun if: steps.detect-pm.outputs.package-manager == 'bun' - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: bun-version: latest - name: Cache Node Dependencies id: cache - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: node_modules key: ${{ runner.os }}-biome-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }} @@ -331,7 +331,7 @@ runs: - name: Upload SARIF Report if: inputs.mode == 'check' && always() - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: sarif_file: biome-report.sarif diff --git a/codeql-analysis/action.yml b/codeql-analysis/action.yml index c5db5d0..e892a91 100644 --- a/codeql-analysis/action.yml +++ b/codeql-analysis/action.yml @@ -186,7 +186,7 @@ runs: echo "Using build mode: $build_mode" - name: Initialize CodeQL - uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: languages: ${{ inputs.language }} queries: ${{ inputs.queries }} @@ -199,12 +199,12 @@ runs: threads: ${{ inputs.threads }} - name: Autobuild - uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/autobuild@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }} - name: Perform CodeQL Analysis id: analysis - uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: category: ${{ steps.set-category.outputs.category }} upload: ${{ inputs.upload-results }} diff --git a/csharp-build/action.yml b/csharp-build/action.yml index 99cf734..36cb845 100644 --- a/csharp-build/action.yml +++ b/csharp-build/action.yml @@ -155,7 +155,7 @@ runs: cache-dependency-path: '**/packages.lock.json' - name: Restore Dependencies - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: timeout_minutes: 10 max_attempts: ${{ inputs.max-retries }} diff --git a/csharp-lint-check/action.yml b/csharp-lint-check/action.yml index 87ef02a..ba99703 100644 --- a/csharp-lint-check/action.yml +++ b/csharp-lint-check/action.yml @@ -206,6 +206,6 @@ runs: fi - name: Upload SARIF Report - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: sarif_file: dotnet-format.sarif diff --git a/csharp-publish/action.yml b/csharp-publish/action.yml index 348062c..a4a5ac8 100644 --- a/csharp-publish/action.yml +++ b/csharp-publish/action.yml @@ -169,7 +169,7 @@ runs: cache-dependency-path: '**/packages.lock.json' - name: Restore Dependencies - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: timeout_minutes: 10 max_attempts: ${{ inputs.max-retries }} diff --git a/docker-build/action.yml b/docker-build/action.yml index bff91dc..45f5e20 100644 --- a/docker-build/action.yml +++ b/docker-build/action.yml @@ -536,7 +536,7 @@ runs: - name: Scan Image for Vulnerabilities id: scan if: inputs.scan-image == 'true' && inputs.dry-run != 'true' - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: scan-type: 'image' image-ref: ${{ steps.image-name.outputs.name }}:${{ inputs.tag }} diff --git a/eslint-lint/action.yml b/eslint-lint/action.yml index 7c00a34..fe871ee 100644 --- a/eslint-lint/action.yml +++ b/eslint-lint/action.yml @@ -319,13 +319,13 @@ runs: - name: Setup Bun if: steps.detect-pm.outputs.package-manager == 'bun' - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: bun-version: latest - name: Cache Node Dependencies id: cache - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: node_modules key: ${{ runner.os }}-eslint-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }} @@ -457,7 +457,7 @@ runs: - name: Upload SARIF Report if: inputs.mode == 'check' && inputs.report-format == 'sarif' && always() - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: sarif_file: ${{ inputs.working-directory }}/eslint-results.sarif diff --git a/go-build/action.yml b/go-build/action.yml index a92ba9d..4256fb7 100644 --- a/go-build/action.yml +++ b/go-build/action.yml @@ -165,7 +165,7 @@ runs: cache: true - name: Download Dependencies - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: timeout_minutes: 10 max_attempts: ${{ inputs.max-retries }} diff --git a/go-lint/action.yml b/go-lint/action.yml index 02c32d0..5ee3300 100644 --- a/go-lint/action.yml +++ b/go-lint/action.yml @@ -218,7 +218,7 @@ runs: - name: Cache golangci-lint id: cache if: inputs.cache == 'true' - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | ~/.cache/golangci-lint @@ -414,7 +414,7 @@ runs: - name: Upload Lint Results if: always() && inputs.report-format == 'sarif' - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: sarif_file: ${{ inputs.working-directory }}/reports/golangci-lint.sarif category: golangci-lint diff --git a/npm-publish/action.yml b/npm-publish/action.yml index 4cf36f9..9813bbf 100644 --- a/npm-publish/action.yml +++ b/npm-publish/action.yml @@ -152,13 +152,13 @@ runs: - name: Setup Bun if: steps.detect-pm.outputs.package-manager == 'bun' - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: bun-version: latest - name: Cache Node Dependencies id: cache - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: node_modules key: ${{ runner.os }}-npm-publish-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }} diff --git a/php-tests/action.yml b/php-tests/action.yml index 0ddd0e6..ad095b2 100644 --- a/php-tests/action.yml +++ b/php-tests/action.yml @@ -319,7 +319,7 @@ runs: - name: Setup PHP id: setup-php - uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ steps.detect-php-version.outputs.detected-version }} extensions: ${{ inputs.extensions }} @@ -356,7 +356,7 @@ runs: - name: Cache Composer packages id: composer-cache - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: | vendor @@ -376,7 +376,7 @@ runs: composer clear-cache - name: Install Composer Dependencies - uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: timeout_minutes: 10 max_attempts: ${{ inputs.max-retries }} diff --git a/pr-lint/action.yml b/pr-lint/action.yml index c1b06d7..d439e98 100644 --- a/pr-lint/action.yml +++ b/pr-lint/action.yml @@ -156,14 +156,14 @@ runs: - name: Setup Bun if: steps.detect-node.outputs.found == 'true' && steps.detect-pm.outputs.package-manager == 'bun' - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: bun-version: latest - name: Cache Node Dependencies if: steps.detect-node.outputs.found == 'true' id: node-cache - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: node_modules key: ${{ runner.os }}-pr-lint-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }} @@ -335,7 +335,7 @@ runs: - name: Setup PHP if: steps.detect-php.outputs.found == 'true' - uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # 2.36.0 + uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0 with: php-version: ${{ steps.php-version.outputs.detected-version }} tools: composer diff --git a/prettier-lint/action.yml b/prettier-lint/action.yml index 89d04d9..c910a32 100644 --- a/prettier-lint/action.yml +++ b/prettier-lint/action.yml @@ -305,13 +305,13 @@ runs: - name: Setup Bun if: steps.detect-pm.outputs.package-manager == 'bun' - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: bun-version: latest - name: Cache Node Dependencies id: cache - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 with: path: node_modules key: ${{ runner.os }}-prettier-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }} diff --git a/python-lint-fix/action.yml b/python-lint-fix/action.yml index c100af4..be15d18 100644 --- a/python-lint-fix/action.yml +++ b/python-lint-fix/action.yml @@ -370,7 +370,7 @@ runs: - name: Upload SARIF Report if: steps.check-files.outputs.result == 'found' - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: sarif_file: ${{ inputs.working-directory }}/reports/flake8.sarif category: 'python-lint' diff --git a/security-scan/action.yml b/security-scan/action.yml index eb95de4..58e07d3 100644 --- a/security-scan/action.yml +++ b/security-scan/action.yml @@ -118,7 +118,7 @@ runs: - name: Run Trivy vulnerability scanner if: steps.check-configs.outputs.run_trivy == 'true' - uses: aquasecurity/trivy-action@a11da62073708815958ea6d84f5650c78a3ef85b # master + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: scan-type: 'fs' scanners: ${{ inputs.trivy-scanners }} @@ -161,14 +161,14 @@ runs: - name: Upload Trivy results if: steps.verify-sarif.outputs.has_trivy == 'true' - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: sarif_file: 'trivy-results.sarif' category: 'trivy' - name: Upload Gitleaks results if: steps.verify-sarif.outputs.has_gitleaks == 'true' - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: sarif_file: 'gitleaks-report.sarif' category: 'gitleaks' diff --git a/terraform-lint-fix/action.yml b/terraform-lint-fix/action.yml index a9947e1..a8e5347 100644 --- a/terraform-lint-fix/action.yml +++ b/terraform-lint-fix/action.yml @@ -147,7 +147,7 @@ runs: - name: Setup TFLint if: steps.check-files.outputs.found == 'true' - uses: terraform-linters/setup-tflint@4cb9feea73331a35b422df102992a03a44a3bb33 # v6.2.1 + uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2 with: tflint_version: ${{ inputs.tflint-version }} @@ -256,7 +256,7 @@ runs: - name: Upload SARIF Report if: steps.check-files.outputs.found == 'true' && inputs.format == 'sarif' - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: sarif_file: ${{ env.VALIDATED_WORKING_DIR }}/reports/tflint.sarif category: terraform-lint