chore: update action references for release v2025.11.02 (#332)

This commit updates all internal action references to point to the current
commit SHA in preparation for release v2025.11.02.

.github/workflows/action-security.yml

@@ -117,14 +117,14 @@ jobs:
 
       - name: Upload Trivy results
         if: steps.verify-sarif.outputs.has_trivy == 'true'
-        uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
         with:
           sarif_file: 'trivy-results.sarif'
           category: 'trivy'
 
       - name: Upload Gitleaks results
         if: steps.verify-sarif.outputs.has_gitleaks == 'true'
-        uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
         with:
           sarif_file: 'gitleaks-report.sarif'
           category: 'gitleaks'

.github/workflows/codeql.yml

@@ -37,15 +37,15 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/autobuild@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
         with:
           category: '/language:${{matrix.language}}'

.github/workflows/issue-stats.yml

@@ -1,3 +1,4 @@
+---
 name: Monthly issue metrics
 on:
   workflow_dispatch:

.github/workflows/pr-lint.yml

@@ -101,7 +101,7 @@ jobs:
 
       - name: Upload SARIF Report
         if: always() && hashFiles('megalinter-reports/sarif/*.sarif')
-        uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
         with:
           sarif_file: megalinter-reports/sarif
           category: megalinter

.github/workflows/test-actions.yml

@@ -73,7 +73,7 @@ jobs:
         if: always()
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
         if: always() && hashFiles('_tests/reports/test-results.sarif') != ''
         with:
           sarif_file: _tests/reports/test-results.sarif

.pre-commit-config.yaml

@@ -89,7 +89,7 @@ repos:
       - id: renovate-config-validator
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: '3.2.487'
+    rev: '3.2.489'
     hooks:
       - id: checkov
         args:

.serena/project.yml

@@ -4,10 +4,6 @@
 #  * For JavaScript, use typescript
 # Special requirements:
 #  * csharp: Requires the presence of a .sln file in the project folder.
-language: bash
-
-# whether to use the project's gitignore file to ignore files
-# Added on 2025-04-07
 ignore_all_files_in_gitignore: true
 # list of additional paths to ignore
 # same syntax as gitignore, so you can use * and **
@@ -66,3 +62,8 @@ excluded_tools: []
 initial_prompt: ''
 
 project_name: 'actions'
+languages:
+  - bash
+  - python
+included_optional_tools: []
+encoding: utf-8

Makefile

@@ -1,7 +1,7 @@
 # Makefile for GitHub Actions repository
 # Provides organized task management with parallel execution capabilities
 
-.PHONY: help all docs update-catalog lint format check clean install-tools test test-unit test-integration test-coverage generate-tests generate-tests-dry test-generate-tests docker-build docker-push docker-test docker-login docker-all release update-version-refs bump-major-version check-version-refs
+.PHONY: help all docs update-catalog lint format check clean install-tools test test-unit test-integration test-coverage generate-tests generate-tests-dry test-generate-tests docker-build docker-push docker-test docker-login docker-all release release-dry release-prep release-tag release-undo update-version-refs bump-major-version check-version-refs
 .DEFAULT_GOAL := help
 
 # Colors for output
@@ -159,12 +159,36 @@ fix-local-refs-dry: ## Preview local action reference fixes (dry run)
 release: ## Create a new release with version tags (usage: make release [VERSION=v2025.10.18])
 	@VERSION_TO_USE=$$(if [ -n "$(VERSION)" ]; then echo "$(VERSION)"; else date +v%Y.%m.%d; fi); \
 	echo "$(BLUE)🚀 Creating release $$VERSION_TO_USE...$(RESET)"; \
-	sh _tools/release.sh "$$VERSION_TO_USE"; \
+	sh _tools/release.sh "$$VERSION_TO_USE"
-	echo "$(GREEN)✅ Release created$(RESET)"; \
+
-	echo ""; \
+release-dry: ## Preview release without making changes (usage: make release-dry VERSION=v2025.11.01)
-	echo "$(YELLOW)Next steps:$(RESET)"; \
+	@if [ -z "$(VERSION)" ]; then \
-	echo "  1. Review changes: git show HEAD"; \
+		VERSION_TO_USE=$$(date +v%Y.%m.%d); \
-	echo "  2. Push tags: git push origin main --tags --force-with-lease"
+	else \
+		VERSION_TO_USE="$(VERSION)"; \
+	fi; \
+	echo "$(BLUE)🔍 Previewing release $$VERSION_TO_USE (dry run)...$(RESET)"; \
+	sh _tools/release.sh --dry-run "$$VERSION_TO_USE"
+
+release-prep: ## Update action refs and commit (no tags) (usage: make release-prep [VERSION=v2025.11.01])
+	@VERSION_TO_USE=$$(if [ -n "$(VERSION)" ]; then echo "$(VERSION)"; else date +v%Y.%m.%d; fi); \
+	echo "$(BLUE)🔧 Preparing release $$VERSION_TO_USE...$(RESET)"; \
+	sh _tools/release.sh --prep-only "$$VERSION_TO_USE"; \
+	echo "$(GREEN)✅ Preparation complete$(RESET)"; \
+	echo "$(YELLOW)Next: make release-tag VERSION=$$VERSION_TO_USE$(RESET)"
+
+release-tag: ## Create tags only (assumes prep done) (usage: make release-tag VERSION=v2025.11.01)
+	@if [ -z "$(VERSION)" ]; then \
+		echo "$(RED)❌ Error: VERSION parameter required for release-tag$(RESET)"; \
+		echo "Usage: make release-tag VERSION=v2025.11.01"; \
+		exit 1; \
+	fi; \
+	echo "$(BLUE)🏷️  Creating tags for release $(VERSION)...$(RESET)"; \
+	sh _tools/release.sh --tag-only "$(VERSION)"
+
+release-undo: ## Rollback the most recent release (delete tags and reset HEAD)
+	@echo "$(BLUE)🔙 Rolling back release...$(RESET)"; \
+	sh _tools/release-undo.sh
 
 update-version-refs: ## Update all action references to a specific version tag (usage: make update-version-refs MAJOR=v2025)
 	@if [ -z "$(MAJOR)" ]; then \

_tests/run-tests.sh

@@ -203,7 +203,7 @@ install_shellspec() {
 
   # Pinned SHA256 checksum for ShellSpec 0.28.1
   # Source: https://github.com/shellspec/shellspec/archive/refs/tags/0.28.1.tar.gz
-  local checksum="351e7a63b8df47c07b022c19d21a167b85693f5eb549fa96e64f64844b680024"
+  local checksum="400d835466429a5fe6c77a62775a9173729d61dd43e05dfa893e8cf6cb511783"
 
   # Ensure cleanup of the downloaded file
   # Use ${tarball:-} to handle unbound variable when trap fires after function returns

_tools/release-undo.sh

@@ -0,0 +1,152 @@
+#!/bin/sh
+# Undo the most recent release by deleting tags and optionally resetting HEAD
+set -eu
+
+# Source shared utilities
+# shellcheck source=_tools/shared.sh
+SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
+# shellcheck disable=SC1091
+. "$SCRIPT_DIR/shared.sh"
+
+# Check git availability
+require_git
+
+msg_info "Finding most recent release tags..."
+
+# Portable version sort function
+# Sorts CalVer tags vYYYY.MM.DD numerically
+version_sort_tags() {
+  # Try GNU sort first (Linux and some macOS with GNU coreutils)
+  if sort --version 2>/dev/null | grep -q GNU; then
+    sort -V
+    return
+  fi
+
+  # Try gsort (macOS with GNU coreutils via Homebrew)
+  if command -v gsort >/dev/null 2>&1; then
+    gsort -V
+    return
+  fi
+
+  # Fallback: awk-based numeric version sort with validation
+  awk -F. '{
+    # Validate CalVer format: vYYYY.MM.DD or YYYY.MM.DD
+    if ($0 !~ /^v?[0-9]+\.[0-9]+\.[0-9]+$/) {
+      printf "Warning: Skipping malformed tag: %s\n", $0 > "/dev/stderr"
+      next
+    }
+
+    # Check we have exactly 3 fields after splitting on dots
+    if (NF != 3) {
+      printf "Warning: Skipping invalid tag (wrong field count): %s\n", $0 > "/dev/stderr"
+      next
+    }
+
+    # Save original input before modification
+    original = $0
+    # Remove leading v and split into year, month, day
+    gsub(/^v/, "", $0)
+
+    # Verify each field is numeric after field recalculation
+    if ($1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/) {
+      printf "Warning: Skipping tag with non-numeric components: %s\n", original > "/dev/stderr"
+      next
+    }
+
+    printf "%04d.%02d.%02d %s\n", $1, $2, $3, original
+  }' | sort -n | cut -d' ' -f2
+}
+
+# Find all release tags matching vYYYY.MM.DD pattern
+all_tags=$(git tag -l 'v[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]' | version_sort_tags)
+
+if [ -z "$all_tags" ]; then
+  msg_warn "No release tags found"
+  exit 0
+fi
+
+# Get most recent tag
+latest_tag=$(echo "$all_tags" | tail -n 1)
+
+# Extract version components
+version_no_v="${latest_tag#v}"
+year=$(echo "$version_no_v" | cut -d'.' -f1)
+month=$(echo "$version_no_v" | cut -d'.' -f2)
+day=$(echo "$version_no_v" | cut -d'.' -f3)
+
+major="v$year"
+minor="v$year.$month"
+patch="v$year.$month.$day"
+
+printf '\n'
+msg_info "Most recent release:"
+printf '  Patch: %s\n' "$patch"
+printf '  Minor: %s\n' "$minor"
+printf '  Major: %s\n' "$major"
+printf '\n'
+
+# Show which tags exist
+msg_info "Tags that will be deleted:"
+for tag in "$patch" "$minor" "$major"; do
+  if check_tag_exists "$tag"; then
+    tag_sha=$(git rev-list -n 1 "$tag")
+    tag_sha_short=$(echo "$tag_sha" | cut -c1-7)
+    printf '  %s (points to %s)\n' "$tag" "$tag_sha_short"
+  fi
+done
+printf '\n'
+
+# Check if HEAD commit is a release commit
+head_message=$(git log -1 --pretty=%s)
+if echo "$head_message" | grep -q "^chore: update action references for release"; then
+  msg_warn "Last commit appears to be a release preparation commit:"
+  printf '  %s\n' "$head_message"
+  printf '\n'
+  reset_head=true
+else
+  reset_head=false
+fi
+
+# Confirm deletion
+msg_warn "This will:"
+printf '  1. Delete tags: %s, %s, %s\n' "$patch" "$minor" "$major"
+if [ "$reset_head" = "true" ]; then
+  printf '  2. Reset HEAD to previous commit (undo release prep)\n'
+fi
+printf '\n'
+
+if ! prompt_confirmation "Proceed with rollback?"; then
+  msg_warn "Rollback cancelled"
+  exit 0
+fi
+printf '\n'
+
+# Delete tags
+msg_info "Deleting tags..."
+for tag in "$patch" "$minor" "$major"; do
+  if check_tag_exists "$tag"; then
+    git tag -d "$tag"
+    msg_item "Deleted tag: $tag"
+  else
+    msg_notice "Tag not found: $tag (skipping)"
+  fi
+done
+
+# Reset HEAD if needed
+if [ "$reset_head" = "true" ]; then
+  printf '\n'
+  msg_info "Resetting HEAD to previous commit..."
+  git reset --hard HEAD~1
+  msg_item "Reset complete"
+  new_head=$(git rev-parse HEAD)
+  new_head_short=$(echo "$new_head" | cut -c1-7)
+  printf 'New HEAD: %s%s%s\n' "$GREEN" "$new_head_short" "$NC"
+fi
+
+printf '\n'
+msg_done "Rollback complete"
+printf '\n'
+msg_warn "Note:"
+printf '  Tags were deleted locally only\n'
+printf '  If you had pushed the tags, delete them from remote:\n'
+printf '    git push origin --delete %s %s %s\n' "$patch" "$minor" "$major"

_tools/release.sh

@@ -2,7 +2,59 @@
 # Release script for creating versioned tags and updating action references
 set -eu
 
-VERSION="${1:-}"
+# Parse arguments
+VERSION=""
+DRY_RUN=false
+SKIP_CONFIRM=false
+PREP_ONLY=false
+TAG_ONLY=false
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --dry-run)
+      DRY_RUN=true
+      shift
+      ;;
+    --yes|--no-confirm)
+      SKIP_CONFIRM=true
+      shift
+      ;;
+    --prep-only)
+      PREP_ONLY=true
+      shift
+      ;;
+    --tag-only)
+      TAG_ONLY=true
+      shift
+      ;;
+    --help|-h)
+      printf 'Usage: %s [OPTIONS] VERSION\n' "$0"
+      printf '\n'
+      printf 'Options:\n'
+      printf '  --dry-run        Show what would happen without making changes\n'
+      printf '  --yes            Skip confirmation prompt\n'
+      printf '  --no-confirm     Alias for --yes\n'
+      printf '  --prep-only      Only update refs and commit (no tags)\n'
+      printf '  --tag-only       Only create tags (assumes prep done)\n'
+      printf '  --help, -h       Show this help message\n'
+      printf '\n'
+      printf 'Examples:\n'
+      printf '  %s v2025.11.01\n' "$0"
+      printf '  %s --dry-run v2025.11.01\n' "$0"
+      printf '  %s --yes v2025.11.01\n' "$0"
+      exit 0
+      ;;
+    -*)
+      printf 'Unknown option: %s\n' "$1" >&2
+      printf 'Use --help for usage information\n' >&2
+      exit 1
+      ;;
+    *)
+      VERSION="$1"
+      shift
+      ;;
+  esac
+done
 
 # Source shared utilities
 # shellcheck source=_tools/shared.sh
@@ -11,15 +63,17 @@ SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)
 . "$SCRIPT_DIR/shared.sh"
 
 if [ -z "$VERSION" ]; then
-  printf '%b' "${RED}Error: VERSION argument required${NC}\n"
+  msg_error "VERSION argument required"
-  printf 'Usage: %s v2025.10.18\n' "$0"
+  printf 'Usage: %s [OPTIONS] VERSION\n' "$0"
+  printf 'Use --help for more information\n'
   exit 1
 fi
 
 # Validate version format
 if ! validate_version "$VERSION"; then
-  printf '%b' "${RED}Error: Invalid version format: $VERSION${NC}\n"
+  msg_error "Invalid version format: $VERSION"
-  printf 'Expected: vYYYY.MM.DD (e.g., v2025.10.18)\n'
+  printf 'Expected: vYYYY.MM.DD with zero-padded month/day (e.g., v2025.10.18, v2025.01.05)\n'
+  printf 'Invalid: v2025.1.5 (must be zero-padded)\n'
   exit 1
 fi
 
@@ -35,68 +89,201 @@ major="v$year"
 minor="v$year.$month"
 patch="v$year.$month.$day"
 
-printf '%b' "${BLUE}Creating release $VERSION${NC}\n"
+# Show dry-run banner if applicable
+if [ "$DRY_RUN" = "true" ]; then
+  msg_plain "$YELLOW" "=== DRY RUN MODE ==="
+  printf 'No changes will be made to git repository\n'
+  printf '\n'
+fi
+
+msg_info "Creating release $VERSION"
 printf '  Major: %s\n' "$major"
 printf '  Minor: %s\n' "$minor"
 printf '  Patch: %s\n' "$patch"
 printf '\n'
 
+# Check if git is available (required for all modes)
+if ! require_git 2>/dev/null; then
+  msg_error "git not available"
+  exit 1
+fi
+
+# Pre-flight checks (skip for --tag-only since prep should be done)
+if [ "$TAG_ONLY" = "false" ]; then
+  msg_info "Running pre-flight checks..."
+  msg_item "git is available"
+
+  # Check if on main branch
+  if ! check_on_branch "main"; then
+    current_branch=$(git rev-parse --abbrev-ref HEAD)
+    msg_error "Not on main branch (currently on: $current_branch)"
+    if [ "$DRY_RUN" = "false" ]; then
+      exit 1
+    fi
+  else
+    msg_item "On main branch"
+  fi
+
+  # Check if working directory is clean
+  if ! check_git_clean; then
+    msg_error "Working directory has uncommitted changes"
+    if [ "$DRY_RUN" = "false" ]; then
+      printf 'Please commit or stash changes before creating a release\n'
+      exit 1
+    fi
+  else
+    msg_item "Working directory is clean"
+  fi
+
+  # Check if patch tag already exists
+  if check_tag_exists "$patch"; then
+    msg_error "Tag $patch already exists"
+    if [ "$DRY_RUN" = "false" ]; then
+      printf 'Use a different version or delete the existing tag first\n'
+      exit 1
+    fi
+  else
+    msg_item "Tag $patch does not exist"
+  fi
+
+  printf '\n'
+fi
+
 # Get current commit SHA
 current_sha=$(git rev-parse HEAD)
-printf '%b' "Current HEAD: ${GREEN}$current_sha${NC}\n"
+printf 'Current HEAD: %s%s%s\n' "$GREEN" "$current_sha" "$NC"
 printf '\n'
 
-# Update all action references to current SHA
+# Confirmation prompt (skip if --yes or --dry-run)
-printf '%b' "${BLUE}Updating action references to $current_sha...${NC}\n"
+if [ "$DRY_RUN" = "false" ] && [ "$SKIP_CONFIRM" = "false" ]; then
-"$SCRIPT_DIR/update-action-refs.sh" "$current_sha" "direct"
+  if ! prompt_confirmation "Proceed with release $VERSION?"; then
+    msg_warn "Release cancelled by user"
+    exit 0
+  fi
+  printf '\n'
+fi
 
-# Commit the changes
+# Skip prep if --tag-only
-if ! git diff --quiet; then
+if [ "$TAG_ONLY" = "true" ]; then
-  git add -- */action.yml
+  msg_info "Skipping preparation (--tag-only mode)"
-  git commit -m "chore: update action references for release $VERSION
+  printf '\n'
+else
+  # Update all action references to current SHA
+  msg_info "Updating action references to $current_sha..."
+  if [ "$DRY_RUN" = "true" ]; then
+    msg_warn "[DRY RUN] Would run: update-action-refs.sh $current_sha direct"
+  else
+    "$SCRIPT_DIR/update-action-refs.sh" "$current_sha" "direct"
+  fi
+fi
+
+# Commit the changes (skip if --tag-only)
+if [ "$TAG_ONLY" = "false" ]; then
+  if ! git diff --quiet; then
+    if [ "$DRY_RUN" = "true" ]; then
+      msg_warn "[DRY RUN] Would add: */action.yml"
+      msg_warn "[DRY RUN] Would commit: update action references for release $VERSION"
+    else
+      git add -- */action.yml
+      git commit -m "chore: update action references for release $VERSION
 
 This commit updates all internal action references to point to the current
 commit SHA in preparation for release $VERSION."
 
-  # Update SHA since we just created a new commit
+      # Update SHA since we just created a new commit
-  current_sha=$(git rev-parse HEAD)
+      current_sha=$(git rev-parse HEAD)
-  printf '%b' "${GREEN}✅ Committed updated action references${NC}\n"
+      msg_done "Committed updated action references"
-  printf '%b' "New HEAD: ${GREEN}$current_sha${NC}\n"
+      printf 'New HEAD: %s%s%s\n' "$GREEN" "$current_sha" "$NC"
-else
+    fi
-  printf '%b' "${BLUE}No changes to commit${NC}\n"
+  else
+    msg_info "No changes to commit"
+  fi
+fi
+
+# Exit early if --prep-only
+if [ "$PREP_ONLY" = "true" ]; then
+  printf '\n'
+  msg_done "Preparation complete (--prep-only mode)"
+  msg_warn "Run with --tag-only to create tags"
+  exit 0
 fi
 
 # Create/update tags
-printf '%b' "${BLUE}Creating tags...${NC}\n"
+printf '\n'
+msg_info "Creating tags..."
 
 # Create patch tag
-git tag -a "$patch" -m "Release $patch"
+if [ "$DRY_RUN" = "true" ]; then
-printf '%b' "  ${GREEN}✓${NC} Created tag: $patch\n"
+  msg_warn "[DRY RUN] Would create tag: $patch"
+else
+  git tag -a "$patch" -m "Release $patch"
+  msg_item "Created tag: $patch"
+fi
 
 # Move/create minor tag
 if git rev-parse "$minor" >/dev/null 2>&1; then
-  git tag -f -a "$minor" -m "Latest $minor release: $patch"
+  if [ "$DRY_RUN" = "true" ]; then
-  printf '%b' "  ${GREEN}✓${NC} Updated tag: $minor (force)\n"
+    msg_warn "[DRY RUN] Would force-update tag: $minor"
+  else
+    git tag -f -a "$minor" -m "Latest $minor release: $patch"
+    msg_item "Updated tag: $minor (force)"
+  fi
 else
-  git tag -a "$minor" -m "Latest $minor release: $patch"
+  if [ "$DRY_RUN" = "true" ]; then
-  printf '%b' "  ${GREEN}✓${NC} Created tag: $minor\n"
+    msg_warn "[DRY RUN] Would create tag: $minor"
+  else
+    git tag -a "$minor" -m "Latest $minor release: $patch"
+    msg_item "Created tag: $minor"
+  fi
 fi
 
 # Move/create major tag
 if git rev-parse "$major" >/dev/null 2>&1; then
-  git tag -f -a "$major" -m "Latest $major release: $patch"
+  if [ "$DRY_RUN" = "true" ]; then
-  printf '%b' "  ${GREEN}✓${NC} Updated tag: $major (force)\n"
+    msg_warn "[DRY RUN] Would force-update tag: $major"
+  else
+    git tag -f -a "$major" -m "Latest $major release: $patch"
+    msg_item "Updated tag: $major (force)"
+  fi
 else
-  git tag -a "$major" -m "Latest $major release: $patch"
+  if [ "$DRY_RUN" = "true" ]; then
-  printf '%b' "  ${GREEN}✓${NC} Created tag: $major\n"
+    msg_warn "[DRY RUN] Would create tag: $major"
+  else
+    git tag -a "$major" -m "Latest $major release: $patch"
+    msg_item "Created tag: $major"
+  fi
 fi
 
 printf '\n'
-printf '%b' "${GREEN}✅ Release $VERSION created successfully${NC}\n"
+if [ "$DRY_RUN" = "true" ]; then
+  msg_done "Dry run complete - no changes made"
+  printf '\n'
+  msg_info "Would have created release $VERSION"
+else
+  msg_done "Release $VERSION created successfully"
+fi
 printf '\n'
-printf '%b' "${YELLOW}All tags point to: $current_sha${NC}\n"
+msg_plain "$YELLOW" "All tags point to: $current_sha"
 printf '\n'
-printf '%b' "${BLUE}Tags created:${NC}\n"
+msg_info "Tags created:"
 printf '  %s\n' "$patch"
 printf '  %s\n' "$minor"
 printf '  %s\n' "$major"
+printf '\n'
+
+# Enhanced next steps
+if [ "$DRY_RUN" = "false" ]; then
+  msg_warn "Next steps:"
+  printf '  1. Review changes: git show HEAD\n'
+  printf '  2. Verify CI status: gh run list --limit 5\n'
+  printf '  3. Push tags: git push origin main --tags --force-with-lease\n'
+  printf '  4. Update workflow refs: make update-version-refs MAJOR=%s\n' "$major"
+  printf '  5. Update README examples if needed\n'
+  printf '  6. Create GitHub release: gh release create %s --generate-notes\n' "$VERSION"
+  printf '\n'
+  msg_info "If something went wrong:"
+  printf '  Rollback: make release-undo\n'
+else
+  msg_warn "To execute this release:"
+  printf '  Run without --dry-run flag\n'
+fi

_tools/shared.sh

@@ -14,12 +14,12 @@ YELLOW='\033[1;33m'
 # shellcheck disable=SC2034
 NC='\033[0m' # No Color
 
-# Validate CalVer version format: vYYYY.MM.DD
+# Validate CalVer version format: vYYYY.MM.DD (zero-padded)
 validate_version() {
   version="$1"
 
-  # Check format: vYYYY.MM.DD using grep
+  # Check format: vYYYY.MM.DD (require zero-padding) using grep
-  if ! echo "$version" | grep -qE '^v[0-9]{4}\.[0-9]{1,2}\.[0-9]{1,2}$'; then
+  if ! echo "$version" | grep -qE '^v[0-9]{4}\.[0-9]{2}\.[0-9]{2}$'; then
     return 1
   fi
 
@@ -34,12 +34,12 @@ validate_version() {
     return 1
   fi
 
-  # Validate month (1-12)
+  # Validate month (01-12)
   if [ "$month" -lt 1 ] || [ "$month" -gt 12 ]; then
     return 1
   fi
 
-  # Validate day (1-31)
+  # Validate day (01-31)
   if [ "$day" -lt 1 ] || [ "$day" -gt 31 ]; then
     return 1
   fi
@@ -67,12 +67,12 @@ validate_major_version() {
   return 0
 }
 
-# Validate minor version format: vYYYY.MM
+# Validate minor version format: vYYYY.MM (zero-padded)
 validate_minor_version() {
   version="$1"
 
-  # Check format: vYYYY.MM using grep
+  # Check format: vYYYY.MM (require zero-padding) using grep
-  if ! echo "$version" | grep -qE '^v[0-9]{4}\.[0-9]{1,2}$'; then
+  if ! echo "$version" | grep -qE '^v[0-9]{4}\.[0-9]{2}$'; then
     return 1
   fi
 
@@ -86,7 +86,7 @@ validate_minor_version() {
     return 1
   fi
 
-  # Validate month (1-12)
+  # Validate month (01-12)
   if [ "$month" -lt 1 ] || [ "$month" -gt 12 ]; then
     return 1
   fi
@@ -94,6 +94,139 @@ validate_minor_version() {
   return 0
 }
 
+# Check if working directory is clean (no uncommitted changes)
+check_git_clean() {
+  if ! has_git; then
+    return 1
+  fi
+  if ! git diff --quiet || ! git diff --cached --quiet; then
+    return 1
+  fi
+  return 0
+}
+
+# Check if currently on specified branch (default: main)
+check_on_branch() {
+  target_branch="${1:-main}"
+
+  if ! has_git; then
+    return 1
+  fi
+
+  current_branch=$(git rev-parse --abbrev-ref HEAD 2>/dev/null) || return 1
+
+  if [ "$current_branch" != "$target_branch" ]; then
+    return 1
+  fi
+  return 0
+}
+
+# Check if a git tag exists
+check_tag_exists() {
+  tag="$1"
+
+  if ! has_git; then
+    return 1
+  fi
+
+  if git rev-parse "$tag" >/dev/null 2>&1; then
+    return 0
+  fi
+  return 1
+}
+
+# Prompt user for yes/no confirmation
+# Usage: if prompt_confirmation "Continue?"; then ...; fi
+prompt_confirmation() {
+  prompt_text="${1:-Continue?}"
+  timeout_seconds="${2:-30}"
+
+  # Check if stdin is a TTY (interactive terminal)
+  if [ ! -t 0 ]; then
+    msg_error "Non-interactive session detected - cannot prompt for confirmation"
+    return 1
+  fi
+
+  # Check if timeout command is available for optional timeout support
+  if command -v timeout >/dev/null 2>&1; then
+    printf '%s [y/N] (timeout in %ss) ' "$prompt_text" "$timeout_seconds"
+
+    # Create a temporary file to store the response
+    _temp_response=$(mktemp) || return 1
+
+    # Use timeout with --foreground to allow reading from TTY
+    # Write response to temp file instead of trying to capture in command substitution
+    if timeout --foreground "$timeout_seconds" sh -c "read -r r && printf '%s' \"\$r\" > '$_temp_response'" 2>/dev/null; then
+      response=$(cat "$_temp_response")
+      rm -f "$_temp_response"
+    else
+      rm -f "$_temp_response"
+      printf '\n'
+      msg_warn "Confirmation timeout - defaulting to No"
+      return 1
+    fi
+  else
+    # No timeout available - plain read
+    printf '%s [y/N] ' "$prompt_text"
+    read -r response || return 1
+  fi
+
+  case "$response" in
+    [yY]|[yY][eE][sS])
+      return 0
+      ;;
+    *)
+      return 1
+      ;;
+  esac
+}
+
+# Message output functions for consistent, colored output
+# These functions provide a clean API for printing status messages
+
+# msg_error "message" - Print error message in red with ✗ symbol to stderr
+msg_error() {
+  printf '%s✗ %s%s\n' "$RED" "$1" "$NC" >&2
+}
+
+# msg_success "message" - Print success message in green with ✓ symbol
+msg_success() {
+  printf '%s✓ %s%s\n' "$GREEN" "$1" "$NC"
+}
+
+# msg_done "message" - Print completion message in green with ✅ symbol
+msg_done() {
+  printf '%s✅ %s%s\n' "$GREEN" "$1" "$NC"
+}
+
+# msg_info "message" - Print info/status message in blue (no symbol)
+msg_info() {
+  printf '%s%s%s\n' "$BLUE" "$1" "$NC"
+}
+
+# msg_warn "message" - Print warning message in yellow (no symbol)
+msg_warn() {
+  printf '%s%s%s\n' "$YELLOW" "$1" "$NC"
+}
+
+# msg_item "message" - Print indented item with ✓ in green
+msg_item() {
+  printf '  %s✓%s %s\n' "$GREEN" "$NC" "$1"
+}
+
+# msg_notice "message" - Print indented notice with ℹ in blue
+msg_notice() {
+  printf '  %sℹ%s %s\n' "$BLUE" "$NC" "$1"
+}
+
+# msg_plain "color" "message" - Print plain colored message (no symbol)
+# Usage: msg_plain "$YELLOW" "=== BANNER ==="
+msg_plain() {
+  color="$1"
+  message="$2"
+  printf '%s%s%s\n' "$color" "$message" "$NC"
+}
+
 # Get the directory where the calling script is located
 get_script_dir() {
   cd "$(dirname -- "$1")" && pwd
@@ -107,7 +240,7 @@ has_git() {
 # Require git to be available, exit with error if not
 require_git() {
   if ! has_git; then
-    printf '%b' "${RED}Error: git is not installed or not in PATH${NC}\n" >&2
+    msg_error "git is not installed or not in PATH"
     printf 'Please install git to use this script.\n' >&2
     exit 1
   fi
@@ -117,7 +250,7 @@ require_git() {
 safe_mktemp() {
   _temp_file=""
   if ! _temp_file=$(mktemp); then
-    printf '%b' "${RED}Error: Failed to create temp file${NC}\n" >&2
+    msg_error "Failed to create temp file"
     exit 1
   fi
   printf '%s' "$_temp_file"

ansible-lint-fix/action.yml

@@ -112,7 +112,7 @@ runs:
     - name: Cache Python Dependencies
       if: steps.check-files.outputs.files_found == 'true'
       id: cache-pip
-      uses: ivuorinen/actions/common-cache@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-cache@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         type: 'pip'
         paths: '~/.cache/pip'
@@ -122,7 +122,7 @@ runs:
     - name: Install ansible-lint
       id: install-ansible-lint
       if: steps.check-files.outputs.files_found == 'true'
-      uses: ivuorinen/actions/common-retry@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-retry@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         command: 'pip install ansible-lint==6.22.1'
         max-retries: ${{ inputs.max-retries }}
@@ -162,7 +162,7 @@ runs:
     - name: Set Git Config for Fixes
       id: set-git-config
       if: steps.check-files.outputs.files_found == 'true'
-      uses: ivuorinen/actions/set-git-config@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/set-git-config@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         token: ${{ inputs.token }}
         username: ${{ inputs.username }}
@@ -184,6 +184,6 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.files_found == 'true'
-      uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         sarif_file: ansible-lint.sarif

biome-check/action.yml

@@ -44,7 +44,7 @@ runs:
   using: composite
   steps:
     - name: Validate Inputs (Centralized)
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         action-type: biome-check
 
@@ -112,7 +112,7 @@ runs:
         token: ${{ inputs.token }}
 
     - name: Set Git Config
-      uses: ivuorinen/actions/set-git-config@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/set-git-config@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         token: ${{ inputs.token }}
         username: ${{ inputs.username }}
@@ -120,11 +120,11 @@ runs:
 
     - name: Node Setup
       id: node-setup
-      uses: ivuorinen/actions/node-setup@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/node-setup@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
 
     - name: Cache Node Dependencies
       id: cache
-      uses: ivuorinen/actions/common-cache@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-cache@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         type: 'npm'
         paths: 'node_modules'
@@ -233,6 +233,6 @@ runs:
 
     - name: Upload Biome Results
       if: always()
-      uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         sarif_file: biome-report.sarif

biome-fix/action.yml

@@ -95,7 +95,7 @@ runs:
         token: ${{ inputs.token }}
 
     - name: Set Git Config
-      uses: ivuorinen/actions/set-git-config@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/set-git-config@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         token: ${{ inputs.token }}
         username: ${{ inputs.username }}
@@ -103,11 +103,11 @@ runs:
 
     - name: Node Setup
       id: node-setup
-      uses: ivuorinen/actions/node-setup@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/node-setup@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
 
     - name: Cache Node Dependencies
       id: cache
-      uses: ivuorinen/actions/common-cache@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-cache@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         type: 'npm'
         paths: 'node_modules'

codeql-analysis/action.yml

@@ -112,7 +112,7 @@ runs:
   using: composite
   steps:
     - name: Validate inputs
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         action-type: codeql-analysis
         language: ${{ inputs.language }}
@@ -189,7 +189,7 @@ runs:
         echo "Using build mode: $build_mode"
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         languages: ${{ inputs.language }}
         queries: ${{ inputs.queries }}
@@ -202,12 +202,12 @@ runs:
         threads: ${{ inputs.threads }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/autobuild@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }}
 
     - name: Perform CodeQL Analysis
       id: analysis
-      uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         category: ${{ steps.set-category.outputs.category }}
         upload: ${{ inputs.upload-results }}

compress-images/action.yml

@@ -143,7 +143,7 @@ runs:
         fi
     - name: Set Git Config
       id: set-git-config
-      uses: ivuorinen/actions/set-git-config@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/set-git-config@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         token: ${{ inputs.token }}
         username: ${{ inputs.username }}

csharp-build/action.yml

@@ -50,7 +50,7 @@ runs:
 
     - name: Detect .NET SDK Version
       id: detect-dotnet-version
-      uses: ivuorinen/actions/dotnet-version-detect@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/dotnet-version-detect@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         default-version: "${{ inputs.dotnet-version || '7.0' }}"
 
@@ -61,7 +61,7 @@ runs:
 
     - name: Cache NuGet packages
       id: cache-nuget
-      uses: ivuorinen/actions/common-cache@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-cache@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         type: 'nuget'
         paths: '~/.nuget/packages'
@@ -70,7 +70,7 @@ runs:
 
     - name: Restore Dependencies
       if: steps.cache-nuget.outputs.cache-hit != 'true'
-      uses: ivuorinen/actions/common-retry@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-retry@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         command: |
           echo "Restoring .NET dependencies..."

csharp-lint-check/action.yml

@@ -66,7 +66,7 @@ runs:
 
     - name: Detect .NET SDK Version
       id: detect-dotnet-version
-      uses: ivuorinen/actions/dotnet-version-detect@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/dotnet-version-detect@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         default-version: ${{ inputs.dotnet-version || '7.0' }}
 
@@ -111,6 +111,6 @@ runs:
         fi
 
     - name: Upload SARIF Report
-      uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         sarif_file: dotnet-format.sarif

csharp-publish/action.yml

@@ -51,7 +51,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         action-type: 'csharp-publish'
         token: ${{ inputs.token }}
@@ -60,7 +60,7 @@ runs:
 
     - name: Detect .NET SDK Version
       id: detect-dotnet-version
-      uses: ivuorinen/actions/dotnet-version-detect@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/dotnet-version-detect@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         default-version: '7.0'
 
@@ -71,7 +71,7 @@ runs:
 
     - name: Cache NuGet packages
       id: cache-nuget
-      uses: ivuorinen/actions/common-cache@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-cache@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         type: 'nuget'
         paths: '~/.nuget/packages'

docker-build/action.yml

@@ -147,7 +147,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         action-type: 'docker-build'
         image-name: ${{ inputs.image-name }}

docker-publish/action.yml

@@ -170,7 +170,7 @@ runs:
 
     - name: Build Multi-Arch Docker Image
       id: build
-      uses: ivuorinen/actions/docker-build@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/docker-build@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         tag: ${{ steps.tags.outputs.all-tags }}
         architectures: ${{ inputs.platforms }}
@@ -185,7 +185,7 @@ runs:
     - name: Publish to Docker Hub
       id: publish-dockerhub
       if: contains(steps.dest.outputs.reg, 'dockerhub')
-      uses: ivuorinen/actions/docker-publish-hub@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/docker-publish-hub@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         tags: ${{ steps.tags.outputs.all-tags }}
         platforms: ${{ inputs.platforms }}
@@ -201,7 +201,7 @@ runs:
     - name: Publish to GitHub Packages
       id: publish-github
       if: contains(steps.dest.outputs.reg, 'github')
-      uses: ivuorinen/actions/docker-publish-gh@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/docker-publish-gh@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         tags: ${{ steps.tags.outputs.all-tags }}
         platforms: ${{ inputs.platforms }}

dotnet-version-detect/action.yml

@@ -58,7 +58,7 @@ runs:
 
     - name: Parse .NET Version
       id: parse-version
-      uses: ivuorinen/actions/version-file-parser@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/version-file-parser@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         language: 'dotnet'
         tool-versions-key: 'dotnet'

eslint-check/action.yml

@@ -176,11 +176,11 @@ runs:
 
     - name: Setup Node.js
       id: node-setup
-      uses: ivuorinen/actions/node-setup@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/node-setup@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
 
     - name: Cache Node Dependencies
       id: cache
-      uses: ivuorinen/actions/common-cache@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-cache@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         type: 'npm'
         paths: 'node_modules'
@@ -414,7 +414,7 @@ runs:
 
     - name: Upload ESLint Results
       if: always() && inputs.report-format == 'sarif'
-      uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/eslint.sarif
         category: eslint

eslint-fix/action.yml

@@ -44,7 +44,7 @@ runs:
   steps:
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         action-type: 'eslint-fix'
         token: ${{ inputs.token }}
@@ -58,7 +58,7 @@ runs:
         token: ${{ inputs.token }}
 
     - name: Set Git Config
-      uses: ivuorinen/actions/set-git-config@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/set-git-config@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         token: ${{ inputs.token }}
         username: ${{ inputs.username }}
@@ -66,11 +66,11 @@ runs:
 
     - name: Node Setup
       id: node-setup
-      uses: ivuorinen/actions/node-setup@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/node-setup@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
 
     - name: Cache Node Dependencies
       id: cache
-      uses: ivuorinen/actions/common-cache@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-cache@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         type: 'npm'
         paths: 'node_modules'

generate_listing.cjs

@@ -430,4 +430,4 @@ function main() {
 }
 
 // Run the script
-main();
+main();

go-build/action.yml

@@ -54,7 +54,7 @@ runs:
 
     - name: Detect Go Version
       id: detect-go-version
-      uses: ivuorinen/actions/go-version-detect@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/go-version-detect@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         default-version: "${{ inputs.go-version || '1.21' }}"
 
@@ -66,7 +66,7 @@ runs:
 
     - name: Cache Go Dependencies
       id: cache-go
-      uses: ivuorinen/actions/common-cache@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-cache@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         type: 'go'
         paths: '~/go/pkg/mod'
@@ -75,7 +75,7 @@ runs:
 
     - name: Download Dependencies
       if: steps.cache-go.outputs.cache-hit != 'true'
-      uses: ivuorinen/actions/common-retry@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-retry@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         command: |
           echo "Downloading Go dependencies..."

go-lint/action.yml

@@ -218,7 +218,7 @@ runs:
     - name: Set up Cache
       id: cache
       if: inputs.cache == 'true'
-      uses: ivuorinen/actions/common-cache@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-cache@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         type: 'go'
         paths: '~/.cache/golangci-lint,~/.cache/go-build'
@@ -413,7 +413,7 @@ runs:
 
     - name: Upload Lint Results
       if: always() && inputs.report-format == 'sarif'
-      uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/golangci-lint.sarif
         category: golangci-lint

go-version-detect/action.yml

@@ -65,7 +65,7 @@ runs:
 
     - name: Parse Go Version
       id: parse-version
-      uses: ivuorinen/actions/version-file-parser@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/version-file-parser@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         language: 'go'
         tool-versions-key: 'golang'

node-setup/action.yml

@@ -176,7 +176,7 @@ runs:
 
     - name: Parse Node.js Version
       id: version
-      uses: ivuorinen/actions/version-file-parser@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/version-file-parser@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         language: 'node'
         tool-versions-key: 'nodejs'
@@ -300,7 +300,7 @@ runs:
     - name: Cache Dependencies
       if: inputs.cache == 'true'
       id: deps-cache
-      uses: ivuorinen/actions/common-cache@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-cache@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         type: 'npm'
         paths: '~/.npm,~/.yarn/cache,~/.pnpm-store,~/.bun/install/cache,node_modules'
@@ -360,7 +360,7 @@ runs:
 
     - name: Install Dependencies
       if: inputs.install == 'true' && steps.deps-cache.outputs.cache-hit != 'true'
-      uses: ivuorinen/actions/common-retry@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-retry@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         command: |
           package_manager="$PACKAGE_MANAGER"

npm-publish/action.yml

@@ -101,7 +101,7 @@ runs:
         token: ${{ inputs.token || github.token }}
 
     - name: Setup Node.js
-      uses: ivuorinen/actions/node-setup@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/node-setup@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
 
     - name: Authenticate NPM
       shell: sh

package-lock.json

@@ -1079,6 +1079,7 @@
       "integrity": "sha512-/4Osri9QFGCZOCTkfA8qJF+XGjKYERSHkXzxSyS1hd3ZERJGjvsUao2h4wdnvpHp6Tu2Jh/bPHM0FE9JJza6ng==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "globby": "14.1.0",
         "js-yaml": "4.1.0",

php-composer/action.yml

@@ -79,7 +79,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         action-type: php-composer
 
@@ -176,7 +176,7 @@ runs:
 
     - name: Cache Composer packages
       id: composer-cache
-      uses: ivuorinen/actions/common-cache@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-cache@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         type: 'composer'
         paths: vendor,~/.composer/cache${{ inputs.cache-directories != "" && format(",{0}", inputs.cache-directories) || "" }}
@@ -196,7 +196,7 @@ runs:
         composer clear-cache
 
     - name: Install Dependencies
-      uses: ivuorinen/actions/common-retry@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-retry@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         command: composer install ${{ inputs.args }}
         max-retries: ${{ inputs.max-retries }}

php-laravel-phpunit/action.yml

@@ -60,7 +60,7 @@ runs:
 
     - name: Detect PHP Version
       id: php-version
-      uses: ivuorinen/actions/php-version-detect@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/php-version-detect@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         default-version: ${{ inputs.php-version }}
 

php-tests/action.yml

@@ -86,14 +86,14 @@ runs:
         token: ${{ inputs.token || github.token }}
 
     - name: Set Git Config
-      uses: ivuorinen/actions/set-git-config@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/set-git-config@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         token: ${{ inputs.token != '' && inputs.token || github.token }}
         username: ${{ inputs.username }}
         email: ${{ inputs.email }}
 
     - name: Composer Install
-      uses: ivuorinen/actions/php-composer@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/php-composer@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
 
     - name: Run PHPUnit Tests
       id: test

php-version-detect/action.yml

@@ -67,7 +67,7 @@ runs:
 
     - name: Parse PHP Version
       id: parse-version
-      uses: ivuorinen/actions/version-file-parser@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/version-file-parser@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         language: 'php'
         tool-versions-key: 'php'

pr-lint/action.yml

@@ -40,7 +40,7 @@ runs:
   steps:
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         action-type: pr-lint
         token: ${{ inputs.token }}
@@ -64,9 +64,9 @@ runs:
     #   ╰──────────────────────────────────────────────────────────╯
     - name: Setup Git Config
       id: git-config
-      uses: ivuorinen/actions/set-git-config@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/set-git-config@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
-        token: ${{ inputs.token }}
+        token: ${{ inputs.token || github.token }}
         username: ${{ inputs.username }}
         email: ${{ inputs.email }}
 
@@ -87,7 +87,7 @@ runs:
 
     - name: Setup Node.js environment
       if: steps.detect-node.outputs.found == 'true'
-      uses: ivuorinen/actions/node-setup@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/node-setup@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         install: true
         cache: true
@@ -106,7 +106,7 @@ runs:
     - name: Detect PHP Version
       if: steps.detect-php.outputs.found == 'true'
       id: php-version
-      uses: ivuorinen/actions/php-version-detect@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/php-version-detect@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
 
     - name: Setup PHP
       if: steps.detect-php.outputs.found == 'true'
@@ -150,7 +150,7 @@ runs:
     - name: Detect Python Version
       if: steps.detect-python.outputs.found == 'true'
       id: python-version
-      uses: ivuorinen/actions/python-version-detect@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/python-version-detect@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
 
     - name: Setup Python
       if: steps.detect-python.outputs.found == 'true'
@@ -181,7 +181,7 @@ runs:
     - name: Detect Go Version
       if: steps.detect-go.outputs.found == 'true'
       id: go-version
-      uses: ivuorinen/actions/go-version-detect@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/go-version-detect@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
 
     - name: Setup Go
       if: steps.detect-go.outputs.found == 'true'
@@ -264,7 +264,12 @@ runs:
     - name: Set APPLY_FIXES_IF var
       shell: bash
       env:
-        APPLY_FIXES_CONDITION: ${{ steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) }}
+        APPLY_FIXES_CONDITION: >-
+          ${{
+            steps.ml.outputs.has_updated_sources == 1 &&
+            (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) &&
+            (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
+          }}
       run: |
         set -euo pipefail
 

pre-commit/action.yml

@@ -49,7 +49,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         action-type: 'pre-commit'
         token: ${{ inputs.token }}
@@ -58,7 +58,7 @@ runs:
         email: ${{ inputs.commit_email }}
         username: ${{ inputs.commit_user }}
     - name: Set Git Config
-      uses: ivuorinen/actions/set-git-config@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/set-git-config@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         token: ${{ inputs.token }}
         username: ${{ inputs.commit_user }}

prettier-check/action.yml

@@ -202,11 +202,11 @@ runs:
 
     - name: Setup Node.js
       id: node-setup
-      uses: ivuorinen/actions/node-setup@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/node-setup@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
 
     - name: Set up Cache
       id: cache
-      uses: ivuorinen/actions/common-cache@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-cache@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       if: inputs.cache == 'true'
       with:
         type: 'npm'
@@ -432,7 +432,7 @@ runs:
 
     - name: Upload Prettier Results
       if: always() && inputs.report-format == 'sarif'
-      uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/prettier.sarif
         category: prettier

prettier-fix/action.yml

@@ -91,7 +91,7 @@ runs:
         token: ${{ inputs.token }}
 
     - name: Set Git Config
-      uses: ivuorinen/actions/set-git-config@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/set-git-config@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         token: ${{ inputs.token }}
         username: ${{ inputs.username }}
@@ -99,11 +99,11 @@ runs:
 
     - name: Node Setup
       id: node-setup
-      uses: ivuorinen/actions/node-setup@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/node-setup@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
 
     - name: Cache npm Dependencies
       id: cache-npm
-      uses: ivuorinen/actions/common-cache@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-cache@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         type: 'npm'
         paths: 'node_modules'

python-lint-fix/action.yml

@@ -155,7 +155,7 @@ runs:
 
     - name: Detect Python Version
       id: python-version
-      uses: ivuorinen/actions/python-version-detect@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/python-version-detect@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         default-version: ${{ inputs.python-version }}
 
@@ -189,7 +189,7 @@ runs:
     - name: Cache Python Dependencies
       if: steps.check-files.outputs.result == 'found'
       id: cache-pip
-      uses: ivuorinen/actions/common-cache@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/common-cache@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         type: 'pip'
         paths: '~/.cache/pip'
@@ -325,7 +325,7 @@ runs:
 
     - name: Set Git Config for Fixes
       if: ${{ fromJSON(steps.fix.outputs.fixed_count) > 0 }}
-      uses: ivuorinen/actions/set-git-config@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/set-git-config@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         token: ${{ inputs.token }}
         username: ${{ inputs.username }}
@@ -370,7 +370,7 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.result == 'found'
-      uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/flake8.sarif
         category: 'python-lint'

python-version-detect-v2/action.yml

@@ -72,7 +72,7 @@ runs:
 
     - name: Parse Python Version
       id: parse-version
-      uses: ivuorinen/actions/version-file-parser@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/version-file-parser@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         language: 'python'
         tool-versions-key: 'python'

python-version-detect/action.yml

@@ -65,7 +65,7 @@ runs:
 
     - name: Parse Python Version
       id: parse-version
-      uses: ivuorinen/actions/version-file-parser@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/version-file-parser@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         language: 'python'
         tool-versions-key: 'python'

stale/action.yml

@@ -43,7 +43,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         action-type: 'stale'
         token: ${{ inputs.token || github.token }}

terraform-lint-fix/action.yml

@@ -78,7 +78,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         action-type: 'terraform-lint-fix'
         token: ${{ inputs.token || github.token }}
@@ -270,7 +270,7 @@ runs:
 
     - name: Set Git Config for Fixes
       if: ${{ fromJSON(steps.fix.outputs.fixed_count) > 0 }}
-      uses: ivuorinen/actions/set-git-config@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/set-git-config@2f1c73dd8b23ffec17bb93ebd0f32e7a7c7546fc
       with:
         token: ${{ inputs.token || github.token }}
         username: ${{ inputs.username }}
@@ -302,7 +302,7 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.found == 'true' && inputs.format == 'sarif'
-      uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
+      uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
       with:
         sarif_file: ${{ env.VALIDATED_WORKING_DIR }}/reports/tflint.sarif
         category: terraform-lint