chore(new-release): add prefix v, add security as type (#376)

* chore(new-release): add prefix v, add security as type

* fix(pr-lint): fix pr-lint workflow

* fix(lint): prettier format

.github/actions/setup-test-environment/action.yml

@@ -17,12 +17,12 @@ runs:
   using: composite
   steps:
     - name: Install uv
-      uses: astral-sh/setup-uv@5a7eac68fb9809dea845d802897dc5c723910fa3 # v7.1.3
+      uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
       with:
         enable-cache: true
 
     - name: Set up Python
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version-file: pyproject.toml
 

.github/tag-changelog-config.js

@@ -1,6 +1,7 @@
 module.exports = {
   types: [
     { types: ['feat', 'feature', 'Feat'], label: '🎉 New Features' },
+    { types: ['security'], label: '🔐 Security' },
     { types: ['fix', 'bugfix', 'Fix'], label: '🐛 Bugfixes' },
     { types: ['improvements', 'enhancement'], label: '🔨 Improvements' },
     { types: ['perf'], label: '🏎️ Performance Improvements' },

.github/workflows/action-security.yml

@@ -117,14 +117,14 @@ jobs:
 
       - name: Upload Trivy results
         if: steps.verify-sarif.outputs.has_trivy == 'true'
-        uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
         with:
           sarif_file: 'trivy-results.sarif'
           category: 'trivy'
 
       - name: Upload Gitleaks results
         if: steps.verify-sarif.outputs.has_gitleaks == 'true'
-        uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
         with:
           sarif_file: 'gitleaks-report.sarif'
           category: 'gitleaks'

.github/workflows/codeql.yml

@@ -37,15 +37,15 @@ jobs:
         uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+        uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+        uses: github/codeql-action/autobuild@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+        uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
         with:
           category: '/language:${{matrix.language}}'

.github/workflows/issue-stats.yml

@@ -30,7 +30,7 @@ jobs:
           echo "last_month=$first_day..$last_day" >> "$GITHUB_ENV"
 
       - name: Run issue-metrics tool
-        uses: github/issue-metrics@637a24e71b78bc10881e61972b19ea9ff736e14a # v3.25.2
+        uses: github/issue-metrics@78b1d469a1b1c94945b15bd71dedcb1928667f49 # v3.25.3
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SEARCH_QUERY: 'repo:ivuorinen/actions is:issue created:${{ env.last_month }} -reason:"not planned"'

.github/workflows/new-release.yml

@@ -25,6 +25,8 @@ jobs:
       - name: Create tag if necessary
         uses: fregante/daily-version-action@fb1a60b7c4daf1410cd755e360ebec3901e58588 # v2.1.3
         id: daily-version
+        with:
+          prefix: v
 
       - name: Create changelog text
         if: steps.daily-version.outputs.created

.github/workflows/pr-lint.yml

@@ -25,7 +25,7 @@ on:
 
 env:
   # Apply linter fixes configuration
-  APPLY_FIXES: all
+  APPLY_FIXES: none
   APPLY_FIXES_EVENT: pull_request
   APPLY_FIXES_MODE: commit
 
@@ -104,7 +104,7 @@ jobs:
 
       - name: Upload SARIF Report
         if: always() && hashFiles('megalinter-reports/sarif/*.sarif')
-        uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
         with:
           sarif_file: megalinter-reports/sarif
           category: megalinter
@@ -113,7 +113,7 @@ jobs:
         if: steps.ml.outputs.has_updated_sources == 1
         shell: sh
         run: |
-          sudo chown -Rc $UID .git/
+          sudo chown -Rc $(id -u) .git/
           git config --global user.name "fiximus"
           git config --global user.email "github-bot@ivuorinen.net"
 
@@ -124,7 +124,7 @@ jobs:
           env.APPLY_FIXES_MODE == 'pull_request' &&
           (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) &&
           !contains(github.event.head_commit.message, 'skip fix')
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
         id: cpr
         with:
           token: ${{ secrets.FIXIMUS_TOKEN || secrets.GITHUB_TOKEN }}

.github/workflows/test-actions.yml

@@ -73,7 +73,7 @@ jobs:
         if: always()
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
         if: always() && hashFiles('_tests/reports/test-results.sarif') != ''
         with:
           sarif_file: _tests/reports/test-results.sarif

.github/workflows/version-maintenance.yml

@@ -49,7 +49,7 @@ jobs:
 
       - name: Create Pull Request
         if: steps.action-versioning.outputs.updated == 'true'
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: 'chore: update action references to ${{ steps.version.outputs.major }}'

.pre-commit-config.yaml

@@ -44,7 +44,7 @@ repos:
         args: [--autofix, --no-sort-keys]
 
   - repo: https://github.com/DavidAnson/markdownlint-cli2
-    rev: v0.19.0
+    rev: v0.19.1
     hooks:
       - id: markdownlint-cli2
         args: [--fix]
@@ -55,7 +55,7 @@ repos:
       - id: yamllint
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.14.5
+    rev: v0.14.6
     hooks:
       # Run the linter with auto-fix
       - id: ruff-check
@@ -78,24 +78,24 @@ repos:
         exclude: '^_tests/.*\.sh$'
 
   - repo: https://github.com/rhysd/actionlint
-    rev: v1.7.8
+    rev: v1.7.9
     hooks:
       - id: actionlint
         args: ['-shellcheck=']
 
   - repo: https://github.com/renovatebot/pre-commit-hooks
-    rev: 42.19.0
+    rev: 42.19.3
     hooks:
       - id: renovate-config-validator
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: '3.2.494'
+    rev: '3.2.495'
     hooks:
       - id: checkov
         args:
           - '--quiet'
 
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.29.0
+    rev: v8.29.1
     hooks:
       - id: gitleaks

ansible-lint-fix/action.yml

@@ -45,7 +45,7 @@ runs:
   steps:
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
       with:
         action-type: 'ansible-lint-fix'
         token: ${{ inputs.token }}
@@ -75,7 +75,7 @@ runs:
 
     - name: Setup Python
       if: steps.check-files.outputs.files_found == 'true'
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: '3.11'
         cache: 'pip'
@@ -83,7 +83,7 @@ runs:
     - name: Install ansible-lint
       id: install-ansible-lint
       if: steps.check-files.outputs.files_found == 'true'
-      uses: step-security/retry@e1d59ce1f574b32f0915e3a8df055cfe9f99be5d # v3
+      uses: step-security/retry@e1d59ce1f574b32f0915e3a8df055cfe9f99be5d # v3.0.4
       with:
         timeout_minutes: 5
         max_attempts: ${{ inputs.max-retries }}
@@ -130,6 +130,6 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.files_found == 'true'
-      uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
       with:
         sarif_file: ansible-lint.sarif

biome-lint/action.yml

@@ -331,7 +331,7 @@ runs:
 
     - name: Upload SARIF Report
       if: inputs.mode == 'check' && always()
-      uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
       with:
         sarif_file: biome-report.sarif
 

codeql-analysis/action.yml

@@ -107,7 +107,7 @@ runs:
   using: composite
   steps:
     - name: Validate inputs
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
       with:
         action-type: codeql-analysis
         language: ${{ inputs.language }}
@@ -186,7 +186,7 @@ runs:
         echo "Using build mode: $build_mode"
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+      uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
       with:
         languages: ${{ inputs.language }}
         queries: ${{ inputs.queries }}
@@ -199,12 +199,12 @@ runs:
         threads: ${{ inputs.threads }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+      uses: github/codeql-action/autobuild@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
       if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }}
 
     - name: Perform CodeQL Analysis
       id: analysis
-      uses: github/codeql-action/analyze@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+      uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
       with:
         category: ${{ steps.set-category.outputs.category }}
         upload: ${{ inputs.upload-results }}

compress-images/action.yml

@@ -163,7 +163,7 @@ runs:
 
     - name: Create New Pull Request If Needed
       if: steps.calibre.outputs.markdown != ''
-      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
       with:
         token: ${{ inputs.token }}
         title: 'chore: compress images'

csharp-build/action.yml

@@ -148,14 +148,14 @@ runs:
         echo "Final detected .NET version: $detected_version" >&2
 
     - name: Setup .NET SDK
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+      uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1
       with:
         dotnet-version: ${{ steps.detect-dotnet-version.outputs.detected-version }}
         cache: true
         cache-dependency-path: '**/packages.lock.json'
 
     - name: Restore Dependencies
-      uses: step-security/retry@e1d59ce1f574b32f0915e3a8df055cfe9f99be5d # v3
+      uses: step-security/retry@e1d59ce1f574b32f0915e3a8df055cfe9f99be5d # v3.0.4
       with:
         timeout_minutes: 10
         max_attempts: ${{ inputs.max-retries }}

csharp-lint-check/action.yml

@@ -164,7 +164,7 @@ runs:
         echo "Final detected .NET version: $detected_version" >&2
 
     - name: Setup .NET SDK
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+      uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1
       with:
         dotnet-version: ${{ steps.detect-dotnet-version.outputs.detected-version }}
         cache: true
@@ -206,6 +206,6 @@ runs:
         fi
 
     - name: Upload SARIF Report
-      uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
       with:
         sarif_file: dotnet-format.sarif

csharp-publish/action.yml

@@ -55,7 +55,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
       with:
         action-type: 'csharp-publish'
         token: ${{ inputs.token }}
@@ -162,14 +162,14 @@ runs:
         echo "Final detected .NET version: $detected_version" >&2
 
     - name: Setup .NET SDK
-      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+      uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1
       with:
         dotnet-version: ${{ inputs.dotnet-version || steps.detect-dotnet-version.outputs.detected-version }}
         cache: true
         cache-dependency-path: '**/packages.lock.json'
 
     - name: Restore Dependencies
-      uses: step-security/retry@e1d59ce1f574b32f0915e3a8df055cfe9f99be5d # v3
+      uses: step-security/retry@e1d59ce1f574b32f0915e3a8df055cfe9f99be5d # v3.0.4
       with:
         timeout_minutes: 10
         max_attempts: ${{ inputs.max-retries }}

docker-build/action.yml

@@ -147,7 +147,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
       with:
         action-type: 'docker-build'
         image-name: ${{ inputs.image-name }}

docker-publish/action.yml

@@ -171,7 +171,7 @@ runs:
         echo "Input validation completed successfully"
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
     - name: Determine Image Names and Tags
       id: meta
@@ -234,14 +234,14 @@ runs:
 
     - name: Login to Docker Hub
       if: inputs.registry == 'dockerhub' || inputs.registry == 'both'
-      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
       with:
         username: ${{ inputs.dockerhub-username }}
         password: ${{ inputs.dockerhub-token }}
 
     - name: Login to GitHub Container Registry
       if: inputs.registry == 'github' || inputs.registry == 'both'
-      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
@@ -249,7 +249,7 @@ runs:
 
     - name: Build and Push Docker Image
       id: build
-      uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
       with:
         context: ${{ inputs.context }}
         file: ${{ inputs.dockerfile }}

eslint-lint/action.yml

@@ -457,7 +457,7 @@ runs:
 
     - name: Upload SARIF Report
       if: inputs.mode == 'check' && inputs.report-format == 'sarif' && always()
-      uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
       with:
         sarif_file: ${{ inputs.working-directory }}/eslint-results.sarif
 

go-build/action.yml

@@ -159,13 +159,13 @@ runs:
         echo "Final detected Go version: $detected_version" >&2
 
     - name: Setup Go
-      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
       with:
         go-version: ${{ steps.detect-go-version.outputs.detected-version }}
         cache: true
 
     - name: Download Dependencies
-      uses: step-security/retry@e1d59ce1f574b32f0915e3a8df055cfe9f99be5d # v3
+      uses: step-security/retry@e1d59ce1f574b32f0915e3a8df055cfe9f99be5d # v3.0.4
       with:
         timeout_minutes: 10
         max_attempts: ${{ inputs.max-retries }}

go-lint/action.yml

@@ -205,7 +205,7 @@ runs:
         validate_linter_list "$DISABLE_LINTERS" "disable-linters"
 
     - name: Setup Go
-      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
       with:
         go-version: ${{ inputs.go-version }}
         cache: true
@@ -414,7 +414,7 @@ runs:
 
     - name: Upload Lint Results
       if: always() && inputs.report-format == 'sarif'
-      uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/golangci-lint.sarif
         category: golangci-lint

php-tests/action.yml

@@ -376,7 +376,7 @@ runs:
         composer clear-cache
 
     - name: Install Composer Dependencies
-      uses: step-security/retry@e1d59ce1f574b32f0915e3a8df055cfe9f99be5d # v3
+      uses: step-security/retry@e1d59ce1f574b32f0915e3a8df055cfe9f99be5d # v3.0.4
       with:
         timeout_minutes: 10
         max_attempts: ${{ inputs.max-retries }}
@@ -454,7 +454,7 @@ runs:
           phpunit_output=$(composer test 2>&1) || phpunit_exit_code=$?
         elif [ -f "vendor/bin/phpunit" ]; then
           echo "Running PHPUnit directly..."
-          phpunit_output=$(vendor/bin/phpunit --verbose 2>&1) || phpunit_exit_code=$?
+          phpunit_output=$(vendor/bin/phpunit 2>&1) || phpunit_exit_code=$?
         else
           echo "::error::PHPUnit not found. Ensure Composer dependencies are installed."
           exit 1

pr-lint/action.yml

@@ -40,7 +40,7 @@ runs:
   steps:
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
       with:
         action-type: pr-lint
         token: ${{ inputs.token }}
@@ -95,7 +95,7 @@ runs:
         fi
 
         printf 'package-manager=%s\n' "$package_manager" >> "$GITHUB_OUTPUT"
-        echo "Detected package manager: $package_manager"
+        printf 'Detected package manager: %s\n' "$package_manager"
 
     - name: Setup Node.js
       if: steps.detect-node.outputs.found == 'true'
@@ -154,7 +154,7 @@ runs:
       run: |
         set -eu
 
-        echo "Installing dependencies using $PACKAGE_MANAGER..."
+        printf 'Installing dependencies using %s...\n' "$PACKAGE_MANAGER"
 
         case "$PACKAGE_MANAGER" in
           "pnpm")
@@ -175,7 +175,7 @@ runs:
             ;;
         esac
 
-        echo "✅ Dependencies installed successfully"
+        printf '✅ Dependencies installed successfully\n'
 
     # PHP tests if composer.json exists
     - name: Detect composer.json
@@ -219,12 +219,12 @@ runs:
 
         # Parse .tool-versions file
         if [ -f .tool-versions ]; then
-          echo "Checking .tool-versions for php..." >&2
+          printf 'Checking .tool-versions for php...\n' >&2
           version=$(awk '/^php[[:space:]]/ {gsub(/#.*/, ""); print $2; exit}' .tool-versions 2>/dev/null || echo "")
           if [ -n "$version" ]; then
             version=$(clean_version "$version")
             if validate_version "$version"; then
-              echo "Found PHP version in .tool-versions: $version" >&2
+              printf 'Found PHP version in .tool-versions: %s\n' "$version" >&2
               detected_version="$version"
             fi
           fi
@@ -232,13 +232,13 @@ runs:
 
         # Parse Dockerfile
         if [ -z "$detected_version" ] && [ -f Dockerfile ]; then
-          echo "Checking Dockerfile for php..." >&2
+          printf 'Checking Dockerfile for php...\n' >&2
           version=$(grep -iF "FROM" Dockerfile | grep -F "php:" | head -1 | \
             sed -n -E "s/.*php:([0-9]+(\.[0-9]+)*)(-[^:]*)?.*/\1/p" || echo "")
           if [ -n "$version" ]; then
             version=$(clean_version "$version")
             if validate_version "$version"; then
-              echo "Found PHP version in Dockerfile: $version" >&2
+              printf 'Found PHP version in Dockerfile: %s\n' "$version" >&2
               detected_version="$version"
             fi
           fi
@@ -246,29 +246,29 @@ runs:
 
         # Parse devcontainer.json
         if [ -z "$detected_version" ] && [ -f .devcontainer/devcontainer.json ]; then
-          echo "Checking devcontainer.json for php..." >&2
+          printf 'Checking devcontainer.json for php...\n' >&2
           if command -v jq >/dev/null 2>&1; then
             version=$(jq -r '.image // empty' .devcontainer/devcontainer.json 2>/dev/null | sed -n -E "s/.*php:([0-9]+(\.[0-9]+)*)(-[^:]*)?.*/\1/p" || echo "")
             if [ -n "$version" ]; then
               version=$(clean_version "$version")
               if validate_version "$version"; then
-                echo "Found PHP version in devcontainer: $version" >&2
+                printf 'Found PHP version in devcontainer: %s\n' "$version" >&2
                 detected_version="$version"
               fi
             fi
           else
-            echo "jq not found; skipping devcontainer.json parsing" >&2
+            printf 'jq not found; skipping devcontainer.json parsing\n' >&2
           fi
         fi
 
         # Parse .php-version file
         if [ -z "$detected_version" ] && [ -f .php-version ]; then
-          echo "Checking .php-version..." >&2
+          printf 'Checking .php-version...\n' >&2
           version=$(tr -d '\r' < .php-version | head -1)
           if [ -n "$version" ]; then
             version=$(clean_version "$version")
             if validate_version "$version"; then
-              echo "Found PHP version in .php-version: $version" >&2
+              printf 'Found PHP version in .php-version: %s\n' "$version" >&2
               detected_version="$version"
             fi
           fi
@@ -276,7 +276,7 @@ runs:
 
         # Parse composer.json
         if [ -z "$detected_version" ] && [ -f composer.json ]; then
-          echo "Checking composer.json..." >&2
+          printf 'Checking composer.json...\n' >&2
           if command -v jq >/dev/null 2>&1; then
             version=$(jq -r '.require.php // empty' composer.json 2>/dev/null | sed -n 's/[^0-9]*\([0-9]\+\.[0-9]\+\(\.[0-9]\+\)\?\).*/\1/p')
             if [ -z "$version" ]; then
@@ -285,24 +285,24 @@ runs:
             if [ -n "$version" ]; then
               version=$(clean_version "$version")
               if validate_version "$version"; then
-                echo "Found PHP version in composer.json: $version" >&2
+                printf 'Found PHP version in composer.json: %s\n' "$version" >&2
                 detected_version="$version"
               fi
             fi
           else
-            echo "jq not found; skipping composer.json parsing" >&2
+            printf 'jq not found; skipping composer.json parsing\n' >&2
           fi
         fi
 
         # Use default version if nothing detected
         if [ -z "$detected_version" ]; then
           detected_version="$DEFAULT_VERSION"
-          echo "Using default PHP version: $detected_version" >&2
+          printf 'Using default PHP version: %s\n' "$detected_version" >&2
         fi
 
         # Set output
         printf 'detected-version=%s\n' "$detected_version" >> "$GITHUB_OUTPUT"
-        echo "Final detected PHP version: $detected_version" >&2
+        printf 'Final detected PHP version: %s\n' "$detected_version" >&2
 
     - name: Setup PHP
       if: steps.detect-php.outputs.found == 'true'
@@ -312,7 +312,7 @@ runs:
         tools: composer
         coverage: none
       env:
-        GITHUB_TOKEN: ${{ inputs.token }}
+        GITHUB_TOKEN: ${{ inputs.token || github.token }}
 
     - name: Setup problem matchers for PHP
       if: steps.detect-php.outputs.found == 'true'
@@ -322,7 +322,8 @@ runs:
       run: |
         set -eu
 
-        echo "::add-matcher::$RUNNER_TOOL_CACHE/php.json"
+        matcher_path=$(printf '%s' "$RUNNER_TOOL_CACHE/php.json" | tr -d '\n\r')
+        echo "::add-matcher::$matcher_path"
 
     - name: Install PHP dependencies
       if: steps.detect-php.outputs.found == 'true'
@@ -374,12 +375,12 @@ runs:
 
         # Parse .tool-versions file
         if [ -f .tool-versions ]; then
-          echo "Checking .tool-versions for python..." >&2
+          printf 'Checking .tool-versions for python...\n' >&2
           version=$(awk '/^python[[:space:]]/ {gsub(/#.*/, ""); print $2; exit}' .tool-versions 2>/dev/null || echo "")
           if [ -n "$version" ]; then
             version=$(clean_version "$version")
             if validate_version "$version"; then
-              echo "Found Python version in .tool-versions: $version" >&2
+              printf 'Found Python version in .tool-versions: %s\n' "$version" >&2
               detected_version="$version"
             fi
           fi
@@ -387,13 +388,13 @@ runs:
 
         # Parse Dockerfile
         if [ -z "$detected_version" ] && [ -f Dockerfile ]; then
-          echo "Checking Dockerfile for python..." >&2
+          printf 'Checking Dockerfile for python...\n' >&2
           version=$(grep -iF "FROM" Dockerfile | grep -F "python:" | head -1 | \
             sed -n -E "s/.*python:([0-9]+(\.[0-9]+)*)(-[^:]*)?.*/\1/p" || echo "")
           if [ -n "$version" ]; then
             version=$(clean_version "$version")
             if validate_version "$version"; then
-              echo "Found Python version in Dockerfile: $version" >&2
+              printf 'Found Python version in Dockerfile: %s\n' "$version" >&2
               detected_version="$version"
             fi
           fi
@@ -401,29 +402,29 @@ runs:
 
         # Parse devcontainer.json
         if [ -z "$detected_version" ] && [ -f .devcontainer/devcontainer.json ]; then
-          echo "Checking devcontainer.json for python..." >&2
+          printf 'Checking devcontainer.json for python...\n' >&2
           if command -v jq >/dev/null 2>&1; then
             version=$(jq -r '.image // empty' .devcontainer/devcontainer.json 2>/dev/null | sed -n -E "s/.*python:([0-9]+(\.[0-9]+)*)(-[^:]*)?.*/\1/p" || echo "")
             if [ -n "$version" ]; then
               version=$(clean_version "$version")
               if validate_version "$version"; then
-                echo "Found Python version in devcontainer: $version" >&2
+                printf 'Found Python version in devcontainer: %s\n' "$version" >&2
                 detected_version="$version"
               fi
             fi
           else
-            echo "jq not found; skipping devcontainer.json parsing" >&2
+            printf 'jq not found; skipping devcontainer.json parsing\n' >&2
           fi
         fi
 
         # Parse .python-version file
         if [ -z "$detected_version" ] && [ -f .python-version ]; then
-          echo "Checking .python-version..." >&2
+          printf 'Checking .python-version...\n' >&2
           version=$(tr -d '\r' < .python-version | head -1)
           if [ -n "$version" ]; then
             version=$(clean_version "$version")
             if validate_version "$version"; then
-              echo "Found Python version in .python-version: $version" >&2
+              printf 'Found Python version in .python-version: %s\n' "$version" >&2
               detected_version="$version"
             fi
           fi
@@ -431,13 +432,13 @@ runs:
 
         # Parse pyproject.toml
         if [ -z "$detected_version" ] && [ -f pyproject.toml ]; then
-          echo "Checking pyproject.toml..." >&2
-          if grep -q '^\\[project\\]' pyproject.toml; then
-            version=$(grep -A 20 '^\\[project\\]' pyproject.toml | grep -E '^\\s*requires-python[[:space:]]*=' | sed -n 's/[^0-9]*\([0-9]\+\.[0-9]\+\(\.[0-9]\+\)\?\).*/\1/p' | head -1)
+          printf 'Checking pyproject.toml...\n' >&2
+          if grep -q '^\[project\]' pyproject.toml; then
+            version=$(grep -A 20 '^\[project\]' pyproject.toml | grep -E '^\s*requires-python[[:space:]]*=' | sed -n 's/[^0-9]*\([0-9]\+\.[0-9]\+\(\.[0-9]\+\)\?\).*/\1/p' | head -1)
             if [ -n "$version" ]; then
               version=$(clean_version "$version")
               if validate_version "$version"; then
-                echo "Found Python version in pyproject.toml: $version" >&2
+                printf 'Found Python version in pyproject.toml: %s\n' "$version" >&2
                 detected_version="$version"
               fi
             fi
@@ -447,16 +448,16 @@ runs:
         # Use default version if nothing detected
         if [ -z "$detected_version" ]; then
           detected_version="$DEFAULT_VERSION"
-          echo "Using default Python version: $detected_version" >&2
+          printf 'Using default Python version: %s\n' "$detected_version" >&2
         fi
 
         # Set output
         printf 'detected-version=%s\n' "$detected_version" >> "$GITHUB_OUTPUT"
-        echo "Final detected Python version: $detected_version" >&2
+        printf 'Final detected Python version: %s\n' "$detected_version" >&2
 
     - name: Setup Python
       if: steps.detect-python.outputs.found == 'true'
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: ${{ steps.python-version.outputs.detected-version }}
         cache: 'pip'
@@ -511,12 +512,12 @@ runs:
 
         # Parse .tool-versions file
         if [ -f .tool-versions ]; then
-          echo "Checking .tool-versions for golang..." >&2
+          printf 'Checking .tool-versions for golang...\n' >&2
           version=$(awk '/^golang[[:space:]]/ {gsub(/#.*/, ""); print $2; exit}' .tool-versions 2>/dev/null || echo "")
           if [ -n "$version" ]; then
             version=$(clean_version "$version")
             if validate_version "$version"; then
-              echo "Found Go version in .tool-versions: $version" >&2
+              printf 'Found Go version in .tool-versions: %s\n' "$version" >&2
               detected_version="$version"
             fi
           fi
@@ -524,13 +525,13 @@ runs:
 
         # Parse Dockerfile
         if [ -z "$detected_version" ] && [ -f Dockerfile ]; then
-          echo "Checking Dockerfile for golang..." >&2
+          printf 'Checking Dockerfile for golang...\n' >&2
           version=$(grep -iF "FROM" Dockerfile | grep -F "golang:" | head -1 | \
             sed -n -E "s/.*golang:([0-9]+(\.[0-9]+)*)(-[^:]*)?.*/\1/p" || echo "")
           if [ -n "$version" ]; then
             version=$(clean_version "$version")
             if validate_version "$version"; then
-              echo "Found Go version in Dockerfile: $version" >&2
+              printf 'Found Go version in Dockerfile: %s\n' "$version" >&2
               detected_version="$version"
             fi
           fi
@@ -538,29 +539,29 @@ runs:
 
         # Parse devcontainer.json
         if [ -z "$detected_version" ] && [ -f .devcontainer/devcontainer.json ]; then
-          echo "Checking devcontainer.json for golang..." >&2
+          printf 'Checking devcontainer.json for golang...\n' >&2
           if command -v jq >/dev/null 2>&1; then
             version=$(jq -r '.image // empty' .devcontainer/devcontainer.json 2>/dev/null | sed -n -E "s/.*golang:([0-9]+(\.[0-9]+)*)(-[^:]*)?.*/\1/p" || echo "")
             if [ -n "$version" ]; then
               version=$(clean_version "$version")
               if validate_version "$version"; then
-                echo "Found Go version in devcontainer: $version" >&2
+                printf 'Found Go version in devcontainer: %s\n' "$version" >&2
                 detected_version="$version"
               fi
             fi
           else
-            echo "jq not found; skipping devcontainer.json parsing" >&2
+            printf 'jq not found; skipping devcontainer.json parsing\n' >&2
           fi
         fi
 
         # Parse .go-version file
         if [ -z "$detected_version" ] && [ -f .go-version ]; then
-          echo "Checking .go-version..." >&2
+          printf 'Checking .go-version...\n' >&2
           version=$(tr -d '\r' < .go-version | head -1)
           if [ -n "$version" ]; then
             version=$(clean_version "$version")
             if validate_version "$version"; then
-              echo "Found Go version in .go-version: $version" >&2
+              printf 'Found Go version in .go-version: %s\n' "$version" >&2
               detected_version="$version"
             fi
           fi
@@ -568,12 +569,12 @@ runs:
 
         # Parse go.mod
         if [ -z "$detected_version" ] && [ -f go.mod ]; then
-          echo "Checking go.mod..." >&2
+          printf 'Checking go.mod...\n' >&2
           version=$(grep -E '^go[[:space:]]+[0-9]' go.mod | awk '{print $2}' | head -1 || echo "")
           if [ -n "$version" ]; then
             version=$(clean_version "$version")
             if validate_version "$version"; then
-              echo "Found Go version in go.mod: $version" >&2
+              printf 'Found Go version in go.mod: %s\n' "$version" >&2
               detected_version="$version"
             fi
           fi
@@ -582,16 +583,16 @@ runs:
         # Use default version if nothing detected
         if [ -z "$detected_version" ]; then
           detected_version="$DEFAULT_VERSION"
-          echo "Using default Go version: $detected_version" >&2
+          printf 'Using default Go version: %s\n' "$detected_version" >&2
         fi
 
         # Set output
         printf 'detected-version=%s\n' "$detected_version" >> "$GITHUB_OUTPUT"
-        echo "Final detected Go version: $detected_version" >&2
+        printf 'Final detected Go version: %s\n' "$detected_version" >&2
 
     - name: Setup Go
       if: steps.detect-go.outputs.found == 'true'
-      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
       with:
         go-version: ${{ steps.go-version.outputs.detected-version }}
         cache: true
@@ -632,7 +633,7 @@ runs:
         #
         # When active, APPLY_FIXES must also be defined as environment variable
         # (in .github/workflows/mega-linter.yml or other CI tool)
-        APPLY_FIXES: all
+        APPLY_FIXES: none
 
         # Decide which event triggers application of fixes in a commit or a PR
         # (pull_request, push, all)
@@ -702,7 +703,7 @@ runs:
     # Create pull request if applicable
     # (for now works only on PR from same repository, not from forks)
     - name: Create Pull Request with applied fixes
-      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
       id: cpr
       if: env.APPLY_FIXES_IF_PR == 'true'
       with:
@@ -720,8 +721,8 @@ runs:
       run: |
         set -eu
 
-        echo "PR Number - $PR_NUMBER"
-        echo "PR URL - $PR_URL"
+        printf 'PR Number - %s\n' "$PR_NUMBER"
+        printf 'PR URL - %s\n' "$PR_URL"
 
     # Push new commit if applicable
     # (for now works only on PR from same repository, not from forks)
@@ -739,7 +740,8 @@ runs:
         set -eu
 
         # Fix .git directory ownership after MegaLinter container execution
-        sudo chown -Rc "$UID" .git/
+        current_uid=$(id -u)
+        sudo chown -Rc "$current_uid" .git/
 
         # Ensure we're on the correct branch (not in detached HEAD state)
         # This is necessary because MegaLinter may leave the repo in a detached HEAD state

pre-commit/action.yml

@@ -49,7 +49,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
       with:
         action-type: 'pre-commit'
         token: ${{ inputs.token }}

python-lint-fix/action.yml

@@ -64,7 +64,7 @@ runs:
   steps:
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
       with:
         action-type: 'python-lint-fix'
         token: ${{ inputs.token }}
@@ -224,7 +224,7 @@ runs:
 
     - name: Setup Python (pip)
       if: steps.package-manager.outputs.package-manager == 'pip'
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: ${{ steps.python-version.outputs.detected-version }}
         cache: 'pip'
@@ -237,7 +237,7 @@ runs:
 
     - name: Setup Python (pipenv)
       if: steps.package-manager.outputs.package-manager == 'pipenv'
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: ${{ steps.python-version.outputs.detected-version }}
         cache: 'pipenv'
@@ -247,7 +247,7 @@ runs:
 
     - name: Setup Python (poetry)
       if: steps.package-manager.outputs.package-manager == 'poetry'
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
       with:
         python-version: ${{ steps.python-version.outputs.detected-version }}
         cache: 'poetry'
@@ -370,7 +370,7 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.result == 'found'
-      uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/flake8.sarif
         category: 'python-lint'

stale/action.yml

@@ -43,7 +43,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
       with:
         action-type: 'stale'
         token: ${{ inputs.token || github.token }}

terraform-lint-fix/action.yml

@@ -78,7 +78,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@0fa9a68f07a1260b321f814202658a6089a43d42
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
       with:
         action-type: 'terraform-lint-fix'
         token: ${{ inputs.token || github.token }}
@@ -256,7 +256,7 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.found == 'true' && inputs.format == 'sarif'
-      uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
       with:
         sarif_file: ${{ env.VALIDATED_WORKING_DIR }}/reports/tflint.sarif
         category: terraform-lint