chore(deps)!: update renovatebot/pre-commit-hooks (41.159.4 → 42.6.2) (#337)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/workflows/build-testing-image.yml

@@ -49,7 +49,7 @@ jobs:
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: ghcr.io/${{ github.repository_owner }}/actions
           tags: |

.github/workflows/release.yml

@@ -17,6 +17,6 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      - uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
+      - uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
         with:
           generate_release_notes: true

.pre-commit-config.yaml

@@ -14,7 +14,7 @@ repos:
         types: [markdown, python, yaml]
         files: ^(docs/.*|README\.md|CONTRIBUTING\.md|CHANGELOG\.md|.*\.py|.*\.ya?ml)$
   - repo: https://github.com/astral-sh/uv-pre-commit
-    rev: 0.9.5
+    rev: 0.9.8
     hooks:
       - id: uv-lock
       - id: uv-sync
@@ -55,7 +55,7 @@ repos:
       - id: yamllint
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.14.2
+    rev: v0.14.4
     hooks:
       # Run the linter with auto-fix
       - id: ruff-check
@@ -84,7 +84,7 @@ repos:
         args: ['-shellcheck=']
 
   - repo: https://github.com/renovatebot/pre-commit-hooks
-    rev: 41.159.4
+    rev: 42.6.2
     hooks:
       - id: renovate-config-validator
 
@@ -96,6 +96,6 @@ repos:
           - '--quiet'
 
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.28.0
+    rev: v8.29.0
     hooks:
       - id: gitleaks

docker-build/action.yml

@@ -169,7 +169,7 @@ runs:
         fi
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       with:
         platforms: ${{ inputs.architectures }}
 

docker-publish-gh/action.yml

@@ -153,7 +153,7 @@ runs:
         done
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       with:
         platforms: ${{ inputs.platforms }}
 

docker-publish-hub/action.yml

@@ -157,7 +157,7 @@ runs:
         fi
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       with:
         platforms: ${{ inputs.platforms }}
 

pr-lint/action.yml

@@ -54,6 +54,7 @@ runs:
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         token: ${{ inputs.token || github.token }}
+        ref: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref_name }}
 
         # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to
         # improve performance
@@ -220,7 +221,7 @@ runs:
             contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)
           }}
 
-        GITHUB_TOKEN: ${{ steps.git-config.outputs.token || inputs.token }}
+        GITHUB_TOKEN: ${{ steps.git-config.outputs.token || inputs.token || github.token }}
 
         # Apply linter fixes configuration
         #
@@ -300,7 +301,7 @@ runs:
       id: cpr
       if: env.APPLY_FIXES_IF_PR == 'true'
       with:
-        token: ${{ steps.git-config.outputs.token || inputs.token }}
+        token: ${{ steps.git-config.outputs.token || inputs.token || github.token }}
         commit-message: '[MegaLinter] Apply linters automatic fixes'
         title: '[MegaLinter] Apply linters automatic fixes'
         labels: bot
@@ -322,10 +323,33 @@ runs:
     - name: Prepare commit
       if: env.APPLY_FIXES_IF_COMMIT == 'true'
       shell: bash
+      env:
+        BRANCH_REF: >-
+          ${{
+            github.event.pull_request.head.ref ||
+            github.head_ref ||
+            github.ref_name
+          }}
       run: |
         set -euo pipefail
 
-        sudo chown -Rc $UID .git/
+        # Fix .git directory ownership after MegaLinter container execution
+        sudo chown -Rc "$UID" .git/
+
+        # Ensure we're on the correct branch (not in detached HEAD state)
+        # This is necessary because MegaLinter may leave the repo in a detached HEAD state
+        current_branch=$(git rev-parse --abbrev-ref HEAD)
+        if [ "$current_branch" = "HEAD" ]; then
+          echo "Repository is in detached HEAD state, checking out $BRANCH_REF"
+          # Validate branch reference to prevent command injection
+          if ! git check-ref-format --branch "$BRANCH_REF"; then
+            echo "::error::Invalid branch reference format: $BRANCH_REF"
+            exit 1
+          fi
+          git checkout "$BRANCH_REF"
+        else
+          echo "Repository is on branch: $current_branch"
+        fi
 
     - name: Commit and push applied linter fixes
       uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0