feat(github-action): update ivuorinen/actions (25.4.28 → 25.5.5) (#136)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/renovate.json

@@ -1,33 +1,20 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "github>ivuorinen/renovate-config"
-  ],
+  "extends": ["github>ivuorinen/renovate-config"],
   "packageRules": [
     {
-      "matchUpdateTypes": [
-        "minor",
-        "patch"
-      ],
+      "matchUpdateTypes": ["minor", "patch"],
       "matchCurrentVersion": "!/^0/",
       "automerge": true
     },
     {
-      "matchDepTypes": [
-        "devDependencies"
-      ],
+      "matchDepTypes": ["devDependencies"],
       "automerge": true
     }
   ],
-  "schedule": [
-    "before 4am on monday"
-  ],
+  "schedule": ["before 4am on monday"],
   "vulnerabilityAlerts": {
-    "labels": [
-      "security"
-    ],
-    "assignees": [
-      "ivuorinen"
-    ]
+    "labels": ["security"],
+    "assignees": ["ivuorinen"]
   }
 }

.github/workflows/action-security.yml

@@ -66,7 +66,7 @@ jobs:
 
       - name: Run Gitleaks
         if: steps.check-configs.outputs.run_gitleaks == 'true'
-        uses: gitleaks/gitleaks-action@83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3 # v2.3.7
+        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
@@ -117,21 +117,21 @@ jobs:
 
       - name: Upload Trivy results
         if: steps.verify-sarif.outputs.has_trivy == 'true'
-        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
         with:
           sarif_file: 'trivy-results.sarif'
           category: 'trivy'
 
       - name: Upload Gitleaks results
         if: steps.verify-sarif.outputs.has_gitleaks == 'true'
-        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
         with:
           sarif_file: 'gitleaks-report.sarif'
           category: 'gitleaks'
 
       - name: Archive security reports
         if: always()
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: security-reports-${{ github.run_id }}
           path: |

.github/workflows/codeql.yml

@@ -32,15 +32,15 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/autobuild@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
         with:
           category: '/language:${{matrix.language}}'

.github/workflows/dependency-review.yml

@@ -13,4 +13,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
+        uses: actions/dependency-review-action@38ecb5b593bf0eb19e335c03f97670f792489a8b # v4.7.0

.github/workflows/new-release.yml

@@ -20,10 +20,10 @@ jobs:
       version: ${{ steps.daily-version.outputs.version }}
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Create tag if necessary
-        uses: fregante/daily-version-action@fb1a60b7c4daf1410cd755e360ebec3901e58588 # v2
+        uses: fregante/daily-version-action@fb1a60b7c4daf1410cd755e360ebec3901e58588 # v2.1.3
         id: daily-version
 
       - name: Create changelog text

.github/workflows/pr-lint.yml

@@ -69,7 +69,7 @@ jobs:
 
       - name: MegaLinter
         id: ml
-        uses: oxsecurity/megalinter/flavors/cupcake@ec124f7998718d79379a3c5b39f5359952baf21d # v8.4.2
+        uses: oxsecurity/megalinter/flavors/cupcake@5a91fb06c83d0e69fbd23756d47438aa723b4a5a # v8.7.0
         env:
           PARALLEL: true # Run linters in parallel
           FILTER_REGEX_EXCLUDE: '(\.automation/test|docs/json-schemas|\.github/workflows)'
@@ -103,7 +103,7 @@ jobs:
 
       - name: Upload Reports
         if: always()
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: MegaLinter reports
           path: |
@@ -113,7 +113,7 @@ jobs:
 
       - name: Upload SARIF Report
         if: always() && hashFiles('megalinter-reports/sarif/*.sarif')
-        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
         with:
           sarif_file: megalinter-reports/sarif
           category: megalinter
@@ -133,7 +133,7 @@ jobs:
           env.APPLY_FIXES_MODE == 'pull_request' &&
           (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) &&
           !contains(github.event.head_commit.message, 'skip fix')
-        uses: peter-evans/create-pull-request@dd2324fc52d5d43c699a5636bcf19fceaa70c284 # v7.0.7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         id: cpr
         with:
           token: ${{ secrets.FIXIMUS_TOKEN || secrets.GITHUB_TOKEN }}
@@ -168,7 +168,7 @@ jobs:
           github.ref != 'refs/heads/main' &&
           (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) &&
           !contains(github.event.head_commit.message, 'skip fix')
-        uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
+        uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
         with:
           branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
           commit_message: |

.github/workflows/release.yml

@@ -17,6 +17,6 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
+      - uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         with:
           generate_release_notes: true

.github/workflows/security-suite.yml

@@ -87,12 +87,12 @@ jobs:
             --enableExperimental
             --failOnCVSS 7
       - name: Upload OWASP Results
-        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
         with:
           sarif_file: reports/dependency-check-report.sarif
           category: owasp-dependency-check
       - name: Upload artifact
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: owasp-results
           path: reports/dependency-check-report.sarif
@@ -107,7 +107,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 'lts/*'
           cache: 'npm'
@@ -119,12 +119,12 @@ jobs:
         with:
           args: --all-projects --sarif-file-output=snyk-results.sarif
       - name: Upload Snyk Results
-        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
         with:
           sarif_file: snyk-results.sarif
           category: snyk
       - name: Upload artifact
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: snyk-results
           path: snyk-results.sarif
@@ -146,12 +146,12 @@ jobs:
           results_format: sarif
           publish_results: true
       - name: Upload Scorecard Results
-        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
+        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
         with:
           sarif_file: scorecard-results.sarif
           category: scorecard
       - name: Upload artifact
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: scorecard-results
           path: scorecard-results.sarif
@@ -168,7 +168,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Download scan results
-        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           path: ./results
 
@@ -338,7 +338,7 @@ jobs:
 
       - name: Archive Results
         if: always()
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: security-results
           path: |

.pre-commit-config.yaml

@@ -29,12 +29,12 @@ repos:
         args: [-c, .markdownlint.json, --fix]
 
   - repo: https://github.com/adrienverge/yamllint
-    rev: v1.35.1
+    rev: v1.37.0
     hooks:
       - id: yamllint
 
   - repo: https://github.com/scop/pre-commit-shfmt
-    rev: v3.10.0-2
+    rev: v3.11.0-1
     hooks:
       - id: shfmt
 
@@ -51,12 +51,12 @@ repos:
         args: ['-shellcheck=']
 
   - repo: https://github.com/renovatebot/pre-commit-hooks
-    rev: 39.156.0
+    rev: 39.227.2
     hooks:
       - id: renovate-config-validator
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: '3.2.360'
+    rev: '3.2.400'
     hooks:
       - id: checkov
         args:

ansible-lint-fix/action.yml

@@ -47,6 +47,6 @@ runs:
         fi
 
     - name: Upload SARIF Report
-      uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3
+      uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
       with:
         sarif_file: ansible-lint.sarif

biome-check/action.yml

@@ -12,7 +12,7 @@ runs:
   using: composite
   steps:
     - name: Checkout Repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set Git Config
       uses: ivuorinen/actions/set-git-config@main
@@ -31,6 +31,6 @@ runs:
         biome check . --json > biome-report.json
 
     - name: Upload Biome Results
-      uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3
+      uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
       with:
         sarif_file: biome-report.json

biome-fix/action.yml

@@ -12,7 +12,7 @@ runs:
   using: composite
   steps:
     - name: Checkout Repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set Git Config
       uses: ivuorinen/actions/set-git-config@main
@@ -32,7 +32,7 @@ runs:
 
     - name: Push Fixes
       if: success()
-      uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5
+      uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
       with:
         commit_message: 'style: autofix Biome violations'
         add_options: '-u'

common-cache/action.yml

@@ -95,7 +95,7 @@ runs:
         echo "cache-paths=${cache_paths}" >> $GITHUB_OUTPUT
 
     - id: cache
-      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: ${{ steps.prepare.outputs.cache-paths }}
         key: ${{ steps.prepare.outputs.cache-key }}

compress-images/action.yml

@@ -18,7 +18,7 @@ runs:
       uses: ivuorinen/actions/set-git-config@main
 
     - name: Checkout Repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Compress Images
       id: calibre
@@ -29,7 +29,7 @@ runs:
 
     - name: Create New Pull Request If Needed
       if: steps.calibre.outputs.markdown != ''
-      uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7
+      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
       with:
         title: Compressed Images Nightly
         branch-suffix: timestamp

csharp-build/action.yml

@@ -22,7 +22,7 @@ runs:
         default-version: '7.0'
 
     - name: Setup .NET SDK
-      uses: actions/setup-dotnet@3951f0dfe7a07e2313ec93c75700083e2005cbab # v4
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
       with:
         dotnet-version: '${{ steps.detect-dotnet-version.outputs.dotnet-version }}'
 
@@ -40,7 +40,7 @@ runs:
         dotnet test --configuration Release --no-build --collect:"XPlat Code Coverage" --logger "trx;LogFileName=test-results.trx"
 
     - name: Upload Test Results
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: test-results
         path: |

csharp-lint-check/action.yml

@@ -22,7 +22,7 @@ runs:
         default-version: '7.0'
 
     - name: Setup .NET SDK
-      uses: actions/setup-dotnet@3951f0dfe7a07e2313ec93c75700083e2005cbab # v4
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
       with:
         dotnet-version: '${{ steps.detect-dotnet-version.outputs.dotnet-version }}'
 
@@ -40,6 +40,6 @@ runs:
         fi
 
     - name: Upload SARIF Report
-      uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3
+      uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
       with:
         sarif_file: dotnet-format.sarif

csharp-publish/action.yml

@@ -26,7 +26,7 @@ runs:
         default-version: '7.0'
 
     - name: Setup .NET SDK
-      uses: actions/setup-dotnet@3951f0dfe7a07e2313ec93c75700083e2005cbab # v4
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
       with:
         dotnet-version: '${{ steps.detect-dotnet-version.outputs.dotnet-version }}'
 

docker-build/action.yml

@@ -92,13 +92,13 @@ runs:
         fi
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       with:
         platforms: ${{ inputs.architectures }}
 
     - name: Set up Docker Buildx
       id: buildx
-      uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
       with:
         version: latest
         platforms: ${{ inputs.architectures }}

docker-publish-gh/action.yml

@@ -97,12 +97,12 @@ runs:
         done
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       with:
         platforms: ${{ inputs.platforms }}
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
       with:
         platforms: ${{ inputs.platforms }}
 
@@ -133,7 +133,7 @@ runs:
         echo "tags=${processed_tags}" >> $GITHUB_OUTPUT
 
     - name: Log in to GitHub Container Registry
-      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
       with:
         registry: ${{ inputs.registry }}
         username: ${{ github.actor }}
@@ -141,7 +141,7 @@ runs:
 
     - name: Set up Cosign
       if: inputs.provenance == 'true'
-      uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3
+      uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
 
     - name: Publish Image
       id: publish

docker-publish-hub/action.yml

@@ -105,12 +105,12 @@ runs:
         fi
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       with:
         platforms: ${{ inputs.platforms }}
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
       with:
         platforms: ${{ inputs.platforms }}
 
@@ -144,14 +144,14 @@ runs:
         echo "repo-url=https://hub.docker.com/r/${full_name}" >> $GITHUB_OUTPUT
 
     - name: Log in to Docker Hub
-      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
       with:
         username: ${{ inputs.username }}
         password: ${{ inputs.password }}
 
     - name: Set up Cosign
       if: inputs.provenance == 'true'
-      uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3
+      uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
 
     - name: Update Docker Hub Description
       if: inputs.repository-description != '' || inputs.readme-file != ''

eslint-check/action.yml

@@ -239,7 +239,7 @@ runs:
 
     - name: Upload ESLint Results
       if: always() && inputs.report-format == 'sarif'
-      uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3
+      uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/eslint.sarif
         category: eslint

eslint-fix/action.yml

@@ -12,7 +12,7 @@ runs:
   using: composite
   steps:
     - name: Checkout Repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set Git Config
       uses: ivuorinen/actions/set-git-config@main
@@ -32,7 +32,7 @@ runs:
 
     - name: Push Fixes
       if: always()
-      uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5
+      uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
       with:
         commit_message: 'style: autofix ESLint violations'
         add_options: '-u'

go-build/action.yml

@@ -24,7 +24,7 @@ runs:
       uses: ivuorinen/actions/go-version-detect@main
 
     - name: Setup Go
-      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
         go-version: '${{ steps.detect-go-version.outputs.go-version }}'
 

go-lint/action.yml

@@ -106,7 +106,7 @@ runs:
         done
 
     - name: Setup Go
-      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
         go-version: ${{ inputs.go-version }}
         cache: true
@@ -114,7 +114,7 @@ runs:
     - name: Set up Cache
       id: cache
       if: inputs.cache == 'true'
-      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: |
           ~/.cache/golangci-lint
@@ -266,7 +266,7 @@ runs:
 
     - name: Upload Lint Results
       if: always() && inputs.report-format == 'sarif'
-      uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3
+      uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/golangci-lint.sarif
         category: golangci-lint

node-setup/action.yml

@@ -161,7 +161,7 @@ runs:
 
     - name: Setup Node.js
       id: setup
-      uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: ${{ steps.version.outputs.version }}
         registry-url: ${{ inputs.registry-url }}
@@ -216,7 +216,7 @@ runs:
     - name: Setup Caching
       if: inputs.cache == 'true'
       id: deps-cache
-      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: |
           **/node_modules

php-composer/action.yml

@@ -172,7 +172,7 @@ runs:
 
     - name: Cache Composer packages
       id: composer-cache
-      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       with:
         path: |
           vendor
@@ -238,12 +238,6 @@ runs:
           exit 1
         fi
 
-        # Check for any PHP errors in vendor
-        find vendor -name "*.php" -type f -exec php -l {} \; > /dev/null
-
-        # Verify Composer installation
-        composer validate --no-check-all --strict
-
     - name: Generate Optimized Autoloader
       if: success()
       shell: bash

php-laravel-phpunit/action.yml

@@ -50,11 +50,11 @@ runs:
         extensions: ${{ inputs.extensions }}
         coverage: ${{ inputs.coverage }}
 
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: 'Check file existence'
       id: check_files
-      uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
+      uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0
       with:
         files: 'package.json, artisan'
 

pr-lint/action.yml

@@ -12,9 +12,11 @@ branding:
 runs:
   using: composite
   steps:
-    # Git Checkout
+    #   ╭──────────────────────────────────────────────────────────╮
+    #   │                       Git Checkout                       │
+    #   ╰──────────────────────────────────────────────────────────╯
     - name: Checkout Code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         token: ${{ github.token }}
 
@@ -22,15 +24,108 @@ runs:
         # improve performance
         fetch-depth: 0
 
+    #   ╭──────────────────────────────────────────────────────────╮
+    #   │                 Setup Git configuration                  │
+    #   ╰──────────────────────────────────────────────────────────╯
     - name: Setup Git Config
       id: git-config
-      uses: ivuorinen/actions/set-git-config@main
+      uses: ivuorinen/actions/set-git-config@2be873ebc893ab669d11d1848e5bddfe1cb9f828 # 25.5.5
 
-    # MegaLinter
+    #   ╭──────────────────────────────────────────────────────────╮
+    #   │               Install packages for linting               │
+    #   ╰──────────────────────────────────────────────────────────╯
+
+    # Node.js tests if package.json exists
+    - name: Detect package.json
+      id: detect-node
+      shell: bash
+      run: |
+        if [ -f package.json ]; then
+          echo "found=true" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Setup Node.js and run tests
+      if: steps.detect-node.outputs.found == 'true'
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        cache: 'npm'
+
+    - name: Install Node.js dependencies
+      if: steps.detect-node.outputs.found == 'true'
+      shell: bash
+      run: npm ci
+
+    # PHP tests if composer.json exists
+    - name: Detect composer.json
+      id: detect-php
+      shell: bash
+      run: |
+        if [ -f composer.json ]; then
+          echo "found=true" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Setup PHP
+      if: steps.detect-php.outputs.found == 'true'
+      uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # master
+      with:
+        tools: composer
+        coverage: none
+      env:
+        GITHUB_TOKEN: ${{ github.token }}
+
+    - name: Setup problem matchers for PHP
+      if: steps.detect-php.outputs.found == 'true'
+      shell: bash
+      run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
+
+    - name: Install PHP dependencies
+      if: steps.detect-php.outputs.found == 'true'
+      shell: bash
+      run: composer install --no-progress --prefer-dist --no-interaction
+
+    # Python tests if requirements.txt exists
+    - name: Detect requirements.txt
+      id: detect-python
+      shell: bash
+      run: |
+        if [ -f requirements.txt ]; then
+          echo "found=true" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Setup Python
+      if: steps.detect-python.outputs.found == 'true'
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        cache: 'pip'
+
+    - name: Install Python dependencies
+      if: steps.detect-python.outputs.found == 'true'
+      shell: bash
+      run: pip install -r requirements.txt
+
+    # Go tests if go.mod exists
+    - name: Detect go.mod
+      id: detect-go
+      shell: bash
+      run: |
+        if [ -f go.mod ]; then
+          echo "found=true" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Setup Go
+      if: steps.detect-go.outputs.found == 'true'
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      with:
+        go-version-file: 'go.mod'
+        cache: true
+
+    #   ╭──────────────────────────────────────────────────────────╮
+    #   │                        MegaLinter                        │
+    #   ╰──────────────────────────────────────────────────────────╯
     - name: MegaLinter
       # You can override MegaLinter flavor used to have faster performances
       # More info at https://megalinter.io/latest/flavors/
-      uses: oxsecurity/megalinter@ec124f7998718d79379a3c5b39f5359952baf21d # v8
+      uses: oxsecurity/megalinter/flavors/cupcake@5a91fb06c83d0e69fbd23756d47438aa723b4a5a # v8.7.0
       id: ml
 
       # All available variables are described in documentation
@@ -79,7 +174,7 @@ runs:
     # Upload MegaLinter artifacts
     - name: Archive production artifacts
       if: success() || failure()
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: MegaLinter reports
         include-hidden-files: 'true'
@@ -120,7 +215,7 @@ runs:
     # Create pull request if applicable
     # (for now works only on PR from same repository, not from forks)
     - name: Create Pull Request with applied fixes
-      uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7
+      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
       id: cpr
       if: env.APPLY_FIXES_IF_PR == 'true'
       with:
@@ -144,7 +239,7 @@ runs:
       run: sudo chown -Rc $UID .git/
 
     - name: Commit and push applied linter fixes
-      uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5
+      uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
       if: env.APPLY_FIXES_IF_COMMIT == 'true'
       with:
         branch: >-

pre-commit/action.yml

@@ -56,7 +56,7 @@ runs:
 
     - name: Push pre-commit fixes
       if: always() # Push changes even when pre-commit fails
-      uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5
+      uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
       with:
         commit_message: 'style(pre-commit): autofix'
         add_options: -u

prettier-check/action.yml

@@ -102,7 +102,7 @@ runs:
 
     - name: Set up Cache
       id: cache
-      uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       if: inputs.cache == 'true'
       with:
         path: |
@@ -305,7 +305,7 @@ runs:
 
     - name: Upload Prettier Results
       if: always() && inputs.report-format == 'sarif'
-      uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3
+      uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/prettier.sarif
         category: prettier

prettier-fix/action.yml

@@ -12,7 +12,7 @@ runs:
   using: 'composite'
   steps:
     - name: Checkout Repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set Git Config
       uses: ivuorinen/actions/set-git-config@main
@@ -32,7 +32,7 @@ runs:
 
     - name: Push Fixes
       if: always()
-      uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5
+      uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
       with:
         commit_message: 'style: autofix Prettier violations'
         add_options: '-u'

python-lint-fix/action.yml

@@ -49,7 +49,7 @@ runs:
   using: composite
   steps:
     - name: Setup Python
-      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       with:
         python-version: ${{ inputs.python-version }}
         cache: 'pip'
@@ -213,7 +213,7 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.result == 'found'
-      uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3
+      uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/flake8.sarif
         category: 'python-lint'

release-monthly/action.yml

@@ -62,7 +62,7 @@ runs:
         fi
 
     - name: Checkout Repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0 # Fetch all history for tag comparison
 

run.sh

@@ -78,7 +78,8 @@ find . -mindepth 1 -maxdepth 1 -type d | while read -r dir; do
       echo "- ⏩ Skipping $dir - action.yml missing"
     fi
   ) || {
-    echo "- ⚠️ Warning: Error processing directory $dir" | tee -a "$log_file"
+    echo "- ⚠️ Warning: Error processing directory $dir" |
+      tee -a "$log_file"
   }
   echo ""
 done
@@ -106,7 +107,7 @@ fi
 echo ""
 
 echo "🔎 Running MegaLinter..."
-if ! npx --yes mega-linter-runner; then
+if ! npx --yes mega-linter-runner --flavor cupcake --fix --remove-container --container-name cupcake; then
   echo "- ⚠️ Warning: MegaLinter found issues" | tee -a "$log_file"
 fi
 echo ""

terraform-lint-fix/action.yml

@@ -82,7 +82,7 @@ runs:
 
     - name: Setup Terraform
       if: steps.check-files.outputs.found == 'true'
-      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
+      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
       with:
         terraform_version: ${{ inputs.terraform-version }}
         terraform_wrapper: false
@@ -225,7 +225,7 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.found == 'true' && inputs.format == 'sarif'
-      uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3
+      uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/tflint.sarif
         category: terraform-lint