chore(deps): update actions/dependency-review-action action (v4.7.3 → v4.8.0) (#276)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/workflows/action-security.yml

@@ -35,7 +35,7 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
 
@@ -58,7 +58,7 @@ jobs:
           fi
 
       - name: Run actionlint
-        uses: raven-actions/actionlint@01fce4f43a270a612932cb1c64d40505a029f821 # v2.0.0
+        uses: raven-actions/actionlint@3a24062651993d40fed1019b58ac6fbdfbf276cc # v2.0.1
         with:
           cache: true
           fail-on-error: true
@@ -117,14 +117,14 @@ jobs:
 
       - name: Upload Trivy results
         if: steps.verify-sarif.outputs.has_trivy == 'true'
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           sarif_file: 'trivy-results.sarif'
           category: 'trivy'
 
       - name: Upload Gitleaks results
         if: steps.verify-sarif.outputs.has_gitleaks == 'true'
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           sarif_file: 'gitleaks-report.sarif'
           category: 'gitleaks'
@@ -141,7 +141,7 @@ jobs:
 
       - name: Analyze Results
         if: always()
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const fs = require('fs');
@@ -232,7 +232,7 @@ jobs:
 
       - name: Notify on Critical Issues
         if: failure()
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const { repo, owner } = context.repo;

.github/workflows/codeql.yml

@@ -25,22 +25,22 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ['javascript'] # Add languages used in your actions
+        language: ['actions', 'javascript'] # Add languages used in your actions
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/autobuild@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           category: '/language:${{matrix.language}}'

.github/workflows/dependency-review.yml

@@ -11,6 +11,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
+        uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0

.github/workflows/new-release.yml

@@ -20,7 +20,7 @@ jobs:
       version: ${{ steps.daily-version.outputs.version }}
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Create tag if necessary
         uses: fregante/daily-version-action@fb1a60b7c4daf1410cd755e360ebec3901e58588 # v2.1.3
@@ -36,7 +36,7 @@ jobs:
 
       - name: Create release
         if: steps.daily-version.outputs.created
-        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
+        uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/pr-lint.yml

@@ -62,28 +62,14 @@ jobs:
 
     steps:
       - name: Checkout Code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           token: ${{ secrets.FIXIMUS_TOKEN || secrets.GITHUB_TOKEN }}
           fetch-depth: 0
 
       - name: MegaLinter
         id: ml
-        uses: oxsecurity/megalinter/flavors/cupcake@5a91fb06c83d0e69fbd23756d47438aa723b4a5a # v8.7.0
-        env:
-          PARALLEL: true # Run linters in parallel
-          FILTER_REGEX_EXCLUDE: '(\.automation/test|docs/json-schemas|\.github/workflows)'
-
-          # Error configuration
-          ERROR_ON_MISSING_EXEC_BIT: true
-          CLEAR_REPORT_FOLDER: true
-          PRINT_ALPACA: false
-          SHOW_ELAPSED_TIME: true
-
-          # File configuration
-          YAML_YAMLLINT_CONFIG_FILE: .yamllint.yml
-          YAML_PRETTIER_CONFIG_FILE: .prettierrc.yml
-          YAML_YAMLLINT_FILTER_REGEX_EXCLUDE: '(\.automation/test|docs/json-schemas|\.github/workflows)'
+        uses: oxsecurity/megalinter/flavors/cupcake@0dcbedd66ea456ba2d54fd350affaa15df8a0da3 # v9.0.1
 
       - name: Check MegaLinter Results
         id: check-results
@@ -113,7 +99,7 @@ jobs:
 
       - name: Upload SARIF Report
         if: always() && hashFiles('megalinter-reports/sarif/*.sarif')
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           sarif_file: megalinter-reports/sarif
           category: megalinter
@@ -168,7 +154,7 @@ jobs:
           github.ref != 'refs/heads/main' &&
           (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) &&
           !contains(github.event.head_commit.message, 'skip fix')
-        uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
+        uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
         with:
           branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
           commit_message: |
@@ -181,7 +167,7 @@ jobs:
 
       - name: Create Status Check
         if: always()
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const status = '${{ steps.check-results.outputs.status }}';

.github/workflows/release.yml

@@ -16,7 +16,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2.3.3
         with:
           generate_release_notes: true

.github/workflows/security-suite.yml

@@ -74,7 +74,7 @@ jobs:
       security-events: write
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run OWASP Dependency Check
         uses: dependency-check/Dependency-Check_Action@3102a65fd5f36d0000297576acc56a475b0de98d # main
         with:
@@ -87,7 +87,7 @@ jobs:
             --enableExperimental
             --failOnCVSS 7
       - name: Upload OWASP Results
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           sarif_file: reports/dependency-check-report.sarif
           category: owasp-dependency-check
@@ -106,8 +106,8 @@ jobs:
       security-events: write
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: 'lts/*'
           cache: 'npm'
@@ -119,7 +119,7 @@ jobs:
         with:
           args: --all-projects --sarif-file-output=snyk-results.sarif
       - name: Upload Snyk Results
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           sarif_file: snyk-results.sarif
           category: snyk
@@ -138,7 +138,7 @@ jobs:
       id-token: write
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Run Scorecard
         uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
         with:
@@ -146,7 +146,7 @@ jobs:
           results_format: sarif
           publish_results: true
       - name: Upload Scorecard Results
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           sarif_file: scorecard-results.sarif
           category: scorecard
@@ -165,16 +165,16 @@ jobs:
       issues: write
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Download scan results
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           path: ./results
 
       - name: Analyze Results
         id: analysis
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const fs = require('fs');
@@ -249,7 +249,7 @@ jobs:
 
       - name: Generate Reports
         if: always()
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const fs = require('fs');

.github/workflows/stale.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: 🚀 Run stale
-        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           days-before-stale: 30

.github/workflows/sync-labels.yml

@@ -35,6 +35,6 @@ jobs:
 
     steps:
       - name: ⤵️ Checkout Repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: ⤵️ Sync Latest Labels Definitions
         uses: ./sync-labels

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 ---
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: requirements-txt-fixer
       - id: detect-private-key
@@ -23,13 +23,13 @@ repos:
         args: [--autofix, --no-sort-keys]
 
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.44.0
+    rev: v0.45.0
     hooks:
       - id: markdownlint
         args: [-c, .markdownlint.json, --fix]
 
   - repo: https://github.com/adrienverge/yamllint
-    rev: v1.37.0
+    rev: v1.37.1
     hooks:
       - id: yamllint
 
@@ -39,7 +39,7 @@ repos:
       - id: shfmt
 
   - repo: https://github.com/koalaman/shellcheck-precommit
-    rev: v0.10.0
+    rev: v0.11.0
     hooks:
       - id: shellcheck
         args: ['--severity=warning']
@@ -51,12 +51,12 @@ repos:
         args: ['-shellcheck=']
 
   - repo: https://github.com/renovatebot/pre-commit-hooks
-    rev: 39.227.2
+    rev: 41.132.5
     hooks:
       - id: renovate-config-validator
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: '3.2.400'
+    rev: '3.2.473'
     hooks:
       - id: checkov
         args:

README.md

@@ -2,14 +2,20 @@
 
 ## Overview
 
-This project contains a collection of workflows and composable actions to streamline CI/CD
-processes and ensure code quality. Below is a categorized list of all workflows, grouped by their types.
+This project contains a collection of workflows and composable actions to streamline CI/CD processes and ensure code quality. The actions are grouped by purpose for easier discovery.
 
-## Testing Workflows
+## Setup & Caching
 
-- [PHP Tests][php-tests]: Runs PHPUnit tests to ensure PHP code correctness.
+- [Node Setup][node-setup]: Sets up Node.js with caching and tooling.
+- [PHP Composer][php-composer]: Installs PHP dependencies using Composer.
+- [Dotnet Version Detect][dotnet-v-detect]: Detects the required .NET version from `global.json`.
+- [Go Version Detect][go-version-detect]: Detects the required Go version from configuration files.
+- [Common Cache][common-cache]: Provides a consistent caching strategy for multiple languages.
+- [Set Git Config][set-git-config]: Configures Git user information for automated commits.
 
-## Linting and Formatting Workflows
+## Linting & Formatting
+
+### Code Linting
 
 - [Ansible Lint and Fix][ansible-lint-fix]: Lints and fixes Ansible playbooks and roles.
 - [Biome Check][biome-check]: Runs Biome to lint multiple languages and formats.
@@ -18,40 +24,46 @@ processes and ensure code quality. Below is a categorized list of all workflows,
 - [ESLint Check][eslint-check]: Runs ESLint to check for code style violations.
 - [ESLint Fix][eslint-fix]: Automatically fixes code style issues with ESLint.
 - [Go Lint Check][go-lint]: Lints Go code using `golangci-lint`.
+- [PR Lint][pr-lint]: Runs MegaLinter against pull requests.
+- [Python Lint and Fix][python-lint-fix]: Lints and fixes Python code using `flake8` and `black`.
+- [Terraform Lint and Fix][terraform-lint-fix]: Lints and fixes Terraform configurations.
+
+### Code Formatting
+
 - [Prettier Check][prettier-check]: Checks code formatting using Prettier.
 - [Prettier Fix][prettier-fix]: Automatically fixes code formatting with Prettier.
-- [Python Lint and Fix][python-lint-fix]: Lints and fixes Python code using `flake8` and `black`.
-- [Terraform Lint and Fix][terraform-lint-fix]: Lints and fixes Terraform
-  configurations.
+- [Pre-Commit][pre-commit]: Runs `pre-commit` hooks to enforce code quality standards.
 
-## Build Workflows
+## Testing
+
+- [PHP Tests][php-tests]: Runs PHPUnit tests to ensure PHP code correctness.
+- [Laravel PHPUnit][php-laravel-phpunit]: Sets up Laravel and runs Composer tests.
+
+## Build & Package
 
 - [C# Build][csharp-build]: Builds C# projects using the .NET SDK.
-- [Docker Build][docker-build]: Builds Docker images using a Dockerfile.
 - [Go Build][go-build]: Builds Go projects using the `go build` command.
+- [Docker Build][docker-build]: Builds Docker images using a Dockerfile.
 
-## Deployment Workflows
+## Publish & Deployment
 
 - [C# Publish][csharp-publish]: Publishes .NET projects to an output directory.
+- [Docker Publish][docker-publish]: Publishes Docker images to GitHub Packages and Docker Hub.
 - [Docker Publish to Docker Hub][docker-publish-hub]: Publishes Docker images to Docker Hub.
 - [Docker Publish to GitHub Packages][docker-publish-gh]: Publishes Docker images to GitHub's Container Registry.
 - [Publish to NPM][npm-publish]: Publishes packages to the NPM registry.
 
-## Release Workflows
+## Release Management
 
 - [GitHub Release][github-release]: Automates GitHub release creation with custom tags and notes.
 - [Release Monthly][release-monthly]: Creates a monthly GitHub release with autogenerated notes.
 
-## Utility Workflows
+## Repository Maintenance
 
 - [Common File Check][common-file-check]: Checks for the presence of specific files based on a glob pattern.
 - [Compress Images][compress-images]: Optimizes and creates a pull request with compressed images.
-- [Dotnet Version Detect][dotnet-v-detect]: Detects the required .NET version from `global.json`.
-- [Go Version Detect][go-version-detect]: Detects the required Go version from configuration files.
-- [Node Setup][node-setup]: Sets up a Node.js environment for workflows.
-- [PHP Composer][php-composer]: Installs PHP dependencies using Composer.
-- [Pre-Commit][pre-commit]: Runs `pre-commit` hooks to enforce code quality standards.
-- [Set Git Config][set-git-config]: Configures Git user information for automated commits.
+- [Stale][stale]: Closes stale issues and pull requests automatically.
+- [Sync Labels][sync-labels]: Syncs repository labels from a YAML file.
 
 ## License
 
@@ -60,12 +72,14 @@ This project is licensed under the MIT License. See the [LICENSE](LICENSE.md) fi
 [ansible-lint-fix]: ansible-lint-fix/README.md
 [biome-check]: biome-check/README.md
 [biome-fix]: biome-fix/README.md
+[common-cache]: common-cache/README.md
 [common-file-check]: common-file-check/README.md
 [compress-images]: compress-images/README.md
 [csharp-build]: csharp-build/README.md
 [csharp-lint-check]: csharp-lint-check/README.md
 [csharp-publish]: csharp-publish/README.md
 [docker-build]: docker-build/README.md
+[docker-publish]: docker-publish/README.md
 [docker-publish-gh]: docker-publish-gh/README.md
 [docker-publish-hub]: docker-publish-hub/README.md
 [dotnet-v-detect]: dotnet-version-detect/README.md
@@ -78,11 +92,15 @@ This project is licensed under the MIT License. See the [LICENSE](LICENSE.md) fi
 [node-setup]: node-setup/README.md
 [npm-publish]: npm-publish/README.md
 [php-composer]: php-composer/README.md
+[php-laravel-phpunit]: php-laravel-phpunit/README.md
 [php-tests]: php-tests/README.md
+[pr-lint]: pr-lint/README.md
 [pre-commit]: pre-commit/README.md
 [prettier-check]: prettier-check/README.md
 [prettier-fix]: prettier-fix/README.md
 [python-lint-fix]: python-lint-fix/README.md
 [release-monthly]: release-monthly/README.md
 [set-git-config]: set-git-config/README.md
+[stale]: stale/README.md
+[sync-labels]: sync-labels/README.md
 [terraform-lint-fix]: terraform-lint-fix/README.md

ansible-lint-fix/action.yml

@@ -47,6 +47,6 @@ runs:
         fi
 
     - name: Upload SARIF Report
-      uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+      uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
       with:
         sarif_file: ansible-lint.sarif

biome-check/action.yml

@@ -12,7 +12,7 @@ runs:
   using: composite
   steps:
     - name: Checkout Repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: Set Git Config
       uses: ivuorinen/actions/set-git-config@main
@@ -31,6 +31,6 @@ runs:
         biome check . --json > biome-report.json
 
     - name: Upload Biome Results
-      uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+      uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
       with:
         sarif_file: biome-report.json

biome-fix/action.yml

@@ -12,7 +12,7 @@ runs:
   using: composite
   steps:
     - name: Checkout Repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: Set Git Config
       uses: ivuorinen/actions/set-git-config@main
@@ -32,7 +32,7 @@ runs:
 
     - name: Push Fixes
       if: success()
-      uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
+      uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
       with:
         commit_message: 'style: autofix Biome violations'
         add_options: '-u'

common-cache/action.yml

@@ -95,7 +95,7 @@ runs:
         echo "cache-paths=${cache_paths}" >> $GITHUB_OUTPUT
 
     - id: cache
-      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: ${{ steps.prepare.outputs.cache-paths }}
         key: ${{ steps.prepare.outputs.cache-key }}

compress-images/action.yml

@@ -18,7 +18,7 @@ runs:
       uses: ivuorinen/actions/set-git-config@main
 
     - name: Checkout Repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: Compress Images
       id: calibre

csharp-build/action.yml

@@ -22,7 +22,7 @@ runs:
         default-version: '7.0'
 
     - name: Setup .NET SDK
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: '${{ steps.detect-dotnet-version.outputs.dotnet-version }}'
 

csharp-lint-check/action.yml

@@ -22,7 +22,7 @@ runs:
         default-version: '7.0'
 
     - name: Setup .NET SDK
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: '${{ steps.detect-dotnet-version.outputs.dotnet-version }}'
 
@@ -40,6 +40,6 @@ runs:
         fi
 
     - name: Upload SARIF Report
-      uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+      uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
       with:
         sarif_file: dotnet-format.sarif

csharp-publish/action.yml

@@ -26,7 +26,7 @@ runs:
         default-version: '7.0'
 
     - name: Setup .NET SDK
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: '${{ steps.detect-dotnet-version.outputs.dotnet-version }}'
 

docker-build/action.yml

@@ -98,7 +98,7 @@ runs:
 
     - name: Set up Docker Buildx
       id: buildx
-      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       with:
         version: latest
         platforms: ${{ inputs.architectures }}

docker-publish-gh/action.yml

@@ -102,7 +102,7 @@ runs:
         platforms: ${{ inputs.platforms }}
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       with:
         platforms: ${{ inputs.platforms }}
 
@@ -133,7 +133,7 @@ runs:
         echo "tags=${processed_tags}" >> $GITHUB_OUTPUT
 
     - name: Log in to GitHub Container Registry
-      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
       with:
         registry: ${{ inputs.registry }}
         username: ${{ github.actor }}
@@ -141,7 +141,7 @@ runs:
 
     - name: Set up Cosign
       if: inputs.provenance == 'true'
-      uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+      uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
 
     - name: Publish Image
       id: publish

docker-publish-hub/action.yml

@@ -110,7 +110,7 @@ runs:
         platforms: ${{ inputs.platforms }}
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       with:
         platforms: ${{ inputs.platforms }}
 
@@ -144,14 +144,14 @@ runs:
         echo "repo-url=https://hub.docker.com/r/${full_name}" >> $GITHUB_OUTPUT
 
     - name: Log in to Docker Hub
-      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
       with:
         username: ${{ inputs.username }}
         password: ${{ inputs.password }}
 
     - name: Set up Cosign
       if: inputs.provenance == 'true'
-      uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+      uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
 
     - name: Update Docker Hub Description
       if: inputs.repository-description != '' || inputs.readme-file != ''

eslint-check/action.yml

@@ -239,7 +239,7 @@ runs:
 
     - name: Upload ESLint Results
       if: always() && inputs.report-format == 'sarif'
-      uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+      uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/eslint.sarif
         category: eslint

eslint-fix/action.yml

@@ -12,7 +12,7 @@ runs:
   using: composite
   steps:
     - name: Checkout Repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: Set Git Config
       uses: ivuorinen/actions/set-git-config@main
@@ -32,7 +32,7 @@ runs:
 
     - name: Push Fixes
       if: always()
-      uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
+      uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
       with:
         commit_message: 'style: autofix ESLint violations'
         add_options: '-u'

go-build/action.yml

@@ -24,7 +24,7 @@ runs:
       uses: ivuorinen/actions/go-version-detect@main
 
     - name: Setup Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
         go-version: '${{ steps.detect-go-version.outputs.go-version }}'
 

go-lint/action.yml

@@ -106,7 +106,7 @@ runs:
         done
 
     - name: Setup Go
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
         go-version: ${{ inputs.go-version }}
         cache: true
@@ -114,7 +114,7 @@ runs:
     - name: Set up Cache
       id: cache
       if: inputs.cache == 'true'
-      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: |
           ~/.cache/golangci-lint
@@ -266,7 +266,7 @@ runs:
 
     - name: Upload Lint Results
       if: always() && inputs.report-format == 'sarif'
-      uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+      uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/golangci-lint.sarif
         category: golangci-lint

node-setup/action.yml

@@ -161,7 +161,7 @@ runs:
 
     - name: Setup Node.js
       id: setup
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
         node-version: ${{ steps.version.outputs.version }}
         registry-url: ${{ inputs.registry-url }}
@@ -216,7 +216,7 @@ runs:
     - name: Setup Caching
       if: inputs.cache == 'true'
       id: deps-cache
-      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: |
           **/node_modules

php-composer/action.yml

@@ -172,7 +172,7 @@ runs:
 
     - name: Cache Composer packages
       id: composer-cache
-      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: |
           vendor

php-laravel-phpunit/action.yml

@@ -50,7 +50,7 @@ runs:
         extensions: ${{ inputs.extensions }}
         coverage: ${{ inputs.coverage }}
 
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: 'Check file existence'
       id: check_files

pr-lint/action.yml

@@ -16,7 +16,7 @@ runs:
     #   │                       Git Checkout                       │
     #   ╰──────────────────────────────────────────────────────────╯
     - name: Checkout Code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         token: ${{ github.token }}
 
@@ -29,7 +29,7 @@ runs:
     #   ╰──────────────────────────────────────────────────────────╯
     - name: Setup Git Config
       id: git-config
-      uses: ivuorinen/actions/set-git-config@baed29f713eaa0817982be42681e66511cb092b5 # 25.5.26
+      uses: ivuorinen/actions/set-git-config@4a3c30ccebee01186fd6a6e7e7b6e1fb07b81289 # 25.9.21
 
     #   ╭──────────────────────────────────────────────────────────╮
     #   │               Install packages for linting               │
@@ -46,14 +46,26 @@ runs:
 
     - name: Setup Node.js and run tests
       if: steps.detect-node.outputs.found == 'true'
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
-      with:
-        cache: 'npm'
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
 
     - name: Install Node.js dependencies
       if: steps.detect-node.outputs.found == 'true'
       shell: bash
-      run: npm ci
+      run: |
+        if [ -f pnpm-lock.yaml ]; then
+          npm install -g pnpm
+          pnpm install
+        elif [ -f yarn.lock ]; then
+          npm install -g yarn
+          yarn install
+        elif [ -f package-lock.json ]; then
+          if ! npm ci; then
+            echo "::warning ::npm ci failed – falling back to npm install (lockfile drift?)"
+            npm install
+          fi
+        else
+          echo "No supported lockfile found, skipping Node.js dependencies installation."
+        fi
 
     # PHP tests if composer.json exists
     - name: Detect composer.json
@@ -94,7 +106,7 @@ runs:
 
     - name: Setup Python
       if: steps.detect-python.outputs.found == 'true'
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         cache: 'pip'
 
@@ -114,7 +126,7 @@ runs:
 
     - name: Setup Go
       if: steps.detect-go.outputs.found == 'true'
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
       with:
         go-version-file: 'go.mod'
         cache: true
@@ -125,7 +137,7 @@ runs:
     - name: MegaLinter
       # You can override MegaLinter flavor used to have faster performances
       # More info at https://megalinter.io/latest/flavors/
-      uses: oxsecurity/megalinter/flavors/cupcake@5a91fb06c83d0e69fbd23756d47438aa723b4a5a # v8.7.0
+      uses: oxsecurity/megalinter/flavors/cupcake@0dcbedd66ea456ba2d54fd350affaa15df8a0da3 # v9.0.1
       id: ml
 
       # All available variables are described in documentation
@@ -239,7 +251,7 @@ runs:
       run: sudo chown -Rc $UID .git/
 
     - name: Commit and push applied linter fixes
-      uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
+      uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
       if: env.APPLY_FIXES_IF_COMMIT == 'true'
       with:
         branch: >-

pre-commit/action.yml

@@ -56,7 +56,7 @@ runs:
 
     - name: Push pre-commit fixes
       if: always() # Push changes even when pre-commit fails
-      uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
+      uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
       with:
         commit_message: 'style(pre-commit): autofix'
         add_options: -u

prettier-check/action.yml

@@ -102,7 +102,7 @@ runs:
 
     - name: Set up Cache
       id: cache
-      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       if: inputs.cache == 'true'
       with:
         path: |
@@ -305,7 +305,7 @@ runs:
 
     - name: Upload Prettier Results
       if: always() && inputs.report-format == 'sarif'
-      uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+      uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/prettier.sarif
         category: prettier

prettier-fix/action.yml

@@ -12,7 +12,7 @@ runs:
   using: 'composite'
   steps:
     - name: Checkout Repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: Set Git Config
       uses: ivuorinen/actions/set-git-config@main
@@ -32,7 +32,7 @@ runs:
 
     - name: Push Fixes
       if: always()
-      uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
+      uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1
       with:
         commit_message: 'style: autofix Prettier violations'
         add_options: '-u'

python-lint-fix/action.yml

@@ -49,7 +49,7 @@ runs:
   using: composite
   steps:
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ inputs.python-version }}
         cache: 'pip'
@@ -213,7 +213,7 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.result == 'found'
-      uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+      uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/flake8.sarif
         category: 'python-lint'

release-monthly/action.yml

@@ -62,7 +62,7 @@ runs:
         fi
 
     - name: Checkout Repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         fetch-depth: 0 # Fetch all history for tag comparison
 

stale/action.yml

@@ -11,7 +11,7 @@ runs:
   using: composite
   steps:
     - name: 🚀 Run stale
-      uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+      uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
       with:
         repo-token: ${{ github.token }}
         days-before-stale: 30

terraform-lint-fix/action.yml

@@ -225,7 +225,7 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.found == 'true' && inputs.format == 'sarif'
-      uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+      uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/tflint.sarif
         category: terraform-lint