chore(deps): update actions/setup-dotnet action (v5.1.0 → v5.2.0)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
fix: harden workflow permissions with deny-all top-level and least-privilege job scopes (#482 )
2026-03-06 03:55:16 +00:00 · 2026-03-06 00:47:05 +00:00 · 2026-03-06 02:44:56 +02:00 · 2026-03-06 02:41:33 +02:00 · 2026-03-05 22:41:05 +02:00 · 2026-03-05 22:26:51 +02:00
27 changed files with 64 additions and 67 deletions
--- a/.github/workflows/action-security.yml
+++ b/.github/workflows/action-security.yml
@@ -17,10 +17,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions:
-  contents: read
-  actions: read
-  pull-requests: read
+permissions: {}

 jobs:
  analyze:
@@ -29,6 +26,9 @@ jobs:
    timeout-minutes: 30

    permissions:
+      contents: read
+      actions: read
+      pull-requests: read
      security-events: write
      statuses: write
      issues: write
--- a/.github/workflows/build-testing-image.yml
+++ b/.github/workflows/build-testing-image.yml
@@ -23,25 +23,26 @@ on:
        default: 'latest'
        type: string

-permissions:
-  contents: read
-  packages: write
+permissions: {}

 jobs:
  build-and-push:
    name: Build and Push Testing Image
    runs-on: ubuntu-latest
    timeout-minutes: 20
+    permissions:
+      contents: read
+      packages: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
--- a/.github/workflows/codeql-new.yml
+++ b/.github/workflows/codeql-new.yml
@@ -13,17 +13,16 @@ on:
    - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
  merge_group:

-permissions:
-  actions: read
-  contents: read
+permissions: {}

 jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
-      security-events: write
+      actions: read
      contents: read
+      security-events: write

    strategy:
      fail-fast: false
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -4,12 +4,13 @@ name: 'Dependency Review'
 on:
  - pull_request

-permissions:
-  contents: read
+permissions: {}

 jobs:
  dependency-review:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
--- a/.github/workflows/issue-stats.yml
+++ b/.github/workflows/issue-stats.yml
@@ -5,8 +5,7 @@ on:
  schedule:
    - cron: '3 2 1 * *'

-permissions:
-  contents: read
+permissions: {}

 jobs:
  build:
@@ -30,7 +29,7 @@ jobs:
          echo "last_month=$first_day..$last_day" >> "$GITHUB_ENV"

      - name: Run issue-metrics tool
-        uses: github/issue-metrics@67526e7bd8100b870f10b1c120780a8375777b43 # v3.25.5
+        uses: github/issue-metrics@41a7961f701cc64490f32e143af8ef479b93e87d # v4.1.0
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SEARCH_QUERY: 'repo:ivuorinen/actions is:issue created:${{ env.last_month }} -reason:"not planned"'
--- a/.github/workflows/new-release.yml
+++ b/.github/workflows/new-release.yml
@@ -6,7 +6,7 @@ on:
  schedule:
    - cron: '0 21 * * *' # 00:00 at Europe/Helsinki

-permissions: read-all
+permissions: {}

 jobs:
  new-daily-release:
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -37,9 +37,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions:
-  contents: read
-  packages: read # Required for private dependencies
+permissions: {}

 jobs:
  megalinter:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,8 +7,7 @@ on:
    tags:
      - 'v*'

-permissions:
-  contents: read
+permissions: {}

 jobs:
  release:
--- a/.github/workflows/security-suite.yml
+++ b/.github/workflows/security-suite.yml
@@ -18,11 +18,7 @@ on:
      - '**/*.yaml'
      - '.github/workflows/**'

-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
-  actions: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -32,6 +28,11 @@ jobs:
  security-analysis:
    name: Security Analysis
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      actions: read

    steps:
      - name: Checkout PR
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,10 +8,7 @@ on:
  workflow_call:
  workflow_dispatch:

-permissions:
-  contents: read
-  packages: read
-  statuses: read
+permissions: {}

 jobs:
  stale:
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -22,7 +22,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: read-all
+permissions: {}

 jobs:
  labels:
@@ -31,6 +31,7 @@ jobs:
    timeout-minutes: 10

    permissions:
+      contents: read
      issues: write

    steps:
--- a/.github/workflows/version-maintenance.yml
+++ b/.github/workflows/version-maintenance.yml
@@ -12,15 +12,16 @@ on:
        required: false
        type: string

-permissions:
-  contents: write
-  pull-requests: write
-  issues: write
+permissions: {}

 jobs:
  check-and-update:
    name: Check Version References
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write

    steps:
      - name: Checkout Repository
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -14,7 +14,7 @@ repos:
        types: [markdown, python, yaml]
        files: ^(docs/.*|README\.md|CONTRIBUTING\.md|CHANGELOG\.md|.*\.py|.*\.ya?ml)$
  - repo: https://github.com/astral-sh/uv-pre-commit
-    rev: 0.10.5
+    rev: 0.10.7
    hooks:
      - id: uv-lock
      - id: uv-sync
@@ -55,7 +55,7 @@ repos:
      - id: yamllint

  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.2
+    rev: v0.15.4
    hooks:
      # Run the linter with auto-fix
      - id: ruff-check
@@ -84,7 +84,7 @@ repos:
        args: ['-shellcheck=']

  - repo: https://github.com/bridgecrewio/checkov.git
-    rev: '3.2.506'
+    rev: '3.2.507'
    hooks:
      - id: checkov
        args:
--- a/ansible-lint-fix/action.yml
+++ b/ansible-lint-fix/action.yml
@@ -45,7 +45,7 @@ runs:
  steps:
    - name: Validate Inputs
      id: validate
-      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
      with:
        action-type: 'ansible-lint-fix'
        token: ${{ inputs.token }}
--- a/codeql-analysis/action.yml
+++ b/codeql-analysis/action.yml
@@ -107,7 +107,7 @@ runs:
  using: composite
  steps:
    - name: Validate inputs
-      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
      with:
        action-type: codeql-analysis
        language: ${{ inputs.language }}
--- a/csharp-build/action.yml
+++ b/csharp-build/action.yml
@@ -148,7 +148,7 @@ runs:
        echo "Final detected .NET version: $detected_version" >&2

    - name: Setup .NET SDK
-      uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
+      uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
      with:
        dotnet-version: ${{ steps.detect-dotnet-version.outputs.detected-version }}
        cache: true
--- a/csharp-lint-check/action.yml
+++ b/csharp-lint-check/action.yml
@@ -164,7 +164,7 @@ runs:
        echo "Final detected .NET version: $detected_version" >&2

    - name: Setup .NET SDK
-      uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
+      uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
      with:
        dotnet-version: ${{ steps.detect-dotnet-version.outputs.detected-version }}
        cache: true
--- a/csharp-publish/action.yml
+++ b/csharp-publish/action.yml
@@ -55,7 +55,7 @@ runs:

    - name: Validate Inputs
      id: validate
-      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
      with:
        action-type: 'csharp-publish'
        token: ${{ inputs.token }}
@@ -162,7 +162,7 @@ runs:
        echo "Final detected .NET version: $detected_version" >&2

    - name: Setup .NET SDK
-      uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
+      uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
      with:
        dotnet-version: ${{ inputs.dotnet-version || steps.detect-dotnet-version.outputs.detected-version }}
        cache: true
--- a/docker-build/action.yml
+++ b/docker-build/action.yml
@@ -147,7 +147,7 @@ runs:

    - name: Validate Inputs
      id: validate
-      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
      with:
        action-type: 'docker-build'
        image-name: ${{ inputs.image-name }}
@@ -169,13 +169,13 @@ runs:
        fi

    - name: Set up QEMU
-      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+      uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      with:
        platforms: ${{ inputs.architectures }}

    - name: Set up Docker Buildx
      id: buildx
-      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      with:
        version: ${{ inputs.buildx-version }}
        platforms: ${{ inputs.architectures }}
@@ -321,7 +321,7 @@ runs:

    - name: Login to GitHub Container Registry
      if: ${{ inputs.push == 'true' }}
-      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+      uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
--- a/docker-publish/action.yml
+++ b/docker-publish/action.yml
@@ -202,7 +202,7 @@ runs:
        printf '%s\n' "Input validation completed successfully"

    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

    - name: Determine Image Names and Tags
      id: meta
@@ -265,14 +265,14 @@ runs:

    - name: Login to Docker Hub
      if: inputs.registry == 'dockerhub' || inputs.registry == 'both'
-      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+      uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
      with:
        username: ${{ inputs.dockerhub-username }}
        password: ${{ inputs.dockerhub-token }}

    - name: Login to GitHub Container Registry
      if: inputs.registry == 'github' || inputs.registry == 'both'
-      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+      uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
--- a/package-lock.json
+++ b/package-lock.json
@@ -523,9 +523,9 @@
      "license": "MIT"
    },
    "node_modules/fs-extra": {
-      "version": "11.3.3",
-      "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-11.3.3.tgz",
-      "integrity": "sha512-VWSRii4t0AFm6ixFFmLLx1t7wS1gh+ckoa84aOeapGum0h+EZd1EhEumSB+ZdDLnEPuucsVB9oB7cxJHap6Afg==",
+      "version": "11.3.4",
+      "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-11.3.4.tgz",
+      "integrity": "sha512-CTXd6rk/M3/ULNQj8FBqBWHYBVYybQ3VPBw0xGKFe3tuH7ytT6ACnvzpIQ3UZtB8yvUKC2cXn1a+x+5EVQLovA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -813,9 +813,9 @@
      }
    },
    "node_modules/katex": {
-      "version": "0.16.33",
-      "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.33.tgz",
-      "integrity": "sha512-q3N5u+1sY9Bu7T4nlXoiRBXWfwSefNGoKeOwekV+gw0cAXQlz2Ww6BLcmBxVDeXBMUDQv6fK5bcNaJLxob3ZQA==",
+      "version": "0.16.35",
+      "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.35.tgz",
+      "integrity": "sha512-S0+riEvy1CK4VKse1ivMff8gmabe/prY7sKB3njjhyoLLsNFDQYtKNgXrbWUggGDCJBz7Fctl5i8fLCESHXzSg==",
      "dev": true,
      "funding": [
        "https://opencollective.com/katex",
--- a/pr-lint/action.yml
+++ b/pr-lint/action.yml
@@ -40,7 +40,7 @@ runs:
  steps:
    - name: Validate Inputs
      id: validate
-      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
      with:
        action-type: pr-lint
        token: ${{ inputs.token }}
@@ -632,7 +632,7 @@ runs:
    - name: MegaLinter
      # You can override MegaLinter flavor used to have faster performances
      # More info at https://megalinter.io/latest/flavors/
-      uses: oxsecurity/megalinter/flavors/cupcake@42bb470545e359597e7f12156947c436e4e3fb9a # v9.3.0
+      uses: oxsecurity/megalinter/flavors/cupcake@8fbdead70d1409964ab3d5afa885e18ee85388bb # v9.4.0
      id: ml

      # All available variables are described in documentation
--- a/pre-commit/action.yml
+++ b/pre-commit/action.yml
@@ -49,7 +49,7 @@ runs:

    - name: Validate Inputs
      id: validate
-      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
      with:
        action-type: 'pre-commit'
        token: ${{ inputs.token }}
--- a/python-lint-fix/action.yml
+++ b/python-lint-fix/action.yml
@@ -64,7 +64,7 @@ runs:
  steps:
    - name: Validate Inputs
      id: validate
-      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
      with:
        action-type: 'python-lint-fix'
        token: ${{ inputs.token }}
--- a/security-scan/action.yml
+++ b/security-scan/action.yml
@@ -65,7 +65,7 @@ runs:
  steps:
    - name: Validate Inputs
      id: validate
-      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
      with:
        action-type: security-scan
        gitleaks-license: ${{ inputs.gitleaks-license }}
--- a/stale/action.yml
+++ b/stale/action.yml
@@ -43,7 +43,7 @@ runs:

    - name: Validate Inputs
      id: validate
-      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
      with:
        action-type: 'stale'
        token: ${{ inputs.token || github.token }}
--- a/terraform-lint-fix/action.yml
+++ b/terraform-lint-fix/action.yml
@@ -78,7 +78,7 @@ runs:

    - name: Validate Inputs
      id: validate
-      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
+      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
      with:
        action-type: 'terraform-lint-fix'
        token: ${{ inputs.token || github.token }}
Author	SHA1	Message	Date
renovate[bot]	3ef8a96b85	chore(deps): update actions/setup-dotnet action (v5.1.0 → v5.2.0) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-03-06 00:47:05 +00:00
Copilot	ae4ad9ec80	fix: harden workflow permissions with deny-all top-level and least-privilege job scopes (#482 )	2026-03-06 02:44:56 +02:00
renovate[bot]	455267f892	chore(deps): update pre-commit hook bridgecrewio/checkov (3.2.506 → 3.2.507) (#487 ) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-03-06 02:41:33 +02:00
renovate[bot]	d1af04260d	chore(deps)!: update docker/login-action (v3.7.0 → v4.0.0) (#477 )	2026-03-05 22:41:05 +02:00
renovate[bot]	0921e373ce	chore(deps)!: update docker/setup-buildx-action (v3.12.0 → v4.0.0) (#478 )	2026-03-05 22:26:51 +02:00
renovate[bot]	6bbe5089d2	chore(deps)!: update docker/setup-qemu-action (v3.7.0 → v4.0.0) (#479 )	2026-03-05 22:15:39 +02:00
renovate[bot]	7cf51e5364	chore(deps): lock file maintenance (#481 )	2026-03-05 22:14:11 +02:00
renovate[bot]	72c6155089	chore(deps)!: update github/issue-metrics (v3.25.5 → v4.1.0) (#480 )	2026-03-05 22:07:00 +02:00
renovate[bot]	6e8f2aae9d	chore(deps): update pre-commit hook astral-sh/uv-pre-commit (0.10.5 → 0.10.7) (#475 ) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-03-02 17:22:01 +02:00
renovate[bot]	f15daec6dc	chore(deps): update pre-commit hook astral-sh/ruff-pre-commit (v0.15.2 → v0.15.4) (#474 ) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-03-02 17:21:37 +02:00
renovate[bot]	66870c6d0c	chore(deps): update oxsecurity/megalinter action (v9.3.0 → v9.4.0) (#476 ) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-03-02 17:20:54 +02:00