chore(deps)!: update actions/download-artifact (v6.0.0 → v7.0.0) (#396)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/actions/setup-test-environment/action.yml

@@ -17,7 +17,7 @@ runs:
   using: composite
   steps:
     - name: Install uv
-      uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v7.1.4
+      uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
       with:
         enable-cache: true
 
@@ -31,7 +31,7 @@ runs:
       run: uv sync --frozen
 
     - name: Setup Node.js
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
       with:
         node-version: '24'
         cache: npm

.github/workflows/action-security.yml

@@ -48,7 +48,7 @@ jobs:
 
       - name: Notify on Critical Issues
         if: failure() && steps.security-scan.outputs.critical_issues != '0'
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |-
             const { repo, owner } = context.repo;

.github/workflows/issue-stats.yml

@@ -30,7 +30,7 @@ jobs:
           echo "last_month=$first_day..$last_day" >> "$GITHUB_ENV"
 
       - name: Run issue-metrics tool
-        uses: github/issue-metrics@78b1d469a1b1c94945b15bd71dedcb1928667f49 # v3.25.3
+        uses: github/issue-metrics@55bb0b704982057a101ab7515fb72b2293927c8a # v3.25.4
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SEARCH_QUERY: 'repo:ivuorinen/actions is:issue created:${{ env.last_month }} -reason:"not planned"'

.github/workflows/pr-lint.yml

@@ -74,14 +74,14 @@ jobs:
 
       - name: Upload SARIF Report
         if: always() && hashFiles('megalinter-reports/sarif/*.sarif')
-        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+        uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
         with:
           sarif_file: megalinter-reports/sarif
           category: megalinter
 
       - name: Check Results
         if: always()
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
             const status = '${{ steps.pr-lint.outputs.validation_status }}';

.github/workflows/release.yml

@@ -17,6 +17,6 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
-      - uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
+      - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
           generate_release_notes: true

.github/workflows/stale.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: 🚀 Run stale
-        uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
+        uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           days-before-stale: 30

.github/workflows/test-actions.yml

@@ -73,14 +73,14 @@ jobs:
         if: always()
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+        uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
         if: always() && hashFiles('_tests/reports/test-results.sarif') != ''
         with:
           sarif_file: _tests/reports/test-results.sarif
           category: github-actions-tests
 
       - name: Upload unit test results
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         if: always()
         with:
           name: unit-test-results
@@ -133,7 +133,7 @@ jobs:
           fi
 
       - name: Upload integration test results
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         if: always() && steps.check-integration-reports.outputs.reports-found == 'true'
         with:
           name: integration-test-results
@@ -167,7 +167,7 @@ jobs:
         run: make test-coverage
 
       - name: Upload coverage report
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: coverage-report
           path: _tests/coverage/
@@ -263,7 +263,7 @@ jobs:
 
     steps:
       - name: Download test results
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           pattern: '*-test-results'
           merge-multiple: true

.github/workflows/version-maintenance.yml

@@ -49,7 +49,7 @@ jobs:
 
       - name: Create Pull Request
         if: steps.action-versioning.outputs.updated == 'true'
-        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
+        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: 'chore: update action references to ${{ steps.version.outputs.major }}'
@@ -76,7 +76,7 @@ jobs:
 
       - name: Check for Annual Bump
         if: steps.action-versioning.outputs.needs-annual-bump == 'true'
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
             const currentYear = new Date().getFullYear();

.pre-commit-config.yaml

@@ -14,7 +14,7 @@ repos:
         types: [markdown, python, yaml]
         files: ^(docs/.*|README\.md|CONTRIBUTING\.md|CHANGELOG\.md|.*\.py|.*\.ya?ml)$
   - repo: https://github.com/astral-sh/uv-pre-commit
-    rev: 0.9.13
+    rev: 0.9.17
     hooks:
       - id: uv-lock
       - id: uv-sync
@@ -44,7 +44,7 @@ repos:
         args: [--autofix, --no-sort-keys]
 
   - repo: https://github.com/DavidAnson/markdownlint-cli2
-    rev: v0.19.1
+    rev: v0.20.0
     hooks:
       - id: markdownlint-cli2
         args: [--fix]
@@ -55,7 +55,7 @@ repos:
       - id: yamllint
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.14.7
+    rev: v0.14.9
     hooks:
       # Run the linter with auto-fix
       - id: ruff-check
@@ -83,11 +83,6 @@ repos:
       - id: actionlint
         args: ['-shellcheck=']
 
-  - repo: https://github.com/renovatebot/pre-commit-hooks
-    rev: 42.19.3
-    hooks:
-      - id: renovate-config-validator
-
   - repo: https://github.com/bridgecrewio/checkov.git
     rev: '3.2.495'
     hooks:

.python-version

@@ -1 +1 @@
-3.14.0
+3.14.2

ansible-lint-fix/action.yml

@@ -130,6 +130,6 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.files_found == 'true'
-      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
       with:
         sarif_file: ansible-lint.sarif

biome-lint/action.yml

@@ -181,7 +181,7 @@ runs:
         echo "Detected package manager: $package_manager"
 
     - name: Setup Node.js
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
       with:
         node-version: '24'
 
@@ -218,7 +218,7 @@ runs:
 
     - name: Cache Node Dependencies
       id: cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
       with:
         path: node_modules
         key: ${{ runner.os }}-biome-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -331,7 +331,7 @@ runs:
 
     - name: Upload SARIF Report
       if: inputs.mode == 'check' && always()
-      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
       with:
         sarif_file: biome-report.sarif
 

codeql-analysis/action.yml

@@ -186,7 +186,7 @@ runs:
         echo "Using build mode: $build_mode"
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/init@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
       with:
         languages: ${{ inputs.language }}
         queries: ${{ inputs.queries }}
@@ -199,12 +199,12 @@ runs:
         threads: ${{ inputs.threads }}
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/autobuild@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
       if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }}
 
     - name: Perform CodeQL Analysis
       id: analysis
-      uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/analyze@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
       with:
         category: ${{ steps.set-category.outputs.category }}
         upload: ${{ inputs.upload-results }}

compress-images/action.yml

@@ -163,7 +163,7 @@ runs:
 
     - name: Create New Pull Request If Needed
       if: steps.calibre.outputs.markdown != ''
-      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
+      uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
       with:
         token: ${{ inputs.token }}
         title: 'chore: compress images'

csharp-build/action.yml

@@ -203,7 +203,7 @@ runs:
 
     - name: Upload Test Results
       if: always()
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
       with:
         name: csharp-test-results
         path: |

csharp-lint-check/action.yml

@@ -206,6 +206,6 @@ runs:
         fi
 
     - name: Upload SARIF Report
-      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
       with:
         sarif_file: dotnet-format.sarif

eslint-lint/action.yml

@@ -288,7 +288,7 @@ runs:
         echo "Detected package manager: $package_manager"
 
     - name: Setup Node.js
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
       with:
         node-version: '24'
 
@@ -325,7 +325,7 @@ runs:
 
     - name: Cache Node Dependencies
       id: cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
       with:
         path: node_modules
         key: ${{ runner.os }}-eslint-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -457,7 +457,7 @@ runs:
 
     - name: Upload SARIF Report
       if: inputs.mode == 'check' && inputs.report-format == 'sarif' && always()
-      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
       with:
         sarif_file: ${{ inputs.working-directory }}/eslint-results.sarif
 

go-build/action.yml

@@ -253,7 +253,7 @@ runs:
 
     - name: Upload Build Artifacts
       if: always()
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
       with:
         name: go-build-artifacts
         path: |

go-lint/action.yml

@@ -218,7 +218,7 @@ runs:
     - name: Cache golangci-lint
       id: cache
       if: inputs.cache == 'true'
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
       with:
         path: |
           ~/.cache/golangci-lint
@@ -414,7 +414,7 @@ runs:
 
     - name: Upload Lint Results
       if: always() && inputs.report-format == 'sarif'
-      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/golangci-lint.sarif
         category: golangci-lint

npm-publish/action.yml

@@ -121,7 +121,7 @@ runs:
         echo "Detected package manager: $package_manager"
 
     - name: Setup Node.js
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
       with:
         node-version: '24'
 
@@ -158,7 +158,7 @@ runs:
 
     - name: Cache Node Dependencies
       id: cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
       with:
         path: node_modules
         key: ${{ runner.os }}-npm-publish-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}

package-lock.json

@@ -13,7 +13,7 @@
         "js-yaml": "^4.1.0",
         "markdown-table": "^3.0.3",
         "markdown-table-formatter": "^1.6.0",
-        "markdownlint-cli2": "^0.19.0",
+        "markdownlint-cli2": "^0.20.0",
         "prettier": "^3.3.3",
         "yaml-lint": "^1.7.0"
       },
@@ -661,6 +661,19 @@
         "node": "6.* || 8.* || >= 10.*"
       }
     },
+    "node_modules/get-east-asian-width": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.4.0.tgz",
+      "integrity": "sha512-QZjmEOC+IT1uk6Rx0sX22V6uHWVwbdbxf1faPqJ1QhLdGgsRGCZoyaQBm/piRdJy/D2um6hM1UP7ZEeQ4EkP+Q==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/glob": {
       "version": "10.5.0",
       "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz",
@@ -1051,9 +1064,9 @@
       }
     },
     "node_modules/markdownlint": {
-      "version": "0.39.0",
-      "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.39.0.tgz",
-      "integrity": "sha512-Xt/oY7bAiHwukL1iru2np5LIkhwD19Y7frlsiDILK62v3jucXCD6JXlZlwMG12HZOR+roHIVuJZrfCkOhp6k3g==",
+      "version": "0.40.0",
+      "resolved": "https://registry.npmjs.org/markdownlint/-/markdownlint-0.40.0.tgz",
+      "integrity": "sha512-UKybllYNheWac61Ia7T6fzuQNDZimFIpCg2w6hHjgV1Qu0w1TV0LlSgryUGzM0bkKQCBhy2FDhEELB73Kb0kAg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1064,7 +1077,8 @@
         "micromark-extension-gfm-footnote": "2.1.0",
         "micromark-extension-gfm-table": "2.1.1",
         "micromark-extension-math": "3.1.0",
-        "micromark-util-types": "2.0.2"
+        "micromark-util-types": "2.0.2",
+        "string-width": "8.1.0"
       },
       "engines": {
         "node": ">=20"
@@ -1074,17 +1088,18 @@
       }
     },
     "node_modules/markdownlint-cli2": {
-      "version": "0.19.0",
-      "resolved": "https://registry.npmjs.org/markdownlint-cli2/-/markdownlint-cli2-0.19.0.tgz",
-      "integrity": "sha512-0+g7Fi/Y3qfvwfhJr77CpC/dEEoc4k7SvumlnL1tb68O+7fjKtIUG7aKzNUQIMXTVi8x63jcfXg4swz/ZYKyCw==",
+      "version": "0.20.0",
+      "resolved": "https://registry.npmjs.org/markdownlint-cli2/-/markdownlint-cli2-0.20.0.tgz",
+      "integrity": "sha512-esPk+8Qvx/f0bzI7YelUeZp+jCtFOk3KjZ7s9iBQZ6HlymSXoTtWGiIRZP05/9Oy2ehIoIjenVwndxGtxOIJYQ==",
       "dev": true,
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "globby": "15.0.0",
         "js-yaml": "4.1.1",
         "jsonc-parser": "3.3.1",
         "markdown-it": "14.1.0",
-        "markdownlint": "0.39.0",
+        "markdownlint": "0.40.0",
         "markdownlint-cli2-formatter-default": "0.0.6",
         "micromatch": "4.0.8"
       },
@@ -1111,6 +1126,23 @@
         "markdownlint-cli2": ">=0.0.4"
       }
     },
+    "node_modules/markdownlint/node_modules/string-width": {
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-8.1.0.tgz",
+      "integrity": "sha512-Kxl3KJGb/gxkaUMOjRsQ8IrXiGW75O4E3RPjFIINOVH8AMl2SQ/yWdTzWwF3FevIX9LcMAjJW+GRwAlAbTSXdg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "get-east-asian-width": "^1.3.0",
+        "strip-ansi": "^7.1.0"
+      },
+      "engines": {
+        "node": ">=20"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/mdurl": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/mdurl/-/mdurl-2.0.0.tgz",

package.json

@@ -24,7 +24,7 @@
     "js-yaml": "^4.1.0",
     "markdown-table": "^3.0.3",
     "markdown-table-formatter": "^1.6.0",
-    "markdownlint-cli2": "^0.19.0",
+    "markdownlint-cli2": "^0.20.0",
     "prettier": "^3.3.3",
     "yaml-lint": "^1.7.0"
   },

php-tests/action.yml

@@ -356,7 +356,7 @@ runs:
 
     - name: Cache Composer packages
       id: composer-cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
       with:
         path: |
           vendor

pr-lint/action.yml

@@ -57,10 +57,6 @@ runs:
         ref: ${{ github.event.pull_request.head.sha || github.sha }}
         persist-credentials: false
 
-        # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to
-        # improve performance
-        fetch-depth: 0
-
     #   ╭──────────────────────────────────────────────────────────╮
     #   │               Install packages for linting               │
     #   ╰──────────────────────────────────────────────────────────╯
@@ -122,7 +118,7 @@ runs:
 
     - name: Setup Node.js
       if: steps.detect-node.outputs.found == 'true'
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
       with:
         node-version: '24'
 
@@ -167,7 +163,7 @@ runs:
     - name: Cache Node Dependencies
       if: steps.detect-node.outputs.found == 'true'
       id: node-cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
       with:
         path: node_modules
         key: ${{ runner.os }}-pr-lint-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}
@@ -382,7 +378,7 @@ runs:
       id: python-version
       shell: sh
       env:
-        DEFAULT_VERSION: '3.11'
+        DEFAULT_VERSION: '3.14'
       run: |
         set -eu
 
@@ -519,7 +515,7 @@ runs:
       id: go-version
       shell: sh
       env:
-        DEFAULT_VERSION: '1.24'
+        DEFAULT_VERSION: '1.25'
       run: |
         set -eu
 
@@ -654,11 +650,7 @@ runs:
         #     github.event_name == 'push' &&
         #     contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)
         #   }}
-        VALIDATE_ALL_CODEBASE: >-
-          ${{
-            github.event_name == 'push' &&
-            contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)
-          }}
+        VALIDATE_ALL_CODEBASE: false
 
         GITHUB_TOKEN: ${{ inputs.token || github.token }}
 
@@ -682,129 +674,13 @@ runs:
         # Uncomment to disable copy-paste and spell checks
         DISABLE: COPYPASTE,SPELL
 
-    # Export env vars to make them available for subsequent expressions
-    - name: Export Apply Fixes Variables
-      shell: sh
-      run: |
-        printf '%s\n' "APPLY_FIXES_EVENT=pull_request" >> "$GITHUB_ENV"
-        printf '%s\n' "APPLY_FIXES_MODE=commit" >> "$GITHUB_ENV"
-
     # Upload MegaLinter artifacts
     - name: Archive production artifacts
       if: success() || failure()
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
       with:
         name: MegaLinter reports
         include-hidden-files: 'true'
         path: |
           megalinter-reports
           mega-linter.log
-
-    # Set APPLY_FIXES_IF var for use in future steps
-    - name: Set APPLY_FIXES_IF var
-      shell: sh
-      env:
-        APPLY_FIXES_CONDITION: >-
-          ${{
-            steps.ml.outputs.has_updated_sources == 1 &&
-            (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) &&
-            (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
-          }}
-      run: |
-        set -eu
-
-        # Sanitize by removing newlines to prevent env var injection
-        sanitized_condition="$(echo "$APPLY_FIXES_CONDITION" | tr -d '\n\r')"
-        printf 'APPLY_FIXES_IF=%s\n' "$sanitized_condition" >> "${GITHUB_ENV}"
-
-    # Set APPLY_FIXES_IF_* vars for use in future steps
-    - name: Set APPLY_FIXES_IF_* vars
-      shell: sh
-      env:
-        APPLY_FIXES_IF_PR_CONDITION: ${{ env.APPLY_FIXES_IF == 'true' && env.APPLY_FIXES_MODE == 'pull_request' }}
-        APPLY_FIXES_IF_COMMIT_CONDITION: ${{ env.APPLY_FIXES_IF == 'true' && env.APPLY_FIXES_MODE == 'commit' && (!contains(fromJSON('["refs/heads/main", "refs/heads/master"]'), github.ref)) }}
-      run: |
-        set -eu
-
-        # Sanitize by removing newlines to prevent env var injection
-        sanitized_pr="$(echo "$APPLY_FIXES_IF_PR_CONDITION" | tr -d '\n\r')"
-        sanitized_commit="$(echo "$APPLY_FIXES_IF_COMMIT_CONDITION" | tr -d '\n\r')"
-
-        printf 'APPLY_FIXES_IF_PR=%s\n' "$sanitized_pr" >> "${GITHUB_ENV}"
-        printf 'APPLY_FIXES_IF_COMMIT=%s\n' "$sanitized_commit" >> "${GITHUB_ENV}"
-
-    # Create pull request if applicable
-    # (for now works only on PR from same repository, not from forks)
-    - name: Create Pull Request with applied fixes
-      uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
-      id: cpr
-      if: env.APPLY_FIXES_IF_PR == 'true'
-      with:
-        token: ${{ inputs.token || github.token }}
-        commit-message: 'style: apply linter fixes'
-        title: 'style: apply linter fixes'
-        labels: bot
-
-    - name: Create PR output
-      if: env.APPLY_FIXES_IF_PR == 'true'
-      shell: sh
-      env:
-        PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
-        PR_URL: ${{ steps.cpr.outputs.pull-request-url }}
-      run: |
-        set -eu
-
-        printf 'PR Number - %s\n' "$PR_NUMBER"
-        printf 'PR URL - %s\n' "$PR_URL"
-
-    # Push new commit if applicable
-    # (for now works only on PR from same repository, not from forks)
-    - name: Prepare commit
-      if: env.APPLY_FIXES_IF_COMMIT == 'true'
-      shell: sh
-      run: |
-        set -eu
-
-        # Fix .git directory ownership after MegaLinter container execution
-        current_uid=$(id -u)
-        sudo chown -Rc "$current_uid" .git/
-
-        # Ensure we're on the correct branch (not in detached HEAD state)
-        # This is necessary because MegaLinter may leave the repo in a detached HEAD state
-        current_branch=$(git rev-parse --abbrev-ref HEAD)
-        if [ "$current_branch" = "HEAD" ]; then
-          printf '%s\n' "Repository is in detached HEAD state"
-
-          # Get the branch name from git refs (safer than trusting event data)
-          # This finds the branch that points to the current commit
-          branch_ref=$(git for-each-ref --format='%(refname:short)' --points-at=HEAD 'refs/remotes/origin/*' | head -1 | sed 's|^origin/||')
-
-          if [ -z "$branch_ref" ]; then
-            printf '%s\n' "::error::Could not determine branch name from git refs"
-            exit 1
-          fi
-
-          # Validate branch reference to prevent command injection
-          if ! git check-ref-format --branch "$branch_ref"; then
-            printf '%s\n' "::error::Invalid branch reference format: $branch_ref"
-            exit 1
-          fi
-
-          printf 'Checking out branch: %s\n' "$branch_ref"
-          git checkout "$branch_ref"
-
-          # Export for next step
-          printf '%s\n' "VALIDATED_BRANCH=$branch_ref" >> "$GITHUB_ENV"
-        else
-          printf 'Repository is on branch: %s\n' "$current_branch"
-          printf '%s\n' "VALIDATED_BRANCH=$current_branch" >> "$GITHUB_ENV"
-        fi
-
-    - name: Commit and push applied linter fixes
-      uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
-      if: env.APPLY_FIXES_IF_COMMIT == 'true'
-      with:
-        branch: ${{ env.VALIDATED_BRANCH }}
-        commit_message: 'style: apply linter fixes'
-        commit_user_name: ${{ inputs.username }}
-        commit_user_email: ${{ inputs.email }}

prettier-lint/action.yml

@@ -274,7 +274,7 @@ runs:
         echo "Detected package manager: $package_manager"
 
     - name: Setup Node.js
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
       with:
         node-version: '24'
 
@@ -311,7 +311,7 @@ runs:
 
     - name: Cache Node Dependencies
       id: cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
       with:
         path: node_modules
         key: ${{ runner.os }}-prettier-lint-${{ inputs.mode }}-${{ steps.detect-pm.outputs.package-manager }}-${{ hashFiles('package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'bun.lockb') }}

python-lint-fix/action.yml

@@ -370,7 +370,7 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.result == 'found'
-      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
       with:
         sarif_file: ${{ inputs.working-directory }}/reports/flake8.sarif
         category: 'python-lint'

security-scan/action.yml

@@ -99,7 +99,7 @@ runs:
 
     - name: Run actionlint
       if: steps.check-configs.outputs.run_actionlint == 'true'
-      uses: raven-actions/actionlint@3a24062651993d40fed1019b58ac6fbdfbf276cc # v2.0.1
+      uses: raven-actions/actionlint@963d4779ef039e217e5d0e6fd73ce9ab7764e493 # v2.1.0
       with:
         cache: true
         fail-on-error: true
@@ -161,21 +161,21 @@ runs:
 
     - name: Upload Trivy results
       if: steps.verify-sarif.outputs.has_trivy == 'true'
-      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
       with:
         sarif_file: 'trivy-results.sarif'
         category: 'trivy'
 
     - name: Upload Gitleaks results
       if: steps.verify-sarif.outputs.has_gitleaks == 'true'
-      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
       with:
         sarif_file: 'gitleaks-report.sarif'
         category: 'gitleaks'
 
     - name: Archive security reports
       if: always()
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
       with:
         name: security-reports-${{ github.run_id }}
         path: |

stale/action.yml

@@ -52,7 +52,7 @@ runs:
 
     - name: 🚀 Run stale
       id: stale
-      uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
+      uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
       with:
         repo-token: ${{ inputs.token || github.token }}
         days-before-stale: ${{ inputs.days-before-stale }}

terraform-lint-fix/action.yml

@@ -256,7 +256,7 @@ runs:
 
     - name: Upload SARIF Report
       if: steps.check-files.outputs.found == 'true' && inputs.format == 'sarif'
-      uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
       with:
         sarif_file: ${{ env.VALIDATED_WORKING_DIR }}/reports/tflint.sarif
         category: terraform-lint