chore(deps): update actions/dependency-review-action action (v4.8.3 → v4.9.0)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
fix: harden workflow permissions with deny-all top-level and least-privilege job scopes (#482 )
2026-03-06 03:55:16 +00:00 · 2026-03-06 00:47:01 +00:00 · 2026-03-06 02:44:56 +02:00 · 2026-03-06 02:41:33 +02:00 · 2026-03-05 22:41:05 +02:00 · 2026-03-05 22:26:51 +02:00
16 changed files with 49 additions and 52 deletions
--- a/.github/workflows/action-security.yml
+++ b/.github/workflows/action-security.yml
@@ -17,10 +17,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions:
-  contents: read
-  actions: read
-  pull-requests: read
+permissions: {}

 jobs:
  analyze:
@@ -29,6 +26,9 @@ jobs:
    timeout-minutes: 30

    permissions:
+      contents: read
+      actions: read
+      pull-requests: read
      security-events: write
      statuses: write
      issues: write
--- a/.github/workflows/build-testing-image.yml
+++ b/.github/workflows/build-testing-image.yml
@@ -23,25 +23,26 @@ on:
        default: 'latest'
        type: string

-permissions:
-  contents: read
-  packages: write
+permissions: {}

 jobs:
  build-and-push:
    name: Build and Push Testing Image
    runs-on: ubuntu-latest
    timeout-minutes: 20
+    permissions:
+      contents: read
+      packages: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
--- a/.github/workflows/codeql-new.yml
+++ b/.github/workflows/codeql-new.yml
@@ -13,17 +13,16 @@ on:
    - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
  merge_group:

-permissions:
-  actions: read
-  contents: read
+permissions: {}

 jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
-      security-events: write
+      actions: read
      contents: read
+      security-events: write

    strategy:
      fail-fast: false
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -4,14 +4,15 @@ name: 'Dependency Review'
 on:
  - pull_request

-permissions:
-  contents: read
+permissions: {}

 jobs:
  dependency-review:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
      - name: 'Dependency Review'
-        uses: actions/dependency-review-action@05fe4576374b728f0c523d6a13d64c25081e0803 # v4.8.3
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
--- a/.github/workflows/issue-stats.yml
+++ b/.github/workflows/issue-stats.yml
@@ -5,8 +5,7 @@ on:
  schedule:
    - cron: '3 2 1 * *'

-permissions:
-  contents: read
+permissions: {}

 jobs:
  build:
@@ -30,7 +29,7 @@ jobs:
          echo "last_month=$first_day..$last_day" >> "$GITHUB_ENV"

      - name: Run issue-metrics tool
-        uses: github/issue-metrics@67526e7bd8100b870f10b1c120780a8375777b43 # v3.25.5
+        uses: github/issue-metrics@41a7961f701cc64490f32e143af8ef479b93e87d # v4.1.0
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SEARCH_QUERY: 'repo:ivuorinen/actions is:issue created:${{ env.last_month }} -reason:"not planned"'
--- a/.github/workflows/new-release.yml
+++ b/.github/workflows/new-release.yml
@@ -6,7 +6,7 @@ on:
  schedule:
    - cron: '0 21 * * *' # 00:00 at Europe/Helsinki

-permissions: read-all
+permissions: {}

 jobs:
  new-daily-release:
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -37,9 +37,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions:
-  contents: read
-  packages: read # Required for private dependencies
+permissions: {}

 jobs:
  megalinter:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,8 +7,7 @@ on:
    tags:
      - 'v*'

-permissions:
-  contents: read
+permissions: {}

 jobs:
  release:
--- a/.github/workflows/security-suite.yml
+++ b/.github/workflows/security-suite.yml
@@ -18,11 +18,7 @@ on:
      - '**/*.yaml'
      - '.github/workflows/**'

-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
-  actions: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -32,6 +28,11 @@ jobs:
  security-analysis:
    name: Security Analysis
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      actions: read

    steps:
      - name: Checkout PR
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,10 +8,7 @@ on:
  workflow_call:
  workflow_dispatch:

-permissions:
-  contents: read
-  packages: read
-  statuses: read
+permissions: {}

 jobs:
  stale:
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -22,7 +22,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: read-all
+permissions: {}

 jobs:
  labels:
@@ -31,6 +31,7 @@ jobs:
    timeout-minutes: 10

    permissions:
+      contents: read
      issues: write

    steps:
--- a/.github/workflows/version-maintenance.yml
+++ b/.github/workflows/version-maintenance.yml
@@ -12,15 +12,16 @@ on:
        required: false
        type: string

-permissions:
-  contents: write
-  pull-requests: write
-  issues: write
+permissions: {}

 jobs:
  check-and-update:
    name: Check Version References
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write

    steps:
      - name: Checkout Repository
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -84,7 +84,7 @@ repos:
        args: ['-shellcheck=']

  - repo: https://github.com/bridgecrewio/checkov.git
-    rev: '3.2.506'
+    rev: '3.2.507'
    hooks:
      - id: checkov
        args:
--- a/docker-build/action.yml
+++ b/docker-build/action.yml
@@ -169,13 +169,13 @@ runs:
        fi

    - name: Set up QEMU
-      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+      uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      with:
        platforms: ${{ inputs.architectures }}

    - name: Set up Docker Buildx
      id: buildx
-      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      with:
        version: ${{ inputs.buildx-version }}
        platforms: ${{ inputs.architectures }}
@@ -321,7 +321,7 @@ runs:

    - name: Login to GitHub Container Registry
      if: ${{ inputs.push == 'true' }}
-      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+      uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
--- a/docker-publish/action.yml
+++ b/docker-publish/action.yml
@@ -202,7 +202,7 @@ runs:
        printf '%s\n' "Input validation completed successfully"

    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

    - name: Determine Image Names and Tags
      id: meta
@@ -265,14 +265,14 @@ runs:

    - name: Login to Docker Hub
      if: inputs.registry == 'dockerhub' || inputs.registry == 'both'
-      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+      uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
      with:
        username: ${{ inputs.dockerhub-username }}
        password: ${{ inputs.dockerhub-token }}

    - name: Login to GitHub Container Registry
      if: inputs.registry == 'github' || inputs.registry == 'both'
-      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+      uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
--- a/package-lock.json
+++ b/package-lock.json
@@ -523,9 +523,9 @@
      "license": "MIT"
    },
    "node_modules/fs-extra": {
-      "version": "11.3.3",
-      "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-11.3.3.tgz",
-      "integrity": "sha512-VWSRii4t0AFm6ixFFmLLx1t7wS1gh+ckoa84aOeapGum0h+EZd1EhEumSB+ZdDLnEPuucsVB9oB7cxJHap6Afg==",
+      "version": "11.3.4",
+      "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-11.3.4.tgz",
+      "integrity": "sha512-CTXd6rk/M3/ULNQj8FBqBWHYBVYybQ3VPBw0xGKFe3tuH7ytT6ACnvzpIQ3UZtB8yvUKC2cXn1a+x+5EVQLovA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -813,9 +813,9 @@
      }
    },
    "node_modules/katex": {
-      "version": "0.16.33",
-      "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.33.tgz",
-      "integrity": "sha512-q3N5u+1sY9Bu7T4nlXoiRBXWfwSefNGoKeOwekV+gw0cAXQlz2Ww6BLcmBxVDeXBMUDQv6fK5bcNaJLxob3ZQA==",
+      "version": "0.16.35",
+      "resolved": "https://registry.npmjs.org/katex/-/katex-0.16.35.tgz",
+      "integrity": "sha512-S0+riEvy1CK4VKse1ivMff8gmabe/prY7sKB3njjhyoLLsNFDQYtKNgXrbWUggGDCJBz7Fctl5i8fLCESHXzSg==",
      "dev": true,
      "funding": [
        "https://opencollective.com/katex",
Author	SHA1	Message	Date
renovate[bot]	718540b74e	chore(deps): update actions/dependency-review-action action (v4.8.3 → v4.9.0) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-03-06 00:47:01 +00:00
Copilot	ae4ad9ec80	fix: harden workflow permissions with deny-all top-level and least-privilege job scopes (#482 )	2026-03-06 02:44:56 +02:00
renovate[bot]	455267f892	chore(deps): update pre-commit hook bridgecrewio/checkov (3.2.506 → 3.2.507) (#487 ) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-03-06 02:41:33 +02:00
renovate[bot]	d1af04260d	chore(deps)!: update docker/login-action (v3.7.0 → v4.0.0) (#477 )	2026-03-05 22:41:05 +02:00
renovate[bot]	0921e373ce	chore(deps)!: update docker/setup-buildx-action (v3.12.0 → v4.0.0) (#478 )	2026-03-05 22:26:51 +02:00
renovate[bot]	6bbe5089d2	chore(deps)!: update docker/setup-qemu-action (v3.7.0 → v4.0.0) (#479 )	2026-03-05 22:15:39 +02:00
renovate[bot]	7cf51e5364	chore(deps): lock file maintenance (#481 )	2026-03-05 22:14:11 +02:00
renovate[bot]	72c6155089	chore(deps)!: update github/issue-metrics (v3.25.5 → v4.1.0) (#480 )	2026-03-05 22:07:00 +02:00