chore(deps): update actions/setup-dotnet action (v5.1.0 → v5.2.0)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
chore(deps): update pre-commit hook astral-sh/uv-pre-commit (0.10.7 → 0.10.8) (#486 )
2026-03-06 05:55:31 +00:00 · 2026-03-06 04:59:42 +00:00 · 2026-03-06 02:51:06 +02:00 · 2026-03-06 02:50:33 +02:00 · 2026-03-06 02:49:32 +02:00 · 2026-03-06 02:49:00 +02:00
29 changed files with 57 additions and 60 deletions
--- a/.github/workflows/action-security.yml
+++ b/.github/workflows/action-security.yml
@@ -17,10 +17,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
-permissions:
+permissions: {}
  contents: read
  actions: read
  pull-requests: read
 jobs:
  analyze:
@@ -29,6 +26,9 @@ jobs:
    timeout-minutes: 30
    permissions:
      contents: read
      actions: read
      pull-requests: read
      security-events: write
      statuses: write
      issues: write
--- a/.github/workflows/build-testing-image.yml
+++ b/.github/workflows/build-testing-image.yml
@@ -23,15 +23,16 @@ on:
        default: 'latest'
        type: string
-permissions:
+permissions: {}
  contents: read
  packages: write
 jobs:
  build-and-push:
    name: Build and Push Testing Image
    runs-on: ubuntu-latest
    timeout-minutes: 20
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
--- a/.github/workflows/codeql-new.yml
+++ b/.github/workflows/codeql-new.yml
@@ -13,17 +13,16 @@ on:
    - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
  merge_group:
-permissions:
+permissions: {}
  actions: read
  contents: read
 jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
-      security-events: write
+      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -4,12 +4,13 @@ name: 'Dependency Review'
 on:
  - pull_request
-permissions:
+permissions: {}
  contents: read
 jobs:
  dependency-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
--- a/.github/workflows/issue-stats.yml
+++ b/.github/workflows/issue-stats.yml
@@ -5,8 +5,7 @@ on:
  schedule:
    - cron: '3 2 1 * *'
-permissions:
+permissions: {}
  contents: read
 jobs:
  build:
--- a/.github/workflows/new-release.yml
+++ b/.github/workflows/new-release.yml
@@ -6,7 +6,7 @@ on:
  schedule:
    - cron: '0 21 * * *' # 00:00 at Europe/Helsinki
-permissions: read-all
+permissions: {}
 jobs:
  new-daily-release:
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -37,9 +37,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
-permissions:
+permissions: {}
  contents: read
  packages: read # Required for private dependencies
 jobs:
  megalinter:
@@ -74,7 +72,7 @@ jobs:
      - name: Upload SARIF Report
        if: always() && hashFiles('megalinter-reports/sarif/*.sarif')
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          sarif_file: megalinter-reports/sarif
          category: megalinter
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,8 +7,7 @@ on:
    tags:
      - 'v*'
-permissions:
+permissions: {}
  contents: read
 jobs:
  release:
--- a/.github/workflows/security-suite.yml
+++ b/.github/workflows/security-suite.yml
@@ -18,11 +18,7 @@ on:
      - '**/*.yaml'
      - '.github/workflows/**'
-permissions:
+permissions: {}
  contents: read
  pull-requests: write
  issues: write
  actions: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -32,6 +28,11 @@ jobs:
  security-analysis:
    name: Security Analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      issues: write
      actions: read
    steps:
      - name: Checkout PR
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,10 +8,7 @@ on:
  workflow_call:
  workflow_dispatch:
-permissions:
+permissions: {}
  contents: read
  packages: read
  statuses: read
 jobs:
  stale:
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -22,7 +22,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
-permissions: read-all
+permissions: {}
 jobs:
  labels:
@@ -31,6 +31,7 @@ jobs:
    timeout-minutes: 10
    permissions:
      contents: read
      issues: write
    steps:
--- a/.github/workflows/test-actions.yml
+++ b/.github/workflows/test-actions.yml
@@ -73,7 +73,7 @@ jobs:
        if: always()
      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        if: always() && hashFiles('_tests/reports/test-results.sarif') != ''
        with:
          sarif_file: _tests/reports/test-results.sarif
--- a/.github/workflows/version-maintenance.yml
+++ b/.github/workflows/version-maintenance.yml
@@ -12,15 +12,16 @@ on:
        required: false
        type: string
-permissions:
+permissions: {}
  contents: write
  pull-requests: write
  issues: write
 jobs:
  check-and-update:
    name: Check Version References
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      issues: write
    steps:
      - name: Checkout Repository
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -14,7 +14,7 @@ repos:
        types: [markdown, python, yaml]
        files: ^(docs/.*|README\.md|CONTRIBUTING\.md|CHANGELOG\.md|.*\.py|.*\.ya?ml)$
  - repo: https://github.com/astral-sh/uv-pre-commit
-    rev: 0.10.7
+    rev: 0.10.8
    hooks:
      - id: uv-lock
      - id: uv-sync
@@ -84,7 +84,7 @@ repos:
        args: ['-shellcheck=']
  - repo: https://github.com/bridgecrewio/checkov.git
-    rev: '3.2.506'
+    rev: '3.2.507'
    hooks:
      - id: checkov
        args:
--- a/ansible-lint-fix/action.yml
+++ b/ansible-lint-fix/action.yml
@@ -130,6 +130,6 @@ runs:
    - name: Upload SARIF Report
      if: steps.check-files.outputs.files_found == 'true'
-      uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
      with:
        sarif_file: ansible-lint.sarif
--- a/biome-lint/action.yml
+++ b/biome-lint/action.yml
@@ -212,7 +212,7 @@ runs:
    - name: Setup Bun
      if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
+      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
      with:
        bun-version: latest
@@ -331,7 +331,7 @@ runs:
    - name: Upload SARIF Report
      if: inputs.mode == 'check' && always()
-      uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
      with:
        sarif_file: biome-report.sarif
--- a/codeql-analysis/action.yml
+++ b/codeql-analysis/action.yml
@@ -186,7 +186,7 @@ runs:
        echo "Using build mode: $build_mode"
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
      with:
        languages: ${{ inputs.language }}
        queries: ${{ inputs.queries }}
@@ -199,12 +199,12 @@ runs:
        threads: ${{ inputs.threads }}
    - name: Autobuild
-      uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
      if: ${{ steps.set-build-mode.outputs.build-mode == 'autobuild' }}
    - name: Perform CodeQL Analysis
      id: analysis
-      uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
      with:
        category: ${{ steps.set-category.outputs.category }}
        upload: ${{ inputs.upload-results }}
--- a/csharp-build/action.yml
+++ b/csharp-build/action.yml
@@ -148,7 +148,7 @@ runs:
        echo "Final detected .NET version: $detected_version" >&2
    - name: Setup .NET SDK
-      uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
+      uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
      with:
        dotnet-version: ${{ steps.detect-dotnet-version.outputs.detected-version }}
        cache: true
--- a/csharp-lint-check/action.yml
+++ b/csharp-lint-check/action.yml
@@ -164,7 +164,7 @@ runs:
        echo "Final detected .NET version: $detected_version" >&2
    - name: Setup .NET SDK
-      uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
+      uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
      with:
        dotnet-version: ${{ steps.detect-dotnet-version.outputs.detected-version }}
        cache: true
@@ -206,6 +206,6 @@ runs:
        fi
    - name: Upload SARIF Report
-      uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
      with:
        sarif_file: dotnet-format.sarif
--- a/csharp-publish/action.yml
+++ b/csharp-publish/action.yml
@@ -162,7 +162,7 @@ runs:
        echo "Final detected .NET version: $detected_version" >&2
    - name: Setup .NET SDK
-      uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
+      uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
      with:
        dotnet-version: ${{ inputs.dotnet-version || steps.detect-dotnet-version.outputs.detected-version }}
        cache: true
--- a/docker-build/action.yml
+++ b/docker-build/action.yml
@@ -536,7 +536,7 @@ runs:
    - name: Scan Image for Vulnerabilities
      id: scan
      if: inputs.scan-image == 'true' && inputs.dry-run != 'true'
-      uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
+      uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # 0.34.2
      with:
        scan-type: 'image'
        image-ref: ${{ steps.image-name.outputs.name }}:${{ inputs.tag }}
--- a/eslint-lint/action.yml
+++ b/eslint-lint/action.yml
@@ -319,7 +319,7 @@ runs:
    - name: Setup Bun
      if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
+      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
      with:
        bun-version: latest
@@ -457,7 +457,7 @@ runs:
    - name: Upload SARIF Report
      if: inputs.mode == 'check' && inputs.report-format == 'sarif' && always()
-      uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
      with:
        sarif_file: ${{ inputs.working-directory }}/eslint-results.sarif
--- a/go-lint/action.yml
+++ b/go-lint/action.yml
@@ -414,7 +414,7 @@ runs:
    - name: Upload Lint Results
      if: always() && inputs.report-format == 'sarif'
-      uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
      with:
        sarif_file: ${{ inputs.working-directory }}/reports/golangci-lint.sarif
        category: golangci-lint
--- a/npm-publish/action.yml
+++ b/npm-publish/action.yml
@@ -152,7 +152,7 @@ runs:
    - name: Setup Bun
      if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
+      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
      with:
        bun-version: latest
--- a/pr-lint/action.yml
+++ b/pr-lint/action.yml
@@ -156,7 +156,7 @@ runs:
    - name: Setup Bun
      if: steps.detect-node.outputs.found == 'true' && steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
+      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
      with:
        bun-version: latest
--- a/prettier-lint/action.yml
+++ b/prettier-lint/action.yml
@@ -305,7 +305,7 @@ runs:
    - name: Setup Bun
      if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
+      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
      with:
        bun-version: latest
--- a/python-lint-fix/action.yml
+++ b/python-lint-fix/action.yml
@@ -370,7 +370,7 @@ runs:
    - name: Upload SARIF Report
      if: steps.check-files.outputs.result == 'found'
-      uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
      with:
        sarif_file: ${{ inputs.working-directory }}/reports/flake8.sarif
        category: 'python-lint'
--- a/security-scan/action.yml
+++ b/security-scan/action.yml
@@ -161,14 +161,14 @@ runs:
    - name: Upload Trivy results
      if: steps.verify-sarif.outputs.has_trivy == 'true'
-      uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
      with:
        sarif_file: 'trivy-results.sarif'
        category: 'trivy'
    - name: Upload Gitleaks results
      if: steps.verify-sarif.outputs.has_gitleaks == 'true'
-      uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
      with:
        sarif_file: 'gitleaks-report.sarif'
        category: 'gitleaks'
--- a/terraform-lint-fix/action.yml
+++ b/terraform-lint-fix/action.yml
@@ -256,7 +256,7 @@ runs:
    - name: Upload SARIF Report
      if: steps.check-files.outputs.found == 'true' && inputs.format == 'sarif'
-      uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+      uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
      with:
        sarif_file: ${{ env.VALIDATED_WORKING_DIR }}/reports/tflint.sarif
        category: terraform-lint
Author	SHA1	Message	Date
renovate[bot]	fd4300674c	chore(deps): update actions/setup-dotnet action (v5.1.0 → v5.2.0) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-03-06 04:59:42 +00:00
renovate[bot]	c679f0c863	chore(deps): update pre-commit hook astral-sh/uv-pre-commit (0.10.7 → 0.10.8) (#486 ) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-03-06 02:51:06 +02:00
renovate[bot]	128b2f1713	chore(deps): update oven-sh/setup-bun action (v2.1.2 → v2.1.3) (#485 ) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-03-06 02:50:33 +02:00
renovate[bot]	08393e8063	chore(deps): update github/codeql-action action (v4.32.4 → v4.32.6) (#484 ) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-03-06 02:49:32 +02:00
renovate[bot]	ed9f205433	chore(deps): update aquasecurity/trivy-action action (0.34.1 → 0.34.2) (#483 ) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-03-06 02:49:00 +02:00
Copilot	ae4ad9ec80	fix: harden workflow permissions with deny-all top-level and least-privilege job scopes (#482 )	2026-03-06 02:44:56 +02:00
renovate[bot]	455267f892	chore(deps): update pre-commit hook bridgecrewio/checkov (3.2.506 → 3.2.507) (#487 ) Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-03-06 02:41:33 +02:00