chore: update action references to v2026 (f98ae7cd7d)

This commit updates all internal action references to point to the latest

v2026 tag SHA.

.coderabbit.yaml

@@ -1,18 +0,0 @@
----
-# yaml-language-server: $schema=https://www.coderabbit.ai/integrations/schema.v2.json
-remote_config:
-  url: 'https://raw.githubusercontent.com/ivuorinen/coderabbit/1985ff756ef62faf7baad0c884719339ffb652bd/coderabbit.yaml'
-path_instructions:
-  - path: '.serena/**/*'
-    instructions: >-
-      - These are files for Serena LLM. Do not review them.
-  - path: '**/*/README.md'
-    instructions: >-
-      - README.md files next to action.yml files are autogenerated
-        and should not be reviewed.
-      - README.md file in the root of the repository should be reviewed.
-      - README.md files for actions use `@main` version for the action as an illustration.
-        Do not review them.
-  - path: '**/*.md'
-    instructions: >-
-      - The repository uses CalVer for versioning. Do not review version numbers in the documentation.

.github/renovate.json

@@ -4,6 +4,8 @@
     "github>ivuorinen/renovate-config",
     "customManagers:biomeVersions"
   ],
+  "pinDigests": true,
+  "platformAutomerge": true,
   "packageRules": [
     {
       "matchUpdateTypes": [

.github/workflows/release.yml

@@ -19,3 +19,49 @@ jobs:
       - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
           generate_release_notes: true
+
+  provenance:
+    needs: release
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
+      - name: Create source archive
+        env:
+          TAG: ${{ github.ref_name }}
+        run: |
+          set -eu
+          git archive --format=tar.gz --prefix="${TAG}/" HEAD > "${TAG}-source.tar.gz"
+          sha256sum "${TAG}-source.tar.gz" > "${TAG}-source.tar.gz.sha256"
+      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-path: '${{ github.ref_name }}-source.tar.gz'
+      - name: Upload release assets
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          set -eu
+          gh release upload "$TAG" "${TAG}-source.tar.gz" "${TAG}-source.tar.gz.sha256" --clobber
+
+  sbom:
+    needs: release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
+      - uses: anchore/sbom-action@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.20.0
+        with:
+          format: cyclonedx-json
+          output-file: sbom.cdx.json
+      - name: Upload SBOM to release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ github.ref_name }}
+        run: |
+          set -eu
+          gh release upload "$TAG" sbom.cdx.json --clobber

.github/workflows/scorecard.yml

@@ -0,0 +1,58 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: Scorecard analysis workflow
+on:
+  push:
+    # Only the default branch is supported.
+    branches:
+      - main
+  schedule:
+    # Weekly on Saturdays.
+    - cron: '30 1 * * 6'
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed for Code scanning upload
+      security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+
+    steps:
+      - name: 'Checkout code'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: 'Run analysis'
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Scorecard team runs a weekly scan of public GitHub repos,
+          # see https://github.com/ossf/scorecard#public-data.
+          # Setting `publish_results: true` helps us scale by leveraging your workflow to
+          # extract the results instead of relying on our own infrastructure to run scans.
+          # And it's free for you!
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable
+      # uploads of run results in SARIF format to the repository Actions tab.
+      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
+      - name: 'Upload artifact'
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: 'Upload to code-scanning'
+        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        with:
+          sarif_file: results.sarif

.serena/project.yml

@@ -60,10 +60,75 @@ excluded_tools: []
 # initial prompt for the project. It will always be given to the LLM upon activating the project
 # (contrary to the memories, which are loaded on demand).
 initial_prompt: ''
-
+# the name by which the project can be referenced within Serena
 project_name: 'actions'
+
+# list of languages for which language servers are started; choose from:
+#   al                  bash                clojure             cpp                 csharp
+#   csharp_omnisharp    dart                elixir              elm                 erlang
+#   fortran             fsharp              go                  groovy              haskell
+#   java                julia               kotlin              lua                 markdown
+#   matlab              nix                 pascal              perl                php
+#   php_phpactor        powershell          python              python_jedi         r
+#   rego                ruby                ruby_solargraph     rust                scala
+#   swift               terraform           toml                typescript          typescript_vts
+#   vue                 yaml                zig
+#   (This list may be outdated. For the current list, see values of Language enum here:
+#   https://github.com/oraios/serena/blob/main/src/solidlsp/ls_config.py
+#   For some languages, there are alternative language servers, e.g. csharp_omnisharp, ruby_solargraph.)
+# Note:
+#   - For C, use cpp
+#   - For JavaScript, use typescript
+#   - For Free Pascal/Lazarus, use pascal
+# Special requirements:
+#   Some languages require additional setup/installations.
+#   See here for details: https://oraios.github.io/serena/01-about/020_programming-languages.html#language-servers
+# When using multiple languages, the first language server that supports a given file will be used for that file.
+# The first language is the default language and the respective language server will be used as a fallback.
+# Note that when using the JetBrains backend, language servers are not used and this list is correspondingly ignored.
 languages:
   - bash
   - python
+
+# list of tools to include that would otherwise be disabled (particularly optional tools that are disabled by default)
 included_optional_tools: []
+
+# the encoding used by text files in the project
+# For a list of possible encodings, see https://docs.python.org/3.11/library/codecs.html#standard-encodings
 encoding: utf-8
+
+# fixed set of tools to use as the base tool set (if non-empty), replacing Serena's default set of tools.
+# This cannot be combined with non-empty excluded_tools or included_optional_tools.
+fixed_tools: []
+
+# list of mode names to that are always to be included in the set of active modes
+# The full set of modes to be activated is base_modes + default_modes.
+# If the setting is undefined, the base_modes from the global configuration (serena_config.yml) apply.
+# Otherwise, this setting overrides the global configuration.
+# Set this to [] to disable base modes for this project.
+# Set this to a list of mode names to always include the respective modes for this project.
+base_modes:
+
+# list of mode names that are to be activated by default.
+# The full set of modes to be activated is base_modes + default_modes.
+# If the setting is undefined, the default_modes from the global configuration (serena_config.yml) apply.
+# Otherwise, this overrides the setting from the global configuration (serena_config.yml).
+# This setting can, in turn, be overridden by CLI parameters (--mode).
+default_modes:
+
+# time budget (seconds) per tool call for the retrieval of additional symbol information
+# such as docstrings or parameter information.
+# This overrides the corresponding setting in the global configuration; see the documentation there.
+# If null or missing, use the setting from the global configuration.
+symbol_info_budget:
+
+# The language backend to use for this project.
+# If not set, the global setting from serena_config.yml is used.
+# Valid values: LSP, JetBrains
+# Note: the backend is fixed at startup. If a project with a different backend
+# is activated post-init, an error will be returned.
+language_backend:
+
+# list of regex patterns which, when matched, mark a memory entry as read‑only.
+# Extends the list from the global configuration, merging the two lists.
+read_only_memory_patterns: []

CONTRIBUTING.md

@@ -0,0 +1,75 @@
+# Contributing to ivuorinen/actions
+
+Thank you for your interest in contributing to this GitHub Actions monorepo.
+
+## Reporting Issues
+
+- **Bugs**: Open an issue using the bug report template.
+- **Security vulnerabilities**: See [SECURITY.md](SECURITY.md) for responsible disclosure.
+- **Feature requests**: Open an issue describing the use case.
+
+## Development Setup
+
+1. Clone the repository:
+
+   ```bash
+   git clone https://github.com/ivuorinen/actions.git
+   cd actions
+   ```
+
+2. Install dependencies (Node.js, Python 3, ShellSpec, shellcheck, actionlint, ruff, prettier, markdownlint, yamllint).
+3. Run formatting, linting, and pre-commit checks:
+
+   ```bash
+   make all
+   ```
+
+4. Run the test suite:
+
+   ```bash
+   make test
+   ```
+
+## Code Style
+
+- **EditorConfig**: 2-space indentation, UTF-8, LF line endings, max 200 chars.
+- **Shell scripts**: POSIX `sh` with `set -eu`. No bash-only syntax.
+- **Python**: Formatted and linted with `ruff`.
+- **YAML/JSON/Markdown**: Formatted with `prettier`; linted with `yamllint` and `markdownlint`.
+- **Action references**: SHA-pinned in `action.yml` files. Date-based tags or commit SHAs for published refs.
+
+Run `make dev` (format + lint) to check your changes.
+
+## Pull Request Process
+
+1. Branch from `main`.
+2. Make focused changes (one feature or fix per PR).
+3. Ensure all checks pass: `make all` and `make test`.
+4. Follow existing patterns in the codebase.
+5. Update documentation if adding or modifying actions.
+
+## Testing
+
+```bash
+make test              # All tests (ShellSpec + pytest)
+make test-actions      # GitHub Actions tests only
+make test-python       # Python validation tests only
+make test-coverage     # All tests with coverage
+```
+
+See [\_tests/README.md](_tests/README.md) for details on the ShellSpec testing framework.
+
+## Adding a New Action
+
+Each action is a self-contained directory at the repository root containing:
+
+- `action.yml` with inputs, outputs, and runs definition
+- `README.md` generated via `action-docs` (`make docs`)
+- Tests in `_tests/`
+
+Do not manually edit sections between `<!--LISTING-->` markers in the root README.
+Use `npm run update-catalog` to regenerate the catalog.
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the [MIT License](LICENSE.md).

README.md

@@ -1,5 +1,7 @@
 # ivuorinen/actions - My Reusable GitHub Actions and Workflows
 
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/ivuorinen/actions/badge)](https://scorecard.dev/viewer/?uri=github.com/ivuorinen/actions)
+
 ## Overview
 
 This repository contains a collection of reusable GitHub Actions
@@ -27,73 +29,73 @@ This repository contains **26 reusable GitHub Actions** for CI/CD automation.
 ### Quick Reference (26 Actions)
 
 | Icon | Action                                               | Category   | Description                                                     | Key Features                                 |
-|:----:|:-----------------------------------------------------|:-----------|:----------------------------------------------------------------|:---------------------------------------------|
+| :--: | :--------------------------------------------------- | :--------- | :-------------------------------------------------------------- | :------------------------------------------- |
 |  🔀  | [`action-versioning`][action-versioning]             | Utilities  | Automatically update SHA-pinned action references to match l... | Token auth, Outputs                          |
 |  📦  | [`ansible-lint-fix`][ansible-lint-fix]               | Linting    | Lints and fixes Ansible playbooks, commits changes, and uplo... | Caching, Token auth, Outputs                 |
-|  ✅   | [`biome-lint`][biome-lint]                           | Linting    | Run Biome linter in check or fix mode                           | Caching, Auto-detection, Token auth, Outputs |
-| 🛡️  | [`codeql-analysis`][codeql-analysis]                 | Repository | Run CodeQL security analysis for a single language with conf... | Auto-detection, Token auth, Outputs          |
-| 🖼️  | [`compress-images`][compress-images]                 | Repository | Compress images on demand (workflow_dispatch), and at 11pm e... | Token auth, Outputs                          |
+|  ✅  | [`biome-lint`][biome-lint]                           | Linting    | Run Biome linter in check or fix mode                           | Caching, Auto-detection, Token auth, Outputs |
+|  🛡️  | [`codeql-analysis`][codeql-analysis]                 | Repository | Run CodeQL security analysis for a single language with conf... | Auto-detection, Token auth, Outputs          |
+|  🖼️  | [`compress-images`][compress-images]                 | Repository | Compress images on demand (workflow_dispatch), and at 11pm e... | Token auth, Outputs                          |
 |  📝  | [`csharp-build`][csharp-build]                       | Build      | Builds and tests C# projects.                                   | Caching, Auto-detection, Token auth, Outputs |
 |  📝  | [`csharp-lint-check`][csharp-lint-check]             | Linting    | Runs linters like StyleCop or dotnet-format for C# code styl... | Caching, Auto-detection, Token auth, Outputs |
 |  📦  | [`csharp-publish`][csharp-publish]                   | Publishing | Publishes a C# project to GitHub Packages.                      | Caching, Auto-detection, Token auth, Outputs |
 |  📦  | [`docker-build`][docker-build]                       | Build      | Builds a Docker image for multiple architectures with enhanc... | Caching, Auto-detection, Token auth, Outputs |
 |  ☁️  | [`docker-publish`][docker-publish]                   | Publishing | Simple wrapper to publish Docker images to GitHub Packages a... | Token auth, Outputs                          |
-|  ✅   | [`eslint-lint`][eslint-lint]                         | Linting    | Run ESLint in check or fix mode with advanced configuration ... | Caching, Auto-detection, Token auth, Outputs |
+|  ✅  | [`eslint-lint`][eslint-lint]                         | Linting    | Run ESLint in check or fix mode with advanced configuration ... | Caching, Auto-detection, Token auth, Outputs |
 |  📦  | [`go-build`][go-build]                               | Build      | Builds the Go project.                                          | Caching, Auto-detection, Token auth, Outputs |
 |  📝  | [`go-lint`][go-lint]                                 | Linting    | Run golangci-lint with advanced configuration, caching, and ... | Caching, Token auth, Outputs                 |
 |  📝  | [`language-version-detect`][language-version-detect] | Setup      | DEPRECATED: This action is deprecated. Inline version detect... | Auto-detection, Token auth, Outputs          |
 |  📦  | [`npm-publish`][npm-publish]                         | Publishing | Publishes the package to the NPM registry with configurable ... | Caching, Auto-detection, Token auth, Outputs |
-|  ✅   | [`php-tests`][php-tests]                             | Testing    | Run PHPUnit tests with optional Laravel setup and Composer d... | Caching, Auto-detection, Token auth, Outputs |
-|  ✅   | [`pr-lint`][pr-lint]                                 | Linting    | Runs MegaLinter against pull requests                           | Caching, Auto-detection, Token auth, Outputs |
+|  ✅  | [`php-tests`][php-tests]                             | Testing    | Run PHPUnit tests with optional Laravel setup and Composer d... | Caching, Auto-detection, Token auth, Outputs |
+|  ✅  | [`pr-lint`][pr-lint]                                 | Linting    | Runs MegaLinter against pull requests                           | Caching, Auto-detection, Token auth, Outputs |
 |  📦  | [`pre-commit`][pre-commit]                           | Linting    | Runs pre-commit on the repository and pushes the fixes back ... | Auto-detection, Token auth, Outputs          |
-|  ✅   | [`prettier-lint`][prettier-lint]                     | Linting    | Run Prettier in check or fix mode with advanced configuratio... | Caching, Auto-detection, Token auth, Outputs |
+|  ✅  | [`prettier-lint`][prettier-lint]                     | Linting    | Run Prettier in check or fix mode with advanced configuratio... | Caching, Auto-detection, Token auth, Outputs |
 |  📝  | [`python-lint-fix`][python-lint-fix]                 | Linting    | Lints and fixes Python files, commits changes, and uploads S... | Caching, Auto-detection, Token auth, Outputs |
 |  📦  | [`release-monthly`][release-monthly]                 | Repository | Creates a release for the current month, incrementing patch ... | Token auth, Outputs                          |
-| 🛡️  | [`security-scan`][security-scan]                     | Security   | Comprehensive security scanning for GitHub Actions including... | Caching, Token auth, Outputs                 |
+|  🛡️  | [`security-scan`][security-scan]                     | Security   | Comprehensive security scanning for GitHub Actions including... | Caching, Token auth, Outputs                 |
 |  📦  | [`stale`][stale]                                     | Repository | A GitHub Action to close stale issues and pull requests.        | Token auth, Outputs                          |
-| 🏷️  | [`sync-labels`][sync-labels]                         | Repository | Sync labels from a YAML file to a GitHub repository             | Token auth, Outputs                          |
-| 🖥️  | [`terraform-lint-fix`][terraform-lint-fix]           | Linting    | Lints and fixes Terraform files with advanced validation and... | Token auth, Outputs                          |
-| 🛡️  | [`validate-inputs`][validate-inputs]                 | Validation | Centralized Python-based input validation for GitHub Actions... | Token auth, Outputs                          |
+|  🏷️  | [`sync-labels`][sync-labels]                         | Repository | Sync labels from a YAML file to a GitHub repository             | Token auth, Outputs                          |
+|  🖥️  | [`terraform-lint-fix`][terraform-lint-fix]           | Linting    | Lints and fixes Terraform files with advanced validation and... | Token auth, Outputs                          |
+|  🛡️  | [`validate-inputs`][validate-inputs]                 | Validation | Centralized Python-based input validation for GitHub Actions... | Token auth, Outputs                          |
 
 ### Actions by Category
 
 #### 🔧 Setup (1 action)
 
 | Action                                                  | Description                                           | Languages                      | Features                            |
-|:--------------------------------------------------------|:------------------------------------------------------|:-------------------------------|:------------------------------------|
+| :------------------------------------------------------ | :---------------------------------------------------- | :----------------------------- | :---------------------------------- |
 | 📝 [`language-version-detect`][language-version-detect] | DEPRECATED: This action is deprecated. Inline vers... | PHP, Python, Go, .NET, Node.js | Auto-detection, Token auth, Outputs |
 
 #### 🛠️ Utilities (1 action)
 
 | Action                                      | Description                                           | Languages      | Features            |
-|:--------------------------------------------|:------------------------------------------------------|:---------------|:--------------------|
+| :------------------------------------------ | :---------------------------------------------------- | :------------- | :------------------ |
 | 🔀 [`action-versioning`][action-versioning] | Automatically update SHA-pinned action references ... | GitHub Actions | Token auth, Outputs |
 
 #### 📝 Linting (10 actions)
 
-| Action                                         | Description                                           | Languages                                    | Features                                     |
-|:-----------------------------------------------|:------------------------------------------------------|:---------------------------------------------|:---------------------------------------------|
-| 📦 [`ansible-lint-fix`][ansible-lint-fix]      | Lints and fixes Ansible playbooks, commits changes... | Ansible, YAML                                | Caching, Token auth, Outputs                 |
-| ✅ [`biome-lint`][biome-lint]                   | Run Biome linter in check or fix mode                 | JavaScript, TypeScript, JSON                 | Caching, Auto-detection, Token auth, Outputs |
-| 📝 [`csharp-lint-check`][csharp-lint-check]    | Runs linters like StyleCop or dotnet-format for C#... | C#, .NET                                     | Caching, Auto-detection, Token auth, Outputs |
-| ✅ [`eslint-lint`][eslint-lint]                 | Run ESLint in check or fix mode with advanced conf... | JavaScript, TypeScript                       | Caching, Auto-detection, Token auth, Outputs |
-| 📝 [`go-lint`][go-lint]                        | Run golangci-lint with advanced configuration, cac... | Go                                           | Caching, Token auth, Outputs                 |
-| ✅ [`pr-lint`][pr-lint]                         | Runs MegaLinter against pull requests                 | Conventional Commits                         | Caching, Auto-detection, Token auth, Outputs |
-| 📦 [`pre-commit`][pre-commit]                  | Runs pre-commit on the repository and pushes the f... | Python, Multiple Languages                   | Auto-detection, Token auth, Outputs          |
-| ✅ [`prettier-lint`][prettier-lint]             | Run Prettier in check or fix mode with advanced co... | JavaScript, TypeScript, Markdown, YAML, JSON | Caching, Auto-detection, Token auth, Outputs |
-| 📝 [`python-lint-fix`][python-lint-fix]        | Lints and fixes Python files, commits changes, and... | Python                                       | Caching, Auto-detection, Token auth, Outputs |
+| Action                                        | Description                                           | Languages                                    | Features                                     |
+| :-------------------------------------------- | :---------------------------------------------------- | :------------------------------------------- | :------------------------------------------- |
+| 📦 [`ansible-lint-fix`][ansible-lint-fix]     | Lints and fixes Ansible playbooks, commits changes... | Ansible, YAML                                | Caching, Token auth, Outputs                 |
+| ✅ [`biome-lint`][biome-lint]                 | Run Biome linter in check or fix mode                 | JavaScript, TypeScript, JSON                 | Caching, Auto-detection, Token auth, Outputs |
+| 📝 [`csharp-lint-check`][csharp-lint-check]   | Runs linters like StyleCop or dotnet-format for C#... | C#, .NET                                     | Caching, Auto-detection, Token auth, Outputs |
+| ✅ [`eslint-lint`][eslint-lint]               | Run ESLint in check or fix mode with advanced conf... | JavaScript, TypeScript                       | Caching, Auto-detection, Token auth, Outputs |
+| 📝 [`go-lint`][go-lint]                       | Run golangci-lint with advanced configuration, cac... | Go                                           | Caching, Token auth, Outputs                 |
+| ✅ [`pr-lint`][pr-lint]                       | Runs MegaLinter against pull requests                 | Conventional Commits                         | Caching, Auto-detection, Token auth, Outputs |
+| 📦 [`pre-commit`][pre-commit]                 | Runs pre-commit on the repository and pushes the f... | Python, Multiple Languages                   | Auto-detection, Token auth, Outputs          |
+| ✅ [`prettier-lint`][prettier-lint]           | Run Prettier in check or fix mode with advanced co... | JavaScript, TypeScript, Markdown, YAML, JSON | Caching, Auto-detection, Token auth, Outputs |
+| 📝 [`python-lint-fix`][python-lint-fix]       | Lints and fixes Python files, commits changes, and... | Python                                       | Caching, Auto-detection, Token auth, Outputs |
 | 🖥️ [`terraform-lint-fix`][terraform-lint-fix] | Lints and fixes Terraform files with advanced vali... | Terraform, HCL                               | Token auth, Outputs                          |
 
 #### 🧪 Testing (1 action)
 
-| Action                     | Description                                           | Languages    | Features                                     |
-|:---------------------------|:------------------------------------------------------|:-------------|:---------------------------------------------|
+| Action                      | Description                                           | Languages    | Features                                     |
+| :-------------------------- | :---------------------------------------------------- | :----------- | :------------------------------------------- |
 | ✅ [`php-tests`][php-tests] | Run PHPUnit tests with optional Laravel setup and ... | PHP, Laravel | Caching, Auto-detection, Token auth, Outputs |
 
 #### 🏗️ Build (3 actions)
 
 | Action                            | Description                                           | Languages | Features                                     |
-|:----------------------------------|:------------------------------------------------------|:----------|:---------------------------------------------|
+| :-------------------------------- | :---------------------------------------------------- | :-------- | :------------------------------------------- |
 | 📝 [`csharp-build`][csharp-build] | Builds and tests C# projects.                         | C#, .NET  | Caching, Auto-detection, Token auth, Outputs |
 | 📦 [`docker-build`][docker-build] | Builds a Docker image for multiple architectures w... | Docker    | Caching, Auto-detection, Token auth, Outputs |
 | 📦 [`go-build`][go-build]         | Builds the Go project.                                | Go        | Caching, Auto-detection, Token auth, Outputs |
@@ -101,68 +103,68 @@ This repository contains **26 reusable GitHub Actions** for CI/CD automation.
 #### 🚀 Publishing (3 actions)
 
 | Action                                | Description                                           | Languages    | Features                                     |
-|:--------------------------------------|:------------------------------------------------------|:-------------|:---------------------------------------------|
+| :------------------------------------ | :---------------------------------------------------- | :----------- | :------------------------------------------- |
 | 📦 [`csharp-publish`][csharp-publish] | Publishes a C# project to GitHub Packages.            | C#, .NET     | Caching, Auto-detection, Token auth, Outputs |
 | ☁️ [`docker-publish`][docker-publish] | Simple wrapper to publish Docker images to GitHub ... | Docker       | Token auth, Outputs                          |
 | 📦 [`npm-publish`][npm-publish]       | Publishes the package to the NPM registry with con... | Node.js, npm | Caching, Auto-detection, Token auth, Outputs |
 
 #### 📦 Repository (5 actions)
 
-| Action                                   | Description                                           | Languages                                               | Features                            |
-|:-----------------------------------------|:------------------------------------------------------|:--------------------------------------------------------|:------------------------------------|
+| Action                                  | Description                                           | Languages                                               | Features                            |
+| :-------------------------------------- | :---------------------------------------------------- | :------------------------------------------------------ | :---------------------------------- |
 | 🛡️ [`codeql-analysis`][codeql-analysis] | Run CodeQL security analysis for a single language... | JavaScript, TypeScript, Python, Java, C#, C++, Go, Ruby | Auto-detection, Token auth, Outputs |
 | 🖼️ [`compress-images`][compress-images] | Compress images on demand (workflow_dispatch), and... | Images, PNG, JPEG                                       | Token auth, Outputs                 |
-| 📦 [`release-monthly`][release-monthly]  | Creates a release for the current month, increment... | GitHub Actions                                          | Token auth, Outputs                 |
-| 📦 [`stale`][stale]                      | A GitHub Action to close stale issues and pull req... | GitHub Actions                                          | Token auth, Outputs                 |
+| 📦 [`release-monthly`][release-monthly] | Creates a release for the current month, increment... | GitHub Actions                                          | Token auth, Outputs                 |
+| 📦 [`stale`][stale]                     | A GitHub Action to close stale issues and pull req... | GitHub Actions                                          | Token auth, Outputs                 |
 | 🏷️ [`sync-labels`][sync-labels]         | Sync labels from a YAML file to a GitHub repositor... | YAML, GitHub                                            | Token auth, Outputs                 |
 
 #### 🛡️ Security (1 action)
 
-| Action                               | Description                                           | Languages | Features                     |
-|:-------------------------------------|:------------------------------------------------------|:----------|:-----------------------------|
+| Action                              | Description                                           | Languages | Features                     |
+| :---------------------------------- | :---------------------------------------------------- | :-------- | :--------------------------- |
 | 🛡️ [`security-scan`][security-scan] | Comprehensive security scanning for GitHub Actions... | -         | Caching, Token auth, Outputs |
 
 #### ✅ Validation (1 action)
 
-| Action                                   | Description                                           | Languages            | Features            |
-|:-----------------------------------------|:------------------------------------------------------|:---------------------|:--------------------|
+| Action                                  | Description                                           | Languages            | Features            |
+| :-------------------------------------- | :---------------------------------------------------- | :------------------- | :------------------ |
 | 🛡️ [`validate-inputs`][validate-inputs] | Centralized Python-based input validation for GitH... | YAML, GitHub Actions | Token auth, Outputs |
 
 ### Feature Matrix
 
 | Action                                               | Caching | Auto-detection | Token auth | Outputs |
-|:-----------------------------------------------------|:-------:|:--------------:|:----------:|:-------:|
-| [`action-versioning`][action-versioning]             |    -    |       -        |     ✅      |    ✅    |
-| [`ansible-lint-fix`][ansible-lint-fix]               |    ✅    |       -        |     ✅      |    ✅    |
-| [`biome-lint`][biome-lint]                           |    ✅    |       ✅        |     ✅      |    ✅    |
-| [`codeql-analysis`][codeql-analysis]                 |    -    |       ✅        |     ✅      |    ✅    |
-| [`compress-images`][compress-images]                 |    -    |       -        |     ✅      |    ✅    |
-| [`csharp-build`][csharp-build]                       |    ✅    |       ✅        |     ✅      |    ✅    |
-| [`csharp-lint-check`][csharp-lint-check]             |    ✅    |       ✅        |     ✅      |    ✅    |
-| [`csharp-publish`][csharp-publish]                   |    ✅    |       ✅        |     ✅      |    ✅    |
-| [`docker-build`][docker-build]                       |    ✅    |       ✅        |     ✅      |    ✅    |
-| [`docker-publish`][docker-publish]                   |    -    |       -        |     ✅      |    ✅    |
-| [`eslint-lint`][eslint-lint]                         |    ✅    |       ✅        |     ✅      |    ✅    |
-| [`go-build`][go-build]                               |    ✅    |       ✅        |     ✅      |    ✅    |
-| [`go-lint`][go-lint]                                 |    ✅    |       -        |     ✅      |    ✅    |
-| [`language-version-detect`][language-version-detect] |    -    |       ✅        |     ✅      |    ✅    |
-| [`npm-publish`][npm-publish]                         |    ✅    |       ✅        |     ✅      |    ✅    |
-| [`php-tests`][php-tests]                             |    ✅    |       ✅        |     ✅      |    ✅    |
-| [`pr-lint`][pr-lint]                                 |    ✅    |       ✅        |     ✅      |    ✅    |
-| [`pre-commit`][pre-commit]                           |    -    |       ✅        |     ✅      |    ✅    |
-| [`prettier-lint`][prettier-lint]                     |    ✅    |       ✅        |     ✅      |    ✅    |
-| [`python-lint-fix`][python-lint-fix]                 |    ✅    |       ✅        |     ✅      |    ✅    |
-| [`release-monthly`][release-monthly]                 |    -    |       -        |     ✅      |    ✅    |
-| [`security-scan`][security-scan]                     |    ✅    |       -        |     ✅      |    ✅    |
-| [`stale`][stale]                                     |    -    |       -        |     ✅      |    ✅    |
-| [`sync-labels`][sync-labels]                         |    -    |       -        |     ✅      |    ✅    |
-| [`terraform-lint-fix`][terraform-lint-fix]           |    -    |       -        |     ✅      |    ✅    |
-| [`validate-inputs`][validate-inputs]                 |    -    |       -        |     ✅      |    ✅    |
+| :--------------------------------------------------- | :-----: | :------------: | :--------: | :-----: |
+| [`action-versioning`][action-versioning]             |    -    |       -        |     ✅     |   ✅    |
+| [`ansible-lint-fix`][ansible-lint-fix]               |   ✅    |       -        |     ✅     |   ✅    |
+| [`biome-lint`][biome-lint]                           |   ✅    |       ✅       |     ✅     |   ✅    |
+| [`codeql-analysis`][codeql-analysis]                 |    -    |       ✅       |     ✅     |   ✅    |
+| [`compress-images`][compress-images]                 |    -    |       -        |     ✅     |   ✅    |
+| [`csharp-build`][csharp-build]                       |   ✅    |       ✅       |     ✅     |   ✅    |
+| [`csharp-lint-check`][csharp-lint-check]             |   ✅    |       ✅       |     ✅     |   ✅    |
+| [`csharp-publish`][csharp-publish]                   |   ✅    |       ✅       |     ✅     |   ✅    |
+| [`docker-build`][docker-build]                       |   ✅    |       ✅       |     ✅     |   ✅    |
+| [`docker-publish`][docker-publish]                   |    -    |       -        |     ✅     |   ✅    |
+| [`eslint-lint`][eslint-lint]                         |   ✅    |       ✅       |     ✅     |   ✅    |
+| [`go-build`][go-build]                               |   ✅    |       ✅       |     ✅     |   ✅    |
+| [`go-lint`][go-lint]                                 |   ✅    |       -        |     ✅     |   ✅    |
+| [`language-version-detect`][language-version-detect] |    -    |       ✅       |     ✅     |   ✅    |
+| [`npm-publish`][npm-publish]                         |   ✅    |       ✅       |     ✅     |   ✅    |
+| [`php-tests`][php-tests]                             |   ✅    |       ✅       |     ✅     |   ✅    |
+| [`pr-lint`][pr-lint]                                 |   ✅    |       ✅       |     ✅     |   ✅    |
+| [`pre-commit`][pre-commit]                           |    -    |       ✅       |     ✅     |   ✅    |
+| [`prettier-lint`][prettier-lint]                     |   ✅    |       ✅       |     ✅     |   ✅    |
+| [`python-lint-fix`][python-lint-fix]                 |   ✅    |       ✅       |     ✅     |   ✅    |
+| [`release-monthly`][release-monthly]                 |    -    |       -        |     ✅     |   ✅    |
+| [`security-scan`][security-scan]                     |   ✅    |       -        |     ✅     |   ✅    |
+| [`stale`][stale]                                     |    -    |       -        |     ✅     |   ✅    |
+| [`sync-labels`][sync-labels]                         |    -    |       -        |     ✅     |   ✅    |
+| [`terraform-lint-fix`][terraform-lint-fix]           |    -    |       -        |     ✅     |   ✅    |
+| [`validate-inputs`][validate-inputs]                 |    -    |       -        |     ✅     |   ✅    |
 
 ### Language Support
 
 | Language             | Actions                                                                                                                                                            |
-|:---------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| :------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | .NET                 | [`csharp-build`][csharp-build], [`csharp-lint-check`][csharp-lint-check], [`csharp-publish`][csharp-publish], [`language-version-detect`][language-version-detect] |
 | Ansible              | [`ansible-lint-fix`][ansible-lint-fix]                                                                                                                             |
 | C#                   | [`codeql-analysis`][codeql-analysis], [`csharp-build`][csharp-build], [`csharp-lint-check`][csharp-lint-check], [`csharp-publish`][csharp-publish]                 |

_tools/docker-testing-tools/Dockerfile

@@ -10,7 +10,7 @@ ARG ACT_VERSION=0.2.71
 ARG SHELLSPEC_VERSION=0.28.1
 
 # Stage 1: Build kcov separately to keep final image slim
-FROM ubuntu:24.04 AS kcov-builder
+FROM ubuntu:24.04@sha256:d1e2e92c075e5ca139d51a140fff46f84315c0fdce203eab2807c7e495eff4f9 AS kcov-builder
 
 ARG KCOV_VERSION
 
@@ -43,7 +43,7 @@ RUN cmake .. \
   && make install DESTDIR=/kcov-install
 
 # Stage 2: Base system setup
-FROM ubuntu:24.04 AS base
+FROM ubuntu:24.04@sha256:d1e2e92c075e5ca139d51a140fff46f84315c0fdce203eab2807c7e495eff4f9 AS base
 
 LABEL maintainer="ivuorinen"
 LABEL description="GitHub Actions testing framework with pre-installed tools"

ansible-lint-fix/action.yml

@@ -45,7 +45,7 @@ runs:
   steps:
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
+      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
       with:
         action-type: 'ansible-lint-fix'
         token: ${{ inputs.token }}

codeql-analysis/action.yml

@@ -107,7 +107,7 @@ runs:
   using: composite
   steps:
     - name: Validate inputs
-      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
+      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
       with:
         action-type: codeql-analysis
         language: ${{ inputs.language }}

csharp-publish/action.yml

@@ -55,7 +55,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
+      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
       with:
         action-type: 'csharp-publish'
         token: ${{ inputs.token }}

docker-build/action.yml

@@ -147,7 +147,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
+      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
       with:
         action-type: 'docker-build'
         image-name: ${{ inputs.image-name }}
@@ -536,7 +536,7 @@ runs:
     - name: Scan Image for Vulnerabilities
       id: scan
       if: inputs.scan-image == 'true' && inputs.dry-run != 'true'
-      uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # 0.34.2
+      uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
       with:
         scan-type: 'image'
         image-ref: ${{ steps.image-name.outputs.name }}:${{ inputs.tag }}

pr-lint/action.yml

@@ -40,7 +40,7 @@ runs:
   steps:
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
+      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
       with:
         action-type: pr-lint
         token: ${{ inputs.token }}

pre-commit/action.yml

@@ -49,7 +49,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
+      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
       with:
         action-type: 'pre-commit'
         token: ${{ inputs.token }}

python-lint-fix/action.yml

@@ -64,7 +64,7 @@ runs:
   steps:
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
+      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
       with:
         action-type: 'python-lint-fix'
         token: ${{ inputs.token }}

security-scan/action.yml

@@ -65,7 +65,7 @@ runs:
   steps:
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
+      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
       with:
         action-type: security-scan
         gitleaks-license: ${{ inputs.gitleaks-license }}

stale/action.yml

@@ -43,7 +43,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
+      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
       with:
         action-type: 'stale'
         token: ${{ inputs.token || github.token }}

terraform-lint-fix/action.yml

@@ -78,7 +78,7 @@ runs:
 
     - name: Validate Inputs
       id: validate
-      uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
+      uses: ivuorinen/actions/validate-inputs@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73
       with:
         action-type: 'terraform-lint-fix'
         token: ${{ inputs.token || github.token }}