ci(actions): update github-actions (minor and patch)

.github/actions/build-image/action.yml

@@ -102,7 +102,7 @@ runs:
   steps:
     - name: Login to Docker Hub
       if: inputs.dockerhub-username != '' && inputs.dockerhub-token != ''
-      uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
+      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  # v4.1.0
       with:
         registry: docker.io
         username: ${{ inputs.dockerhub-username }}
@@ -151,7 +151,7 @@ runs:
 
     - name: Build image (tar output)
       if: inputs.output-type == 'tar'
-      uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294  # v7.0.0
+      uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f  # v7.1.0
       with:
         context: ./build
         file: ./build/Containerfile
@@ -201,7 +201,7 @@ runs:
 
     - name: Build image (registry output)
       if: inputs.output-type == 'registry'
-      uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294  # v7.0.0
+      uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f  # v7.1.0
       with:
         context: ./build
         file: ./build/Containerfile

.github/actions/setup-env/action.yml

@@ -130,7 +130,7 @@ runs:
       with:
         enable-cache: true
         # Install a specific version of uv.
-        version: "0.10.0"
+        version: "0.11.8"
 
     - name: Wait before retrying uv install
       if: steps.setup-uv.outcome == 'failure'
@@ -144,7 +144,7 @@ runs:
       with:
         enable-cache: true
         # Install a specific version of uv.
-        version: "0.10.0"
+        version: "0.11.8"
 
     # ── retry() shell helper ───────────────────────────────────────────
     - name: Export retry helper function
@@ -210,7 +210,7 @@ runs:
     # Also installed when install-devcontainer-cli is true (npm is required)
     - name: Install Node.js
       if: inputs.install-node == 'true' || inputs.install-devcontainer-cli == 'true'
-      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
       with:
         node-version: ${{ inputs.node-version }}
 

.github/actions/test-project/action.yml

@@ -51,7 +51,7 @@ runs:
 
     - name: Cache pre-commit hooks
       if: inputs.suite == 'all' || inputs.suite == 'lint'
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
       with:
         path: ~/.cache/pre-commit
         key: pre-commit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }}
@@ -147,7 +147,7 @@ runs:
 
     - name: Upload coverage report
       if: always() && inputs.suite == 'all'
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
       with:
         name: coverage-report
         path: coverage.xml

.github/workflows/ci.yml

@@ -93,7 +93,7 @@ jobs:
           output-file: /tmp/image.tar
 
       - name: Upload image artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: container-image-${{ steps.version.outputs.version }}-amd64
           path: /tmp/image.tar
@@ -153,7 +153,7 @@ jobs:
 
       - name: Upload test artifacts on failure
         if: failure()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: integration-test-artifacts
           path: |
@@ -215,7 +215,7 @@ jobs:
 
       - name: Upload security reports as artifacts
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: python-security-reports
           path: |
@@ -256,9 +256,9 @@ jobs:
           path: /tmp
 
       - name: Scan image for vulnerabilities
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # v0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # v0.36.0
         with:
-          version: 'v0.69.3'
+          version: 'v0.70.0'
           input: /tmp/image.tar
           format: 'table'
           severity: 'HIGH,CRITICAL'
@@ -268,9 +268,9 @@ jobs:
 
       - name: Report unfixed HIGH/CRITICAL vulnerabilities (non-blocking)
         if: always()
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # v0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # v0.36.0
         with:
-          version: 'v0.69.3'
+          version: 'v0.70.0'
           input: /tmp/image.tar
           format: 'table'
           severity: 'HIGH,CRITICAL'
@@ -279,28 +279,28 @@ jobs:
 
       - name: Report MEDIUM severity vulnerabilities (non-blocking)
         if: always()
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # v0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # v0.36.0
         with:
-          version: 'v0.69.3'
+          version: 'v0.70.0'
           input: /tmp/image.tar
           format: 'table'
           severity: 'MEDIUM'
           exit-code: '0'  # Non-blocking report
 
       - name: Generate container SBOM (CycloneDX)
         if: always()
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # v0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # v0.36.0
         with:
-          version: 'v0.69.3'
+          version: 'v0.70.0'
           input: /tmp/image.tar
           format: 'cyclonedx'
           output: 'sbom-cyclonedx.json'
 
       - name: Generate SARIF report
         if: always()
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # v0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # v0.36.0
         with:
-          version: 'v0.69.3'
+          version: 'v0.70.0'
           input: /tmp/image.tar
           format: 'sarif'
           output: 'trivy-results.sarif'
@@ -309,7 +309,7 @@ jobs:
 
       - name: Upload SBOM artifact
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: sbom-${{ needs.build-image.outputs.version }}-amd64
           path: sbom-cyclonedx.json

.github/workflows/release.yml

@@ -783,9 +783,9 @@ jobs:
           ref: ${{ needs.finalize.outputs.finalize_sha }}
 
       - name: Scan image for vulnerabilities
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # v0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # v0.36.0
         with:
-          version: 'v0.69.3'
+          version: 'v0.70.0'
           input: /tmp/image.tar
           format: 'table'
           severity: 'HIGH,CRITICAL'
@@ -794,7 +794,7 @@ jobs:
           trivyignores: '.trivyignore'
 
       - name: Upload tested image
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: container-image-${{ needs.validate.outputs.publish_version }}-${{ matrix.arch }}
           path: /tmp/image.tar
@@ -1035,7 +1035,7 @@ jobs:
           format: spdx-json
 
       - name: Upload SBOM artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: sbom-${{ needs.validate.outputs.publish_version }}
           path: /tmp/sbom.spdx.json

.github/workflows/renovate-validate.yml

@@ -20,7 +20,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Setup Node
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v4.1.0
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4.4.0
         with:
           node-version: '20'
 

.github/workflows/security-scan.yml

@@ -65,9 +65,9 @@ jobs:
 
       - name: Scan latest image for all vulnerabilities
         if: steps.pull.outcome == 'success'
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # v0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # v0.36.0
         with:
-          version: 'v0.69.3'
+          version: 'v0.70.0'
           input: /tmp/image-latest.tar
           format: 'table'
           severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
@@ -78,9 +78,9 @@ jobs:
         id: gate
         if: steps.pull.outcome == 'success'
         continue-on-error: true
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # v0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # v0.36.0
         with:
-          version: 'v0.69.3'
+          version: 'v0.70.0'
           input: /tmp/image-latest.tar
           format: 'table'
           severity: 'HIGH,CRITICAL'
@@ -90,18 +90,18 @@ jobs:
 
       - name: Generate latest image SBOM (CycloneDX)
         if: steps.pull.outcome == 'success'
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # v0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # v0.36.0
         with:
-          version: 'v0.69.3'
+          version: 'v0.70.0'
           input: /tmp/image-latest.tar
           format: 'cyclonedx'
           output: 'sbom-latest-cyclonedx.json'
 
       - name: Generate latest image SARIF report
         if: steps.pull.outcome == 'success'
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1  # v0.35.0
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # v0.36.0
         with:
-          version: 'v0.69.3'
+          version: 'v0.70.0'
           input: /tmp/image-latest.tar
           format: 'sarif'
           output: 'trivy-latest-results.sarif'
@@ -110,7 +110,7 @@ jobs:
 
       - name: Upload latest SBOM artifact
         if: steps.pull.outcome == 'success'
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: sbom-latest
           path: sbom-latest-cyclonedx.json

.github/workflows/sync-issues.yml

@@ -95,7 +95,7 @@ jobs:
 
       - name: Restore sync state (last synced timestamp)
         id: restore-state
-        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
         with:
           path: .sync-state
           key: sync-issues-state-${{ github.repository }}
@@ -151,7 +151,7 @@ jobs:
 
       - name: Save sync state
         if: always()
-        uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
         with:
           path: .sync-state
           key: sync-issues-state-${{ github.repository }}

assets/workspace/.github/workflows/sync-issues.yml

@@ -91,7 +91,7 @@ jobs:
 
       - name: Restore sync state (last synced timestamp)
         id: restore-state
-        uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
         with:
           path: .sync-state
           key: sync-issues-state-${{ github.repository }}
@@ -147,7 +147,7 @@ jobs:
 
       - name: Save sync state
         if: always()
-        uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
         with:
           path: .sync-state
           key: sync-issues-state-${{ github.repository }}