update: bump the gh-actions-packages group across 1 directory with 7 updates

.github/workflows/.reusable-build.yml

@@ -63,7 +63,7 @@ jobs:
  build_labels: ${{ steps.get_context.outputs.build_labels }}
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Get context
  id: get_context
  uses: ./.github/actions/context
@@ -79,7 +79,7 @@ jobs:
  packages: write
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Build semgr8s
  id: build
  uses: ./.github/actions/build

.github/workflows/.reusable-cleanup-registry.yml

@@ -10,7 +10,7 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Cleanup test images
- uses: snok/container-retention-policy@b56f4ff7539c1f94f01e5dc726671cd619aa8072 # v2.2.1
+ uses: snok/container-retention-policy@4f22ef80902ad409ed55a99dc5133cc1250a0d03 # v3.0.0
  with:
  image-names: semgr8s-test
  cut-off: three weeks ago UTC+1
@@ -19,7 +19,7 @@ jobs:
  org-name: semgr8ns
  token: ${{ secrets.GHCR_PAT }}
  - name: Cleanup dangling images without tag
- uses: snok/container-retention-policy@b56f4ff7539c1f94f01e5dc726671cd619aa8072 # v2.2.1
+ uses: snok/container-retention-policy@4f22ef80902ad409ed55a99dc5133cc1250a0d03 # v3.0.0
  with:
  image-names: semgr8s*
  untagged-only: true
@@ -29,7 +29,7 @@ jobs:
  org-name: semgr8ns
  token: ${{ secrets.GHCR_PAT }}
  # - name: Cleanup all images
- # uses: snok/container-retention-policy@b56f4ff7539c1f94f01e5dc726671cd619aa8072 # v2.2.1
+ # uses: snok/container-retention-policy@4f22ef80902ad409ed55a99dc5133cc1250a0d03 # v3.0.0
  # with:
  # image-names: semgr8s
  # skip-tags: main, dev, "v*.*.*", "sha256-*"

.github/workflows/.reusable-compliance.yml

@@ -22,7 +22,7 @@ jobs:
  security-events: write
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  with:
  persist-credentials: false
  - name: Analyze
@@ -33,7 +33,7 @@ jobs:
  repo_token: ${{ secrets.SCORECARD_TOKEN }}
  publish_results: false #TODO: reactivate when working again
  - name: Upload
- uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+ uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
  with:
  sarif_file: results.sarif
 
@@ -49,9 +49,9 @@ jobs:
  pull-requests: write
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Review
- uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2
+ uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
  with:
  comment-summary-in-pr: always
 
@@ -63,7 +63,7 @@ jobs:
  permissions: {}
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  with:
  ref: ${{ github.event.pull_request.head.sha }} # Otherwise will checkout merge commit, which isn't conform
  fetch-depth: ${{ github.event.pull_request.commits }} # Fetch all commits of the MR, but only those

.github/workflows/.reusable-docs.yml

@@ -20,7 +20,7 @@ jobs:
  contents: write
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  with:
  fetch-depth: 0
  - name: Set release env

.github/workflows/.reusable-integration-test.yml

@@ -47,7 +47,7 @@ jobs:
  ]
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Login with registry
  uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
  with:
@@ -102,7 +102,7 @@ jobs:
  ]
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Login with registry
  uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
  with:
@@ -157,7 +157,7 @@ jobs:
  ]
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Login with registry
  uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
  with:
@@ -212,7 +212,7 @@ jobs:
  ]
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Login with registry
  uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
  with:

.github/workflows/.reusable-sast.yml

@@ -25,7 +25,7 @@ jobs:
  security-events: write
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Install python
  uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
  with:
@@ -48,7 +48,7 @@ jobs:
  run: bandit -r -f sarif -o bandit-results.sarif semgr8s/ --exit-zero
  - name: Upload
  if: inputs.output == 'sarif'
- uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+ uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
  with:
  sarif_file: 'bandit-results.sarif'
 
@@ -60,7 +60,7 @@ jobs:
  inputs.skip != 'all'
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Install python
  uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
  with:
@@ -89,7 +89,7 @@ jobs:
  security-events: write
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Render Helm charts
  run: |
  rm -rf tests # remove 'tests' folder from scan
@@ -99,22 +99,22 @@ jobs:
  shell: bash
  - name: Scan
  if: inputs.output == 'table'
- uses: bridgecrewio/checkov-action@cbef505ba3282486a24541d7c862e19266ad0d96 # v12.2762.0
+ uses: bridgecrewio/checkov-action@ebff1eb63648a05e86b2f15cfe439551a7d70070 # v12.2787.0
  with:
  skip_check: CKV_DOCKER_2
  output_format: cli
  soft_fail: false
  - name: Scan
  if: inputs.output == 'sarif'
- uses: bridgecrewio/checkov-action@cbef505ba3282486a24541d7c862e19266ad0d96 # v12.2762.0
+ uses: bridgecrewio/checkov-action@ebff1eb63648a05e86b2f15cfe439551a7d70070 # v12.2787.0
  with:
  skip_check: CKV_DOCKER_2
  output_file_path: console,checkov-results.sarif
  output_format: cli,sarif
  soft_fail: true
  - name: Upload
  if: inputs.output == 'sarif'
- uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+ uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
  with:
  sarif_file: checkov-results.sarif
 
@@ -129,13 +129,13 @@ jobs:
  pull-requests: read
  steps:
  - name: Checkout repository
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Initialize CodeQL
- uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+ uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
  with:
  languages: 'python'
  - name: Analyze
- uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+ uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
 
  hadolint:
  runs-on: ubuntu-latest
@@ -147,7 +147,7 @@ jobs:
  security-events: write
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Scan
  uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
  if: inputs.output == 'table'
@@ -164,7 +164,7 @@ jobs:
  no-fail: true
  output-file: hadolint-results.sarif
  - name: Upload
- uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+ uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
  if: inputs.output == 'sarif'
  with:
  sarif_file: 'hadolint-results.sarif'
@@ -179,7 +179,7 @@ jobs:
  security-events: write
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Scan
  uses: stackrox/kube-linter-action@5792edc6a03735d592b13c08201711327a935735 # v1.0.5
  if: inputs.output == 'table'
@@ -197,7 +197,7 @@ jobs:
  format: sarif
  output-file: kubelinter-results.sarif
  - name: Upload
- uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+ uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
  if: inputs.output == 'sarif'
  with:
  sarif_file: 'kubelinter-results.sarif'
@@ -209,7 +209,7 @@ jobs:
  inputs.skip != 'all'
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Install python
  uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
  with:
@@ -241,15 +241,15 @@ jobs:
  SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Scan
  if: inputs.output == 'table'
  run: semgrep ci --config=auto --suppress-errors --text
  - name: Scan
  if: inputs.output == 'sarif'
  run: semgrep ci --config=auto --suppress-errors --sarif --output=semgrep-results.sarif || exit 0
  - name: Upload
- uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+ uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
  if: inputs.output == 'sarif'
  with:
  sarif_file: semgrep-results.sarif
@@ -265,7 +265,7 @@ jobs:
  security-events: write
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Run Trivy
  uses: ./.github/actions/trivy-config
  with:

.github/workflows/.reusable-sca.yml

@@ -41,7 +41,7 @@ jobs:
  image: docker:stable
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Run
  uses: ./.github/actions/trivy-image
  with:
@@ -64,7 +64,7 @@ jobs:
  image: docker:stable
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Run
  uses: ./.github/actions/grype
  with:

.github/workflows/.reusable-unit-test.yml

@@ -19,11 +19,11 @@ jobs:
  if: inputs.skip != 'all'
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Set up Docker buildx
  uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
  - name: Build test image
- uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+ uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
  with:
  push: false
  load: true
@@ -46,7 +46,7 @@ jobs:
  pytest-coverage-path: tests/pytest-coverage.txt
  junitxml-path: tests/pytest.xml
  - name: Publish Test Report
- uses: mikepenz/action-junit-report@9379f0ccddcab154835d4e2487555ee79614fe95 # v4.2.1
+ uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # v4.3.1
  if: success() || failure() # always run even if the previous step fails
  with:
  report_paths: 'tests/pytest.xml'
@@ -59,7 +59,7 @@ jobs:
  inputs.skip != 'all'
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Install python
  uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
  with:
@@ -88,7 +88,7 @@ jobs:
  inputs.skip != 'all'
  steps:
  - name: Checkout code
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - name: Install python
  uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
  with:

.github/workflows/semgrep.yml

@@ -18,5 +18,5 @@ jobs:
  container:
  image: semgrep/semgrep
  steps:
- - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
  - run: semgrep ci