From 743869dabf669fd2d89329eedc37a4bf0f64d9d8 Mon Sep 17 00:00:00 2001 From: mrz1836 Date: Wed, 3 Jun 2026 15:44:41 -0400 Subject: [PATCH] sync(ci): update GitHub Actions to v6.0.3 and Go 1.26.4 --- .github/actions/warm-cache/action.yml | 4 ++-- .github/env/00-core.env | 2 +- .github/workflows/auto-merge-on-approval.yml | 2 +- .github/workflows/codeql-analysis.yml | 8 ++++---- .github/workflows/dependabot-auto-merge.yml | 2 +- .github/workflows/fortress-benchmarks.yml | 2 +- .github/workflows/fortress-code-quality.yml | 4 ++-- .github/workflows/fortress-completion-report.yml | 2 +- .github/workflows/fortress-coverage.yml | 4 ++-- .github/workflows/fortress-pre-commit.yml | 2 +- .github/workflows/fortress-release.yml | 2 +- .github/workflows/fortress-security-scans.yml | 4 ++-- .github/workflows/fortress-setup-config.yml | 6 +++--- .github/workflows/fortress-test-fuzz.yml | 2 +- .github/workflows/fortress-test-matrix.yml | 2 +- .github/workflows/fortress-test-suite.yml | 2 +- .github/workflows/fortress-warm-cache.yml | 4 ++-- .github/workflows/pull-request-management.yml | 4 ++-- .github/workflows/scorecard.yml | 4 ++-- .github/workflows/stale-check.yml | 2 +- .github/workflows/sync-labels.yml | 4 ++-- 21 files changed, 34 insertions(+), 34 deletions(-) diff --git a/.github/actions/warm-cache/action.yml b/.github/actions/warm-cache/action.yml index 3552720..0231aa8 100644 --- a/.github/actions/warm-cache/action.yml +++ b/.github/actions/warm-cache/action.yml @@ -267,7 +267,7 @@ runs: # ──────────────────────────────────────────────────────────────────────────── - name: 📥 Full checkout for module download (module cache miss) if: steps.setup-go.outputs.module-cache-hit != 'true' - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false 
@@ -306,7 +306,7 @@ runs: # ──────────────────────────────────────────────────────────────────────────── - name: 📥 Full checkout for build warming (module hit, build miss) if: steps.setup-go.outputs.module-cache-hit == 'true' && steps.setup-go.outputs.build-cache-hit != 'true' - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/env/00-core.env b/.github/env/00-core.env index 77fe3e9..a4fcf3d 100644 --- a/.github/env/00-core.env +++ b/.github/env/00-core.env @@ -29,7 +29,7 @@ GO_PRIMARY_VERSION=1.24.x GO_SECONDARY_VERSION=1.24.x # Govulncheck-specific Go version for vulnerability scanning -GOVULNCHECK_GO_VERSION=1.26.3 +GOVULNCHECK_GO_VERSION=1.26.4 # ================================================================================================ # 📦 GO MODULE CONFIGURATION diff --git a/.github/workflows/auto-merge-on-approval.yml b/.github/workflows/auto-merge-on-approval.yml index 3ce3329..c91b490 100644 --- a/.github/workflows/auto-merge-on-approval.yml +++ b/.github/workflows/auto-merge-on-approval.yml @@ -98,7 +98,7 @@ jobs: # empty on pull_request_review, where `github.ref` is refs/pull//merge (PR-controlled). # Read the base branch directly from the event payload so it is the trusted base ref for # BOTH triggers. Env files and the action are not modified there, so base-ref loading is safe. - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.event.pull_request.base.ref }} persist-credentials: false diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 1c08c9a..1217d92 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -43,13 +43,13 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -60,7 +60,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/autobuild@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -70,4 +70,4 @@ jobs: # uses a compiled language - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1 diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 2da4138..dd9f629 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml 
@@ -94,7 +94,7 @@ jobs: # write) can never be a PR-controlled version. Default checkout on pull_request # events resolves to the PR head. Lower risk here (job is gated to dependabot[bot]), # but pinned for defense-in-depth and consistency with the other PR workflows. - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.base_ref || github.ref }} persist-credentials: false diff --git a/.github/workflows/fortress-benchmarks.yml b/.github/workflows/fortress-benchmarks.yml index 3019476..ca96639 100644 --- a/.github/workflows/fortress-benchmarks.yml +++ b/.github/workflows/fortress-benchmarks.yml @@ -129,7 +129,7 @@ jobs: # Checkout code and set up Go environment # -------------------------------------------------------------------- - name: 📥 Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/fortress-code-quality.yml b/.github/workflows/fortress-code-quality.yml index 92fd5b6..dfbec73 100644 --- a/.github/workflows/fortress-code-quality.yml +++ b/.github/workflows/fortress-code-quality.yml @@ -80,7 +80,7 @@ jobs: # Shared setup # -------------------------------------------------------------------- - name: 📥 Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -449,7 +449,7 @@ jobs: # Checkout code (required for local actions) # -------------------------------------------------------------------- - name: 📥 Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false 
diff --git a/.github/workflows/fortress-completion-report.yml b/.github/workflows/fortress-completion-report.yml index 64949dc..4e1bc32 100644 --- a/.github/workflows/fortress-completion-report.yml +++ b/.github/workflows/fortress-completion-report.yml @@ -138,7 +138,7 @@ jobs: # Checkout repository for local actions and helper scripts # -------------------------------------------------------------------- - name: 📥 Checkout Repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/fortress-coverage.yml b/.github/workflows/fortress-coverage.yml index af63291..f77f4d6 100644 --- a/.github/workflows/fortress-coverage.yml +++ b/.github/workflows/fortress-coverage.yml @@ -153,7 +153,7 @@ jobs: echo "✅ Branch helper functions created" - name: 📥 Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0 # Fetch all history including tags for version display @@ -2441,7 +2441,7 @@ jobs: done - name: 📥 Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 2 # Need history for codecov to detect changes diff --git a/.github/workflows/fortress-pre-commit.yml b/.github/workflows/fortress-pre-commit.yml index 462de9a..ce9a23c 100644 --- a/.github/workflows/fortress-pre-commit.yml +++ b/.github/workflows/fortress-pre-commit.yml 
@@ -67,7 +67,7 @@ jobs: # Checkout code (full checkout to ensure local actions are available) # -------------------------------------------------------------------- - name: 📥 Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0 # Fetch full history to enable file change detection for all commit ranges diff --git a/.github/workflows/fortress-release.yml b/.github/workflows/fortress-release.yml index 6fd6822..9985dde 100644 --- a/.github/workflows/fortress-release.yml +++ b/.github/workflows/fortress-release.yml @@ -62,7 +62,7 @@ jobs: # Checkout code and set up Go environment # -------------------------------------------------------------------- - name: 📥 Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 # Required for changelog generation token: ${{ secrets.github-token }} diff --git a/.github/workflows/fortress-security-scans.yml b/.github/workflows/fortress-security-scans.yml index d10de10..b2dace8 100644 --- a/.github/workflows/fortress-security-scans.yml +++ b/.github/workflows/fortress-security-scans.yml @@ -95,7 +95,7 @@ jobs: # SHARED SETUP # ==================================================================== - name: 📥 Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0 # Full history required for Gitleaks (other scans tolerate this) 
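Review bot: The bumped checkout in `fortress-release.yml` is the only one in this patch whose visible `with:` block passes a token (`token: ${{ secrets.github-token }}`) and shows no `persist-credentials: false`; every other bumped checkout sets it. The `with:` block continues past the end of the hunk, so the setting may already be there; if it is not, the token stays in the workspace git configuration for every later step of the release job. If the later steps do not need git access through that stored credential, add `persist-credentials: false`; if they do, a one-line comment saying why credentials are persisted here would document the exception.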
@@ -500,7 +500,7 @@ jobs: # NOTE: gitleaks/gitleaks-action@v2.3.9 is the latest release and still uses Node.js 20. # This will trigger a "Node.js 20 actions are deprecated" warning until the gitleaks # maintainers release a new version with Node.js 24 support. Expected and harmless for now. - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9 + uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3.0.0 env: GITHUB_TOKEN: ${{ github.token }} GITLEAKS_LICENSE: ${{ secrets.gitleaks-license }} diff --git a/.github/workflows/fortress-setup-config.yml b/.github/workflows/fortress-setup-config.yml index 9b2fd62..79453a9 100644 --- a/.github/workflows/fortress-setup-config.yml +++ b/.github/workflows/fortress-setup-config.yml @@ -235,7 +235,7 @@ jobs: # ENVIRONMENT LOAD # ==================================================================== - name: 📥 Checkout (env loader) - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false sparse-checkout: | @@ -320,14 +320,14 @@ jobs: # -------------------------------------------------------------------- - name: 📥 Checkout (full - MAGE-X local build) if: env.MAGE_X_USE_LOCAL == 'true' - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0 - name: 📥 Checkout (sparse) if: env.MAGE_X_USE_LOCAL != 'true' - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 0 # Required so the magex `metrics:mage` step can read git metadata diff --git a/.github/workflows/fortress-test-fuzz.yml b/.github/workflows/fortress-test-fuzz.yml index 58f371a..f7ca7fe 100644 
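Review bot: The NOTE comment directly above the changed `uses:` line in the `@@ -500,7 +500,7 @@` hunk still says `gitleaks/gitleaks-action@v2.3.9` is the latest release and runs on Node.js 20, which the new pin to v3.0.0 contradicts. Update or drop it, for example `# NOTE: pinned to gitleaks/gitleaks-action v3.0.0; re-check whether the Node.js 20 deprecation warning still applies.` This is also a major-version bump that the commit subject does not mention, so confirm against the v3.0.0 release notes that the `GITHUB_TOKEN` and `GITLEAKS_LICENSE` values passed in `env:` are still consumed the same way, because a secret scanner whose behaviour changes silently weakens this gate. The step's definition starts and ends outside the hunk.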
--- a/.github/workflows/fortress-test-fuzz.yml +++ b/.github/workflows/fortress-test-fuzz.yml @@ -69,7 +69,7 @@ jobs: # Checkout code (required for local actions) # -------------------------------------------------------------------- - name: 📥 Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/fortress-test-matrix.yml b/.github/workflows/fortress-test-matrix.yml index 1a9a251..7828913 100644 --- a/.github/workflows/fortress-test-matrix.yml +++ b/.github/workflows/fortress-test-matrix.yml @@ -132,7 +132,7 @@ jobs: # Checkout code (required for local actions) # -------------------------------------------------------------------- - name: 📥 Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/fortress-test-suite.yml b/.github/workflows/fortress-test-suite.yml index 69ed944..1202a65 100644 --- a/.github/workflows/fortress-test-suite.yml +++ b/.github/workflows/fortress-test-suite.yml @@ -190,7 +190,7 @@ jobs: timeout-minutes: 10 steps: - name: 📥 Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false diff --git a/.github/workflows/fortress-warm-cache.yml b/.github/workflows/fortress-warm-cache.yml index d00477c..5a4ac66 100644 --- a/.github/workflows/fortress-warm-cache.yml +++ b/.github/workflows/fortress-warm-cache.yml 
@@ -112,13 +112,13 @@ jobs: # -------------------------------------------------------------------- - name: 📥 Checkout code (full - multi-module) if: steps.extract.outputs.enable_multi_module == 'true' - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - name: 📥 Checkout code (sparse - single module) if: steps.extract.outputs.enable_multi_module != 'true' - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false sparse-checkout: | diff --git a/.github/workflows/pull-request-management.yml b/.github/workflows/pull-request-management.yml index 7e9decb..ed2f145 100644 --- a/.github/workflows/pull-request-management.yml +++ b/.github/workflows/pull-request-management.yml @@ -147,7 +147,7 @@ jobs: # checkov:skip=CKV_GHA_3:Base branch checkout is intentional and safe # sonarcloud:S7631 — false positive: base-ref sparse checkout only (see NOSONAR below) - name: 📥 Checkout base repo (sparse) - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 — NOSONAR(S7631): base-ref sparse checkout only; PR head is never checked out or executed + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.2 — NOSONAR(S7631): base-ref sparse checkout only; PR head is never checked out or executed with: persist-credentials: false ref: ${{ github.base_ref || github.ref }} 
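Review bot: In `pull-request-management.yml` the trailing comment on the new `uses:` line still reads `# v6.0.2` although the SHA was moved to `df4cb1c069e1874edd31b4311f1884172cec0e10`, which every other file in this patch labels `# v6.0.3`; the same stale label is in this file's second hunk (`@@ -751,7 +751,7 @@`). With SHA pinning the comment is the only human-readable statement of what the pin points to, and reviewers or update tooling that read it may be misled, so both lines should become `uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 — NOSONAR(S7631): base-ref sparse checkout only; PR head is never checked out or executed`. It looks as if the NOSONAR suffix kept a search-and-replace from matching these two lines, so a CI check that each pinned SHA matches its tag comment would catch this kind of drift. Both steps continue outside their hunks.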
@@ -751,7 +751,7 @@ jobs: # checkov:skip=CKV_GHA_3:Base branch checkout is intentional and safe # sonarcloud:S7631 — false positive: base-ref sparse checkout only (see NOSONAR below) - name: 📥 Checkout base repo (sparse) - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 — NOSONAR(S7631): base-ref sparse checkout only; PR head is never checked out or executed + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.2 — NOSONAR(S7631): base-ref sparse checkout only; PR head is never checked out or executed with: persist-credentials: false ref: ${{ github.base_ref || github.ref }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 417fddd..6c92762 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -38,7 +38,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false @@ -77,6 +77,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable the upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 + uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1 with: sarif_file: results.sarif diff --git a/.github/workflows/stale-check.yml b/.github/workflows/stale-check.yml index 1934829..9b5909e 100644 --- a/.github/workflows/stale-check.yml +++ b/.github/workflows/stale-check.yml 
@@ -65,7 +65,7 @@ jobs: # Check out code to access env file # -------------------------------------------------------------------- - name: 📥 Checkout code (sparse) - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false sparse-checkout: | diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index bad0017..f3dc27d 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -67,7 +67,7 @@ jobs: # Check out code to access env file # -------------------------------------------------------------------- - name: 📥 Checkout code (sparse) - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false sparse-checkout: | @@ -138,7 +138,7 @@ jobs: # Checkout repository # -------------------------------------------------------------------- - name: 📥 Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false fetch-depth: 2 # Fetch enough history to check parent commits