[#patch](deps): Bump the actions-deps group with 4 updates (#298)

dependabot[bot] · notdodo · web-flow · commit e55684fdd42b · 2026-03-06T09:07:45.000+01:00
Signed-off-by: dependabot[bot] &lt;support@github.com&gt;
Co-authored-by: dependabot[bot] &lt;49699333+dependabot[bot]@users.noreply.github.com&gt;
Co-authored-by: Edoardo Rosa &lt;6991986+notdodo@users.noreply.github.com&gt;
diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
@@ -61,16 +61,16 @@ on:
         default: '.'
     outputs:
       image_name:
-        description: "Full image name (<registry>/<image>)."
+        description: 'Full image name (<registry>/<image>).'
         value: ${{ jobs.build-and-push-image.outputs.image_name }}
       image_digest:
-        description: "Pushed image digest (sha256:...), empty when push=false."
+        description: 'Pushed image digest (sha256:...), empty when push=false.'
         value: ${{ jobs.build-and-push-image.outputs.image_digest }}
       image_ref:
-        description: "Immutable image reference (<registry>/<image>@<digest>), empty when push=false."
+        description: 'Immutable image reference (<registry>/<image>@<digest>), empty when push=false.'
         value: ${{ jobs.build-and-push-image.outputs.image_ref }}
       local_image_ref:
-        description: "Local image reference used when push=false."
+        description: 'Local image reference used when push=false.'
         value: ${{ jobs.build-and-push-image.outputs.local_image_ref }}
     secrets:
       registry-username:
@@ -179,14 +179,6 @@ jobs:
             echo "image_ref=${IMAGE_REF}"
             echo "local_image_ref=${LOCAL_IMAGE_REF}"
           } >> "${GITHUB_OUTPUT}"
-      - name: Generate artifact attestation
-        if: inputs.push
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
-        with:
-          subject-name: ${{ inputs.registry }}/${{ inputs.image }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true
-          create-storage-record: ${{ startsWith(inputs.registry, 'ghcr.io') }}
       - name: Run Trivy Scan
         uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
         if: inputs.scan-image
@@ -206,12 +198,14 @@ jobs:
           image-ref: ${{ format('{0}/{1}@{2}', inputs.registry, inputs.image, steps.build.outputs.digest) }}
           output: ${{ inputs.working-directory }}/sbom.spdx.json
           github-pat: ${{ secrets.GITHUB_TOKEN }}
-      - name: Attest SBOM
-        uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34 # v3.0.0
+      - name: Generate artifact and SBOM attestation
         if: inputs.push
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
         with:
           subject-name: ${{ inputs.registry }}/${{ inputs.image }}
           subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true
+          create-storage-record: ${{ startsWith(inputs.registry, 'ghcr.io') }}
           sbom-path: ${{ inputs.working-directory }}/sbom.spdx.json
       - name: Install cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml
@@ -87,7 +87,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Setup Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: ${{ inputs.working-directory }}/go.mod
           cache-dependency-path: |
@@ -123,7 +123,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Setup Go
-        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version-file: ${{ inputs.working-directory }}/go.mod
           cache-dependency-path: |
diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml
@@ -71,7 +71,7 @@ jobs:
           path: ~/.terraform.d/plugin-cache
           key: terraform-providers-${{ hashFiles('**/.terraform.lock.hcl') }}
           restore-keys: terraform-providers-
-      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
       - name: Sops Binary Installer
         uses: mdgreenwald/mozilla-sops-action@d9714e521cbaecdae64a89d2fdd576dd2aa97056
       - name: Decrypt Secrets
@@ -158,7 +158,7 @@ jobs:
           path: ~/.terraform.d/plugin-cache
           key: terraform-providers-${{ hashFiles('**/.terraform.lock.hcl') }}
           restore-keys: terraform-providers-
-      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
       - name: Sops Binary Installer
         uses: mdgreenwald/mozilla-sops-action@d9714e521cbaecdae64a89d2fdd576dd2aa97056
       - name: Decrypt Secrets
