chore(ci): bump deps, fixes

.github/actions/changes/action.yml

@@ -16,7 +16,7 @@ outputs:
 runs:
   using: 'composite'
   steps:
-    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+    - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
       id: changes
       with:
         list-files: 'csv'

.github/actions/check-go-version/action.yml

@@ -9,14 +9,18 @@ inputs:
 outputs:
   go_version:
     description: 'The extracted Go version.'
+    value: ${{ steps.extract-go-version.outputs.go_version }}
 
 runs:
   using: 'composite'
   steps:
     - name: Extract go version
+      id: extract-go-version
       shell: bash
+      env:
+        WORKING_DIRECTORY: ${{ inputs.working-directory }}
       run: |
           set -euo pipefail
-          go_version=$(grep -E '^golang [0-9]+\.[0-9]+\.[0-9]+' ${{ inputs.working-directory }}/.tool-versions | awk '{print $2}')
+          go_version=$(grep -E '^golang [0-9]+\.[0-9]+\.[0-9]+' ${WORKING_DIRECTORY}/.tool-versions | awk '{print $2}')
           echo "go_version=${go_version}" >> $GITHUB_ENV
-          echo "::set-output name=go_version::${go_version}"
+          echo "go_version=${go_version}" | tee -a "${GITHUB_OUTPUT}"

.github/workflows/aptos-bindings.yml

@@ -5,9 +5,9 @@ jobs:
   bindgen:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Install Aptos CLI
-        uses: aptos-labs/actions/install-aptos-cli@ce57287eb852b9819c1d74fecc3be187677559fd # v0.1
+        uses: aptos-labs/actions/install-aptos-cli@528ef7ad9427a8c0720ea3eea790a9190d6e377d # 2026-04-09
         with:
           CLI_VERSION: 9.1.0
       - name: Run make wrappers

.github/workflows/aptos-ccip-integration-tests.yml

@@ -16,22 +16,22 @@ jobs:
       contents: read
     steps:
     - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
 
     - name: Extract Go version
       uses: ./.github/actions/check-go-version
 
     - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
       with:
         go-version: ${{ env.go_version }}
 
     - name: Install Aptos CLI
-      uses: aptos-labs/actions/install-aptos-cli@ce57287eb852b9819c1d74fecc3be187677559fd # v0.1
+      uses: aptos-labs/actions/install-aptos-cli@528ef7ad9427a8c0720ea3eea790a9190d6e377d # 2026-04-09
       with:
         CLI_VERSION: 9.1.0
 
     - name: Run tests
       run: |
         cd integration-tests
-        go test ./ccip -timeout 10m -v
+        go test ./ccip -timeout 10m -v

.github/workflows/aptos-ccip-tests.yml

@@ -35,15 +35,15 @@ jobs:
           fi
 
       - name: Install Aptos CLI
-        uses: aptos-labs/actions/install-aptos-cli@ce57287eb852b9819c1d74fecc3be187677559fd # v0.1
+        uses: aptos-labs/actions/install-aptos-cli@528ef7ad9427a8c0720ea3eea790a9190d6e377d # 2026-04-09
         with:
           CLI_VERSION: 9.1.0
 
       - name: Checkout chainlink-aptos
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@v6
 
       - name: Checkout chainlink
-        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
+        uses: actions/checkout@v6
         with:
           repository: smartcontractkit/chainlink
           ref: ${{ env.CUSTOM_CORE_REF || env.DEFAULT_CORE_REF }}
@@ -56,7 +56,7 @@ jobs:
           echo "GO_VERSION=${go_version}" >> "${GITHUB_OUTPUT}"
 
       - name: Set up Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ steps.tool_versions.outputs.GO_VERSION }}
 

.github/workflows/aptos-contracts.yml

@@ -13,10 +13,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
 
     - name: Install Aptos CLI
-      uses: aptos-labs/actions/install-aptos-cli@ce57287eb852b9819c1d74fecc3be187677559fd # v0.1
+      uses: aptos-labs/actions/install-aptos-cli@528ef7ad9427a8c0720ea3eea790a9190d6e377d # 2026-04-09
       with:
         CLI_VERSION: 9.1.0
 

.github/workflows/aptos-movefmt.yml

@@ -5,9 +5,9 @@ jobs:
   movefmt:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Install Aptos CLI
-        uses: aptos-labs/actions/install-aptos-cli@ce57287eb852b9819c1d74fecc3be187677559fd # v0.1
+        uses: aptos-labs/actions/install-aptos-cli@528ef7ad9427a8c0720ea3eea790a9190d6e377d # 2026-04-09
         with:
           CLI_VERSION: 9.1.0
       - name: Update movefmt

.github/workflows/aptos-relayer.yml

@@ -11,7 +11,7 @@ jobs:
   test:
     name: Integration Tests
     runs-on: ubuntu-latest
-    
+
     services:
       postgres:
         image: postgres:16
@@ -26,24 +26,24 @@ jobs:
           --health-retries 5
         ports:
           - 5432:5432
-    
+
     env:
       TEST_DB_URL: postgres://user:pass@localhost:5432/testdb_test
-    
+
     steps:
     - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
 
     - name: Extract Go version
       uses: ./.github/actions/check-go-version
 
     - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
       with:
         go-version: ${{ env.go_version }}
 
     - name: Install Aptos CLI
-      uses: aptos-labs/actions/install-aptos-cli@ce57287eb852b9819c1d74fecc3be187677559fd # v0.1
+      uses: aptos-labs/actions/install-aptos-cli@528ef7ad9427a8c0720ea3eea790a9190d6e377d # 2026-04-09
       with:
         CLI_VERSION: 9.1.0
 
@@ -61,10 +61,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        uses: actions/checkout@v6
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           cache-dependency-path: go.sum
           go-version-file: go.mod

.github/workflows/aptos-release.yml

@@ -42,33 +42,39 @@ jobs:
     steps:
     - name: Setup GitHub Token
       id: setup-github-token
-      uses: smartcontractkit/.github/actions/setup-github-token@ef78fa97bf3c77de6563db1175422703e9e6674f # setup-github-token@0.2.1
+      uses: smartcontractkit/.github/actions/setup-github-token@setup-github-token/v1
       with:
         aws-role-arn: ${{ secrets.AWS_ROLE_ARN_GATI_CHANGESETS }}
         aws-lambda-url: ${{ secrets.AWS_LAMBDA_URL_GATI }}
         aws-region: ${{ secrets.AWS_REGION }}
 
     - name: Checkout this repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
       with:
         fetch-depth: 0
 
     - name: Compute Docker Tag
       id: compute-docker-tag
+      env:
+        GITHUB_REF: ${{ github.ref }}
+        GITHUB_REF_NAME: ${{ github.ref_name }}
+        GITHUB_EVENT_NAME: ${{ github.event_name }}
+        GITHUB_EVENT_INPUTS_VERSION: ${{ github.event.inputs.version }}
+        NEXT_VERSION: ${{ env.NEXT_VERSION }}
       run: |
-        BRANCH_NAME=${{ github.ref_name }}
+        BRANCH_NAME=${GITHUB_REF_NAME}
         SHORT_HASH=$(git rev-parse --short HEAD)
-        INPUT_VERSION="${{ github.event.inputs.version }}"
+        INPUT_VERSION="${GITHUB_EVENT_INPUTS_VERSION}"
 
         if [[ -n "$INPUT_VERSION" ]]; then
           IMAGE_TAG="${INPUT_VERSION}-aptos"
         elif [[ "$BRANCH_NAME" == "main" ]]; then
-          IMAGE_TAG="${{ env.NEXT_VERSION }}-aptos"
+          IMAGE_TAG="${NEXT_VERSION}-aptos"
         elif [[ "$BRANCH_NAME" == "develop" ]]; then
-          IMAGE_TAG="${{ env.NEXT_VERSION }}-develop-${SHORT_HASH}-aptos"
+          IMAGE_TAG="${NEXT_VERSION}-develop-${SHORT_HASH}-aptos"
         elif [[ "$BRANCH_NAME" == integration/* ]]; then
           INTEGRATION_NAME=${BRANCH_NAME#integration/}
-          IMAGE_TAG="${{ env.NEXT_VERSION }}-${INTEGRATION_NAME}-${SHORT_HASH}-aptos"
+          IMAGE_TAG="${NEXT_VERSION}-${INTEGRATION_NAME}-${SHORT_HASH}-aptos"
         else
           echo "Branch '$BRANCH_NAME' does not match expected patterns"
           exit 0
@@ -79,39 +85,42 @@ jobs:
 
     - name: Determine Chainlink CORE_REF
       id: determine-chainlink-core-ref
+      env:
+        INPUT_CORE_REF: ${{ github.event.inputs.core_ref }}
+        APTOS_CORE_REF: ${{ env.APTOS_CORE_REF }}
       run: |
-        if [ -n "${{ github.event.inputs.core_ref }}" ]; then
-          echo "CORE_REF provided as input: ${{ github.event.inputs.core_ref }}"
-          echo "CORE_REF=${{ github.event.inputs.core_ref }}" >> $GITHUB_ENV
+        if [ -n "${INPUT_CORE_REF}" ]; then
+          echo "CORE_REF provided as input: ${INPUT_CORE_REF}"
+          echo "CORE_REF=${INPUT_CORE_REF}" >> $GITHUB_ENV
         else
-          echo "No core_ref provided as input. Using default: ${{ env.APTOS_CORE_REF }}"
-          echo "CORE_REF=${{ env.APTOS_CORE_REF }}" >> $GITHUB_ENV
+          echo "No core_ref provided as input. Using default: ${APTOS_CORE_REF}"
+          echo "CORE_REF=${APTOS_CORE_REF}" >> $GITHUB_ENV
         fi
 
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
       with:
-        aws-region: ${{ vars.AWS_REGION }}
+        aws-region: ${{ secrets.AWS_REGION }}
         role-to-assume: ${{ secrets.AWS_ROLE_ARN_PROD_PUBLISH_ECR }}
         role-duration-seconds: 3600
         mask-aws-account-id: true
 
     - name: Login to Amazon ECR
       id: login-ecr
-      uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+      uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # v2.1.2
       with:
         mask-password: "true"
         registries: "${{ secrets.AWS_ACCOUNT_ID_PROD}},${{ secrets.QA_AWS_ACCOUNT_NUMBER }}"
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
     # This is not the most efficient way to check if the image exist or not. I was having trouble using aws CLI due to missing permission. We could improve this in a next iteration.
     - name: Check if Aptos image already exists
       id: check-ecr-tag
+      env:
+        IMAGE_URI: ${{ format('{0}.dkr.ecr.{1}.amazonaws.com/chainlink-internal-integrations-aptos:{2}', secrets.AWS_ACCOUNT_ID_PROD, secrets.AWS_REGION, env.IMAGE_TAG) }}
       run: |
-        IMAGE_URI="${{ secrets.AWS_ACCOUNT_ID_PROD }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com/chainlink-internal-integrations-aptos:${{ env.IMAGE_TAG }}"
-
         # Try to pull the image
         if docker pull $IMAGE_URI; then
           echo "Image $IMAGE_URI already exists. Skipping image build and push."
@@ -125,7 +134,7 @@ jobs:
 
     - name: Build and Push
       if: steps.check-ecr-tag.outputs.SKIP_IMAGE_BUILD == 'false'
-      uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+      uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
       id: build-image
       with:
         context: ${{ github.workspace }}
@@ -138,11 +147,14 @@ jobs:
     - name: Determine if Prerelease
       if: steps.check-ecr-tag.outputs.SKIP_IMAGE_BUILD == 'false'
       id: determine-prerelease
+      env:
+        INPUT_PRERELEASE: ${{ github.event.inputs.prerelease }}
+        GITHUB_REF_NAME: ${{ github.ref_name }}
       run: |
-        if [[ -n "${{ github.event.inputs.prerelease }}" ]]; then
-          PRERELEASE=${{ github.event.inputs.prerelease }}
+        if [[ -n "${INPUT_PRERELEASE}" ]]; then
+          PRERELEASE=${INPUT_PRERELEASE}
           echo "Using provided prerelease value: $PRERELEASE"
-        elif [[ "${{ github.ref_name }}" == "main" ]]; then
+        elif [[ "${GITHUB_REF_NAME}" == "main" ]]; then
           PRERELEASE=false
           echo "Branch 'main' detected. Setting prerelease=false"
         else
@@ -154,7 +166,7 @@ jobs:
 
     - name: Create a Release
       if: steps.check-ecr-tag.outputs.SKIP_IMAGE_BUILD == 'false'
-      uses: elgohr/Github-Release-Action@c5ea99036abb741a89f8bf1f2cd7fba845e3313a # v5 https://github.com/elgohr/Github-Release-Action/releases/tag/v5
+      uses: elgohr/Github-Release-Action@3af318c9bb451e43ab8cea7fa17a5598abe94ed2 # 20240816194204
       env:
           GH_ENTERPRISE_TOKEN: ${{ steps.setup-github-token.outputs.access-token }}
       with:

.github/workflows/aptos-run-smoke-tests.yml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
 
     - name: Get core ref from PR body
       if: github.event_name == 'pull_request'
@@ -38,7 +38,7 @@ jobs:
         fi
 
     - name: Checkout chainlink repo
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
       with:
         repository: smartcontractkit/chainlink
         ref: ${{ env.CUSTOM_CORE_REF || env.DEFAULT_CORE_REF }}
@@ -71,7 +71,7 @@ jobs:
       id: go-version
 
     - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
       with:
         go-version: ${{ env.go_version }}
 
@@ -115,11 +115,11 @@ jobs:
         set -e
         cd integration-tests
         go mod tidy
-        TEST_LOG_LEVEL=${{env.TEST_LOG_LEVEL}} go test -timeout 24h -count=1 -run TestOCR3Keystone ./smoke
+        TEST_LOG_LEVEL=${TEST_LOG_LEVEL} go test -timeout 24h -count=1 -run TestOCR3Keystone ./smoke
 
     - name: Configure AWS Credentials
       if: success() && github.event.pull_request.user.login != 'dependabot[bot]'
-      uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
+      uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
       with:
         aws-region: ${{ secrets.QA_AWS_REGION }}
         role-to-assume: ${{ secrets.QA_AWS_ROLE_TO_ASSUME }}
@@ -129,19 +129,22 @@ jobs:
     - name: Login to Amazon ECR
       if: success() && github.event.pull_request.user.login != 'dependabot[bot]'
       id: login-ecr
-      uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+      uses: aws-actions/amazon-ecr-login@f2e9fc6c2b355c1890b65e6f6f0e2ac3e6e22f78 # v2.1.2
       with:
         mask-password: "true"
 
     - name: Push Image to ECR
       if: success() && github.event.pull_request.user.login != 'dependabot[bot]'
+      env:
+        CL_ECR: ${{ env.CL_ECR }}
+        GITHUB_SHA: ${{ github.sha }}
       run: |
-        docker tag chainlink-aptos ${{ env.CL_ECR }}:aptos.${{ github.sha }}
-        docker push ${{ env.CL_ECR }}:aptos.${{ github.sha }}
+        docker tag chainlink-aptos ${CL_ECR}:aptos.${GITHUB_SHA}
+        docker push ${CL_ECR}:aptos.${GITHUB_SHA}
 
     - name: Upload Test Artifacts
       if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v7
       with:
         name: smoke-test-logs
         path: ./integration-tests/logs/

.github/workflows/ci-protobuf.yml

@@ -8,10 +8,10 @@
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup buf
-        uses: bufbuild/buf-setup-action@35c243d7f2a909b1d4e40399b348a7fdab27d78d # v1.34.0
+        uses: bufbuild/buf-setup-action@a47c93e0b1648d5651a065437926377d060baa99 # v1.50.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}