From 816c5e9faf88dc0dbf1be2e306683b15a086c90a Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Sun, 14 Jun 2026 12:19:28 +0200 Subject: [PATCH] Update actions --- .../reusable-container-publication.yml | 11 ++++++----- .github/workflows/reusable-dotnet-quality.yml | 17 +++++++++-------- .../workflows/reusable-terraform-deployment.yml | 2 +- .../workflows/reusable-terraform-quality.yml | 2 +- actions/dotnet/build-test-sonar/action.yml | 6 +++--- 5 files changed, 20 insertions(+), 18 deletions(-) diff --git a/.github/workflows/reusable-container-publication.yml b/.github/workflows/reusable-container-publication.yml index ec075b0..f0547d6 100644 --- a/.github/workflows/reusable-container-publication.yml +++ b/.github/workflows/reusable-container-publication.yml @@ -129,11 +129,12 @@ jobs: cache-from: type=gha cache-to: type=gha,mode=max build-args: ${{ inputs.extra-build-arguments }} - - name: Generate SBOM with Syft - uses: anchore/sbom-action@v0 - continue-on-error: true - with: - image: ${{ env.IMAGE_REF }} + # TODO: replace with a more secure action + # - name: Generate SBOM with Syft + # uses: anchore/sbom-action@v0 + # continue-on-error: true + # with: + # image: ${{ env.IMAGE_REF }} - name: Push latest tag if: ${{ inputs.create-latest }} run: | diff --git a/.github/workflows/reusable-dotnet-quality.yml b/.github/workflows/reusable-dotnet-quality.yml index be8e4d5..304ba98 100644 --- a/.github/workflows/reusable-dotnet-quality.yml +++ b/.github/workflows/reusable-dotnet-quality.yml @@ -163,7 +163,7 @@ jobs: sonar-token: ${{ secrets.sonar-token }} - name: Check license compliance with FOSSA if: ${{ inputs.fossa-enabled }} - uses: fossas/fossa-action@v1.8.0 + uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3 id: fossa # https://status.fossa.com/ continue-on-error: true 
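Review bot: Commenting out the `Generate SBOM with Syft` step in reusable-container-publication.yml means images are now pushed with no SBOM at all, and the TODO does not say what would make a replacement acceptable or when it is due. If the concern is the mutable `@v0` tag, pinning keeps the step and removes that risk: `uses: anchore/sbom-action@<full-commit-sha> # <release tag>` (placeholders; take the SHA from a release you have reviewed). Otherwise delete the step instead of leaving it as commented-out YAML, and make the TODO traceable, for example `# TODO(<issue-ref>): restore SBOM generation with a SHA-pinned action`. The same applies to the commented-out SBOM step in the second hunk of reusable-dotnet-quality.yml.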
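Review bot: The new pin on the FOSSA step gives no indication of which release the commit corresponds to, so a reviewer cannot compare it with the previous `v1.8.0` without looking the SHA up upstream. Add the release as a trailing comment, `uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3 # <release tag>`; Dependabot and Renovate also use that comment when they update SHA pins. The `hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e` pins in reusable-terraform-deployment.yml and reusable-terraform-quality.yml need the same comment. In the latter, one SHA replaces another and nothing in the diff shows whether it is an upgrade.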
@@ -177,13 +177,14 @@ jobs: if: ${{ inputs.fossa-enabled && steps.fossa.outputs.report != '' }} run: echo '${{ steps.fossa.outputs.report }}' > report/fossa.html continue-on-error: true - - name: Generate SBOM with Syft - uses: anchore/sbom-action@v0 - # with: - # path: . # Or Dockerfile path - # format: spdx-json # Or cyclonedx-json - # output-file: sbom.json - # upload-artifact: true # Auto-upload to workflow artifacts + # TODO: replace with more secure action + # - name: Generate SBOM with Syft + # uses: anchore/sbom-action@v0 + # # with: + # # path: . # Or Dockerfile path + # # format: spdx-json # Or cyclonedx-json + # # output-file: sbom.json + # # upload-artifact: true # Auto-upload to workflow artifacts - name: Archive test results if: always() uses: actions/upload-artifact@v4 diff --git a/.github/workflows/reusable-terraform-deployment.yml b/.github/workflows/reusable-terraform-deployment.yml index 659fde0..0088b82 100644 --- a/.github/workflows/reusable-terraform-deployment.yml +++ b/.github/workflows/reusable-terraform-deployment.yml @@ -126,7 +126,7 @@ jobs: ~/.terraform.d/plugin-cache key: terraform-${{ hashFiles('**/.terraform.lock.hcl') }} - name: Install terraform - uses: hashicorp/setup-terraform@v3 + uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e - name: Terraform init run: terraform init - name: Terraform validate diff --git a/.github/workflows/reusable-terraform-quality.yml b/.github/workflows/reusable-terraform-quality.yml index 3b0e896..c6b2d08 100644 --- a/.github/workflows/reusable-terraform-quality.yml +++ b/.github/workflows/reusable-terraform-quality.yml 
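Review bot: The unchanged context line `run: echo '${{ steps.fossa.outputs.report }}' > report/fossa.html` expands the step output into the script text before the shell runs, so a report containing a single quote ends the quoted string and the remainder is interpreted as shell. Pass the value through the environment instead: add `env:` with `FOSSA_REPORT: ${{ steps.fossa.outputs.report }}` and change the command to `run: printf '%s\n' "$FOSSA_REPORT" > report/fossa.html`. If the report can be larger than an environment variable can hold, write it to a file in the FOSSA step and copy the file here. The step begins above the hunk, so its name is not visible.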
@@ -36,7 +36,7 @@ jobs: ~/.terraform.d/plugin-cache key: terraform-${{ hashFiles('**/.terraform.lock.hcl') }} - name: Install terraform - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 + uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e - name: Check Terraform format run: terraform fmt -recursive -check - name: Terraform Init diff --git a/actions/dotnet/build-test-sonar/action.yml b/actions/dotnet/build-test-sonar/action.yml index 2aeae11..78ac516 100644 --- a/actions/dotnet/build-test-sonar/action.yml +++ b/actions/dotnet/build-test-sonar/action.yml @@ -43,19 +43,19 @@ runs: using: "composite" steps: - name: Set up JDK for Sonar - uses: actions/setup-java@v4 + uses: actions/setup-java@v5 with: java-version: ${{ inputs.java-version }} distribution: "zulu" - name: Cache Sonar packages - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: ~/sonar/cache key: ${{ runner.os }}-sonar restore-keys: ${{ runner.os }}-sonar - name: Cache Sonar scanner id: cache-sonar-scanner - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: ./.sonar/scanner key: ${{ runner.os }}-sonar-scanner
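Review bot: `actions/setup-java@v5` and `actions/cache@v5` in actions/dotnet/build-test-sonar/action.yml are still referenced by mutable major tags, while the same commit moves the third-party actions to full commit SHAs. `actions/upload-artifact@v4` in reusable-dotnet-quality.yml is in the same state. For a consistent policy pin these too, in the form `uses: actions/cache@<full-commit-sha> # v5`, with the SHA taken from a release you have reviewed. Both changes are major-version bumps, which presumably raise the runtime the actions require, so any self-hosted runners that consume this composite action should be checked before merging.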