Update actions 2026 June 14

.github/workflows/reusable-container-publication.yml

@@ -129,11 +129,12 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
           build-args: ${{ inputs.extra-build-arguments }}
-      - name: Generate SBOM with Syft
-        uses: anchore/sbom-action@v0
-        continue-on-error: true
-        with:
-          image: ${{ env.IMAGE_REF }}
+      # TODO: replace with a more secure action
+      # - name: Generate SBOM with Syft
+      #   uses: anchore/sbom-action@v0
+      #   continue-on-error: true
+      #   with:
+      #     image: ${{ env.IMAGE_REF }}
       - name: Push latest tag
         if: ${{ inputs.create-latest }}
         run: |

.github/workflows/reusable-dotnet-quality.yml

@@ -163,7 +163,7 @@ jobs:
           sonar-token: ${{ secrets.sonar-token }}
       - name: Check license compliance with FOSSA
         if: ${{ inputs.fossa-enabled }}
-        uses: fossas/fossa-action@v1.8.0
+        uses: fossas/fossa-action@ff70fe9fe17cbd2040648f1c45e8ec4e4884dcf3
         id: fossa
         # https://status.fossa.com/
         continue-on-error: true
@@ -177,13 +177,14 @@ jobs:
         if: ${{ inputs.fossa-enabled && steps.fossa.outputs.report != '' }}
         run: echo '${{ steps.fossa.outputs.report }}' > report/fossa.html
         continue-on-error: true
-      - name: Generate SBOM with Syft
-        uses: anchore/sbom-action@v0
-        # with:
-        #   path: . # Or Dockerfile path
-        #   format: spdx-json # Or cyclonedx-json
-        #   output-file: sbom.json
-        #   upload-artifact: true # Auto-upload to workflow artifacts
+      # TODO: replace with more secure action
+      # - name: Generate SBOM with Syft
+      #   uses: anchore/sbom-action@v0
+      #   # with:
+      #   #   path: . # Or Dockerfile path
+      #   #   format: spdx-json # Or cyclonedx-json
+      #   #   output-file: sbom.json
+      #   #   upload-artifact: true # Auto-upload to workflow artifacts
       - name: Archive test results
         if: always()
         uses: actions/upload-artifact@v4

.github/workflows/reusable-terraform-deployment.yml

@@ -126,7 +126,7 @@ jobs:
             ~/.terraform.d/plugin-cache
           key: terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
       - name: Install terraform
-        uses: hashicorp/setup-terraform@v3
+        uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e
       - name: Terraform init
         run: terraform init
       - name: Terraform validate

.github/workflows/reusable-terraform-quality.yml

@@ -36,7 +36,7 @@ jobs:
             ~/.terraform.d/plugin-cache
           key: terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
       - name: Install terraform
-        uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85
+        uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e
       - name: Check Terraform format
         run: terraform fmt -recursive -check
       - name: Terraform Init

actions/dotnet/build-test-sonar/action.yml

@@ -43,19 +43,19 @@ runs:
   using: "composite"
   steps:
     - name: Set up JDK for Sonar
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         java-version: ${{ inputs.java-version }}
         distribution: "zulu"
     - name: Cache Sonar packages
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ~/sonar/cache
         key: ${{ runner.os }}-sonar
         restore-keys: ${{ runner.os }}-sonar
     - name: Cache Sonar scanner
       id: cache-sonar-scanner
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ./.sonar/scanner
         key: ${{ runner.os }}-sonar-scanner