ChipWolf · ChipWolf · Jun 18, 2026 · Jun 18, 2026
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -2,7 +2,11 @@
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
   extends: [
     "config:recommended",
-    "helpers:pinGitHubActionDigests",
+    // Pin Action digests AND write the full semver (e.g. `# v6.0.2`) as the
+    // comment, not the major (`# v6`). zizmor's `ref-version-mismatch` audit
+    // (run via MegaLinter) fails when the comment doesn't match the exact tag
+    // the pinned SHA resolves to.
+    "helpers:pinGitHubActionDigestsToSemver",
     ":semanticCommits",
     ":timezone(Europe/London)",
   ],

diff --git a/.github/workflows/_build-container.yml b/.github/workflows/_build-container.yml
@@ -24,7 +24,7 @@ jobs:
   build:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -35,7 +35,7 @@ jobs:
         env:
           IMAGE_NAME: ${{ inputs.image_registry }}/${{ inputs.image_name }}
 
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
         with:
           install: true
 
@@ -50,7 +50,7 @@ jobs:
           chmod +x install.sh
 
       - name: Log in to GHCR
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ inputs.image_registry }}
           username: ${{ github.actor }}
@@ -127,7 +127,7 @@ jobs:
           rm -rf "$work"
 
       - name: Attest container provenance
-        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
         with:
           subject-name: ${{ steps.image.outputs.name }}
           subject-digest: ${{ steps.push.outputs.digest }}

diff --git a/.github/workflows/_upload-scripts.yml b/.github/workflows/_upload-scripts.yml
@@ -23,11 +23,11 @@ jobs:
   upload:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
         with:
           install: true
 
@@ -54,7 +54,7 @@ jobs:
             --clobber
 
       - name: Attest install script provenance
-        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
         with:
           subject-path: |
             install.sh

diff --git a/.github/workflows/badgesort.yml b/.github/workflows/badgesort.yml
@@ -23,7 +23,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

diff --git a/.github/workflows/e2e-install.yml b/.github/workflows/e2e-install.yml
@@ -50,11 +50,11 @@ jobs:
       # kics-scan ignore-line — ephemeral CI-only Vaultwarden test password (not a repo secret).
       BW_PASSWORD: "CiTestPassword123!"
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
         with:
           install: true
 
@@ -118,11 +118,11 @@ jobs:
     if: github.event.action != 'closed'
     runs-on: windows-2025
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
         with:
           install: true
 
@@ -172,11 +172,11 @@ jobs:
     if: github.event.action != 'closed'
     runs-on: macos-26
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
         with:
           install: true
 

diff --git a/.github/workflows/megalinter.yml b/.github/workflows/megalinter.yml
@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-24.04
     if: github.event.action != 'closed' && (github.event_name == 'pull_request' || !contains(github.actor, '[bot]'))
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -36,6 +36,6 @@ jobs:
 
       - name: Upload SARIF report
         if: always()
-        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
+        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
         with:
           sarif_file: megalinter-reports/megalinter-report.sarif
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -28,7 +28,7 @@ jobs:
     steps:
       - name: Release Please
         id: rp
-        uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5
+        uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
 
   # --- Build and attest container image (reusable workflow for SLSA L3) ---
 

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -19,11 +19,11 @@ jobs:
         os: [ubuntu-24.04, windows-2025]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
         with:
           install: true
 

diff --git a/.github/workflows/wiki-sync.yml b/.github/workflows/wiki-sync.yml
@@ -20,7 +20,7 @@ jobs:
   sync-wiki:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false