Bump the github-actions group across 1 directory with 18 updates

.github/workflows/pipeline.yml

@@ -69,32 +69,32 @@ jobs:
       BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
       IS_PUBLIC_BUILD: ${{ needs.generate-version.outputs.is-public-build }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0
         with:
           platforms: arm64
-      - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         id: buildx
         with:
           install: true
           version: latest
-      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Docker Meta
         id: meta
-        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
         with:
           images: ${{ env.IMAGE_NAME }}
           tags: |
             type=raw,value=trunk-artifact,enable=${{ github.ref == 'refs/heads/master' }}
             type=raw,value=pr-artifact,enable=${{ github.event_name == 'pull_request' }}
             type=raw,value=dispatch-artifact,enable=${{ github.event_name == 'workflow_dispatch' }}
             type=raw,value=release-artifact,enable=${{ needs.generate-version.outputs.version != '0.0.1' }}
-      - uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+      - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         id: build
         with:
           file: Dockerfile
@@ -114,8 +114,8 @@ jobs:
     env:
       BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0
       - name: Generate Manifests (Prod)
         run: |
           set -xe
@@ -147,7 +147,7 @@ jobs:
           cp manifests/install/all/crds/crds.yaml ./crds.yaml
         shell: bash
       - name: Publish (Artifacts)
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: manifests
           path: |
@@ -161,9 +161,9 @@ jobs:
     env:
       BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0
-      - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0
+      - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
         with:
           version: v3.19.2
       - name: Generate Chart
@@ -184,21 +184,21 @@ jobs:
             | tee ./manifests/helm/dist/output.yaml
         shell: bash
       - name: Publish (Chart)
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: helm-chart
           path: |
             manifests/helm/dist/*.tgz
           retention-days: 7
       - name: Publish (Schema)
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: helm-schema
           path: |
             manifests/helm/values.schema.json
           retention-days: 7
       - name: Publish (Manifests)
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: helm-manifests
           path: |
@@ -225,19 +225,19 @@ jobs:
       IMAGE: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }}
     if: ${{ github.event_name != 'pull_request' }} # should match push logic in build-image
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96 # v1.0.9
+      - uses: nolar/setup-k3d-k3s@62c9d1bd2bc843275c85d2e7dcd696edc1160eee # v1.1.0
         name: Deploy K3d
         with:
           version: v${{ matrix.k3s-version }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Import Images
-        uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         with:
           timeout_minutes: 10
           max_attempts: 5
@@ -263,7 +263,7 @@ jobs:
           kubectl apply -k manifests/examples/testing
         shell: bash
       - name: Setup .NET SDK
-        uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
+        uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
         with:
           dotnet-version: 10.0.x
       - name: Execute Functional Tests
@@ -272,7 +272,7 @@ jobs:
           dotnet test ./tests/Contrast.K8s.AgentOperator.FunctionalTests/Contrast.K8s.AgentOperator.FunctionalTests.csproj
         shell: bash
       - name: Dump Operator Logs
-        uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
         if: ${{ always() }}
         with:
           timeout_minutes: 10
@@ -303,9 +303,9 @@ jobs:
       fail-fast: false
     steps:
       - name: Setup Pluto
-        uses: fairwindsops/pluto/github-action@d45f6d122de3d99fc4b7576592939ff62655db66 # v5.21.1
+        uses: fairwindsops/pluto/github-action@dd5ec8cccce5e42dfe8054b8250baa35546056a0 # v5.24.0
       - name: Setup Polaris
-        uses: fairwindsops/polaris/.github/actions/setup-polaris@80e6f7214ee611feb8a0ad2f8be6e58f822b868b # v9.6.1
+        uses: fairwindsops/polaris/.github/actions/setup-polaris@1fdfec73a1a6611078cad745340ad2f0ae0f7db7 # v10.2.0
         with:
           version: 7.2.0
       - name: Setup Kubeconform
@@ -315,7 +315,7 @@ jobs:
           tar xf kubeconform-linux-amd64.tar.gz
           sudo install kubeconform /usr/local/bin/kubeconform
       - name: Download Manifests
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         id: download-artifacts
         with:
           name: ${{ matrix.artifact }}
@@ -372,16 +372,16 @@ jobs:
       IMAGE_NAME: ghcr.io/contrast-security-oss/agent-operator/operator
     if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Login (GitHub)
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Docker Meta
         id: meta
-        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
         with:
           images: ${{ env.IMAGE_NAME }}
           tags: |
@@ -390,7 +390,7 @@ jobs:
             type=semver,pattern={{major}},value=${{ env.BUILD_VERSION }},enable=${{ needs.generate-version.outputs.is-release == 'true' }}
             type=raw,latest,enable=${{ needs.generate-version.outputs.is-release == 'true' }}
       - name: Tag for Release
-        uses: akhilerm/tag-push-action@f35ff2cb99d407368b5c727adbcc14a2ed81d509 # v2.2.0
+        uses: akhilerm/tag-push-action@eadeefebd39db8a47e146115649adae1fce576a6 # v2.3.0
         with:
           src: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }}
           dst: |
@@ -415,27 +415,27 @@ jobs:
       BUILD_VERSION: ${{ needs.generate-version.outputs.version }}
     if: ${{ needs.generate-version.outputs.version != '0.0.1' }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Login (GitHub)
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login (Dockerhub)
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PAT }}
       - name: Login (Quay)
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
       - name: Docker Meta
         id: dockerhub-meta
-        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
         with:
           images: |
             docker.io/contrast/agent-operator
@@ -447,17 +447,17 @@ jobs:
             type=semver,pattern={{major}},value=${{ env.BUILD_VERSION }},enable=${{ needs.generate-version.outputs.is-release == 'true' }}
             type=raw,latest,enable=${{ needs.generate-version.outputs.is-release == 'true' }}
       - name: Tag for Release
-        uses: akhilerm/tag-push-action@f35ff2cb99d407368b5c727adbcc14a2ed81d509 # v2.2.0
+        uses: akhilerm/tag-push-action@eadeefebd39db8a47e146115649adae1fce576a6 # v2.3.0
         with:
           src: ghcr.io/contrast-security-oss/agent-operator/operator@${{ needs.build-image.outputs.digest }}
           dst: |
             ${{ steps.dockerhub-meta.outputs.tags }}
-      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         id: download-manifests
         with:
           name: manifests
           path: ./artifacts/manifests
-      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         id: download-schema
         with:
           name: helm-schema
@@ -482,7 +482,7 @@ jobs:
           immutableCreate: true
           prerelease: ${{ needs.generate-version.outputs.is-release == 'false' }} # pre-releases will have is-release false
       - name: Publish Helm Chart
-        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         if: ${{ needs.generate-version.outputs.is-release == 'true' }}
         with:
           token: ${{ secrets.GH_PR_WRITE_PAT }}
@@ -506,7 +506,7 @@ jobs:
       #     SENTRY_ORG: sentry
       #     SENTRY_PROJECT: agent-operator
       #     SENTRY_URL: https://sentry.prod.dotnet.contsec.com
-      - uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
+      - uses: act10ns/slack@d96404edccc6d6467fc7f8134a420c851b1e9054 # v2.2.0
         if: ${{ needs.generate-version.outputs.is-release == 'true' }}
         with:
           status: ${{ job.status }}

.github/workflows/wiz-scan.yml

@@ -22,7 +22,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Build the Docker image
         run: docker build . --tag agent-operator:dev
@@ -38,7 +38,7 @@ jobs:
 
       - name: Capture Wiz Output
         if: always()
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: agent-operator-wiz-report
           path: |