chore(deps): pin dependencies (#2855)

oep-renovate[bot] · web-flow · commit e4aa9b246b84 · 2025-07-30T13:30:26.000+02:00
Signed-off-by: oep-renovate[bot] &lt;212772560+oep-renovate[bot]@users.noreply.github.com&gt;
Co-authored-by: oep-renovate[bot] &lt;212772560+oep-renovate[bot]@users.noreply.github.com&gt;
diff --git a/.github/actions/code-quality/pre-commit/action.yaml b/.github/actions/code-quality/pre-commit/action.yaml
@@ -69,15 +69,15 @@ runs:
   steps:
     # Set up Python environment with caching
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       with:
         python-version: ${{ inputs.python-version }}
         cache: pip # Enable pip caching
         cache-dependency-path: .pre-commit-config.yaml
 
     # Set up Node.js for JavaScript-related hooks
     - name: Set up Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         node-version: ${{ inputs.node-version }}
 
@@ -92,7 +92,7 @@ runs:
     - name: Cache pre-commit hooks
       if: inputs.cache == 'true'
       id: pre-commit-cache
-      uses: actions/cache@v3
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
       with:
         path: ~/.cache/pre-commit
         # Cache key includes Python and Node versions to ensure correct environment
diff --git a/.github/actions/pytest/action.yaml b/.github/actions/pytest/action.yaml
@@ -94,7 +94,7 @@ runs:
   steps:
     # Set up Python with pip caching
     - name: Set up Python environment
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       with:
         python-version: ${{ inputs.python-version }}
         cache: ${{ inputs.enable-cache == 'true' && 'pip' || '' }}
@@ -186,7 +186,7 @@ runs:
 
     - name: Upload test results
       if: always() && steps.test-execution.outcome == 'failure'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: pytest-results-${{ inputs.test-type }}
         path: pytest_output.log
diff --git a/.github/actions/security/bandit/action.yaml b/.github/actions/security/bandit/action.yaml
@@ -88,7 +88,7 @@ runs:
   using: composite
   steps:
     - name: Set up Python
-      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
       with:
         python-version: "3.10"
 
@@ -101,7 +101,7 @@ runs:
     - name: Get changed files
       if: inputs.scan-scope == 'changed'
       id: changed-files
-      uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0 # v46.0.3
+      uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
       with:
         files: |
           **/*.py
@@ -163,13 +163,13 @@ runs:
       # Upload results after full scope analysis
     - name: Upload reports
       if: hashFiles('bandit-report.*') != '' # if any report is available
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: bandit-results
         path: bandit-report.*
         retention-days: 7
     - name: Upload sarif
       if: hashFiles('bandit-report.sarif') != '' # if SARIF is available, upload it
-      uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.8
+      uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
       with:
         sarif_file: bandit-report.sarif
diff --git a/.github/actions/security/clamav/action.yaml b/.github/actions/security/clamav/action.yaml
@@ -168,7 +168,7 @@ runs:
       # Upload results
     - name: Upload reports
       if: hashFiles('security-results/clamav*') != '' # if any report is available
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: clamav-results
         path: security-results/clamav
diff --git a/.github/actions/security/semgrep/action.yaml b/.github/actions/security/semgrep/action.yaml
@@ -91,7 +91,7 @@ runs:
     - name: Get changed files
       if: inputs.scan-scope == 'changed'
       id: changed-files
-      uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0 # v46.0.3
+      uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
       with:
         files: |
           **/*.*
@@ -170,13 +170,13 @@ runs:
       # Upload results after full scope analysis
     - name: Upload reports
       if: hashFiles('security-results/semgrep/*') != '' # if any report is available
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: semgrep-results
         path: security-results/semgrep
         retention-days: 7
     - name: Upload sarif
       if: hashFiles('security-results/semgrep/semgrep-results.sarif') != '' # if SARIF is available, upload it
-      uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.8
+      uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
       with:
         sarif_file: security-results/semgrep/semgrep-results.sarif
diff --git a/.github/actions/security/trivy/action.yaml b/.github/actions/security/trivy/action.yaml
@@ -111,7 +111,7 @@ runs:
       uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
 
     - name: Cache Trivy vulnerability database
-      uses: actions/cache@v3
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
       with:
         path: ~/.cache/trivy
         key: trivy-db-${{ runner.os }}-${{ hashFiles('**/trivy-db/**') }}
@@ -220,13 +220,13 @@ runs:
       # Upload results after full scope analysis
     - name: Upload reports
       if: hashFiles('security-results/trivy/*') != '' # if any report is available
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: trivy-results
         path: security-results/trivy
         retention-days: 7
     - name: Upload sarif
       if: hashFiles('security-results/trivy/trivy-results.sarif') != '' # if SARIF is available, upload it
-      uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.8
+      uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
       with:
         sarif_file: security-results/trivy/trivy-results.sarif
diff --git a/.github/actions/security/zizmor/action.yaml b/.github/actions/security/zizmor/action.yaml
@@ -66,7 +66,7 @@ runs:
   using: composite
   steps:
     - name: Install uv
-      uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
+      uses: astral-sh/setup-uv@e92bafb6253dcd438e0484186d7669ea7a8ca1cc # v6.4.3
       with:
         enable-cache: true
         activate-environment: true
@@ -76,7 +76,7 @@ runs:
     - name: Get changed files
       if: inputs.scan-scope == 'changed'
       id: changed-files
-      uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0 # v46.0.3
+      uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
       with:
         files: .github/**
 
@@ -137,13 +137,13 @@ runs:
       # Upload results after full scope analysis
     - name: Upload reports
       if: hashFiles('zizmor-report.*') != '' # if any report is available
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: zizmor-results
         path: zizmor-report.*
         retention-days: 7
     - name: Upload sarif
       if: hashFiles('zizmor-report.sarif') != '' # if SARIF is available, upload it
-      uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.8
+      uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
       with:
         sarif_file: zizmor-report.sarif
diff --git a/.github/workflows/_reusable-artifact-builder.yaml b/.github/workflows/_reusable-artifact-builder.yaml
@@ -78,10 +78,10 @@ jobs:
     outputs:
       artifact-name: ${{ steps.set-artifact-name.outputs.name }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           persist-credentials: false
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: ${{ inputs.python-version }}
       - name: Build package
@@ -96,13 +96,13 @@ jobs:
       - name: Set artifact name
         id: set-artifact-name
         run: echo "name=dist-$(date +%s)" >> $GITHUB_OUTPUT
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: ${{ steps.set-artifact-name.outputs.name }}
           path: dist/
           retention-days: 5
       - name: Cache pip dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
         with:
           path: |
             ~/.cache/pip
@@ -111,7 +111,7 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-pip-
       - name: Cache build artifacts
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
         with:
           path: |
             dist/
diff --git a/.github/workflows/_reusable-code-quality.yaml b/.github/workflows/_reusable-code-quality.yaml
@@ -62,7 +62,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0
           lfs: true
diff --git a/.github/workflows/_reusable-pr-title-check.yaml b/.github/workflows/_reusable-pr-title-check.yaml
@@ -60,12 +60,12 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: ${{ inputs.python-version }}
           cache: pip
diff --git a/.github/workflows/_reusable-production-release-process.yaml b/.github/workflows/_reusable-production-release-process.yaml
@@ -90,13 +90,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           name: ${{ inputs.artifact-name }}
           path: dist
 
       - name: Upload for production release
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: production-release-artifacts
           path: dist/
diff --git a/.github/workflows/_reusable-rc-release-process.yaml b/.github/workflows/_reusable-rc-release-process.yaml
@@ -84,27 +84,27 @@ jobs:
           echo "url=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT
 
       - name: Download build artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           name: ${{ inputs.artifact-name }}
           path: dist
 
       - name: Download test results
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           pattern: "*-test-results"
           merge-multiple: true
           path: test-results
 
       - name: Download security results
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           pattern: "*-security-results"
           merge-multiple: true
           path: security-results
 
       - name: Download quality results
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           pattern: "*-quality-results"
           merge-multiple: true
@@ -177,7 +177,7 @@ jobs:
           EOF
 
       - name: Upload technical review report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: technical-review-report
           path: technical-review-report.md
@@ -195,7 +195,7 @@ jobs:
           echo "url=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT
 
       - name: Download technical review report
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           name: technical-review-report
           path: qa-review
@@ -225,7 +225,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download technical review report
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           name: technical-review-report
 
diff --git a/.github/workflows/_reusable-release-publisher.yaml b/.github/workflows/_reusable-release-publisher.yaml
@@ -83,7 +83,7 @@ jobs:
     permissions:
       contents: write # is required by action-gh-release
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           name: ${{ inputs.artifact-name }}
           path: dist
diff --git a/.github/workflows/_reusable-security-scan.yaml b/.github/workflows/_reusable-security-scan.yaml
@@ -79,7 +79,7 @@ jobs:
     if: contains(inputs.tools, 'bandit')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           persist-credentials: false
       - name: Run Bandit scan
@@ -94,9 +94,9 @@ jobs:
     if: contains(inputs.tools, 'semgrep')
     runs-on: ubuntu-latest
     container:
-      image: returntocorp/semgrep@sha256:14e073f6417e5d2d0797aa13f26d569270b86fac9d52052d2358c985f1a4e9f0 # v1.124.0
+      image: returntocorp/semgrep@sha256:fca58525689355641019c05ab49dcc5bc3a1eb7e044f35014ee39594b5aa4fc1 # v1.124.0
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           persist-credentials: false
       - name: Run Semgrep scan
@@ -110,7 +110,7 @@ jobs:
     if: contains(inputs.tools, 'trivy')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0 # Required for changed files detection
           persist-credentials: false
@@ -132,7 +132,7 @@ jobs:
     if: contains(inputs.tools, 'clamav')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           persist-credentials: false
       - name: Run ClamAV scan
@@ -145,7 +145,7 @@ jobs:
     if: contains(inputs.tools, 'zizmor')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           persist-credentials: false
       - name: Run Zizmor scan
@@ -177,7 +177,7 @@ jobs:
 
       # Download artifacts with error handling
       - name: Download all results
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         continue-on-error: true # Don't fail if some tools didn't generate results
         with:
           pattern: "*-results"
@@ -187,7 +187,7 @@ jobs:
       # Only upload if there are files
       - name: Upload combined results
         if: hashFiles('all-results/**/*') != ''
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: security-scan-results
           path: all-results
diff --git a/.github/workflows/_reusable-test-suite.yaml b/.github/workflows/_reusable-test-suite.yaml
@@ -108,7 +108,7 @@ jobs:
         run: |
           nvidia-smi || echo "::error::No GPU found"
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           persist-credentials: false
       - name: Run tests
diff --git a/.github/workflows/_reusable-version-bump.yaml b/.github/workflows/_reusable-version-bump.yaml
diff --git a/.github/workflows/_reusable-version-check.yaml b/.github/workflows/_reusable-version-check.yaml
diff --git a/.github/workflows/issue-management.yaml b/.github/workflows/issue-management.yaml
diff --git a/.github/workflows/pre_merge.yml b/.github/workflows/pre_merge.yml
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
