updatecli · updateclibot · Jun 2, 2026 · Jun 2, 2026 · Jun 2, 2026 · Jun 2, 2026
diff --git a/.github/workflows/add_issue_to_project.yaml b/.github/workflows/add_issue_to_project.yaml
@@ -8,7 +8,7 @@ jobs:
     name: Add issue to Updatecli project
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+      - uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0
         with:
           project-url: https://github.com/orgs/updatecli/projects/2
           github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -9,18 +9,18 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Use Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 24
       - name: Install Hugo
-        uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
+        uses: peaceiris/actions-hugo@2752ce1d29631191ea3f27c23495fa06139a5b78 # v3.2.1
         with:
           hugo-version: 0.162.1
           extended: true
       - name: Install Bundler
-        uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1
         with:
           ruby-version: 2.7
           bundler-cache: true

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -28,10 +28,10 @@ jobs:
         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -41,7 +41,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/autobuild@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
       #- run: |
       #   make bootstrap
       #   make release
@@ -52,4 +52,4 @@ jobs:
         # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
         #    and modify them (or add more) to build your code if your project
         #    uses a compiled language
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
diff --git a/.github/workflows/typos.yaml b/.github/workflows/typos.yaml
@@ -1,24 +1,19 @@
 name: Spell check with typos
-
 on:
   push:
     branches: ["main"]
   pull_request:
     branches: ["**"]
-
 permissions: {}
-
 jobs:
   typos:
     runs-on: ubuntu-latest
     permissions:
       contents: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
-
       - name: Run typos
         uses: crate-ci/typos@f8a58b6b53f2279f71eb605f03a4ae4d10608f45 # v1.47.0
-
diff --git a/.github/workflows/updatecli.yaml b/.github/workflows/updatecli.yaml
@@ -12,11 +12,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" # v6.0.3
         with:
           persistent-credentials: false
       - name: "Setup updatecli"
-        uses: "updatecli/updatecli-action@2c3221bc5f4499a99fec2c87d9de4a83cb30e990" # v3.1.3
+        uses: "updatecli/updatecli-action@e71be7554f3f940bc439cf720b3e4e379823c562" # v3.2.0
         with:
           version: "v0.117.1"
       - name: "Run updatecli"

diff --git a/.github/workflows/updatecli_release.yaml b/.github/workflows/updatecli_release.yaml
@@ -28,19 +28,17 @@ jobs:
             apply_args: "--labels=release:updatecli"
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" # v6.0.3
         with:
           persist-credentials: false
       - name: "Setup updatecli"
         uses: "updatecli/updatecli-action@e71be7554f3f940bc439cf720b3e4e379823c562" # v3.2.0
         with:
           version: "v0.117.1"
-
       # releasepost is required by the Updatecli
       #   * policy ghcr.io/updatecli/policies/releasepost/releasepost
       - name: "Install Releasepost"
         uses: "updatecli/releasepost-action@864390bddae97db06ee881ab4a08d159b4464643" # v0.5.0
-
       - name: "Run updatecli"
         run: updatecli compose apply --clean-git-branches=true ${{ matrix.apply_args }} --experimental
         env:

diff --git a/.github/workflows/updatecli_test.yaml b/.github/workflows/updatecli_test.yaml
@@ -9,11 +9,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" # v6.0.3
         with:
           persist-credentials: false
       - name: "Setup updatecli"
-        uses: "updatecli/updatecli-action@2c3221bc5f4499a99fec2c87d9de4a83cb30e990" # v3.1.3
+        uses: "updatecli/updatecli-action@e71be7554f3f940bc439cf720b3e4e379823c562" # v3.2.0
         with:
           version: "v0.117.1"
       - name: "Test updatecli in dry-run mode"

diff --git a/.github/workflows/updatecli_update.yaml b/.github/workflows/updatecli_update.yaml
@@ -23,7 +23,7 @@ jobs:
             apply_args: "--existing-only=true"
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" # v6.0.3
         with:
           persist-credentials: false
       - name: "Setup updatecli"

diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
@@ -1,26 +1,22 @@
-name: GitHub Actions Security Analysis with zizmor 🌈
-
+name: "GitHub Actions Security Analysis with zizmor \U0001F308"
 on:
   push:
     branches: ["main"]
   pull_request:
     branches: ["**"]
-
 permissions: {}
-
 jobs:
   zizmor:
     runs-on: ubuntu-latest
     permissions:
       security-events: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
-
-      - name: Run zizmor 🌈
-        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+      - name: "Run zizmor \U0001F308"
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
         with:
           # intentionally not scanning the entire repository,
           inputs: ./.github/