Pin dependencies #290

Open
renovate[bot] wants to merge 1 commit into master from renovate/github-actions

@renovate renovate Bot commented Nov 18, 2025

This PR contains the following updates:

Package                              Type    Update  Change
SonarSource/ci-github-actions        action  pin     v1 → 1.7.2
SonarSource/gh-action_pre-commit     action  minor   1.1.0 → 1.2.0
SonarSource/gh-action_releasability  action  pin     v3 → 3.0.5
SonarSource/gh-action_release        action  pin     v7 → 7.4.0
actions/checkout                     action  pin     v7 → v7.0.0
jdx/mise-action                      action  minor   v4.1.0 → v4.2.0

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.


Release Notes

SonarSource/gh-action_pre-commit (SonarSource/gh-action_pre-commit)

v1.2.0

What's Changed

New Contributors

Full Changelog: SonarSource/gh-action_pre-commit@1.1.0...1.2.0

jdx/mise-action (jdx/mise-action)

v4.2.0: Bootstrap mode & wget fallback

This release adds an opt-in bootstrap mode for projects that use mise bootstrap, and makes the action work on runner images that ship wget but not curl.

Added

Bootstrap mode (#522) by @jdx

Three new inputs let the action drive mise bootstrap instead of mise install:

- uses: jdx/mise-action@v4
  with:
    bootstrap: true
    bootstrap_skip: "tools,task"   # comma-separated parts to skip
    bootstrap_args: "--yes"        # extra args forwarded to mise bootstrap

  • When bootstrap: true, the action runs mise bootstrap under the existing install gate and sets MISE_EXPERIMENTAL=1 automatically.
  • If a repo mise lock file is present, it runs mise --locked bootstrap, matching the auto-lock behavior introduced for mise install in v4.1.0.
  • install_args cannot be combined with bootstrap: true — the action fails fast and tells you to use bootstrap_skip / bootstrap_args instead, because full bootstrap doesn't support partial tool install args.
  • A new {{bootstrap_hash}} template variable is included in the default cache key (and available in custom cache_key templates) so bootstrap and non-bootstrap configurations don't share caches.

bootstrap_skip relies on mise bootstrap --skip from jdx/mise#10497, so make sure you're on a recent mise version if you use it.

Fixed

  • Fall back to wget when curl is unavailable (#521) by @risu729 — The action used to hard-code curl for fetching the mise binary, tar/zip archives, and the latest VERSION lookup, which broke on minimal runner images that only ship wget. It now prefers curl and transparently falls back to wget, preserving the streaming download | tar fast path for .tar.gz and .tar.zst installs on Linux/macOS. Proxy support is unchanged — both tools honor HTTP_PROXY/HTTPS_PROXY. Addresses jdx/mise#10488.

Documentation

Full Changelog: jdx/mise-action@v4.1.0...v4.2.0


Configuration

📅 Schedule: (in timezone Europe/Paris)

  • Branch creation
    • "after 7am every weekday,before 8pm every weekday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team November 18, 2025 04:40
@sonarqube-next

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@renovate renovate Bot force-pushed the renovate/github-actions branch from 93273ff to 72c65a5 Compare May 7, 2026 10:27
@renovate renovate Bot requested a review from a team as a code owner May 7, 2026 10:27
@renovate renovate Bot changed the title from "chore(deps): update actions/checkout action to v4.3.1" to "Pin dependencies" May 7, 2026
renovate Bot commented May 7, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined
Post-upgrade command 'pre-commit autoupdate --freeze || true' has not been added to the allowed list in allowedCommands

sonar-review-alpha Bot commented May 7, 2026

Summary

This Renovate-generated PR pins GitHub Actions workflow dependencies to specific commit SHAs, replacing floating version references like v1, v7, and v3 with immutable commit hashes. Each pinned reference includes a version comment for readability.

Note: The actual versions pinned in the workflows differ from those listed in the PR description:

  • SonarSource/ci-github-actions is pinned to 1.4.0 (not 1.3.35 as stated)
  • SonarSource/gh-action_release is pinned to 7.0.1 (not 7.0.0 as stated)

Reviewers should verify these versions are intentional, not accidental updates.

What reviewers should know

Files modified: All .github/workflows/ files

  • build.yml: pins checkout and both ci-github-actions actions
  • pr-cleanup.yml: pins ci-github-actions
  • pre-commit.yml: pins gh-action_pre-commit (includes feature update to 1.2.0)
  • releasability.yaml: pins gh-action_releasability
  • release.yml: pins gh-action_release

Security context: Pinning to commit SHAs prevents unexpected action behavior from future version releases while still maintaining version comments for reference.

Verification needed: Cross-check the actual pinned versions (in the # comments) against the PR description to ensure they match intended updates.



sonar-review-alpha[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/github-actions branch from 72c65a5 to 18c861e Compare May 7, 2026 16:07
sonarqube-next Bot commented May 7, 2026

@sonar-review-alpha sonar-review-alpha Bot left a comment

LGTM! ✅

Clean dependency-pinning PR with no bugs or logic issues. The versions actually pinned in the workflows differ from the PR description: ci-github-actions is pinned to 1.4.0 (description says 1.3.35) and gh-action_release to 7.0.1 (description says 7.0.0). This is a known Renovate behaviour — the description can fall out of sync if the upstream tag moves between when Renovate opens the PR and when it commits. The SHAs in the workflows are what matters; confirm they resolve to the intended tags before merging.

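Added example, not part of this PR or of any bot's output: an offline check of the point the review above raises, that every `uses:` ref in the workflows should be a full commit SHA and that its version comment should agree with the PR description. The name `audit_workflow`, the sample workflow and the placeholder SHAs are constructed for illustration; the version numbers are the ones quoted in the review.

```python
import re

# `uses: owner/repo[/path]@ref  # version-comment`
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[^@\s'\"]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text, described=None):
    """Return (line_no, repo, problem) for each `uses:` line that is not SHA-pinned,
    lacks a version comment, or disagrees with `described` (repo -> claimed version)."""
    described = described or {}
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m["action"].startswith("docker://"):
            continue
        repo = "/".join(m["action"].split("/")[:2])  # drop any sub-action path
        if not FULL_SHA_RE.fullmatch(m["ref"]):
            findings.append((line_no, repo, f"unpinned ref {m['ref']}"))
            continue
        if not m["comment"]:
            findings.append((line_no, repo, "no version comment"))
            continue
        pinned = m["comment"].lstrip("v")
        want = described.get(repo, "").lstrip("v")
        if want and want != pinned:
            findings.append((line_no, repo, f"pinned {pinned}, described {want}"))
    return findings

# Constructed sample: the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@v7
      - uses: SonarSource/ci-github-actions@{'a' * 40} # 1.4.0
      - uses: SonarSource/gh-action_release@{'b' * 40} # 7.0.1
      - uses: jdx/mise-action@{'c' * 40} # v4.2.0
      - uses: SonarSource/gh-action_releasability@{'d' * 40}
"""
DESCRIBED = {"SonarSource/ci-github-actions": "1.3.35",
             "SonarSource/gh-action_release": "7.0.0", "jdx/mise-action": "v4.2.0"}

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW, DESCRIBED):
        print(*finding, sep=": ")
```

A matching comment only shows that the workflow and the description agree; to confirm a SHA really is the tagged commit, compare it with the output of `git ls-remote --tags` for the action's repository.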

@renovate renovate Bot force-pushed the renovate/github-actions branch from 18c861e to 5ea85e2 Compare May 22, 2026 16:53
@renovate renovate Bot temporarily deployed to sca-checking May 22, 2026 16:54 Inactive
@renovate renovate Bot force-pushed the renovate/github-actions branch from 5ea85e2 to 08740c6 Compare June 2, 2026 12:52
@renovate renovate Bot temporarily deployed to sca-checking June 2, 2026 12:52 Inactive
@renovate renovate Bot force-pushed the renovate/github-actions branch from 08740c6 to 9af7da3 Compare June 3, 2026 17:37
@renovate renovate Bot temporarily deployed to sca-checking June 3, 2026 17:37 Inactive
@renovate renovate Bot force-pushed the renovate/github-actions branch from 9af7da3 to 4b7c790 Compare June 8, 2026 20:31
@renovate renovate Bot temporarily deployed to sca-checking June 8, 2026 20:31 Inactive
@renovate renovate Bot force-pushed the renovate/github-actions branch from 4b7c790 to 012d4be Compare June 9, 2026 18:37
@renovate renovate Bot temporarily deployed to sca-checking June 9, 2026 18:37 Inactive
@renovate renovate Bot force-pushed the renovate/github-actions branch from 012d4be to 2f46314 Compare June 10, 2026 01:00
@renovate renovate Bot temporarily deployed to sca-checking June 10, 2026 01:00 Inactive
@renovate renovate Bot force-pushed the renovate/github-actions branch from 2f46314 to 8fd3dc6 Compare June 10, 2026 13:23
@renovate renovate Bot temporarily deployed to sca-checking June 10, 2026 13:23 Inactive
@renovate renovate Bot force-pushed the renovate/github-actions branch from 8fd3dc6 to f23e8f1 Compare June 15, 2026 09:15
@renovate renovate Bot temporarily deployed to sca-checking June 15, 2026 09:15 Inactive
@renovate renovate Bot force-pushed the renovate/github-actions branch from f23e8f1 to 20cb969 Compare June 16, 2026 01:40
@renovate renovate Bot temporarily deployed to sca-checking June 16, 2026 01:40 Inactive
@renovate renovate Bot force-pushed the renovate/github-actions branch 4 times, most recently from d726d97 to c1059e0 Compare June 23, 2026 15:00
@renovate renovate Bot force-pushed the renovate/github-actions branch from c1059e0 to 950488e Compare June 24, 2026 15:45