Update GitHub Actions dependencies (major) #85

Open
renovate[bot] wants to merge 1 commit into master from renovate/major-github-actions-dependencies

@renovate renovate Bot commented May 1, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| SonarSource/gh-action_release | action | major | v6 → 7.0.0 |
| actions/checkout | action | major | v5.0.1 → v6.0.2 |
| actions/checkout | action | major | v4 → v6 |
| jdx/mise-action | action | major | v3.6.3 → v4.0.1 |

Release Notes

SonarSource/gh-action_release (SonarSource/gh-action_release)

v7.0.0

Compare Source

What's Changed

The v7 generation complies with release and tag immutability.

Improvements

Breaking Change

Full Changelog: SonarSource/gh-action_release@6.8.1...7.0.0

actions/checkout (actions/checkout)

v6.0.2

Compare Source

v6.0.1

Compare Source

v6.0.0

Compare Source

v6

Compare Source

jdx/mise-action (jdx/mise-action)

v4.0.1: Documentation and Internal Cleanup

Compare Source

A small maintenance release that updates the README documentation to reflect v4 and cleans up internal code. There are no functional changes to the action itself.

Changed
  • Updated all README examples to reference jdx/mise-action@v4, actions/checkout@v6, and current tool versions by @deining in #407 and #408
  • Extracted getCwd() helper to deduplicate working directory resolution logic (internal refactor, no behavior change) by @altendky in #403
New Contributors

Full Changelog: jdx/mise-action@v4.0.0...v4.0.1

v4.0.0

Compare Source

What's Changed
New Contributors

Full Changelog: jdx/mise-action@v3...v4.0.0

v4

Compare Source


Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • "before 6am on Monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies label May 1, 2026
@renovate renovate Bot requested a review from a team May 1, 2026 09:21

hashicorp-vault-sonar-prod Bot commented May 1, 2026

Renovate Jira issue ID: SONARJAVA-6324


sonar-review-alpha Bot commented May 1, 2026

Summary

⚠️ The PR description exceeded the analysis limit and was truncated. The review may not reflect all context.

This PR updates GitHub Actions to major versions across four workflows:

  • actions/checkout: v5.0.1 & v4 → v6.0.2 & v6 (updated in build.yml, unified-dogfooding.yml, and PrepareNextIteration.yml)
  • jdx/mise-action: v3.6.3 → v4.0.1 (updated in build.yml and unified-dogfooding.yml)
  • SonarSource/gh-action_release: v6 → 7.0.0 (updated in release.yml with breaking changes)

All references use pinned commit SHAs with version tags for reproducibility.

What reviewers should know

Critical review point: SonarSource/gh-action_release v7.0.0 introduces breaking changes:

  • version input is now required — verify it's being provided in release.yml
  • Action ownership of GitHub release publication changes — must not be triggered by the release published event; verify the trigger configuration is correct

Routine checks:

  • actions/checkout v6 changes tag handling (preserves annotations, explicit fetch-tags) — no breaking concerns for this repo
  • jdx/mise-action v4.0.1 is a maintenance release with no functional changes
  • All version updates are consistently applied across workflows


sonarqube-next Bot commented May 1, 2026


@sonar-review-alpha sonar-review-alpha Bot left a comment


The bump to gh-action_release v7.0.0 introduces two breaking changes that haven't been addressed — the release workflow will fail at runtime as-is. The other three action upgrades (checkout v6, mise-action v4) are clean and consistent.

id-token: write
contents: write
uses: SonarSource/gh-action_release/.github/workflows/main.yaml@v6
uses: SonarSource/gh-action_release/.github/workflows/main.yaml@d9c158044abff69356475ff82b1f99b78dbd9d93 # 7.0.0
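Review bot: The trailing `# 7.0.0` on the new `uses:` line is only a comment and nothing enforces it, while this reusable workflow is called with `id-token: write` and `contents: write`. Before merging, confirm upstream that commit `d9c158044abff69356475ff82b1f99b78dbd9d93` is what the 7.0.0 tag of SonarSource/gh-action_release points to.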

gh-action_release v7.0.0 requires the version input — it is now mandatory and missing from the with: block below. Without it the workflow will error immediately on invocation.

Additionally, v7.0.0's breaking change states the action must not be triggered by the release: published event — the action now owns GitHub release publication itself (reusing an existing draft). The trigger at the top of this file needs to change from release: published to workflow_dispatch. See the v6→v7 migration guide: https://github.com/SonarSource/gh-action_release/tree/7.0.0#migrating-from-v6-to-v7-draft-first-workflow_dispatch


- name: Checkout Sources
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
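Review bot: On the `uses: actions/checkout` line this workflow goes from `@v4` straight to v6, skipping a major version, so the v5 release notes apply to this step as well as the v6 ones. Check both sets of notes against this job before merging rather than relying on the v5.0.1 to v6.0.2 review done for the other workflows.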

SHA comment says # v6 but build.yml and unified-dogfooding.yml annotate the same SHA (de0fac2e) as # v6.0.2. Update the comment to match so the pinned version is unambiguous at a glance.

Suggested change
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
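
The annotation mismatch raised in the review comment above (one commit SHA labelled both `# v6` and `# v6.0.2`) can be checked mechanically. The following is an added example, not part of this PR or of any project named in it: it scans workflow text for `uses:` lines, reports refs that are not full commit SHAs, and reports SHAs that carry different version comments. The function name `audit_pins` and the `SAMPLE` file contents are assumptions, constructed from lines quoted on this page.

```python
import re
from collections import defaultdict

# "uses: owner/repo[/path]@ref  # label", optionally behind a "- " list marker
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^@\s]+)@(\S+)(?:\s+#\s*(\S+))?")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

# Constructed sample: file contents assembled from lines quoted in this thread.
SAMPLE = {
    "build.yml": "- name: Checkout\n"
                 "  uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n",
    "PrepareNextIteration.yml": "- name: Checkout Sources\n"
                 "  uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6\n",
    # The pre-update line: a mutable tag instead of a commit SHA.
    "release.yml": "uses: SonarSource/gh-action_release/.github/workflows/main.yaml@v6\n",
}

def audit_pins(workflows):
    """workflows maps file name -> file text. Returns (unpinned, inconsistent)."""
    unpinned = []  # (file, line number, action, ref) for refs that are not 40-hex SHAs
    labels = defaultdict(lambda: defaultdict(list))  # (repo, sha) -> label -> locations
    for name, text in workflows.items():
        for no, line in enumerate(text.splitlines(), 1):
            m = USES_RE.match(line)
            if not m:
                continue
            action, ref, label = m.groups()
            if not FULL_SHA.fullmatch(ref):
                unpinned.append((name, no, action, ref))
                continue
            # Sub-paths (reusable workflows, nested actions) share the repo's commits.
            repo = "/".join(action.split("/")[:2])
            labels[(repo, ref)][label or "<none>"].append(f"{name}:{no}")
    # A SHA is inconsistent when more than one distinct comment label points at it.
    inconsistent = {k: dict(v) for k, v in labels.items() if len(v) > 1}
    return unpinned, inconsistent

if __name__ == "__main__":
    unpinned, inconsistent = audit_pins(SAMPLE)
    for f, no, action, ref in unpinned:
        print(f"{f}:{no}: {action}@{ref} is not pinned to a full commit SHA")
    for (repo, sha), by_label in inconsistent.items():
        print(f"{repo}@{sha[:8]} annotated inconsistently: {by_label}")
```

The check only compares comments with each other; it does not contact GitHub, so it cannot tell which label matches the tag the SHA really belongs to.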