chore(deps): update github actions (major)

.github/release-drafter.yml

@@ -1,19 +1,19 @@
 categories:
-  - title: '⚠️  Breaking changes'
+  - title: "⚠️  Breaking changes"
     labels:
-      - 'kind/major'
-      - 'kind/breaking-change'
-  - title: '🚀 Features'
+      - "kind/major"
+      - "kind/breaking-change"
+  - title: "🚀 Features"
     labels:
-      - 'kind/enhancement'
-      - 'kind/feature'
-  - title: '🐛 Bug Fixes'
+      - "kind/enhancement"
+      - "kind/feature"
+  - title: "🐛 Bug Fixes"
     labels:
-      - 'kind/bug'
-  - title: '🧰 Maintenance'
+      - "kind/bug"
+  - title: "🧰 Maintenance"
     labels:
-      - 'kind/chore'
-      - 'area/dependencies'
+      - "kind/chore"
+      - "area/dependencies"
 
 exclude-labels:
   - duplicate
@@ -23,44 +23,51 @@ exclude-labels:
   - kind/question
   - release/skip-changelog
 
-change-template: '- $TITLE (#$NUMBER)'
+change-template: "- $TITLE (#$NUMBER)"
 change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
-name-template: 'v$RESOLVED_VERSION'
+name-template: "v$RESOLVED_VERSION"
 template: |
   $CHANGES
 
 autolabeler:
-    # Tag any PR with "!" in the subject as major update. In other words, breaking change
-  - label: 'kind/breaking-change'
-    title: '/.*!:.*/'
-  - label: 'area/dependencies'
-    title: 'chore(deps)'
-  - label: 'area/dependencies'
-    title: 'fix(deps)'
-  - label: 'area/dependencies'
-    title: 'build(deps)'
-  - label: 'kind/feature'
-    title: 'feat'
-  - label: 'kind/bug'
-    title: 'fix'
-  - label: 'kind/chore'
-    title: 'chore'
+  # Tag any PR with "!" in the subject as major update. In other words, breaking change
+  - label: "kind/breaking-change"
+    title:
+      - "/.*!:.*/"
+  - label: "area/dependencies"
+    title:
+      - "chore(deps)"
+  - label: "area/dependencies"
+    title:
+      - "fix(deps)"
+  - label: "area/dependencies"
+    title:
+      - "build(deps)"
+  - label: "kind/feature"
+    title:
+      - "feat"
+  - label: "kind/bug"
+    title:
+      - "fix"
+  - label: "kind/chore"
+    title:
+      - "chore"
 
 version-resolver:
   major:
     labels:
-      - 'kind/major'
-      - 'kind/breaking-change'
+      - "kind/major"
+      - "kind/breaking-change"
   minor:
     labels:
-      - 'kind/minor'
-      - 'kind/feature'
-      - 'kind/enhancement'
+      - "kind/minor"
+      - "kind/feature"
+      - "kind/enhancement"
   patch:
     labels:
-      - 'kind/patch'
-      - 'kind/fix'
-      - 'kind/bug'
-      - 'kind/chore'
-      - 'area/dependencies'
+      - "kind/patch"
+      - "kind/fix"
+      - "kind/bug"
+      - "kind/chore"
+      - "area/dependencies"
   default: patch

.github/workflows/autolabeler.yml

@@ -0,0 +1,19 @@
+name: Autolabeler
+
+on:
+  pull_request:
+    # Only following types are handled by the action, but one can default to all as well
+    types: [opened, reopened, synchronize, edited]
+
+permissions:
+  contents: read
+
+jobs:
+  autolabeler:
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: release-drafter/release-drafter/autolabeler@139054aeaa9adc52ab36ddf67437541f039b88e2 # v7.1.1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/build-kwctl.yml

@@ -117,7 +117,7 @@ jobs:
 
       - name: Generate attestations
         if: ${{ !inputs.build_only }}
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         id: attestations
         with:
           subject-path: kwctl-linux-${{ matrix.targetarch }}
@@ -134,7 +134,7 @@ jobs:
 
       - name: Upload binary
         if: ${{ !inputs.build_only }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: kwctl-linux-${{ matrix.targetarch }}
           path: kwctl-linux-${{ matrix.targetarch }}.zip
@@ -163,7 +163,7 @@ jobs:
 
       - name: Upload kwctl SBOM files
         if: ${{ !inputs.build_only }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: kwctl-linux-${{ matrix.targetarch }}-sbom
           path: |
@@ -172,7 +172,7 @@ jobs:
 
       - name: Upload kwctl air gap scripts
         if: ${{ !inputs.build_only && matrix.targetarch == 'x86_64' }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: kwctl-airgap-scripts
           path: |
@@ -211,7 +211,7 @@ jobs:
 
       - name: Generate attestations
         if: ${{ !inputs.build_only }}
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         id: attestations
         with:
           subject-path: kwctl-darwin-${{ matrix.targetarch }}
@@ -228,7 +228,7 @@ jobs:
 
       - name: Upload binary
         if: ${{ !inputs.build_only }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: kwctl-darwin-${{ matrix.targetarch }}
           path: kwctl-darwin-${{ matrix.targetarch }}.zip
@@ -259,7 +259,7 @@ jobs:
 
       - name: Upload kwctl SBOM files
         if: ${{ !inputs.build_only }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: kwctl-darwin-${{ matrix.targetarch }}-sbom
           path: |
@@ -306,7 +306,7 @@ jobs:
 
       - name: Generate attestations
         if: ${{ !inputs.build_only }}
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         id: attestations
         with:
           subject-path: kwctl-windows-${{ matrix.targetarch }}.exe
@@ -326,7 +326,7 @@ jobs:
 
       - name: Upload binary
         if: ${{ !inputs.build_only }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: kwctl-windows-x86_64
           path: kwctl-windows-x86_64.exe.zip
@@ -358,7 +358,7 @@ jobs:
 
       - name: Upload kwctl SBOM files
         if: ${{ !inputs.build_only }}
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: kwctl-windows-x86_64-sbom
           path: |

.github/workflows/ci.yml

@@ -361,7 +361,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
       # Disable plugin verification until the following issue is addressed https://github.com/helm-unittest/helm-unittest/issues/777
       - name: Install Helm-unittest
         run: helm plugin install https://github.com/helm-unittest/helm-unittest --verify=false

.github/workflows/open-release-pr.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
+      - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         id: generate-token
         with:
           app-id: ${{ secrets.APP_ID }}
@@ -32,7 +32,7 @@ jobs:
 
       - name: Install helm
         # Helm and helm plugins installation required by the updatecli release action
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
 
       - name: Install helm values schema json plugin
         # Disable plugin verification until helm v4 is supported

.github/workflows/release-drafter.yml

@@ -6,10 +6,6 @@ on:
     # branches to consider in the event; optional, defaults to all
     branches:
       - main
-  # pull_request event is required only for autolabeler
-  pull_request:
-    # Only following types are handled by the action, but one can default to all as well
-    types: [opened, reopened, synchronize, edited]
 
 permissions:
   contents: read
@@ -19,16 +15,9 @@ jobs:
     permissions:
       # write permission is required to create a github release
       contents: write
-      # write permission is required for autolabeler
-      # otherwise, read permission is required at least
-      pull-requests: write
+      pull-requests: read
     runs-on: ubuntu-latest
     steps:
-      # Drafts your next Release notes as Pull Requests are merged into "master"
-      - uses: release-drafter/release-drafter@6a93d829887aa2e0748befe2e808c66c0ec6e4c7 # v6.4.0
-        # (Optional) specify config name to use, relative to .github/. Default: release-drafter.yml
-        # with:
-        #   config-name: my-config.yml
-        #   disable-autolabeler: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: release-drafter/release-drafter@139054aeaa9adc52ab36ddf67437541f039b88e2 # v7.1.1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -180,12 +180,12 @@ jobs:
             }
             core.setFailed(`Draft release not found`)
       - name: Download attestation artifacts
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           pattern: attestation-*
           merge-multiple: true
       - name: Download kwctl artifacts
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           pattern: kwctl-*
           merge-multiple: false
@@ -277,7 +277,7 @@ jobs:
     needs: release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
+      - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         id: generate-token
         with:
           app-id: ${{ secrets.APP_ID }}

.github/workflows/update-dependencies.yaml

@@ -21,7 +21,7 @@ jobs:
           # happen" for the conditions
           version: v0.109.0
 
-      - uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
+      - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         id: generate-token
         with:
           app-id: ${{ secrets.APP_ID }}