Update GitHub actions#234

Merged
julien-carsique-sonarsource merged 2 commits into master from renovate/github-actions
Mar 25, 2026

Conversation

@renovate renovate bot commented Mar 19, 2026

This PR contains the following updates:

Package                           Type    Update  Change
SonarSource/gh-action_cache       action  minor   v1.2.3 → v1.4.1
SonarSource/vault-action-wrapper  action  minor   3.3.0 → 3.4.0

Release Notes

SonarSource/gh-action_cache (SonarSource/gh-action_cache)

v1.4.1

Compare Source

What's Changed
Improvements
  • BUILD-10724 migrate only when S3 is forced by @julien-carsique-sonarsource in #51
    The cache migration from GitHub to S3 is enabled by default on the public repositories when the S3 backend is explicitly forced.
    Explicitly opt in/out with import-github-cache input or CACHE_IMPORT_GITHUB environment variable.
Bug Fixes

Full Changelog: SonarSource/gh-action_cache@v1.4.0...v1.4.1

v1.4.0

Compare Source

What's Changed
New Features

When switching from GitHub Actions cache to S3, existing cache entries live only in GitHub and would need to be rebuilt from scratch.
Migration mode bridges this gap: when using the S3 backend and no S3 cache exists, the action automatically falls back to restore
from GitHub Actions cache using the original key. The S3 post-job step then saves the restored content to S3, pre-provisioning it
for subsequent runs.

Migration mode is enabled by default for S3 backend. It can be deactivated with import-github-cache: 'false' input or CACHE_IMPORT_GITHUB=false environment variable.

Full Changelog: SonarSource/gh-action_cache@v1.3.1...v1.4.0

v1.3.1

Compare Source

What's Changed
New Features
Documentation
  • This release introduces the new fallback-to-default-branch option which is set to 'false' by default. With this option set to false, the cache fallback mechanism largely operates the same, though we plan to set it to 'true' in the next release. See the README.md for more details on how this works.
New Contributors

Full Changelog: SonarSource/gh-action_cache@v1.3.0...v1.3.1

v1.3.0

Compare Source

New Features
Added new composite action for self-service S3 cache cleanup: SonarSource/gh-action_cache/cleanup

It supports:

  • List mode — discover all cache entries for your repo without deleting anything
  • Delete by branch — remove all cache entries for a specific branch (e.g., feature/my-branch)
  • Delete by key — remove entries matching a cache key prefix across all branches or specific branch (e.g., sccache-Linux)
  • Dry-run — preview what would be deleted before committing
  • GitHub Actions job summary — collapsible table of matched/deleted objects in the workflow summary

Setup
Add a workflow_dispatch workflow to your repository and trigger it from the default branch.
See Cache Cleanup in the README for full setup instructions and usage examples.

NOTE: Due to security constraints you cannot run cache cleanup from a non-default branch!

SonarSource/vault-action-wrapper (SonarSource/vault-action-wrapper)

v3.4.0

Compare Source

What's Changed

Full Changelog: SonarSource/vault-action-wrapper@3.3.0...3.4.0


Configuration

📅 Schedule: Branch creation - "after 7am every weekday, before 8pm every weekday" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner March 19, 2026 10:48

sonar-review-alpha bot commented Mar 19, 2026

Summary

This PR updates two critical GitHub Actions with security and reliability improvements across 20+ files:

  • vault-action-wrapper (3.3.0 → 3.4.0): Improves Vault diagnostic error messages with actionable guidance
  • gh-action_cache (v1.2.3 → v1.4.1): Adds S3 cache migration with GitHub cache fallback, fixes S3 provisioning

Additionally, several action files are refactored to move GitHub Actions context variables into shell environment variables before use (e.g., ${{ inputs.foo }} → FOO env var → ${FOO} in shell), strengthening protection against shell injection vulnerabilities.

What reviewers should know

What to check:

  • Review the two version bumps to confirm the improvements are desired (Vault error messages, cache migration behavior)
  • The shell variable refactoring is mechanical across multiple files—spot check one file (like build-maven) to confirm the pattern is correct, then the rest are consistent

Key decisions:

  • Cache migration in gh-action_cache v1.4.1 only triggers when S3 is explicitly forced; verify this aligns with your CI/CD expectations if you use S3 caching
  • The env var refactoring prevents shell metacharacter injection but doesn't change behavior—these are pure security improvements

Files to focus on:

  • Start with the version updates in build-maven/action.yml and code-signing/action.yml to see both the vault-wrapper bump and the env var refactoring pattern
  • All workflow files (.github/workflows/) have uniform vault-wrapper updates only—no refactoring there

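The refactoring the review comment describes, shown as an added illustration rather than code from this PR or from the SonarSource actions: a hypothetical composite action (action.yml) with a single input named foo, with the interpolated form and the environment-variable form side by side. The action name, its description and the foo input are assumptions made for this example.

```yaml
# Added example (hypothetical composite action, not from the SonarSource repositories).
# It contrasts the two ways of reaching an action input from a `run:` script.
name: demo-env-var-hardening
description: Illustrates why `${{ inputs.foo }}` is moved into an env var before use
inputs:
  foo:
    description: Arbitrary caller-controlled text (assumed input for this example)
    required: false
    default: ''

runs:
  using: composite
  steps:
    # BEFORE (the pattern the PR removes): the `${{ }}` expression is expanded by
    # the runner into the script text *before* bash parses it. Whatever the caller
    # put in `foo` therefore becomes part of the script source, so shell
    # metacharacters in the value are interpreted as shell syntax, not as data.
    - name: Print input (direct interpolation)
      shell: bash
      run: echo "foo is ${{ inputs.foo }}"

    # AFTER (the pattern the PR introduces): the runner places the value in the
    # process environment as FOO. The script text is now a constant; bash expands
    # "${FOO}" at run time as a single quoted word, so the value is only ever data.
    # The text that reaches `echo` is identical in both steps, which is why the
    # review comment calls the change a pure security improvement with no
    # behavioural difference.
    - name: Print input (environment variable)
      shell: bash
      env:
        FOO: ${{ inputs.foo }}
      run: echo "foo is ${FOO}"
```

The double quotes around ${FOO} matter as well: an unquoted expansion is still data to the parser, but it is subject to word splitting and globbing. A quick audit for the remaining occurrences of the first pattern is to search the repository's action.yml and workflow files for `${{` appearing inside a `run:` block; every hit should either be moved into an `env:` mapping as above or be a value that is not attacker-influenced (a literal, a version pin, a matrix constant).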


hashicorp-vault-sonar-prod bot commented Mar 19, 2026

Renovate Jira issue ID: BUILD-10758

@renovate renovate bot force-pushed the renovate/github-actions branch from 460b85f to e449898 Compare March 25, 2026 14:20
@renovate renovate bot changed the title Update SonarSource/gh-action_cache action to v1.3.0 Update GitHub actions Mar 25, 2026
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

renovate bot commented Mar 25, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@sonar-review-alpha sonar-review-alpha bot left a comment

Conclusion: Clean, mechanical PR. The version bumps are correct and the shell injection hardening is applied consistently and correctly across all affected files.

@julien-carsique-sonarsource julien-carsique-sonarsource merged commit 77ac9f9 into master Mar 25, 2026
13 checks passed
@julien-carsique-sonarsource julien-carsique-sonarsource deleted the renovate/github-actions branch March 25, 2026 16:56