pin github actions versions

crazy-max · crazy-max · commit 05feb7fc4119 · 2026-03-16T10:26:07.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/content/manuals/build/checks.md b/content/manuals/build/checks.md
@@ -74,7 +74,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Build and push
-        uses: docker/build-push-action@{{% param "build_push_action_version" %}}.6.0
+        uses: docker/build-push-action@{{% param "build_push_action_version" %}}
 ```
 
 ![GitHub Actions build check annotations](./images/gha-check-annotations.png)
diff --git a/content/manuals/dhi/how-to/scan.md b/content/manuals/dhi/how-to/scan.md
@@ -157,9 +157,9 @@ name: DHI Vulnerability Scan
 
 on:
   push:
-    branches: [ main ]
+    branches:
+      - main
   pull_request:
-    branches: [ "**" ]
 
 env:
   REGISTRY: docker.io
@@ -173,13 +173,12 @@ jobs:
       contents: read
       packages: write
       pull-requests: write
-
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
 
       - name: Set up Docker with containerd image store
-        uses: docker/setup-docker-action@v4
+        uses: docker/setup-docker-action@{{% param "setup_docker_action_version" %}}
         with:
           daemon-config: |
             {
@@ -188,22 +187,20 @@ jobs:
               }
             }
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@{{% param "setup_buildx_action_version" %}}
-
       - name: Log in to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@{{% param "login_action_version" %}}
         with:
+          registry: ${{ env.REGISTRY }}
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Build Docker image
-        run: |
-          docker build \
-             --provenance=mode=max \
-             --sbom=true \
-             -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }} .
-
+      - name: Build
+        uses: docker/build-push-action@{{% param "build_push_action_version" %}}
+        with:
+          context: .
+          sbom: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
+      
       - name: Run Docker Scout CVE scan
         uses: docker/scout-action@v1
         with:
@@ -216,7 +213,6 @@ jobs:
         if: success()
         run: |
           docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
-
 ```
 
 The `exit-code: true` parameter ensures that the workflow fails if any critical or
diff --git a/content/manuals/scout/policy/ci.md b/content/manuals/scout/policy/ci.md
@@ -112,7 +112,7 @@ jobs:
 
       - name: Build image
         id: build-and-push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@{{% param "build_push_action_version" %}}
         with:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
