
Pin dependencies #221

Merged

romainbrenguier merged 1 commit into master from renovate/all-sonar-github-actions on Apr 23, 2026

Conversation

renovate Bot (Contributor) commented Apr 22, 2026

This PR contains the following updates:

Package                                      | Type   | Update | Change
SonarSource/ci-github-actions                | action | pin    | v1 → 1.3.34
SonarSource/gh-action_cache                  | action | pin    | v1 → 1.4.4
SonarSource/gh-action_release                | action | pin    | v6 → 6.8.0
SonarSource/gh-action_setup-cloudflare-warp  | action | pin    | v1 → 1.0.7
SonarSource/release-github-actions           | action | pin    | v1 → 1.5.4
SonarSource/unified-dogfooding-actions       | action | pin    | v1 → 1.0.0
SonarSource/vault-action-wrapper             | action | pin    | v3 → 3.4.0

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.


Configuration

📅 Schedule: (in timezone CET)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team April 22, 2026 19:15
sonar-review-alpha Bot commented Apr 22, 2026

Summary

This Renovate-generated PR pins seven SonarSource GitHub Actions to specific versions across the repository's CI/CD workflows. The changes move from floating version tags (e.g., v1, v3, v6) to exact versions (e.g., 1.3.34, 3.4.0, 6.8.0), which improves build reproducibility and reduces the risk of unexpected behavior from automatic major version updates.

The pinning affects 11 workflow files and one custom action, with multiple references in some files like build.yml.

What reviewers should know

What to verify:

  • Check that the pinned versions are recent and actively maintained (avoid pinning to outdated releases)
  • Confirm the version numbers match what's documented in the action repositories
  • Look for any breaking changes between the previous floating versions and the new pinned versions (especially for ci-github-actions, which gets heavy use across multiple jobs)

Where to look:

  • Start with .github/workflows/build.yml — it has the most changes and exercises the most actions
  • Key actions to spot-check: vault-action-wrapper (security-sensitive), ci-github-actions (core build), and gh-action_release (release process)
  • The changes are mechanical and consistent — each action reference follows the same pattern

No functional changes: Workflows should continue to behave identically; this is purely about version pinning strategy.


sonar-review-alpha Bot left a comment

LGTM! ✅

Clean dependency-pinning PR with no functional changes. All 7 targeted SonarSource action families are pinned consistently and correctly across the 11 affected files. Non-SonarSource actions (actions/*, jdx/mise-action, etc.) are already pinned to commit SHAs throughout the repo.

One gap worth noting: five workflows that this PR touches also reference sonarsource/gh-action-lt-backlog sub-actions (PullRequestClosed, PullRequestCreated, RequestReview, SubmitReview, ToggleLockBranch) still at the floating @v2 tag. Renovate apparently isn't configured to manage this action family. It's not a blocker for merging this PR, but worth adding to Renovate's config or pinning manually to keep the posture consistent.
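As an added example (not part of this PR or of the project's own tooling), a small Python check that enforces the posture the review describes: every `uses:` reference in a workflow is classified as pinned to a commit SHA, pinned to an exact release version, or left on a floating major tag, so leftovers such as `gh-action-lt-backlog/...@v2` are flagged. The workflow text and the 40-hex-digit SHA below are constructed sample input, not taken from the repository.

```python
import re

# `uses:` reference of the form owner/repo[/subpath]@ref.
# Local (./...) and docker:// uses carry no "@ref" and are skipped on purpose.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")         # full commit SHA: the only immutable ref
EXACT_RE = re.compile(r"^v?\d+\.\d+\.\d+$")     # exact release tag, e.g. 1.3.34 (a tag can still move)
FLOATING_RE = re.compile(r"^v?\d+(?:\.\d+)?$")  # major or major.minor tag, e.g. v1, v2, v6


def classify_ref(ref: str) -> str:
    """Return 'sha', 'exact', 'floating' or 'other' (branch names such as master)."""
    if SHA_RE.match(ref):
        return "sha"
    if EXACT_RE.match(ref):
        return "exact"
    if FLOATING_RE.match(ref):
        return "floating"
    return "other"


def audit_workflow(text: str):
    """List (line number, action path, ref, kind) for every `uses:` line in a workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            findings.append((lineno, action, ref, classify_ref(ref)))
    return findings


def unpinned(text: str):
    """Only the references a reviewer should flag: floating tags and branch names."""
    return [(a, r) for _, a, r, kind in audit_workflow(text) if kind in ("floating", "other")]


# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: SonarSource/ci-github-actions@1.3.34
      - uses: SonarSource/vault-action-wrapper@3.4.0
      - uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2
"""

if __name__ == "__main__":
    for action, ref in unpinned(SAMPLE_WORKFLOW):
        print(f"not pinned: {action}@{ref}")
```

Run against the real `.github/workflows/*.yml` files, the same `unpinned()` call lists exactly the `@v2` sub-action references the comment above points out.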


sonarqube-next Bot commented

Quality Gate passed for 'sonar-rust'

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

@romainbrenguier romainbrenguier merged commit 889cb35 into master Apr 23, 2026
15 checks passed
@romainbrenguier romainbrenguier deleted the renovate/all-sonar-github-actions branch April 23, 2026 07:22