Update github actions

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
SonarSource/ci-github-actions	action	patch	1.3.29 → 1.3.34
SonarSource/gh-action_releasability	action	patch	3.0.4 → 3.0.5
SonarSource/gh-action_release	action	minor	6.5.0 → 6.7.1
SonarSource/release-github-actions	action	minor	1.4.3 → 1.5.4
actions/upload-artifact	action	patch	v7.0.0 → v7.0.1
peter-evans/create-pull-request (changelog)	action	digest	c0f553f → 5f6978f

---

Release Notes

SonarSource/ci-github-actions (SonarSource/ci-github-actions)

v1.3.34

Compare Source

What's Changed

• PREQ-5070 Update dependency mise to 2026.3.17 by @​renovate[bot] in #​232

Full Changelog: SonarSource/ci-github-actions@1.3.33...1.3.34

v1.3.33

Compare Source

What's Changed

Improvements

• Update SonarSource/gh-action_cache action to v1.4.4 by @​renovate[bot] in #​242

Full Changelog: SonarSource/ci-github-actions@1.3.32...1.3.33

v1.3.32

Compare Source

What's Changed

Improvements

• PREQ-4918: Support unique artifact names for matrix jobs by @​bwalsh434 in #​240

Full Changelog: SonarSource/ci-github-actions@1.3.31...1.3.32

v1.3.31

Compare Source

What's Changed

Improvements

• PREQ-4933 Use plain poetry install to respect lock file by @​tomverin in #​241

Full Changelog: SonarSource/ci-github-actions@1.3.30...1.3.31

v1.3.30

Compare Source

What's Changed

Improvements

• Update GitHub actions by @​renovate[bot] in #​239

  Package	Type	Update	Change
  SonarSource/gh-action_cache	action	patch	v1.4.2 → v1.4.3

  This release sets AWS S3 as the default cache backend for gh-action_cache.
  Use CACHE_BACKEND env var to use GitHub cache backend.
  Use CACHE_IMPORT_GITHUB env var to opt-in/out migration scenario from GitHub to S3.

Full Changelog: SonarSource/ci-github-actions@1.3.29...1.3.30

SonarSource/gh-action_releasability (SonarSource/gh-action_releasability)

v3.0.5

Compare Source

Improvements

• BUILD-10764 Update AWS role to v2 by @​mikolaj-matuszny-ext-sonarsource in #​136
• chore(deps): update dependency mise to 2026.2.3 by @​renovate[bot] in #​125
• chore(deps): update python:3.14-slim docker digest to fa0acdc by @​renovate[bot] in #​126
• chore(deps): update aws-actions/configure-aws-credentials action to v6 by @​renovate[bot] in #​127
• chore(deps): update jdx/mise-action action to v3.6.2 by @​renovate[bot] in #​132

Full Changelog: SonarSource/gh-action_releasability@3.0.4...3.0.5

SonarSource/gh-action_release (SonarSource/gh-action_release)

v6.7.1

Compare Source

What's Changed

Improvements

• BUILD-10764 Update releasability ref to latest by @​mikolaj-matuszny-ext-sonarsource in #​390
• chore(deps): update amazon/aws-cli docker tag to v2.33.14 by @​renovate[bot] in #​361
• chore(deps): update dependency mise to 2026.2.3 by @​renovate[bot] in #​362
• chore(deps): update python:3.14-slim docker digest to fa0acdc by @​renovate[bot] in #​363
• chore(deps): update aws-actions/configure-aws-credentials action to v6 by @​renovate[bot] in #​364

Full Changelog: SonarSource/gh-action_release@6.7.0...6.7.1

v6.7.0

Compare Source

What's Changed

• PREQ-5134 Add optional oidcEnvironment input for repos using environment-based OIDC sub claims by @​henryju in #​385

Full Changelog: SonarSource/gh-action_release@6.6.1...6.7.0

v6.6.1

Compare Source

What's Changed

• BUILD-10930: Add useNpmTrustedPublisher input to gh-action_release workflows by @​jayadeep-km-sonarsource in #​386

Full Changelog: SonarSource/gh-action_release@6.5.0...6.6.1

v6.6.0

Compare Source

SonarSource/release-github-actions (SonarSource/release-github-actions)

v1.5.4

Compare Source

What's Changed

• GHA-239 Change PM for IDE releases by @​damien-urruty-sonarsource in #​135

Full Changelog: SonarSource/release-github-actions@1.5.3...1.5.4

v1.5.3

Compare Source

What's Changed

• GHA-225 Lock branch during IDE releases by @​damien-urruty-sonarsource in #​132

Full Changelog: SonarSource/release-github-actions@1.5.2...1.5.3

v1.5.2

Compare Source

What's Changed

• GHA-227 Fix unfreeze-branch not being run by @​jonas-wielage-sonarsource in #​134

Full Changelog: SonarSource/release-github-actions@1.5.1...1.5.2

v1.5.1

Compare Source

What's Changed

• GHA-226 Fix automated-release silent abort due to transitive skipped status by @​jonas-wielage-sonarsource in #​133

Full Changelog: SonarSource/release-github-actions@1.5.0...1.5.1

v1.5.0

Compare Source

What's Changed

• GHA-219 Only send Slack notification when a PR is created or updated by @​nils-werner-sonarsource in #​128
• GHA-222 Fix script injection vulnerabilities in create-integration-ticket action by @​nils-werner-sonarsource in #​129
• GHA-224 Add notify-failure action for rich CI failure Slack notifications by @​nils-werner-sonarsource in #​131
• GHA-221 Improve automated-release with features required by cloud-security by @​jonas-wielage-sonarsource in #​124

Full Changelog: SonarSource/release-github-actions@1.4.3...1.5.0

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

---

Configuration

📅 Schedule: (in timezone CET)

• Branch creation
  • "after 7am every weekday,before 7pm every weekday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[hashicorp-vault-sonar-prod]

Renovate Jira issue ID: SLCORE-2268

[sonar-review-alpha]

Summary

This PR updates multiple GitHub Actions dependencies across 5 workflow files. Despite the PR title indicating only a ci-github-actions update to v1.3.30, the actual changes are more comprehensive:

• SonarSource/ci-github-actions: 1.3.29 → 1.3.34 (not v1.3.30 as stated in the title)
• SonarSource/release-github-actions: 1.4.3 → 1.5.4
• SonarSource/gh-action_release: 6.5.0 → 6.7.1
• SonarSource/gh-action_releasability: 3.0.4 → 3.0.5
• actions/upload-artifact: v7.0.0 → v7.0.1
• peter-evans/create-pull-request: v8 (commit hash updated)

All changes are pinned to specific commit SHAs with version tags. The updates appear to come from automated dependency management (Renovate).

What reviewers should know

Key points for review:

1. Discrepancy in PR metadata: The PR title and author description state "v1.3.30" but the actual ci-github-actions version updated is v1.3.34. Verify this is intentional (may indicate the PR was auto-updated after initial creation).

2. Scope is broader than described: This isn't just a single action patch — it updates SonarSource action dependencies across all major workflows (build, QA, release, shadow scans).

3. No code changes: Only workflow YAML files are modified; no application code is affected.

4. Workflow impact areas to spot-check:

   • build.yml: get-build-number, build-maven, cache, config-maven, promote
   • QA workflows: cache and config steps
   • Release workflows: potential breaking changes in 1.5.4 and 6.7.1 versions (significant bumps)
   • Shadow scans: build-maven update

5. Consider testing: Release workflow updates (release-github-actions 1.4.3→1.5.4 and gh-action_release 6.5.0→6.7.1) are substantial version changes that may warrant running a test release or validating release process workflows.

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[sonarqube-next]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube

[sonar-review-alpha]

All action references are correctly pinned to full 40-character SHAs, internally consistent (same SHA used everywhere for the same action), and no untouched workflow files are left with stale references. The update is broader than the PR title implies — ci-github-actions lands at 1.3.34 (not 1.3.30), and several other SonarSource release/releasability actions are bumped alongside it.

One behavioral change warrants explicit confirmation: the ci-github-actions/cache action now defaults to AWS S3 as its cache backend (via the internal gh-action_cache v1.4.3 bump). The two cache steps in build.yml have no CACHE_BACKEND or CACHE_IMPORT_GITHUB env var set.

🗣️ Give feedback

[sonarqube-next]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube