ci(workflows): upgrade all GitHub Actions to latest versions

appleboy · claude · appleboy · commit 2234c296419e · 2026-03-08T11:31:26.000+08:00
- Upgrade goreleaser-action from v6 to v7
- Upgrade docker actions (setup-qemu v4, setup-buildx v4, login v4, metadata v6, build-push v7)
- Upgrade codeql-action from v3 to v4
- Upgrade trivy-action from 0.33.1 to 0.35.0
- Upgrade hadolint-action from v3.1.0 to v3.3.0

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -41,7 +41,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -50,4 +50,4 @@ jobs:
           # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -31,29 +31,29 @@ jobs:
           make build_linux_arm
           make build_linux_arm64
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Login to Docker Hub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to GitHub Container Registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker meta
         id: docker-meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             ${{ github.repository }}
@@ -65,7 +65,7 @@ jobs:
             type=semver,pattern={{major}}
 
       - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v7
         with:
           context: .
           platforms: linux/amd64,linux/arm,linux/arm64
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -23,7 +23,7 @@ jobs:
           go-version-file: go.mod
           check-latest: true
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
         with:
           # either 'goreleaser' (default) or 'goreleaser-pro'
           distribution: goreleaser
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -22,7 +22,7 @@ jobs:
           version: v2.7
           args: --verbose
 
-      - uses: hadolint/hadolint-action@v3.1.0
+      - uses: hadolint/hadolint-action@v3.3.0
         name: hadolint for Dockerfile
         with:
           dockerfile: docker/Dockerfile
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
@@ -23,7 +23,7 @@ jobs:
           fetch-depth: 0
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.35.0
         with:
           scan-type: 'fs'
           ignore-unfixed: true
@@ -41,20 +41,20 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Run Trivy vulnerability scanner (Docker Hub)
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.35.0
         with:
           image-ref: 'appleboy/gorush:latest'
           format: 'sarif'
           output: 'trivy-dockerhub-results.sarif'
 
       - name: Upload Trivy scan results to GitHub Security tab (Docker Hub)
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: 'trivy-dockerhub-results.sarif'
 
       - name: Run Trivy vulnerability scanner (Docker Hub Table format)
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.35.0
         with:
           image-ref: 'appleboy/gorush:latest'
           format: 'table'
@@ -73,20 +73,20 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Run Trivy vulnerability scanner (GHCR)
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.35.0
         with:
           image-ref: 'ghcr.io/appleboy/gorush:latest'
           format: 'sarif'
           output: 'trivy-ghcr-results.sarif'
 
       - name: Upload Trivy scan results to GitHub Security tab (GHCR)
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: 'trivy-ghcr-results.sarif'
 
       - name: Run Trivy vulnerability scanner (GHCR Table format)
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.35.0
         with:
           image-ref: 'ghcr.io/appleboy/gorush:latest'
           format: 'table'
