Sync with fixes in master

.github/workflows/first-interaction.yaml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/first-interaction@v3
+      - uses: actions/first-interaction@v3.1.0
         with:
           repo_token: ${{ secrets.PAT_SECRET }}
           issue_message: |-

.github/workflows/release.yaml

@@ -92,7 +92,7 @@ jobs:
           - 5672:5672
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
         with:
           ref: ${{ inputs.revision == '0-SNAPSHOT' && github.ref || inputs.revision }}
 
@@ -109,7 +109,7 @@ jobs:
           gpg-passphrase: MAVEN_GPG_PASSPHRASE
 
       - name: Cache local Maven repository
-        uses: actions/cache@v5
+        uses: actions/cache@v5.0.4
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}

.github/workflows/release_docker.yaml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
 
       - name: "Release ${{ inputs.revision }}"
         run: echo "Releasing ${{ inputs.revision }}"
@@ -57,7 +57,7 @@ jobs:
           done
 
       - name: Log into Docker Hub
-        uses: docker/login-action@v4
+        uses: docker/login-action@v4.1.0
         with:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/reusable_workflow_license-scan.yaml

@@ -24,19 +24,19 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
         with:
           ref: ${{ inputs.ref }}
 
       - name: Set up JDK & Maven Central credentials
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@v5.2.0
         with:
           distribution: 'temurin'
           java-version: 21
           cache: 'maven'
 
       - name: Cache local Maven repository
-        uses: actions/cache@v5
+        uses: actions/cache@v5.0.4
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}

.github/workflows/reusable_workflow_tag.yaml

@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
 
       # should work with actions/checkout@v6 with fetch-tags: true, BUT it doesn't work as expected!
       # See https://github.com/actions/checkout/issues/1471.

.github/workflows/reusable_workflow_trivy-scan.yaml

@@ -23,12 +23,12 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.2
         with:
           ref: ${{ inputs.ref }}
 
       - name: Set up JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@v5.2.0
         with:
           distribution: "temurin"
           java-version: 21
@@ -42,61 +42,110 @@ jobs:
           ./build_dev.sh && \
           cd ../../..
 
-      - name: Determine most recent Trivy version
-        run: |
-          echo "TRIVY_VERSION=$(wget -qO - 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' | \
-            grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\1/')" >> $GITHUB_ENV
+      - name: Create scan output directory
+        run: mkdir -p scans
 
-      - name: Install Trivy
-        run: |
-          wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz -O - | tar -zxvf -
+      - name: Scan hawkbit-ddi-server
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: 'hawkbit/hawkbit-ddi-server:latest'
+          ignore-unfixed: true
+          trivyignores: .github/workflows/.trivyignore
+          severity: 'HIGH,CRITICAL'
+          vuln-type: 'library'
+          format: 'sarif'
+          output: 'scans/hawkbit-ddi-server.sarif'
 
-      - name: Scan Docker images
-        run: |
-          mkdir -p scans/eclipse-hawkbit/hawkbit
-          for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit/hawkbit-*:latest"); do
-            echo "Scanning image ${IMAGE} ..."
-            ./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse-hawkbit/${IMAGE}.sarif" --format sarif
-          done
+      - name: Scan hawkbit-dmf-server
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: 'hawkbit/hawkbit-dmf-server:latest'
+          ignore-unfixed: true
+          trivyignores: .github/workflows/.trivyignore
+          severity: 'HIGH,CRITICAL'
+          vuln-type: 'library'
+          format: 'sarif'
+          output: 'scans/hawkbit-dmf-server.sarif'
 
-      - name: Check if to upload scan results
-        run: |
-          if [ "${{ inputs.upload }}" = "true" ]; then
-            echo "Uploading scan results..."
-          else
-            echo "Skipping upload of scan results."
-            exit 0
-          fi
+      - name: Scan hawkbit-mgmt-server
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: 'hawkbit/hawkbit-mgmt-server:latest'
+          ignore-unfixed: true
+          trivyignores: .github/workflows/.trivyignore
+          severity: 'HIGH,CRITICAL'
+          vuln-type: 'library'
+          format: 'sarif'
+          output: 'scans/hawkbit-mgmt-server.sarif'
+
+      - name: Scan hawkbit-ui
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: 'hawkbit/hawkbit-ui:latest'
+          ignore-unfixed: true
+          trivyignores: .github/workflows/.trivyignore
+          severity: 'HIGH,CRITICAL'
+          vuln-type: 'library'
+          format: 'sarif'
+          output: 'scans/hawkbit-ui.sarif'
+
+      - name: Scan hawkbit-update-server
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: 'hawkbit/hawkbit-update-server:latest'
+          ignore-unfixed: true
+          trivyignores: .github/workflows/.trivyignore
+          severity: 'HIGH,CRITICAL'
+          vuln-type: 'library'
+          format: 'sarif'
+          output: 'scans/hawkbit-update-server.sarif'
+
+      - name: Scan hawkbit-repository-jpa-init
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: 'hawkbit/hawkbit-repository-jpa-init:latest'
+          ignore-unfixed: true
+          trivyignores: .github/workflows/.trivyignore
+          severity: 'HIGH,CRITICAL'
+          vuln-type: 'library'
+          format: 'sarif'
+          output: 'scans/hawkbit-repository-jpa-init.sarif'
 
       - name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server
-        uses: github/codeql-action/upload-sarif@v4
+        if: ${{ inputs.upload }}
+        uses: github/codeql-action/upload-sarif@v4.35.1
         with:
-          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ddi-server:latest.sarif'
+          sarif_file: 'scans/hawkbit-ddi-server.sarif'
           category: "Container Images (hawkbit-ddi-server)"
       - name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server
-        uses: github/codeql-action/upload-sarif@v4
+        if: ${{ inputs.upload }}
+        uses: github/codeql-action/upload-sarif@v4.35.1
         with:
-          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-dmf-server:latest.sarif'
+          sarif_file: 'scans/hawkbit-dmf-server.sarif'
           category: "Container Images (hawkbit-dmf-server)"
       - name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server
-        uses: github/codeql-action/upload-sarif@v4
+        if: ${{ inputs.upload }}
+        uses: github/codeql-action/upload-sarif@v4.35.1
         with:
-          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-mgmt-server:latest.sarif'
+          sarif_file: 'scans/hawkbit-mgmt-server.sarif'
           category: "Container Images (hawkbit-mgmt-server)"
       - name: Upload Docker image scan results to GitHub Security tab hawkbit-ui
-        uses: github/codeql-action/upload-sarif@v4
+        if: ${{ inputs.upload }}
+        uses: github/codeql-action/upload-sarif@v4.35.1
         with:
-          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ui:latest.sarif'
+          sarif_file: 'scans/hawkbit-ui.sarif'
           category: "Container Images (hawkbit-ui)"
 
       - name: Upload Docker image scan results to GitHub Security tab hawkbit-update-server
-        uses: github/codeql-action/upload-sarif@v4
+        if: ${{ inputs.upload }}
+        uses: github/codeql-action/upload-sarif@v4.35.1
         with:
-          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-update-server:latest.sarif'
+          sarif_file: 'scans/hawkbit-update-server.sarif'
           category: "Container Images (hawkbit-update-server)"
 
       - name: Upload Docker image scan results to GitHub Security tab hawkbit-repository-jpa-init
-        uses: github/codeql-action/upload-sarif@v4
+        if: ${{ inputs.upload }}
+        uses: github/codeql-action/upload-sarif@v4.35.1
         with:
-          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif'
+          sarif_file: 'scans/hawkbit-repository-jpa-init.sarif'
           category: "Container Images (hawkbit-repository-jpa-init)"

.github/workflows/reusable_workflow_verify.yaml

@@ -41,20 +41,20 @@ jobs:
           echo "Ref: ${{ inputs.ref }},"
           echo "Maven Properties: ${{ inputs.maven_properties }}"
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
         with:
           repository: ${{ inputs.repository }}
           ref: ${{ inputs.ref }}
 
       - name: Set up JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@v5.2.0
         with:
           distribution: 'temurin'
           java-version: 21
           cache: 'maven'
 
       - name: Cache local Maven repository
-        uses: actions/cache@v5
+        uses: actions/cache@v5.0.4
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}

.github/workflows/stale.yaml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@v10.2.0
         with:
           repo-token: ${{ secrets.PAT_SECRET }}
           # disables automatic marking of issues as stale

.github/workflows/style_check.yaml

@@ -16,13 +16,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v6.0.2
         with:
           repository: ${{ inputs.repository }}
           ref: ${{ inputs.ref }}
 
       - name: Set up JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@v5.2.0
         with:
           distribution: 'temurin'
           java-version: 21

hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/management/JpaRolloutManagement.java

@@ -607,7 +607,7 @@ private int updateTargetAssignedDsWithFirstActiveAction(List<Long> targetIds) {
                         "SET t.assigned_distribution_set = ( " +
                         "SELECT a.distribution_set" +
                         "   FROM sp_action a" +
-                        "   WHERE a.target = t.id AND a.active = 1" +
+                        "   WHERE a.target = t.id AND a.active = TRUE" +
                         "   ORDER BY a.id ASC" +
                         "   LIMIT 1" +
                         ") " +