From 5d463f78a2b1fcd2c98a85ec97d7c40c83769634 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 20 Feb 2026 09:31:29 +0000
Subject: [PATCH 1/2] [#patch](deps): Bump the actions-deps group with 2 updates
Bumps the actions-deps group with 2 updates: [docker/build-push-action](https://github.com/docker/build-push-action) and [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action).
Updates `docker/build-push-action` from 6.18.0 to 6.19.2
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/263435318d21b8e681c14492fe198d362a7d2c83...10e90e3645eae34f1e60eeb005ba3a3d33f178e8)
Updates `aquasecurity/trivy-action` from 0.33.1 to 0.34.0
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](https://github.com/aquasecurity/trivy-action/compare/b6643a29fecd7f34b3597bc6acb0a98b03d33ff8...c1824fd6edce30d7ab345a9989de00bbd46ef284)
---
updated-dependencies:
- dependency-name: docker/build-push-action dependency-version: 6.19.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-deps
- dependency-name: aquasecurity/trivy-action dependency-version: 0.34.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-deps
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/docker-build-and-push.yml | 8 ++++----
 .github/workflows/terraform-ci.yml | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
index dff3b70..9df6680 100644
--- a/.github/workflows/docker-build-and-push.yml
+++ b/.github/workflows/docker-build-and-push.yml
@@ -140,7 +140,7 @@ jobs:
 - name: Build and push
 id: build
 if: inputs.push
- uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 with:
 annotations: ${{ steps.metadata.outputs.annotations }}
 cache-from: type=gha
@@ -155,7 +155,7 @@ jobs:
 - name: Build push locally
 id: build-local
 if: ${{ !inputs.push }}
- uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 with:
 cache-from: type=gha
 cache-to: type=gha,mode=max
@@ -186,7 +186,7 @@ jobs:
 push-to-registry: true
 create-storage-record: ${{ startsWith(inputs.registry, 'ghcr.io') }}
 - name: Run Trivy Scan
- uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+ uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
 if: inputs.scan-image
 with:
 format: sarif
@@ -197,7 +197,7 @@ jobs:
 output: ${{ inputs.working-directory }}/trivy_results.sarif
 github-pat: ${{ secrets.GITHUB_TOKEN }}
 - name: Generate SBOM
- uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+ uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
 if: inputs.push
 with:
 format: spdx-json
diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml
index 5cbb4c7..787a8a7 100644
--- a/.github/workflows/terraform-ci.yml
+++ b/.github/workflows/terraform-ci.yml
@@ -101,7 +101,7 @@ jobs:
 filter_mode: nofilter
 - name: Run Trivy Scan
- uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+ uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
 with:
 hide-progress: true
 format: sarif
From 69c1424aefeee2166700edc0b731ba305859519c Mon Sep 17 00:00:00 2001
From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com>
Date: Fri, 20 Feb 2026 11:10:57 +0100
Subject: [PATCH 2/2] fix: shellcheck
---
 .github/workflows/clean-branch-cache.yml | 6 +++---
 .github/workflows/docker-build-and-push.yml | 10 ++++++----
 .github/workflows/terraform-ci.yml | 8 +++++---
 3 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/clean-branch-cache.yml b/.github/workflows/clean-branch-cache.yml
index 0d8b3a0..b36af0c 100644
--- a/.github/workflows/clean-branch-cache.yml
+++ b/.github/workflows/clean-branch-cache.yml
@@ -32,10 +32,10 @@ jobs:
 ## Setting this to not fail the workflow while deleting cache keys.
 set +e
 echo "Deleting caches..."
- for cacheKey in $cacheKeysForPR
- do
+ while IFS= read -r cacheKey; do
+ [ -z "$cacheKey" ] && continue
 gh cache delete "$cacheKey"
- done
+ done <<< "$cacheKeysForPR"
 echo "Done"
 env:
 GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
index 9df6680..9cacf45 100644
--- a/.github/workflows/docker-build-and-push.yml
+++ b/.github/workflows/docker-build-and-push.yml
@@ -173,10 +173,12 @@ jobs:
 IMAGE_REF: ${{ inputs.push && format('{0}/{1}@{2}', inputs.registry, inputs.image, steps.build.outputs.digest) || '' }}
 LOCAL_IMAGE_REF: ${{ !inputs.push && format('localimage:{0}', github.sha) || '' }}
 run: |
- echo "image_name=${IMAGE_NAME}" >> "${GITHUB_OUTPUT}"
- echo "image_digest=${IMAGE_DIGEST}" >> "${GITHUB_OUTPUT}"
- echo "image_ref=${IMAGE_REF}" >> "${GITHUB_OUTPUT}"
- echo "local_image_ref=${LOCAL_IMAGE_REF}" >> "${GITHUB_OUTPUT}"
+ {
+ echo "image_name=${IMAGE_NAME}"
+ echo "image_digest=${IMAGE_DIGEST}"
+ echo "image_ref=${IMAGE_REF}"
+ echo "local_image_ref=${LOCAL_IMAGE_REF}"
+ } >> "${GITHUB_OUTPUT}"
 - name: Generate artifact attestation
 if: inputs.push
 uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
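Review bot: The new `while IFS= read -r cacheKey` loop in clean-branch-cache.yml splits `$cacheKeysForPR` on newlines only, whereas the removed `for` loop split on any whitespace. The assignment of `cacheKeysForPR` is outside this hunk, so this is inferred: if it ever yields several keys separated by spaces on one line, the loop would issue a single `gh cache delete` with the whole string as one key, and the `set +e` above would keep that failure out of the job status. A comment above the loop would record the assumption, e.g. `# cacheKeysForPR holds one cache key per line (newline-separated)`. The enclosing `run:` script starts before the hunk.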
diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index 787a8a7..0d2b13f 100644 --- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml @@ -175,9 +175,11 @@ jobs: id: plan run: | terraform plan -no-color -input=false | tee plan.txt - echo "plan<> $GITHUB_OUTPUT - cat plan.txt >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT + { + echo "plan<> "$GITHUB_OUTPUT" continue-on-error: true - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 if: github.event_name == 'pull_request'
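Review bot: The multiline `plan` output is still closed by the fixed delimiter `EOF` (visible on the removed lines; the added block is partly lost in this rendering but appears to keep it), so a line in `plan.txt` consisting only of `EOF` would end the value early and the lines after it would be parsed as further step outputs. The following step is gated on `pull_request`, which suggests the plan text can be shaped by the proposed Terraform code, so it should not be relied on to avoid that line. Use a per-run random delimiter inside the grouped block: `delim="$(openssl rand -hex 16)"`, then `echo "plan<<${delim}"` and `echo "${delim}"` in place of the two `EOF` lines. How the later github-script step consumes the output is outside this hunk.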