notdodo · notdodo · Feb 20, 2026 · Feb 20, 2026 · Feb 20, 2026
@@ -32,10 +32,10 @@ jobs:
           ## Setting this to not fail the workflow while deleting cache keys.
           set +e
           echo "Deleting caches..."
-          for cacheKey in $cacheKeysForPR
-          do
+          while IFS= read -r cacheKey; do
+              [ -z "$cacheKey" ] && continue
               gh cache delete "$cacheKey"
-          done
+          done <<< "$cacheKeysForPR"
           echo "Done"
         env:
           GH_TOKEN: ${{ github.token }}

@@ -140,7 +140,7 @@ jobs:
       - name: Build and push
         id: build
         if: inputs.push
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           annotations: ${{ steps.metadata.outputs.annotations }}
           cache-from: type=gha
@@ -155,7 +155,7 @@ jobs:
       - name: Build push locally
         id: build-local
         if: ${{ !inputs.push }}
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           cache-from: type=gha
           cache-to: type=gha,mode=max
@@ -173,10 +173,12 @@ jobs:
           IMAGE_REF: ${{ inputs.push && format('{0}/{1}@{2}', inputs.registry, inputs.image, steps.build.outputs.digest) || '' }}
           LOCAL_IMAGE_REF: ${{ !inputs.push && format('localimage:{0}', github.sha) || '' }}
         run: |
-          echo "image_name=${IMAGE_NAME}" >> "${GITHUB_OUTPUT}"
-          echo "image_digest=${IMAGE_DIGEST}" >> "${GITHUB_OUTPUT}"
-          echo "image_ref=${IMAGE_REF}" >> "${GITHUB_OUTPUT}"
-          echo "local_image_ref=${LOCAL_IMAGE_REF}" >> "${GITHUB_OUTPUT}"
+          {
+            echo "image_name=${IMAGE_NAME}"
+            echo "image_digest=${IMAGE_DIGEST}"
+            echo "image_ref=${IMAGE_REF}"
+            echo "local_image_ref=${LOCAL_IMAGE_REF}"
+          } >> "${GITHUB_OUTPUT}"
       - name: Generate artifact attestation
         if: inputs.push
         uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
@@ -186,7 +188,7 @@ jobs:
           push-to-registry: true
           create-storage-record: ${{ startsWith(inputs.registry, 'ghcr.io') }}
       - name: Run Trivy Scan
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
         if: inputs.scan-image
         with:
           format: sarif
@@ -197,7 +199,7 @@ jobs:
           output: ${{ inputs.working-directory }}/trivy_results.sarif
           github-pat: ${{ secrets.GITHUB_TOKEN }}
       - name: Generate SBOM
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
         if: inputs.push
         with:
           format: spdx-json

@@ -101,7 +101,7 @@ jobs:
           filter_mode: nofilter
 
       - name: Run Trivy Scan
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
         with:
           hide-progress: true
           format: sarif
@@ -175,9 +175,11 @@ jobs:
         id: plan
         run: |
           terraform plan -no-color -input=false | tee plan.txt
-          echo "plan<<EOF" >> $GITHUB_OUTPUT
-          cat plan.txt >> $GITHUB_OUTPUT
-          echo "EOF" >> $GITHUB_OUTPUT
+          {
+            echo "plan<<EOF"
+            cat plan.txt
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
         continue-on-error: true
       - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         if: github.event_name == 'pull_request'