From e745f92bc55e812300a19eb4d49f90897c2bb747 Mon Sep 17 00:00:00 2001
From: Vault Automation <github-team-secure-vault-core@hashicorp.com>
Date: Thu, 22 Jan 2026 12:38:08 -0800
Subject: [PATCH] actions: pin to latest actions (#11818) (#11909)

- actions/cache -> v5.0.2: A bugfix around not retrying cache entries on
  429s.
- actions/setup-go -> v6.2.0: NodeJS bump and internal actions/cache
  bump. We don't use the caching in setup-go so this ought to have no
  impact for us.
- actions/setup-node -> v6.2.0: internal bump of actions/cache.
- pnpm/action-setup -> v4.2.0: Adds support for .npmrc file.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
---
 .github/actions/build-vault/action.yml           | 2 +-
 .github/actions/create-dynamic-config/action.yml | 2 +-
 .github/actions/install-tools/action.yml         | 2 +-
 .github/actions/set-up-go/action.yml             | 4 ++--
 .github/actions/set-up-pipeline/action.yml       | 2 +-
 .github/workflows/build.yml                      | 6 +++---
 .github/workflows/ci.yml                         | 4 ++--
 .github/workflows/plugin-update-check.yml        | 2 +-
 .github/workflows/security-scan.yml              | 2 +-
 .github/workflows/test-enos-scenario-ui.yml      | 4 ++--
 .github/workflows/test-go.yml                    | 4 ++--
 .github/workflows/test-run-enos-scenario.yml     | 4 ++--
 12 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/.github/actions/build-vault/action.yml b/.github/actions/build-vault/action.yml
index 25efd006e2..7184931297 100644
--- a/.github/actions/build-vault/action.yml
+++ b/.github/actions/build-vault/action.yml
@@ -69,7 +69,7 @@ runs:
       shell: bash
       run: git config --global url."https://${{ inputs.github-token }}:@github.com".insteadOf "https://github.com"
     - name: Restore UI from cache
-      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+      uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
       with:
         # Restore the UI asset from the UI build workflow. Never use a partial restore key.
         enableCrossOsArchive: true
diff --git a/.github/actions/create-dynamic-config/action.yml b/.github/actions/create-dynamic-config/action.yml
index 4daa8345b0..7c71a915f1 100644
--- a/.github/actions/create-dynamic-config/action.yml
+++ b/.github/actions/create-dynamic-config/action.yml
@@ -39,7 +39,7 @@ runs:
         } | tee -a "$GITHUB_ENV"
     - name: Try to restore dynamic config from cache
       id: dyn-cfg-cache
-      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+      uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
       with:
         path: ${{ env.DYNAMIC_CONFIG_PATH }}
         key: dyn-cfg-${{ env.DYNAMIC_CONFIG_KEY }}
diff --git a/.github/actions/install-tools/action.yml b/.github/actions/install-tools/action.yml
index f43b274113..0b786060a7 100644
--- a/.github/actions/install-tools/action.yml
+++ b/.github/actions/install-tools/action.yml
@@ -69,7 +69,7 @@ runs:
           echo "VAULT_TOOLS_CACHE_KEY=${cache_key}"
         } | tee -a "$GITHUB_ENV"
     - id: cache-tools
-      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+      uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
       with:
         lookup-only: ${{ inputs.no-restore }}
         path: ${{ env.VAULT_TOOLS_PATH }}
diff --git a/.github/actions/set-up-go/action.yml b/.github/actions/set-up-go/action.yml
index cb4a2eec11..f0d2be66a6 100644
--- a/.github/actions/set-up-go/action.yml
+++ b/.github/actions/set-up-go/action.yml
@@ -40,7 +40,7 @@ runs:
         else
           echo "go-version=${{ inputs.go-version }}" | tee -a "$GITHUB_OUTPUT"
         fi
-    - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+    - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
       with:
         go-version: ${{ steps.go-version.outputs.go-version }}
         cache: false # We use our own caching strategy
@@ -63,7 +63,7 @@ runs:
           echo "cache-key=go-modules-${wd_hash}-${{ hashFiles('**/go.sum') }}"
         } | tee -a "$GITHUB_OUTPUT"
     - id: cache-modules
-      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+      uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
       with:
         enableCrossOsArchive: true
         lookup-only: ${{ inputs.no-restore }}
diff --git a/.github/actions/set-up-pipeline/action.yml b/.github/actions/set-up-pipeline/action.yml
index c81333a3f3..9ece8f1f61 100644
--- a/.github/actions/set-up-pipeline/action.yml
+++ b/.github/actions/set-up-pipeline/action.yml
@@ -33,7 +33,7 @@ runs:
         } | tee -a "$GITHUB_ENV"
     - name: Try to restore pipeline from cache
       id: pipeline-cache
-      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+      uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
       with:
         path: ${{ env.PIPELINE_PATH }}
         key: pipeline-${{ env.PIPELINE_HASH }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8e672e0318..10915c3e9f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -303,7 +303,7 @@ jobs:
         run: echo "ui-hash=$(git ls-tree HEAD ui --object-only)" | tee -a "$GITHUB_OUTPUT"
       - name: Set up UI asset cache
         id: cache-ui-assets
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
         with:
           enableCrossOsArchive: true
           lookup-only: true
@@ -313,13 +313,13 @@ jobs:
           key: ui-${{ steps.ui-hash.outputs.ui-hash }}
       - if: steps.cache-ui-assets.outputs.cache-hit != 'true'
         name: Install PNPM
-        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
         with:
           run_install: false
           package_json_file: './ui/package.json'
       - if: steps.cache-ui-assets.outputs.cache-hit != 'true'
         name: Set up node and pnpm
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version-file: ui/package.json
           cache: pnpm
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 760eed2feb..4877b83d88 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -272,13 +272,13 @@ jobs:
         with:
           github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
       - name: Install PNPM
-        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
         with:
           run_install: false
           package_json_file: './ui/package.json'
 
       # Setup node.js with caching using the pnpm-lock.yaml file
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version-file: './ui/package.json'
           cache: pnpm
diff --git a/.github/workflows/plugin-update-check.yml b/.github/workflows/plugin-update-check.yml
index 89d409ab5e..2f589ecb32 100644
--- a/.github/workflows/plugin-update-check.yml
+++ b/.github/workflows/plugin-update-check.yml
@@ -29,7 +29,7 @@ jobs:
           # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
           token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
 
-      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
           go-version-file: .go-version
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 34ece8b62d..46c5f9f173 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -27,7 +27,7 @@ jobs:
     - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
     - name: Set up Go
-      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
       with:
         cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
         go-version: 'stable'
diff --git a/.github/workflows/test-enos-scenario-ui.yml b/.github/workflows/test-enos-scenario-ui.yml
index 5bd63d7a50..b96f41516d 100644
--- a/.github/workflows/test-enos-scenario-ui.yml
+++ b/.github/workflows/test-enos-scenario-ui.yml
@@ -88,13 +88,13 @@ jobs:
       - name: Set Up Git
         run: git config --global url."https://${{ secrets.elevated_github_token }}:@github.com".insteadOf "https://github.com"
       - name: Set Up Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version-file: './ui/package.json'
           cache: pnpm
           cache-dependency-path: ui/pnpm-lock.yaml
       - name: Install PNPM
-        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
         with:
           package_json_file: './ui/package.json'
       - name: Set Up Terraform
diff --git a/.github/workflows/test-go.yml b/.github/workflows/test-go.yml
index d4b64206db..9fd71e0942 100644
--- a/.github/workflows/test-go.yml
+++ b/.github/workflows/test-go.yml
@@ -145,7 +145,7 @@ jobs:
       - uses: ./.github/actions/install-tools # for gotestsum
       - run: mkdir -p ${{ steps.local-metadata.outputs.go-test-dir }}
       - if: inputs.test-timing-cache-restore || inputs.test-timing-cache-save
-        uses: actions/cache/restore@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
         with:
           path: ${{ steps.local-metadata.outputs.go-test-dir }}
           key: ${{ inputs.test-timing-cache-key }}-${{ github.run_number }}
@@ -647,7 +647,7 @@ jobs:
           } | tee -a "$GITHUB_OUTPUT"
       # Aggregate, prune, and cache our timing data
       - if: ${{ ! cancelled() && needs.test-go.result == 'success' && inputs.test-timing-cache-save }}
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
         with:
           path: ${{ needs.test-matrix.outputs.go-test-dir }}
           key: ${{ inputs.test-timing-cache-key }}-${{ github.run_number }}
diff --git a/.github/workflows/test-run-enos-scenario.yml b/.github/workflows/test-run-enos-scenario.yml
index 1d09418bd4..f84f5746df 100644
--- a/.github/workflows/test-run-enos-scenario.yml
+++ b/.github/workflows/test-run-enos-scenario.yml
@@ -67,14 +67,14 @@ jobs:
       - name: Configure Git
         run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
       - name: Set up node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version-file: './ui/package.json'
           cache: pnpm
           cache-dependency-path: ui/pnpm-lock.yaml
 
       - name: Install PNPM
-        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
         with:
           package_json_file: './ui/package.json'
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2