Merge branch 'main' into renovate/all-go-dependencies

Author: akiioto

.github/actions/checkout/action.yml

@@ -14,15 +14,15 @@ runs:
       # Checkout code from the PR merge commit
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           ref: "refs/pull/${{ github.event.number }}/merge"
           fetch-depth: ${{ inputs.fetch-depth }}
         if: ${{ github.event_name == 'pull_request_target' || github.event_name == 'pull_request' }}
 
       # Checkout code from the merge group branch
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: ${{ inputs.fetch-depth }}
         if: ${{ github.event_name != 'pull_request_target' && github.event_name != 'pull_request' }}

.github/actions/expose-jwt-action/install/action.yml

@@ -3,7 +3,7 @@ description: 'Install Node.js 20 and @actions/core'
 runs:
   using: "composite"
   steps:
-    - uses: actions/setup-node@v5
+    - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
       with:
         node-version: 22
     - run: |

.github/actions/image-builder/action.yml

@@ -48,6 +48,10 @@ inputs:
     default: |
       linux/arm64
       linux/amd64
+  target:
+    description: Specify which build stage in the Dockerfile to use as the target
+    required: false
+    default: ""
 
 outputs:
   adoResult:
@@ -98,8 +102,8 @@ runs:
         echo "platforms=$result" >> $GITHUB_OUTPUT
       id: prepare-platforms
       shell: bash
-    
-    - uses: docker://europe-docker.pkg.dev/kyma-project/prod/image-builder:v20250924-935a21c6
+
+    - uses: docker://europe-docker.pkg.dev/kyma-project/prod/image-builder:v20251003-b9305fe9
       id: build
       with:
-        args: --name=${{ inputs.image-name }} --context=${{ inputs.context }} --dockerfile=${{ inputs.dockerfile }} --azure-access-token=${{ inputs.ado-token }} --oidc-token=${{ inputs.oidc-token }} ${{ steps.prepare-build-args.outputs.build-args }} ${{ steps.prepare-tags.outputs.tags }} ${{ steps.prepare-platforms.outputs.platforms }} --export-tags=${{ inputs.export-tags }} --config=${{ inputs.config }} --use-go-internal-sap-modules=${{ inputs.use-go-internal-sap-modules }}
+        args: --name=${{ inputs.image-name }} --context=${{ inputs.context }} --dockerfile=${{ inputs.dockerfile }} --target=${{ inputs.target }} --azure-access-token=${{ inputs.ado-token }} --oidc-token=${{ inputs.oidc-token }} ${{ steps.prepare-build-args.outputs.build-args }} ${{ steps.prepare-tags.outputs.tags }} ${{ steps.prepare-platforms.outputs.platforms }} --export-tags=${{ inputs.export-tags }} --config=${{ inputs.config }} --use-go-internal-sap-modules=${{ inputs.use-go-internal-sap-modules }}

.github/workflows/all-checks-passed.yml

@@ -20,7 +20,7 @@ jobs:
       checks: read
       contents: read
     steps:
-      - uses: wechuli/allcheckspassed@e22f45a4f25f4cf821d1273705ac233355400db1
+      - uses: wechuli/allcheckspassed@5b5009ffd707b7c6759574c984bb666034b441eb # v2.0.0
         with:
           delay: '3'
           retries: '30'

.github/workflows/auto-author-assign.yml

@@ -11,4 +11,4 @@ jobs:
   assign-author:
     runs-on: ubuntu-latest
     steps:
-      - uses: toshimaru/auto-author-assign@v2.1.1
+      - uses: toshimaru/auto-author-assign@16f0022cf3d7970c106d8d1105f75a1165edb516 # v2.1.1

.github/workflows/autobump-docs-index-md.yml

@@ -22,7 +22,7 @@ jobs:
       cancel-in-progress: false
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Setup git config
         run: |
@@ -35,14 +35,14 @@ jobs:
 
       - name: Authenticate in GCP
         id: 'auth'
-        uses: 'google-github-actions/auth@v3'
+        uses: 'google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093' # v3
         with:
           project_id: ${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}
           workload_identity_provider: ${{ vars.GH_COM_KYMA_PROJECT_GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER }}
 
       - name: Get kyma bot token from Secret Manager
         id: 'secrets'
-        uses: 'google-github-actions/get-secretmanager-secrets@v3'
+        uses: 'google-github-actions/get-secretmanager-secrets@bc9c54b29fdffb8a47776820a7d26e77b379d262' # v3
         with:
           secrets: |-
             kyma-autobump-token:${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}/${{ vars.KYMA_AUTOBUMP_BOT_GITHUB_SECRET_NAME }}
@@ -59,6 +59,6 @@ jobs:
             --workdir /github/test-infra \
             --privileged \
             --cap-drop ALL \
-            europe-docker.pkg.dev/kyma-project/prod/markdown-index:v20250924-935a21c6 \
+            europe-docker.pkg.dev/kyma-project/prod/markdown-index:v20250929-51244ae0 \
             --config=${{ env.AUTOBUMP_CONFIG_PATH }} \
             --labels-override=kind/chore,area/documentation

.github/workflows/autobump-security-config.yaml

@@ -33,7 +33,7 @@ jobs:
       cancel-in-progress: false
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         # Setup git config with commiter data from config
         # Prevent silent passing github token
         # see https://stackoverflow.com/a/69979203/23148781
@@ -47,14 +47,14 @@ jobs:
           git config --unset-all http.https://github.com/.extraheader
       - name: Authenticate in GCP
         id: 'auth'
-        uses: 'google-github-actions/auth@v3'
+        uses: 'google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093' # v3
         with:
           project_id: ${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}
           workload_identity_provider: ${{ vars.GH_COM_KYMA_PROJECT_GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER }}
 
       - name: Get kyma bot token from Secret Manager
         id: 'secrets'
-        uses: 'google-github-actions/get-secretmanager-secrets@v3'
+        uses: 'google-github-actions/get-secretmanager-secrets@bc9c54b29fdffb8a47776820a7d26e77b379d262' # v3
         with:
           secrets: |-
             kyma-autobump-token:${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}/${{ vars.KYMA_AUTOBUMP_BOT_GITHUB_SECRET_NAME }}
@@ -72,7 +72,7 @@ jobs:
             --rm \
             --privileged \
             --cap-drop ALL \
-            europe-docker.pkg.dev/kyma-project/prod/image-detector:v20250924-935a21c6 \
+            europe-docker.pkg.dev/kyma-project/prod/image-detector:v20250929-51244ae0 \
             --terraform-dir=${{ env.TERRAFORM_CONFIGS_DIR }} \
             --sec-scanner-config=${{ env.SEC_SCANNERS_CONFIG_PATH }} \
             --autobump-config=${{ env.AUTOBUMP_CONFIG_PATH }}

.github/workflows/build-markdown-index.yml

@@ -16,3 +16,4 @@ jobs:
       context: .
       platforms: |
         linux/amd64
+      target: runtime

.github/workflows/code-checks-python.yml

@@ -57,7 +57,7 @@ jobs:
         uses: kyma-project/test-infra/.github/actions/checkout@main
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
 
       - name: Set up python venv
         run: |
@@ -94,7 +94,7 @@ jobs:
         uses: kyma-project/test-infra/.github/actions/checkout@main
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
 
       - name: Set up venv
         run: |

.github/workflows/image-builder.yml

@@ -47,6 +47,12 @@ on:
         default: |
           linux/arm64
           linux/amd64
+      target:
+        description: Specify which build stage in the Dockerfile to use as the target
+        required: false
+        type: string
+        default: ""
+
     outputs:
       images:
         description: JSON list of images built by image-builder
@@ -79,7 +85,7 @@ jobs:
           exit 1
 
       - name: Checkout test-infra repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           repository: kyma-project/test-infra
           ref: main
@@ -95,14 +101,14 @@ jobs:
 
       - name: Authenticate in GCP
         id: "auth"
-        uses: "google-github-actions/auth@v3"
+        uses: "google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093" # v3
         with:
           project_id: ${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}
           workload_identity_provider: ${{ vars.GH_COM_KYMA_PROJECT_GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER }}
 
       - name: Get ADO PAT from Secret Manager
         id: "secrets"
-        uses: "google-github-actions/get-secretmanager-secrets@v3"
+        uses: "google-github-actions/get-secretmanager-secrets@bc9c54b29fdffb8a47776820a7d26e77b379d262" # v3
         with:
           secrets: |-
             ado-pat:${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}/${{ vars.IMAGE_BUILDER_ADO_PAT_GCP_SECRET_NAME }}
@@ -122,6 +128,7 @@ jobs:
           config: "./configs/image-builder-client-config.yaml"
           use-go-internal-sap-modules: ${{ inputs.use-go-internal-sap-modules }}
           platforms: ${{ inputs.platforms }}
+          target: ${{ inputs.target }}
 
       - name: Print built images
         run: |