[pull] main from openwallet-foundation:main

.github/workflows/codeql.yml

@@ -24,9 +24,9 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+        uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
         with:
           languages: python
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+        uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0

.github/workflows/publish.yml

@@ -52,7 +52,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
         with:
           cache-binary: false
           install: true
@@ -107,7 +107,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
         with:
           cache-binary: false
           install: true

.github/workflows/scorecard.yml

@@ -40,7 +40,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
         with:
           results_file: results.sarif
           results_format: sarif
@@ -71,6 +71,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
         with:
           sarif_file: results.sarif

.github/workflows/snyk-lts.yml

@@ -52,6 +52,6 @@ jobs:
         sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
 
     - name: Upload result to GitHub Code Scanning
-      uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+      uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
       with:
         sarif_file: snyk.sarif

.github/workflows/snyk.yml

@@ -45,6 +45,6 @@ jobs:
         sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
 
     - name: Upload result to GitHub Code Scanning
-      uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+      uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
       with:
         sarif_file: snyk.sarif

.github/workflows/sonar-merge-main.yml

@@ -24,7 +24,7 @@ jobs:
             os: "ubuntu-latest"
             is_pr: "false" 
       - name: SonarCloud Scan
-        uses: SonarSource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 # master
+        uses: SonarSource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # master
         env:
             GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
             SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/sonar-pr.yml

@@ -20,7 +20,7 @@ jobs:
         with:
             fetch-depth: 0
       - name: Download PR number artifact
-        uses: dawidd6/action-download-artifact@07ab29fd4a977ae4d2b275087cf67563dfdf0295 # v9
+        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
         with:
           workflow: Tests
           run_id: ${{ github.event.workflow_run.id }}
@@ -31,7 +31,7 @@ jobs:
         with:
           path: ./PR_NUMBER
       - name: Download Test Coverage
-        uses: dawidd6/action-download-artifact@07ab29fd4a977ae4d2b275087cf67563dfdf0295 # v9
+        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5 # v11
         with:
           workflow: Tests
           run_id: ${{ github.event.workflow_run.id }}
@@ -57,7 +57,7 @@ jobs:
 
           git checkout -B temp-branch-for-scanning upstream/${{ fromJson(steps.get_pr_data.outputs.data).head.ref }}
       - name: SonarCloud Scan
-        uses: SonarSource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 # master
+        uses: SonarSource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # master
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/tag-recreate-lts.yml

@@ -0,0 +1,86 @@
+# This Action will run when a release is published from the LTS branches 
+# and create new LTS tag, release and publish the image in GHCR
+
+name: Tag and Recreate LTS Release
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  recreate-lts-release:
+    # This job is disabled by default for main, should be enabled for LTS branches and tags.
+    # To enable it, you can set the condition in the `if` statement below.
+    # The condition should check if the release tag starts with the LTS version prefix.
+    # For example, if your LTS versions are prefixed with '1.2.', you can use:
+    #   if: startsWith(github.event.release.tag_name, '1.2.')
+    # This will ensure that the job only runs for releases that are tagged with LTS versions.
+    if: false 
+    name: Recreate LTS Release
+    runs-on: ubuntu-latest
+    outputs:
+      lts_tag: ${{ steps.vars.outputs.LTS_TAG }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Git identity
+        run: |
+          git config user.name "github-actions"
+          git config user.email "[email protected]"
+
+      - name: Determine LTS tag and update
+        id: vars
+        env:
+          BRANCH_REF: ${{ github.event.release.target_commitish }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+          RELEASE_BODY: ${{ github.event.release.body }}
+        run: |
+          echo "Release published from branch: $BRANCH_REF"
+
+          # Creating a LTS tag from the branch name
+          SHORT_TAG=$(echo "$RELEASE_TAG" | cut -d. -f1,2)
+          LTS_TAG="${SHORT_TAG}-lts"
+          echo "LTS_TAG=$LTS_TAG" >> "$GITHUB_OUTPUT"
+
+          # Force update the tag to the current commit
+          git tag -f "$LTS_TAG" $GITHUB_SHA
+          git push origin -f "$LTS_TAG" 
+
+          # Write release notes into env (for multiline input)
+          echo "RELEASE_BODY<<EOF" >> "$GITHUB_ENV"
+          echo "${RELEASE_BODY}" >> "$GITHUB_ENV"
+          echo "EOF" >> "$GITHUB_ENV"
+
+      - name: Delete existing LTS release (if any)
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LTS_TAG: ${{ steps.vars.outputs.LTS_TAG }}
+        run: |
+          echo "Trying to delete existing release for $LTS_TAG"
+          gh release delete "$LTS_TAG" -y
+
+      - name: Create fresh LTS release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LTS_TAG: ${{ steps.vars.outputs.LTS_TAG }}
+          RELEASE_BODY: ${{ env.RELEASE_BODY }}
+        run: |
+          echo "Creating new GitHub release for $LTS_TAG"
+          gh release create "$LTS_TAG" --title "$LTS_TAG" --notes "$RELEASE_BODY"
+
+  call-publish-image:
+    name: Publish LTS Image in GHCR
+    needs: recreate-lts-release
+    uses: ./.github/workflows/publish.yml
+    with:
+      tag: ${{ needs.recreate-lts-release.outputs.lts_tag }}
+      ref: ${{ github.event.release.tag_name }}