chore(deps): bump the github-actions group across 1 directory with 17 updates

.github/workflows/benchmark.yaml

@@ -32,7 +32,7 @@ jobs:
           echo "sha=$(git rev-parse HEAD~1)" >> "$GITHUB_OUTPUT"
 
       - name: "Restore benchmark from cache"
-        uses: "actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306" # v5.0.3
+        uses: "actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae" # v5.0.5
         with:
           path: "./cache/benchmark-data.json"
           key: "${{ steps.prev-sha.outputs.sha }}-${{ runner.os }}-go-benchmark"
@@ -43,7 +43,7 @@ jobs:
           go run mage.go benchmark:all | tee bench_output.txt
 
       - name: "Compare benchmark against HEAD~1"
-        uses: "benchmark-action/github-action-benchmark@a7bc2366eda11037936ea57d811a43b3418d3073" # v1.21.0
+        uses: "benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372" # v1.22.0
         with:
           # What benchmark tool the output.txt came from
           tool: "go"
@@ -63,7 +63,7 @@ jobs:
       - name: "Publish to gh-pages. See https://authzed.github.io/spicedb/dev/bench/"
         # Run even if the compare step failed on a regression, so the dashboard reflects reality.
         if: "${{ !cancelled() }}"
-        uses: "benchmark-action/github-action-benchmark@a7bc2366eda11037936ea57d811a43b3418d3073" # v1.21.0
+        uses: "benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372" # v1.22.0
         with:
           # What benchmark tool the output.txt came from
           tool: "go"
@@ -77,15 +77,15 @@ jobs:
       - name: "Save benchmark JSON"
         # Run even if the compare step failed on a regression, so the next run has a baseline.
         if: "${{ !cancelled() }}"
-        uses: "actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306" # v5.0.3
+        uses: "actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae" # v5.0.5
         with:
           path: "./cache/benchmark-data.json"
           # Save with commit hash to avoid "cache already exists"
           key: "${{ github.sha }}-${{ runner.os }}-go-benchmark"
 
       - name: "Notify in Slack if benchmark job failed"
         if: "${{ failure() }}"
-        uses: "slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a" # v2.1.1
+        uses: "slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c" # v3.0.3
         with:
           webhook: "${{ secrets.SLACK_BUILDS_WEBHOOK_URL }}"
           webhook-type: "incoming-webhook"

.github/workflows/build-test.yaml

@@ -27,7 +27,7 @@ jobs:
       protochange: "${{ steps.proto-filter.outputs.protochange }}"
     steps:
       - uses: "actions/checkout@v6"
-      - uses: "dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36" # v3.0.2
+      - uses: "dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d" # v4.0.1
         id: "code-filter"
         with:
           filters: |
@@ -40,7 +40,7 @@ jobs:
               - "pkg/**"
               - "e2e/**"
               - "internal/**"
-      - uses: "dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36" # v3.0.2
+      - uses: "dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d" # v4.0.1
         id: "proto-filter"
         with:
           filters: |
@@ -58,7 +58,7 @@ jobs:
     steps:
       - uses: "actions/checkout@v6"
       - uses: "authzed/actions/setup-go@main"
-      - uses: "docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9" # v3.7.0
+      - uses: "docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121" # v4.1.0
         with:
           username: "${{ env.DOCKERHUB_PUBLIC_USER }}"
           password: "${{ env.DOCKERHUB_PUBLIC_ACCESS_TOKEN }}"
@@ -80,7 +80,7 @@ jobs:
       - name: "Unit tests with coverage"
         run: "go run mage.go test:unitCover"
       - name: "Coverage"
-        uses: "codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de" # v5.5.2
+        uses: "codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2" # v6.0.0
         with:
           files: "./coverage.txt"
           token: "${{ secrets.CODECOV_TOKEN }}"
@@ -108,14 +108,14 @@ jobs:
     steps:
       - uses: "actions/checkout@v6"
       - uses: "authzed/actions/setup-go@main"
-      - uses: "docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9" # v3.7.0
+      - uses: "docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121" # v4.1.0
         with:
           username: "${{ env.DOCKERHUB_PUBLIC_USER }}"
           password: "${{ env.DOCKERHUB_PUBLIC_ACCESS_TOKEN }}"
       - name: "Integration tests with coverage"
         run: "go run mage.go test:integrationCover"
       - name: "Coverage"
-        uses: "codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de" # v5.5.2
+        uses: "codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2" # v6.0.0
         with:
           files: "./coverage.txt"
           token: "${{ secrets.CODECOV_TOKEN }}"
@@ -136,7 +136,7 @@ jobs:
       - uses: "authzed/actions/setup-go@main"
         if: |
           needs.paths-filter.outputs.codechange == 'true'
-      - uses: "docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9" # v3.7.0
+      - uses: "docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121" # v4.1.0
         if: |
           needs.paths-filter.outputs.codechange == 'true'
         with:
@@ -149,7 +149,7 @@ jobs:
       - name: "Coverage"
         if: |
           needs.paths-filter.outputs.codechange == 'true'
-        uses: "codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de" # v5.5.2
+        uses: "codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2" # v6.0.0
         with:
           files: "./coverage.txt"
           token: "${{ secrets.CODECOV_TOKEN }}"
@@ -170,7 +170,7 @@ jobs:
       - uses: "authzed/actions/setup-go@main"
         if: |
           needs.paths-filter.outputs.codechange == 'true'
-      - uses: "docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9" # v3.7.0
+      - uses: "docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121" # v4.1.0
         if: |
           needs.paths-filter.outputs.codechange == 'true'
         with:
@@ -183,7 +183,7 @@ jobs:
       - name: "Coverage"
         if: |
           needs.paths-filter.outputs.codechange == 'true'
-        uses: "codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de" # v5.5.2
+        uses: "codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2" # v6.0.0
         with:
           files: "./coverage.txt"
           token: "${{ secrets.CODECOV_TOKEN }}"
@@ -205,7 +205,7 @@ jobs:
       - uses: "authzed/actions/setup-go@main"
         if: |
           needs.paths-filter.outputs.codechange == 'true'
-      - uses: "docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9" # v3.7.0
+      - uses: "docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121" # v4.1.0
         if: |
           needs.paths-filter.outputs.codechange == 'true'
         with:
@@ -218,7 +218,7 @@ jobs:
       - name: "Coverage"
         if: |
           needs.paths-filter.outputs.codechange == 'true'
-        uses: "codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de" # v5.5.2
+        uses: "codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2" # v6.0.0
         with:
           files: "./coverage.txt"
           token: "${{ secrets.CODECOV_TOKEN }}"
@@ -240,7 +240,7 @@ jobs:
       - uses: "authzed/actions/setup-go@main"
         if: |
           needs.paths-filter.outputs.codechange == 'true'
-      - uses: "docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9" # v3.7.0
+      - uses: "docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121" # v4.1.0
         if: |
           needs.paths-filter.outputs.codechange == 'true'
         with:
@@ -253,7 +253,7 @@ jobs:
       - name: "Coverage"
         if: |
           needs.paths-filter.outputs.codechange == 'true'
-        uses: "codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de" # v5.5.2
+        uses: "codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2" # v6.0.0
         with:
           files: "./coverage.txt"
           token: "${{ secrets.CODECOV_TOKEN }}"
@@ -279,7 +279,7 @@ jobs:
       - uses: "authzed/actions/setup-go@main"
         if: |
           needs.paths-filter.outputs.codechange == 'true'
-      - uses: "docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9" # v3.7.0
+      - uses: "docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121" # v4.1.0
         if: |
           needs.paths-filter.outputs.codechange == 'true'
         with:
@@ -292,7 +292,7 @@ jobs:
       - name: "Coverage"
         if: |
           needs.paths-filter.outputs.codechange == 'true'
-        uses: "codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de" # v5.5.2
+        uses: "codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2" # v6.0.0
         with:
           files: "./coverage.txt"
           token: "${{ secrets.CODECOV_TOKEN }}"
@@ -318,7 +318,7 @@ jobs:
       - uses: "authzed/actions/setup-go@main"
         if: |
           needs.paths-filter.outputs.codechange == 'true'
-      - uses: "docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9" # v3.7.0
+      - uses: "docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121" # v4.1.0
         if: |
           needs.paths-filter.outputs.codechange == 'true'
         with:
@@ -331,7 +331,7 @@ jobs:
       - name: "Coverage"
         if: |
           needs.paths-filter.outputs.codechange == 'true'
-        uses: "codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de" # v5.5.2
+        uses: "codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2" # v6.0.0
         with:
           files: "./coverage.txt"
           token: "${{ secrets.CODECOV_TOKEN }}"
@@ -357,7 +357,7 @@ jobs:
           cache-dependency-path: "e2e/go.sum"
       - name: "Run e2e"
         run: "go run mage.go test:e2e ${{ matrix.crdbversion }}"
-      - uses: "actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f" # v7.0.0
+      - uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" # v7.0.1
         if: "always()"
         # this upload step is really flaky, don't fail the job if it fails
         continue-on-error: true
@@ -415,7 +415,7 @@ jobs:
       - uses: "authzed/actions/setup-go@main"
       - name: "Generate Protos"
         run: "go run mage.go gen:proto"
-      - uses: "chainguard-dev/actions/nodiff@71714a76c3df10b544595a2294c16649dc3472e5" # main
+      - uses: "chainguard-dev/actions/nodiff@916fec00fb80f3cd124a0b41eef79ee63f607c5d" # main
         with:
           path: ""
           fixup-command: "go run mage.go gen:proto"
@@ -464,14 +464,14 @@ jobs:
           echo "sha=$SHA" >> $GITHUB_OUTPUT
 
       - name: "Download benchmark from Main"
-        uses: "actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306" # v5.0.3
+        uses: "actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae" # v5.0.5
         id: "downloadbenchmark"
         with:
           path: "./cache/benchmark-data.json"
           key: "${{ steps.get-main-branch-sha.outputs.sha }}-${{ runner.os }}-go-benchmark"
 
       - name: "Compare benchmarks with Main"
-        uses: "benchmark-action/github-action-benchmark@a7bc2366eda11037936ea57d811a43b3418d3073" # v1.21.0
+        uses: "benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372" # v1.22.0
         if: "steps.downloadbenchmark.outputs.cache-hit == 'true'"
         with:
           alert-threshold: "200%"
@@ -491,7 +491,7 @@ jobs:
           summary-always: true
 
       - name: "Run benchmarks but don't compare to Main branch"
-        uses: "benchmark-action/github-action-benchmark@a7bc2366eda11037936ea57d811a43b3418d3073" # v1.21.0
+        uses: "benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372" # v1.22.0
         if: "steps.downloadbenchmark.outputs.cache-hit != 'true'"
         with:
           # What benchmark tool the output.txt came from

.github/workflows/commit-messages.yaml

@@ -18,7 +18,7 @@ jobs:
     runs-on: "depot-ubuntu-24.04-small"
     steps:
       - uses: "actions/checkout@v6"
-      - uses: "webiny/action-conventional-commits@v1.3.1"
+      - uses: "webiny/action-conventional-commits@v1.4.2"
       - uses: "amannn/action-semantic-pull-request@v6.1.1"
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/docs.yaml

@@ -60,7 +60,7 @@ jobs:
           committer: "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>"
 
       - name: "Approve Pull Request in target"
-        uses: "juliangruber/approve-pull-request-action@b71c44ff142895ba07fad34389f1938a4e8ee7b0" # v2.0.6
+        uses: "juliangruber/approve-pull-request-action@68fcc9a5a73b5641cadf757cf99d73720dcb05d0" # v2.1.0
         if: "steps.check-changes.outputs.docs_changed == 'true'"
         with:
           repo: "authzed/docs"
@@ -75,7 +75,7 @@ jobs:
 
       - name: "Notify in Slack if failure"
         if: "${{ failure() }}"
-        uses: "slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a" # v2.1.1
+        uses: "slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c" # v3.0.3
         with:
           webhook: "${{ secrets.SLACK_BUILDS_WEBHOOK_URL }}"
           webhook-type: "incoming-webhook"

.github/workflows/keep-a-changelog.yaml

@@ -23,7 +23,7 @@ jobs:
   changelog:
     runs-on: "depot-ubuntu-24.04-small"
     steps:
-      - uses: "dangoslen/changelog-enforcer@ea6a56764870c323a4563f450c0a50c5f2d72cd6"
+      - uses: "dangoslen/changelog-enforcer@43d9d695c578fb444f2e5bd23c0e9ec7c97b1d37"
         with:
           skipLabels: "Skip-Changelog,dependencies,tests"
           missingUpdateErrorMessage: "If your PR has a change that users might care about, please add an entry to CHANGELOG.md, run 'npx keep-a-changelog', and commit the changes. Otherwise, add the Skip-Changelog label to your PR."

.github/workflows/lint.yaml

@@ -35,7 +35,7 @@ jobs:
       - uses: "authzed/actions/setup-go@main"
       - name: "Generate docs"
         run: "go run mage.go gen:docs"
-      - uses: "chainguard-dev/actions/nodiff@71714a76c3df10b544595a2294c16649dc3472e5" # main
+      - uses: "chainguard-dev/actions/nodiff@916fec00fb80f3cd124a0b41eef79ee63f607c5d" # main
         with:
           path: ""
           fixup-command: "mage gen:docs"
@@ -47,7 +47,7 @@ jobs:
       - uses: "authzed/actions/setup-go@main"
       - name: "Lint Everything"
         run: "go run mage.go lint:all"
-      - uses: "chainguard-dev/actions/nodiff@71714a76c3df10b544595a2294c16649dc3472e5" # main
+      - uses: "chainguard-dev/actions/nodiff@916fec00fb80f3cd124a0b41eef79ee63f607c5d" # main
         with:
           path: ""
           fixup-command: "go run mage.go lint:all"

.github/workflows/nightly.yaml

@@ -28,9 +28,9 @@ jobs:
           quayio_token: "${{ secrets.QUAYIO_PASSWORD }}"
           github_token: "${{ secrets.GITHUB_TOKEN }}"
           dockerhub_token: "${{ secrets.DOCKERHUB_ACCESS_TOKEN }}"
-      - uses: "docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130" # v3.7.0
-      - uses: "docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f" # v3.12.0
-      - uses: "goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29" # v7.0.0
+      - uses: "docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a" # v4.0.0
+      - uses: "docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd" # v4.0.0
+      - uses: "goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8" # v7.2.1
         with:
           distribution: "goreleaser-pro"
           version: "2.15.2"

.github/workflows/release-windows.yaml

@@ -18,7 +18,7 @@ jobs:
         with:
           fetch-depth: 0
       - uses: "authzed/actions/setup-go@main"
-      - uses: "nowsprinting/check-version-format-action@bb1181a02ee5d9ae4feead2842236183c85152c6" # v4.0.7
+      - uses: "nowsprinting/check-version-format-action@976544c127ab571b88419766cc9d3b459f8d7b82" # v5.0.1
         id: "version"
         with:
           prefix: "v"
@@ -27,7 +27,7 @@ jobs:
           quayio_token: "${{ secrets.QUAYIO_PASSWORD }}"
           github_token: "${{ secrets.GITHUB_TOKEN }}"
           dockerhub_token: "${{ secrets.DOCKERHUB_ACCESS_TOKEN }}"
-      - uses: "goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29" # v7.0.0
+      - uses: "goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8" # v7.2.1
         with:
           distribution: "goreleaser-pro"
           # NOTE: keep in sync with goreleaser version in other job.
@@ -40,7 +40,7 @@ jobs:
           CHOCOLATEY_API_KEY: "${{ secrets.CHOCOLATEY_API_KEY }}"
       - name: "Notify Slack if failure"
         if: "failure()"
-        uses: "slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a" # v2.1.1
+        uses: "slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c" # v3.0.3
         with:
           webhook: "${{ secrets.SLACK_WEBHOOK_URL }}"
           webhook-type: "incoming-webhook"

.github/workflows/release.yaml

@@ -19,7 +19,7 @@ jobs:
         with:
           fetch-depth: 0
       - uses: "authzed/actions/setup-go@main"
-      - uses: "nowsprinting/check-version-format-action@bb1181a02ee5d9ae4feead2842236183c85152c6" # v4.0.7
+      - uses: "nowsprinting/check-version-format-action@976544c127ab571b88419766cc9d3b459f8d7b82" # v5.0.1
         id: "version"
         with:
           prefix: "v"
@@ -37,9 +37,9 @@ jobs:
           quayio_token: "${{ secrets.QUAYIO_PASSWORD }}"
           github_token: "${{ secrets.GITHUB_TOKEN }}"
           dockerhub_token: "${{ secrets.DOCKERHUB_ACCESS_TOKEN }}"
-      - uses: "docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130" # v3.7.0
-      - uses: "docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f" # v3.12.0
-      - uses: "goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29" # v7.0.0
+      - uses: "docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a" # v4.0.0
+      - uses: "docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd" # v4.0.0
+      - uses: "goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8" # v7.2.1
         with:
           distribution: "goreleaser-pro"
           # NOTE: keep in sync with goreleaser version in other job.
@@ -54,7 +54,7 @@ jobs:
           SNAPCRAFT_STORE_CREDENTIALS: "${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}"
       - name: "Notify Slack of goreleaser status"
         if: "always()"
-        uses: "slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a" # v2.1.1
+        uses: "slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c" # v3.0.3
         with:
           webhook: "${{ secrets.SLACK_WEBHOOK_URL }}"
           webhook-type: "incoming-webhook"