Pin dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
SonarSource/ci-github-actions	action	pinDigest	→ 6c76730
SonarSource/unified-dogfooding-actions	action	pin	v1 → 1.0.0

---

Configuration

📅 Schedule: (in timezone Europe/Paris)

• Branch creation
  • "after 7am every weekday,before 8pm every weekday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined

Post-upgrade command 'pre-commit autoupdate --freeze || true' has not been added to the allowed list in allowedCommands

[sonar-review-alpha]

Summary

Pins GitHub Actions to specific commit SHAs for reproducibility and security

This Renovate-generated PR replaces two dynamic action references with pinned commits:

1. check-sca.yml: SonarSource/ci-github-actions/check-sca@master → pinned digest 6c76730 (current master at pin time)
2. unified-dogfooding.yml: SonarSource/unified-dogfooding-actions/run-iris@v1 → pinned digest 54cee68 (equivalent to 1.0.0)

Pinning action commits ensures CI runs the exact same code every time, preventing unexpected breaking changes if upstream repositories update their branch or tag references.

What reviewers should know

For reviewers:

• Both pins correspond to code versions already in use (master and v1.0.0), so this is not a version upgrade—just making the versions immutable.
• The workflow functionality remains unchanged; this is purely about reference stability.
• Future Renovate PRs will separately propose updates to newer versions if/when they're available.
• The GitHub comment syntax (# master and # 1.0.0) makes the original reference visible for future maintenance.

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[hashicorp-vault-sonar-prod]

Renovate Jira issue ID: BUILD-11423

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonar-review-alpha]

LGTM! ✅

Clean, mechanical change with no bugs. Both SHAs check out: the short form 6c76730 in the PR description is the correct prefix of the full SHA applied in the diff, and both comments (# master, # 1.0.0) accurately document what was pinned from.

One pre-existing gap worth a follow-up: four workflows (RequestReview.yml, SubmitReview.yml, PullRequestCreated.yml, PullRequestClosed.yml) each reference sonarsource/gh-action-lt-backlog/*@v2 without a commit SHA — Renovate appears not to manage that action. This is not a blocker here, but the pinning strategy is incomplete until those are addressed.

🗣️ Give feedback