
Pin dependencies#47

Open
renovate[bot] wants to merge 1 commit into master from renovate/github-actions

Conversation


@renovate renovate Bot commented May 7, 2026

This PR contains the following updates:

Package                        Type    Update  Change
SonarSource/ci-github-actions  action  pin     v1 → 1.4.0
SonarSource/gh-action_release  action  pin     v7 → 7.0.1

Add the preset :preserveSemverRanges to your config if you don't want to pin your dependencies.


Configuration

📅 Schedule: (in timezone Europe/Paris)

  • Branch creation
    • "after 7am every weekday,before 8pm every weekday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner May 7, 2026 10:18
@renovate renovate Bot added the dependencies label May 7, 2026

renovate Bot commented May 7, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined
Post-upgrade command 'pre-commit autoupdate --freeze || true' has not been added to the allowed list in allowedCommands


sonar-review-alpha Bot commented May 7, 2026

Summary

This PR pins two GitHub Actions to specific commit hashes, improving reproducibility and security. The changes affect two workflow files in .github/workflows/: build.yml and release.yml. Two SonarSource actions are updated from semantic version tags (v1 and v7) to pinned commit hashes with version comments for readability (1.4.0 and 7.0.1 respectively). This is a low-risk change with no functional impact on workflows.

What reviewers should know

What to review:

  • Two files changed: .github/workflows/build.yml and .github/workflows/release.yml
  • Same SonarSource action (ci-github-actions) updated in two places within build.yml (both pinned to the same hash)
  • Each change replaces a flexible tag with an immutable commit hash plus a version comment

Why this matters:
Pinning to commit hashes instead of tags (v1, v7) prevents unexpected action updates if maintainers push commits to these tags. This is a security/stability best practice for CI/CD workflows.

No manual review needed for functionality — this is a straightforward dependency pinning change generated by Renovate.


@renovate renovate Bot force-pushed the renovate/github-actions branch from 31cfeaa to 362cb09 Compare May 8, 2026 23:03
sonarqube-next Bot commented May 8, 2026


@sonar-review-alpha sonar-review-alpha Bot left a comment


LGTM! ✅

Clean, complete pin. All three previously mutable action references (build-maven, promote, and gh-action_release) are now immutably pinned, and no mutable tags remain in either workflow file. The style (hash + version comment) matches the already-pinned actions/checkout on line 24 of build.yml. Both ci-github-actions sub-actions share the same commit hash, as expected for a single-repo multi-action tag. The Renovate config in .github/renovate.json inherits SonarSource's shared dev-infra-squad preset, so these pins will be kept up to date automatically.
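As an added example (not code from this repository, from Renovate or from the review bots), a small checker for the property the two review comments above verify by hand: every remote `uses:` reference in a workflow should be a full 40-hex commit SHA, and every such pin should carry a human-readable version comment. The workflow text and the SHAs in it are constructed placeholders, not real commits.

```python
import re
from typing import NamedTuple

# Constructed sample workflow (not the repository's real build.yml): one action
# pinned with hash + version comment, one still on a mutable tag, one pinned
# without a comment, plus local and docker references that need no pin.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.2.2
      - uses: SonarSource/ci-github-actions/build-maven@v1
      - uses: SonarSource/gh-action_release/main@abcdef0123456789abcdef0123456789abcdef01
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#.*)?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

class UsesRef(NamedTuple):
    line_no: int
    action: str            # e.g. "SonarSource/ci-github-actions/build-maven"
    ref: str               # text after '@': tag, branch or commit SHA ('' if none)
    pinned: bool           # True only for a full 40-hex commit SHA
    has_version_comment: bool

def parse_uses(workflow_text: str) -> list[UsesRef]:
    """Extract every remote `uses:` reference; local (./) and docker:// are skipped."""
    refs = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        pinned = bool(SHA_RE.match(ref))
        has_comment = bool(comment and re.search(r"\d+\.\d+", comment))
        refs.append(UsesRef(n, action, ref, pinned, has_comment))
    return refs

def mutable_refs(workflow_text: str) -> list[UsesRef]:
    """Actions whose ref can move (tag, branch or short SHA): the case the pin fixes."""
    return [r for r in parse_uses(workflow_text) if not r.pinned]

def pins_without_version_comment(workflow_text: str) -> list[UsesRef]:
    """Pinned, but with no '# vX.Y.Z' comment, so the version is unreadable to humans."""
    return [r for r in parse_uses(workflow_text) if r.pinned and not r.has_version_comment]
```

Run it over each file under `.github/workflows/` in CI and fail the job when `mutable_refs` returns anything, which is the check the LGTM comment performs manually.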
