ci: rollup of GitHub Actions bumps + cargo-audit SARIF upload (#288)

* ci(deps): bump actions/attest-build-provenance from 2.4.0 to 4.1.0

Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 2.4.0 to 4.1.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Commits](actions/attest-build-provenance@v2.4.0...v4.1.0)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* ci(deps): bump actions/cache from 4.3.0 to 5.0.5

Bumps [actions/cache](https://github.com/actions/cache) from 4.3.0 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Commits](actions/cache@v4.3.0...v5.0.5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* ci(deps): bump cargo-bins/cargo-binstall from 1.18.1 to 1.19.0

Bumps [cargo-bins/cargo-binstall](https://github.com/cargo-bins/cargo-binstall) from 1.18.1 to 1.19.0.
- [Release notes](https://github.com/cargo-bins/cargo-binstall/releases)
- [Changelog](https://github.com/cargo-bins/cargo-binstall/blob/main/release-plz.toml)
- [Commits](cargo-bins/cargo-binstall@v1.18.1...v1.19.0)

---
updated-dependencies:
- dependency-name: cargo-bins/cargo-binstall
  dependency-version: 1.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* ci(deps): bump oras-project/setup-oras from 1.2.4 to 2.0.0

Bumps [oras-project/setup-oras](https://github.com/oras-project/setup-oras) from 1.2.4 to 2.0.0.
- [Release notes](https://github.com/oras-project/setup-oras/releases)
- [Commits](oras-project/setup-oras@22ce207...38de303)

---
updated-dependencies:
- dependency-name: oras-project/setup-oras
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* ci(deps): bump actions/upload-artifact from 4.6.2 to 7.0.1

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...v7.0.1)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* ci(main): upload v4 cargo-audit findings to GitHub Security as SARIF

Pipes `cargo audit --json` (which honors `v4/.cargo/audit.toml` ignores)
through a jq-based SARIF v2.1.0 converter and uploads via
`github/codeql-action/upload-sarif@v4`. Because `ci-v4.yml` only
triggers on the `v4` branch, advisories are now attributed to
`refs/heads/v4` instead of being invisible in the Security tab.

Avoids `rustsec/audit-check@v2` because it does not respect cargo-audit
ignores. The audit job still re-fails when cargo-audit reports
vulnerabilities, preserving the prior CI verdict.

Closes the post-reorg telemetry gap where v4 advisories had no path
into GitHub code-scanning UI.

Co-Authored-By: claude-flow <ruv@ruv.net>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: claude-flow <ruv@ruv.net>

Author: 3 people

.github/workflows/_ci-rust.yml

@@ -143,7 +143,7 @@ jobs:
           cargo build --release --workspace $target_arg $features_arg
       - name: Upload release binary
         if: ${{ inputs.target == 'x86_64-unknown-linux-musl' }}
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: sindri-${{ inputs.workspace_dir }}-binaries-${{ github.sha }}
           path: ${{ inputs.workspace_dir }}/target/${{ inputs.target }}/release/sindri

.github/workflows/_release-cargo-dist.yml

@@ -54,7 +54,7 @@ jobs:
         run: cargo install cross --git https://github.com/cross-rs/cross
 
       - name: Cache cargo registry + target
-        uses: actions/cache@v5
+        uses: actions/cache@v5.0.5
         with:
           path: |
             ~/.cargo/bin/
@@ -93,7 +93,7 @@ jobs:
           }
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: binary-${{ matrix.platform }}
           path: |

.github/workflows/check-links.yml

@@ -28,7 +28,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Restore lychee cache
-        uses: actions/cache@v5
+        uses: actions/cache@v5.0.5
         with:
           path: .lycheecache
           key: cache-lychee-${{ github.sha }}
@@ -55,7 +55,7 @@ jobs:
 
       - name: Upload internal link report
         if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: lychee-internal-report
           path: lychee-internal.md
@@ -71,7 +71,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Restore lychee cache
-        uses: actions/cache@v5
+        uses: actions/cache@v5.0.5
         with:
           path: .lycheecache
           key: cache-lychee-external-${{ github.sha }}
@@ -105,7 +105,7 @@ jobs:
 
       - name: Upload external link report
         if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: lychee-external-report
           path: lychee-external.md

.github/workflows/ci-v3.yml

@@ -67,7 +67,7 @@ jobs:
         with:
           workspaces: v3 -> target
       - name: Install cargo-binstall
-        uses: cargo-bins/cargo-binstall@v1.18.1
+        uses: cargo-bins/cargo-binstall@v1.19.0
       - name: Install cargo-machete
         run: cargo binstall cargo-machete --no-confirm
       - name: Scan for unused dependencies
@@ -110,7 +110,7 @@ jobs:
           workspaces: v3 -> target
 
       - name: Install cargo-binstall
-        uses: cargo-bins/cargo-binstall@v1.18.1
+        uses: cargo-bins/cargo-binstall@v1.19.0
 
       - name: Install cargo-llvm-cov
         run: cargo binstall cargo-llvm-cov --no-confirm --force
@@ -184,7 +184,7 @@ jobs:
           fail_ci_if_error: false
 
       - name: Upload coverage report
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: coverage-lcov-${{ github.sha }}
           path: |
@@ -285,7 +285,7 @@ jobs:
 
       - name: Attest build provenance
         if: steps.build.outputs.digest != ''
-        uses: actions/attest-build-provenance@v4
+        uses: actions/attest-build-provenance@v4.1.0
         with:
           subject-name: ghcr.io/${{ github.repository }}
           subject-digest: ${{ steps.build.outputs.digest }}
@@ -405,7 +405,7 @@ jobs:
         uses: dtolnay/rust-toolchain@stable
 
       - name: Install cargo-binstall
-        uses: cargo-bins/cargo-binstall@v1.18.1
+        uses: cargo-bins/cargo-binstall@v1.19.0
 
       - name: Install cargo-audit
         run: cargo binstall cargo-audit --no-confirm
@@ -726,7 +726,7 @@ jobs:
 
       - name: Upload test results
         if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: provider-test-results-${{ matrix.provider }}-${{ github.sha }}
           path: v3/provider-test-results.txt

.github/workflows/ci-v4.yml

@@ -42,7 +42,7 @@ jobs:
         with:
           targets: ${{ matrix.target }}
       - name: Cache cargo
-        uses: actions/cache@v5
+        uses: actions/cache@v5.0.5
         with:
           path: |
             ~/.cargo/registry
@@ -91,10 +91,122 @@ jobs:
   audit:
     name: Security audit
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - uses: actions/checkout@v6
       - name: Install cargo-audit
         run: cargo install cargo-audit --locked
-      - name: Run audit
+
+      # `cargo audit --json` honors v4/.cargo/audit.toml ignores, so SARIF
+      # output below reflects the same advisory set the human-readable
+      # `cargo audit` step would surface. The SARIF upload routes findings
+      # to the GitHub Security tab keyed to refs/heads/v4 (since this
+      # workflow only triggers on the v4 branch), keeping advisories
+      # attributed to the right branch after the April 2026 reorg.
+      - name: Run audit (JSON)
+        id: audit
         working-directory: v4
-        run: cargo audit
+        continue-on-error: true
+        run: |
+          set -o pipefail
+          cargo audit --json > "$RUNNER_TEMP/audit.json"
+
+      - name: Convert audit JSON to SARIF
+        if: always() && hashFiles(format('{0}/audit.json', runner.temp)) != ''
+        run: |
+          jq '
+            def sev_to_level:
+              ascii_downcase
+              | if   . == "critical" then "error"
+                elif . == "high"     then "error"
+                elif . == "medium"   then "warning"
+                elif . == "low"      then "note"
+                else "warning" end;
+            {
+              "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+              "version": "2.1.0",
+              "runs": [{
+                "tool": {
+                  "driver": {
+                    "name": "cargo-audit",
+                    "informationUri": "https://github.com/rustsec/rustsec/tree/main/cargo-audit",
+                    "rules": (
+                      [.vulnerabilities.list[]?
+                        | .advisory as $a
+                        | {
+                            "id": $a.id,
+                            "name": $a.id,
+                            "shortDescription": { "text": $a.title },
+                            "fullDescription":  { "text": ($a.description // $a.title) },
+                            "helpUri": ($a.url // "https://rustsec.org/advisories/\($a.id).html"),
+                            "defaultConfiguration": {
+                              "level": (($a.severity // "warning") | sev_to_level)
+                            },
+                            "properties": {
+                              "tags": ["security", "rust", "rustsec"],
+                              "security-severity": (
+                                if   ($a.severity // "" | ascii_downcase) == "critical" then "9.5"
+                                elif ($a.severity // "" | ascii_downcase) == "high"     then "7.5"
+                                elif ($a.severity // "" | ascii_downcase) == "medium"   then "5.0"
+                                elif ($a.severity // "" | ascii_downcase) == "low"      then "3.0"
+                                else "5.0" end
+                              )
+                            }
+                          }
+                      ] | unique_by(.id)
+                    )
+                  }
+                },
+                "results": (
+                  [.vulnerabilities.list[]?
+                    | {
+                        "ruleId": .advisory.id,
+                        "level":  ((.advisory.severity // "warning") | sev_to_level),
+                        "message": {
+                          "text": "\(.package.name) \(.package.version): \(.advisory.title) (\(.advisory.id))"
+                        },
+                        "locations": [{
+                          "physicalLocation": {
+                            "artifactLocation": { "uri": "v4/Cargo.lock" },
+                            "region": { "startLine": 1 }
+                          }
+                        }],
+                        "partialFingerprints": {
+                          "advisory/package/version":
+                            "\(.advisory.id)/\(.package.name)/\(.package.version)"
+                        }
+                      }
+                  ]
+                )
+              }]
+            }
+          ' "$RUNNER_TEMP/audit.json" > "$RUNNER_TEMP/audit.sarif"
+          echo "SARIF results:"
+          jq '.runs[0].results | length' "$RUNNER_TEMP/audit.sarif"
+
+      - name: Upload SARIF to GitHub Security
+        if: always() && hashFiles(format('{0}/audit.sarif', runner.temp)) != ''
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: ${{ runner.temp }}/audit.sarif
+          category: cargo-audit-v4
+
+      - name: Audit summary
+        if: always()
+        run: |
+          if [ -f "$RUNNER_TEMP/audit.json" ]; then
+            COUNT=$(jq '.vulnerabilities.count // 0' "$RUNNER_TEMP/audit.json")
+            echo "## cargo-audit (v4)" >> "$GITHUB_STEP_SUMMARY"
+            echo "- **Vulnerabilities reported (post-ignore):** $COUNT" >> "$GITHUB_STEP_SUMMARY"
+            echo "- **Ignores honored from:** \`v4/.cargo/audit.toml\`" >> "$GITHUB_STEP_SUMMARY"
+          fi
+
+      # Re-fail the job if cargo audit found anything, so CI status reflects
+      # the audit result even though the JSON step uses continue-on-error.
+      - name: Enforce audit verdict
+        if: steps.audit.outcome == 'failure'
+        run: |
+          echo "::error::cargo audit reported vulnerabilities (see SARIF / Security tab)"
+          exit 1

.github/workflows/integration-test-providers.yml

@@ -58,7 +58,7 @@ jobs:
         run: cd v3 && cargo build --release
 
       - name: Upload binary
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v7.0.1
         with:
           name: sindri-integration-binary-${{ github.sha }}
           path: v3/target/release/sindri
@@ -230,7 +230,7 @@ jobs:
           echo "- Destroy: PASS" >> $GITHUB_STEP_SUMMARY
 
       - name: Upload test logs
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v7.0.1
         if: always()
         with:
           name: runpod-integration-logs-${{ github.sha }}
@@ -293,7 +293,7 @@ jobs:
           echo "- Destroy: PASS" >> $GITHUB_STEP_SUMMARY
 
       - name: Upload test logs
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v7.0.1
         if: always()
         with:
           name: northflank-integration-logs-${{ github.sha }}

.github/workflows/registry-core-publish.yml

@@ -151,7 +151,7 @@ jobs:
           ref: v4
       - uses: dtolnay/rust-toolchain@stable
       - name: Cache cargo (sindri build)
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830  # v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
         with:
           path: |
             ~/.cargo/registry
@@ -175,7 +175,7 @@ jobs:
           fi
       - name: Upload lint report
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: registry-lint-report
           path: v4/lint-report.json
@@ -204,7 +204,7 @@ jobs:
           ref: v4
       - uses: dtolnay/rust-toolchain@stable
       - name: Cache cargo (sindri build)
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830  # v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
         with:
           path: |
             ~/.cargo/registry
@@ -283,7 +283,7 @@ jobs:
           python-version: "3.12"
 
       - name: Cache ScanCode pip install
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830  # v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-scancode-32.x
@@ -395,7 +395,7 @@ jobs:
 
       - name: Upload ScanCode report
         if: ${{ always() || github.event.inputs.debug_scancode == 'true' }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: scancode-license-report
           path: |
@@ -421,7 +421,7 @@ jobs:
           ref: v4
       - uses: dtolnay/rust-toolchain@stable
       - name: Cache cargo (sindri build)
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830  # v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
         with:
           path: |
             ~/.cargo/registry
@@ -465,7 +465,7 @@ jobs:
           test -s "$out" || { echo "::error::index.yaml is empty"; exit 1; }
           echo "index-path=v4/$out" >> "$GITHUB_OUTPUT"
       - name: Upload generated index
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: registry-core-index
           path: v4/registry-core/index.yaml
@@ -483,7 +483,7 @@ jobs:
     if: ${{ needs.resolve-tag.outputs.dry_run == 'false' }}
     steps:
       - name: Install oras
-        uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6  # v1.2.4
+        uses: oras-project/setup-oras@38de303aac69abb66f3e6255b7198bff35f323e3  # v2.0.0
         with:
           version: ${{ env.ORAS_VERSION }}
       - name: Login to ghcr.io (read)
@@ -523,7 +523,7 @@ jobs:
           name: registry-core-index
           path: v4/registry-core/
       - name: Install oras
-        uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6  # v1.2.4
+        uses: oras-project/setup-oras@38de303aac69abb66f3e6255b7198bff35f323e3  # v2.0.0
         with:
           version: ${{ env.ORAS_VERSION }}
       - name: Login to ghcr.io
@@ -638,7 +638,7 @@ jobs:
 
       - name: Generate SLSA provenance attestation
         id: attest
-        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be  # v2.4.0
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  # v4.1.0
         with:
           # Subject is the OCI artifact identified by its manifest digest.
           # We provide both the digest (for OCI attestation lookup) and the
@@ -653,7 +653,7 @@ jobs:
           show-summary: true
 
       - name: Upload attestation bundle
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: slsa-provenance-bundle
           path: ${{ steps.attest.outputs.bundle-path }}
@@ -757,7 +757,7 @@ jobs:
 
       - name: Upload verification result
         if: always()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: attestation-verify-result
           path: attestation-verify-result.json