
[TASK] Update and SHA-pin all GitHub Actions #1184

Open
CybotTM wants to merge 2 commits into TYPO3-Documentation:main from CybotTM:feature/update-actions

Conversation


@CybotTM CybotTM commented Feb 22, 2026

Summary

Updates and SHA-pins all GitHub Actions in non-CI workflow files for supply
chain security.

main.yaml is excluded from this PR — it will be migrated to shared reusable
workflows via #1196.

Files changed

  • .github/workflows/docker.yaml — metadata-action, login-action, setup-qemu, setup-buildx, build-push, upload/download-artifact
  • .github/workflows/docker-test.yaml — checkout version comment
  • .github/workflows/deploy-azure-assets.yaml — checkout version comment
  • .github/workflows/split-repositories.yaml — checkout, cache, use-github-token, use-subsplit-publish
  • .github/workflows/pr-auto-merge.yaml — dependabot/fetch-metadata
  • .github/workflows/pr-auto-approve.yaml — dependabot/fetch-metadata

Version updates

Action                               Old       New       SHA
docker/metadata-action               SHA only  v5.10.0   c299e40c
docker/login-action                  SHA only  v3.7.0    c94ce9fb
docker/setup-qemu-action             SHA only  v3.7.0    c7c53464
docker/setup-buildx-action           SHA only  v3.12.0   8d2750c6
docker/build-push-action             SHA only  v6.19.2   10e90e36
actions/upload-artifact              SHA only  v6.0.0    b7c566a7
actions/download-artifact            SHA only  v7.0.0    37930b1c
dependabot/fetch-metadata            SHA only  v2.5.0    21025c70
frankdejonge/use-github-token        SHA only  1.1.0     15e6289d
frankdejonge/use-subsplit-publish    SHA only  1.1.0     00010151

Related

  • #1196 — Migrates main.yaml to shared reusable workflows
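
One way to turn a version table like the one above into something a reviewer can check mechanically, as an added example (Python; not the project's own code). It lints every `uses:` line of a workflow for the pin form (full 40-hex SHA with a version comment is the only immutable, reviewable one), compares the comment against an independently resolved tag-to-SHA table, and shows the `git ls-remote` call that produces that table. The workflow snippet, the expected-SHA table and every 40-hex SHA in them are constructed placeholders, not the real commits of any release:

```python
"""Lint the `uses:` references in a GitHub Actions workflow for SHA pinning.

Added example; not code from the TYPO3-Documentation repository. The
workflow text and the tag->SHA table below are constructed for the demo and
the 40-hex SHAs in them are placeholders, not the real commits of any release.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# `uses: owner/repo[/sub/path]@ref  # optional version comment`
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<repo>[\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(?P<ref>\S+)"
    r"(?:\s+#\s*(?P<comment>.*?))?\s*$"
)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")         # the only immutable form
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")      # abbreviated: not immutable
VERSION_TAG = re.compile(r"^v?\d+(\.\d+){0,2}$")  # v4, v5.10.0, 1.1.0: movable tags


@dataclass
class Finding:
    line_no: int
    repo: str
    ref: str
    version: Optional[str]  # version named in the trailing `# vX.Y.Z` comment
    status: str             # ok | mismatch | sha-no-comment | short-sha | tag | branch


def lint_workflow(text: str,
                  expected: Optional[Dict[Tuple[str, str], str]] = None) -> List[Finding]:
    """Classify every remote `uses:` line. Local actions (./path) and docker://
    references carry no `@ref` and are skipped.

    `expected` maps (repo, version) -> full commit SHA, i.e. a table the
    reviewer resolved independently (see resolve_tag). When given, a SHA pin
    whose comment names a version present in the table must match it."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref = m["repo"], m["ref"]
        parts = (m["comment"] or "").split()
        version = parts[0] if parts else None
        if FULL_SHA.match(ref):
            if version is None:
                status = "sha-no-comment"  # nobody can tell which release this is
            elif expected is not None and expected.get((repo, version), ref) != ref:
                status = "mismatch"        # the comment does not describe the SHA
            else:
                status = "ok"
        elif SHORT_SHA.match(ref):
            status = "short-sha"           # a prefix, not a full commit id
        elif VERSION_TAG.match(ref):
            status = "tag"                 # tags can be moved or re-created
        else:
            status = "branch"
        findings.append(Finding(line_no, repo, ref, version, status))
    return findings


def is_clean(findings: List[Finding]) -> bool:
    return all(f.status == "ok" for f in findings)


def ls_remote_cmd(repo: str, tag: str) -> List[str]:
    """Command that resolves a tag to a commit without cloning. The `^{}` form
    peels an annotated tag to the commit it points at, which is the SHA a
    `uses:` pin must carry (the tag object's own id is not usable)."""
    return ["git", "ls-remote", f"https://github.com/{repo}",
            f"refs/tags/{tag}", f"refs/tags/{tag}^{{}}"]


def resolve_tag(repo: str, tag: str) -> Optional[str]:
    """Network call (not exercised offline): the peeled commit SHA of `tag`."""
    out = subprocess.run(ls_remote_cmd(repo, tag), capture_output=True,
                         text=True, check=True).stdout
    sha = None
    for row in out.splitlines():
        commit, ref = row.split("\t")
        if ref.endswith("^{}") or sha is None:  # prefer the peeled line
            sha = commit
    return sha


# Constructed workflow: one line per pin form a reviewer will meet.
SAMPLE_WORKFLOW = """\
name: docker
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@main
      - uses: docker/metadata-action@c299e40c
      - uses: docker/setup-buildx-action@0123456789abcdef0123456789abcdef01234567
      - uses: docker/setup-qemu-action@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v3.7.0
      - uses: docker/build-push-action@0123456789abcdef0123456789abcdef01234567 # v6.19.2
      - uses: ./.github/actions/local-thing
"""

# Constructed "reviewer's table" with placeholder SHAs; in practice fill it
# from resolve_tag() and paste the commands into the PR so others can rerun them.
EXPECTED = {
    ("docker/build-push-action", "v6.19.2"): "0123456789abcdef0123456789abcdef01234567",
    ("docker/setup-qemu-action", "v3.7.0"): "cafebabecafebabecafebabecafebabecafebabe",
}

if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW, EXPECTED):
        print(f"line {f.line_no}: {f.repo}@{f.ref} ({f.version}) -> {f.status}")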

@CybotTM CybotTM marked this pull request as draft February 22, 2026 12:04
@CybotTM CybotTM changed the title [TASK] Update GitHub Actions to latest versions [TASK] Update and SHA-pin all GitHub Actions Feb 22, 2026
@CybotTM CybotTM marked this pull request as ready for review February 22, 2026 13:47
linawolf
linawolf previously approved these changes Mar 1, 2026
@linawolf
Copy link
Copy Markdown
Member

linawolf commented Mar 1, 2026

The best course of action seems to be to merge this and try it out and watch the first runs of the pipelines.

I see less risk in hardening the versions but you made major upgrades to some versions so we would have to watch the pipelines closely. Best would be to merge this when no TYPO3 Core releases are planned that week so we dont have suddenly all the important manuals rendering.

@CybotTM CybotTM force-pushed the feature/update-actions branch from c8903b8 to 123d809 Compare March 1, 2026 16:01
@sbuerk
Copy link
Copy Markdown

sbuerk commented Mar 2, 2026

Despite switching to commit hashes not discussing it for now, this pull-requests misses to provide a detail analysis and risk-assesment about raising marketplace action one or in some cases two major versions.

Actions following semver could introduce breaking things with new versions, dropping stuff and similar and possibile need adjustments. None of them is contained or mentioned in the pull-request nor the single commit messages.

Taken into account that this pull-request not only changes the version of official github provided actions, but also 3rd party market place actions this is would have to read that up.

Can you please provide a detailed risk-assesment about the raises and the analysis if there are changes or a statement about that it is okay with a reasoning for each of the updated action ?

Note

The list needs to be reviewable and easy verifiable, providing links
corresponding releases and/or upgrade information would be helpfull.

Important

DISCLAIMER Not part of the documentation team, above mentioned
statements are my personal view on this.

@CybotTM
Copy link
Copy Markdown
Contributor Author

CybotTM commented Mar 2, 2026

I am done with the PR, close it if it does not meet your ad-hoc requirements. I'm fine with rejecting this PR, would just be nice to have such requirements defined upfront not afterwards.

@CybotTM
Copy link
Copy Markdown
Contributor Author

CybotTM commented Mar 2, 2026

I added the major version changes, I skipped minor and bugfix, as these are already auto-merged currently.

@CybotTM
Copy link
Copy Markdown
Contributor Author

CybotTM commented Mar 2, 2026

Save CO² - update your node! ;-)

@linawolf linawolf dismissed their stale review March 2, 2026 07:25

Waiting for your discussion to resolve

@linawolf
Copy link
Copy Markdown
Member

linawolf commented Mar 2, 2026

To make review easie rand reduce scope, I would suggest to avoid mixing concerns and do the SHA pinning and Major version bumbs in separate PRs.

That way we can review the structural change (pinning) independently from the version upgrades.

Updates and SHA-pins all GitHub Actions in non-CI workflow files
(Docker, deploy, split-repositories, Dependabot auto-merge/approve).

main.yaml is excluded — it will be migrated to shared reusable
workflows via TYPO3-Documentation#1196.
@CybotTM CybotTM force-pushed the feature/update-actions branch from 0ac7156 to b678c6c Compare March 17, 2026 10:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants