From 03bce4454249a1e02da9befdb4ac56d4f8f48c5d Mon Sep 17 00:00:00 2001
From: Nuno Simoes
Date: Fri, 20 Mar 2026 15:47:11 +0100
Subject: [PATCH 1/2] ci: add scaners actions
---
 .github/workflows/ci.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 9c52c7d..b08dff2 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -67,5 +67,14 @@ jobs:
 with:
 version: v0.7.1
+ - name: ci/scan-docker-security
+ uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
+ with:
+ image: "mattermost/node-rotator"
+ output-format: table
+ only-fixed: true
+ fail-build: false
+ severity-cutoff: critical
+
+
 - name: ci/docker-push-pr
 run: make push-image-pr
From ca81ebb1392e5fe25df5350b671097419223d0f5 Mon Sep 17 00:00:00 2001
From: Nuno Simoes
Date: Fri, 20 Mar 2026 15:50:58 +0100
Subject: [PATCH 2/2] ci: bump all actions
---
 .github/workflows/cd.yaml | 7 +++----
 .github/workflows/ci.yaml | 14 ++++++--------
 2 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
index 57fb1c1..9bf283a 100644
--- a/.github/workflows/cd.yaml
+++ b/.github/workflows/cd.yaml
@@ -22,12 +22,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repo
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: ci/setup-buildx
- uses: docker/setup-buildx-action@15c905b16b06416d2086efa066dd8e3a35cc7f98 # v2.4.0
- with:
- version: v0.7.1
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
 - name: cd/docker-push
 run: make push-image
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b08dff2..285d6b2 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
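Review bot: The `ci/scan-docker-security` step added in the `@@ -67,5 +67,14 @@` hunk of PATCH 1/2 cannot block anything: with `fail-build: false`, a critical finding that has a fix available is only printed as a table in the job log, and the following `ci/docker-push-pr` step still runs. Once the baseline is clean, `fail-build: true` (keeping `severity-cutoff: critical`) would turn the scan into a gate; until then, `output-format: sarif` with an upload to code scanning would keep findings visible outside the log. Separately, `image: "mattermost/node-rotator"` carries no tag and no build step is visible before the scan in this hunk, so the step may be scanning a previously published image rather than the one built from this PR. That is worth confirming against the Makefile; if so, point the input at the tag the job actually builds, e.g. `image: "mattermost/node-rotator:<tag built in this job>"`.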
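Review bot: Dropping `with:` / `version: v0.7.1` from `ci/setup-buildx` in the cd.yaml hunk (`@@ -22,12 +22,11 @@`) is a behaviour change that the commit title "bump all actions" does not mention. The action stays pinned by SHA, but the buildx binary it sets up is no longer pinned, and in cd.yaml that toolchain presumably builds the image that `make push-image` publishes. If the pin was removed because v0.7.1 does not work with v4.0.0 of the action, say so in the commit message and consider pinning a current release instead, `version: <current buildx release>`, so release builds stay reproducible. The same removal appears in the last ci.yaml hunk (`@@ -58,14 +58,12 @@`).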
@@ -19,12 +19,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repo
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Setup Go
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+ uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
 with:
 go-version: "1.19"
 cache: true
@@ -36,12 +36,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repo
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Setup Go
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+ uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
 with:
 go-version: "1.19"
 cache: true
@@ -58,14 +58,12 @@ jobs:
 needs: [lint, test]
 steps:
 - name: Checkout repo
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: ci/setup-buildx
- uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
- with:
- version: v0.7.1
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: ci/scan-docker-security
 uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2