chore: update CI workflows versions#79

Open
mwirikia wants to merge 3 commits into
mainfrom
KEH-2326_zizmor_update

Conversation

@mwirikia mwirikia commented Jun 9, 2026

What type of PR is this? (check all applicable)

  • Refactor
  • Feature
  • Bug Fix
  • Optimization
  • Documentation Update

What

Update CI workflows versions to fixed hashes for consistency and upgrade MegaLinter to version 9.5.0 to leverage the latest features and improvements. No new tests or documentation are necessary as these changes are related to configuration updates.

Testing

Have any new tests been added as part of this issue? If not, try to explain why test coverage is not needed here.

  • Yes
  • No
    Please write a brief description of why test coverage is not necessary here.
  • Not as part of this ticket. (Could be done at a later point)

Documentation

Has any new documentation been written as part of this issue? We should try to keep documentation up to date as new code is added, rather than leaving it for the future.

  • Yes
  • No
    Please write a brief description of why documentation is not necessary here.
  • Not as part of this ticket. (Could be done at a later point)

Related issues

Provide links to any related issues.

How to review

Describe the steps required to test the changes.

github-actions Bot commented Jun 9, 2026

MegaLinter analysis: Error

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ❌ ACTION | zizmor | 3 | | 22 | 0 | 1.53s |
| ⚠️ BASH | bash-exec | 6 | | 4 | 0 | 0.02s |
| ✅ BASH | shellcheck | 6 | | 0 | 0 | 0.14s |
| ✅ BASH | shfmt | 6 | | 0 | 0 | 0.02s |
| ✅ CSHARP | csharpier | 1 | | 0 | 0 | 0.42s |
| ✅ DOCKERFILE | hadolint | 1 | | 0 | 0 | 0.1s |
| ✅ JSON | jsonlint | 2 | | 0 | 0 | 0.1s |
| ✅ JSON | prettier | 2 | | 0 | 0 | 0.28s |
| ✅ JSON | v8r | 2 | | 0 | 0 | 3.13s |
| ✅ MARKDOWN | markdownlint | 6 | | 0 | 0 | 2.13s |
| ✅ REPOSITORY | checkov | yes | | no | no | 26.66s |
| ✅ REPOSITORY | dustilock | yes | | no | no | 0.1s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 15.25s |
| ✅ REPOSITORY | grype | yes | | no | no | 61.15s |
| ❌ REPOSITORY | kingfisher | yes | | 1 | no | 11.32s |
| ❌ REPOSITORY | osv-scanner | yes | | 3 | no | 0.75s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 1.07s |
| ✅ REPOSITORY | syft | yes | | no | no | 3.36s |
| ✅ REPOSITORY | trivy | yes | | no | no | 9.86s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.39s |
| ✅ TERRAFORM | terraform-fmt | 6 | | 0 | 0 | 0.4s |
| ❌ YAML | prettier | 8 | | 1 | 2 | 0.45s |
| ✅ YAML | v8r | 8 | | 0 | 0 | 7.95s |
| ❌ YAML | yamllint | 8 | | 4 | 0 | 0.58s |

Detailed Issues

❌ REPOSITORY / kingfisher - 1 error
New Kingfisher release 1.102.0 available
 INFO kingfisher: Launching with 8 concurrent scan jobs. Use --num-jobs to override.
 INFO kingfisher::rule_loader: Loaded 921 rules
 INFO kingfisher::scanner::runner: Starting secret validation phase...
URI WITH USERNAME AND SECRET => [KINGFISHER.URI.1]
 |Finding.......: [REDACTED:5e5aaa11]
 |Fingerprint...: 8556787628595224833
 |Confidence....: medium
 |Entropy.......: 4.31
 |Validation....: Not Attempted
 |Language......: Shell
 |Line Num......: 25
 |Path..........: ./concourse/scripts/terraform_infra.sh


==========================================
Scan Summary:
==========================================
 |Findings....................: 1
 |__Successful Validations....: 0
 |__Failed Validations........: 0
 |__Skipped Validations.......: 0
 |Rules Applied...............: 921
 |__Blobs Scanned.............: 106
 |Bytes Scanned...............: 4.16 MiB
 |Scan Duration...............: 127ms 588us 487ns
 |Scan Date...................: 2026-06-09 11:53:02 +00:00
 |Kingfisher Version..........: 1.99.0
 |__Latest Version............: 1.102.0
New Kingfisher release 1.102.0 available
❌ REPOSITORY / osv-scanner - 3 errors
Scanning dir .
Starting filesystem walk for root: /
Scanned poetry.lock file and found 61 packages
End status: 35 dirs visited, 117 inodes visited, 1 Extract calls, 29.561775ms elapsed, 29.562025ms wall time

Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 2 Medium, 1 Low, 0 Unknown) from 1 ecosystem.
3 vulnerabilities can be fixed.

+-------------------------------------+------+-----------+--------------------+---------+---------------+-------------+
| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE            | VERSION | FIXED VERSION | SOURCE      |
+-------------------------------------+------+-----------+--------------------+---------+---------------+-------------+
| https://osv.dev/GHSA-5239-wwwm-4pmq | 3.3  | PyPI      | pygments (dev)     | 2.19.2  | 2.20.0        | poetry.lock |
| https://osv.dev/GHSA-62q4-447f-wv8h | 4.3  | PyPI      | pymdown-extensions | 10.16.1 | 10.21.3       | poetry.lock |
| https://osv.dev/GHSA-6w46-j5rx-g56g | 6.8  | PyPI      | pytest (dev)       | 8.4.1   | 9.0.3         | poetry.lock |
+-------------------------------------+------+-----------+--------------------+---------+---------------+-------------+
❌ YAML / prettier - 1 error
Checking formatting...
[warn] .github/workflows/ci.yml
[warn] Code style issues found in the above file. Run Prettier with --write to fix.
❌ YAML / yamllint - 4 errors
.checkov.yml
  25:4      warning  missing starting space in comment  (comments)

.github/workflows/ci.yml
  27:13     error    wrong indentation: expected 10 but found 12  (indentation)

.github/workflows/deploy_mkdocs.yml
  4:1       warning  truthy value should be one of [false, true]  (truthy)

concourse/ci.yml
  33:3      warning  comment not indented like content  (comments-indentation)
❌ ACTION / zizmor - 22 errors
INFO zizmor: 🌈 zizmor v1.25.0
 INFO audit: zizmor: 🌈 completed .github/workflows/ci.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/deploy_mkdocs.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/megalinter.yml
info[template-injection]: code injection via template expansion
   --> .github/workflows/megalinter.yml:163:33
    |
162 |         run: |
    |         --- this run block
163 |           echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}"
    |                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> .github/workflows/megalinter.yml:164:30
    |
162 |         run: |
    |         --- this run block
163 |           echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}"
164 |           echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}"
    |                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

22 findings (20 suppressed, 2 unsafe fixes): 2 informational, 0 low, 0 medium, 0 high
⚠️ BASH / bash-exec - 4 errors
Results of bash-exec linter (version 5.3.3)
See documentation on https://megalinter.io/9.5.0/descriptors/bash_bash_exec/
-----------------------------------------------

❌ [ERROR] concourse/scripts/assume_role.sh
    Error: File:[concourse/scripts/assume_role.sh] is not executable

✅ [SUCCESS] concourse/scripts/build_image.sh
✅ [SUCCESS] concourse/scripts/set_pipeline.sh
❌ [ERROR] concourse/scripts/terraform_infra.sh
    Error: File:[concourse/scripts/terraform_infra.sh] is not executable

❌ [ERROR] shell_scripts/md_fix.sh
    Error: File:[shell_scripts/md_fix.sh] is not executable

❌ [ERROR] shell_scripts/md_lint.sh
    Error: File:[shell_scripts/md_lint.sh] is not executable

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.5.0 --custom-flavor-setup --custom-flavor-linters ACTION_ZIZMOR,BASH_EXEC,BASH_SHELLCHECK,BASH_SHFMT,CSHARP_CSHARPIER,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,REPOSITORY_CHECKOV,REPOSITORY_DUSTILOCK,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_OSV_SCANNER,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_KINGFISHER,TERRAFORM_TERRAFORM_FMT,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository
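The two zizmor `template-injection` findings above both come from the same root cause: GitHub Actions substitutes `${{ ... }}` expressions into the `run` script textually, before the shell parses it, so whatever the expression expands to is interpreted as shell source rather than as data. The following is an added illustration, not code from this PR, the project, or MegaLinter: it simulates that expansion in plain POSIX sh with a constructed value, shows the unsafe `echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}"` form executing an embedded command substitution, and shows the env-var form (the shape of zizmor's auto-fix) leaving the same value inert. The `PR_URL` variable name and the sample URL are assumptions of the example. The values in this workflow are step outputs rather than raw event fields such as a PR title, which is consistent with the Low confidence zizmor reports, but the env-var form costs nothing and removes the question entirely.

```shell
#!/bin/sh
# Added example (not from the PR or project): simulate how a GitHub Actions
# `run` block is affected by ${{ ... }} expansion. The expression is spliced
# into the script text before the shell sees it, so the shell then evaluates
# whatever the value contained.

# Unsafe pattern, equivalent to:
#   run: echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}"
# The value is pasted into the script source, then the script is executed.
run_unsafe() {
    value=$1
    script="echo \"PR URL - ${value}\""   # textual expansion, as the runner does it
    sh -c "$script" 2>/dev/null
}

# Hardened pattern, equivalent to:
#   env:
#     PR_URL: ${{ steps.cpr.outputs.pull-request-url }}   # assumed variable name
#   run: echo "PR URL - $PR_URL"
# The value reaches the shell only through the environment, i.e. as data; the
# script text never changes, so no shell syntax in the value is ever parsed.
run_hardened() {
    PR_URL="$1" sh -c 'echo "PR URL - $PR_URL"' 2>/dev/null
}

# Returns 0 if the unsafe form let the value execute code, 1 otherwise.
# Uses a constructed marker payload; a real attacker would choose something
# quieter than an echo.
injection_executed() {
    out=$(run_unsafe "$1")
    case $out in
        *INJECTED*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demonstration when run directly. Both values are constructed for the example.
benign='https://github.com/example/repo/pull/79'
hostile='$(echo INJECTED)'
printf 'benign  unsafe:   %s\n'  "$(run_unsafe   "$benign")"
printf 'benign  hardened: %s\n'  "$(run_hardened "$benign")"
printf 'hostile unsafe:   %s\n'  "$(run_unsafe   "$hostile")"
printf 'hostile hardened: %s\n'  "$(run_hardened "$hostile")"
```

The benign URL prints identically under both forms, which is why this class of bug survives review: nothing looks wrong until a value carries shell syntax. Under `run_unsafe` the hostile value prints `PR URL - INJECTED`, proving the embedded `$(...)` ran; under `run_hardened` it prints the literal `$(echo INJECTED)`. The same env-var rewrite applies to the `pull-request-number` line at `megalinter.yml:163`.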
