Fix Dependabot PRs failing due to missing secrets

.github/workflows/binary_provenance.yml

@@ -34,7 +34,7 @@ jobs:
             matrix:
                 artifact: ${{fromJson(inputs.artifacts)}}
         steps:
-        - uses: actions/checkout@v4
+        - uses: actions/checkout@v6
 
         - uses: actions/download-artifact@v4
           with:

.github/workflows/daily-cli-tests.yml

@@ -11,7 +11,7 @@ jobs:
     outputs:
       trail_name: ${{ steps.prep.outputs.trail_name }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Prepare
         id: prep

.github/workflows/docker.yml

@@ -21,6 +21,10 @@ on:
       kosli_org:
         required: true
         type: string
+      checkout_ref:
+        required: false
+        type: string
+        default: ''
     secrets:
       slack_channel:
         required: true
@@ -50,9 +54,10 @@ jobs:
       packages: write
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 3
+        ref: ${{ inputs.checkout_ref || github.sha }}
 
     - uses: actions/setup-go@v5
       with:

.github/workflows/helm-chart.yml

@@ -23,7 +23,7 @@ jobs:
           app-id: ${{ vars.CI_SIGNED_COMMIT_APP_ID }}
           private-key: ${{ secrets.CI_SIGNED_COMMIT_APP_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           token: ${{ steps.generate_token.outputs.token }}
           fetch-depth: 0

.github/workflows/init_kosli.yml

@@ -15,6 +15,10 @@ on:
           kosli_org:
             required: true
             type: string
+          checkout_ref:
+            required: false
+            type: string
+            default: ''
         secrets:        
             kosli_api_token:
                 required: true
@@ -31,9 +35,10 @@ jobs:
             pull-requests: read
         steps:
 
-        - uses: actions/checkout@v4
+        - uses: actions/checkout@v6
           with:
             fetch-depth: 0
+            ref: ${{ inputs.checkout_ref || github.sha }}
 
         - name: setup-kosli-cli
           uses: kosli-dev/setup-cli-action@v2

.github/workflows/main.yml

@@ -2,34 +2,46 @@ name: Main
 
 on:
   push:
-    branches:
-      - "**"
+    branches-ignore:
+      - "dependabot/**"
+  pull_request_target:
+    types: [opened, synchronize, reopened]
 
 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 
 jobs:
   pre-build:
+    if: github.event_name == 'push' || github.actor == 'dependabot[bot]'
     runs-on: ubuntu-latest
     outputs:
       tag: ${{ steps.prep.outputs.tag }}
       trail_name: ${{ steps.prep.outputs.trail_name }}
       trail_template_file: ${{ steps.prep.outputs.trail_template_file }}
+      checkout_ref: ${{ steps.prep.outputs.checkout_ref }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
       - name: Prepare
         id: prep
         run: |
-          TAG=$(echo $GITHUB_SHA | head -c7)
+          if [ "${{ github.event_name }}" == "pull_request_target" ]; then
+            SHA=${{ github.event.pull_request.head.sha }}
+          else
+            SHA=$GITHUB_SHA
+          fi
+          TAG=$(echo $SHA | head -c7)
           echo "TAG=${TAG}" >> ${GITHUB_ENV}
           echo "tag=$TAG" >> $GITHUB_OUTPUT
+          echo "checkout_ref=$SHA" >> $GITHUB_OUTPUT
 
           if [ "${GITHUB_REF}" == refs/tags/* ]; then
             TRAIL_NAME=${GITHUB_REF##refs/tags/}
             TRAIL_TEMPLATE_FILE=release-flow-template.yml
           else
-            TRAIL_NAME=$(echo $GITHUB_SHA | head -c 7)
+            TRAIL_NAME=$(echo $SHA | head -c 7)
             TRAIL_TEMPLATE_FILE=main-flow-template.yml
           fi
           echo "TRAIL_NAME=${TRAIL_NAME}" >> $GITHUB_ENV
@@ -46,6 +58,7 @@ jobs:
       TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }}
       FLOW_TEMPLATE_FILE: ${{ needs.pre-build.outputs.trail_template_file }}
       KOSLI_ORG: kosli-public
+      checkout_ref: ${{ needs.pre-build.outputs.checkout_ref }}
     secrets:
       kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }}
       pr_github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -59,6 +72,7 @@ jobs:
       FLOW_NAME: cli
       TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }}
       KOSLI_ORG: kosli-public
+      checkout_ref: ${{ needs.pre-build.outputs.checkout_ref }}
     secrets:
       github_access_token: ${{ secrets.KOSLI_GITHUB_TOKEN }}
       gitlab_access_token: ${{ secrets.KOSLI_GITLAB_TOKEN }}
@@ -83,6 +97,7 @@ jobs:
       flow_name: cli
       trail_name: ${{ needs.pre-build.outputs.trail_name }}
       kosli_org: kosli-public
+      checkout_ref: ${{ needs.pre-build.outputs.checkout_ref }}
     secrets:
       slack_webhook: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }}
       slack_channel: ci-failures

.github/workflows/never_alone_trail.yml

@@ -40,7 +40,7 @@ jobs:
             pull-requests: read
         steps:
 
-        - uses: actions/checkout@v4
+        - uses: actions/checkout@v6
           with:
             fetch-depth: 0
 

.github/workflows/publish_branch_docs.yml

@@ -10,7 +10,7 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Generate json
         run: |

.github/workflows/publish_docs.yml

@@ -14,7 +14,7 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       # Deploy to local repo
       - name: Deploy

.github/workflows/release.yml

@@ -19,7 +19,7 @@ jobs:
       trail_name: ${{ steps.prep.outputs.trail_name }}
       trail_template_file: ${{ steps.prep.outputs.trail_template_file }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Get tag
         id: tag
@@ -111,7 +111,7 @@ jobs:
       artifacts: ${{ steps.prepare-artifacts-list.outputs.artifacts }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -200,7 +200,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0 # needed to be able to generate legacy versions reference.
 

.github/workflows/test.yml

@@ -30,6 +30,10 @@ on:
         required: false
         type: boolean
         default: true
+      checkout_ref:
+        required: false
+        type: string
+        default: ''
     secrets:
       slack_channel:
         required: true
@@ -69,8 +73,10 @@ jobs:
       contents: write
     steps:
 
-    - uses: actions/checkout@v4
-
+    - uses: actions/checkout@v6
+      with:
+        ref: ${{ inputs.checkout_ref || github.sha }}
+
     - uses: actions/setup-go@v5
       with:
         go-version: '1.25.0'
@@ -80,7 +86,7 @@ jobs:
       with:
         version:
           ${{ vars.KOSLI_CLI_VERSION }}
-    
+
     - name: Run golangci-lint
       id: lint
       uses: golangci/golangci-lint-action@v9
@@ -107,9 +113,10 @@ jobs:
       contents: write
     steps:
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0 # needed for some tests referencing older commits
+        ref: ${{ inputs.checkout_ref || github.sha }}
 
     - uses: actions/setup-go@v5
       with:
@@ -176,7 +183,9 @@ jobs:
       contents: write
     steps:
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
+      with:
+        ref: ${{ inputs.checkout_ref || github.sha }}
 
     - name: setup Snyk
       uses: snyk/actions/setup@master
@@ -213,7 +222,9 @@ jobs:
       contents: write
     steps:
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
+      with:
+        ref: ${{ inputs.checkout_ref || github.sha }}
 
     - name: setup Snyk
       uses: snyk/actions/setup@master

.github/workflows/upload-cli-layer.yml

@@ -20,7 +20,7 @@ jobs:
       id-token: write
       contents: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4