From: romeroalx <alexis.romero@open-xchange.com>
Date: Wed, 18 Mar 2026 10:18:42 +0000 (+0100)
Subject: gh actions: upgrade actions to the most recent version
X-Git-Tag: auth-5.1.0-beta1~133^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=961aba0bd1f5370bbedcb53798ed63fa0c7d462d;p=thirdparty%2Fpdns.git

gh actions: upgrade actions to the most recent version
---

diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml
index a0f0d3521e..f7f8703937 100644
--- a/.github/actions/cache/action.yml
+++ b/.github/actions/cache/action.yml
@@ -20,7 +20,7 @@ runs:
       run: mkdir -p ~/.ccache
       working-directory: .
     - name: let GitHub cache our ccache data
-      uses: actions/cache@v4
+      uses: actions/cache@v5
       with:
         path: ~/.ccache
         key: ${{ inputs.cache-key-base }}-${{ steps.get-stamp.outputs.stamp }}
diff --git a/.github/workflows/build-and-test-all.yml b/.github/workflows/build-and-test-all.yml
index 9662f2b0f2..5085227adb 100644
--- a/.github/workflows/build-and-test-all.yml
+++ b/.github/workflows/build-and-test-all.yml
@@ -70,7 +70,7 @@ jobs:
       run:
         working-directory: ./pdns-${{ env.BUILDER_VERSION }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
@@ -126,7 +126,7 @@ jobs:
           mkdir -p /opt/pdns-auth/sbin; mv /opt/pdns-auth/bin/pdns_server /opt/pdns-auth/sbin/
       - if: ${{ matrix.builder == 'meson' }}
         name: Store the binaries
-        uses: actions/upload-artifact@v5 # this takes 30 seconds, maybe we want to tar
+        uses: actions/upload-artifact@v7 # this takes 30 seconds, maybe we want to tar
         with:
           name: pdns-auth-${{ matrix.builder}}-${{ env.normalized-branch-name }}
           path: /opt/pdns-auth
@@ -159,7 +159,7 @@ jobs:
       run:
         working-directory: ./pdns/recursordist/pdns-recursor-${{ env.BUILDER_VERSION }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
@@ -203,7 +203,7 @@ jobs:
         if: ${{ matrix.builder == 'meson' }}
       - if: ${{ matrix.builder == 'meson' }}
         name: Store the binaries
-        uses: actions/upload-artifact@v5 # this takes 30 seconds, maybe we want to tar
+        uses: actions/upload-artifact@v7 # this takes 30 seconds, maybe we want to tar
         with:
           name: pdns-recursor-${{ matrix.features }}-${{ matrix.sanitizers }}-${{ matrix.builder}}-${{ env.normalized-branch-name }}
           path: /opt/pdns-recursor
@@ -241,7 +241,7 @@ jobs:
       run:
         working-directory: ./pdns/dnsdistdist/dnsdist-${{ env.BUILDER_VERSION }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
@@ -305,7 +305,7 @@ jobs:
           for i in $(find . -maxdepth 1 -type f -executable); do cp ${i} /opt/dnsdist/bin/; done
       - name: Store the binaries
         if: ${{ matrix.builder == 'meson' }}
-        uses: actions/upload-artifact@v5 # this takes 30 seconds, maybe we want to tar
+        uses: actions/upload-artifact@v7 # this takes 30 seconds, maybe we want to tar
         with:
           name: dnsdist-${{ matrix.features }}-${{ matrix.sanitizers }}-${{ matrix.builder}}${{ matrix.architecture_suffix }}-${{ env.normalized-branch-name }}
           path: /opt/dnsdist
@@ -350,7 +350,7 @@ jobs:
         options: >-
           --restart always
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
@@ -360,7 +360,7 @@ jobs:
         uses: ./.github/actions/problem-matchers
       - uses: ./.github/actions/normalize-branch-name
       - name: Fetch the binaries
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           name: pdns-auth-meson-${{ env.normalized-branch-name }}
           path: /opt/pdns-auth
@@ -485,7 +485,7 @@ jobs:
         options: >-
           --restart always
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
@@ -495,7 +495,7 @@ jobs:
         uses: ./.github/actions/problem-matchers
       - uses: ./.github/actions/normalize-branch-name
       - name: Fetch the binaries
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           name: pdns-auth-meson-${{ env.normalized-branch-name }}
           path: /opt/pdns-auth
@@ -533,7 +533,7 @@ jobs:
         ASAN_OPTIONS: detect_leaks=0
       options: --sysctl net.ipv6.conf.all.disable_ipv6=0
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
@@ -543,7 +543,7 @@ jobs:
         uses: ./.github/actions/problem-matchers
       - uses: ./.github/actions/normalize-branch-name
       - name: Fetch the binaries
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           name: pdns-auth-meson-${{ env.normalized-branch-name }}
           path: /opt/pdns-auth
@@ -586,7 +586,7 @@ jobs:
         TSAN_OPTIONS: "halt_on_error=1:suppressions=${{ env.REPO_HOME }}/pdns/recursordist/recursor-tsan.supp"
       options: --sysctl net.ipv6.conf.all.disable_ipv6=0
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
@@ -596,7 +596,7 @@ jobs:
         uses: ./.github/actions/problem-matchers
       - uses: ./.github/actions/normalize-branch-name
       - name: Fetch the binaries
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           name: pdns-recursor-full-${{ matrix.sanitizers }}-meson-${{ env.normalized-branch-name }}
           path: /opt/pdns-recursor
@@ -643,7 +643,7 @@ jobs:
       options: --sysctl net.ipv6.conf.all.disable_ipv6=0
     steps:
       # - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
@@ -653,7 +653,7 @@ jobs:
       - name: add problem matchers
         uses: ./.github/actions/problem-matchers
       - name: Fetch the binaries
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           name: pdns-recursor-full-${{ matrix.sanitizers }}-meson-${{ env.normalized-branch-name }}
           path: /opt/pdns-recursor
@@ -701,7 +701,7 @@ jobs:
         TSAN_OPTIONS: "halt_on_error=1:suppressions=${{ env.REPO_HOME }}/pdns/recursordist/recursor-tsan.supp"
       options: --sysctl net.ipv6.conf.all.disable_ipv6=0
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
@@ -711,7 +711,7 @@ jobs:
         uses: ./.github/actions/problem-matchers
       - uses: ./.github/actions/normalize-branch-name
       - name: Fetch the binaries
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           name: pdns-recursor-full-${{ matrix.sanitizers }}-meson-${{ env.normalized-branch-name }}
           path: /opt/pdns-recursor
@@ -750,7 +750,7 @@ jobs:
         shards: [1024]
         IPv6: [0, 1]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
@@ -760,7 +760,7 @@ jobs:
         uses: ./.github/actions/problem-matchers
       - uses: ./.github/actions/normalize-branch-name
       - name: Fetch the binaries
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           name: pdns-recursor-full-${{ matrix.sanitizers }}-meson-${{ env.normalized-branch-name }}
           path: /opt/pdns-recursor
@@ -811,7 +811,7 @@ jobs:
         COVERAGE: no
       options: --sysctl net.ipv6.conf.all.disable_ipv6=0 --privileged
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
@@ -821,7 +821,7 @@ jobs:
         uses: ./.github/actions/problem-matchers
       - uses: ./.github/actions/normalize-branch-name
       - name: Fetch the binaries
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           name: dnsdist-full-${{ matrix.sanitizers }}-meson-${{ env.normalized-branch-name }}
           path: /opt/dnsdist
@@ -853,7 +853,7 @@ jobs:
       image: "${{ needs.get-runner-container-image.outputs.id }}:${{ needs.get-runner-container-image.outputs.tag }}"
       options: --sysctl net.ipv6.conf.all.disable_ipv6=0
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
@@ -898,7 +898,7 @@ jobs:
         run: "sudo apt-get update && sudo apt-get install jq jc"
       - name: Fail job if any of the previous jobs failed
         run: "for i in `echo ${NEEDS} | jq -r '.[].result'`; do if [[ $i == 'failure' ]]; then echo ${NEEDS}; exit 1; fi; done;"
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
index f9f1e2ed82..e7e305b1ee 100644
--- a/.github/workflows/build-docker-images.yml
+++ b/.github/workflows/build-docker-images.yml
@@ -60,7 +60,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           submodules: recursive
@@ -104,30 +104,30 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           submodules: recursive
           ref: ${{ inputs.ref }}
           persist-credentials: false
       - name: Set up Docker Buildx for multi-platform builds
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
       - name: Login to Docker Hub
         if: ${{ inputs.push }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Docker image metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME || 'powerdns' }}/${{ inputs.image-name }}
       - name: Build and load powerdns product images
         id: build-image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           file: Dockerfile-${{ inputs.product }}
@@ -139,7 +139,7 @@ jobs:
           outputs: type=image,push-by-digest=true,name-canonical=true
       - name: Update repo description
         if: ${{ inputs.push }}
-        uses: peter-evans/dockerhub-description@v4
+        uses: peter-evans/dockerhub-description@v5
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -155,7 +155,7 @@ jobs:
           # generate suffix for digest file
           echo "PLATFORM_PAIR=${ARCH//\//-}" >> $GITHUB_ENV
       - name: Upload digest
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: digests-${{ inputs.product }}-${{ env.PLATFORM_PAIR }}
           path: ${{ runner.temp }}/digests/*
@@ -178,24 +178,24 @@ jobs:
       IMAGE_NAME: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${{ inputs.image-name }}
     steps:
       - name: Install cosign
-        uses: sigstore/cosign-installer@v3.7.0
+        uses: sigstore/cosign-installer@v4.1.0
       - name: Download digests
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-${{ inputs.product }}-*
           merge-multiple: true
       - name: Login to Docker Hub
         if: ${{ inputs.push }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: ${{ env.IMAGE_NAME }}
           tags: ${{ inputs.image-tags }}
diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml
index 484a04e436..aa711cfcda 100644
--- a/.github/workflows/build-packages.yml
+++ b/.github/workflows/build-packages.yml
@@ -80,7 +80,7 @@ jobs:
       # but, as this whole workflow needs at least 30 minutes to run, I prefer spending a few seconds here
       # so that the command remains readable, because jo is simpler to use.
       - run: sudo apt-get update && sudo apt-get -y install jo
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 1
           submodules: recursive
@@ -146,7 +146,7 @@ jobs:
       PRODUCT: ${{ inputs.product }}
       OS: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0 # for correct version numbers
           submodules: recursive
@@ -180,7 +180,7 @@ jobs:
           TARGET_ARCH: ${{ steps.getarch.outputs.target-arch }}
         run: for f in $(ls ./built_pkgs/*/*/*-${OS}.tar.bz2 | sed 's/\.tar.bz2$//'); do mv $f.tar.bz2 $f-${TARGET_ARCH}.tar.bz2; done
       - name: Upload packages as GH artifacts
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: ${{ inputs.product }}-${{ matrix.os }}-${{ steps.getversion.outputs.version }}-${{ steps.getarch.outputs.target-arch }}
           path: built_pkgs/
@@ -257,7 +257,7 @@ jobs:
       actions: read   # To read the workflow path.
       id-token: write # To sign the provenance.
       contents: write # To be able to upload assets as release artifacts
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
     with:
       base64-subjects: "${{ needs.build.outputs[format('pkghashes-{0}-{1}', matrix.os, matrix.architecture)] }}"
       upload-assets: false
@@ -271,7 +271,7 @@ jobs:
       actions: read   # To read the workflow path.
       id-token: write # To sign the provenance.
       contents: write # To be able to upload assets as release artifacts
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
     with:
       base64-subjects: "${{ needs.build.outputs.srchashes }}"
       upload-assets: false
@@ -289,12 +289,12 @@ jobs:
     steps:
       - name: Download source tarball provenance for ${{ inputs.product }} (${{ inputs.ref }})
         id: download-src-provenance
-        uses: actions/download-artifact@v4 # be careful, this needs to match what https://github.com/slsa-framework/slsa-github-generator is using
+        uses: actions/download-artifact@v8
         with:
           name: "${{ inputs.product }}-${{ needs.build.outputs.version }}-src.intoto.jsonl"
       - name: Download provenance for ${{ inputs.product }} (${{ inputs.ref }}) for ${{ matrix.os }}
         id: download-provenance
-        uses: actions/download-artifact@v4 # be careful, this needs to match what https://github.com/slsa-framework/slsa-github-generator is using
+        uses: actions/download-artifact@v8
         with:
           name: "${{ inputs.product }}-${{ needs.build.outputs.version }}-${{ matrix.os }}-${{ matrix.architecture }}.intoto.jsonl"
       - name: Upload provenance artifacts to downloads.powerdns.com
@@ -340,12 +340,12 @@ jobs:
     outputs:
       check-finished: ${{ steps.check-finished.outputs.completed }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 1
           persist-credentials: false
       - name: Download packages
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           pattern: "${{ inputs.product }}-${{ matrix.os }}-${{ needs.build.outputs.version }}-${{ matrix.architecture }}"
           path: "${{ runner.temp }}/files"
@@ -410,12 +410,12 @@ jobs:
       PRODUCT: ${{ needs.build.outputs.product-name }}
       VERSION: ${{ needs.build.outputs.version }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 1
           persist-credentials: false
       - name: Download packages
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           pattern: "${{ inputs.product }}-${{ matrix.os }}-${{ env.VERSION }}-${{ matrix.architecture }}"
           path: "${{ runner.temp }}/files"
@@ -449,12 +449,12 @@ jobs:
       PRODUCT: ${{ needs.build.outputs.product-name }}
       VERSION: ${{ needs.build.outputs.version }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 1
           persist-credentials: false
       - name: Download provenance files
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           pattern: "${{ inputs.product }}-${{ env.VERSION }}-*.intoto.jsonl"
           path: "${{ runner.temp }}/files"
@@ -463,7 +463,7 @@ jobs:
         run: |
           echo "OS=$(echo ${OSLIST} | awk '{print $1}')" >> $GITHUB_ENV
       - name: Download a package artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           pattern: "${{ inputs.product }}-${{ env.OS }}-${{ env.VERSION }}-x86_64"
           path: "${{ runner.temp }}/files"
@@ -495,7 +495,7 @@ jobs:
     outputs:
       check-finished: ${{ steps.check-finished.outputs.completed }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 1
           persist-credentials: false
@@ -543,7 +543,7 @@ jobs:
       SHORTVERSION: ${{ needs.build.outputs.shortversion }}
       DEBIAN_FRONTEND: noninteractive
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 1
           persist-credentials: false
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
index 596c934e48..f4e70b465a 100644
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -41,7 +41,7 @@ jobs:
         runner-os: ${{ fromJson(needs.prepare.outputs.runnerlist )}}
       fail-fast: false
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0  # for correct version numbers
           submodules: recursive
@@ -58,7 +58,7 @@ jobs:
           echo "target-arch=$(uname -m)" >> $GITHUB_OUTPUT
         id: getarch
       - name: Upload packages
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: ${{ matrix.product }}-${{ matrix.os }}-${{ steps.getversion.outputs.version }}-${{ steps.getarch.outputs.target-arch }}
           path: built_pkgs/
diff --git a/.github/workflows/check-rust-dependencies-on-pr.yml b/.github/workflows/check-rust-dependencies-on-pr.yml
index 7771db21c3..1696f261e8 100644
--- a/.github/workflows/check-rust-dependencies-on-pr.yml
+++ b/.github/workflows/check-rust-dependencies-on-pr.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Rust dependencies check
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 1
           submodules: recursive
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8abc12222e..f3275a24d9 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -62,7 +62,7 @@ jobs:
     steps:
     - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -285,7 +285,7 @@ jobs:
     if: ${{ github.event_name == 'pull_request' }}
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
       with:
         fetch-depth: 2
         persist-credentials: false
@@ -297,7 +297,7 @@ jobs:
     if: ${{ github.event_name == 'pull_request' }}
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
       with:
         fetch-depth: 0
         persist-credentials: false
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index e25e49b1d3..1fe11fe6ab 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -32,7 +32,7 @@ jobs:
       UNIT_TESTS: no
     steps:
       - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
@@ -63,7 +63,7 @@ jobs:
       REPO_HOME: ${{ github.workspace }}
     steps:
       - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
@@ -107,7 +107,7 @@ jobs:
       CARGO_USE_DEV: 1
     steps:
       - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
diff --git a/.github/workflows/daily-rust-audit.yml b/.github/workflows/daily-rust-audit.yml
index b77880b2bb..92d553d844 100644
--- a/.github/workflows/daily-rust-audit.yml
+++ b/.github/workflows/daily-rust-audit.yml
@@ -23,7 +23,7 @@ jobs:
           - rel/rec-5.1.x
       fail-fast: false
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 1
           submodules: recursive
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 8595cdd6a5..215b35c926 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -47,7 +47,7 @@ jobs:
       pdns_version: ${{ steps.get-version.outputs.pdns_version }}
     steps:
       - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
       - uses: actions/setup-python@v6
@@ -68,12 +68,12 @@ jobs:
         working-directory: ./docs/_build
       - run: tar cf auth-html-docs.tar auth-html-docs
         working-directory: ./docs/_build
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@v7
         with:
           name: authoritative-html-docs-${{steps.get-version.outputs.pdns_version}}
           path: ./docs/_build/auth-html-docs.tar
       - run: inv ci-docs-build-pdf
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@v7
         with:
           name: PowerDNS-Authoritative-${{steps.get-version.outputs.pdns_version}}.pdf
           path: ./docs/_build/latex/PowerDNS-Authoritative.pdf
@@ -91,13 +91,13 @@ jobs:
         working-directory: ./pdns/recursordist/docs/_build
       - run: tar cf rec-html-docs.tar rec-html-docs
         working-directory: ./pdns/recursordist/docs/_build
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@v7
         with:
           name: recursor-html-docs-${{steps.get-version.outputs.pdns_version}}
           path: ./pdns/recursordist/docs/_build/rec-html-docs.tar
       - run: inv ci-docs-build-pdf
         working-directory: ./pdns/recursordist
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@v7
         with:
           name: PowerDNS-Recursor-${{steps.get-version.outputs.pdns_version}}.pdf
           path: ./pdns/recursordist/docs/_build/latex/PowerDNS-Recursor.pdf
@@ -114,13 +114,13 @@ jobs:
         working-directory: ./pdns/dnsdistdist/docs/_build
       - run: tar cf dnsdist-html-docs.tar dnsdist-html-docs
         working-directory: ./pdns/dnsdistdist/docs/_build
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@v7
         with:
           name: dnsdist-html-docs-${{steps.get-version.outputs.pdns_version}}
           path: ./pdns/dnsdistdist/docs/_build/dnsdist-html-docs.tar
       - run: inv ci-docs-build-pdf
         working-directory: ./pdns/dnsdistdist
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@v7
         with:
           name: dnsdist-${{steps.get-version.outputs.pdns_version}}.pdf
           path: ./pdns/dnsdistdist/docs/_build/latex/dnsdist.pdf
@@ -132,7 +132,7 @@ jobs:
       - name: Build website
         run: |
           tar cf website.tar website
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@v7
         with:
           name: website-${{steps.get-version.outputs.pdns_version}}
           path: website.tar
@@ -163,11 +163,11 @@ jobs:
             exit 1
           fi
       - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
       - run: build-scripts/gh-actions-setup-inv-no-dist-upgrade
-      - uses: actions/download-artifact@v6
+      - uses: actions/download-artifact@v8
         with:
           path: artifacts
       - id: setup-ssh
@@ -218,10 +218,10 @@ jobs:
             echo "Error: The following secrets/variables are missing: ${missing_secrets[*]}"
             exit 1
           fi
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
-      - uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@v6
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -239,7 +239,7 @@ jobs:
           region = $AWS_REGION
           EOF
       - name: Download artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           path: artifacts
       - name: Publish to AWS
diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
index baad58721e..5337a18675 100644
--- a/.github/workflows/formatting.yml
+++ b/.github/workflows/formatting.yml
@@ -14,7 +14,7 @@ jobs:
     # on an ubuntu-24.04 VM
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 30532f7d30..7a688f49ed 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -8,7 +8,7 @@ jobs:
   Fuzzing:
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 5
         submodules: recursive
@@ -26,7 +26,7 @@ jobs:
         fuzz-seconds: 600
         dry-run: false
     - name: Upload Crash
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v7
       if: failure()
       with:
         name: artifacts
diff --git a/.github/workflows/misc-dailies.yml b/.github/workflows/misc-dailies.yml
index d5916fd05e..9e57d7430e 100644
--- a/.github/workflows/misc-dailies.yml
+++ b/.github/workflows/misc-dailies.yml
@@ -31,7 +31,7 @@ jobs:
     if: ${{ vars.SCHEDULED_MISC_DAILIES }}
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 5
         submodules: recursive
@@ -80,7 +80,7 @@ jobs:
         IPv6: [0, 1]
       max-parallel: 1
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
diff --git a/.github/workflows/secpoll.yml b/.github/workflows/secpoll.yml
index 9854a088b5..961d48d428 100644
--- a/.github/workflows/secpoll.yml
+++ b/.github/workflows/secpoll.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 5
           submodules: recursive
diff --git a/.github/workflows/verify-pinned-python-packages.yml b/.github/workflows/verify-pinned-python-packages.yml
index d04bf96427..36251b7ca8 100644
--- a/.github/workflows/verify-pinned-python-packages.yml
+++ b/.github/workflows/verify-pinned-python-packages.yml
@@ -35,7 +35,7 @@ jobs:
     outputs:
       req-files: ${{ steps.get-list-requirements.outputs.files }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
       - name: Get all requirements.txt files and export them as outputs
@@ -66,7 +66,7 @@ jobs:
     steps:
       - run: echo "${REQUIREMENTS_FILE}"
       - uses: PowerDNS/pdns/set-ubuntu-mirror@meta
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           persist-credentials: false
       - name: add problem matchers