adorsys · forkimenjeckayang · May 28, 2025 · May 28, 2025 · May 28, 2025 · May 16, 2025
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -47,6 +47,6 @@
 
 /themes/                                                    @keycloak/ui-maintainers @keycloak/maintainers
 /js/                                                        @keycloak/ui-maintainers
-/js/**/maven-resources-community/**/messages_*.properties   @keycloak/ui-maintainers @keycloak/maintainers
+/js/**/messages_*.properties                                @keycloak/ui-maintainers @keycloak/maintainers
 /adapters/oidc/js/                                          @keycloak/ui-maintainers
 /rest/admin-ui-ext/                                         @keycloak/ui-maintainers
diff --git a/.github/actions/archive-surefire-reports/action.yml b/.github/actions/archive-surefire-reports/action.yml
@@ -37,7 +37,7 @@ runs:
     - id: upload-surefire-linux
       name: Upload Surefire reports
       if: (!cancelled() && contains(fromJSON(inputs.release-branches), github.ref) && contains(fromJSON('["push", "workflow_dispatch"]'), github.event_name))
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: surefire-${{ inputs.job-id }}
         path: |

diff --git a/.github/actions/build-keycloak/action.yml b/.github/actions/build-keycloak/action.yml
@@ -49,7 +49,7 @@ runs:
     - id: upload-keycloak-maven-repository
       name: Upload Keycloak Maven artifacts
       if: inputs.upload-m2-repo == 'true'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: m2-keycloak.tzts
         path: m2-keycloak.tzts
@@ -58,7 +58,7 @@ runs:
     - id: upload-keycloak-dist
       name: Upload Keycloak dist
       if: inputs.upload-dist == 'true'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: keycloak-dist
         path: quarkus/dist/target/keycloak*.tar.gz

diff --git a/.github/actions/conditional/conditions b/.github/actions/conditional/conditions
@@ -36,6 +36,7 @@ docs/documentation/                         documentation
 js/                                         js
 rest/admin-ui-ext/                          js
 services/                                   js
+themes/                                     js
 js/apps/account-ui/                         ci ci-webauthn
 js/libs/ui-shared/                          ci ci-webauthn
 

diff --git a/.github/actions/integration-test-setup/action.yml b/.github/actions/integration-test-setup/action.yml
@@ -35,7 +35,7 @@ runs:
 
     - id: download-keycloak
       name: Download Keycloak Maven artifacts
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: m2-keycloak.tzts
 

diff --git a/.github/actions/java-setup/action.yml b/.github/actions/java-setup/action.yml
@@ -16,7 +16,7 @@ runs:
   steps:
     - id: setup-java
       name: Setup Java
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
       with:
         distribution: ${{ inputs.distribution }}
         java-version: ${{ inputs.java-version }}
diff --git a/.github/actions/maven-cache/action.yml b/.github/actions/maven-cache/action.yml
@@ -19,7 +19,7 @@ runs:
 
     - id: cache-maven-repository
       name: Maven cache
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       if: inputs.create-cache-if-it-doesnt-exist == 'true'
       with:
         # Two asterisks are needed to make the follow-up exclusion work
@@ -39,12 +39,14 @@ runs:
       # On Windows, the .m2 folder is in different location, so move all the contents to the right folder here.
       # Also, not using the C: drive will speed up the build, see https://github.com/actions/runner-images/issues/8755
       run: |
-        mkdir -p ../../../.m2/repository
+        mkdir -p ..\..\..\.m2
+        mkdir -p D:\.m2\repository
         cmd /c mklink /d $HOME\.m2\repository D:\.m2\repository
+        cmd /c mklink /d $PWD\..\..\..\.m2\repository D:\.m2\repository
 
     - id: restore-maven-repository
       name: Maven cache
-      uses: actions/cache/restore@v4
+      uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       if: inputs.create-cache-if-it-doesnt-exist == 'false'
       with:
         # This needs to repeat the same path pattern as above to find the matching cache

diff --git a/.github/actions/node-cache/action.yml b/.github/actions/node-cache/action.yml
@@ -12,7 +12,7 @@ runs:
         echo "pnpm=$(cat js/pom.xml | grep '<pnpm.version>' | cut -d '>' -f 2 | cut -d '<' -f 1 | cut -c 1-)" >> $GITHUB_OUTPUT
 
     # Downloading Node.js often fails due to network issues, therefore we cache the artifacts downloaded by the frontend plugin.
-    - uses: actions/cache@v4
+    - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       id: cache-binaries
       name: Cache Node.js and PNPM binaries
       with:

diff --git a/.github/actions/pnpm-setup/action.yml b/.github/actions/pnpm-setup/action.yml
@@ -11,7 +11,7 @@ runs:
   using: composite
   steps:
     - name: Set up Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: ${{ inputs.node-version }}
         check-latest: true

diff --git a/.github/actions/pnpm-store-cache/action.yml b/.github/actions/pnpm-store-cache/action.yml
@@ -9,7 +9,7 @@ runs:
       shell: bash
       run: echo "key=pnpm-store-`date -u "+%Y-%U"`" >> $GITHUB_OUTPUT
 
-    - uses: actions/cache@v4
+    - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
       name: Cache PNPM store
       with:
         # See: https://pnpm.io/npmrc#store-dir

diff --git a/.github/actions/upload-flaky-tests/action.yml b/.github/actions/upload-flaky-tests/action.yml
@@ -47,9 +47,9 @@ runs:
           echo "EOF" >> $GITHUB_OUTPUT
         fi
 
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       if: ${{ steps.flaky-tests.outputs.flakes }}
       with:
         name: flaky-tests-${{ github.job }}-${{ join(matrix.*, '-') }}
         path: ${{ steps.flaky-tests.outputs.flakes }}
-        if-no-files-found: error
+        if-no-files-found: error
diff --git a/.github/actions/upload-heapdumps/action.yml b/.github/actions/upload-heapdumps/action.yml
@@ -8,7 +8,7 @@ runs:
       name: Upload JVM Heapdumps
       # Windows runners are running into https://github.com/actions/upload-artifact/issues/240
       if: runner.os != 'Windows'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: jvm-heap-dumps
         path: |

diff --git a/.github/mvn-rel-settings.xml b/.github/mvn-rel-settings.xml
diff --git a/.github/workflows/aurora-delete.yml b/.github/workflows/aurora-delete.yml
@@ -20,7 +20,7 @@ jobs:
     name: Delete Aurora DB
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Initialize AWS client
         run: |