Upgrade GitHub Actions to latest versions (#2346)

## Summary

Upgrade GitHub Actions to their latest versions for improved features,
bug fixes, and security updates.

## Changes

| Action | Old Version(s) | New Version | Release | Files |
|--------|---------------|-------------|---------|-------|
| `aws-actions/configure-aws-credentials` |
[`v1`](https://github.com/aws-actions/configure-aws-credentials/releases/tag/v1),
[`v4.1.0`](https://github.com/aws-actions/configure-aws-credentials/releases/tag/v4.1.0)
|
[`v5.1.1`](https://github.com/aws-actions/configure-aws-credentials/releases/tag/v5.1.1)
|
[Release](https://github.com/aws-actions/configure-aws-credentials/releases/tag/v5)
| publish.yml, release.yml |
| `docker/build-push-action` |
[`v3`](https://github.com/docker/build-push-action/releases/tag/v3) |
[`v6`](https://github.com/docker/build-push-action/releases/tag/v6) |
[Release](https://github.com/docker/build-push-action/releases/tag/v6) |
publish.yml |
| `docker/login-action` |
[`v2`](https://github.com/docker/login-action/releases/tag/v2) |
[`v3`](https://github.com/docker/login-action/releases/tag/v3) |
[Release](https://github.com/docker/login-action/releases/tag/v3) |
publish.yml |
| `docker/metadata-action` |
[`v4`](https://github.com/docker/metadata-action/releases/tag/v4) |
[`v5`](https://github.com/docker/metadata-action/releases/tag/v5) |
[Release](https://github.com/docker/metadata-action/releases/tag/v5) |
publish.yml |
| `docker/setup-buildx-action` |
[`v2`](https://github.com/docker/setup-buildx-action/releases/tag/v2) |
[`v3`](https://github.com/docker/setup-buildx-action/releases/tag/v3) |
[Release](https://github.com/docker/setup-buildx-action/releases/tag/v3)
| publish.yml |
| `docker/setup-qemu-action` |
[`v2`](https://github.com/docker/setup-qemu-action/releases/tag/v2) |
[`v3`](https://github.com/docker/setup-qemu-action/releases/tag/v3) |
[Release](https://github.com/docker/setup-qemu-action/releases/tag/v3) |
publish.yml |

## Why upgrade?

Keeping GitHub Actions up to date ensures:
- **Security**: Latest security patches and fixes
- **Features**: Access to new functionality and improvements
- **Compatibility**: Better support for current GitHub features
- **Performance**: Optimizations and efficiency improvements

### Security Note

Actions that were previously pinned to commit SHAs remain pinned to SHAs
(updated to the latest release SHA) to maintain the security benefits of
immutable references.

### Testing

These changes only affect CI/CD workflow configurations and should not
impact application functionality. The workflows should be tested by
running them on a branch before merging.

Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>

Author: salmanmkc

.github/workflows/publish.yml

@@ -24,7 +24,7 @@ jobs:
         uses: actions/checkout@v6
 
       - id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: |
             supabase/gotrue
@@ -42,7 +42,7 @@ jobs:
           tags: |
             type=raw,value=v${{ inputs.version }},enable=true
 
-      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-qemu-action@v3
         with:
           platforms: amd64,arm64
 
@@ -53,46 +53,46 @@ jobs:
 
           sed -i 's/RELEASE_VERSION=unspecified/RELEASE_VERSION=${{ inputs.version }}/' Dockerfile
 
-      - uses: docker/setup-buildx-action@v2
+      - uses: docker/setup-buildx-action@v3
 
       - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: configure aws credentials - prod
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v5
         with:
           role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
           aws-region: us-east-1
       - name: Login to ECR
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: public.ecr.aws
       - name: Login to ECR account - prod
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: 646182064048.dkr.ecr.us-east-1.amazonaws.com
 
       - name: configure aws credentials - staging
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v5
         with:
           role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
           aws-region: us-east-1
       - name: Login to ECR account - staging
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: 436098097459.dkr.ecr.us-east-1.amazonaws.com
 
       - name: Login to GHCR
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: docker/build-push-action@v3
+      - uses: docker/build-push-action@v6
         with:
           context: . # IMPORTANT: Dockerfile is modified above to include the release version. Don't remove this line: https://github.com/docker/build-push-action?tab=readme-ov-file#git-context
           push: true

.github/workflows/release.yml

@@ -135,14 +135,14 @@ jobs:
 
       - name: GitHub OIDC Auth
         if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }}
-        uses: aws-actions/configure-aws-credentials@v4.1.0
+        uses: aws-actions/configure-aws-credentials@v5.1.1
         with:
           aws-region: ap-southeast-1
           role-to-assume: arn:aws:iam::${{ secrets.SHARED_SERVICES_AWS_ACCOUNT_ID }}:role/supabase-github-oidc-role
           role-session-name: shared-services-jump
 
       - name: Assume destination role
-        uses: aws-actions/configure-aws-credentials@v4.1.0
+        uses: aws-actions/configure-aws-credentials@v5.1.1
         if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }}
         with:
           aws-region: ap-southeast-1