
SONARJAVA-6299 Unpin SonarSource GitHub actions#5589

Merged
alban-auzeill merged 1 commit into master from tt/unpin-sonar-gha on Apr 29, 2026

Conversation

@tomasz-tylenda-sonarsource
Contributor

No description provided.

@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot changed the title Unpin SonarSource GitHub actions SONARJAVA-6299 Unpin SonarSource GitHub actions Apr 29, 2026

sonar-review-alpha Bot commented Apr 29, 2026

Summary

This PR unpins the SonarSource/vault-action-wrapper action across two workflow files (build.yml and dogfood.yml) by replacing pinned commit SHAs with the v3 semantic version tag.

Changes:

  • .github/workflows/build.yml: Two instances changed from pinned SHAs (320bd31... @ v3.1.0 and c154b4a... @ v3.4.0) to v3
  • .github/workflows/dogfood.yml: One instance changed from pinned SHA (c154b4a... @ v3.4.0) to v3

This allows the action maintainers to automatically ship bugfixes and security updates without requiring manual SHA updates.

What reviewers should know

What to check:

  • Verify that v3 is a stable/supported version tag for SonarSource/vault-action-wrapper (not pre-release or deprecated)
  • Confirm the action's release policy: does the maintainer responsibly update v3 with only backward-compatible fixes, or does it include breaking changes?
  • Check if there were specific reasons the commits were pinned originally (search git history or issues if available)

Context:

  • Three workflow files were modified, all with the same action type
  • Version comments in the old code indicate these were previously at v3.1.0 and v3.4.0, so v3 should cover both
  • This is a dependency management change with minimal risk if the maintainer follows semantic versioning properly



hashicorp-vault-sonar-prod Bot commented Apr 29, 2026

SONARJAVA-6299

@sonar-review-alpha sonar-review-alpha Bot left a comment


LGTM! ✅

Clean consistency fix. Looking at the full build.yml, the sanity, test-analyze, custom-rules-license-check, and autoscan jobs were already using SonarSource/vault-action-wrapper@v3 without SHA pinning — so the ruling-qa and plugin-qa jobs were the last two holdouts. This PR brings them in line with the rest.

The repo follows a clear policy: SonarSource-owned actions use semantic version tags (vault-action-wrapper@v3, ci-github-actions/build-maven@v1, gh-action_dogfood_merge@v1), while third-party actions are pinned to SHAs (actions/checkout, jdx/mise-action, slackapi/slack-github-action). This change is consistent with that policy.

The two pinned SHA instances in build.yml were also at different versions (v3.1.0 vs the rest of the file being on v3), so this also resolves a version drift.

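As an added illustration (not code from the repository or from this PR), a small Python check that applies the pinning policy described in the review above (SonarSource-owned actions float on a version tag, third-party actions are pinned to a full commit SHA with a version comment) and also reports version drift, where one file references the same action at different refs. The owner set, the sample workflow text and its SHA values are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Owners whose actions may float on a version tag (constructed; the PR names SonarSource).
OWNED_ACTION_OWNERS = {"sonarsource"}
# Matches "uses: owner/repo@ref" plus an optional trailing "# version" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)(?:\s*#\s*(\S+))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

@dataclass
class Finding:
    action: str
    ref: str
    kind: str   # "sha" (40-hex commit) or "tag" (anything else)
    ok: bool
    reason: str

def check_workflow(text: str) -> list[Finding]:
    """Apply the pinning policy to every `uses:` step in one workflow file."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:  # local (./path) and docker:// steps carry no @ref and are skipped
            continue
        action, ref, version_comment = m.groups()
        kind = "sha" if FULL_SHA_RE.match(ref) else "tag"
        if action.split("/")[0].lower() in OWNED_ACTION_OWNERS:
            ok = kind == "tag"
            reason = "owned action should reference a version tag, not a pinned SHA"
        else:
            ok = kind == "sha" and version_comment is not None
            reason = "third-party action must be pinned to a full SHA with a version comment"
        findings.append(Finding(action, ref, kind, ok, "" if ok else reason))
    return findings

def find_drift(findings: list[Finding]) -> dict[str, set[str]]:
    """Actions referenced at more than one ref in the same file (the v3.1.0 vs v3 case)."""
    refs = {}
    for f in findings:
        refs.setdefault(f.action, set()).add(f.ref)
    return {a: r for a, r in refs.items() if len(r) > 1}

# Constructed sample workflow fragment; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: SonarSource/vault-action-wrapper@89abcdef0123456789abcdef0123456789abcdef # 3.1.0
      - uses: SonarSource/vault-action-wrapper@v3
      - uses: jdx/mise-action@v2
"""
```

Running `check_workflow(SAMPLE_WORKFLOW)` flags the SHA-pinned owned action and the tag-only third-party action, and `find_drift` reports the wrapper referenced at two refs.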

@alban-auzeill alban-auzeill merged commit b8ca5d7 into master Apr 29, 2026
18 checks passed
@alban-auzeill alban-auzeill deleted the tt/unpin-sonar-gha branch April 29, 2026 15:41
