@renovate renovate bot commented Sep 15, 2025

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/create-github-app-token | action | patch | v2.1.1 -> v2.1.4 |
| actions/dependency-review-action | action | minor | v4.7.3 -> v4.8.0 |
| astral-sh/setup-uv | action | minor | v6.6.1 -> v6.7.0 |
| github/codeql-action | action | patch | v3.30.1 -> v3.30.5 |
| gradle/actions | action | patch | v4.4.2 -> v4.4.3 |
| sigstore/cosign-installer | action | minor | v3.9.2 -> v3.10.0 |
| step-security/harden-runner | action | patch | v2.13.0 -> v2.13.1 |
| zizmor | | minor | 1.12.1 -> 1.14.1 |

Release Notes

actions/create-github-app-token (actions/create-github-app-token)

v2.1.4

Bug Fixes

v2.1.3

Bug Fixes
  • deps: bump undici from 7.8.0 to 7.10.0 in the production-dependencies group (#254) (f3d5ec2)

v2.1.2

Bug Fixes

actions/dependency-review-action (actions/dependency-review-action)

v4.8.0

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4...v4.8.0

v4.7.4

astral-sh/setup-uv (astral-sh/setup-uv)

v6.7.0: 🌈 New inputs restore-cache and save-cache

Changes

This release adds fine-grained control over the caching steps.

  • The input restore-cache (true by default) can be set to false to skip restoring the cache while still allowing the cache to be saved.
  • The input save-cache (true by default) can be set to false to skip saving the cache.

Skipping cache saving can be useful if you know that you will never use this version of the cache again and don't want to waste storage space:

- name: Save cache only on main branch
  uses: astral-sh/setup-uv@v6
  with:
    enable-cache: true
    save-cache: ${{ github.ref == 'refs/heads/main' }}

🚀 Enhancements

🧰 Maintenance

⬆️ Dependency updates

github/codeql-action (github/codeql-action)

v3.30.5

v3.30.4

v3.30.3

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.3 - 10 Sep 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.2

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.2 - 09 Sep 2025

  • Fixed a bug which could cause language autodetection to fail. #3084
  • Experimental: The quality-queries input that was added in 3.29.2 as part of an internal experiment is now deprecated and will be removed in an upcoming version of the CodeQL Action. It has been superseded by a new analysis-kinds input, which is part of the same internal experiment. Do not use this in production as it is subject to change at any time. #3064

See the full CHANGELOG.md for more information.

gradle/actions (gradle/actions)

v4.4.3

What's Changed

Full Changelog: gradle/actions@v4.4.2...v4.4.3

sigstore/cosign-installer (sigstore/cosign-installer)

v3.10.0

What's Changed

  • Bump default Cosign to v2.6.0 in #200

Full Changelog: sigstore/cosign-installer@v3.9.2...v3.10.0

step-security/harden-runner (step-security/harden-runner)

v2.13.1

What's Changed
  • Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.

  • Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.

  • Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.

Full Changelog: step-security/harden-runner@v2.13.0...v2.13.1


Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions bot commented Sep 15, 2025

🦙 MegaLinter status: ⚠️ WARNING

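| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 4 | | 0 | 0 | 0.08s |
| ✅ COPYPASTE | jscpd | yes | | no | no | 1.14s |
| ✅ DOCKERFILE | hadolint | 1 | | 0 | 0 | 0.46s |
| ✅ JSON | jsonlint | 3 | | 0 | 0 | 0.28s |
| ⚠️ JSON | prettier | 3 | | 1 | 0 | 0.46s |
| ✅ JSON | v8r | 3 | | 0 | 0 | 3.32s |
| ✅ MARKDOWN | markdownlint | 1 | | 0 | 0 | 0.4s |
| ✅ MARKDOWN | markdown-link-check | 1 | | 0 | 0 | 0.57s |
| ✅ MARKDOWN | markdown-table-formatter | 1 | | 0 | 0 | 0.23s |
| ✅ PYTHON | bandit | 1 | | 0 | 0 | 2.18s |
| ✅ PYTHON | black | 1 | | 0 | 0 | 0.65s |
| ✅ PYTHON | flake8 | 1 | | 0 | 0 | 0.6s |
| ✅ PYTHON | isort | 1 | | 0 | 0 | 0.22s |
| ✅ PYTHON | mypy | 1 | | 0 | 0 | 3.3s |
| ✅ PYTHON | pylint | 1 | | 0 | 0 | 2.42s |
| ✅ PYTHON | pyright | 1 | | 0 | 0 | 1.52s |
| ✅ PYTHON | ruff | 1 | | 0 | 0 | 0.04s |
| ✅ REPOSITORY | checkov | yes | | no | no | 21.66s |
| ✅ REPOSITORY | dustilock | yes | | no | no | 0.02s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.27s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.01s |
| ✅ REPOSITORY | grype | yes | | no | no | 35.73s |
| ✅ REPOSITORY | kics | yes | | no | no | 3.47s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 1.37s |
| ✅ REPOSITORY | syft | yes | | no | no | 2.76s |
| ✅ REPOSITORY | trivy | yes | | no | no | 9.71s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.1s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 4.0s |
| ✅ YAML | prettier | 6 | | 0 | 0 | 0.76s |
| ✅ YAML | v8r | 6 | | 0 | 0 | 4.74s |
| ✅ YAML | yamllint | 6 | | 0 | 0 | 0.61s |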

See detailed report in MegaLinter reports

You could have same capabilities but better runtime performances if you request a new MegaLinter flavor.

MegaLinter is graciously provided by OX Security

@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 1fc0020 to e2f9205 Compare September 15, 2025 04:32
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 4 times, most recently from df9edc6 to 58b9cb0 Compare September 26, 2025 16:55
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 58b9cb0 to a0c9df0 Compare September 26, 2025 21:13

renovate bot commented Sep 27, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@github-actions

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-with-fixed-image-tags:v1.2.3-beta.123 (debian 13.1)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

@github-actions

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-without-test-image:pr-190 (debian 13.1)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

@github-actions

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow:pr-190 (debian 13.1)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

@chgl chgl merged commit aefddee into master Sep 27, 2025
40 checks passed
@github-actions

🎉 This PR is included in version 1.10.59 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@chgl chgl deleted the renovate/all-minor-patch branch September 27, 2025 14:02