chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/dependency-review-action	action	patch	v4.8.0 -> v4.8.1
aquasecurity/trivy		patch	0.67.0 -> 0.67.2
docker.io/library/python	final	minor	3.13.7-slim -> 3.14.0-slim
github/codeql-action	action	patch	v3.30.6 -> v3.30.8
oxsecurity/megalinter	action	minor	v9.0.1 -> v9.1.0
softprops/action-gh-release	action	minor	v2.3.4 -> v2.4.1

---

Release Notes

actions/dependency-review-action (actions/dependency-review-action)

v4.8.1: Dependency Review Action v4.8.1

Compare Source

What's Changed

• (bug) Fix spamming link test in deprecation warning (again) by @​ahpook in #​1000
• Bump version for 4.8.1 release by @​ahpook in #​1001

Full Changelog: actions/dependency-review-action@v4...v4.8.1

aquasecurity/trivy (aquasecurity/trivy)

v0.67.2

Compare Source

Changelog

• 60c57ad release: v0.67.2 [release/v0.67] (#​9639)
• f3ee80c fix: Use fetch-level: 1 to check out trivy-repo in the release workflow [backport: release/v0.67] (#​9638)

v0.67.1

Compare Source

Changelog

• cbed239 release: v0.67.1 [release/v0.67] (#​9614)
• 1a84093 fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#​9631)
• 3bc1490 fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#​9629)
• 542eee7 fix: add buildInfo for BlobInfo in rpc package [backport: release/v0.67] (#​9615)
• f65dd05 fix(vex): don't use reused BOM [backport: release/v0.67] (#​9612)

github/codeql-action (github/codeql-action)

v3.30.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.8 - 10 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.7 - 06 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

oxsecurity/megalinter (oxsecurity/megalinter)

v9.1.0

Compare Source

• New linters

  • Add Robocop linter, by @​bdovaz in #​6232

• Linters enhancements

  • Python Linting: Added more file type supports for various linters. Full description here

• Doc

  • Add OLLAMA_BASE_URL is MegaLinter config Json schema

• Flavors

  • Custom flavors: Add workflow to automate detection of new MegaLinter versions and generation of new Custom Flavor

• CI

  • Fix v9 release issue + mark hardcoded versions to upgrade at each new major release.

• Linter versions upgrades (22)

  • ansible-lint from 25.9.0 to 25.9.1
  • bicep_linter from 0.37.4 to 0.38.33
  • cfn-lint from 1.39.1 to 1.40.0
  • checkstyle from 11.0.1 to 11.1.0
  • clj-kondo from 2025.09.19 to 2025.09.22
  • golangci-lint from 2.4.0 to 2.5.0
  • hadolint from 2.13.1 to 2.14.0
  • isort from 6.0.1 to 6.1.0
  • kics from 2.1.13 to 2.1.14
  • npm-groovy-lint from 15.2.1 to 15.2.2
  • php-cs-fixer from 3.87.2 to 3.88.2
  • phpstan from 2.1.28 to 2.1.30
  • pylint from 3.3.8 to 3.3.9
  • pyright from 1.1.405 to 1.1.406
  • robocop from 6.7.0 to 6.7.2
  • rubocop from 1.80.2 to 1.81.1
  • ruff-format from 0.13.1 to 0.13.3
  • ruff from 0.13.1 to 0.13.3
  • snakemake from 9.11.4 to 9.11.9
  • terraform-fmt from 1.13.2 to 1.13.3
  • terragrunt from 0.87.2 to 0.88.1
  • trivy from 0.66.0 to 0.67.0

softprops/action-gh-release (softprops/action-gh-release)

v2.4.1

Compare Source

What's Changed

Other Changes 🔄

• fix(util): support brace expansion globs containing commas in parseInputFiles by @​Copilot in #​672
• fix: gracefully fallback to body when body_path cannot be read by @​Copilot in #​671

Full Changelog: softprops/action-gh-release@v2...v2.4.1

v2.4.0

Compare Source

What's Changed

Exciting New Features 🎉

• feat(action): respect working_directory for files globs by @​stephenway in #​667

Other Changes 🔄

• chore(deps): bump the npm group with 2 updates by @​dependabot[bot] in #​668

Full Changelog: softprops/action-gh-release@v2.3.4...v2.4.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow:pr-197 (debian 13.1)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-with-fixed-image-tags:v1.2.3-beta.123 (debian 13.1)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-without-test-image:pr-197 (debian 13.1)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	4		0	0	0.12s
✅ COPYPASTE	jscpd	yes		no	no	1.33s
✅ DOCKERFILE	hadolint	1		0	0	0.05s
✅ JSON	jsonlint	3		0	0	0.16s
⚠️ JSON	prettier	3		1	0	0.37s
✅ JSON	v8r	3		0	0	3.57s
✅ MARKDOWN	markdownlint	1		0	0	0.43s
✅ MARKDOWN	markdown-table-formatter	1		0	0	0.26s
✅ PYTHON	bandit	1		0	0	1.98s
✅ PYTHON	black	1		0	0	0.93s
✅ PYTHON	flake8	1		0	0	0.7s
✅ PYTHON	isort	1		0	0	0.25s
✅ PYTHON	mypy	1		0	0	3.49s
✅ PYTHON	pylint	1		0	0	2.99s
✅ PYTHON	pyright	1		0	0	1.64s
✅ PYTHON	ruff	1		0	0	0.03s
✅ REPOSITORY	dustilock	yes		no	no	0.02s
✅ REPOSITORY	gitleaks	yes		no	no	0.35s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	30.72s
✅ REPOSITORY	kics	yes		no	no	3.64s
✅ REPOSITORY	secretlint	yes		no	no	1.61s
✅ REPOSITORY	syft	yes		no	no	2.35s
✅ REPOSITORY	trivy	yes		no	no	10.08s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.1s
✅ REPOSITORY	trufflehog	yes		no	no	4.23s
✅ YAML	prettier	6		0	0	0.68s
✅ YAML	v8r	6		0	0	6.22s
✅ YAML	yamllint	6		0	0	0.62s

Detailed Issues

⚠️ JSON / prettier - 1 error

Checking formatting...
[warn] .renovaterc.json
[warn] Code style issues found in the above file. Run Prettier with --write to fix.

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.1.0 --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

[github-actions]

🎉 This PR is included in version 1.10.63 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀