ci: fix vendored dependabot PRs

[BridgeAR]

The main issue is AFAIK the Node.js version being used. This is now aligned with the installment of the bundle job.

That is done in a secure way where we use least privileges possible.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.16%. Comparing base (66ea7a3) to head (1f619aa).
⚠️ Report is 7 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #7306      +/-   ##
==========================================
+ Coverage   86.11%   86.16%   +0.04%     
==========================================
  Files         512      513       +1     
  Lines       22108    22147      +39     
==========================================
+ Hits        19039    19082      +43     
+ Misses       3069     3065       -4     

Flag	Coverage Δ
aiguard-macos	99.09% <ø> (ø)
aiguard-ubuntu	99.09% <ø> (ø)
aiguard-windows	99.09% <ø> (ø)
apm-capabilities-tracing-macos	58.13% <ø> (+0.09%)	⬆️
apm-capabilities-tracing-ubuntu	58.12% <ø> (+0.09%)	⬆️
apm-capabilities-tracing-windows	57.74% <ø> (+0.08%)	⬆️
apm-integrations-child-process	99.19% <ø> (ø)
apm-integrations-couchbase-18	100.00% <ø> (ø)
apm-integrations-couchbase-eol	100.00% <ø> (ø)
appsec-express	62.46% <ø> (ø)
appsec-fastify	58.48% <ø> (ø)
appsec-graphql	53.41% <ø> (ø)
appsec-kafka	43.98% <ø> (ø)
appsec-ldapjs	46.04% <ø> (ø)
appsec-lodash	47.29% <ø> (ø)
appsec-macos	93.74% <ø> (ø)
appsec-mongodb-core	51.82% <ø> (ø)
appsec-mongoose	50.73% <ø> (ø)
appsec-mysql	54.20% <ø> (ø)
appsec-node-serialize	43.92% <ø> (ø)
appsec-passport	48.10% <ø> (ø)
appsec-postgres	54.55% <ø> (ø)
appsec-sourcing	33.80% <ø> (ø)
appsec-template	43.92% <ø> (ø)
appsec-ubuntu	93.74% <ø> (ø)
appsec-windows	93.74% <ø> (ø)
llmobs-ai	55.32% <ø> (ø)
llmobs-anthropic	45.46% <ø> (ø)
llmobs-bedrock	42.83% <ø> (ø)
llmobs-google-genai	48.73% <ø> (ø)
llmobs-langchain	52.31% <ø> (ø)
llmobs-openai	55.50% <ø> (ø)
llmobs-vertex-ai	47.46% <ø> (ø)
platform-core	87.23% <ø> (ø)
platform-instrumentations-misc	73.68% <ø> (ø)
platform-shimmer	98.82% <ø> (ø)
platform-unit-guardrails	89.47% <ø> (ø)
profiling-macos	70.74% <ø> (ø)
profiling-ubuntu	70.74% <ø> (ø)
profiling-windows	74.18% <ø> (-1.00%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Overall package size

Self size: 4.44 MB
Deduped: 5.26 MB
No deduping: 5.26 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | import-in-the-middle | 2.0.0 | 68.46 kB | 797.03 kB | | dc-polyfill | 0.1.10 | 26.73 kB | 26.73 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

[pr-commenter]

Benchmarks

Benchmark execution time: 2026-01-22 13:06:03

Comparing candidate commit 1f619aa in PR branch BridgeAR/2026-01-22-fix-dependabot-further with baseline commit 66ea7a3 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 232 metrics, 28 unstable metrics.

[rochdev]

LGTM, but would like another review from @KSerrania as well on the security side.

[KSerrania]

Minor: I see that you switched to using a dd-octo-sts token to push the commit now. Therefore, I don't think you need this contents: write permission anymore.

[BridgeAR]

I believe it would just be a fallback