chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/setup-node	action	minor	v6.3.0 → v6.4.0
aquasecurity/trivy		minor	0.69.3 → 0.70.0
astral-sh/setup-uv	action	minor	v8.0.0 → v8.1.0
github/codeql-action	action	patch	v4.35.1 → v4.35.2
step-security/harden-runner	action	minor	v2.17.0 → v2.19.0
zizmor (source)		patch	1.24.0 → 1.24.1

---

Release Notes

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

aquasecurity/trivy (aquasecurity/trivy)

v0.70.0

Compare Source

⚡ Highlights ⚡

👉 https://redirect.github.com/aquasecurity/trivy/discussions/10546

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0700-2026-04-16

astral-sh/setup-uv (astral-sh/setup-uv)

v8.1.0: 🌈 New input no-project

Compare Source

Changes

This add the a new boolean input no-project.
It only makes sense to use in combination with activate-environment: true and will append --no project to the uv venv call. This is for example useful if you have a pyproject.toml file with parts unparseable by uv

🚀 Enhancements

• Add input no-project in combination with activate-environment @​eifinger (#​856)

🧰 Maintenance

• fix: grant contents:write to validate-release job @​eifinger (#​860)
• Add a release-gate step to the release workflow @​zanieb (#​859)
• Draft commitish releases @​eifinger (#​858)
• Add action-types.yml to instructions @​eifinger (#​857)
• chore: update known checksums for 0.11.7 @​github-actions[bot] (#​853)
• Refactor version resolving @​eifinger (#​852)
• chore: update known checksums for 0.11.6 @​github-actions[bot] (#​850)
• chore: update known checksums for 0.11.5 @​github-actions[bot] (#​845)
• chore: update known checksums for 0.11.4 @​github-actions[bot] (#​843)
• Add a release workflow @​zanieb (#​839)
• chore: update known checksums for 0.11.3 @​github-actions[bot] (#​836)

📚 Documentation

• Update ignore-nothing-to-cache documentation @​eifinger (#​833)
• Pin setup-uv docs to v8 @​eifinger (#​829)

⬆️ Dependency updates

• chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 @​dependabot[bot] (#​855)

github/codeql-action (github/codeql-action)

v4.35.2

Compare Source

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #​3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #​3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #​3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #​3807
• Update default CodeQL bundle version to 2.25.2. #​3823

step-security/harden-runner (step-security/harden-runner)

v2.19.0

Compare Source

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

• Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
• System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

Compare Source

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

zizmorcore/zizmor (zizmor)

v1.24.1

Compare Source

Bug Fixes 🐛🔗

• Fixed a bug where the ref-version-mismatch audit would incorrectly flag some version comments as not containing an appropriate version (#​1900)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

✅MegaLinter analysis: Success

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	4		0	0	0.16s
✅ COPYPASTE	jscpd	yes		no	no	1.35s
✅ DOCKERFILE	hadolint	1		0	0	0.11s
✅ JSON	jsonlint	3		0	0	0.13s
✅ JSON	prettier	3		0	0	0.62s
✅ JSON	v8r	3		0	0	2.67s
✅ MARKDOWN	markdownlint	1		0	0	0.58s
✅ MARKDOWN	markdown-table-formatter	1		0	0	0.27s
✅ PYTHON	bandit	1		0	0	2.29s
✅ PYTHON	black	1		0	0	0.92s
✅ PYTHON	flake8	1		0	0	0.58s
✅ PYTHON	isort	1		0	0	0.23s
✅ PYTHON	mypy	1		0	0	4.04s
✅ PYTHON	pylint	1		0	0	3.33s
✅ PYTHON	pyright	1		0	0	1.88s
✅ PYTHON	ruff	1		0	0	0.03s
✅ REPOSITORY	checkov	yes		no	no	24.44s
✅ REPOSITORY	dustilock	yes		no	no	0.02s
✅ REPOSITORY	gitleaks	yes		no	no	0.31s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	44.23s
✅ REPOSITORY	kics	yes		no	no	3.22s
✅ REPOSITORY	kingfisher	yes		no	no	5.23s
✅ REPOSITORY	secretlint	yes		no	no	1.42s
✅ REPOSITORY	syft	yes		no	no	2.29s
✅ REPOSITORY	trivy	yes		no	no	11.78s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.2s
✅ REPOSITORY	trufflehog	yes		no	no	4.46s
✅ YAML	prettier	6		0	0	0.65s
✅ YAML	v8r	6		0	0	6.24s
✅ YAML	yamllint	6		0	0	0.63s

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,REPOSITORY_KINGFISHER,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-without-test-image:pr-240 (debian 13.4)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow:pr-240 (debian 13.4)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-with-fixed-image-tags:v1.2.3-beta.123 (debian 13.4)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

🎉 This PR is included in version 1.11.27 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀