chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
github/codeql-action	action	patch	v4.35.2 → v4.35.3
step-security/harden-runner	action	patch	v2.19.0 → v2.19.1

---

Release Notes

github/codeql-action (github/codeql-action)

v4.35.3

Compare Source

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #​3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #​3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #​3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #​3852
• Update default CodeQL bundle version to 2.25.3. #​3865

step-security/harden-runner (step-security/harden-runner)

v2.19.1

Compare Source

What's Changed

• fix: detect ubuntu-slim runners early and bail out by @​devantler in #​657

What the fix changes

• Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

• Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
• Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers
If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

• @​devantler made their first contribution in #​657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-without-test-image:pr-241 (debian 13.4)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-with-fixed-image-tags:v1.2.3-beta.123 (debian 13.4)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow:pr-241 (debian 13.4)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

✅MegaLinter analysis: Success

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	4		0	0	0.09s
✅ COPYPASTE	jscpd	yes		no	no	1.48s
✅ DOCKERFILE	hadolint	1		0	0	0.05s
✅ JSON	jsonlint	3		0	0	0.09s
✅ JSON	prettier	3		0	0	0.88s
✅ JSON	v8r	3		0	0	2.95s
✅ MARKDOWN	markdownlint	1		0	0	0.48s
✅ MARKDOWN	markdown-table-formatter	1		0	0	0.25s
✅ PYTHON	bandit	1		0	0	1.48s
✅ PYTHON	black	1		0	0	0.91s
✅ PYTHON	flake8	1		0	0	0.39s
✅ PYTHON	isort	1		0	0	0.22s
✅ PYTHON	mypy	1		0	0	3.8s
✅ PYTHON	pylint	1		0	0	2.8s
✅ PYTHON	pyright	1		0	0	1.8s
✅ PYTHON	ruff	1		0	0	0.02s
✅ REPOSITORY	checkov	yes		no	no	24.45s
✅ REPOSITORY	dustilock	yes		no	no	0.02s
✅ REPOSITORY	gitleaks	yes		no	no	0.4s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	48.87s
✅ REPOSITORY	kics	yes		no	no	4.23s
✅ REPOSITORY	kingfisher	yes		no	no	5.23s
✅ REPOSITORY	secretlint	yes		no	no	1.3s
✅ REPOSITORY	syft	yes		no	no	2.26s
✅ REPOSITORY	trivy	yes		no	no	12.8s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.19s
✅ REPOSITORY	trufflehog	yes		no	no	4.13s
✅ YAML	prettier	6		0	0	0.62s
✅ YAML	v8r	6		0	0	6.05s
✅ YAML	yamllint	6		0	0	0.61s

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,REPOSITORY_KINGFISHER,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository

[github-actions]

🎉 This PR is included in version 1.11.28 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀