Update GitHub Actions

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending
actions/attest-build-provenance	action	minor	v3.1.0 → v3.2.0
actions/cache	action	patch	v5.0.2 → v5.0.3
aquasecurity/trivy-action	action	minor	v0.33.1 → 0.34.0	0.34.1
docker/build-push-action	action	minor	v6.18.0 → v6.19.2
docker/login-action	action	minor	v3.6.0 → v3.7.0
github/codeql-action	action	minor	v4.31.11 → v4.32.3	v4.32.4
hoverkraft-tech/compose-action	action	minor	v2.4.3 → v2.5.0
zizmorcore/zizmor-action	action	minor	v0.4.1 → v0.5.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

actions/attest-build-provenance (actions/attest-build-provenance)

v3.2.0

Compare Source

What's Changed

• Bump @​actions/core from 1.11.1 to 2.0.1 by @​dependabot[bot] in #​776
• Add more documentation on Artifact Metadata Storage Records by @​malancas in #​797
• Update actions/attest to latest version v3.2.0 by @​malancas in #​812

Full Changelog: actions/attest-build-provenance@v3.1.0...v3.2.0

actions/cache (actions/cache)

v5.0.3

Compare Source

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

aquasecurity/trivy-action (aquasecurity/trivy-action)

v0.34.0

Compare Source

What's Changed

• ci: use setup-bats in bump-trivy workflow by @​nikpivkin in #​494
• chore: update README by @​nikpivkin in #​493
• ci: install trivy in bump-trivy workflow and update tests by @​nikpivkin in #​495
• chore(deps): Update trivy to v0.68.1 by @​aqua-bot in #​496
• ci: use checks bundle v2 in sync workflow by @​nikpivkin in #​505
• chore(deps): Update trivy to v0.69.1 by @​aqua-bot in #​506

Full Changelog: aquasecurity/trivy-action@0.33.1...0.34.0

docker/build-push-action (docker/build-push-action)

v6.19.2

Compare Source

• Preserve port in GIT_AUTH_TOKEN host by @​crazy-max in #​1458

Full Changelog: docker/build-push-action@v6.19.1...v6.19.2

v6.19.1

Compare Source

• Derive GIT_AUTH_TOKEN host from GitHub server URL by @​crazy-max in #​1456

Full Changelog: docker/build-push-action@v6.19.0...v6.19.1

v6.19.0

Compare Source

• Scope default git auth token to github.com by @​crazy-max in #​1451
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​1396
• Bump form-data from 2.5.1 to 2.5.5 in #​1391
• Bump js-yaml from 3.14.1 to 3.14.2 in #​1429
• Bump lodash from 4.17.21 to 4.17.23 in #​1446
• Bump tmp from 0.2.3 to 0.2.4 in #​1398
• Bump undici from 5.28.4 to 5.29.0 in #​1397

Full Changelog: docker/build-push-action@v6.18.0...v6.19.0

docker/login-action (docker/login-action)

v3.7.0

Compare Source

• Add scope input to set scopes for the authentication token by @​crazy-max in #​912
• Add support for AWS European Sovereign Cloud ECR by @​dphi in #​914
• Ensure passwords are redacted with registry-auth input by @​crazy-max in #​911
• build(deps): bump lodash from 4.17.21 to 4.17.23 in #​915

Full Changelog: docker/login-action@v3.6.0...v3.7.0

github/codeql-action (github/codeql-action)

v4.32.3

Compare Source

• Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #​3466

v4.32.2

Compare Source

v4.32.1

Compare Source

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #​3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #​3421

v4.32.0

Compare Source

• Update default CodeQL bundle version to 2.24.0. #​3425

hoverkraft-tech/compose-action (hoverkraft-tech/compose-action)

v2.5.0

Compare Source

Release Summary

Fix ensures docker-compose is installed when a compose-version is specified, improving reliability, and documentation for actions and workflows has been updated.

Internal: deps scope updates (actions/checkout, docker/setup-docker-action, docker-compose, npm/actions groups) and minor refactoring.

Breaking change(s)

No breaking changes.

What's Changed

• chore(deps): bump docker/setup-docker-action from 4.6.0 to 4.7.0 in the github-actions-dependencies group by @​dependabot[bot] in #​218
• docs: update actions and workflows documentation by @​hoverkraft-bot[bot] in #​219
• chore(deps): bump the actions-dependencies group with 3 updates by @​dependabot[bot] in #​217
• chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 in the github-actions-dependencies group by @​dependabot[bot] in #​223
• chore(deps): bump the npm-actions-dependencies group with 3 updates by @​dependabot[bot] in #​224
• chore(deps): bump docker-compose from 1.3.0 to 1.3.1 by @​dependabot[bot] in #​225
• fix: install docker-compose when compose-version is specified by @​jmpargana in #​234
• chore: minor refactoring by @​neilime in #​235

New Contributors

• @​jmpargana made their first contribution in #​234

Full Changelog: hoverkraft-tech/compose-action@v2...v2.5.0

zizmorcore/zizmor-action (zizmorcore/zizmor-action)

v0.5.0

Compare Source

What's Changed

• Expose output-file as an output when advanced-security: true by @​unlobito in #​87

New Contributors

• @​unlobito made their first contribution in #​87

Full Changelog: zizmorcore/zizmor-action@v0.4.1...v0.5.0

---

Configuration

📅 Schedule: Branch creation - "every weekend" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR updates the github/codeql-action from v4.31.10 to v4.31.11, a routine patch version update that brings improved error handling and stability improvements.

• Updated SHA hash for github/codeql-action/upload-sarif action in the Trivy security scanning job
• No breaking changes or behavioral modifications
• Patch version includes improved error handling throughout the action

Confidence Score: 5/5

• This PR is safe to merge with minimal risk - it's a routine patch update from a trusted GitHub action
• This is a standard automated dependency update for a trusted GitHub-maintained action. The change is minimal (single SHA hash update), the version increment is a patch release with no breaking changes, and the release notes indicate only improvements (error handling, artifact naming). The action is pinned to a specific SHA for security, and the workflow permissions are already properly scoped.
• No files require special attention

Important Files Changed

Filename	Overview
.github/workflows/regular.yaml	Updated github/codeql-action/upload-sarif from v4.31.10 to v4.31.11 (patch version bump with improved error handling)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!