chore(deps): update github-actions

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/create-github-app-token	action	minor	v3.1.1 → v3.2.0
cachix/install-nix-action	action	patch	v31.10.5 → v31.10.6
docker/login-action	action	minor	v4.1.0 → v4.2.0
github/codeql-action	action	minor	v4.35.2 → v4.36.0
golangci/golangci-lint-action	action	patch	v9.2.0 → v9.2.1
goreleaser/goreleaser-action	action	patch	v7.2.1 → v7.2.2
step-security/harden-runner	action	patch	v2.19.0 → v2.19.4
trufflesecurity/trufflehog	action	patch	v3.95.2 → v3.95.3
useblacksmith/setup-docker-builder (changelog)	action	digest	ac083cc → 722e97d

---

Release Notes

actions/create-github-app-token (actions/create-github-app-token)

v3.2.0

Compare Source

Features

• add support for enterprise-level GitHub Apps (#​263) (952a2a7)
• support full repository names in repositories input (#​372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#​364) (43e5c34)
• validate private-key input (#​376) (f24bbd8)

cachix/install-nix-action (cachix/install-nix-action)

v31.10.6

Compare Source

What's Changed

• nix: 2.34.6 -> 2.34.7 by @​github-actions[bot] in #​275
  GHSA-vh5x-56v6-4368: Fixes a coroutine stack-to-heap overflow via unbounded recursion in the NAR directory parser. Severity: High.
  GHSA-gr92-w2r5-qw5p: Fixes an absolute path traversal vulnerability when unpacking archives to disk. Severity: Moderate.

Full Changelog: cachix/install-nix-action@v31...v31.10.6

docker/login-action (docker/login-action)

v4.2.0

Compare Source

• Bump @​actions/core from 3.0.0 to 3.0.1 in #​976
• Bump @​aws-sdk/client-ecr and @​aws-sdk/client-ecr-public to 3.1050.0 in #​960
• Bump @​docker/actions-toolkit from 0.86.0 to 0.90.0 in #​970
• Bump brace-expansion from 2.0.1 to 5.0.6 in #​993
• Bump fast-xml-builder from 1.1.4 to 1.2.0 in #​985
• Bump fast-xml-parser from 5.3.6 to 5.8.0 in #​963
• Bump http-proxy-agent and https-proxy-agent to 9.0.0 in #​961
• Bump postcss from 8.5.6 to 8.5.10 in #​979
• Bump tar from 6.2.1 to 7.5.15 in #​991
• Bump vite from 7.3.1 to 7.3.3 in #​986

Full Changelog: docker/login-action@v4.1.0...v4.2.0

github/codeql-action (github/codeql-action)

v4.36.0

Compare Source

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #​3894
• Add support for SHA-256 Git object IDs. #​3893
• Update default CodeQL bundle version to 2.25.5. #​3926

v4.35.5

Compare Source

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #​3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #​3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #​3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #​3880

v4.35.4

Compare Source

• Update default CodeQL bundle version to 2.25.4. #​3881

v4.35.3

Compare Source

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #​3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #​3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #​3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #​3852
• Update default CodeQL bundle version to 2.25.3. #​3865

golangci/golangci-lint-action (golangci/golangci-lint-action)

v9.2.1

Compare Source

What's Changed

IMPORTANT: this is the first immutable release.

Changes

• chore: improve workflows by @​ldez in #​1394

Dependencies

• build(deps-dev): bump the dev-dependencies group with 3 updates by @​dependabot[bot] in #​1325
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in #​1326
• build(deps): bump the dependencies group with 4 updates by @​dependabot[bot] in #​1327
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in #​1328
• build(deps): bump @​types/node from 25.0.2 to 25.0.3 in the dependencies group by @​dependabot[bot] in #​1329
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in #​1330
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in #​1332
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in #​1333
• build(deps): bump the dependencies group with 6 updates by @​dependabot[bot] in #​1334
• build(deps-dev): bump the dev-dependencies group with 4 updates by @​dependabot[bot] in #​1335
• build(deps): bump the dependencies group with 2 updates by @​dependabot[bot] in #​1336
• build(deps-dev): bump the dev-dependencies group with 3 updates by @​dependabot[bot] in #​1337
• build(deps): bump @​types/node from 25.0.9 to 25.0.10 in the dependencies group by @​dependabot[bot] in #​1338
• build(deps): bump fast-xml-parser from 5.3.3 to 5.3.4 by @​dependabot[bot] in #​1339
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in #​1340
• build(deps-dev): bump the dev-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​1344
• build(deps): bump fast-xml-parser from 5.3.4 to 5.3.6 by @​dependabot[bot] in #​1346
• build(deps): bump minimatch by @​dependabot[bot] in #​1348
• build(deps): bump minimatch from 3.1.3 to 3.1.5 by @​dependabot[bot] in #​1350
• build(deps): bump fast-xml-parser from 5.3.6 to 5.4.1 by @​dependabot[bot] in #​1351
• build(deps): bump fast-xml-parser from 5.4.1 to 5.5.6 by @​dependabot[bot] in #​1357
• build(deps): bump fast-xml-parser from 5.5.6 to 5.5.7 by @​dependabot[bot] in #​1358
• build(deps-dev): bump flatted from 3.3.3 to 3.4.2 by @​dependabot[bot] in #​1359
• build(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in #​1364
• build(deps): bump yaml from 2.8.2 to 2.8.3 by @​dependabot[bot] in #​1365
• build(deps): bump brace-expansion by @​dependabot[bot] in #​1370
• build(deps-dev): bump the dev-dependencies group across 1 directory with 7 updates by @​ldez in #​1374
• build(deps): bump github/codeql-action from 4 to 4.35.2 by @​dependabot[bot] in #​1384
• build(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 by @​dependabot[bot] in #​1386
• build(deps): bump github/codeql-action from 4.35.2 to 4.35.3 by @​dependabot[bot] in #​1389
• build(deps): bump github/codeql-action from 4.35.3 to 4.35.4 by @​dependabot[bot] in #​1391

Full Changelog: golangci/golangci-lint-action@v9.2.0...v9.2.1

goreleaser/goreleaser-action (goreleaser/goreleaser-action)

v7.2.2

Compare Source

What's Changed

• ci(deps): bump the actions group with 3 updates by @​dependabot[bot] in #​560
• fix: nightly resolution to select newest published release by @​Copilot in #​562

New Contributors

• @​Copilot made their first contribution in #​562

Full Changelog: goreleaser/goreleaser-action@v7...v7.2.2

step-security/harden-runner (step-security/harden-runner)

v2.19.4

Compare Source

What's Changed

• Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

Compare Source

What's Changed

• Default to audit mode when api-key missing with use-policy-store by @​varunsh-coder in #​665

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

Compare Source

What's Changed

• Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

Compare Source

What's Changed

• fix: detect ubuntu-slim runners early and bail out by @​devantler in #​657

What the fix changes

• Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

• Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
• Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers
If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

• @​devantler made their first contribution in #​657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

trufflesecurity/trufflehog (trufflesecurity/trufflehog)

v3.95.3

Compare Source

What's Changed

• Renamed AnypointOAuth2 detector's AnalysisInfo keys to make it consistent with its Analyzer by @​MuneebUllahKhan222 in #​4906
• Rename AnalysisInfo field to SecretParts on detectors.Result by @​mcastorina in #​4911
• Document SecretParts contract in detector-authoring docs by @​mcastorina in #​4912
• Add a static check for detectors that don't set SecretParts by @​mcastorina in #​4913
• Populate SecretParts on all detectors by @​mcastorina in #​4919
• Make checksecretparts required in CI by @​mcastorina in #​4921
• Deduplicate concurrent credential verification requests via singleflight by @​kashifkhan0771 in #​4314
• log non-critical chunk errors at V(2).Info instead of Error by @​johnelliott in #​4928
• [INS-320] Cloudinary detector by @​MuneebUllahKhan222 in #​4747
• ci: bump JS actions to Node 24 majors (incl. CodeQL v4 + WIF auth v3) by @​bryanbeverly in #​4933
• chore: bump golangci-lint-action v7 → v9 (Node 24) by @​bryanbeverly in #​4936
• Add default Content-Type: application/json header for custom detector verification request by @​MuneebUllahKhan222 in #​4947
• Make detector Result.SecretParts initialization stricter by @​mcastorina in #​4948
• Add Pinecone API key detector by @​dylanTruffle in #​4917
• adding customizable successRanges and rotatedRanges to customDetector by @​jordanTunstill in #​4892

Full Changelog: trufflesecurity/trufflehog@v3.95.2...v3.95.3

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.