chore(deps): update GitHub Actions #46

Open

williaby wants to merge 3 commits into main from renovate/github-actions

Conversation

williaby (Contributor) commented May 28, 2026

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Package | Change | Type | Update
ByronWilliamsCPA/.github (changelog) | 799ebd6 → 74c633a | action | digest
SonarSource/sonarqube-scan-action | v8.0.0 → v8.1 | action | minor
github/codeql-action | v4.35.5 → v4.36.0 | action | minor
step-security/harden-runner | v2.19.3 → v2.19.4 | action | patch

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes


Release Notes

SonarSource/sonarqube-scan-action (SonarSource/sonarqube-scan-action)

v8.1

Compare Source

v8.1.0

Compare Source

What's Changed

Full Changelog: SonarSource/sonarqube-scan-action@v8...v8.1.0

github/codeql-action (github/codeql-action)

v4.36.0

Compare Source

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893
  • Update default CodeQL bundle version to 2.25.5. #3926

step-security/harden-runner (step-security/harden-runner)

v2.19.4

Compare Source

What's Changed
  • Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "after 10pm every weekday,before 5am every weekday,every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions dependencies across all CI/CD workflows to newer pinned versions
    • Upgraded runner hardening security action to latest version
    • Updated organization-level reusable workflow references to newer commits

Copilot AI review requested due to automatic review settings May 28, 2026 04:31

coderabbitai Bot commented May 28, 2026

Walkthrough

This PR updates pinned versions of GitHub Actions and org-level reusable workflows across 22 CI/CD workflow files, upgrading the runner hardening action from v2.19.3 to v2.19.4, refreshing reusable workflow SHAs to a newer main-branch commit, and bumping security scanning tool action versions for CodeQL and SonarCloud.

Changes

GitHub Actions and Workflow Infrastructure Updates

Layer / File(s) Summary
Runner hardening action version upgrade
.github/workflows/ci.yml, cifuzzy.yml, codecov.yml, codeql.yml, fips-compatibility.yml, pr-title.yml, pr-validation.yml, release-sign.yml, reuse.yml, dependency-review.yml, sonarcloud.yml, validate-cruft.yml
step-security/harden-runner action is updated from v2.19.3 to v2.19.4 in 17 step references across workflows to apply newer security hardening patches.
Org-level reusable workflow reference updates
.github/workflows/ci.yml, codecov.yml, coverage.yml, docs.yml, publish-pypi.yml, python-compatibility.yml, qlty.yml, release.yml, reuse.yml, sbom.yml, scorecard.yml, security-analysis.yml, slsa-provenance.yml
Reusable workflow references to ByronWilliamsCPA/.github (python-ci.yml, python-docs.yml, python-codecov.yml, python-qlty-coverage.yml, python-release.yml, python-reuse.yml, python-sbom.yml, python-scorecard.yml, python-security-analysis.yml, python-slsa.yml, and related workflows) are pinned from commit 799ebd... to 74c633... across 13 job definitions.
Extended security scanning action upgrades
.github/workflows/cifuzzy.yml, codeql.yml, sonarcloud.yml
CodeQL actions (github/codeql-action/init and /upload-sarif) are upgraded from v4.35.5 to v4.36.0, and SonarSource/sonarqube-scan-action is bumped from v8.0.0 to v8.1 for improved analysis capabilities.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • ByronWilliamsCPA/audio-processor#39: Complements this PR by adding a Renovate rule to automate future tracking and refreshing of the same org workflow SHA pins and action versions that are manually updated here.
  • ByronWilliamsCPA/audio-processor#28: Performs similar direct updates to GitHub Actions workflow wiring, including harden-runner and reusable workflow pinned references across the same .github/workflows files.

Suggested labels

ci, security

Poem

A rabbit hops through CI/CD with glee,
Bumping versions one-two-three!
From 799 to 74 the workflows now run,
With hardened runners—security's won! 🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title 'chore(deps): update GitHub Actions' clearly and concisely summarizes the main change—updating GitHub Actions dependencies across multiple workflows.


github-advanced-security Bot commented

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Copilot AI left a comment

Pull request overview

This Renovate-generated PR bumps four GitHub Actions dependencies across the repository's workflow files. All updates are SHA-pinned with matching version comments, consistent with the repo's pinning convention. Two org workflow callers (container-security.yml, mutation-testing.yml) intentionally remain on a different SHA and are out of scope for this update.

Changes:

  • Bump step-security/harden-runner from v2.19.3 to v2.19.4 across all workflow callers.
  • Bump github/codeql-action (init/analyze/upload-sarif) from v4.35.5 to v4.36.0.
  • Bump SonarSource/sonarqube-scan-action from v8.0.0 to v8.1, and bump ByronWilliamsCPA/.github reusable workflow SHA from 799ebd6 to e75a86b.

Reviewed changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated no comments.

Summary per file
File Description
.github/workflows/ci.yml Bumps org reusable workflow SHA and harden-runner.
.github/workflows/cifuzzy.yml Bumps harden-runner and codeql-action/upload-sarif.
.github/workflows/codecov.yml Bumps org reusable workflow SHA and harden-runner.
.github/workflows/codeql.yml Bumps harden-runner and codeql-action init/analyze.
.github/workflows/coverage.yml Bumps python-qlty-coverage reusable workflow SHA.
.github/workflows/dependency-review.yml Bumps harden-runner.
.github/workflows/docs.yml Bumps python-docs reusable workflow SHA.
.github/workflows/fips-compatibility.yml Bumps harden-runner in two jobs.
.github/workflows/pr-title.yml Bumps harden-runner (block mode preserved).
.github/workflows/pr-validation.yml Bumps reusable workflow SHA and three harden-runner refs.
.github/workflows/publish-pypi.yml Bumps python-publish-pypi reusable workflow SHA.
.github/workflows/python-compatibility.yml Bumps python-compatibility reusable workflow SHA.
.github/workflows/qlty.yml Bumps python-qlty-coverage reusable workflow SHA.
.github/workflows/release-sign.yml Bumps harden-runner.
.github/workflows/release.yml Bumps python-release reusable workflow SHA.
.github/workflows/reuse.yml Bumps python-reuse reusable workflow SHA and harden-runner.
.github/workflows/sbom.yml Bumps python-sbom reusable workflow SHA.
.github/workflows/scorecard.yml Bumps python-scorecard reusable workflow SHA.
.github/workflows/security-analysis.yml Bumps python-security-analysis reusable workflow SHA.
.github/workflows/slsa-provenance.yml Bumps harden-runner and python-slsa reusable workflow SHA.
.github/workflows/sonarcloud.yml Bumps two harden-runner refs and sonarqube-scan-action to v8.1.
.github/workflows/validate-cruft.yml Bumps harden-runner.

@williaby williaby force-pushed the renovate/github-actions branch from 042669e to 7ac45c9 Compare May 28, 2026 08:05
@williaby williaby enabled auto-merge (squash) May 28, 2026 19:51
williaby (Contributor, Author) commented

@copilot resolve the merge conflicts in this pull request

auto-merge was automatically disabled May 28, 2026 19:53

Head branch was pushed to by a user without write access

Copilot AI commented May 28, 2026

@copilot resolve the merge conflicts in this pull request

Merge conflicts resolved. There was a single conflict in .github/workflows/release.yml — main had added permissions and an if condition to the release job while the PR had updated the ByronWilliamsCPA/.github SHA. The resolved version keeps both: the structural changes from main and the updated SHA (74c633a) from this PR.

coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0

williaby (Contributor, Author) commented

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

williaby (Contributor, Author) commented

PR Review

BUILD FAILING -- 1 Critical finding must be resolved before merge.

Critical (must fix)

CI: Validate PR Title failing -- The subject "Update GitHub Actions" begins with an uppercase `U`, which violates the project's `subjectPattern: ^(?![A-Z]).+$` rule (pr-title.yml). Renovate auto-capitalizes action names; the project validator requires lowercase subjects.

Immediate fix: Edit the PR title to `chore(deps): update GitHub Actions` (lowercase `u`).

Systemic fix: Add `"commitMessageAction": "update"` to `renovate.json` (PR being raised separately).

Important (should address)

  • PR description inaccuracy: `github/codeql-action v4.36.0` has a documented breaking change: "Bump the minimum required CodeQL bundle version to 2.19.4." The description claims "No breaking changes." GitHub hosted runners are unaffected (they auto-update bundles), but the claim is technically incorrect. Consider adding: "codeql-action v4.36.0 requires CodeQL bundle >= 2.19.4; GitHub hosted runners handle this automatically."

  • Org workflow SHA opacity: The `ByronWilliamsCPA/.github` bump from `799ebd6` to `74c633a` is accepted without a link to the diff. Consider linking the compare URL for audit trail.

Verified clean

  • All 17 `harden-runner` references consistently use new SHA `9af89fc...` (v2.19.4)
  • All 3 `codeql-action` sub-actions (`init`, `analyze`, `upload-sarif`) locked to same SHA `7211b7c...` (v4.36.0)
  • All 14 org workflow refs updated to `74c633a...`
  • Zero floating-tag references -- full SHA pinning maintained throughout
  • CHANGELOG exemption correct (chore commits do not require CHANGELOG)

🤖 Generated with Claude Code
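The two checks that review describes, full-SHA pinning of every `uses:` reference with a version comment and the `subjectPattern` rule for PR titles, as an added Python example that is not part of the PR or the repository's own tooling. The workflow fragment and the 40-hex SHAs in it are constructed placeholders, not the repository's real files or commits.

```python
import re

# Constructed workflow fragment; the SHAs are placeholders, not real commits.
SHA_A, SHA_B, SHA_C = "a1" * 20, "b2" * 20, "c3" * 20
SAMPLE_WORKFLOW = f"""\
jobs:
  build:
    steps:
      - uses: step-security/harden-runner@{SHA_A} # v2.19.4
      - uses: github/codeql-action/init@{SHA_B}
      - uses: actions/checkout@v4 # v4
      - uses: some-org/some-action@main
  ci:
    uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@{SHA_C} # main
"""

# `uses:` either as a step (leading "- ") or as a reusable-workflow job key,
# with the optional trailing "# <version>" comment the pinning convention relies on.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>\S+))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_uses(workflow_text):
    """Return (ref, problem) for each `uses:` not pinned to a full 40-hex SHA,
    or pinned but missing the version comment; an empty list means clean."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group("ref").strip("'\""), m.group("comment")
        if ref.startswith("./"):
            continue  # local action inside this repository, nothing to pin
        if "@" not in ref:
            findings.append((ref, "no @ref at all"))
        elif not FULL_SHA_RE.match(ref.rsplit("@", 1)[1]):
            findings.append((ref, "floating tag or branch instead of a commit SHA"))
        elif not comment:
            findings.append((ref, "SHA pinned but no version comment to track"))
    return findings

# The validator rule quoted in the review: the subject after "type(scope): "
# must not begin with an uppercase letter.
SUBJECT_PATTERN = re.compile(r"^(?![A-Z]).+$")
TITLE_RE = re.compile(r"^[a-z]+(?:\([^)]*\))?!?:\s*(?P<subject>.+)$")

def title_subject_ok(title):
    """True when the title parses as type(scope): subject and the subject passes."""
    m = TITLE_RE.match(title)
    return bool(m and SUBJECT_PATTERN.match(m.group("subject")))
```

Running `audit_uses(SAMPLE_WORKFLOW)` on the fragment reports three findings (the unpinned checkout and branch references and the codeql-action pin without a version comment) and leaves the harden-runner and org workflow pins alone.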

@williaby williaby changed the title chore(deps): Update GitHub Actions chore(deps): update GitHub Actions May 28, 2026
williaby added a commit that referenced this pull request May 29, 2026
…or (#52)

The PR title validator (amannn/action-semantic-pull-request) uses
subjectPattern: ^(?![A-Z]).+$ which rejects subjects beginning with an
uppercase letter. Renovate's default commitMessageAction is "Update"
(capital U), causing every automated PR to fail the Validate PR Title CI
check.

- Add global "commitMessageAction": "update" so all Renovate PRs
  produce lowercase subjects
- Lower-case the lockFileMaintenance override which also had "Update"

Fixes the recurring CI failure first seen in PR #46.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
@williaby williaby enabled auto-merge (squash) May 29, 2026 02:24
@sonarqubecloud
