[deps]: Update gh minor

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending
actions/checkout	action	minor	v4.2.1 -> v4.3.0
actions/create-github-app-token	action	patch	v2.1.1 -> v2.1.4
actions/upload-artifact	action	minor	v4.4.3 -> v4.6.2
anchore/scan-action	action	minor	v6.2.0 -> v6.5.1
codecov/codecov-action	action	minor	v5.1.2 -> v5.5.1
docker/build-push-action	action	minor	v6.9.0 -> v6.18.0
docker/login-action	action	minor	v3.5.0 -> v3.6.0
github/codeql-action	action	patch	v4.30.7 -> v4.30.8	v4.30.9
ncipollo/release-action	action	minor	v1.14.0 -> v1.20.0
sigstore/cosign-installer	action	minor	v3.8.1 -> v3.10.0	v3.10.1
sigstore/cosign-installer	action	minor	v3.7.0 -> v3.10.0	v3.10.1

---

Release Notes

actions/checkout (actions/checkout)

v4.3.0

Compare Source

What's Changed

• docs: update README.md by @​motss in https://github.com/actions/checkout/pull/1971
• Add internal repos for checking out multiple repositories by @​mouismail in https://github.com/actions/checkout/pull/1977
• Documentation update - add recommended permissions to Readme by @​benwells in https://github.com/actions/checkout/pull/2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in https://github.com/actions/checkout/pull/2044
• Update README.md by @​nebuk89 in https://github.com/actions/checkout/pull/2194
• Update CODEOWNERS for actions by @​TingluoHuang in https://github.com/actions/checkout/pull/2224
• Update package dependencies by @​salmanmkc in https://github.com/actions/checkout/pull/2236
• Prepare release v4.3.0 by @​salmanmkc in https://github.com/actions/checkout/pull/2237

New Contributors

• @​motss made their first contribution in https://github.com/actions/checkout/pull/1971
• @​mouismail made their first contribution in https://github.com/actions/checkout/pull/1977
• @​benwells made their first contribution in https://github.com/actions/checkout/pull/2043
• @​nebuk89 made their first contribution in https://github.com/actions/checkout/pull/2194
• @​salmanmkc made their first contribution in https://github.com/actions/checkout/pull/2236

Full Changelog: actions/checkout@v4...v4.3.0

v4.2.2

Compare Source

• url-helper.ts now leverages well-known environment variables by @​jww3 in #​1941
• Expand unit test coverage for isGhes by @​jww3 in #​1946

actions/create-github-app-token (actions/create-github-app-token)

v2.1.4

Compare Source

Bug Fixes

• deps: bump @​octokit/auth-app from 7.2.1 to 8.0.1 (#​257) (bef1eaf)

v2.1.3

Compare Source

Bug Fixes

• deps: bump undici from 7.8.0 to 7.10.0 in the production-dependencies group (#​254) (f3d5ec2)

v2.1.2

Compare Source

Bug Fixes

• deps: bump @​octokit/request from 9.2.3 to 10.0.2 (#​256) (5d7307b)

actions/upload-artifact (actions/upload-artifact)

v4.6.2

Compare Source

What's Changed

• Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @​salmanmkc in #​685

New Contributors

• @​salmanmkc made their first contribution in #​685

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

Compare Source

What's Changed

• Update to use artifact 2.2.2 package by @​yacaovsnc in #​673

Full Changelog: actions/upload-artifact@v4...v4.6.1

v4.6.0

Compare Source

What's Changed

• Expose env vars to control concurrency and timeout by @​yacaovsnc in #​662

Full Changelog: actions/upload-artifact@v4...v4.6.0

v4.5.0

Compare Source

What's Changed

• fix: deprecated Node.js version in action by @​hamirmahal in #​578
• Add new artifact-digest output by @​bdehamer in #​656

New Contributors

• @​hamirmahal made their first contribution in #​578
• @​bdehamer made their first contribution in #​656

Full Changelog: actions/upload-artifact@v4.4.3...v4.5.0

anchore/scan-action (anchore/scan-action)

v6.5.1

Compare Source

New in scan-action v6.5.1

• Update Grype to v0.97.1 (#​495)

v6.5.0

Compare Source

New in scan-action v6.5.0

• Update Grype to v0.96.1 (#​493) [[anchore-actions-token-generator[bot]](https://github.com/anchore-actions-token-generator[bot])]
• fix: output stderr for nonzero exit code (#​491) [kzantow]

v6.4.0

Compare Source

New in scan-action v6.4.0

• Update Grype to v0.95.0 (#​486)
• chore(deps-dev): bump eslint from 9.30.0 to 9.30.1 (#​485)
• chore(deps-dev): bump lint-staged from 16.1.0 to 16.1.2 (#​476)
• chore(deps-dev): bump jest from 30.0.0 to 30.0.3 (#​481)
• chore(deps-dev): bump prettier from 3.5.3 to 3.6.2 (#​483)
• chore(deps-dev): bump eslint from 9.28.0 to 9.30.0 (#​484)

v6.3.0

Compare Source

New in scan-action v6.3.0

• Update Grype to v0.94.0 (#​470)

codecov/codecov-action (codecov/codecov-action)

v5.5.1

Compare Source

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in #​1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in #​1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in #​1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in #​1872
• docs: fix typo in README by @​datalater in #​1866
• Document a codecov-cli version reference example by @​webknjaz in #​1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in #​1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in #​1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

Compare Source

What's Changed

• feat: upgrade wrapper to 0.2.4 by @​jviall in #​1864
• Pin actions/github-script by Git SHA by @​martincostello in #​1859
• fix: check reqs exist by @​joseph-sentry in #​1835
• fix: Typo in README by @​spalmurray in #​1838
• docs: Refine OIDC docs by @​spalmurray in #​1837
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @​app/dependabot in #​1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

v5.4.3

Compare Source

What's Changed

• build(deps): bump github/codeql-action from 3.28.13 to 3.28.17 by @​app/dependabot in #​1822
• fix: OIDC on forks by @​joseph-sentry in #​1823

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3

v5.4.2

Compare Source

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.1..v5.4.2

v5.4.1

Compare Source

What's Changed

• fix: use the github core methods by @​thomasrockhu-codecov in #​1807
• build(deps): bump github/codeql-action from 3.28.12 to 3.28.13 by @​app/dependabot in #​1803
• build(deps): bump github/codeql-action from 3.28.11 to 3.28.12 by @​app/dependabot in #​1797
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 by @​app/dependabot in #​1798
• chore(release): wrapper -0.2.1 by @​app/codecov-releaser-app in #​1788
• build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 by @​app/dependabot in #​1786

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.0..v5.4.1

v5.4.0

Compare Source

What's Changed

• update wrapper submodule to 0.2.0, add recurse_submodules arg by @​matt-codecov in #​1780
• build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 by @​app/dependabot in #​1775
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @​app/dependabot in #​1776
• build(deps): bump github/codeql-action from 3.28.9 to 3.28.10 by @​app/dependabot in #​1777
• Clarify in README that use_pypi bypasses integrity checks too by @​webknjaz in #​1773
• Fix use of safe.directory inside containers by @​Flamefire in #​1768
• Fix description for report_type input by @​craigscott-crascit in #​1770
• build(deps): bump github/codeql-action from 3.28.8 to 3.28.9 by @​app/dependabot in #​1765
• Fix a typo in the example by @​miranska in #​1758
• build(deps): bump github/codeql-action from 3.28.5 to 3.28.8 by @​app/dependabot in #​1757
• build(deps): bump github/codeql-action from 3.28.1 to 3.28.5 by @​app/dependabot in #​1753

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.3.1..v5.4.0

v5.3.1

Compare Source

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.3.0..v5.3.1

v5.3.0

Compare Source

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.2.0..v5.3.0

v5.2.0

Compare Source

What's Changed

• Fix typo in README by @​tserg in #​1747
• Th/add commands by @​thomasrockhu-codecov in #​1745
• use correct audience when requesting oidc token by @​juho9000 in #​1744
• build(deps): bump github/codeql-action from 3.27.9 to 3.28.1 by @​app/dependabot in #​1742
• build(deps): bump actions/upload-artifact from 4.4.3 to 4.6.0 by @​app/dependabot in #​1743
• chore(deps): bump wrapper to 0.0.32 by @​thomasrockhu-codecov in #​1740
• feat: add disable-telem feature by @​thomasrockhu-codecov in #​1739
• fix: remove erroneous linebreak in readme by @​Vampire in #​1734

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.1.2..v5.2.0

docker/build-push-action (docker/build-push-action)

v6.18.0

Compare Source

• Bump @​docker/actions-toolkit from 0.61.0 to 0.62.1 in #​1381

[!NOTE]
Build summary is now supported with Docker Build Cloud.

Full Changelog: docker/build-push-action@v6.17.0...v6.18.0

v6.17.0

Compare Source

• Bump @​docker/actions-toolkit from 0.59.0 to 0.61.0 by @​crazy-max in #​1364

[!NOTE]
Build record is now exported using the buildx history export command instead of the legacy export-build tool.

Full Changelog: docker/build-push-action@v6.16.0...v6.17.0

v6.16.0

Compare Source

• Handle no default attestations env var by @​crazy-max in #​1343
• Only print secret keys in build summary output by @​crazy-max in #​1353
• Bump @​docker/actions-toolkit from 0.56.0 to 0.59.0 in #​1352

Full Changelog: docker/build-push-action@v6.15.0...v6.16.0

v6.15.0

Compare Source

• Bump @​docker/actions-toolkit from 0.55.0 to 0.56.0 in #​1330

Full Changelog: docker/build-push-action@v6.14.0...v6.15.0

v6.14.0

Compare Source

• Bump @​docker/actions-toolkit from 0.53.0 to 0.55.0 in #​1324

Full Changelog: docker/build-push-action@v6.13.0...v6.14.0

v6.13.0

Compare Source

• Bump @​docker/actions-toolkit from 0.51.0 to 0.53.0 in #​1308

Full Changelog: docker/build-push-action@v6.12.0...v6.13.0

v6.12.0

Compare Source

• Bump @​docker/actions-toolkit from 0.49.0 to 0.51.0 in #​1300

Full Changelog: docker/build-push-action@v6.11.0...v6.12.0

v6.11.0

Compare Source

• Handlebar defaultContext support for build-contexts input by @​crazy-max in #​1283
• Bump @​docker/actions-toolkit from 0.46.0 to 0.49.0 in #​1281

Full Changelog: docker/build-push-action@v6.10.0...v6.11.0

v6.10.0

Compare Source

• Add call input to set method for evaluating build by @​crazy-max in #​1265
• Bump @​actions/core from 1.10.1 to 1.11.1 in #​1238
• Bump @​docker/actions-toolkit from 0.39.0 to 0.46.0 in #​1268
• Bump cross-spawn from 7.0.3 to 7.0.6 in #​1261

Full Changelog: docker/build-push-action@v6.9.0...v6.10.0

docker/login-action (docker/login-action)

v3.6.0

Compare Source

• Add registry-auth input for raw authentication to registries by @​crazy-max in #​887
• Bump @​aws-sdk/client-ecr to 3.890.0 in #​882 #​890
• Bump @​aws-sdk/client-ecr-public to 3.890.0 in #​882 #​890
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in #​883
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​880
• Bump undici from 5.28.4 to 5.29.0 in #​879
• Bump tmp from 0.2.3 to 0.2.4 in #​881

Full Changelog: docker/login-action@v3.5.0...v3.6.0

github/codeql-action (github/codeql-action)

v4.30.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.30.8 - 10 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

ncipollo/release-action (ncipollo/release-action)

v1.20.0

Compare Source

What's Changed

• Fixes #​542 Add previous tag option by @​ncipollo in #​550

Full Changelog: ncipollo/release-action@v1...v1.20.0

v1.19.2

Compare Source

What's Changed

• Update immutableCreate's default in the documentation by @​bblanchon in #​547
• Fixes #​548 Add support body + generated release notes by @​ncipollo in #​549

New Contributors

• @​bblanchon made their first contribution in #​547

Full Changelog: ncipollo/release-action@v1...v1.19.2

v1.19.1

Compare Source

Defaults immutableCreate to false if it is omitted.

Full Changelog: ncipollo/release-action@v1.19.0...v1.19.1

v1.19.0

Compare Source

What's Changed

• Fixes #​540 Add support for immutable releases by @​ncipollo in #​544
• Bump actions/checkout from 4 to 5 by @​dependabot[bot] in #​541
• Bump glob from 11.0.2 to 11.0.3 by @​dependabot[bot] in #​534

Full Changelog: ncipollo/release-action@v1...v1.19.0

v1.18.0

Compare Source

• Fixes #​529 Collect asset URLs into output

Full Changelog: ncipollo/release-action@v1...v1.18.0

v1.17.0

Compare Source

What's Changed

• Bump ts-jest from 29.2.5 to 29.2.6 by @​dependabot in #​506
• Bump @​types/node from 22.13.4 to 22.13.8 by @​dependabot in #​505
• Bump @​octokit/plugin-paginate-rest from 9.1.5 to 9.2.2 by @​dependabot in #​507
• Bump @​octokit/request from 8.1.6 to 8.4.1 by @​dependabot in #​508
• Fixes #​513 Don't generate release notes if omitBody is set by @​ncipollo in #​517
• Bump typescript from 5.7.3 to 5.8.3 by @​dependabot in #​518
• Bump ts-jest from 29.2.6 to 29.3.2 by @​dependabot in #​521
• Bump glob from 11.0.1 to 11.0.2 by @​dependabot in #​520
• Bump @​types/node from 22.13.8 to 22.15.3 by @​dependabot in #​519
• Bump ts-jest from 29.3.2 to 29.3.4 by @​dependabot in #​526
• Bump @​actions/github from 6.0.0 to 6.0.1 by @​dependabot in #​525
• Bump @​types/node from 22.15.18 to 22.15.29 by @​dependabot in #​524
• Fixes #​529 Add zip and tarball urls to output

Full Changelog: ncipollo/release-action@v1...v1.17.0

v1.16.0

Compare Source

What's Changed

• Bump @​octokit/request-error from 5.0.1 to 5.1.1 by @​dependabot in #​498
• Update checkout action version in example by @​Cycloctane in #​496
• Bump undici from 5.28.4 to 5.28.5 by @​dependabot in #​499
• Bump glob from 11.0.0 to 11.0.1 by @​dependabot in #​495
• Bump @​types/node from 22.10.3 to 22.13.4 by @​dependabot in #​500
• Regenerate release notes on release updates by @​rantoniuk in #​497

New Contributors

• @​rantoniuk made their first contribution in #​497

Full Changelog: ncipollo/release-action@v1...v1.16.0

v1.15.0

Compare Source

What's Changed

Add more explicit error when release list API call fails.

TLDR below - many dependency updates.

• Bump semver from 6.3.0 to 6.3.1 by @​dependabot in #​350
• Bump actions/checkout from 3 to 4 by @​dependabot in #​364
• Bump glob from 10.3.1 to 10.3.4 by @​dependabot in #​361
• Bump jest-circus from 29.5.0 to 29.6.4 by @​dependabot in #​359
• Bump typescript from 5.1.6 to 5.2.2 by @​dependabot in #​362
• Bump @​types/node from 20.3.3 to 20.6.0 by @​dependabot in #​366
• Bump jest and @​types/jest by @​dependabot in #​367
• Bump @​babel/traverse from 7.17.3 to 7.23.2 by @​dependabot in #​378
• Bump jest and @​types/jest by @​dependabot in #​377
• Bump jest-circus from 29.6.4 to 29.7.0 by @​dependabot in #​376
• Bump @​types/node from 20.6.0 to 20.8.6 by @​dependabot in #​379
• Bump @​actions/core from 1.10.0 to 1.10.1 by @​dependabot in #​375
• Bump @​types/jest from 29.5.5 to 29.5.7 by @​dependabot in #​386
• Bump actions/setup-node from 3 to 4 by @​dependabot in #​381
• Bump @​types/node from 20.8.6 to 20.9.0 by @​dependabot in #​390
• Bump typescript from 5.2.2 to 5.3.2 by @​dependabot in #​396
• Bump @​types/node from 20.9.0 to 20.10.1 by @​dependabot in #​395
• Bump @​types/jest from 29.5.7 to 29.5.11 by @​dependabot in #​399
• Bump @​actions/github from 5.1.1 to 6.0.0 by @​dependabot in #​385
• Bump typescript from 5.3.2 to 5.3.3 by @​dependabot in #​403
• Bump @​types/node from 20.10.1 to 20.10.6 by @​dependabot in #​402
• Upgrade to Node 20 by @​aovens-quantifi in #​411
• Bump undici from 5.28.2 to 5.28.3 by @​dependabot in #​423
• Bump @​types/jest from 29.5.11 to 29.5.12 by @​dependabot in #​427
• Bump @​types/node from 20.10.6 to 20.11.24 by @​dependabot in #​426
• Bump ts-jest from 29.1.1 to 29.1.2 by @​dependabot in #​409
• Bump undici from 5.28.3 to 5.28.4 by @​dependabot in #​439
• Bump typescript from 5.3.3 to 5.4.3 by @​dependabot in #​438
• Bump @​types/node from 20.11.24 to 20.12.2 by @​dependabot in #​437
• Bump glob from 10.3.10 to 10.3.12 by @​dependabot in #​436
• Bump braces from 3.0.2 to 3.0.3 by @​dependabot in #​449
• Bump glob from 10.3.12 to 11.0.0 by @​dependabot in #​457
• Bump typescript from 5.4.3 to 5.5.4 by @​dependabot in #​459
• Bump ts-jest from 29.1.2 to 29.2.4 by @​dependabot in #​460
• Bump @​types/node from 20.12.2 to 22.0.2 by @​dependabot in #​458
• Bump cross-spawn from 7.0.3 to 7.0.6 by @​dependabot in #​480
• Bump micromatch from 4.0.4 to 4.0.8 by @​dependabot in #​463
• Bump @​types/node from 22.0.2 to 22.10.3 by @​dependabot in #​487
• Bump @​types/jest from 29.5.12 to 29.5.14 by @​dependabot in #​476
• Bump ts-jest from 29.2.4 to 29.2.5 by @​dependabot in #​464
• Bump @​actions/core from 1.10.1 to 1.11.1 by @​dependabot in #​488
• Bump typescript from 5.5.4 to 5.7.3 by @​dependabot in #​490

New Contributors

• @​aovens-quantifi made their first contribution in #​411

Full Changelog: ncipollo/release-action@v1.13.0...v1.15.0

sigstore/cosign-installer (sigstore/cosign-installer)

v3.10.0

Compare Source

What's Changed

• Bump default Cosign to v2.6.0 in #​200

Full Changelog: sigstore/cosign-installer@v3.9.2...v3.10.0

v3.9.2

Compare Source

What's Changed

• not fail fast and setup permissions in #​195
• drop old unsupported versions <v2.0.0 in #​192
• Update default to v2.5.3 in #​196

Full Changelog: sigstore/cosign-installer@v3.9.1...v3.9.2

v3.9.1

Compare Source

What's Changed

• default action install to use release v2.5.1 by @​cpanato in #​193
• default cosign to v2.5.2 by @​cpanato in #​194

Full Changelog: sigstore/cosign-installer@v3.9.0...v3.9.1

v3.9.0

Compare Source

What's Changed

• Bump actions/setup-go from 5.4.0 to 5.5.0 by @​dependabot in #​189
• bump cosign install to use release v2.5.0 as default by @​cpanato in #​191

Full Changelog: sigstore/cosign-installer@v3...v3.9.0

v3.8.2

Compare Source

What's Changed

• install cosign v2 from main in #​186

Full Changelog: sigstore/cosign-installer@v3...v3.8.2

---

Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 7.04%. Comparing base (7cd9101) to head (6161b31).

Additional details and impacted files

@@          Coverage Diff          @@
##            main    #224   +/-   ##
=====================================
  Coverage   7.04%   7.04%           
=====================================
  Files         49      49           
  Lines       1818    1818           
  Branches      99      99           
=====================================
  Hits         128     128           
  Misses      1685    1685           
  Partials       5       5           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Checkmarx One – Scan Summary & Details – cdfc8224-b0c4-40b1-aa92-c2a96d933e55

Great job! No new security vulnerabilities introduced in this pull request

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud