deps: Assorted Dependabot updates

.github/workflows/_precheck_deps.yml

@@ -66,4 +66,4 @@ jobs:
         ref: ${{ fromJSON(inputs.request).request.sha }}
         persist-credentials: false
     - name: Dependency Review
-      uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3  # v4.8.0
+      uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a  # v4.8.1

.github/workflows/codeql-daily.yml

@@ -34,7 +34,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93  # codeql-bundle-v3.30.5
+      uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047  # codeql-bundle-v4.30.9
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: cpp
@@ -75,6 +75,6 @@ jobs:
         git clean -xdf
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93  # codeql-bundle-v3.30.5
+      uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047  # codeql-bundle-v4.30.9
       with:
         trap-caching: false

.github/workflows/codeql-push.yml

@@ -67,7 +67,7 @@ jobs:
 
     - name: Initialize CodeQL
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93  # codeql-bundle-v3.30.5
+      uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047  # codeql-bundle-v4.30.9
       with:
         languages: cpp
         trap-caching: false
@@ -112,6 +112,6 @@ jobs:
 
     - name: Perform CodeQL Analysis
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93  # codeql-bundle-v3.30.5
+      uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047  # codeql-bundle-v4.30.9
       with:
         trap-caching: false

.github/workflows/envoy-release.yml

@@ -142,19 +142,19 @@ jobs:
     steps:
     - id: appauth
       name: App auth
-      uses: envoyproxy/toolshed/gh-actions/[email protected].25
+      uses: envoyproxy/toolshed/gh-actions/[email protected].26
       with:
         app_id: ${{ secrets.ENVOY_CI_PUBLISH_APP_ID }}
         key: ${{ secrets.ENVOY_CI_PUBLISH_APP_KEY }}
     - id: checkout
       name: Checkout Envoy repository
-      uses: envoyproxy/toolshed/gh-actions/github/[email protected].25
+      uses: envoyproxy/toolshed/gh-actions/github/[email protected].26
       with:
         committer-name: ${{ env.COMMITTER_NAME }}
         committer-email: ${{ env.COMMITTER_EMAIL }}
         strip-prefix: release/
         token: ${{ steps.appauth.outputs.token }}
-    - uses: envoyproxy/toolshed/gh-actions/github/[email protected].25
+    - uses: envoyproxy/toolshed/gh-actions/github/[email protected].26
       name: Re-open branch
       with:
         command: >-
@@ -169,7 +169,7 @@ jobs:
       name: Dev version
       id: dev
     - name: Create a PR
-      uses: envoyproxy/toolshed/gh-actions/github/[email protected].25
+      uses: envoyproxy/toolshed/gh-actions/github/[email protected].26
       with:
         base: ${{ github.ref_name }}
         commit: false

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93  # v3.30.5
+      uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047  # v4.30.9
       with:
         sarif_file: results.sarif

ci/Dockerfile-buildkit

@@ -1,3 +1,3 @@
 # We dont build from this dockerfile - we just parse the version, but storing
 # here means we get the dependabot updates
-FROM moby/buildkit:v0.25.0
+FROM moby/buildkit:v0.25.1