chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
aquasecurity/trivy		patch	0.68.1 -> 0.68.2
docker/setup-buildx-action	action	minor	v3.11.1 -> v3.12.0
github/codeql-action	action	patch	v4.31.8 -> v4.31.9
zizmor (source)		minor	1.18.0 -> 1.19.0

---

Release Notes

aquasecurity/trivy (aquasecurity/trivy)

v0.68.2

Compare Source

Changelog

• 0c40a8d release: v0.68.2 [release/v0.68] (#​9950)
• db28945 fix(deps): bump alpine from 3.22.1 to 3.23.0 [backport: release/v0.68] (#​9949)

docker/setup-buildx-action (docker/setup-buildx-action)

v3.12.0

Compare Source

• Deprecate install input by @​crazy-max in #​455
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in #​434
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​436
• Bump form-data from 2.5.1 to 2.5.5 in #​432
• Bump undici from 5.28.4 to 5.29.0 in #​435

Full Changelog: docker/setup-buildx-action@v3.11.1...v3.12.0

github/codeql-action (github/codeql-action)

v4.31.9

Compare Source

zizmorcore/zizmor (zizmor)

v1.19.0

Compare Source

New Features 🌈🔗

• New audit: archived-uses detects usages of archived repositories in uses: clauses (#​1411)

Enhancements 🌱🔗

• The use-trusted-publishing audit now detects additional publishing command patterns, including common "wrapped" patterns like bundle exec gem publish (#​1394)

• zizmor now produces better error messages on a handful of error cases involving invalid input files. Specifically, a subset of syntax and schema errors now produce more detailed and actionable error messages (#​1396)

• The use-trusted-publishing audit now detects additional publishing command patterns, including uv run ..., uvx ..., and poetry publish (#​1402)

• zizmor now produces more useful and less ambiguous spans for many findings, particularly those from the anonymous-definition audit (#​1416)

• zizmor now discovers configuration files named zizmor.yaml, in addition to zizmor.yml (#​1431)

• zizmor now produces a more useful error message when input collection yields no inputs (#​1439)

• The --render-links flag now allows users to control zizmor's OSC 8 terminal link rendering behavior. This is particularly useful in environments that advertise themselves as terminals but fail to correctly render or ignore OSC 8 links (#​1454)

Performance Improvements 🚄🔗

• The [impostor-commit] audit is now significantly faster on true positives, making true positive detection virtually as fast as true negative detection. In practice, true positive runs are over 100 times faster than before (#​1429)

Bug Fixes 🐛🔗

• Fixed a bug where the obfuscation audit would crash if it encountered a CMD shell that was defined outside of the current step block (i.e. as a job or workflow default) (#​1418)

• Fixed a bug where the opentofu ecosystem was not recognized in Dependabot configuration files (#​1452)

• --color=always no longer implies --render-links=always, as some environments (like GitHub Actions) support ANSI color codes but fail to handle OSC escapes gracefully (#​1454)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-without-test-image:pr-217 (debian 13.2)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-with-fixed-image-tags:v1.2.3-beta.123 (debian 13.2)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow:pr-217 (debian 13.2)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

✅MegaLinter analysis: Success

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	4		0	0	0.22s
✅ COPYPASTE	jscpd	yes		no	no	1.4s
✅ DOCKERFILE	hadolint	1		0	0	0.23s
✅ JSON	jsonlint	3		0	0	0.23s
✅ JSON	prettier	3		0	0	0.49s
✅ JSON	v8r	3		0	0	3.74s
✅ MARKDOWN	markdownlint	1		0	0	0.58s
✅ MARKDOWN	markdown-table-formatter	1		0	0	0.41s
✅ PYTHON	bandit	1		0	0	2.22s
✅ PYTHON	black	1		0	0	0.78s
✅ PYTHON	flake8	1		0	0	0.86s
✅ PYTHON	isort	1		0	0	0.22s
✅ PYTHON	mypy	1		0	0	3.2s
✅ PYTHON	pylint	1		0	0	2.68s
✅ PYTHON	pyright	1		0	0	1.74s
✅ PYTHON	ruff	1		0	0	0.04s
✅ REPOSITORY	checkov	yes		no	no	23.51s
✅ REPOSITORY	dustilock	yes		no	no	0.03s
✅ REPOSITORY	gitleaks	yes		no	no	0.3s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	35.4s
✅ REPOSITORY	kics	yes		no	no	3.69s
✅ REPOSITORY	secretlint	yes		no	no	1.58s
✅ REPOSITORY	syft	yes		no	no	2.89s
✅ REPOSITORY	trivy	yes		no	no	8.71s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.1s
✅ REPOSITORY	trufflehog	yes		no	no	3.8s
✅ YAML	prettier	6		0	0	1.22s
✅ YAML	v8r	6		0	0	6.98s
✅ YAML	yamllint	6		0	0	0.64s

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.2.0 --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

[github-actions]

🎉 This PR is included in version 1.11.11 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀