chore(deps): bump the dependencies group with 4 updates (#408)

* chore(deps): bump the dependencies group with 4 updates

Bumps the dependencies group with 4 updates: [github/ospo-reusable-workflows](https://github.com/github/ospo-reusable-workflows), [github/contributors](https://github.com/github/contributors), [github/codeql-action](https://github.com/github/codeql-action) and [super-linter/super-linter](https://github.com/super-linter/super-linter).


Updates `github/ospo-reusable-workflows` from 0.5.2 to 0.5.3
- [Release notes](https://github.com/github/ospo-reusable-workflows/releases)
- [Changelog](https://github.com/github/ospo-reusable-workflows/blob/main/docs/release-image.md)
- [Commits](github/ospo-reusable-workflows@ebb4e21...c9afb9b)

Updates `github/contributors` from 1.5.11 to 1.7.0
- [Release notes](https://github.com/github/contributors/releases)
- [Commits](github/contributors@69e531b...ae62be2)

Updates `github/codeql-action` from 3.29.10 to 3.29.11
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@96f518a...3c3833e)

Updates `super-linter/super-linter` from 8.0.0 to 8.1.0
- [Release notes](https://github.com/super-linter/super-linter/releases)
- [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md)
- [Commits](super-linter/super-linter@5119dcd...ffde3b2)

---
updated-dependencies:
- dependency-name: github/ospo-reusable-workflows
  dependency-version: 0.5.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: github/contributors
  dependency-version: 1.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: github/codeql-action
  dependency-version: 3.29.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: super-linter/super-linter
  dependency-version: 8.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>

* fix: linting

- ensure credentials are not persisted past checkout of code
- add zizmor.yml file to linters to allow pull_request_target in actions for auto-labeler to work on fork pull requests
- add trivy.yml file to linters to ignore mypy_cache directory
- add HEALTHCHECK and non-root user to Dockerfile

Signed-off-by: jmeridth <[email protected]>

* fix: bad conflict line still present

Signed-off-by: jmeridth <[email protected]>

* fix: linting

Signed-off-by: jmeridth <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: jmeridth <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: jmeridth <[email protected]>

Author: dependabot[bot]

.github/linters/trivy.yaml

@@ -0,0 +1,3 @@
+scan:
+  skip-dirs:
+    - .mypy_cache

.github/linters/zizmor.yaml

@@ -0,0 +1,6 @@
+rules:
+  dangerous-triggers: # to allow pull_request_target for auto-labelling fork pull requests
+    ignore:
+      - auto-labeler.yml
+      - pr-title.yml
+      - release.yml

.github/workflows/auto-labeler.yml

@@ -11,7 +11,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
-    uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+    uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
     with:
       config-name: release-drafter.yml
     secrets:

.github/workflows/contributors_report.yaml

@@ -29,7 +29,7 @@ jobs:
           echo "END_DATE=$end_date" >> "$GITHUB_ENV"
 
       - name: Run contributor action
-        uses: github/contributors@69e531b620b7e5b0fad2e9823681607b54db447a
+        uses: github/contributors@ae62be2e3b1a3b2847955ec659d9bb6f88ffe628
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           START_DATE: ${{ env.START_DATE }}

.github/workflows/copilot-setup-steps.yml

@@ -27,9 +27,11 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v5.6.0
+        uses: actions/setup-python@v6.0.0
         with:
           python-version: 3.12
 

.github/workflows/docker-ci.yml

@@ -15,5 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/[email protected]
+        with:
+          persist-credentials: false
       - name: Build the Docker image
         run: docker build . --file Dockerfile --platform linux/amd64

.github/workflows/pr-title.yml

@@ -12,6 +12,6 @@ jobs:
       contents: read
       pull-requests: read
       statuses: write
-    uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+    uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
     secrets:
       github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/python-ci.yml

@@ -21,8 +21,10 @@ jobs:
         python-version: [3.11, 3.12]
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5.6.0
+        uses: actions/setup-python@v6.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies

.github/workflows/release.yml

@@ -12,7 +12,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: read
-    uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+    uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
     with:
       publish: true
       release-config-name: release-drafter.yml
@@ -25,7 +25,7 @@ jobs:
       packages: write
       id-token: write
       attestations: write
-    uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+    uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
     with:
       image-name: ${{ github.repository }}
       full-tag: ${{ needs.release.outputs.full-tag }}
@@ -40,7 +40,7 @@ jobs:
     permissions:
       contents: read
       discussions: write
-    uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+    uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
     with:
       full-tag: ${{ needs.release.outputs.full-tag }}
       body: ${{ needs.release.outputs.body }}

.github/workflows/scorecard.yml

@@ -42,6 +42,6 @@ jobs:
           path: results.sarif
           retention-days: 5
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.5
+        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
         with:
           sarif_file: results.sarif