chore(deps): update workflows (#2264)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/stale](https://redirect.github.com/actions/stale) | action |
minor | `v10.0.0` -> `v10.1.0` |
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | patch | `v3.30.5` -> `v3.30.6` |
|
[ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action)
| action | patch | `v2.4.2` -> `v2.4.3` |

---

### Release Notes

<details>
<summary>actions/stale (actions/stale)</summary>

###
[`v10.1.0`](https://redirect.github.com/actions/stale/releases/tag/v10.1.0)

[Compare
Source](https://redirect.github.com/actions/stale/compare/v10.0.0...v10.1.0)

#### What's Changed

- Add `only-issue-types` option to filter issues by type by
[@&#8203;Bibo-Joshi](https://redirect.github.com/Bibo-Joshi) in
[#&#8203;1255](https://redirect.github.com/actions/stale/pull/1255)

#### New Contributors

- [@&#8203;Bibo-Joshi](https://redirect.github.com/Bibo-Joshi) made
their first contribution in
[#&#8203;1255](https://redirect.github.com/actions/stale/pull/1255)

**Full Changelog**:
<actions/stale@v10...v10.1.0>

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v3.30.6`](https://redirect.github.com/github/codeql-action/releases/tag/v3.30.6)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.30.5...v3.30.6)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.30.6 - 02 Oct 2025

- Update default CodeQL bundle version to 2.23.2.
[#&#8203;3168](https://redirect.github.com/github/codeql-action/pull/3168)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.30.6/CHANGELOG.md)
for more information.

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.4.3`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.3)

[Compare
Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.4.2...v2.4.3)

#### What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a
complete list of changes, please refer to the [Scorecard v5.3.0 release
notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.3.0).

#### Documentation

- docs: clarify `GITHUB_TOKEN` permissions needed for private repos by
[@&#8203;pankajtaneja5](https://redirect.github.com/pankajtaneja5) in
[#&#8203;1574](https://redirect.github.com/ossf/scorecard-action/pull/1574)
- 📖 Fix recommended command to test the image in development by
[@&#8203;deivid-rodriguez](https://redirect.github.com/deivid-rodriguez)
in
[#&#8203;1583](https://redirect.github.com/ossf/scorecard-action/pull/1583)

#### Other

- add missing top-level token permissions to workflows by
[@&#8203;timothyklee](https://redirect.github.com/timothyklee) in
[#&#8203;1566](https://redirect.github.com/ossf/scorecard-action/pull/1566)
- setup codeowners for requesting reviews by
[@&#8203;spencerschrock](https://redirect.github.com/spencerschrock) in
[#&#8203;1576](https://redirect.github.com/ossf/scorecard-action/pull/1576)
- 🌱 Improve printing options by
[@&#8203;deivid-rodriguez](https://redirect.github.com/deivid-rodriguez)
in
[#&#8203;1584](https://redirect.github.com/ossf/scorecard-action/pull/1584)

#### New Contributors

- [@&#8203;timothyklee](https://redirect.github.com/timothyklee) made
their first contribution in
[#&#8203;1566](https://redirect.github.com/ossf/scorecard-action/pull/1566)
- [@&#8203;pankajtaneja5](https://redirect.github.com/pankajtaneja5)
made their first contribution in
[#&#8203;1574](https://redirect.github.com/ossf/scorecard-action/pull/1574)
-
[@&#8203;deivid-rodriguez](https://redirect.github.com/deivid-rodriguez)
made their first contribution in
[#&#8203;1584](https://redirect.github.com/ossf/scorecard-action/pull/1584)

**Full Changelog**:
<ossf/scorecard-action@v2.4.2...v2.4.3>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/google/osv-scanner).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzEuOSIsInVwZGF0ZWRJblZlciI6IjQxLjEzMS45IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

Author: renovate-bot

.github/workflows/codeql-analysis.yml

@@ -48,7 +48,7 @@ jobs:
           go-version-file: go.mod
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        uses: github/codeql-action/init@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -59,7 +59,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        uses: github/codeql-action/autobuild@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -73,4 +73,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        uses: github/codeql-action/analyze@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6

.github/workflows/scorecards.yml

@@ -38,7 +38,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -68,6 +68,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
         with:
           sarif_file: results.sarif

.github/workflows/staleness.yml

@@ -13,7 +13,7 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
         with:
           days-before-stale: 60
           days-before-close: 14