chore(deps): pin dependencies

[renovate-sh-app]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	pinDigest	→ 34e1148
actions/setup-go	action	pinDigest	→ 40f1582
alpine	final	pinDigest	→ 2510918
anchore/sbom-action	action	pinDigest	→ ab5d7b5
docker/login-action	action	pinDigest	→ c94ce9f
docker/setup-buildx-action	action	pinDigest	→ 8d2750c
docker/setup-qemu-action	action	pinDigest	→ c7c5346
goreleaser/goreleaser-action	action	pinDigest	→ 5742e2a

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[github-actions]

😢 zizmor failed with exit code 14.

Expand for full output

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/base-goreleaser-ci.yaml:29:9
   |
29 |         uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
39 |         uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5
   |         --------------------------------------------------------------------------- runtime artifacts usually published here
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/base-release.yaml:31:9
   |
31 |         uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
48 |         uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5
   |         --------------------------------------------------------------------------- runtime artifacts usually published here
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> ./.github/workflows/ci-delta-to-cumulative.yaml:3:1
  |
3 | / on:
4 | |   workflow_run:
5 | |     workflows: [Continuous Integration]
6 | |     types:
7 | |       - completed
  | |_________________^ workflow_run is almost always used insecurely
  |
  = note: audit confidence → Medium

error[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/release-delta-to-cumulative.yaml:14:5
   |
 8 | /   release:
 9 | |     name: Release delta-to-cumulative
10 | |     uses: ./.github/workflows/base-release.yaml
11 | |     with:
12 | |       distribution: delta-to-cumulative
13 | |     secrets: inherit
14 | |     permissions: write-all
   | |_____^^^^^^^^^^^^^^^^^^^^^^- this job
   |       |
   |       uses write-all permissions
   |
   = note: audit confidence → High

18 findings (7 ignored, 7 suppressed, 2 fixable): 0 informational, 0 low, 0 medium, 4 high