ci(deps): bump the github-actions group with 6 updates

[dependabot]

Bumps the github-actions group with 6 updates:

Package	From	To
step-security/harden-runner	2.11.1	2.12.0
docker/build-push-action	6.15.0	6.16.0
anchore/sbom-action	0.18.0	0.19.0
actions/download-artifact	4.2.1	4.3.0
oxsecurity/megalinter	8.5.0	8.6.0
github/codeql-action	3.28.15	3.28.16

Updates step-security/harden-runner from 2.11.1 to 2.12.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.12.0

What's Changed

1. A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.

2. New detections have been added based on insights from the tj-actions and reviewdog actions incidents.

Full Changelog: step-security/harden-runner@v2...v2.12.0

Commits

• 0634a26 Merge pull request #541 from step-security/rc-20
• 2e3c511 Update action.yml
• 40873e6 Update README.md
• 484c279 Update README.md
• 4c8582f Update agent versions
• e8d595c fix disable_sudo_and_containers bug
• 5d277fc fix journalctl related bug
• ff2ab22 Merge pull request #536 from rohan-stepsecurity/feat/flag/disable-sudo-and-co...
• b81d650 fix: run sudo command only when both disable-sudo and disable-sudo-and-docker...
• 769df4e Update agent
• Additional commits viewable in compare view

Updates docker/build-push-action from 6.15.0 to 6.16.0

Release notes

Sourced from docker/build-push-action's releases.

v6.16.0

• Handle no default attestations env var by @​crazy-max in docker/build-push-action#1343
• Only print secret keys in build summary output by @​crazy-max in docker/build-push-action#1353
• Bump @​docker/actions-toolkit from 0.56.0 to 0.59.0 in docker/build-push-action#1352

Full Changelog: docker/build-push-action@v6.15.0...v6.16.0

Commits

• 14487ce Merge pull request #1343 from crazy-max/fix-no-default-attest
• 0ec9126 Merge pull request #1366 from crazy-max/pr-assign-author
• b749522 pr-assign-author workflow
• c566248 Merge pull request #1363 from crazy-max/fix-codecov
• 13275dd ci: fix missing source for codecov
• 67dc78b Merge pull request #1361 from mschoettle/patch-1
• 0760504 docs: add validating build configuration example
• 1c198f4 chore: update generated content
• 288d9e2 handle no default attestations env var
• 88844b9 Merge pull request #1353 from crazy-max/summary-secret-keys
• Additional commits viewable in compare view

Updates anchore/sbom-action from 0.18.0 to 0.19.0

Release notes

Sourced from anchore/sbom-action's releases.

v0.19.0

Changes in v0.19.0

• chore(deps): update Syft to v1.23.0 (#521)
• chore(deps): bump peter-evans/create-pull-request from 7.0.6 to 7.0.8 (#519)
• chore(deps): bump cross-spawn (#514)

Commits

• 9f73021 chore(deps): update Syft to v1.23.0 (#521)
• a669da5 chore(deps): update Syft to v1.22.0 (#517)
• 5aeee89 chore(deps): bump peter-evans/create-pull-request from 7.0.6 to 7.0.8 (#519)
• 79202ae chore(deps): bump cross-spawn (#514)
• See full diff in compare view

Updates actions/download-artifact from 4.2.1 to 4.3.0

Release notes

Sourced from actions/download-artifact's releases.

v4.3.0

What's Changed

• feat: implement new artifact-ids input by @​GrantBirki in actions/download-artifact#401
• Fix workflow example for downloading by artifact ID by @​joshmgross in actions/download-artifact#402
• Prep for v4.3.0 release by @​robherley in actions/download-artifact#404

New Contributors

• @​GrantBirki made their first contribution in actions/download-artifact#401

Full Changelog: actions/download-artifact@v4.2.1...v4.3.0

Commits

• d3f86a1 Merge pull request #404 from actions/robherley/v4.3.0
• fc02353 prep for v4.3.0 release
• 7745437 Merge pull request #402 from actions/joshmgross/download-by-id-example
• 84fc7a0 Remove path filters from Check dist workflow
• 67f2bc3 Fix workflow example for downloading by artifact ID
• 8ea3c2c Merge pull request #401 from actions/download-by-id
• d219c63 add supporting unit tests for artifact downloads with ids
• 54124fb revert getArtifact() changes - for now we have to list and filter by artifa...
• b83057b bundle
• 171183c use the same artifactClient.getArtifact structure as seen above in `isSingl...
• Additional commits viewable in compare view

Updates oxsecurity/megalinter from 8.5.0 to 8.6.0

Release notes

Sourced from oxsecurity/megalinter's releases.

v8.6.0

What's Changed

• Core

  • New config property ENABLE_ERRORS_LINTERS. If set, only the listed linters will be considered as blocking

• New linters

  • Add cppcheck linter, by @​bdovaz in oxsecurity/megalinter#5224

• Media

  • Integrating MegaLinter to Automate Linting Across Multiple Codebases. A Technical Description, by Thorsten Foltz

• Linters enhancements

  • editorconfig_checker Changes default EditorConfig-Checker config filename by @​llaville in oxsecurity/megalinter#5061
  • TruffleHog: Ignore .git by default if not already done using --exclude-paths option

• Fixes

  • Sanitize all linter outputs by default, by @​nvuillam in oxsecurity/megalinter#5266

• Doc

  • Add j2lint to plugins, by @​wesley-dean in oxsecurity/megalinter#5151
  • Add fmlint (frontmatter linter) to plugins list by @​wesley-dean in oxsecurity/megalinter#5257
  • Remove trailing spaces by @​parkerbxyz in oxsecurity/megalinter#5185

• CI

  • Initial Renovate automerge configuration, by @​echoix in oxsecurity/megalinter#5057
  • Set update schedule for checkov updates, by @​echoix in oxsecurity/megalinter#5064
  • Always upgrade packages from base image for updated security fixes, by @​echoix in oxsecurity/megalinter#5152
  • build-command: Unshallow pull or full pull before committing changes, by @​echoix in oxsecurity/megalinter#5201

• Linter versions upgrades (50)

  • ansible-lint from 25.1.3 to 25.2.1
  • bicep_linter from 0.34.1 to 0.34.44
  • cfn-lint from 1.32.0 to 1.34.1
  • checkov from 3.2.390 to 3.2.404
  • checkstyle from 10.21.4 to 10.23.0
  • clippy from 0.1.85 to 0.1.86
  • clj-kondo from 2025.02.20 to 2025.04.07
  • cpplint from 2.0.0 to 2.0.2
  • cspell from 8.17.5 to 8.19.2
  • dartanalyzer from 3.7.2 to 3.7.3
  • devskim from 1.0.52 to 1.0.56
  • dotnet-format from 9.0.104 to 9.0.105
  • flake8 from 7.1.2 to 7.2.0
  • gitleaks from 8.24.2 to 8.24.3
  • grype from 0.90.0 to 0.91.2
  • kics from 2.1.6 to 2.1.7
  • kubescape from 3.0.32 to 3.0.34
  • lightning-flow-scanner from 3.2.0 to 3.4.0
  • ls-lint from 2.2.3 to 2.3.0

... (truncated)

Changelog

Sourced from oxsecurity/megalinter's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased] (beta, main branch content)

Note: Can be used with oxsecurity/megalinter@beta in your GitHub Action mega-linter.yml file, or with oxsecurity/megalinter:beta docker image

• Core

• New linters

• Disabled linters

• Media

• Linters enhancements

• Fixes

• Reporters

• Doc

• Flavors

• CI

• mega-linter-runner

• Linter versions upgrades (N)

[v8.6.0] - 2024-04-27

• Core

  • New config property ENABLE_ERRORS_LINTERS. If set, only the listed linters will be considered as blocking

• New linters

  • Add cppcheck linter, by @​bdovaz in oxsecurity/megalinter#5224

• Media

  • Integrating MegaLinter to Automate Linting Across Multiple Codebases. A Technical Description, by Thorsten Foltz

• Linters enhancements

  • editorconfig_checker Changes default EditorConfig-Checker config filename by @​llaville in oxsecurity/megalinter#5061
  • TruffleHog: Ignore .git by default if not already done using --exclude-paths option

... (truncated)

Commits

• 04cf22b Release MegaLinter v8.6.0
• 08e1f53 [automation] Auto-update linters version, help and documentation (#5268)
• 75538ac Sanitize all linter outputs by default (#5266)
• e195f05 chore(deps): update dependency v8r to v4.3.0 (#5262)
• 7bcf821 [automation] Auto-update linters version, help and documentation (#5263)
• 389e87d Add fmlint (frontmatter linter) to plugins list (#5257)
• f72c1a8 [automation] Auto-update linters version, help and documentation (#5259)
• 05901b1 chore(deps): update dependency stylelint to v16.19.0 (#5261)
• c88bbe5 chore(deps): update dependency sfdx-hardis to v5.28.0 (#5260)
• 81f99d9 chore(deps): update dependency cfn-lint to v1.34.1 (#5258)
• Additional commits viewable in compare view

Updates github/codeql-action from 3.28.15 to 3.28.16

Release notes

Sourced from github/codeql-action's releases.

v3.28.16

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.16 - 23 Apr 2025

• Update default CodeQL bundle version to 2.21.1. #2863

See the full CHANGELOG.md for more information.

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

3.28.16 - 23 Apr 2025

• Update default CodeQL bundle version to 2.21.1. #2863

3.28.15 - 07 Apr 2025

• Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #2842

3.28.14 - 07 Apr 2025

• Update default CodeQL bundle version to 2.21.0. #2838

3.28.13 - 24 Mar 2025

No user facing changes.

3.28.12 - 19 Mar 2025

• Dependency caching should now cache more dependencies for Java build-mode: none extractions. This should speed up workflows and avoid inconsistent alerts in some cases.
• Update default CodeQL bundle version to 2.20.7. #2810

3.28.11 - 07 Mar 2025

• Update default CodeQL bundle version to 2.20.6. #2793

3.28.10 - 21 Feb 2025

• Update default CodeQL bundle version to 2.20.5. #2772
• Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #2768

3.28.9 - 07 Feb 2025

• Update default CodeQL bundle version to 2.20.4. #2753

3.28.8 - 29 Jan 2025

• Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. #2744

3.28.7 - 29 Jan 2025

No user facing changes.

... (truncated)

Commits

• 28deaed Merge pull request #2865 from github/update-v3.28.16-2a8cbadc0
• 03c5d71 Update changelog for v3.28.16
• 2a8cbad Merge pull request #2863 from github/update-bundle/codeql-bundle-v2.21.1
• f76eaf5 Add changelog note
• e63b3f5 Update default bundle to codeql-bundle-v2.21.1
• 4c3e536 Merge pull request #2853 from github/dependabot/npm_and_yarn/npm-7d84c66b66
• 56dd02f Merge pull request #2852 from github/dependabot/github_actions/actions-457587...
• 192406d Merge branch 'main' into dependabot/github_actions/actions-4575878e06
• c7dbb20 Merge pull request #2857 from github/nickfyson/address-vulns
• 9a45cd8 move use of input variables into env vars
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Compressed layer size comparison

Comparing ghcr.io/philips-software/amp-devcontainer-rust:latest to ghcr.io/philips-software/amp-devcontainer-rust@sha256:0833dc6595b9af2f4828633ee6bb59ff8105e1004e12f49e56ebe881db1e4bac

OS/Platform	Previous Size	Current Size	Delta
linux/amd64	482.86M	482.86M	0.00 (+0.00%)
linux/arm64	434.30M	434.30M	0.00 (+0.00%)

[github-actions]

Compressed layer size comparison

Comparing ghcr.io/philips-software/amp-devcontainer-cpp:latest to ghcr.io/philips-software/amp-devcontainer-cpp@sha256:eec24b4ca48eca30d35f6f49ed83ab203ef4d31648ee5c94d2a07172650344ec

OS/Platform	Previous Size	Current Size	Delta
linux/amd64	692.87M	692.87M	0.00 (+0.00%)
linux/arm64	674.96M	674.96M	0.00 (+0.00%)

[github-actions]

🦙 MegaLinter status: ✅ SUCCESS

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	17		0	0	0.28s
✅ DOCKERFILE	hadolint	2		0	0	0.65s
✅ GHERKIN	gherkin-lint	2		0	0	1.09s
✅ JSON	npm-package-json-lint	yes		no	no	0.42s
✅ JSON	prettier	15	1	0	0	0.36s
✅ JSON	v8r	15		0	0	14.99s
✅ MARKDOWN	markdownlint	9	0	0	0	0.76s
✅ MARKDOWN	markdown-table-formatter	9	0	0	0	0.24s
✅ REPOSITORY	checkov	yes		no	no	14.84s
✅ REPOSITORY	gitleaks	yes		no	no	0.32s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	21.67s
✅ REPOSITORY	secretlint	yes		no	no	0.91s
✅ REPOSITORY	syft	yes		no	no	1.06s
✅ REPOSITORY	trivy	yes		no	no	6.03s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.1s
✅ REPOSITORY	trufflehog	yes		no	no	3.44s
✅ SPELL	lychee	60		0	0	12.5s
✅ YAML	prettier	22	0	0	0	0.64s
✅ YAML	v8r	22		0	0	5.57s
✅ YAML	yamllint	22		0	0	0.48s

See detailed report in MegaLinter reports

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

• oxsecurity/megalinter/flavors/dotnet@v8.6.0 (64 linters)
• oxsecurity/megalinter/flavors/dotnetweb@v8.6.0 (73 linters)

[github-actions]

Test Results

 2 files   2 suites   1m 23s ⏱️
29 tests 29 ✅ 0 💤 0 ❌
31 runs  31 ✅ 0 💤 0 ❌

Results for commit 6d3e5aa.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.

[github-actions]

Pull Request Report (#788)

Static measures

Description	Value
Number of added lines	11
Number of deleted lines	11
Number of changed files	7
Number of commits	1
Number of reviews	0
Number of comments (w/o review comments)	6
Number of reviews that contains a comment to resolve	0
Number of reviews that requested a change from the author	0
Number of reviews that approved the Pull Request	0
Get the total number of participants of a Pull Request	4

Time related measures

Description	Value
PR lead time (from creation to close of PR)	7 Days
Time that was spend on the branch before the PR was created	2 Sec
Time that was spend on the branch before the PR was merged	0 Sec
Time to merge after last review	0 Sec

Status check related measures

Description	Value
Total runtime for last status check run (Workflow for PR)	17.2 Min
Total time spend in last status check run on PR	7 Days