ci(deps): bump the github-actions group across 1 directory with 9 updates

[dependabot]

Bumps the github-actions group with 9 updates in the / directory:

Package	From	To
step-security/harden-runner	2.11.1	2.12.0
reproducible-containers/buildkit-cache-dance	3.1.2	3.2.0
docker/build-push-action	6.15.0	6.16.0
anchore/sbom-action	0.18.0	0.19.0
actions/attest-build-provenance	2.2.3	2.3.0
actions/download-artifact	4.2.1	4.3.0
oxsecurity/megalinter	8.5.0	8.7.0
github/codeql-action	3.28.15	3.28.17
actions/create-github-app-token	2.0.2	2.0.6

Updates step-security/harden-runner from 2.11.1 to 2.12.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.12.0

What's Changed

1. A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.

2. New detections have been added based on insights from the tj-actions and reviewdog actions incidents.

Full Changelog: step-security/harden-runner@v2...v2.12.0

Commits

• 0634a26 Merge pull request #541 from step-security/rc-20
• 2e3c511 Update action.yml
• 40873e6 Update README.md
• 484c279 Update README.md
• 4c8582f Update agent versions
• e8d595c fix disable_sudo_and_containers bug
• 5d277fc fix journalctl related bug
• ff2ab22 Merge pull request #536 from rohan-stepsecurity/feat/flag/disable-sudo-and-co...
• b81d650 fix: run sudo command only when both disable-sudo and disable-sudo-and-docker...
• 769df4e Update agent
• Additional commits viewable in compare view

Updates reproducible-containers/buildkit-cache-dance from 3.1.2 to 3.2.0

Release notes

Sourced from reproducible-containers/buildkit-cache-dance's releases.

v3.2.0

What's Changed

• Allow overriding container image by @​relu in reproducible-containers/buildkit-cache-dance#44
• Added support for running with different builder by @​ty2 in reproducible-containers/buildkit-cache-dance#45
• Determine default cache map from Dockerfile by @​bennesp in reproducible-containers/buildkit-cache-dance#49

New Contributors

• @​relu made their first contribution in reproducible-containers/buildkit-cache-dance#44
• @​ty2 made their first contribution in reproducible-containers/buildkit-cache-dance#45
• @​bennesp made their first contribution in reproducible-containers/buildkit-cache-dance#49

Full Changelog: reproducible-containers/buildkit-cache-dance@v3.1.2...v3.2.0

Commits

• 653a570 Merge pull request #49 from bennesp/automatic-cache-map-discovery
• 429cead generate dist folder
• 611d172 add messages to make debugging easier
• 58a25ae simplify getCacheMapFromDockerfile by hardcoding target
• 5000ee0 apply review suggestions
• dd1601e update README.md
• 2e3c72c update github action yml
• 74013b1 add automatic discovery of caches in Dockerfiles
• 61bd187 Merge pull request #45 from ty2/main
• d39a221 add builder arg
• Additional commits viewable in compare view

Updates docker/build-push-action from 6.15.0 to 6.16.0

Release notes

Sourced from docker/build-push-action's releases.

v6.16.0

• Handle no default attestations env var by @​crazy-max in docker/build-push-action#1343
• Only print secret keys in build summary output by @​crazy-max in docker/build-push-action#1353
• Bump @​docker/actions-toolkit from 0.56.0 to 0.59.0 in docker/build-push-action#1352

Full Changelog: docker/build-push-action@v6.15.0...v6.16.0

Commits

• 14487ce Merge pull request #1343 from crazy-max/fix-no-default-attest
• 0ec9126 Merge pull request #1366 from crazy-max/pr-assign-author
• b749522 pr-assign-author workflow
• c566248 Merge pull request #1363 from crazy-max/fix-codecov
• 13275dd ci: fix missing source for codecov
• 67dc78b Merge pull request #1361 from mschoettle/patch-1
• 0760504 docs: add validating build configuration example
• 1c198f4 chore: update generated content
• 288d9e2 handle no default attestations env var
• 88844b9 Merge pull request #1353 from crazy-max/summary-secret-keys
• Additional commits viewable in compare view

Updates anchore/sbom-action from 0.18.0 to 0.19.0

Release notes

Sourced from anchore/sbom-action's releases.

v0.19.0

Changes in v0.19.0

• chore(deps): update Syft to v1.23.0 (#521)
• chore(deps): bump peter-evans/create-pull-request from 7.0.6 to 7.0.8 (#519)
• chore(deps): bump cross-spawn (#514)

Commits

• 9f73021 chore(deps): update Syft to v1.23.0 (#521)
• a669da5 chore(deps): update Syft to v1.22.0 (#517)
• 5aeee89 chore(deps): bump peter-evans/create-pull-request from 7.0.6 to 7.0.8 (#519)
• 79202ae chore(deps): bump cross-spawn (#514)
• See full diff in compare view

Updates actions/attest-build-provenance from 2.2.3 to 2.3.0

Release notes

Sourced from actions/attest-build-provenance's releases.

v2.3.0

What's Changed

• Bump actions/attest from 2.2.1 to 2.3.0 by @​bdehamer in actions/attest-build-provenance#615
  • Updates @sigstore/oci from 0.4.0 to 0.5.0

Full Changelog: actions/attest-build-provenance@v2.2.3...v2.3.0

Commits

• db473fd bump actions/attest from 2.2.1 to 2.3.0 (#615)
• d3b713a Bump the actions-minor group with 2 updates (#566)
• e042adb Bump the npm-development group with 4 updates (#567)
• 9d3beef Bump the npm-development group with 4 updates (#554)
• 877f50d Bump typescript-eslint in the npm-development group (#516)
• b7ab740 Bump the npm-development group across 1 directory with 6 updates (#506)
• See full diff in compare view

Updates actions/download-artifact from 4.2.1 to 4.3.0

Release notes

Sourced from actions/download-artifact's releases.

v4.3.0

What's Changed

• feat: implement new artifact-ids input by @​GrantBirki in actions/download-artifact#401
• Fix workflow example for downloading by artifact ID by @​joshmgross in actions/download-artifact#402
• Prep for v4.3.0 release by @​robherley in actions/download-artifact#404

New Contributors

• @​GrantBirki made their first contribution in actions/download-artifact#401

Full Changelog: actions/download-artifact@v4.2.1...v4.3.0

Commits

• d3f86a1 Merge pull request #404 from actions/robherley/v4.3.0
• fc02353 prep for v4.3.0 release
• 7745437 Merge pull request #402 from actions/joshmgross/download-by-id-example
• 84fc7a0 Remove path filters from Check dist workflow
• 67f2bc3 Fix workflow example for downloading by artifact ID
• 8ea3c2c Merge pull request #401 from actions/download-by-id
• d219c63 add supporting unit tests for artifact downloads with ids
• 54124fb revert getArtifact() changes - for now we have to list and filter by artifa...
• b83057b bundle
• 171183c use the same artifactClient.getArtifact structure as seen above in `isSingl...
• Additional commits viewable in compare view

Updates oxsecurity/megalinter from 8.5.0 to 8.7.0

Release notes

Sourced from oxsecurity/megalinter's releases.

v8.7.0

What's Changed

• Core

  • Replace pychalk (not maintained for 7 years) by termcolor, by @​nvuillam in oxsecurity/megalinter#5316
  • Update make scripts so they also work on Windows, by @​nvuillam in oxsecurity/megalinter#5316
  • Align number columns of markdown tables in reports, by @​nvuillam in oxsecurity/megalinter#4835

• Linters enhancements

  • Add new CSharpier supported file extensions, by @​bdovaz in oxsecurity/megalinter#5292

• Fixes

  • Exclude from sanitization the regular expressions that have awful performances, by @​nvuillam in oxsecurity/megalinter#5308
  • New variable SKIP_LINTER_OUTPUT_SANITIZATION to skip sanitization to improve performances if you are on a private repository with secured access, by @​nvuillam in oxsecurity/megalinter#5308

• Linter versions upgrades (27)

  • ansible-lint from 25.2.1 to 25.4.0
  • bicep_linter from 0.34.44 to 0.35.1
  • cfn-lint from 1.34.1 to 1.34.2
  • checkov from 3.2.404 to 3.2.413
  • checkstyle from 10.23.0 to 10.23.1
  • csharpier from 0.30.6 to 1.0.1
  • cspell from 8.19.2 to 8.19.4
  • gitleaks from 8.24.3 to 8.25.1
  • golangci-lint from 1.64.8 to 2.1.5
  • lightning-flow-scanner from 3.4.0 to 3.8.0
  • phpstan from 2.1.12 to 2.1.14
  • pmd from 7.12.0 to 7.13.0
  • powershell from 7.5.0 to 7.5.1
  • protolint from 0.53.0 to 0.54.1
  • psalm from 6.10.1 to 6.10.2
  • rubocop from 1.75.3 to 1.75.4
  • ruff from 0.11.6 to 0.11.8
  • ruff-format from 0.11.6 to 0.11.8
  • secretlint from 9.3.1 to 9.3.2
  • stylelint from 16.19.0 to 16.19.1
  • terragrunt from 0.77.22 to 0.78.0
  • tflint from 0.56.0 to 0.57.0
  • trivy from 0.61.1 to 0.62.0
  • trivy-sbom from 0.61.1 to 0.62.0
  • v8r from 4.3.0 to 4.4.0
  • yamllint from 1.37.0 to 1.37.1

Full Changelog: oxsecurity/megalinter@v8.6.0...v8.7.0

v8.6.0

What's Changed

... (truncated)

Changelog

Sourced from oxsecurity/megalinter's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased] (beta, main branch content)

Note: Can be used with oxsecurity/megalinter@beta in your GitHub Action mega-linter.yml file, or with oxsecurity/megalinter:beta docker image

• Core

• New linters

• Disabled linters

• Media

• Linters enhancements

• Fixes

• Reporters

• Doc

• Flavors

• CI

• mega-linter-runner

• Linter versions upgrades (N)

  • golangci-lint from 2.1.5 to 2.1.6 on 2025-05-04
  • pylint from 3.3.6 to 3.3.7 on 2025-05-04

[v8.7.0] - 2024-05-04

• Core

  • Replace pychalk (not maintained for 7 years) by termcolor, by @​nvuillam in oxsecurity/megalinter#5316
  • Update make scripts so they also work on Windows, by @​nvuillam in oxsecurity/megalinter#5316
  • Align number columns of markdown tables in reports, by @​nvuillam in oxsecurity/megalinter#4835

• Linters enhancements

  • Add new CSharpier supported file extensions, by @​bdovaz in oxsecurity/megalinter#5292

• Fixes

  • Exclude from sanitization the regular expressions that have awful performances, by @​nvuillam in oxsecurity/megalinter#5308
  • New variable SKIP_LINTER_OUTPUT_SANITIZATION to skip sanitization to improve performances if you are on a private repository with secured access, by @​nvuillam in oxsecurity/megalinter#5308

... (truncated)

Commits

• 5a91fb0 Release MegaLinter v8.7.0
• 940b9d0 [automation] Auto-update linters version, help and documentation (#5334)
• 61a6678 chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.7.2 (#5336)
• 4f16aac chore(deps): update dependency astral-sh/uv to v0.7.2 (#5335)
• c0d5a5c Align number columns of markdown tables in reports (#4835)
• b52216a [automation] Auto-update linters version, help and documentation (#5330)
• 636085e chore(deps): update dependency yamllint to v1.37.1 (#5333)
• d96277c chore(deps): update dependency eslint-plugin-prettier to v5.3.1 (#5332)
• 8b2f83f chore(deps): update dependency redis to v6 (#5329)
• 87cb4a8 chore(deps): update zricethezav/gitleaks docker tag to v8.25.1 (#5328)
• Additional commits viewable in compare view

Updates github/codeql-action from 3.28.15 to 3.28.17

Release notes

Sourced from github/codeql-action's releases.

v3.28.17

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.17 - 02 May 2025

• Update default CodeQL bundle version to 2.21.2. #2872

See the full CHANGELOG.md for more information.

v3.28.16

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.16 - 23 Apr 2025

• Update default CodeQL bundle version to 2.21.1. #2863

See the full CHANGELOG.md for more information.

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

3.28.17 - 02 May 2025

• Update default CodeQL bundle version to 2.21.2. #2872

3.28.16 - 23 Apr 2025

• Update default CodeQL bundle version to 2.21.1. #2863

3.28.15 - 07 Apr 2025

• Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #2842

3.28.14 - 07 Apr 2025

• Update default CodeQL bundle version to 2.21.0. #2838

3.28.13 - 24 Mar 2025

No user facing changes.

3.28.12 - 19 Mar 2025

• Dependency caching should now cache more dependencies for Java build-mode: none extractions. This should speed up workflows and avoid inconsistent alerts in some cases.
• Update default CodeQL bundle version to 2.20.7. #2810

3.28.11 - 07 Mar 2025

• Update default CodeQL bundle version to 2.20.6. #2793

3.28.10 - 21 Feb 2025

• Update default CodeQL bundle version to 2.20.5. #2772
• Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #2768

3.28.9 - 07 Feb 2025

• Update default CodeQL bundle version to 2.20.4. #2753

3.28.8 - 29 Jan 2025

• Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. #2744

... (truncated)

Commits

• 60168ef Merge pull request #2886 from github/update-v3.28.17-97a2bfd2a
• 0d5a311 Update changelog for v3.28.17
• 97a2bfd Merge pull request #2872 from github/update-bundle/codeql-bundle-v2.21.2
• 9aba20e Merge branch 'main' into update-bundle/codeql-bundle-v2.21.2
• 81a9508 Merge pull request #2876 from github/henrymercer/fix-diff-informed-multiple-a...
• 1569f4c Disable diff-informed queries in code scanning config tests
• 62fbeb6 Merge branch 'main' into henrymercer/fix-diff-informed-multiple-analyze
• f122d1d Address test failures from computing temporary directory too early
• 083772a Do not fail diff informed analyses when analyze is run twice in the same job
• 5db14d0 Merge branch 'main' into update-bundle/codeql-bundle-v2.21.2
• Additional commits viewable in compare view

Updates actions/create-github-app-token from 2.0.2 to 2.0.6

Release notes

Sourced from actions/create-github-app-token's releases.

v2.0.6

2.0.6 (2025-05-03)

Bug Fixes

• replace - with _ (#246) (3336784)

v2.0.5

2.0.5 (2025-05-02)

Bug Fixes

• deps: bump the production-dependencies group with 3 updates (#240) (d64d7d7)

v2.0.4

2.0.4 (2025-05-02)

Bug Fixes

• permission input handling (#243) (2950cbc)

v2.0.3

2.0.3 (2025-05-01)

Bug Fixes

• README: use v2 in examples (#234) (9ba274d), closes #232
• use core.getBooleanInput() to retrieve boolean input values (#223) (c3c17c7)

Commits

• df432ce build(release): 2.0.6 [skip ci]
• 3336784 fix: replace - with _ (#246)
• db3cdf4 build(release): 2.0.5 [skip ci]
• d64d7d7 fix(deps): bump the production-dependencies group with 3 updates (#240)
• 1b6f53e build(deps-dev): bump the development-dependencies group across 1 directory w...
• 061a84d build(deps-dev): bump @​octokit/openapi from 18.2.0 to 19.0.0 (#242)
• c8f34a6 build(deps): bump stefanzweifel/git-auto-commit-action from 5.1.0 to 5.2.0 in...
• 4821f52 build(release): 2.0.4 [skip ci]
• 2950cbc fix: permission input handling (#243)
• 30bf625 build(release): 2.0.3 [skip ci]
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Compressed layer size comparison

Comparing ghcr.io/philips-software/amp-devcontainer-rust:latest to ghcr.io/philips-software/amp-devcontainer-rust@sha256:773a8256b38992522ef178857face078da2d0a8e30217fec3fecf1008bdd4db2

OS/Platform	Previous Size	Current Size	Delta
linux/amd64	482.86M	482.86M	0.00 (+0.00%)
linux/arm64	434.30M	434.30M	0.00 (+0.00%)

[github-actions]

Compressed layer size comparison

Comparing ghcr.io/philips-software/amp-devcontainer-cpp:latest to ghcr.io/philips-software/amp-devcontainer-cpp@sha256:f9f7c03b5b5106b60f50d8af0dda7e8ad8f70a6b65751434c26ca1607c0062b3

OS/Platform	Previous Size	Current Size	Delta
linux/amd64	692.87M	692.87M	0.00 (+0.00%)
linux/arm64	674.96M	674.96M	0.00 (+0.00%)

[github-actions]

🦙 MegaLinter status: ✅ SUCCESS

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ DOCKERFILE	hadolint	2		0	0	0.7s
✅ GHERKIN	gherkin-lint	2		0	0	1.03s
✅ JSON	npm-package-json-lint	yes		no	no	0.34s
✅ JSON	prettier	15	1	0	0	0.35s
✅ JSON	v8r	15		0	0	8.37s
✅ MARKDOWN	markdownlint	9	0	0	0	0.7s
✅ MARKDOWN	markdown-table-formatter	9	0	0	0	0.25s
✅ REPOSITORY	checkov	yes		no	no	15.46s
✅ REPOSITORY	gitleaks	yes		no	no	0.27s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	21.87s
✅ REPOSITORY	secretlint	yes		no	no	0.9s
✅ REPOSITORY	syft	yes		no	no	1.02s
✅ REPOSITORY	trivy	yes		no	no	6.61s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.09s
✅ REPOSITORY	trufflehog	yes		no	no	3.59s
✅ SPELL	lychee	60		0	0	11.43s
✅ YAML	prettier	22	0	0	0	0.7s
✅ YAML	v8r	22		0	0	6.1s
✅ YAML	yamllint	22		0	0	0.48s

See detailed report in MegaLinter reports

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

• oxsecurity/megalinter/flavors/dotnet@v8.7.0 (64 linters)
• oxsecurity/megalinter/flavors/dotnetweb@v8.7.0 (73 linters)

[github-actions]

Test Results

 2 files   2 suites   1m 18s ⏱️
29 tests 29 ✅ 0 💤 0 ❌
31 runs  31 ✅ 0 💤 0 ❌

Results for commit 41da09a.

[github-actions]

Pull Request Report (#790)

Static measures

Description	Value
Number of added lines	17
Number of deleted lines	17
Number of changed files	9
Number of commits	1
Number of reviews	1
Number of comments (w/o review comments)	5
Number of reviews that contains a comment to resolve	0
Number of reviews that requested a change from the author	0
Number of reviews that approved the Pull Request	1
Get the total number of participants of a Pull Request	4

Time related measures

Description	Value
PR lead time (from creation to close of PR)	2 Days
Time that was spend on the branch before the PR was created	2 Sec
Time that was spend on the branch before the PR was merged	2 Days
Time to merge after last review	1 Sec

Status check related measures

Description	Value
Total runtime for last status check run (Workflow for PR)	17.9 Min
Total time spend in last status check run on PR	2 Days

[github-actions]

🎉 Hooray! The changes in this pull request went live with the release of v6.0.2 🎉