chore(deps): update all-ci-updates

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/cache	action	patch	v4.2.0 -> v4.2.3
actions/setup-go	action	minor	v5.3.0 -> v5.4.0
actions/upload-artifact	action	patch	v4.6.0 -> v4.6.2
aquasecurity/trivy-action	action	minor	v0.29.0 -> 0.30.0
capsule		patch	0.7.3 -> 0.7.4
codecov/codecov-action	action	minor	v5.3.1 -> v5.4.0
fossas/fossa-action	action	minor	v1.5.0 -> v1.6.0
github/codeql-action	action	patch	v3.28.9 -> v3.28.12
goreleaser/goreleaser-action	action	minor	v6.1.0 -> v6.2.1
ossf/scorecard-action	action	patch	v2.4.0 -> v2.4.1
securego/gosec	action	patch	v2.22.0 -> v2.22.2
sigstore/cosign-installer	action	patch	v3.8.0 -> v3.8.1
slsa-framework/slsa-github-generator	action	minor	v2.0.0 -> v2.1.0
zgosalvez/github-actions-ensure-sha-pinned-actions	action	patch	v3.0.21 -> v3.0.22

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

actions/cache (actions/cache)

v4.2.3

Compare Source

What's Changed

• Update to use @​actions/cache 4.0.3 package & prepare for new release by @​salmanmkc in https://github.com/actions/cache/pull/1577 (SAS tokens for cache entries are now masked in debug logs)

New Contributors

• @​salmanmkc made their first contribution in https://github.com/actions/cache/pull/1577

Full Changelog: actions/cache@v4.2.2...v4.2.3

v4.2.2

Compare Source

What's Changed

[!IMPORTANT]
As a reminder, there were important backend changes to release v4.2.0, see those release notes and the announcement for more details.

• Bump @​actions/cache to v4.0.2 by @​robherley in https://github.com/actions/cache/pull/1560

Full Changelog: actions/cache@v4.2.1...v4.2.2

v4.2.1

Compare Source

What's Changed

[!IMPORTANT]
As a reminder, there were important backend changes to release v4.2.0, see those release notes and the announcement for more details.

• docs: GitHub is spelled incorrectly in caching-strategies.md by @​janco-absa in https://github.com/actions/cache/pull/1526
• docs: Make the "always save prime numbers" example more clear by @​Tobbe in https://github.com/actions/cache/pull/1525
• Update force deletion docs due a recent deprecation by @​sebbalex in https://github.com/actions/cache/pull/1500
• Bump @​actions/cache to v4.0.1 by @​robherley in https://github.com/actions/cache/pull/1554

New Contributors

• @​janco-absa made their first contribution in https://github.com/actions/cache/pull/1526
• @​Tobbe made their first contribution in https://github.com/actions/cache/pull/1525
• @​sebbalex made their first contribution in https://github.com/actions/cache/pull/1500

Full Changelog: actions/cache@v4.2.0...v4.2.1

actions/setup-go (actions/setup-go)

v5.4.0

Compare Source

actions/upload-artifact (actions/upload-artifact)

v4.6.2

Compare Source

What's Changed

• Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @​salmanmkc in https://github.com/actions/upload-artifact/pull/685

New Contributors

• @​salmanmkc made their first contribution in https://github.com/actions/upload-artifact/pull/685

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

Compare Source

What's Changed

• Update to use artifact 2.2.2 package by @​yacaovsnc in https://github.com/actions/upload-artifact/pull/673

Full Changelog: actions/upload-artifact@v4...v4.6.1

aquasecurity/trivy-action (aquasecurity/trivy-action)

v0.30.0

Compare Source

What's Changed

• fix: Update default trivy version in README by @​derrix060 in https://github.com/aquasecurity/trivy-action/pull/444
• fix: typo in description of an input for action.yaml by @​yutatokoi in https://github.com/aquasecurity/trivy-action/pull/452
• Improve README/SBOM by @​AB-xdev in https://github.com/aquasecurity/trivy-action/pull/439
• chore: bump trivy to v0.60.0 by @​nikpivkin in https://github.com/aquasecurity/trivy-action/pull/453

New Contributors

• @​derrix060 made their first contribution in https://github.com/aquasecurity/trivy-action/pull/444
• @​yutatokoi made their first contribution in https://github.com/aquasecurity/trivy-action/pull/452
• @​AB-xdev made their first contribution in https://github.com/aquasecurity/trivy-action/pull/439

Full Changelog: aquasecurity/trivy-action@0.29.0...0.30.0

projectcapsule/capsule (capsule)

v0.7.4

Compare Source

Changelog

🚀 Build process updates

• b7a2072: ci: generate seccomp profile within pipeline (#​1325) (@​alegrey91)

Full Changelog: projectcapsule/capsule@v0.7.3...v0.7.4

Docker Images

• ghcr.io/projectcapsule/capsule:0.7.4
• ghcr.io/projectcapsule/capsule:latest

Helm Chart
View this release on Artifact Hub or use the OCI helm chart:

• ghcr.io/projectcapsule/charts/capsule:0.7.4

Review the Major Changes section first before upgrading to a new version

Kubernetes compatibility

[!IMPORTANT]
Note that the Capsule project offers support only for the latest minor version of Kubernetes.
Backwards compatibility with older versions of Kubernetes and OpenShift is offered by vendors.

Kubernetes version	Minimum required
v1.31	>= 1.31.0

Thanks to all the contributors! 🚀 🦄

codecov/codecov-action (codecov/codecov-action)

v5.4.0

Compare Source

What's Changed

• update wrapper submodule to 0.2.0, add recurse_submodules arg by @​matt-codecov in https://github.com/codecov/codecov-action/pull/1780
• build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 by @​app/dependabot in https://github.com/codecov/codecov-action/pull/1775
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @​app/dependabot in https://github.com/codecov/codecov-action/pull/1776
• build(deps): bump github/codeql-action from 3.28.9 to 3.28.10 by @​app/dependabot in https://github.com/codecov/codecov-action/pull/1777
• Clarify in README that use_pypi bypasses integrity checks too by @​webknjaz in https://github.com/codecov/codecov-action/pull/1773
• Fix use of safe.directory inside containers by @​Flamefire in https://github.com/codecov/codecov-action/pull/1768
• Fix description for report_type input by @​craigscott-crascit in https://github.com/codecov/codecov-action/pull/1770
• build(deps): bump github/codeql-action from 3.28.8 to 3.28.9 by @​app/dependabot in https://github.com/codecov/codecov-action/pull/1765
• Fix a typo in the example by @​miranska in https://github.com/codecov/codecov-action/pull/1758
• build(deps): bump github/codeql-action from 3.28.5 to 3.28.8 by @​app/dependabot in https://github.com/codecov/codecov-action/pull/1757
• build(deps): bump github/codeql-action from 3.28.1 to 3.28.5 by @​app/dependabot in https://github.com/codecov/codecov-action/pull/1753

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.3.1..v5.4.0

fossas/fossa-action (fossas/fossa-action)

v1.6.0

Compare Source

What's Changed

• Upgrade node to v20 by @​jssblck in https://github.com/fossas/fossa-action/pull/60
• Update dependencies, enable auto dependabot by @​jssblck in https://github.com/fossas/fossa-action/pull/61

Full Changelog: fossas/fossa-action@v1.5.0...v1.6.0

github/codeql-action (github/codeql-action)

v3.28.12

Compare Source

v3.28.11

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.11 - 07 Mar 2025

• Update default CodeQL bundle version to 2.20.6. #​2793

See the full CHANGELOG.md for more information.

v3.28.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.10 - 21 Feb 2025

• Update default CodeQL bundle version to 2.20.5. #​2772
• Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #​2768

See the full CHANGELOG.md for more information.

goreleaser/goreleaser-action (goreleaser/goreleaser-action)

v6.2.1

Compare Source

What's Changed

This version of the actions adds support for GoReleaser Pro v2.7.0 versioning (which dropped the -pro suffix).
Older versions should work fine.

[!WARNING]
This version is required for GoReleaser Pro v2.7.0+.
Read more here.

Full Changelog: goreleaser/goreleaser-action@v6.2.0...v6.2.1

v6.2.0

Compare Source

What's Changed

This version of the actions adds support for GoReleaser Pro v2.7.0 versioning (which dropped the -pro suffix).
Older versions should work fine.

[!WARNING]
This version is required for GoReleaser Pro v2.7.0+.
Read more here.

Full Changelog: goreleaser/goreleaser-action@v6.1.0...v6.2.0

ossf/scorecard-action (ossf/scorecard-action)

v2.4.1

Compare Source

What's Changed

• This update bumps the Scorecard version to the v5.1.1 release. For a complete list of changes, please refer to the v5.1.0 and v5.1.1 release notes.
• Publishing results now uses half the API quota as before. The exact savings depends on the repository in question.
  • use Scorecard library entrypoint instead of Cobra hooking by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1423
• Some errors were made into annotations to make them more visible
  • Make default branch error more prominent by @​jsoref in https://github.com/ossf/scorecard-action/pull/1459
• There is now an optional file_mode input which controls how repository files are fetched from GitHub. The default is archive, but git produces the most accurate results for repositories with .gitattributes files at the cost of analysis speed.
  • add input for specifying --file-mode by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1509
• The underlying container for the action is now hosted on GitHub Container Registry. There should be no functional changes.
  • 🌱 publish docker images to GitHub Container Registry by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1453

Docs

• Installation docs update by @​JeremiahAHoward in https://github.com/ossf/scorecard-action/pull/1416

New Contributors

• @​JeremiahAHoward made their first contribution in https://github.com/ossf/scorecard-action/pull/1416
• @​jsoref made their first contribution in https://github.com/ossf/scorecard-action/pull/1459
  Full Changelog: ossf/scorecard-action@v2.4.0...v2.4.1

securego/gosec (securego/gosec)

v2.22.2

Compare Source

Changelog

• 136f6c0 Update to go version 1.24.1 and 1.23.7 (#​1313)
• 047453a chore(deps): update all dependencies (#​1310)
• 76ccee5 chore(deps): update all dependencies (#​1308)
• a9eb1c9 Update gosec version in the GitHub action to v2.22.1 (#​1307)
• 89c5da3 chore(deps): update module google.golang.org/api to v0.221.0 (#​1305)

v2.22.1

Compare Source

Changelog

• 43fee88 Update cosign to v2.4.2 (#​1303)
• 7723829 Add support for go 1.24 and phased out support for go 1.22 (#​1302)
• 9552f03 chore(deps): update all dependencies (#​1300)
• f4d2576 Update to go version 1.23.6 and 1.22.12 (#​1299)
• 2258e31 chore(deps): update module google.golang.org/api to v0.219.0 (#​1296)
• fbb0833 chore(deps): update module google.golang.org/api to v0.218.0 (#​1294)
• c66cb56 Add test to conver unit parssing for G115 rule (#​1293)
• 59291a0 Update to go version 1.23.5 and 1.22.11 (#​1291)
• 7466b7c chore(deps): update all dependencies (#​1290)
• 32dcc8a Update gosec in github action to 2.22.0 (#​1286)

sigstore/cosign-installer (sigstore/cosign-installer)

v3.8.1

Compare Source

What's Changed

• use cosign 2.4.3 and other updates by @​cpanato in https://github.com/sigstore/cosign-installer/pull/182

Full Changelog: sigstore/cosign-installer@v3...v3.8.1

slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)

v2.1.0

Compare Source

v2.1.0: Sigstore Bundles for Generic Generator and Go Builder

The workflows generator_generic_slsa3.yml and builder_go_slsa3.yml
have been updated to produce signed Sigstore Bundles, just like all the other builders
that use the BYOB framework.

The workflow logs will now print a LogIndex, rather than a LogUUID. Both are equally searchanble on
https://search.sigstore.dev/.

v2.1.0: Vars context recorded in provenance

• Updated: GitHub vars context is now recorded in provenance for the generic and
  container generators. The vars context cannot affect the build in the Go
  builder so it is not recorded.

zgosalvez/github-actions-ensure-sha-pinned-actions (zgosalvez/github-actions-ensure-sha-pinned-actions)

v3.0.22

Compare Source

What's Changed

• Bump eslint from 9.20.0 to 9.20.1 by @​dependabot in https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/pull/215

Full Changelog: zgosalvez/github-actions-ensure-sha-pinned-actions@v3...v3.0.22

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 0.00%. Comparing base (dbab8d1) to head (8bb242a).
Report is 8 commits behind head on main.

Additional details and impacted files

@@          Coverage Diff          @@
##            main    #652   +/-   ##
=====================================
  Coverage   0.00%   0.00%           
=====================================
  Files          1       1           
  Lines        271     271           
=====================================
  Misses       271     271           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.