chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
github/codeql-action	action	minor	v4.34.1 → v4.35.1
gradle/actions	action	patch	v6.0.0 → v6.0.1
sigstore/cosign-installer	action	patch	v4.1.0 → v4.1.1

---

Release Notes

github/codeql-action (github/codeql-action)

v4.35.1

Compare Source

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #​3781

v4.35.0

Compare Source

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #​3767
• Update default CodeQL bundle version to 2.25.1. #​3773

gradle/actions (gradle/actions)

v6.0.1

Compare Source

[!IMPORTANT]
The release of gradle/actions@v6 contains important changes to the license terms. More details in this blog post.
TL;DR: By upgrading to v6, you accept the Terms of Use for the gradle-actions-caching component.

Summary

The license changes in v6 introduced a gradle-actions-caching license notice that is printed in logs and in each job summary.

With this release, the license notice will be muted if build-scan terms have been accepted, or if a Develocity access key is provided.

What's Changed

• Bump actions used in docs by @​Goooler in #​792
• Add typing information for use by typesafegithub by @​bigdaz in #​910
• Mute license warning when terms are accepted by @​bigdaz in #​911
• Mention explicit license acceptance in notice by @​bigdaz in #​912
• Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.21.1 to 2.21.2 in /sources/test/init-scripts in the gradle group across 1 directory by @​dependabot[bot] in #​907

Full Changelog: gradle/actions@v6.0.0...v6.0.1

sigstore/cosign-installer (sigstore/cosign-installer)

v4.1.1

Compare Source

What's Changed

• chore: update default cosign-release to v3.0.5 in #​223

Full Changelog: sigstore/cosign-installer@v4.1.0...v4.1.1

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-without-test-image:pr-233 (debian 13.4)

No Vulnerabilities found

No Misconfigurations found

Python

1 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 0 LOW: 1)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
pip	CVE-2026-1703	LOW	25.3	26.0

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-with-fixed-image-tags:v1.2.3-beta.123 (debian 13.4)

No Vulnerabilities found

No Misconfigurations found

Python

1 known vulnerabilities found (MEDIUM: 0 LOW: 1 CRITICAL: 0 HIGH: 0)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
pip	CVE-2026-1703	LOW	25.3	26.0

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow:pr-233 (debian 13.4)

No Vulnerabilities found

No Misconfigurations found

Python

1 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 0 LOW: 1)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
pip	CVE-2026-1703	LOW	25.3	26.0

No Misconfigurations found

[github-actions]

✅MegaLinter analysis: Success

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	4		0	0	0.13s
✅ COPYPASTE	jscpd	yes		no	no	1.3s
✅ DOCKERFILE	hadolint	1		0	0	0.1s
✅ JSON	jsonlint	3		0	0	0.12s
✅ JSON	prettier	3		0	0	0.43s
✅ JSON	v8r	3		0	0	2.7s
✅ MARKDOWN	markdownlint	1		0	0	0.49s
✅ MARKDOWN	markdown-table-formatter	1		0	0	0.26s
✅ PYTHON	bandit	1		0	0	2.81s
✅ PYTHON	black	1		0	0	1.39s
✅ PYTHON	flake8	1		0	0	0.58s
✅ PYTHON	isort	1		0	0	0.2s
✅ PYTHON	mypy	1		0	0	3.38s
✅ PYTHON	pylint	1		0	0	2.43s
✅ PYTHON	pyright	1		0	0	1.73s
✅ PYTHON	ruff	1		0	0	0.03s
✅ REPOSITORY	checkov	yes		no	no	25.72s
✅ REPOSITORY	dustilock	yes		no	no	0.01s
✅ REPOSITORY	gitleaks	yes		no	no	0.33s
✅ REPOSITORY	git_diff	yes		no	no	0.0s
✅ REPOSITORY	grype	yes		no	no	44.33s
✅ REPOSITORY	kics	yes		no	no	3.31s
✅ REPOSITORY	kingfisher	yes		no	no	6.86s
✅ REPOSITORY	secretlint	yes		no	no	1.23s
✅ REPOSITORY	syft	yes		no	no	2.93s
✅ REPOSITORY	trivy	yes		no	no	9.92s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.16s
✅ REPOSITORY	trufflehog	yes		no	no	5.19s
✅ YAML	prettier	6		0	0	0.58s
✅ YAML	v8r	6		0	0	5.25s
✅ YAML	yamllint	6		0	0	0.81s

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,REPOSITORY_KINGFISHER,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository

[github-actions]

🎉 This PR is included in version 1.11.21 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀