chore(deps): update github actions

[oep-renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/setup-go	action	minor	v6.3.0 → v6.4.0
astral-sh/setup-uv	action	major	v7.5.0 → v8.0.0
debian	container	digest	74d56e3 → f065376
docker/login-action	action	minor	v4.0.0 → v4.1.0
github/codeql-action	action	minor	v4.32.6 → v4.35.1
open-edge-platform/geti-ci	action	digest	cc6fbe8 → 90a5d42
renovatebot/github-action	action	patch	v46.1.5 → v46.1.7
sigstore/cosign-installer	action	patch	v4.1.0 → v4.1.1
step-security/harden-runner	action	minor	v2.15.1 → v2.16.1

---

Release Notes

actions/setup-go (actions/setup-go)

v6.4.0

Compare Source

What's Changed

Enhancement

• Add go-download-base-url input for custom Go distributions by @​gdams in #​721

Dependency update

• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​727

Documentation update

• Rearrange README.md, add advanced-usage.md by @​priyagupta108 in #​724
• Fix Microsoft build of Go link by @​gdams in #​734

New Contributors

• @​gdams made their first contribution in #​721

Full Changelog: actions/setup-go@v6...v6.4.0

astral-sh/setup-uv (astral-sh/setup-uv)

v8.0.0: 🌈 Immutable releases and secure tags

Compare Source

This is the first immutable release of setup-uv 🥳

All future releases are also immutable, if you want to know more about what this means checkout the docs.

This release also has two breaking changes

New format for manifest-file

The previously deprecated way of defining a custom version manifest to control which uv versions are available and where to download them from got removed. The functionality is still there but you have to use the new format.

No more major and minor tags

To increase security even more we will stop publishing minor tags. You won't be able to use @v8 or @v8.0 any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.

[!TIP]
Use the immutable tag as a version astral-sh/setup-uv@v8.0.0
Or even better the githash astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57

🚨 Breaking changes

• Remove update-major-minor-tags workflow @​eifinger (#​826)
• Remove deprecrated custom manifest @​eifinger (#​813)

🧰 Maintenance

• Shortcircuit latest version from manifest @​eifinger (#​828)
• Simplify inputs.ts @​eifinger (#​827)
• Bump release-drafter to v7.1.1 @​eifinger (#​825)
• Refactor inputs @​eifinger (#​823)
• Replace inline compile args with tsconfig @​eifinger (#​824)
• chore: update known checksums for 0.11.2 @​github-actions[bot] (#​821)
• chore: update known checksums for 0.11.1 @​github-actions[bot] (#​817)
• chore: update known checksums for 0.11.0 @​github-actions[bot] (#​815)
• Fix latest-version workflow check @​eifinger (#​812)
• chore: update known checksums for 0.10.11/0.10.12 @​github-actions[bot] (#​811)

v7.6.0: 🌈 Fetch uv from Astral's mirror by default

Compare Source

Changes

We now default to download uv from releases.astral.sh.
This means by default we don't hit the GitHub API at all and shouldn't see any rate limits and timeouts any more.

🚀 Enhancements

• Fetch uv from Astral's mirror by default @​zsol (#​809)

🧰 Maintenance

• Switch to ESM for source and test, use CommonJS for dist @​eifinger (#​806)
• chore: update known checksums for 0.10.10 @​github-actions[bot] (#​804)

⬆️ Dependency updates

• chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 @​dependabot[bot] (#​808)
• Bump deps @​eifinger (#​805)

docker/login-action (docker/login-action)

v4.1.0

Compare Source

• Fix scoped Docker Hub cleanup path when registry is omitted by @​crazy-max in #​945
• Bump @​aws-sdk/client-ecr and @​aws-sdk/client-ecr-public to 3.1020.0 in #​930
• Bump @​docker/actions-toolkit from 0.77.0 to 0.86.0 in #​932 #​936
• Bump brace-expansion from 1.1.12 to 1.1.13 in #​952
• Bump fast-xml-parser from 5.3.4 to 5.3.6 in #​942
• Bump flatted from 3.3.3 to 3.4.2 in #​944
• Bump glob from 10.3.12 to 10.5.0 in #​940
• Bump handlebars from 4.7.8 to 4.7.9 in #​949
• Bump http-proxy-agent and https-proxy-agent to 8.0.0 in #​937
• Bump lodash from 4.17.23 to 4.18.1 in #​958
• Bump minimatch from 3.1.2 to 3.1.5 in #​941
• Bump picomatch from 4.0.3 to 4.0.4 in #​948
• Bump undici from 6.23.0 to 6.24.1 in #​938

Full Changelog: docker/login-action@v4.0.0...v4.1.0

github/codeql-action (github/codeql-action)

v4.35.1

Compare Source

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #​3781

v4.35.0

Compare Source

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #​3767
• Update default CodeQL bundle version to 2.25.1. #​3773

v4.34.1

Compare Source

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #​3762

v4.34.0

Compare Source

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #​3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #​3584
• Update default CodeQL bundle version to 2.25.0. #​3585

v4.33.0

Compare Source

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #​3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #​3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #​3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #​3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #​3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #​3570

renovatebot/github-action (renovatebot/github-action)

v46.1.7

Compare Source

Documentation

• update references to renovatebot/github-action to v46.1.6 (3afa29f)

Miscellaneous Chores

• deps: update dependency typescript-eslint to v8.57.1 (3a47fac)
• deps: update node.js to v24.14.1 (28bb013)

Build System

• deps: lock file maintenance (be2fc08)

Continuous Integration

• deps: update ghcr.io/renovatebot/renovate docker tag to v43.86.1 (8795f0b)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.86.2 (9853f69)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.87.0 (f43553b)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.87.1 (266e52c)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.0 (15d8db4)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.1 (b711f08)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.2 (06c1ac0)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.3 (4509fbc)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.4 (8dd874b)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.5 (908aecf)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.6 (1a40ecc)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.89.8 (82662d1)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.91.1 (40328d7)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.91.4 (977b086)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.91.5 (398a399)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.91.6 (a416aeb)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.92.1 (8c59289)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.95.0 (5312d97)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.96.0 (6016202)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.98.0 (d4812c2)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.99.0 (47f20b6)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.99.1 (dadfa2f)

v46.1.6

Compare Source

Documentation

• update references to renovatebot/github-action to v46.1.5 (f73dab3)

Miscellaneous Chores

• deps: update actions/cache action to v5.0.4 (5d78527)
• deps: update commitlint monorepo to v20.4.4 (797b143)
• deps: update commitlint monorepo to v20.5.0 (1f1c4d0)
• deps: update dependency esbuild to v0.27.4 (f5e1677)
• deps: update dependency lint-staged to v16.3.3 (a40b316)
• deps: update dependency lint-staged to v16.3.4 (db5bf53)
• deps: update dependency lint-staged to v16.4.0 (24e6832)
• deps: update dependency typescript-eslint to v8.57.0 (5c3cd2d)
• deps: update pnpm to v10.32.0 (f8ce6e7)
• deps: update pnpm to v10.32.1 (75912db)

Build System

• deps: lock file maintenance (f21c5d7)

Continuous Integration

• deps: update ghcr.io/renovatebot/renovate docker tag to v43.76.3 (c2bf9c6)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.76.4 (85642ee)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.76.5 (5455749)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.77.0 (85690d1)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.77.2 (ac501fb)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.77.3 (0ef243b)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.77.7 (c8dff7c)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.77.8 (79f4351)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.78.0 (8235b3d)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.80.0 (d443207)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.82.0 (a397fd4)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.83.0 (c026742)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.83.1 (2efa726)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.84.0 (c7f12c5)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.84.1 (d9cd99e)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.84.2 (72d5379)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.85.0 (12252d0)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.86.0 (6bf1d8f)

sigstore/cosign-installer (sigstore/cosign-installer)

v4.1.1

Compare Source

What's Changed

• chore: update default cosign-release to v3.0.5 in #​223

Full Changelog: sigstore/cosign-installer@v4.1.0...v4.1.1

step-security/harden-runner (step-security/harden-runner)

v2.16.1

Compare Source

What's Changed

Enterprise tier: Added support for direct IP addresses in the allow list
Community tier: Migrated Harden Runner telemetry to a new endpoint

Full Changelog: step-security/harden-runner@v2.16.0...v2.16.1

v2.16.0

Compare Source

What's Changed

• Updated action.yml to use node24
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • On day 1 and 15 of the month (* * 1,15 * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.