chore(deps): update github actions monthly minor/patch

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/attest-build-provenance	action	minor	v3.0.0 → v3.1.0
actions/checkout	action	patch	v6.0.0 → v6.0.1
anchore/sbom-action	action	minor	v0.20.10 → v0.21.0
docker/setup-buildx-action	action	minor	v3.11.1 → v3.12.0
github/codeql-action	action	patch	v4.31.6 → v4.31.9
rhysd/actionlint	docker	patch	1.7.0 → 1.7.10
tj-actions/changed-files	action	patch	v47.0.0 → v47.0.1

---

Release Notes

actions/attest-build-provenance (actions/attest-build-provenance)

v3.1.0

Compare Source

What's Changed

• Prepare v3 release by @​bdehamer in #​697
• Bump js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​749
• Bump tar from 7.5.1 to 7.5.2 by @​dependabot[bot] in #​753
• Bump glob from 10.4.5 to 10.5.0 by @​dependabot[bot] in #​754
• Bump @​types/node from 24.10.1 to 25.0.2 by @​dependabot[bot] in #​774
• Bump @​actions/attest from 1.6.0 to 2.0.0 by @​dependabot[bot] in #​736
• Bump @​actions/attest from 2.0.0 to 2.1.0 by @​dependabot[bot] in #​775
• Add support for creating artifact metadata storage records by @​malancas in #​779

New Contributors

• @​malancas made their first contribution in #​779

Full Changelog: actions/attest-build-provenance@v3...v3.1.0

actions/checkout (actions/checkout)

v6.0.1

Compare Source

anchore/sbom-action (anchore/sbom-action)

v0.21.0

Compare Source

• chore(deps): update Syft to v1.39.0 (#​561)
• chore(deps): bump @​octokit/request-error, @​octokit/core and @​octokit/webhooks (#​560)
• chore(deps): bump peter-evans/create-pull-request from 7.0.11 to 8.0.0 (#​558)

v0.20.11

Compare Source

Changes in v0.20.11

• update Syft to v1.38.2 (#​557)
• bump @​octokit/plugin-paginate-rest, @​actions/artifact and @​actions/github (#​550) [[dependabot[bot]](https://github.com/dependabot[bot])]
• bump js-yaml (#​552) [[dependabot[bot]](https://github.com/dependabot[bot])]

docker/setup-buildx-action (docker/setup-buildx-action)

v3.12.0

Compare Source

• Deprecate install input by @​crazy-max in #​455
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in #​434
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​436
• Bump form-data from 2.5.1 to 2.5.5 in #​432
• Bump undici from 5.28.4 to 5.29.0 in #​435

Full Changelog: docker/setup-buildx-action@v3.11.1...v3.12.0

github/codeql-action (github/codeql-action)

v4.31.9

Compare Source

v4.31.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.8 - 11 Dec 2025

• Update default CodeQL bundle version to 2.23.8. #​3354

See the full CHANGELOG.md for more information.

v4.31.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.7 - 05 Dec 2025

• Update default CodeQL bundle version to 2.23.7. #​3343

See the full CHANGELOG.md for more information.

tj-actions/changed-files (tj-actions/changed-files)

v47.0.1

Compare Source

What's Changed

• Upgraded to v47 by @​github-actions[bot] in #​2663
• chore(deps-dev): bump @​types/node from 24.3.1 to 24.4.0 by @​dependabot[bot] in #​2664
• chore(deps-dev): bump ts-jest from 29.4.1 to 29.4.3 by @​dependabot[bot] in #​2671
• chore(deps-dev): bump @​vercel/ncc from 0.38.3 to 0.38.4 by @​dependabot[bot] in #​2670
• chore(deps-dev): bump @​types/uuid from 10.0.0 to 11.0.0 by @​dependabot[bot] in #​2668
• chore(deps-dev): bump @​types/node from 24.4.0 to 24.5.2 by @​dependabot[bot] in #​2669
• chore(deps): bump github/codeql-action from 3.30.3 to 3.30.4 by @​dependabot[bot] in #​2675
• chore(deps-dev): bump ts-jest from 29.4.3 to 29.4.4 by @​dependabot[bot] in #​2672
• chore(deps): bump github/codeql-action from 3.30.4 to 3.30.5 by @​dependabot[bot] in #​2676
• chore(deps-dev): bump jest from 30.1.3 to 30.2.0 by @​dependabot[bot] in #​2677
• chore(deps-dev): bump @​types/node from 24.5.2 to 24.6.1 by @​dependabot[bot] in #​2679
• chore(deps-dev): bump @​types/node from 24.6.1 to 24.6.2 by @​dependabot[bot] in #​2681
• chore(deps): bump github/codeql-action from 3.30.5 to 3.30.6 by @​dependabot[bot] in #​2680
• chore(deps-dev): bump @​types/node from 24.6.2 to 24.9.1 by @​dependabot[bot] in #​2695
• chore(deps): bump github/codeql-action from 3.30.6 to 4.30.9 by @​dependabot[bot] in #​2693
• chore(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @​dependabot[bot] in #​2690
• chore(deps): bump github/codeql-action from 4.30.9 to 4.31.2 by @​dependabot[bot] in #​2702
• chore(deps-dev): bump @​types/node from 24.9.1 to 24.9.2 by @​dependabot[bot] in #​2700
• chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in #​2698
• chore(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @​dependabot[bot] in #​2697
• chore(deps-dev): bump @​types/micromatch from 4.0.9 to 4.0.10 by @​dependabot[bot] in #​2699
• chore(deps-dev): bump ts-jest from 29.4.4 to 29.4.5 by @​dependabot[bot] in #​2688
• chore(deps-dev): bump @​types/node from 24.9.2 to 24.10.0 by @​dependabot[bot] in #​2707
• chore(deps): bump @​octokit/rest from 22.0.0 to 22.0.1 by @​dependabot[bot] in #​2705
• chore(deps-dev): bump eslint-plugin-jest from 29.0.1 to 29.1.0 by @​dependabot[bot] in #​2710
• chore(deps-dev): bump @​types/node from 24.10.0 to 24.10.1 by @​dependabot[bot] in #​2711
• chore(deps): bump github/codeql-action from 4.31.2 to 4.31.4 by @​dependabot[bot] in #​2715
• chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 by @​dependabot[bot] in #​2714
• chore(deps): bump nrwl/nx-set-shas from 4.3.3 to 4.4.0 by @​dependabot[bot] in #​2712
• chore(deps-dev): bump prettier from 3.6.2 to 3.7.1 by @​dependabot[bot] in #​2722
• chore(deps): bump github/codeql-action from 4.31.4 to 4.31.5 by @​dependabot[bot] in #​2720
• chore(deps-dev): bump eslint-plugin-jest from 29.1.0 to 29.2.1 by @​dependabot[bot] in #​2719
• chore(deps-dev): bump @​types/lodash from 4.17.20 to 4.17.21 by @​dependabot[bot] in #​2718
• chore(deps): bump peter-evans/create-pull-request from 7.0.8 to 7.0.9 by @​dependabot[bot] in #​2717
• Updated README.md by @​github-actions[bot] in #​2723
• chore(deps): bump yaml from 2.8.1 to 2.8.2 by @​dependabot[bot] in #​2724
• chore(deps-dev): bump @​types/node from 24.10.1 to 25.0.0 by @​dependabot[bot] in #​2738
• chore(deps): bump @​actions/exec from 1.1.1 to 2.0.0 by @​dependabot[bot] in #​2737
• chore(deps-dev): bump ts-jest from 29.4.5 to 29.4.6 by @​dependabot[bot] in #​2727
• chore(deps): bump peter-evans/create-pull-request from 7.0.9 to 8.0.0 by @​dependabot[bot] in #​2735
• chore(deps): bump github/codeql-action from 4.31.5 to 4.31.7 by @​dependabot[bot] in #​2732
• chore(deps): bump actions/setup-node from 6.0.0 to 6.1.0 by @​dependabot[bot] in #​2730
• chore(deps-dev): bump prettier from 3.7.1 to 3.7.4 by @​dependabot[bot] in #​2731
• chore(deps): bump @​actions/core from 1.11.1 to 2.0.0 by @​dependabot[bot] in #​2736
• chore(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @​dependabot[bot] in #​2729

Full Changelog: tj-actions/changed-files@v47...v47.0.1

---

Configuration

📅 Schedule: Branch creation - "on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/attest-build-provenance	00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8	Unknown	Unknown
actions/actions/checkout	8e8c483db84b4bee98b60c0593521ed34d9990e8	🟢 6.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/anchore/sbom-action	a930d0ac434e3182448fe678398ba5713717112a	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy 🟢 10 security policy file detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Packaging 🟢 10 packaging workflow detected Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/docker/setup-buildx-action	8d2750c68a42422c14e847fe6c8ac0403b4cbd6f	🟢 4.5	Details Check Score Reason Maintained 🟢 5 4 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 5 Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 2 Found 2/7 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/actions/attest-build-provenance	00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8	Unknown	Unknown
actions/actions/checkout	8e8c483db84b4bee98b60c0593521ed34d9990e8	🟢 6.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/anchore/sbom-action	a930d0ac434e3182448fe678398ba5713717112a	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 12 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 9 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy 🟢 10 security policy file detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Packaging 🟢 10 packaging workflow detected Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/docker/setup-buildx-action	8d2750c68a42422c14e847fe6c8ac0403b4cbd6f	🟢 4.5	Details Check Score Reason Maintained 🟢 5 4 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 5 Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 2 Found 2/7 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/actions/checkout	8e8c483db84b4bee98b60c0593521ed34d9990e8	🟢 6.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits

Scanned Files

• .github/workflows/drush-alias-image.yaml
• .github/workflows/logs-dispatcher-image.yaml
• .github/workflows/release-tracker.yaml