chore(deps): update github actions monthly minor/patch

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/attest-build-provenance	action	minor	v3.1.0 → v3.2.0
actions/checkout	action	patch	v6.0.1 → v6.0.2
actions/setup-python	action	minor	v6.1.0 → v6.2.0
anchore/sbom-action	action	minor	v0.21.0 → v0.22.1
docker/login-action	action	minor	v3.6.0 → v3.7.0
github/codeql-action	action	minor	v4.31.9 → v4.32.0

---

Release Notes

actions/attest-build-provenance (actions/attest-build-provenance)

v3.2.0

Compare Source

What's Changed

• Bump @​actions/core from 1.11.1 to 2.0.1 by @​dependabot[bot] in #​776
• Add more documentation on Artifact Metadata Storage Records by @​malancas in #​797
• Update actions/attest to latest version v3.2.0 by @​malancas in #​812

Full Changelog: actions/attest-build-provenance@v3.1.0...v3.2.0

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

actions/setup-python (actions/setup-python)

v6.2.0

Compare Source

anchore/sbom-action (anchore/sbom-action)

v0.22.1

Compare Source

v0.22.1

⬆️ Dependencies

• chore(deps): update Syft to v1.41.0 (#​576) [@​anchore-actions-token-generator[bot]]
• chore(deps): bump lodash from 4.17.21 to 4.17.23 (#​573) [@​dependabot[bot]]

v0.22.0

Compare Source

Changes in v0.22.0

⬆️ Dependencies

• chore(deps-dev): bump the dev-dependencies group with 19 updates (#​566) [@​dependabot]
• chore(deps): bump npm-check-updates from 17.1.3 to 19.3.1 (#​567) [@​dependabot]
• chore(deps): update Syft to v1.40.1 (#​563) [@​anchore-actions-token-generator[bot]]

v0.21.1

Compare Source

Changes in v0.21.1

• chore(deps): update Syft to v1.40.0 (#​562) [[anchore-actions-token-generator[bot]](https://github.com/anchore-actions-token-generator[bot])]

docker/login-action (docker/login-action)

v3.7.0

Compare Source

• Add scope input to set scopes for the authentication token by @​crazy-max in #​912
• Add support for AWS European Sovereign Cloud ECR by @​dphi in #​914
• Ensure passwords are redacted with registry-auth input by @​crazy-max in #​911
• build(deps): bump lodash from 4.17.21 to 4.17.23 in #​915

Full Changelog: docker/login-action@v3.6.0...v3.7.0

github/codeql-action (github/codeql-action)

v4.32.0

Compare Source

• Update default CodeQL bundle version to 2.24.0. #​3425

v4.31.11

Compare Source

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #​3409
• Improved error handling throughout the CodeQL Action. #​3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #​3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #​3403

v4.31.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.10 - 12 Jan 2026

• Update default CodeQL bundle version to 2.23.9. #​3393

See the full CHANGELOG.md for more information.

---

Configuration

📅 Schedule: Branch creation - "on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/attest-build-provenance	96278af6caaf10aea03fd8d33a09a777ca52d62f	Unknown	Unknown
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6.6	Details Check Score Reason Maintained 🟢 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/anchore/sbom-action	deef08a0db64bfad603422135db61477b16cef56	🟢 7.1	Details Check Score Reason Maintained 🟢 10 20 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 9 binaries present in source code Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected
actions/docker/login-action	c94ce9fb468520275223c153574b00df6fe4bcc9	🟢 5	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Code-Review 🟢 5 Found 2/4 approved changesets -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities ⚠️ 0 15 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 9 SAST tool detected but not run on all commits
actions/actions/attest-build-provenance	96278af6caaf10aea03fd8d33a09a777ca52d62f	Unknown	Unknown
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6.6	Details Check Score Reason Maintained 🟢 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/anchore/sbom-action	deef08a0db64bfad603422135db61477b16cef56	🟢 7.1	Details Check Score Reason Maintained 🟢 10 20 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 9 binaries present in source code Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected
actions/docker/login-action	c94ce9fb468520275223c153574b00df6fe4bcc9	🟢 5	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Code-Review 🟢 5 Found 2/4 approved changesets -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities ⚠️ 0 15 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 9 SAST tool detected but not run on all commits
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6.6	Details Check Score Reason Maintained 🟢 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 8 2 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-python	a309ff8b426b58ec0e2a45f0f869d46889d02405	🟢 5.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9

Scanned Files

• .github/workflows/drush-alias-image.yaml
• .github/workflows/logs-dispatcher-image.yaml
• .github/workflows/release-tracker.yaml