chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/create-github-app-token	action	minor	v3.1.1 → v3.2.0
docker.io/library/python	final	patch	3.14.4-slim → 3.14.5-slim
docker/build-push-action	action	minor	v7.1.0 → v7.2.0
docker/login-action	action	minor	v4.1.0 → v4.2.0
docker/metadata-action	action	minor	v6.0.0 → v6.1.0
docker/setup-buildx-action	action	minor	v4.0.0 → v4.1.0
github/codeql-action	action	minor	v4.35.4 → v4.36.0
oxsecurity/megalinter	action	minor	v9.4.0 → v9.5.0
step-security/harden-runner	action	patch	v2.19.1 → v2.19.4
zizmor (source)		minor	1.24.1 → 1.25.2

---

Release Notes

actions/create-github-app-token (actions/create-github-app-token)

v3.2.0

Compare Source

Features

• add support for enterprise-level GitHub Apps (#​263) (952a2a7)
• support full repository names in repositories input (#​372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#​364) (43e5c34)
• validate private-key input (#​376) (f24bbd8)

docker/build-push-action (docker/build-push-action)

v7.2.0

Compare Source

docker/login-action (docker/login-action)

v4.2.0

Compare Source

• Bump @​actions/core from 3.0.0 to 3.0.1 in #​976
• Bump @​aws-sdk/client-ecr and @​aws-sdk/client-ecr-public to 3.1050.0 in #​960
• Bump @​docker/actions-toolkit from 0.86.0 to 0.90.0 in #​970
• Bump brace-expansion from 2.0.1 to 5.0.6 in #​993
• Bump fast-xml-builder from 1.1.4 to 1.2.0 in #​985
• Bump fast-xml-parser from 5.3.6 to 5.8.0 in #​963
• Bump http-proxy-agent and https-proxy-agent to 9.0.0 in #​961
• Bump postcss from 8.5.6 to 8.5.10 in #​979
• Bump tar from 6.2.1 to 7.5.15 in #​991
• Bump vite from 7.3.1 to 7.3.3 in #​986

Full Changelog: docker/login-action@v4.1.0...v4.2.0

docker/metadata-action (docker/metadata-action)

v6.1.0

Compare Source

docker/setup-buildx-action (docker/setup-buildx-action)

v4.1.0

Compare Source

• Bump @​docker/actions-toolkit from 0.79.0 to 0.90.0 in #​489
• Bump brace-expansion from 1.1.12 to 5.0.6 in #​547 #​508
• Bump fast-xml-builder from 1.0.0 to 1.2.0 in #​540
• Bump fast-xml-parser from 5.4.2 to 5.8.0 in #​496
• Bump flatted from 3.3.3 to 3.4.2 in #​499
• Bump glob from 10.3.12 to 13.0.6 in #​495
• Bump handlebars from 4.7.8 to 4.7.9 in #​504
• Bump lodash from 4.17.23 to 4.18.1 in #​523
• Bump picomatch from 4.0.3 to 4.0.4 in #​503
• Bump postcss from 8.5.6 to 8.5.10 in #​537
• Bump tar from 6.2.1 to 7.5.15 in #​545
• Bump undici from 6.23.0 to 6.25.0 in #​492
• Bump vite from 7.3.1 to 7.3.2 in #​520

Full Changelog: docker/setup-buildx-action@v4.0.0...v4.1.0

github/codeql-action (github/codeql-action)

v4.36.0

Compare Source

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #​3894
• Add support for SHA-256 Git object IDs. #​3893
• Update default CodeQL bundle version to 2.25.5. #​3926

v4.35.5

Compare Source

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #​3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #​3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #​3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #​3880

oxsecurity/megalinter (oxsecurity/megalinter)

v9.5.0

Compare Source

Take 2 mn to read MegaLinter v9.5.0 announcements

• Breaking changes

  • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

    • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
    • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
    • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

    GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

  • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

  • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

    • extends: ["airbnb"] → extends: ["airbnb-extended"]
    • extends: ["standard"] → extends: ["neostandard"]

• Core

  • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
  • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
  • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
  • Upgrade GO runtime to 1.26.3

• New linters

  • osv-scanner: trivy-like vulnerability scanner by Google
  • zizmor: GitHub Actions static analysis

• Disabled linters

  • KICS (until upstream security issue is fixed)
  • Spectral (crashing)

• Re-enabled linters

  • Trivy (v0.70.0): the supply chain security incident is resolved

• Deprecated linters

• Removed linters

• Media

• Linters enhancements

  • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
  • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
  • raku (Rakudo): now ships on ARM64 too
  • scala: linter installation is now deterministic (same binary across rebuilds)
  • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
  • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
  • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source

• Fixes

  • Console output: linters now show their log sections (not only on errors), the results table and reporter logs are printed after linters complete, and parallel-run logs are no longer interleaved
  • YAML_V8R_CONFIG_FILE / JSON_V8R_CONFIG_FILE are now correctly applied (the v8r --catalogs option is wired through)
  • lychee: fix the configured headers / Accept settings being ignored
  • Custom flavor builder: works correctly for repositories whose name contains uppercase characters
  • Docs: corrected the documented default value for the pre-commands cwd option

• Reporters

  • Comment reporters (GitHub, GitLab, Azure DevOps, Bitbucket) now work when running MegaLinter from Jenkins CI
  • GitlabCommentReporter activates as soon as GITLAB_ACCESS_TOKEN_MEGALINTER is set (no longer requires CI_JOB_TOKEN)
  • BitbucketCommentReporter: per-linter sections rendered as ### headings (Bitbucket Cloud markdown was displaying the previous <details> HTML tags as literal text)
  • Display a default user notification on PR/console reports inviting users to read the MegaLinter 9.5.0 release announcement. Can be disabled by setting SECURITY_SUGGESTIONS: false.

• Flavors

  • Multi-arch images: In custom flavors, linters can now build for linux/arm64 in addition to linux/amd64 whenever possible (Apple Silicon, AWS Graviton, Ampere…)

• Doc

  • Add documentation for the megalinter-ado Azure DevOps extension and the megalinter-mcp-server MCP server
  • Explicitly discourage the use of Personal Access Tokens (PAT) in workflows for security reasons

• mega-linter-runner

  • New --list-vars [pattern] flag (with --json) lists every MegaLinter env variable that can be passed via -e, with type, default, allowed values and examples (handy for AI coding agents)
  • -e ENABLE_LINTERS=YAML_PRETTIER,YAML_YAMLLINT no longer silently drops values after the first comma (#​7500). The --env=KEY=VALUE long form is also accepted.

• Dev

  • Add CLAUDE.md and a set of /add-linter, /update-linter-version, /review-descriptor, /fix-linter-test, /add-reporter, /add-flavor, /build, /diagnose-config, /fix-security-issue skills to help work on MegaLinter with coding agents (Claude Code, GitHub Copilot, Codex, gemini-cli…)
  • Migrate copilot-instructions into Claude Code Agents & Skills
  • New descriptor capabilities for custom linter integrations: cli_lint_extra_args_after per lint mode (list_of_files / project / file), a {file} template variable usable in command-line args, and a customizable files separator

• CI

  • Run ARM linter jobs only when the commit message contains "ARM" (avoids 200 jobs per PR)
  • Do not push a fix commit if only markdown or JSON files were updated
  • Run osv-scanner on MegaLinter's own sources
  • Optimize the linter-job matrix for dependabot and renovate PRs
  • Exclude test dependencies from dependabot
  • Faster Docker image builds: optimized Dockerfile layer order, buildx layer cache (type=gha, zstd-compressed) on all deploy workflows, DEV pipeline split into parallel jobs sharing the image via cache, and cargo-based tools (sarif-fmt, zizmor, shellcheck-sarif, stylua) built in parallel multi-stage builders so the Rust toolchain no longer ships in the final image (except for clippy)
  • Hardened MegaLinter's own GitHub Actions workflows against script injection via untrusted PR contexts (zizmor findings)

• Linter versions upgrades (62)

  • actionlint from 1.7.11 to 1.7.12
  • ansible-lint from 26.2.0 to 26.4.0
  • bicep_linter from 0.41.2 to 0.43.8
  • black from 26.1.0 to 26.3.1
  • cfn-lint from 1.45.0 to 3.14
  • checkov from 3.2.506 to 3.2.529
  • clippy from 0.1.93 to 0.1.95
  • clj-kondo from 2026.01.19 to 2025.01.16
  • code-analyzer-apex from 5.10.0 to 5.12.0
  • code-analyzer-aura from 5.10.0 to 5.12.0
  • code-analyzer-lwc from 5.10.0 to 5.12.0
  • codespell from 2.4.1 to 2.4.2
  • cspell from 9.7.0 to 10.0.0
  • dartanalyzer from 3.11.1 to 3.11.6
  • dotnet-format from 9.0.114 to 10.0.108
  • eslint from 9.39.4 to 10.3.0
  • gitleaks from 8.30.0 to 8.30.1
  • golangci-lint from 2.10.1 to 2.11.4
  • grype from 0.109.0 to 0.112.0
  • htmlhint from 1.9.1 to 1.9.2
  • isort from 8.0.0 to 8.0.1
  • jscpd from 4.0.8 to 4.1.1
  • kics from 2.1.19 to 2.1.20
  • kingfisher from 1.84.0 to 1.99.0
  • kubescape from 4.0.2 to 4.0.8
  • lychee from 0.18.0 to 0.24.2
  • markdownlint from 0.47.0 to 0.48.0
  • npm-groovy-lint from 16.2.0 to 17.0.5
  • npm-package-json-lint from 9.1.0 to 10.4.0
  • osv-scanner from 2.3.5 to 2.3.8
  • php-cs-fixer from 3.94.2 to 3.95.2
  • phpstan from 2.1.40 to 2.1.54
  • pmd from 7.22.0 to 7.24.0
  • powershell from 7.5.4 to 7.6.1
  • powershell_formatter from 7.5.4 to 7.6.1
  • prettier from 3.8.1 to 3.8.3
  • psalm from Psalm.6.15.1@​ to Psalm.6.16.1@​
  • pyright from 1.1.408 to 1.1.409
  • raku from 2025.11 to 2026.03
  • revive from 1.14.0 to 1.15.0
  • robocop from 8.2.2 to 8.2.8
  • rubocop from 1.85.0 to 1.86.2
  • ruff from 0.15.4 to 0.15.13
  • ruff-format from 0.15.4 to 0.15.13
  • rumdl from 0.1.32 to 0.1.93
  • secretlint from 11.3.1 to 11.7.1
  • semgrep from 1.153.1 to 1.163.0
  • shfmt from 3.12.0 to 3.13.1
  • snakefmt from 0.11.4 to 1.1.0
  • snakemake from 9.16.3 to 9.21.0
  • sqlfluff from 4.0.4 to 4.2.1
  • stylelint from 16.26.1 to 17.11.0
  • stylua from 2.0.0 to 2.4.1
  • syft from 1.42.1 to 1.44.0
  • terraform-fmt from 1.14.5 to 1.15.2
  • terragrunt from 0.99.4 to 1.0.4
  • tflint from 0.61.0 to 0.62.1
  • trivy from 0.69.1 to 0.70.0
  • trivy-sbom from 0.69.1 to 0.70.0
  • trufflehog from 3.93.6 to 3.95.3
  • vale from 3.13.1 to 3.14.2
  • zizmor from 1.23.1 to 1.25.0

step-security/harden-runner (step-security/harden-runner)

v2.19.4

Compare Source

What's Changed

• Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

Compare Source

What's Changed

• Default to audit mode when api-key missing with use-policy-store by @​varunsh-coder in #​665

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

Compare Source

What's Changed

• Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

zizmorcore/zizmor (zizmor)

v1.25.2

Compare Source

Bug Fixes 🐛🔗

• Fixed a bug where the unpinned-tools audit would incorrectly flag the aquasecurity/trivy-action action as installing an unpinned tool version, rather than aquasecurity/setup-trivy (#​2018)

v1.25.1

Compare Source

Bug Fixes 🐛🔗

• Fixed a bug where the cache-poisoning audit would fail to consider release events as exempt from cache usage findings when filtered by a tag condition (#​2004)

• Fixed a typo when suggesting --fix flags for findings (#​2010)

  Many thanks to @​0xdea for implementing this fix!

• Fixed a typo in unpinned-tools annotations (#​2008)

  Many thanks to @​martincostello for implementing this fix!

• Fixed a bug where the github-app audit would incorrectly flag some safe uses of actions/create-github-app-token as unsafe (#​2011)

v1.25.0

Compare Source

New Features 🌈🔗

• zizmor's finding severities can now be remapped on a per-audit basis. See the configuration for details (#​1913)

  Many thanks to @​Proximyst for proposing and implementing this improvement!

• New audit: github-app detects dangerous usages of GitHub App installation tokens (#​1926)

• New audit: [unpinned-tools] detects actions that install tools without pinning to a specific version (#​1820)

• zizmor now accepts the --no-ignores flag to disable all ignore comments and configurations when reporting findings (#​1935)

• zizmor's LSP now honors the --persona flag on the CLI (#​1943)

• zizmor is now aware of Docker-based action definitions, in addition to the pre-existing support for "composite" actions (#​1965)

Enhancements🔗

• Recommend gh issue edit --add-label / gh pr edit --add-label as a replacement for actions-ecosystem/action-add-labels in superfluous-actions

• Recommend gh issue edit --remove-label / gh pr edit --remove-label as a replacement for actions-ecosystem/action-remove-labels in superfluous-actions

• Recommend jq as a replacement for sergeysova/jq-action in superfluous-actions

• Recommend git add, git commit, and git push as a replacement for stefanzweifel/git-auto-commit-action in superfluous-actions

• Recommend git add, git commit, and git push as a replacement for EndBug/add-and-commit in superfluous-actions

• tibdex/github-app-token is now recognized as an archived action by archived-uses (#​1910)

• The [dangerous-triggers] audit now explicitly exempts workflows that only invoke actions/labeler (#​1956)

• The unpinned-images audit now detects unpinned image references in Docker-based action definitions (#​1965)

• zizmor's SARIF output now provides slightly more detailed finding messages (#​1972)

• The archived-uses audit now detects more archived actions (#​1978)

• deno is now recognized as a package-ecosystem in dependabot.yml (#​1991)

Performance Improvements 🚄🔗

• The impostor-commit audit is now significantly faster (in addition to being more correct) when the user has pinned their action to a tag SHA instead of a commit SHA (#​1998)
  Bug Fixes 🐛🔗

• Fixed a crash in the template-injection audit when a workflow uses a parenthesized compound expression in context position (#​1904)

• Fixed a bug where local directory input collection could miss workflows for relative-path invocations from within .github subdirectories (#​1909)

• Fixed a bug where the unpinned-images audit would miss images defined in container: clauses (#​1944)

• Fixed a bug where inline ignore comments could not be easily applied to superfluous-actions findings (#​1945)

• Fixed a bug where the cache-poisoning audit would fail to detect some release trigger patterns (#​1946)

• Fixed a bug where inline ignore comments could not be easily applied to cache-poisoning findings (#​1962)

• Fixed a class of imprecisions where the cache-poisoning audit would incorrectly flag cache usage that doesn't actually occur on release events (#​1940)

  Many thanks to @​reubenwong97 for implementing this fix!

• Fixed a bug where dependabot.yml files containing a private cargo repository couldn't be parsed (#​1976)

• Fixed a bug where zizmor's input validation warnings lacked a mention of which files failed to validate (#​1980)

• Fixed a bug where the impostor-commit audit would falsely indicate impostor commits if an action was pinned to a tag SHA instead of a commit SHA (#​1998)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

✅MegaLinter analysis: Success

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	4		0	0	0.28s
✅ ACTION	zizmor	4		0	0	3.96s
✅ COPYPASTE	jscpd	yes		no	no	1.3s
✅ DOCKERFILE	hadolint	1		0	0	0.31s
✅ JSON	jsonlint	3		0	0	0.11s
✅ JSON	prettier	3		0	0	0.47s
✅ JSON	v8r	3		0	0	3.61s
✅ MARKDOWN	markdownlint	1		0	0	0.79s
✅ MARKDOWN	markdown-table-formatter	1		0	0	0.49s
✅ PYTHON	bandit	1		0	0	2.69s
✅ PYTHON	black	1		0	0	2.35s
✅ PYTHON	flake8	1		0	0	1.7s
✅ PYTHON	isort	1		0	0	0.22s
✅ PYTHON	mypy	1		0	0	4.05s
✅ PYTHON	pylint	1		0	0	4.07s
✅ PYTHON	pyright	1		0	0	2.17s
✅ PYTHON	ruff	1		0	0	0.25s
✅ REPOSITORY	checkov	yes		no	no	34.37s
✅ REPOSITORY	dustilock	yes		no	no	0.08s
✅ REPOSITORY	gitleaks	yes		no	no	0.79s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	61.37s
✅ REPOSITORY	kingfisher	yes		no	no	10.81s
✅ REPOSITORY	osv-scanner	yes		no	no	0.14s
✅ REPOSITORY	secretlint	yes		no	no	1.77s
✅ REPOSITORY	syft	yes		no	no	3.28s
✅ REPOSITORY	trivy	yes		no	no	10.66s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.15s
✅ REPOSITORY	trufflehog	yes		no	no	4.41s
✅ YAML	prettier	7		0	0	0.97s
✅ YAML	v8r	7		0	0	7.43s
✅ YAML	yamllint	7		0	0	0.61s

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.5.0 --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,ACTION_ZIZMOR,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_OSV_SCANNER,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,REPOSITORY_KINGFISHER,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[chgl]

@copilot follow the tips here to use tip: use repositories: 'repo1,repo2' to scope the token to specific repositories. Use the name of the repository in which the reusable workflow is used in.

error[github-app]: dangerous use of GitHub App tokens
--> .github/workflows/standard-release.yaml:52:11
|
46 | - uses: actions/create-github-app-token@HIDDEN_BY_MEGALINTER# v3.2.0
| ------------------------------------------------------------------------ app token requested here
...
52 | owner: ${{ github.repository_owner }}
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ token granted access to all repositories for this owner's app installation
|
= note: audit confidence → High
= tip: use repositories: 'repo1,repo2' to scope the token to specific repositories
= help: audit documentation → https://docs.zizmor.sh/audits/#github-app

error[github-app]: dangerous use of GitHub App tokens
--> .github/workflows/standard-release.yaml:46:15
|
46 | - uses: actions/create-github-app-token@HIDDEN_BY_MEGALINTER# v3.2.0
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ app token inherits blanket installation permissions
|
= note: audit confidence → High
= tip: specify at least one permission-<name> input to limit the token's permissions
= help: audit documentation → https://docs.zizmor.sh/audits/#github-app

3 findings (1 ignored): 0 informational, 0 low, 0 medium, 2 high

[Copilot]

@copilot follow the tips here to use tip: use repositories: 'repo1,repo2' to scope the token to specific repositories. Use the name of the repository in which the reusable workflow is used in.

er...

Fixed in commit 8475af2. The issue was that github.repository returns owner/repo format, but actions/create-github-app-token expects just the repository name. Changed to repositories: ${{ github.event.repository.name }} which returns only the repository name, properly scoping the token to the current repository.

[chgl]

@copilot the ci-inserted .zizmor-standard-lint-defaults.yaml file (standard-lint.yaml) fails with:

1:1       warning  missing document start "---"  (document-start)
8:1       error    too many blank lines (1 > 0)  (empty-lines)

re-format the inline string in the workflow

[Copilot]

@copilot the ci-inserted .zizmor-standard-lint-defaults.yaml file (standard-lint.yaml) fails with:

1:1       warning  missing document start "---"  (document-start)

...

Fixed in commit 75ec35f. Changed the block scalar from | to |- (strips trailing newline so echo doesn't add a second one) and added --- as the first line to satisfy yamllint's document-start rule.

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-without-test-image:pr-244 (debian 13.5)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-with-fixed-image-tags:v1.2.3-beta.123 (debian 13.5)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow:pr-244 (debian 13.5)

No Vulnerabilities found

No Misconfigurations found

Python

No Vulnerabilities found

No Misconfigurations found

[github-actions]

🎉 This PR is included in version 1.11.34 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀