chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 in the actions group #21018

	name: "CodeQL"

	on:
	push:
	branches:
	- main
	- release-*
	pull_request:
	# The branches below must be a subset of the branches above
	branches:
	- main
	merge_group:
	schedule:
	- cron: "36 6 * * 4" # run every Thursday at 06:36 UTC

	concurrency:
	group: ${{ github.ref_name }}-codeql
	cancel-in-progress: true

	permissions:
	contents: read

	jobs:
	checks:
	name: Checks and variables
	runs-on: ubuntu-24.04
	outputs:
	docs_only: ${{ github.event.pull_request && steps.docs.outputs.docs_only == 'true' }}
	steps:
	- name: Checkout Repository
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	fetch-depth: 0

	- name: Filter only docs changes
	id: docs
	run: \|
	files=$(git diff --name-only HEAD^ \| egrep -v "^examples/" \| egrep -v "^README.md")
	if [ -z "$files" ]; then
	echo "docs_only=true" >> $GITHUB_OUTPUT
	else
	echo "docs_only=false" >> $GITHUB_OUTPUT
	fi
	echo $files
	cat $GITHUB_OUTPUT
	shell: bash --noprofile --norc -o pipefail {0}

	analyze:
	if: ${{ needs.checks.outputs.docs_only != 'true' }}
	needs: [checks]
	name: Analyze
	permissions:
	actions: read # for github/codeql-action/init to get workflow details
	contents: read # for actions/checkout to fetch code
	packages: read
	security-events: write # for github/codeql-action/autobuild to send a status report
	uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@a27656f8f9a8748085b434ebe007f5b572709aad # v0.2
	with:
	requested_languages: go,python

Provide feedback