chore(deps): update github actions (#1997)

oep-renovate[bot] · web-flow · commit 7fc111d0accc · 2026-01-02T11:22:09.000Z
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/download-artifact](https://redirect.github.com/actions/download-artifact) | action | major | `v6` → `v7` | | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | major | `v5.0.0` → `v6.0.0` | | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | major | `v5` → `v6` | | [astral-sh/setup-uv](https://redirect.github.com/astral-sh/setup-uv) | action | patch | `v7.1.5` → `v7.1.6` | | [codecov/codecov-action](https://redirect.github.com/codecov/codecov-action) | action | patch | `v5.5.1` → `v5.5.2` | | dtolnay/rust-toolchain | action | digest | `0b1efab` → `f7ccc83` | | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | `v4.31.7` → `v4.31.9` | | open-edge-platform/geti-ci | action | digest | `6665242` → `d30e322` | | [renovatebot/github-action](https://redirect.github.com/renovatebot/github-action) | action | minor | `v44.0.5` → `v44.2.2` | | [step-security/harden-runner](https://redirect.github.com/step-security/harden-runner) | action | minor | `v2.13.3` → `v2.14.0` | --- ### Release Notes <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v7`](https://redirect.github.com/actions/download-artifact/compare/v6...v7) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v6...v7) </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v6.0.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v6.0.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0) #### v6 - What's new > \[!IMPORTANT] > actions/upload-artifact\@&#8203;v6 now runs on Node.js 24 (`runs.using: node24`) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading. ##### Node.js 24 This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24. #### What's Changed - Upload Artifact Node 24 support by [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in [#&#8203;719](https://redirect.github.com/actions/upload-artifact/pull/719) - fix: update [@&#8203;actions/artifact](https://redirect.github.com/actions/artifact) for Node.js 24 punycode deprecation by [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in [#&#8203;744](https://redirect.github.com/actions/upload-artifact/pull/744) - prepare release v6.0.0 for Node.js 24 support by [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in [#&#8203;745](https://redirect.github.com/actions/upload-artifact/pull/745) **Full Changelog**: <actions/upload-artifact@v5.0.0...v6.0.0> </details> <details> <summary>astral-sh/setup-uv (astral-sh/setup-uv)</summary> ### [`v7.1.6`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v7.1.6): 🌈 add OS version to cache key to prevent binary incompatibility [Compare Source](https://redirect.github.com/astral-sh/setup-uv/compare/v7.1.5...v7.1.6) ##### Changes This release will invalidate your cache existing keys! The os version e.g. `ubuntu-22.04` is now part of the cache key. This prevents failing builds when a cache got populated with wheels built with different tools (e.g. glibc) than are present on the runner where the cache got restored. ##### 🐛 Bug fixes - feat: add OS version to cache key to prevent binary incompatibility [@&#8203;eifinger](https://redirect.github.com/eifinger) ([#&#8203;716](https://redirect.github.com/astral-sh/setup-uv/issues/716)) ##### 🧰 Maintenance - chore: update known checksums for 0.9.17 @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#&#8203;714](https://redirect.github.com/astral-sh/setup-uv/issues/714)) ##### ⬆️ Dependency updates - Bump actions/checkout from 5.0.0 to 6.0.1 @&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#&#8203;712](https://redirect.github.com/astral-sh/setup-uv/issues/712)) - Bump actions/setup-node from 6.0.0 to 6.1.0 @&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot) ([#&#8203;715](https://redirect.github.com/astral-sh/setup-uv/issues/715)) </details> <details> <summary>codecov/codecov-action (codecov/codecov-action)</summary> ### [`v5.5.2`](https://redirect.github.com/codecov/codecov-action/blob/HEAD/CHANGELOG.md#v552) [Compare Source](https://redirect.github.com/codecov/codecov-action/compare/v5.5.1...v5.5.2) ##### What's Changed **Full Changelog**: <https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2> </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v4.31.9`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.9) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.8...v4.31.9) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. ##### 4.31.9 - 16 Dec 2025 No user facing changes. See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.9/CHANGELOG.md) for more information. ### [`v4.31.8`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.8) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.7...v4.31.8) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. ##### 4.31.8 - 11 Dec 2025 - Update default CodeQL bundle version to 2.23.8. [#&#8203;3354](https://redirect.github.com/github/codeql-action/pull/3354) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.8/CHANGELOG.md) for more information. </details> <details> <summary>renovatebot/github-action (renovatebot/github-action)</summary> ### [`v44.2.2`](https://redirect.github.com/renovatebot/github-action/releases/tag/v44.2.2) [Compare Source](https://redirect.github.com/renovatebot/github-action/compare/v44.2.1...v44.2.2) ##### Documentation - update references to ghcr.io/renovatebot/renovate to v42.66.11 ([9c0b56a](https://redirect.github.com/renovatebot/github-action/commit/9c0b56ab34cb14a58746d6c08b1dde9a477e4b72)) - update references to renovatebot/github-action to v44.2.1 ([906c039](https://redirect.github.com/renovatebot/github-action/commit/906c039a916ffd783ccbd76fdbbb845474c17bb3)) ##### Miscellaneous Chores - **deps:** update dependency esbuild to v0.27.2 ([bb5f07e](https://redirect.github.com/renovatebot/github-action/commit/bb5f07e3c9969d12c147c108687adcb110914930)) - **deps:** update dependency typescript-eslint to v8.50.0 ([b40a4bd](https://redirect.github.com/renovatebot/github-action/commit/b40a4bd7254ef4bc5b06ef668aebbfe77ff87e14)) - **deps:** update pnpm to v10.26.0 ([23acce4](https://redirect.github.com/renovatebot/github-action/commit/23acce431e3259ce696bf65e90ffde6f5ededdde)) - **deps:** update pnpm to v10.26.1 ([9eaf572](https://redirect.github.com/renovatebot/github-action/commit/9eaf57219202e7077766f442e42dc4eb8c180eae)) ##### Build System - **deps:** lock file maintenance ([79c82e7](https://redirect.github.com/renovatebot/github-action/commit/79c82e73b230664d999879c5fd8c7143fb19a561)) ##### Continuous Integration - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.66.0 ([afe7d71](https://redirect.github.com/renovatebot/github-action/commit/afe7d7182cb3bd5e1d4c1f1d33d34072d3278f10)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.66.1 ([898b73a](https://redirect.github.com/renovatebot/github-action/commit/898b73ae84b4d69ad66ee382ca5a427f61829717)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.66.10 ([3d1fd31](https://redirect.github.com/renovatebot/github-action/commit/3d1fd31eb1d11d98974f608317accb622d7d3065)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.66.11 ([0f6b0de](https://redirect.github.com/renovatebot/github-action/commit/0f6b0debed4e966a5c57a42e56e445d7c4ef6a16)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.66.2 ([b0a7f47](https://redirect.github.com/renovatebot/github-action/commit/b0a7f47b23b92f054c164c9fc67fd4738b38fa72)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.66.3 ([900ad8b](https://redirect.github.com/renovatebot/github-action/commit/900ad8b497320e840578c2aa6fb022d326aee83d)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.66.4 ([af30e3d](https://redirect.github.com/renovatebot/github-action/commit/af30e3dc6d15e6c571ae6a49c7c82919cf62ea5c)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.66.6 ([b5af880](https://redirect.github.com/renovatebot/github-action/commit/b5af880914852b25a330a650f2a8a755d3a87d00)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.66.7 ([4252d17](https://redirect.github.com/renovatebot/github-action/commit/4252d1759faa3719edde85386b4857ba1c457e68)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.66.8 ([5df582b](https://redirect.github.com/renovatebot/github-action/commit/5df582bd0681f78b953316c8cb025e5c4ddd4c97)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.66.9 ([b7d6423](https://redirect.github.com/renovatebot/github-action/commit/b7d64230288abf34b7f4b4f90cd6580684a0717d)) - **deps:** update renovate docker tag to v42.65.1 ([bc6b9c3](https://redirect.github.com/renovatebot/github-action/commit/bc6b9c3ae84d669a5c031f264e156758be5d57f0)) - **deps:** update renovate docker tag to v42.66.0 ([71aa71b](https://redirect.github.com/renovatebot/github-action/commit/71aa71bc61c00c3124a2a802b3ba13f28ee7892a)) - **deps:** update renovate docker tag to v42.66.1 ([2723a33](https://redirect.github.com/renovatebot/github-action/commit/2723a334f0f77f7ba9fdd78375ee290fd3516e92)) - **deps:** update renovate docker tag to v42.66.10 ([721cfa9](https://redirect.github.com/renovatebot/github-action/commit/721cfa905d8636b81782a7d9062d189ce4200e2c)) - **deps:** update renovate docker tag to v42.66.11 ([5c35d7d](https://redirect.github.com/renovatebot/github-action/commit/5c35d7dbd4951e20a1e9e0e0cb8d87ea4306a1ce)) - **deps:** update renovate docker tag to v42.66.2 ([9d99aa6](https://redirect.github.com/renovatebot/github-action/commit/9d99aa6c5d71d3a20cddbce90e2d8147e589f83e)) - **deps:** update renovate docker tag to v42.66.3 ([9fe00f9](https://redirect.github.com/renovatebot/github-action/commit/9fe00f9cdbabc0a650e2b692ca1b85e490c133dd)) - **deps:** update renovate docker tag to v42.66.4 ([6d78056](https://redirect.github.com/renovatebot/github-action/commit/6d78056fa75d57f04b139f01238a5b3a324487c1)) - **deps:** update renovate docker tag to v42.66.6 ([47006da](https://redirect.github.com/renovatebot/github-action/commit/47006daa2ce23861fe61d42431093a1e5a3b05c3)) - **deps:** update renovate docker tag to v42.66.7 ([b2ffaf3](https://redirect.github.com/renovatebot/github-action/commit/b2ffaf3f8a5d4ce7f7f0a25e97e0bd7d6187c6bc)) - **deps:** update renovate docker tag to v42.66.8 ([adad170](https://redirect.github.com/renovatebot/github-action/commit/adad17015c735c8b1f417ddf1f7f19750a140881)) - **deps:** update renovate docker tag to v42.66.9 ([7f73763](https://redirect.github.com/renovatebot/github-action/commit/7f73763a4105e9c4c79618e437f48e0283fc2346)) ### [`v44.2.1`](https://redirect.github.com/renovatebot/github-action/releases/tag/v44.2.1) [Compare Source](https://redirect.github.com/renovatebot/github-action/compare/v44.2.0...v44.2.1) ##### Documentation - update references to ghcr.io/renovatebot/renovate to v42.64.1 ([49d52c8](https://redirect.github.com/renovatebot/github-action/commit/49d52c8c479ec1539e1728b25daade20bd3c64cc)) - update references to renovatebot/github-action to v44.2.0 ([ffe582e](https://redirect.github.com/renovatebot/github-action/commit/ffe582e3352e844dfef40b305f093bdb062ff1e0)) ##### Miscellaneous Chores - **deps:** update dependency [@&#8203;semantic-release/npm](https://redirect.github.com/semantic-release/npm) to v13.1.3 ([3cc81a3](https://redirect.github.com/renovatebot/github-action/commit/3cc81a31082c98a7ebceae2c568267889604f548)) - **deps:** update dependency [@&#8203;types/node](https://redirect.github.com/types/node) to v20.19.26 ([35e2653](https://redirect.github.com/renovatebot/github-action/commit/35e26533206da53677b6130b515dfe80c1b6d242)) - **deps:** update dependency [@&#8203;types/node](https://redirect.github.com/types/node) to v20.19.27 ([6ffffc2](https://redirect.github.com/renovatebot/github-action/commit/6ffffc27bd735ccf37a9eef3462cc5ea8bbf5562)) - **deps:** update dependency typescript-eslint to v8.49.0 ([c778357](https://redirect.github.com/renovatebot/github-action/commit/c778357a67d73abb5d15d6c9207a9e03e4ef03a0)) - **deps:** update linters to v9.39.2 ([e0d4d32](https://redirect.github.com/renovatebot/github-action/commit/e0d4d32e564193f21c32a16a9e570f807893c44f)) - **deps:** update pnpm to v10.25.0 ([2fb813e](https://redirect.github.com/renovatebot/github-action/commit/2fb813ee7f880facb8b31b424322c78004a64d74)) ##### Build System - **deps:** lock file maintenance ([13f84c5](https://redirect.github.com/renovatebot/github-action/commit/13f84c5903634788a8b30015b3237e27ae464cca)) ##### Continuous Integration - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.55.0 ([4728f99](https://redirect.github.com/renovatebot/github-action/commit/4728f998795cc4173cbc33fa3847f1e5be2552c6)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.57.0 ([9b96e25](https://redirect.github.com/renovatebot/github-action/commit/9b96e25a5a3e71f7cd345625dd8111401b416cc5)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.57.1 ([dabc2a0](https://redirect.github.com/renovatebot/github-action/commit/dabc2a05a3d3ed0e81fe512d8397981799150cf3)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.58.0 ([395475b](https://redirect.github.com/renovatebot/github-action/commit/395475ba3920ed8084dbbdfc65519f689d8a8021)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.58.1 ([95fbfab](https://redirect.github.com/renovatebot/github-action/commit/95fbfab63b0195fb8040ad18a23fc3ddb8c471b2)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.58.2 ([e571d85](https://redirect.github.com/renovatebot/github-action/commit/e571d85ac0c21293ba7e5d4703f82d2a3d25c1a9)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.58.3 ([d21ed0e](https://redirect.github.com/renovatebot/github-action/commit/d21ed0efecd6022639ccde0ffbcea86b3d97e2c5)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.58.4 ([548f050](https://redirect.github.com/renovatebot/github-action/commit/548f050250150f81b438db816e0dbc792f311181)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.59.0 ([3fb872d](https://redirect.github.com/renovatebot/github-action/commit/3fb872de617cbf87248858ec154f6656f42505e1)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.59.1 ([b4fc770](https://redirect.github.com/renovatebot/github-action/commit/b4fc770ace6565e8c1c211ae957f0871eeefe8be)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.60.0 ([eed36ce](https://redirect.github.com/renovatebot/github-action/commit/eed36ceef6f05b8ee8748a1426d217feb6a923e8)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.61.0 ([53379d5](https://redirect.github.com/renovatebot/github-action/commit/53379d5ef5750ad5d63a5cb242b605aca3d93cd5)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.62.0 ([d400a8c](https://redirect.github.com/renovatebot/github-action/commit/d400a8c4ebb890584e40cbea19ffb14ab09cfca0)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.63.0 ([d0258c8](https://redirect.github.com/renovatebot/github-action/commit/d0258c833a72dc8a83ba1459399874edf74aabb8)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.64.0 ([#&#8203;985](https://redirect.github.com/renovatebot/github-action/issues/985)) ([f21124b](https://redirect.github.com/renovatebot/github-action/commit/f21124b7a99d4cd0841527a5f353c6264bd4c4b0)) - **deps:** update ghcr.io/renovatebot/renovate docker tag to v42.64.1 ([b62f456](https://redirect.github.com/renovatebot/github-action/commit/b62f4566b07fd1460d50e5f52d13a447d534340d)) - **deps:** update renovate docker tag to v42.55.0 ([f5951c5](https://redirect.github.com/renovatebot/github-action/commit/f5951c521b62b8fb767af3b6f4832177031a517f)) - **deps:** update renovate docker tag to v42.57.1 ([094e9c6](https://redirect.github.com/renovatebot/github-action/commit/094e9c6953ac21f42bf64fc88e674bb2f1d5ebeb)) - **deps:** update renovate docker tag to v42.58.0 ([07847d1](https://redirect.github.com/renovatebot/github-action/commit/07847d1ce30ae50d06573fbcd069724221a5b8d8)) - **deps:** update renovate docker tag to v42.58.1 ([635cf78](https://redirect.github.com/renovatebot/github-action/commit/635cf78cf095ba0308c103e69144c5df62369017)) - **deps:** update renovate docker tag to v42.58.2 ([efc82a7](https://redirect.github.com/renovatebot/github-action/commit/efc82a710f5b5ec6cc63d14935f936e18e470aae)) - **deps:** update renovate docker tag to v42.58.3 ([a05a773](https://redirect.github.com/renovatebot/github-action/commit/a05a7732a19217a54d51fa5e05cfc9ef8537f638)) - **deps:** update renovate docker tag to v42.58.4 ([7f353c2](https://redirect.github.com/renovatebot/github-action/commit/7f353c27aa24aed05cfca3f315c858c71e0a1233)) - **deps:** update renovate docker tag to v42.59.0 ([54ccfe8](https://redirect.github.com/renovatebot/github-action/commit/54ccfe8c995924046c6d08157831e7aa4c7b9a6b)) - **deps:** update renovate docker tag to v42.59.1 ([7359cca](https://redirect.github.com/renovatebot/github-action/commit/7359cca382dd5abe3d1c5e97640854dd1ad86620)) - **deps:** update renovate docker tag to v42.61.0 ([#&#8203;984](https://redirect.github.com/renovatebot/github-action/issues/984)) ([5045dec](https://redirect.github.com/renovatebot/github-action/commit/5045dec9063ec4d32999f811c427773d3a7bf33f)) - **deps:** update renovate docker tag to v42.62.0 ([cca0b86](https://redirect.github.com/renovatebot/github-action/commit/cca0b867025e196546741f6e440d9ea9644a888f)) - **deps:** update renovate docker tag to v42.64.0 ([a9fddb1](https://redirect.github.com/renovatebot/github-action/commit/a9fddb173a807d8d9a97362d28e89648c3ba31a2)) - **deps:** update renovate docker tag to v42.64.1 ([65f8b67](https://redirect.github.com/renovatebot/github-action/commit/65f8b67f77a057933e8e37115b7d13f83b1ea5c1)) - ensure `example/` passes `renovate-config-validator` ([#&#8203;962](https://redirect.github.com/renovatebot/github-action/issues/962)) ([5fde7be](https://redirect.github.com/renovatebot/github-action/commit/5fde7be597ce4e3c0c3f9832c0a0496cc06daa48)), closes [#&#8203;910](https://redirect.github.com/renovatebot/github-action/issues/910) ### [`v44.2.0`](https://redirect.github.com/renovatebot/github-action/releases/tag/v44.2.0) [Compare Source](https://redirect.github.com/renovatebot/github-action/compare/v44.1.0...v44.2.0) ##### Features - show Renovate CLI version more prominently in logs ([#&#8203;983](https://redirect.github.com/renovatebot/github-action/issues/983)) ([fde0305](https://redirect.github.com/renovatebot/github-action/commit/fde03050379d532b357b6acc1e8fc7e72311c10a)), closes [#&#8203;969](https://redirect.github.com/renovatebot/github-action/issues/969) ##### Documentation - update references to actions/checkout to v6 ([5ccdc9c](https://redirect.github.com/renovatebot/github-action/commit/5ccdc9c834db906941da32301b73d5e6d6406239)) - update references to ghcr.io/renovatebot/renovate to v42.52.8 ([a7d997a](https://redirect.github.com/renovatebot/github-action/commit/a7d997abb9102dac05763671771478677f5f281b)) - update references to renovatebot/github-action to v44.1.0 ([877f1ed](https://redirect.github.com/renovatebot/github-action/commit/877f1edb5a9ab0c75e02fc65b89be71c611a4ec4)) ##### Miscellaneous Chores - **deps:** update actions/cache action to v5 ([#&#8203;981](https://redirect.github.com/renovatebot/github-action/issues/981)) ([5601672](https://redirect.github.com/renovatebot/github-action/commit/5601672bb186a806e02ea83b1547dc75b249bc0d)) - **deps:** update commitlint monorepo to v20 (major) ([#&#8203;975](https://redirect.github.com/renovatebot/github-action/issues/975)) ([9c94e7f](https://redirect.github.com/renovatebot/github-action/commit/9c94e7fd2be568f25c53fcafb9d1b310eea93b66)) - **deps:** update node.js to v24 ([#&#8203;977](https://redirect.github.com/renovatebot/github-action/issues/977)) ([1adf39f](https://redirect.github.com/renovatebot/github-action/commit/1adf39f4f8f8fd33c5d91e64a6c9ea1bf72da193)) - **deps:** update semantic-release monorepo (major) ([#&#8203;978](https://redirect.github.com/renovatebot/github-action/issues/978)) ([f90da8d](https://redirect.github.com/renovatebot/github-action/commit/f90da8d8bc315a501ce13d3d1fbaec0f2a708c9e)) ##### Continuous Integration - **deps:** update actions/checkout action to v6 ([#&#8203;982](https://redirect.github.com/renovatebot/github-action/issues/982)) ([ccbe4e5](https://redirect.github.com/renovatebot/github-action/commit/ccbe4e599c0cb464294daf53b2fcbdad069e269b)) - **deps:** update renovate docker tag to v42.52.0 ([92e7f7b](https://redirect.github.com/renovatebot/github-action/commit/92e7f7b274f4253329e27cdc401a24697eaeb589)) - **deps:** update renovate docker tag to v42.52.1 ([61dcbbd](https://redirect.github.com/renovatebot/github-action/commit/61dcbbd7bc701be4194c4310b3936e6118bd00c3)) - **deps:** update renovate docker tag to v42.52.2 ([c31dec6](https://redirect.github.com/renovatebot/github-action/commit/c31dec6b5954bfeb74ff49f277c2ebbc99abfce6)) - **deps:** update renovate docker tag to v42.52.3 ([c3a7384](https://redirect.github.com/renovatebot/github-action/commit/c3a73845430e55709d59bf9c3e705f42bee5aba9)) - **deps:** update renovate docker tag to v42.52.4 ([27c1757](https://redirect.github.com/renovatebot/github-action/commit/27c17575a98e8622d630abbc203cea047294fef5)) - **deps:** update renovate docker tag to v42.52.6 ([8091613](https://redirect.github.com/renovatebot/github-action/commit/80916137e713df77dfe3b104b11914795adf331d)) - **deps:** update renovate docker tag to v42.52.8 ([a163433](https://redirect.github.com/renovatebot/github-action/commit/a16343313844643e9561e458a67809bc87eb1ba6)) - **deps:** update renovate docker tag to v42.54.1 ([47283fa](https://redirect.github.com/renovatebot/github-action/commit/47283fac74ce0b7456a81f56b4cc4ca8958214bb)) ### [`v44.1.0`](https://redirect.github.com/renovatebot/github-action/releases/tag/v44.1.0) [Compare Source](https://redirect.github.com/renovatebot/github-action/compare/v44.0.5...v44.1.0) ##### Features - enable tty for docker run ([#&#8203;974](https://redirect.github.com/renovatebot/github-action/issues/974)) ([7f974c0](https://redirect.github.com/renovatebot/github-action/commit/7f974c0f8a2d1a5db895b0fef1c2ae0ed818d361)) ##### Documentation - update references to ghcr.io/renovatebot/renovate to v42.39.2 ([56ac2fc](https://redirect.github.com/renovatebot/github-action/commit/56ac2fc40390daa2a186592c671193678f5ceea7)) - update references to renovatebot/github-action to v44.0.5 ([afa2fa8](https://redirect.github.com/renovatebot/github-action/commit/afa2fa89b960b006375bb3dccbb20ecd6df5768e)) ##### Miscellaneous Chores - **deps:** update actions/setup-node action to v6.1.0 ([6eab2b7](https://redirect.github.com/renovatebot/github-action/commit/6eab2b7ef697c7d47fc3652a5abc0570ca87f38b)) - **deps:** update dependency esbuild to v0.27.1 ([9e1daf1](https://redirect.github.com/renovatebot/github-action/commit/9e1daf11101ecbe2df21fb98a1b82228870e1ad9)) - **deps:** update dependency prettier to v3.7.0 ([8109939](https://redirect.github.com/renovatebot/github-action/commit/8109939667445f46f5f203d18d9e5fd08ae15d16)) - **deps:** update dependency prettier to v3.7.1 ([c023f56](https://redirect.github.com/renovatebot/github-action/commit/c023f569b16c88e37554d1f63a5b55ad4c62b679)) - **deps:** update dependency prettier to v3.7.2 ([e022113](https://redirect.github.com/renovatebot/github-action/commit/e022113a52f17b8a7e8d288d76e7a0f91b68c167)) - **deps:** update dependency prettier to v3.7.3 ([df0b720](https://redirect.github.com/renovatebot/github-action/commit/df0b7203200d4c51524183e9c95b639bcac215ef)) - **deps:** update dependency prettier to v3.7.4 ([817bae1](https://redirect.github.com/renovatebot/github-action/commit/817bae1f423ad316fb14b2f371fb8e25daeee226)) - **deps:** update dependency prettier-plugin-packagejson to v2.5.20 ([f7337fd](https://redirect.github.com/renovatebot/github-action/commit/f7337fdf53f1158eaf9ff433a28a4b2e1d7ebcd1)) - **deps:** update dependency typescript-eslint to v8.48.0 ([fb6e56f](https://redirect.github.com/renovatebot/github-action/commit/fb6e56fcfa23e3c3736e824fccec2b490b751749)) - **deps:** update dependency typescript-eslint to v8.48.1 ([c558985](https://redirect.github.com/renovatebot/github-action/commit/c55898597d879a5194475e8d705218673feee59d)) - **deps:** update pnpm to v10.24.0 ([79de259](https://redirect.github.com/renovatebot/github-action/commit/79de2597ec3a45546a401509aa1c2b8ea3070553)) ##### Continuous Integration - **deps:** update renovate docker tag to v42.27.3 ([cb62681](https://redirect.github.com/renovatebot/github-action/commit/cb626814b5d85cad9e27f414747e49a0b744c20b)) - **deps:** update renovate docker tag to v42.27.5 ([8d95600](https://redirect.github.com/renovatebot/github-action/commit/8d95600783610b193a2f66e4b31856b34a42a57a)) - **deps:** update renovate docker tag to v42.28.0 ([6bbb048](https://redirect.github.com/renovatebot/github-action/commit/6bbb0487e807f7a9c3775f99a3efee1519f1f40d)) - **deps:** update renovate docker tag to v42.29.3 ([07abe3d](https://redirect.github.com/renovatebot/github-action/commit/07abe3d743f035f0677c3aa3cb112cdd5886dd16)) - **deps:** update renovate docker tag to v42.29.4 ([bbde94e](https://redirect.github.com/renovatebot/github-action/commit/bbde94e6b6c27a2cd0958bbe5931ed9fc9ced19b)) - **deps:** update renovate docker tag to v42.29.5 ([a014389](https://redirect.github.com/renovatebot/github-action/commit/a014389a0a68036ccce080eead835410ba6b79e0)) - **deps:** update renovate docker tag to v42.30.1 ([0a7b3c6](https://redirect.github.com/renovatebot/github-action/commit/0a7b3c6d79620c8c508c3ed5a4ed1814aa97fb5f)) - **deps:** update renovate docker tag to v42.30.2 ([9a03ec1](https://redirect.github.com/renovatebot/github-action/commit/9a03ec1eb43472d3011e2e0c7e63a4d6ec290535)) - **deps:** update renovate docker tag to v42.30.3 ([ad718be](https://redirect.github.com/renovatebot/github-action/commit/ad718be8b52d98eea8e15917a8bb5c56b91a5996)) - **deps:** update renovate docker tag to v42.30.4 ([39fbfa4](https://redirect.github.com/renovatebot/github-action/commit/39fbfa40c9373ed0cfc717b88b63c138bb3bbc84)) - **deps:** update renovate docker tag to v42.31.0 ([c654f3c](https://redirect.github.com/renovatebot/github-action/commit/c654f3ca908878ab1ec2425d8041a5945d0bbf94)) - **deps:** update renovate docker tag to v42.32.2 ([f8f972d](https://redirect.github.com/renovatebot/github-action/commit/f8f972df2b88491dec2ec13784ce48f32a10b4bb)) - **deps:** update renovate docker tag to v42.32.3 ([7dacb79](https://redirect.github.com/renovatebot/github-action/commit/7dacb799b6f984cdbee0f1290101eb54205a58c9)) - **deps:** update renovate docker tag to v42.34.0 ([a27b37e](https://redirect.github.com/renovatebot/github-action/commit/a27b37e61c4a7c02104663fdb3bf9077ae940819)) - **deps:** update renovate docker tag to v42.34.1 ([d7b2cb9](https://redirect.github.com/renovatebot/github-action/commit/d7b2cb950e82d5b0ac6e3b14fdc28a3c98a50f2b)) - **deps:** update renovate docker tag to v42.34.2 ([b6077f8](https://redirect.github.com/renovatebot/github-action/commit/b6077f89cf131188941610a1f855bb2bbdb58699)) - **deps:** update renovate docker tag to v42.35.1 ([a2e6f2c](https://redirect.github.com/renovatebot/github-action/commit/a2e6f2c8448b2528197b528a719f2561c08fe662)) - **deps:** update renovate docker tag to v42.37.0 ([cb999b8](https://redirect.github.com/renovatebot/github-action/commit/cb999b8888b8531bba23955e14410bfacece86d8)) - **deps:** update renovate docker tag to v42.37.1 ([280b58e](https://redirect.github.com/renovatebot/github-action/commit/280b58e85e33a0386ccc40816c8d69a483c19b81)) - **deps:** update renovate docker tag to v42.38.0 ([82475db](https://redirect.github.com/renovatebot/github-action/commit/82475db3949205e4e5ebc19db4574cff5e00a304)) - **deps:** update renovate docker tag to v42.38.1 ([d65800d](https://redirect.github.com/renovatebot/github-action/commit/d65800d5d4950f7b386f2b4726ee20e2a180d438)) - **deps:** update renovate docker tag to v42.39.0 ([82ec283](https://redirect.github.com/renovatebot/github-action/commit/82ec2836b7e485d64ba80be57cb837efe327a5aa)) - **deps:** update renovate docker tag to v42.39.1 ([ddf131e](https://redirect.github.com/renovatebot/github-action/commit/ddf131ed0c84e6258dfee6e479a55f5f7e04ed38)) - **deps:** update renovate docker tag to v42.39.2 ([eff7918](https://redirect.github.com/renovatebot/github-action/commit/eff79185c2c9d901dae66ab167a561b7cee69033)) - **deps:** update renovate docker tag to v42.39.4 ([5528b56](https://redirect.github.com/renovatebot/github-action/commit/5528b56de99f88995053b3817faca6eaadd9678f)) - **deps:** update renovate docker tag to v42.39.5 ([f2a3a2a](https://redirect.github.com/renovatebot/github-action/commit/f2a3a2ab0c5b7ac88047a7b0abe241e211872676)) - **deps:** update renovate docker tag to v42.40.0 ([c4a4a8e](https://redirect.github.com/renovatebot/github-action/commit/c4a4a8e9d4ba6059eb5100b7ed8aa5feabe70f45)) - **deps:** update renovate docker tag to v42.40.1 ([13dbfa2](https://redirect.github.com/renovatebot/github-action/commit/13dbfa24501a0a2e71ba2109d7f15e28372cbc40)) - **deps:** update renovate docker tag to v42.40.2 ([b8053ce](https://redirect.github.com/renovatebot/github-action/commit/b8053ce4b86cba688e6b4f78aa8977307568d731)) - **deps:** update renovate docker tag to v42.40.3 ([e6368fd](https://redirect.github.com/renovatebot/github-action/commit/e6368fdacaeadd0e86af20f1cf967414224d2c45)) - **deps:** update renovate docker tag to v42.41.0 ([6378a85](https://redirect.github.com/renovatebot/github-action/commit/6378a85217cf2c1e8f7b10149e5f9b42e8b428ba)) - **deps:** update renovate docker tag to v42.41.1 ([e9008ac](https://redirect.github.com/renovatebot/github-action/commit/e9008ac40d1904f739e5deec5466a3746c8ce193)) - **deps:** update renovate docker tag to v42.42.0 ([b1b6377](https://redirect.github.com/renovatebot/github-action/commit/b1b6377177d274f050ab33559dbbf657ff12eb03)) - **deps:** update renovate docker tag to v42.42.1 ([4f9787f](https://redirect.github.com/renovatebot/github-action/commit/4f9787fc9d8718e9a548c3e6d480fc3027176414)) - **deps:** update renovate docker tag to v42.42.2 ([dc35895](https://redirect.github.com/renovatebot/github-action/commit/dc3589581a9dd458b496835e24a8a073ec15ffe9)) - **deps:** update renovate docker tag to v42.42.3 ([700b895](https://redirect.github.com/renovatebot/github-action/commit/700b8952df25e642e0ef057fb0ff926ed08c4ec7)) - **deps:** update renovate docker tag to v42.42.4 ([de82540](https://redirect.github.com/renovatebot/github-action/commit/de82540087694d5a55a375384884bf44b249dfdd)) - **deps:** update renovate docker tag to v42.42.5 ([5b820c1](https://redirect.github.com/renovatebot/github-action/commit/5b820c1cd9275f449eabcb8eb620f99475cc904e)) - **deps:** update renovate docker tag to v42.43.0 ([7aecb0a](https://redirect.github.com/renovatebot/github-action/commit/7aecb0a372d771d79abdbb56e9fe2df7f5e7e100)) - **deps:** update renovate docker tag to v42.44.0 ([c9c06da](https://redirect.github.com/renovatebot/github-action/commit/c9c06da449e4a68682829d92664b1e019bc9a2d7)) - **deps:** update renovate docker tag to v42.44.1 ([80e45c2](https://redirect.github.com/renovatebot/github-action/commit/80e45c233d7735a1666f656f59d589f1f366922b)) - **deps:** update renovate docker tag to v42.46.0 ([a272caf](https://redirect.github.com/renovatebot/github-action/commit/a272caf98b2af3998fd08aad2115557748c09e96)) - **deps:** update renovate docker tag to v42.47.0 ([8380aa8](https://redirect.github.com/renovatebot/github-action/commit/8380aa89417e0f7d846cfe13b550485998f1ab1a)) - **deps:** update renovate docker tag to v42.49.0 ([8342c93](https://redirect.github.com/renovatebot/github-action/commit/8342c937a80f45e383262316a736628e32cb1d24)) - **deps:** update renovate docker tag to v42.50.0 ([6856feb](https://redirect.github.com/renovatebot/github-action/commit/6856febbe5599364858ab45bd1cc9aa3274055cc)) </details> <details> <summary>step-security/harden-runner (step-security/harden-runner)</summary> ### [`v2.14.0`](https://redirect.github.com/step-security/harden-runner/releases/tag/v2.14.0) [Compare Source](https://redirect.github.com/step-security/harden-runner/compare/v2.13.3...v2.14.0) ##### What's Changed - Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip\_harden\_runner, allowing organizations to opt out specific repos. - Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it. **Full Changelog**: <step-security/harden-runner@v2.13.3...v2.14.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - On day 1 of the month ( * * 1 * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).  Signed-off-by: oep-renovate[bot] <212772560+oep-renovate[bot]@users.noreply.github.com> Co-authored-by: oep-renovate[bot] <212772560+oep-renovate[bot]@users.noreply.github.com>
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
 
@@ -43,13 +43,13 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
+        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
           queries: security-extended
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
+        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
       - name: "Checkout Repository"
diff --git a/.github/workflows/docs_latest.yml b/.github/workflows/docs_latest.yml
@@ -16,7 +16,7 @@ jobs:
       contents: write
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
 
@@ -26,7 +26,7 @@ jobs:
           persist-credentials: false
 
       - name: Install uv and set the python version
-        uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
         with:
           enable-cache: false
           python-version: "3.10"
diff --git a/.github/workflows/docs_stable.yml b/.github/workflows/docs_stable.yml
@@ -14,7 +14,7 @@ jobs:
       contents: write
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
       
@@ -25,7 +25,7 @@ jobs:
           persist-credentials: false
 
       - name: Install uv and set the python version
-        uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
         with:
           enable-cache: false
           python-version: "3.10"
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -48,15 +48,15 @@ jobs:
       contents: read
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
       - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
       - name: Run Zizmor scan
-        uses: open-edge-platform/geti-ci/actions/zizmor@66652424b4ec87ff529dce5ae4a03f339e58a84b
+        uses: open-edge-platform/geti-ci/actions/zizmor@d30e32248aa6bd06adeda7129b50a38bdbceca12
         with:
           scan-scope: "changed"
           severity-level: "LOW"
@@ -68,15 +68,15 @@ jobs:
       contents: read
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
       - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
       - name: Run Bandit scan
-        uses: open-edge-platform/geti-ci/actions/bandit@66652424b4ec87ff529dce5ae4a03f339e58a84b
+        uses: open-edge-platform/geti-ci/actions/bandit@d30e32248aa6bd06adeda7129b50a38bdbceca12
         with:
           scan-scope: "changed"
           severity-level: "LOW"
diff --git a/.github/workflows/pr_check.yml b/.github/workflows/pr_check.yml
@@ -36,7 +36,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
 
@@ -45,12 +45,12 @@ jobs:
           persist-credentials: false
 
       - name: Installing Rust toolchain
-        uses: dtolnay/rust-toolchain@0b1efabc08b657293548b77fb76cc02d26091c7e
+        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561
         with:
           toolchain: stable
 
       - name: Install uv and set the python version
-        uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v7.1.5
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
         with:
           enable-cache: false
           python-version: ${{ matrix.python-version }}
@@ -63,7 +63,7 @@ jobs:
         run: uv run pytest --cov --cov-report=xml
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
           flags: ${{ matrix.os }}_Python-${{ matrix.python-version }}
           use_oidc: true
diff --git a/.github/workflows/publish_to_pypi.yml b/.github/workflows/publish_to_pypi.yml
@@ -19,7 +19,7 @@ jobs:
         os: ["ubuntu-24.04", "windows-2022", "macos-13", "macos-15"]
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
       - name: Checkout
@@ -37,7 +37,7 @@ jobs:
         env:
           MACOSX_DEPLOYMENT_TARGET: 11.0
         run: python -m cibuildwheel --output-dir wheelhouse
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: artifact-wheels_${{ matrix.os }}
           path: ./wheelhouse/*.whl
@@ -46,7 +46,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
       - name: Checkout
@@ -61,7 +61,7 @@ jobs:
         run: python -m pip install build
       - name: Build sdist
         run: python -m build --sdist
-      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: artifact-sdist_${{ matrix.os }}
           path: dist/*.tar.gz
@@ -75,11 +75,11 @@ jobs:
       id-token: write
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
       - name: Download artifacts
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           path: dist
           pattern: artifact-*
@@ -94,7 +94,7 @@ jobs:
       # Publish the built wheel and source tarball to github
       - name: Upload wheel and source files as github artifact
         if: ${{ steps.check-tag.outputs.match != '' }}
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: datumaro
           path: dist/*
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
@@ -72,7 +72,7 @@ jobs:
           private-key: ${{ secrets.RENOVATE_APP_PEM }}
 
       - name: Self-hosted Renovate
-        uses: renovatebot/github-action@5712c6a41dea6cdf32c72d92a763bd417e6606aa # v44.0.5
+        uses: renovatebot/github-action@8b7941943a108b2cc2150730963164aa8baeab8c # v44.2.2
         with:
           configurationFile: .github/renovate.json5
           token: "${{ steps.get-github-app-token.outputs.token }}"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
 
@@ -40,6 +40,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -20,15 +20,15 @@ jobs:
       security-events: write # Needed to upload the results to code-scanning dashboard
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
       - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
       - name: Run Zizmor scan
-        uses: open-edge-platform/geti-ci/actions/zizmor@66652424b4ec87ff529dce5ae4a03f339e58a84b
+        uses: open-edge-platform/geti-ci/actions/zizmor@d30e32248aa6bd06adeda7129b50a38bdbceca12
         with:
           scan-scope: "all"
           severity-level: "LOW"
@@ -42,15 +42,15 @@ jobs:
       security-events: write # Needed to upload the results to code-scanning dashboard
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
       - name: Checkout code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
       - name: Run Bandit scan
-        uses: open-edge-platform/geti-ci/actions/bandit@66652424b4ec87ff529dce5ae4a03f339e58a84b
+        uses: open-edge-platform/geti-ci/actions/bandit@d30e32248aa6bd06adeda7129b50a38bdbceca12
         with:
           scan-scope: "all"
           severity-level: "LOW"
@@ -65,7 +65,7 @@ jobs:
       security-events: write # Needed to upload the results to code-scanning dashboard
     steps:
       - name: Harden the runner (audit all outbound calls)
-        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
         with:
           egress-policy: audit
       - name: Checkout code
@@ -75,7 +75,7 @@ jobs:
 
       - name: Run Trivy scan
         id: trivy
-        uses: open-edge-platform/geti-ci/actions/trivy@66652424b4ec87ff529dce5ae4a03f339e58a84b
+        uses: open-edge-platform/geti-ci/actions/trivy@d30e32248aa6bd06adeda7129b50a38bdbceca12
         with:
           scan_type: "fs"
           scan-scope: all
@@ -97,7 +97,7 @@ jobs:
           persist-credentials: false
       - name: Run Semgrep scan
         id: semgrep
-        uses: open-edge-platform/geti-ci/actions/semgrep@66652424b4ec87ff529dce5ae4a03f339e58a84b
+        uses: open-edge-platform/geti-ci/actions/semgrep@d30e32248aa6bd06adeda7129b50a38bdbceca12
         with:
           scan-scope: "all"
           severity: "LOW"
