chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
docker/login-action	action	minor	v4.0.0 → v4.1.0
gradle/actions	action	minor	v6.0.1 → v6.1.0
marocchino/sticky-pull-request-comment	action	patch	v3.0.2 → v3.0.3
step-security/harden-runner	action	patch	v2.16.0 → v2.16.1

---

Release Notes

docker/login-action (docker/login-action)

v4.1.0

Compare Source

• Fix scoped Docker Hub cleanup path when registry is omitted by @​crazy-max in #​945
• Bump @​aws-sdk/client-ecr and @​aws-sdk/client-ecr-public to 3.1020.0 in #​930
• Bump @​docker/actions-toolkit from 0.77.0 to 0.86.0 in #​932 #​936
• Bump brace-expansion from 1.1.12 to 1.1.13 in #​952
• Bump fast-xml-parser from 5.3.4 to 5.3.6 in #​942
• Bump flatted from 3.3.3 to 3.4.2 in #​944
• Bump glob from 10.3.12 to 10.5.0 in #​940
• Bump handlebars from 4.7.8 to 4.7.9 in #​949
• Bump http-proxy-agent and https-proxy-agent to 8.0.0 in #​937
• Bump lodash from 4.17.23 to 4.18.1 in #​958
• Bump minimatch from 3.1.2 to 3.1.5 in #​941
• Bump picomatch from 4.0.3 to 4.0.4 in #​948
• Bump undici from 6.23.0 to 6.24.1 in #​938

Full Changelog: docker/login-action@v4.0.0...v4.1.0

gradle/actions (gradle/actions)

v6.1.0

Compare Source

New: Basic Cache Provider

A new MIT-licensed Basic Caching provider is now available as an alternative to the proprietary Enhanced Caching provided by gradle-actions-caching. Choose Basic Caching by setting cache-provider: basic on setup-gradle or dependency-submission actions.

• Built on @actions/cache -- fully open source
• Caches ~/.gradle/caches and ~/.gradle/wrapper directories
• Cache key derived from build files (*.gradle*, gradle-wrapper.properties, etc.)
• Clean cache on build file changes (no restore keys, preventing stale entry accumulation)

Limitations vs Enhanced Caching: No cache cleanup, no deduplication of cached content, cached content is fixed unless build files change.

Revamped Licensing & Distribution Documentation

• New DISTRIBUTION.md documents the licensing of each component (particularly Basic Caching vs Enhanced Caching)
• Simplified licensing notices in README, docs, and runtime log output
• Clear usage tiers: Enhanced Caching is free for public repos and in Free Preview for private repos

What's Changed

• Use a unique cache entry for wrapper-validation test by @​bigdaz in #​921
• Update Dependencies by @​bigdaz in #​922
• Update dependencies and resolve npm vulnerabilities by @​bigdaz in #​933
• Add open-source 'basic' cache provider and revamp licensing documentation by @​bigdaz in #​930
• Restructure caching documentation for basic and enhanced providers by @​bigdaz in #​934

Full Changelog: gradle/actions@v6.0.1...v6.1.0

marocchino/sticky-pull-request-comment (marocchino/sticky-pull-request-comment)

v3.0.3

Compare Source

step-security/harden-runner (step-security/harden-runner)

v2.16.1

Compare Source

What's Changed

Enterprise tier: Added support for direct IP addresses in the allow list
Community tier: Migrated Harden Runner telemetry to a new endpoint

Full Changelog: step-security/harden-runner@v2.16.0...v2.16.1

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-without-test-image:pr-235 (debian 13.4)

No Vulnerabilities found

No Misconfigurations found

Python

1 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 0 LOW: 1)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
pip	CVE-2026-1703	LOW	25.3	26.0

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-with-fixed-image-tags:v1.2.3-beta.123 (debian 13.4)

No Vulnerabilities found

No Misconfigurations found

Python

1 known vulnerabilities found (LOW: 1 CRITICAL: 0 HIGH: 0 MEDIUM: 0)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
pip	CVE-2026-1703	LOW	25.3	26.0

No Misconfigurations found

[github-actions]

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow:pr-235 (debian 13.4)

No Vulnerabilities found

No Misconfigurations found

Python

1 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 0 LOW: 1)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
pip	CVE-2026-1703	LOW	25.3	26.0

No Misconfigurations found

[github-actions]

✅MegaLinter analysis: Success

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	4		0	0	0.11s
✅ COPYPASTE	jscpd	yes		no	no	1.28s
✅ DOCKERFILE	hadolint	1		0	0	0.23s
✅ JSON	jsonlint	3		0	0	0.34s
✅ JSON	prettier	3		0	0	0.55s
✅ JSON	v8r	3		0	0	2.6s
✅ MARKDOWN	markdownlint	1		0	0	0.5s
✅ MARKDOWN	markdown-table-formatter	1		0	0	0.3s
✅ PYTHON	bandit	1		0	0	1.51s
✅ PYTHON	black	1		0	0	0.86s
✅ PYTHON	flake8	1		0	0	0.45s
✅ PYTHON	isort	1		0	0	0.23s
✅ PYTHON	mypy	1		0	0	3.82s
✅ PYTHON	pylint	1		0	0	3.11s
✅ PYTHON	pyright	1		0	0	1.87s
✅ PYTHON	ruff	1		0	0	0.04s
✅ REPOSITORY	checkov	yes		no	no	24.06s
✅ REPOSITORY	dustilock	yes		no	no	0.02s
✅ REPOSITORY	gitleaks	yes		no	no	0.31s
✅ REPOSITORY	git_diff	yes		no	no	0.0s
✅ REPOSITORY	grype	yes		no	no	41.21s
✅ REPOSITORY	kics	yes		no	no	3.21s
✅ REPOSITORY	kingfisher	yes		no	no	5.24s
✅ REPOSITORY	secretlint	yes		no	no	1.36s
✅ REPOSITORY	syft	yes		no	no	1.95s
✅ REPOSITORY	trivy	yes		no	no	12.69s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.15s
✅ REPOSITORY	trufflehog	yes		no	no	4.04s
✅ YAML	prettier	6		0	0	0.66s
✅ YAML	v8r	6		0	0	6.31s
✅ YAML	yamllint	6		0	0	0.61s

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,REPOSITORY_KINGFISHER,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository

[github-actions]

🎉 This PR is included in version 1.11.22 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀