Bump the actions group across 1 directory with 5 updates (#3337)

Bumps the actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
|
[step-security/harden-runner](https://github.com/step-security/harden-runner)
| `2.19.0` | `2.19.3` |
| [chainguard-dev/actions](https://github.com/chainguard-dev/actions) |
`1.6.16` | `1.6.19` |
|
[sigstore/cosign-installer](https://github.com/sigstore/cosign-installer)
| `4.1.1` | `4.1.2` |
|
[hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform)
| `4.0.0` | `4.0.1` |
|
[zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action)
| `0.5.3` | `0.5.6` |


Updates `step-security/harden-runner` from 2.19.0 to 2.19.3
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's
releases</a>.</em></p>
<blockquote>
<h2>v2.19.3</h2>
<h2>What's Changed</h2>
<ul>
<li>Default to audit mode when api-key missing with use-policy-store by
<a
href="https://github.com/varunsh-coder"><code>@​varunsh-coder</code></a>
in <a
href="https://redirect.github.com/step-security/harden-runner/pull/665">step-security/harden-runner#665</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/step-security/harden-runner/compare/v2.19.2...v2.19.3">https://github.com/step-security/harden-runner/compare/v2.19.2...v2.19.3</a></p>
<h2>v2.19.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Update the Harden Runner agent for enterprise tier to use go 1.26
and fix minor bugs.</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/step-security/harden-runner/compare/v2.19.1...v2.19.2">https://github.com/step-security/harden-runner/compare/v2.19.1...v2.19.2</a></p>
<h2>v2.19.1</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: detect ubuntu-slim runners early and bail out by <a
href="https://github.com/devantler"><code>@​devantler</code></a> in <a
href="https://redirect.github.com/step-security/harden-runner/pull/657">step-security/harden-runner#657</a></li>
</ul>
<p>What the fix changes</p>
<ul>
<li>Harden-Runner will detect <code>ubuntu-slim</code> runners and exit
cleanly with an informational log message, instead of post harden runner
step failing on chown: invalid user: 'undefined'.</li>
</ul>
<p>What the fix does not do</p>
<ul>
<li>Jobs running on <code>ubuntu-slim</code> will not be monitored by
Harden-Runner. The agent relies on kernel-level features (that require
elevated capabilities).</li>
<li>Per GitHub's docs on <a
href="https://docs.github.com/en/actions/reference/runners/github-hosted-runners#single-cpu-runners">single-CPU
runners</a>: &quot;The container for ubuntu-slim runners runs in
unprivileged mode. This means that some operations requiring elevated
privileges such as mounting file systems, using Docker-in-Docker, or
accessing low-level kernel features are not supported.&quot; Those
low-level kernel features are what the agent needs, so monitoring inside
the unprivileged container is not feasible today.</li>
</ul>
<p>For StepSecurity enterprise customers
If your security posture requires that workflows are always monitored,
you can block the use of <code>ubuntu-slim</code> via workflow run
policies see the <a
href="https://docs.stepsecurity.io/workflow-run-policies/policies#runner-label-policy">Runner
Label Policy</a> docs. This lets you enforce that jobs only run on
monitored runner types.</p>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/devantler"><code>@​devantler</code></a>
made their first contribution in <a
href="https://redirect.github.com/step-security/harden-runner/pull/657">step-security/harden-runner#657</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/step-security/harden-runner/compare/v2.19.0...v2.19.1">https://github.com/step-security/harden-runner/compare/v2.19.0...v2.19.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/step-security/harden-runner/commit/ab7a9404c0f3da075243ca237b5fac12c98deaa5"><code>ab7a940</code></a>
Merge pull request <a
href="https://redirect.github.com/step-security/harden-runner/issues/665">#665</a>
from step-security/fix/use-policy-store-default-audit</li>
<li><a
href="https://github.com/step-security/harden-runner/commit/ec41b783c27ed7f0db6855a6d9970abd4572858c"><code>ec41b78</code></a>
Default to audit mode when api-key missing with use-policy-store</li>
<li><a
href="https://github.com/step-security/harden-runner/commit/9ca718d3bf646d6534007c269a635b3e54cadf99"><code>9ca718d</code></a>
Merge pull request <a
href="https://redirect.github.com/step-security/harden-runner/issues/664">#664</a>
from step-security/update-agent-v1.8.5</li>
<li><a
href="https://github.com/step-security/harden-runner/commit/1dee3df8d29f4225c582eee2ddb6053ca616c0df"><code>1dee3df</code></a>
Update agent to v1.8.5</li>
<li><a
href="https://github.com/step-security/harden-runner/commit/a5ad31d6a139d249332a2605b85202e8c0b78450"><code>a5ad31d</code></a>
Merge pull request <a
href="https://redirect.github.com/step-security/harden-runner/issues/657">#657</a>
from devantler/fix/ubuntu-slim-user-env</li>
<li><a
href="https://github.com/step-security/harden-runner/commit/6e928567d74554b8842dd434908da31c593ba85c"><code>6e92856</code></a>
build dist and trim ubuntu-slim message</li>
<li><a
href="https://github.com/step-security/harden-runner/commit/4e0504ee086374bdec7064e5c26d48af41ba6209"><code>4e0504e</code></a>
Merge branch 'main' into fix/ubuntu-slim-user-env</li>
<li><a
href="https://github.com/step-security/harden-runner/commit/376d25a97f3a1640ff8cbbddaa4af25948df2cf3"><code>376d25a</code></a>
fix: detect ubuntu-slim runners early and bail out</li>
<li>See full diff in <a
href="https://github.com/step-security/harden-runner/compare/8d3c67de8e2fe68ef647c8db1e6a09f647780f40...ab7a9404c0f3da075243ca237b5fac12c98deaa5">compare
view</a></li>
</ul>
</details>
<br />

Updates `chainguard-dev/actions` from 1.6.16 to 1.6.19
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/chainguard-dev/actions/releases">chainguard-dev/actions's
releases</a>.</em></p>
<blockquote>
<h2>v1.6.19</h2>
<h2>What's Changed</h2>
<ul>
<li>build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.18 in
/inky-build-pkg by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/892">chainguard-dev/actions#892</a></li>
<li>build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.18 in
/wolfi-build-pkg by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/891">chainguard-dev/actions#891</a></li>
<li>build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.18 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/886">chainguard-dev/actions#886</a></li>
<li>build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.18 in
/melange-build by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/890">chainguard-dev/actions#890</a></li>
<li>build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.18 in
/goimports by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/889">chainguard-dev/actions#889</a></li>
<li>build(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1
by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/887">chainguard-dev/actions#887</a></li>
<li>build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.18 in
/gofmt by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/888">chainguard-dev/actions#888</a></li>
<li>otel-export: regenerate dist files by <a
href="https://github.com/joshrwolf"><code>@​joshrwolf</code></a> in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/879">chainguard-dev/actions#879</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/chainguard-dev/actions/compare/v1.6.18...v1.6.19">https://github.com/chainguard-dev/actions/compare/v1.6.18...v1.6.19</a></p>
<h2>v1.6.18</h2>
<h2>What's Changed</h2>
<ul>
<li>build(deps): bump chainguard-dev/actions from 1.6.16 to 1.6.17 in
/wolfi-build-pkg by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/885">chainguard-dev/actions#885</a></li>
<li>build(deps): bump chainguard-dev/actions from 1.6.16 to 1.6.17 in
/melange-build by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/884">chainguard-dev/actions#884</a></li>
<li>build(deps): bump chainguard-dev/actions from 1.6.16 to 1.6.17 in
/inky-build-pkg by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/883">chainguard-dev/actions#883</a></li>
<li>build(deps): bump chainguard-dev/actions from 1.6.16 to 1.6.17 in
/goimports by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/882">chainguard-dev/actions#882</a></li>
<li>build(deps): bump chainguard-dev/actions from 1.6.16 to 1.6.17 in
/gofmt by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/881">chainguard-dev/actions#881</a></li>
<li>build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.17 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/880">chainguard-dev/actions#880</a></li>
<li>build(deps): bump goreleaser/goreleaser-action from 7.1.0 to 7.2.1
by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/870">chainguard-dev/actions#870</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/chainguard-dev/actions/compare/v1.6.17...v1.6.18">https://github.com/chainguard-dev/actions/compare/v1.6.17...v1.6.18</a></p>
<h2>v1.6.17</h2>
<h2>What's Changed</h2>
<ul>
<li>build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.16 in
/wolfi-build-pkg by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/876">chainguard-dev/actions#876</a></li>
<li>build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.16 in
/melange-build by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/875">chainguard-dev/actions#875</a></li>
<li>build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.16 in
/inky-build-pkg by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/874">chainguard-dev/actions#874</a></li>
<li>build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.16 in
/goimports by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/873">chainguard-dev/actions#873</a></li>
<li>build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.16 in
/gofmt by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/872">chainguard-dev/actions#872</a></li>
<li>fix(setup-knative): make resource_blaster fail loudly on HTTP errors
by <a href="https://github.com/jml"><code>@​jml</code></a> in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/878">chainguard-dev/actions#878</a></li>
<li>otel-export: use RUNNER_NAME for the current job by <a
href="https://github.com/joshrwolf"><code>@​joshrwolf</code></a> in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/877">chainguard-dev/actions#877</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/jml"><code>@​jml</code></a> made their
first contribution in <a
href="https://redirect.github.com/chainguard-dev/actions/pull/878">chainguard-dev/actions#878</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/chainguard-dev/actions/compare/v1.6.16...v1.6.17">https://github.com/chainguard-dev/actions/compare/v1.6.16...v1.6.17</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/chainguard-dev/actions/commit/c69a264ec2a5934c3186c618f368fc1c86f16cff"><code>c69a264</code></a>
otel-export: regenerate dist files (<a
href="https://redirect.github.com/chainguard-dev/actions/issues/879">#879</a>)</li>
<li><a
href="https://github.com/chainguard-dev/actions/commit/22e1462fe474a8f6719caa583d0b7ef145cd6344"><code>22e1462</code></a>
build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.18 in /gofmt
(<a
href="https://redirect.github.com/chainguard-dev/actions/issues/888">#888</a>)</li>
<li><a
href="https://github.com/chainguard-dev/actions/commit/f8571424abbd904adcb33431461fd9aaedb9e10b"><code>f857142</code></a>
build(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 (<a
href="https://redirect.github.com/chainguard-dev/actions/issues/887">#887</a>)</li>
<li><a
href="https://github.com/chainguard-dev/actions/commit/a0c649bcd90b8ef84b9a2be2865d6575ac61036c"><code>a0c649b</code></a>
build(deps): bump chainguard-dev/actions in /goimports (<a
href="https://redirect.github.com/chainguard-dev/actions/issues/889">#889</a>)</li>
<li><a
href="https://github.com/chainguard-dev/actions/commit/99fe91423382f3762cf6c63c040aa8f8c254d3bb"><code>99fe914</code></a>
build(deps): bump chainguard-dev/actions in /melange-build (<a
href="https://redirect.github.com/chainguard-dev/actions/issues/890">#890</a>)</li>
<li><a
href="https://github.com/chainguard-dev/actions/commit/d686fcc2347210ac4ce1971bbcf4ddfe431dc49b"><code>d686fcc</code></a>
build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.18 (<a
href="https://redirect.github.com/chainguard-dev/actions/issues/886">#886</a>)</li>
<li><a
href="https://github.com/chainguard-dev/actions/commit/aa569d979dd6a5751832d54fed1fcc8d05978ec1"><code>aa569d9</code></a>
build(deps): bump chainguard-dev/actions in /wolfi-build-pkg (<a
href="https://redirect.github.com/chainguard-dev/actions/issues/891">#891</a>)</li>
<li><a
href="https://github.com/chainguard-dev/actions/commit/b57e4fe401b890cdc78d60401065dc33e1241282"><code>b57e4fe</code></a>
build(deps): bump chainguard-dev/actions in /inky-build-pkg (<a
href="https://redirect.github.com/chainguard-dev/actions/issues/892">#892</a>)</li>
<li><a
href="https://github.com/chainguard-dev/actions/commit/4a81273c8653122cf4e48cc248f9073b660c5e6d"><code>4a81273</code></a>
build(deps): bump goreleaser/goreleaser-action from 7.1.0 to 7.2.1 (<a
href="https://redirect.github.com/chainguard-dev/actions/issues/870">#870</a>)</li>
<li><a
href="https://github.com/chainguard-dev/actions/commit/00249ebe9bab2b24e478586f1064d3fac44dfafb"><code>00249eb</code></a>
build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.17 (<a
href="https://redirect.github.com/chainguard-dev/actions/issues/880">#880</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/chainguard-dev/actions/compare/0cba302c40fce067ec0d39f1d91b10580d4b06b0...c69a264ec2a5934c3186c618f368fc1c86f16cff">compare
view</a></li>
</ul>
</details>
<br />

Updates `sigstore/cosign-installer` from 4.1.1 to 4.1.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sigstore/cosign-installer/releases">sigstore/cosign-installer's
releases</a>.</em></p>
<blockquote>
<h2>v4.1.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Bump cosign to 3.0.6 in <a
href="https://redirect.github.com/sigstore/cosign-installer/pull/232">sigstore/cosign-installer#232</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/sigstore/cosign-installer/commit/6f9f17788090df1f26f669e9d70d6ae9567deba6"><code>6f9f177</code></a>
Bump cosign to 3.0.6 (<a
href="https://redirect.github.com/sigstore/cosign-installer/issues/232">#232</a>)</li>
<li><a
href="https://github.com/sigstore/cosign-installer/commit/b5e753ae2d39589c7b38850b463739151fc67f07"><code>b5e753a</code></a>
Bump actions/github-script from 8.0.0 to 9.0.0 (<a
href="https://redirect.github.com/sigstore/cosign-installer/issues/230">#230</a>)</li>
<li><a
href="https://github.com/sigstore/cosign-installer/commit/115e4ce455e573aa6e9ba51e8d040ddd5c1378af"><code>115e4ce</code></a>
Bump actions/setup-go from 6.3.0 to 6.4.0 (<a
href="https://redirect.github.com/sigstore/cosign-installer/issues/226">#226</a>)</li>
<li>See full diff in <a
href="https://github.com/sigstore/cosign-installer/compare/cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003...6f9f17788090df1f26f669e9d70d6ae9567deba6">compare
view</a></li>
</ul>
</details>
<br />

Updates `hashicorp/setup-terraform` from 4.0.0 to 4.0.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/hashicorp/setup-terraform/releases">hashicorp/setup-terraform's
releases</a>.</em></p>
<blockquote>
<h2>v4.0.1</h2>
<p>BUG FIXES:</p>
<ul>
<li>Fix Node 24 DEP0169 url.parse() deprecation warning by updating
<code>@​hashicorp/js-releases</code> to v1.7.7 (<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/549">#549</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/hashicorp/setup-terraform/blob/main/CHANGELOG.md">hashicorp/setup-terraform's
changelog</a>.</em></p>
<blockquote>
<h2>4.0.1 (2026-05-12)</h2>
<p>BUG FIXES:</p>
<ul>
<li>Fix Node 24 DEP0169 url.parse() deprecation warning by updating
<code>@​hashicorp/js-releases</code> to v1.7.7 (<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/549">#549</a>)</li>
</ul>
<h2>4.0.0 (2026-02-24)</h2>
<p>BREAKING CHANGES:</p>
<ul>
<li>Upgrade to Node.js 24 - setup-terraform now requires Node.js 24 (<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/503">#503</a>)</li>
</ul>
<h2>3.1.2 (2024-08-19)</h2>
<p>NOTES:</p>
<ul>
<li>This release introduces no functional changes. It does however
include dependency updates which address upstream CVEs. (<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/430">#430</a>)</li>
</ul>
<h2>3.1.1 (2024-05-07)</h2>
<p>BUG FIXES:</p>
<ul>
<li>wrapper: Fix wrapper to output to stdout and stderr immediately when
data is received (<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/395">#395</a>)</li>
</ul>
<h2>3.1.0 (2024-04-23)</h2>
<p>ENHANCEMENTS:</p>
<ul>
<li>Automatically fallback to darwin/amd64 for Terraform versions before
1.0.2 as releases for darwin/arm64 are not available (<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/409">#409</a>)</li>
</ul>
<h2>3.0.0 (2023-10-30)</h2>
<p>NOTES:</p>
<ul>
<li>Updated default runtime to node20 (<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/346">#346</a>)</li>
<li>The wrapper around the installed Terraform binary has been fixed to
return the exact STDOUT and STDERR from Terraform when executing
commands. Previous versions of setup-terraform may have required
workarounds to process the STDOUT in bash, such as filtering out the
first line or selectively parsing STDOUT with jq. These workarounds may
need to be adjusted with <code>v3.0.0</code>, which will now return just
the STDOUT/STDERR from Terraform with no errant characters/statements.
(<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/367">#367</a>)</li>
</ul>
<p>BUG FIXES:</p>
<ul>
<li>Fixed malformed stdout when wrapper is enabled (<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/367">#367</a>)</li>
</ul>
<h1>[2.0.3] (2022-11-01)</h1>
<h3>NOTES</h3>
<ul>
<li>Reduced occurrences of GitHub Actions warnings for setting output <a
href="https://redirect.github.com/hashicorp/setup-terraform/pull/247">#247</a></li>
</ul>
<h1>[2.0.2] (2022-10-12)</h1>
<h3>BUG FIXES</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/hashicorp/setup-terraform/commit/dfe3c3f87815947d99a8997f908cb6525fc44e9e"><code>dfe3c3f</code></a>
Update package version</li>
<li><a
href="https://github.com/hashicorp/setup-terraform/commit/61e02cfaae51652216689d0f5039f8961c9778d9"><code>61e02cf</code></a>
Update changelog</li>
<li><a
href="https://github.com/hashicorp/setup-terraform/commit/36079f969ac7c6b98d9dcda2c19f4e712e57e4a7"><code>36079f9</code></a>
fix: update <code>@​hashicorp/js-releases</code> to v1.7.7 to resolve
Node 24 DEP0169 warni...</li>
<li><a
href="https://github.com/hashicorp/setup-terraform/commit/af2ccf23849ea6681902b63ddd0c7cda8836d4a7"><code>af2ccf2</code></a>
update axios brace expansion flatted picomatch (<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/551">#551</a>)</li>
<li><a
href="https://github.com/hashicorp/setup-terraform/commit/5b1ab0e78ebe92dd62371fe966bbcaade67a56bd"><code>5b1ab0e</code></a>
Bump follow-redirects from 1.15.11 to 1.16.0 (<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/542">#542</a>)</li>
<li><a
href="https://github.com/hashicorp/setup-terraform/commit/ca190bffd60a22b94d9c768a629662e7ab234687"><code>ca190bf</code></a>
Bump miniscruff/changie-action in the github-actions group (<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/541">#541</a>)</li>
<li><a
href="https://github.com/hashicorp/setup-terraform/commit/30128a2540ad2f28092bd93ffff3b5dde1401edc"><code>30128a2</code></a>
chore: update CI node version from 20 to 24 (<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/544">#544</a>)</li>
<li><a
href="https://github.com/hashicorp/setup-terraform/commit/b0cc02d63867e0daaa034a47e2cdf5d525a863a1"><code>b0cc02d</code></a>
Bump undici from 6.23.0 to 6.24.1 (<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/539">#539</a>)</li>
<li><a
href="https://github.com/hashicorp/setup-terraform/commit/3d7cd03ed5908256196968397f60042ce8707128"><code>3d7cd03</code></a>
Update README.md with latest versions (<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/536">#536</a>)</li>
<li><a
href="https://github.com/hashicorp/setup-terraform/commit/fa682877de17bf470768b970f8dab06ac4bc9650"><code>fa68287</code></a>
Bump actions/setup-node from 6.2.0 to 6.3.0 in the github-actions group
(<a
href="https://redirect.github.com/hashicorp/setup-terraform/issues/537">#537</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/hashicorp/setup-terraform/compare/5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85...dfe3c3f87815947d99a8997f908cb6525fc44e9e">compare
view</a></li>
</ul>
</details>
<br />

Updates `zizmorcore/zizmor-action` from 0.5.3 to 0.5.6
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/zizmorcore/zizmor-action/releases">zizmorcore/zizmor-action's
releases</a>.</em></p>
<blockquote>
<h2>v0.5.6</h2>
<ul>
<li>1.25.2 is now available via the action</li>
<li>1.25.2 is now the default version of zizmor used by the action</li>
</ul>
<h2>v0.5.5</h2>
<p>This is a no-op release.</p>
<h2>v0.5.4</h2>
<ul>
<li>1.25.0 is now available via the action</li>
<li>1.25.0 is now the default version of zizmor used by the action</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/5f14fd08f7cf1cb1609c1e344975f152c7ee938d"><code>5f14fd0</code></a>
Sync zizmor versions (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/114">#114</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/a16621b09c6db4281f81a93cb393b05dcd7b7165"><code>a16621b</code></a>
Bump pins in README (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/112">#112</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/1c03e047a3633631b1e5648c48243045b1de0d25"><code>1c03e04</code></a>
chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3 in the
github-ac...</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/b572f7b1a1c2d41efaab43d504f68d215c3cd727"><code>b572f7b</code></a>
Sync zizmor versions (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/111">#111</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/06928c5dcba418c7d6108a4bd6e2d34cbf3c9377"><code>06928c5</code></a>
chore(deps): bump github/codeql-action in the github-actions group (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/109">#109</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/5ea8b96e1078453e04a1b81443890d9e7da5ddf3"><code>5ea8b96</code></a>
docs: Update link to GitHub docs (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/108">#108</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/849ac260951adeb7c02481da6c7e749b39f4ea6d"><code>849ac26</code></a>
chore(deps): bump the github-actions group with 2 updates (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/106">#106</a>)</li>
<li><a
href="https://github.com/zizmorcore/zizmor-action/commit/814f9778aceea8641503a8cd8f0cffebc55d790c"><code>814f977</code></a>
Bump pins in README (<a
href="https://redirect.github.com/zizmorcore/zizmor-action/issues/103">#103</a>)</li>
<li>See full diff in <a
href="https://github.com/zizmorcore/zizmor-action/compare/b1d7e1fb5de872772f31590499237e7cce841e8e...5f14fd08f7cf1cb1609c1e344975f152c7ee938d">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: dependabot[bot]

.github/workflows/actionlint.yaml

@@ -24,7 +24,7 @@ jobs:
     name: Action lint
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+      - uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
         with:
           egress-policy: block
           allowed-endpoints: >

.github/workflows/autodocs-platform.yaml

@@ -22,15 +22,15 @@ jobs:
 
     steps:
     - name: 'Github Actions Runner'
-      uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+      uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
       with:
         egress-policy: audit
 
     - name: 'Checkout default branch to $GITHUB_WORKSPACE dir'
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: 'Setup gitsign'
-      uses: chainguard-dev/actions/setup-gitsign@0cba302c40fce067ec0d39f1d91b10580d4b06b0 # v1.6.16
+      uses: chainguard-dev/actions/setup-gitsign@c69a264ec2a5934c3186c618f368fc1c86f16cff # v1.6.19
 
     - name: Authenticate to Google Cloud
       id: auth

.github/workflows/build-terminal-images.yaml

@@ -34,11 +34,11 @@ jobs:
 
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
         with:
           egress-policy: audit
 
-      - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+      - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
       - name: 'Checkout default branch to $GITHUB_WORKSPACE dir'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/check-links.yaml

@@ -26,7 +26,7 @@ jobs:
 
     steps:
       - name: 'Github Actions Runner'
-        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
         with:
           egress-policy: audit
 

.github/workflows/cloud-run.yaml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
     - name: 'Github Actions Runner'
-      uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+      uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
       with:
         egress-policy: audit
 
@@ -76,7 +76,7 @@ jobs:
         tags: '${{ secrets.REGISTRY_URL }}/${{ secrets.PROJECT_ID }}/${{ secrets.REPOSITORY }}/${{ secrets.SERVICE }}:${{ github.sha }}'
 
     # Attempt to deploy the terraform configuration
-    - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
+    - uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1
       with:
         terraform_version: '1.10.x'
     - env:

.github/workflows/compile-ai-docs-from-gcs.yaml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+      uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -210,7 +210,7 @@ jobs:
 
     - name: Install cosign
       if: github.ref == 'refs/heads/main'
-      uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+      uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
     - name: Login to GHCR
       if: github.ref == 'refs/heads/main'

.github/workflows/compile-docs-on-webhook.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
     - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+      uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
       with:
         egress-policy: audit
 

.github/workflows/compile-docs.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
     - name: Harden the runner
-      uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+      uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -166,7 +166,7 @@ jobs:
         tar -tzf chainguard-complete-docs.tar.gz > /dev/null
 
     - name: Install cosign
-      uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+      uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
     - name: Sign documentation with cosign
       run: |

.github/workflows/compile-public-docs.yml

@@ -37,7 +37,7 @@ jobs:
 
     steps:
     - name: Harden the runner
-      uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+      uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
       with:
         egress-policy: block
         allowed-endpoints: >
@@ -69,7 +69,7 @@ jobs:
         python-version: '3.10'
 
     - name: Install cosign
-      uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+      uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
     - name: Install dependencies
       run: |

.github/workflows/export-edu-docs-to-gcs.yaml

@@ -26,7 +26,7 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+      uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
       with:
         egress-policy: audit