
chore(deps): Update GitHub Actions#57

Merged
williaby merged 3 commits into
mainfrom
renovate/github-actions
May 28, 2026

Conversation

@williaby
Contributor

@williaby williaby commented May 28, 2026

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Package                               Change               Type     Update
ByronWilliamsCPA/.github (changelog)  961eb17 -> 74c633a   action   digest
github/codeql-action                  v4.35.5 -> v4.36.0   action   minor
redis                                 d146f83 -> 0916059   service  digest

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes


Release Notes

github/codeql-action (github/codeql-action)

v4.36.0

Compare Source

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893
  • Update default CodeQL bundle version to 2.25.5. #3926

Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "after 10pm every weekday,before 5am every weekday,every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Summary by CodeRabbit

  • Chores
    • Updated continuous integration and deployment pipeline workflow configurations to current versions for improved reliability and compatibility.

Review Change Stack

Copilot AI review requested due to automatic review settings May 28, 2026 04:43
@coderabbitai

coderabbitai Bot commented May 28, 2026

Warning

Review limit reached

@williaby, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 20 minutes and 31 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: dc3fcc78-bb92-48b1-a1d5-b95755f9549e

📥 Commits

Reviewing files that changed from the base of the PR and between 7444e7b and 94b0fba.

📒 Files selected for processing (1)
  • .github/workflows/sbom.yml

Walkthrough

This PR updates GitHub Actions workflow dependencies across 18 files. The primary change pins 16 ByronWilliamsCPA/.github reusable workflows to a new commit SHA, alongside bumping the CodeQL action to v4.36.0 and updating the Redis container image digest.

Changes

GitHub Actions Workflow Dependencies Update

Layer / File(s) Summary
Org-level reusable workflow SHA updates
.github/workflows/ci.yml, codecov.yml, container-security.yml, coverage.yml, docs.yml, mutation-testing.yml, performance-regression.yml, pr-validation.yml, publish-pypi.yml, python-compatibility.yml, qlty.yml, release.yml, sbom.yml, scorecard.yml, security-analysis.yml, sonarcloud.yml
All references to ByronWilliamsCPA/.github reusable workflows across CI validation, analysis, coverage, release, and testing pipelines are pinned to the new commit SHA 74c633acfdd5f707ab154fd59bd212c6df663dd6 (replacing 961eb17d8e9b7fe0d8bfc5dbe9d23c824484fb11).
External action and container image updates
.github/workflows/codeql.yml, postman-api-tests.yml
GitHub CodeQL action steps are updated from v4.35.5 to v4.36.0 in initialization and analysis, and the Redis service container image digest is updated in the Postman API test workflow.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

Possibly related PRs

Suggested labels

ci, security

Poem

🐰 With whiskers twitching, I spotted the changes,
Seventeen workflows dance through new ranges,
Pinned SHAs updated, CodeQL ascends,
Redis flows faster—the dependency never ends! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title 'chore(deps): Update GitHub Actions' accurately describes the main change—updating GitHub Actions workflow references and digests across 16 workflow files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@github-actions

github-actions Bot commented May 28, 2026

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 3 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/pr-validation.yml

Package                                                   Version                                   License  Issue Type
ByronWilliamsCPA/.github/.github/workflows/python-ci.yml  74c633acfdd5f707ab154fd59bd212c6df663dd6  Null     Unknown License

.github/workflows/sbom.yml

Package                                                     Version                                   License  Issue Type
ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml  e070932adbacf11d72cf6fab5962c9398621104c  Null     Unknown License

.github/workflows/sonarcloud.yml

Package                                                           Version                                   License  Issue Type
ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml  74c633acfdd5f707ab154fd59bd212c6df663dd6  Null     Unknown License
Denied Licenses: GPL-2.0, GPL-3.0

OpenSSF Scorecard

Package                                                                      Version                                   Score    Details
actions/ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml  74c633acfdd5f707ab154fd59bd212c6df663dd6  Unknown  Unknown
actions/ByronWilliamsCPA/.github/.github/workflows/python-ci.yml             74c633acfdd5f707ab154fd59bd212c6df663dd6  Unknown  Unknown
actions/ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml           e070932adbacf11d72cf6fab5962c9398621104c  Unknown  Unknown
actions/ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml     74c633acfdd5f707ab154fd59bd212c6df663dd6  Unknown  Unknown

Scanned Files

  • .github/workflows/coverage.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/sbom.yml
  • .github/workflows/sonarcloud.yml

@github-actions

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.33 2.23 -4.5%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.93 1.91 📉 -0.9%
p95_ms 2.33 2.23 📉 -4.5%
p99_ms 3.51 2.34 📉 -33.4%
mean_ms 1.41 1.36 📉 -3.5%
min_ms 0.05 0.05 📉 -3.8%
max_ms 3.57 2.38 📉 -33.5%
throughput_ops 710.56 736.55 📈 3.7%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.93 0.90 📉 -3.3%
avg_throughput_all_benchmarks_ops 1141106.73 1150262.32 📈 0.8%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 


Copilot AI left a comment


Pull request overview

Renovate dependency update bumping pinned SHAs for the shared ByronWilliamsCPA/.github reusable workflows, github/codeql-action (v4.35.5 → v4.36.0), and the redis:8-alpine service image digest used by Postman API tests.

Changes:

  • Update all reusable workflow references from SHA 961eb17 to e75a86b across 15 workflow files.
  • Bump github/codeql-action/init and analyze from v4.35.5 to v4.36.0 (new SHA 7211b7c).
  • Update redis:8-alpine image digest in postman-api-tests.yml.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated no comments.

Show a summary per file
File Description
.github/workflows/ci.yml Bump reusable python-ci.yml SHA
.github/workflows/codecov.yml Bump reusable python-codecov.yml SHA
.github/workflows/codeql.yml Upgrade codeql-action init/analyze to v4.36.0
.github/workflows/container-security.yml Bump reusable python-container-security.yml SHA
.github/workflows/coverage.yml Bump reusable python-qlty-coverage.yml SHA
.github/workflows/docs.yml Bump reusable python-docs.yml SHA
.github/workflows/mutation-testing.yml Bump reusable python-mutation.yml SHA
.github/workflows/performance-regression.yml Bump reusable python-performance-regression.yml SHA
.github/workflows/postman-api-tests.yml Update redis:8-alpine image digest
.github/workflows/pr-validation.yml Bump reusable python-ci.yml SHA
.github/workflows/publish-pypi.yml Bump reusable python-publish-pypi.yml SHA
.github/workflows/python-compatibility.yml Bump reusable python-compatibility.yml SHA
.github/workflows/qlty.yml Bump reusable python-qlty-coverage.yml SHA
.github/workflows/release.yml Bump reusable python-release.yml SHA
.github/workflows/sbom.yml Bump reusable python-sbom.yml SHA
.github/workflows/scorecard.yml Bump reusable python-scorecard.yml SHA
.github/workflows/security-analysis.yml Bump reusable python-security-analysis.yml SHA
.github/workflows/sonarcloud.yml Bump reusable python-sonarcloud.yml SHA

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@williaby williaby force-pushed the renovate/github-actions branch from 3dbb217 to d8c2198 Compare May 28, 2026 08:16
@github-actions

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.27 2.24 -1.4%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.93 1.93 📉 -0.3%
p95_ms 2.27 2.24 📉 -1.4%
p99_ms 2.37 2.35 📉 -0.7%
mean_ms 1.37 1.37 📉 -0.3%
min_ms 0.05 0.05 ➡️ 0.0%
max_ms 2.40 2.42 📈 0.6%
throughput_ops 728.91 731.17 📈 0.3%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.91 0.90 📉 -0.2%
avg_throughput_all_benchmarks_ops 1083771.22 1151461.87 📈 6.2%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby williaby force-pushed the renovate/github-actions branch from d8c2198 to 7fa8326 Compare May 28, 2026 14:13
@github-actions

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.30 2.28 -0.7%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.90 1.93 📈 1.5%
p95_ms 2.30 2.28 📉 -0.7%
p99_ms 2.39 2.40 📈 0.3%
mean_ms 1.36 1.38 📈 1.0%
min_ms 0.05 0.05 ➡️ 0.0%
max_ms 2.43 2.51 📈 3.2%
throughput_ops 733.77 726.46 📉 -1.0%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.92 0.91 📉 -1.0%
avg_throughput_all_benchmarks_ops 1163699.79 1139651.94 📉 -2.1%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@williaby
Contributor Author

@copilot resolve the merge conflicts in this pull request

@williaby williaby enabled auto-merge (squash) May 28, 2026 16:31
auto-merge was automatically disabled May 28, 2026 16:32

Head branch was pushed to by a user without write access

Contributor

Copilot AI commented May 28, 2026

@copilot resolve the merge conflicts in this pull request

Merge conflicts resolved in commit 7444e7b. The conflict in .github/workflows/release.yml was between the updated SHA (74c633a) from this renovate branch and the if: guard condition added to main in #58. The resolved file retains both: the updated SHA and the if condition that prevents releases when CI has not succeeded.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/postman-api-tests.yml (1)

65-67: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add persist-credentials: false to checkout step.

actions/checkout currently persists the token in local git config on the runner. Explicitly disable persistence for hardening.

🔧 Suggested fix
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
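Review bot: agree with adding `persist-credentials: false` on this step; the caveat for the fix is that it stops actions/checkout from writing the GITHUB_TOKEN into the checked-out repository's local git config, so any later step in this job that runs `git push` or fetches a private ref has to be handed the token explicitly (for example via `token:` on that step), while steps that only call the REST API or talk to the Redis service container are unaffected.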

Based on learnings: In all GitHub Actions workflow YAML files under .github/workflows, ensure every actions/checkout step includes persist-credentials: false.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/postman-api-tests.yml around lines 65 - 67, The checkout
step currently uses actions/checkout@... without disabling token persistence;
update the checkout step that uses "actions/checkout" to include
persist-credentials: false so the runner does not write the GITHUB_TOKEN into
local git config (locate the checkout step with the "uses: actions/checkout"
entry and add the persist-credentials: false key under that step).
.github/workflows/performance-regression.yml (1)

61-63: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add persist-credentials: false to the actions/checkout step

In .github/workflows/performance-regression.yml, the Checkout repository step (actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) lacks with: persist-credentials: false, so the token can be persisted in the runner’s git config.

🔒 Proposed fix
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
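Review bot: same hardening as in postman-api-tests.yml; when applying it keep the `# v6.0.2` comment on the `uses:` line beside the pinned SHA, since that comment is what Renovate reads to know which release the digest stands for when it raises the pin later.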
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/performance-regression.yml around lines 61 - 63, The
checkout step using actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
should explicitly disable token persistence; update the "Checkout repository"
step to add a with: block that sets persist-credentials: false so the runner
does not write the GITHUB_TOKEN into git config (locate the step named "Checkout
repository" that references actions/checkout@de0fac2e... and add the
with:persist-credentials: false entry).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1cb70355-0183-49ca-9d79-9b8f28d361ad

📥 Commits

Reviewing files that changed from the base of the PR and between 31f4d5b and 7444e7b.

📒 Files selected for processing (18)
  • .github/workflows/ci.yml
  • .github/workflows/codecov.yml
  • .github/workflows/codeql.yml
  • .github/workflows/container-security.yml
  • .github/workflows/coverage.yml
  • .github/workflows/docs.yml
  • .github/workflows/mutation-testing.yml
  • .github/workflows/performance-regression.yml
  • .github/workflows/postman-api-tests.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/publish-pypi.yml
  • .github/workflows/python-compatibility.yml
  • .github/workflows/qlty.yml
  • .github/workflows/release.yml
  • .github/workflows/sbom.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/security-analysis.yml
  • .github/workflows/sonarcloud.yml
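The review above asks for `persist-credentials: false` on two checkout steps, and the PR itself is entirely about keeping `uses:` references and the Redis image pinned to immutable commit SHAs and digests. The script below is an added example for this thread, not code from the repository or from the ByronWilliamsCPA/.github workflows. It reads a workflow file line by line (no PyYAML dependency, and it assumes the two-space indentation GitHub workflows conventionally use) and reports any `uses:` that is not pinned to a 40-hex commit SHA with a version comment beside it, any service `image:` without a sha256 digest, and any actions/checkout step that lacks `persist-credentials: false`. The embedded sample workflow is constructed: the checkout SHA and the reusable-workflow SHA are the ones quoted in this PR, the Redis digest is made up.

```python
"""Audit a GitHub Actions workflow for pinning and checkout hardening.

Added example, not code from the repository or the org workflows. Checks:
  - every `uses:` pinned to a full 40-hex commit SHA, with a `# vX.Y.Z` comment
  - every service `image:` pinned by sha256 digest
  - every actions/checkout step carrying `persist-credentials: false`
"""
import re

SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# `uses: owner/repo[/path]@ref  # comment`, as a step (`- uses:`) or a job-level reusable-workflow call
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s@#]+)@([^\s#]+)\s*(#.*)?$")
IMAGE_RE = re.compile(r"^\s*image:\s*(\S+)")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\b")

# Constructed sample. Checkout SHA and reusable-workflow SHA are from this PR; the redis digest is made up.
SAMPLE_WORKFLOW = """\
name: postman-api-tests
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    services:
      redis:
        image: redis:8-alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      cache:
        image: memcached:1.6
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Hardened checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
  sbom:
    uses: ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml@e070932adbacf11d72cf6fab5962c9398621104c
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _step_has_persist_false(lines, uses_idx, key_indent):
    """Scan the rest of the step owning lines[uses_idx] for `persist-credentials: false`.

    Lines indented at least as deep as the `uses:` key belong to the same step;
    the first shallower non-blank line starts the next step, job, or key.
    """
    for line in lines[uses_idx + 1:]:
        if not line.strip():
            continue
        if _indent(line) < key_indent:
            break
        if PERSIST_FALSE_RE.match(line):
            return True
    return False


def audit_workflow(text):
    """Return (line_number, kind, detail) findings in file order; empty list means clean."""
    findings = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        lineno = idx + 1
        m = IMAGE_RE.match(line)
        if m and not DIGEST_RE.search(m.group(1)):
            findings.append((lineno, "unpinned-image", m.group(1)))
            continue
        m = USES_RE.match(line)
        if not m:
            continue  # local actions (`uses: ./...`) carry no @ref and need no pin
        ref, version, comment = m.groups()
        if not SHA40_RE.match(version):
            findings.append((lineno, "mutable-ref", f"{ref}@{version}"))
        elif not comment:
            # Renovate reads the `# vX.Y.Z` comment to know which release the SHA stands for
            findings.append((lineno, "no-version-comment", ref))
        if ref.startswith("actions/checkout"):
            key_indent = line.index("uses:")
            if not _step_has_persist_false(lines, idx, key_indent):
                findings.append((lineno, "persist-credentials", ref))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind}: {detail}")
```

On the sample it reports the unpinned memcached image, the first checkout step without `persist-credentials: false`, the tag-pinned setup-python step, and the reusable-workflow call that has a SHA but no version comment; the hardened checkout passes. Run it over `.github/workflows/*.yml` in a pre-commit hook or a CI job and fail on a non-empty result.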

@williaby
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@github-actions

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.22 2.13 -4.1%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.83 1.82 📉 -0.5%
p95_ms 2.22 2.13 📉 -4.1%
p99_ms 2.29 2.23 📉 -2.6%
mean_ms 1.32 1.30 📉 -1.4%
min_ms 0.05 0.05 📈 4.0%
max_ms 2.46 2.25 📉 -8.8%
throughput_ops 755.14 766.52 📈 1.5%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.90 0.86 📉 -4.4%
avg_throughput_all_benchmarks_ops 1006857.34 1069262.26 📈 6.2%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

The org python-sbom.yml at 74c633a used `--sbom=sbom-runtime.json`
against osv-scanner-action v2.3.8, which now requires the SBOM filename
to encode the format in the extension (e.g. .cdx.json). This caused
exit code 127 at parse time.

Points sbom.yml at e070932 which renames the artifact to
sbom-runtime.cdx.json throughout and migrates the deprecated --sbom
flag to -L.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
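The commit message above describes the failure mode: osv-scanner v2 takes the SBOM format from the filename suffix, so `sbom-runtime.json` fails at parse time while `sbom-runtime.cdx.json` is accepted. The snippet below is an added example, not the org workflow's own code. It decides the format from the document body rather than trusting the name, returns the filename the scanner will accept (replacing a wrong suffix rather than appending to it), and builds the invocation from that. The two sample documents are constructed, and the `osv-scanner -L <file>` form is taken from the commit message, not verified against the tool here.

```python
"""Give an SBOM the filename osv-scanner will parse.

Added example, not the org python-sbom.yml's code. The format is sniffed from
the JSON body so a misnamed file (SPDX suffix on a CycloneDX document, or a
bare .json) is renamed to what it actually is before the scanner sees it.
"""
import json

SUFFIXES = {"cyclonedx": ".cdx.json", "spdx": ".spdx.json"}

# Constructed minimal documents, just enough to carry the format markers.
CYCLONEDX_DOC = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []})
SPDX_DOC = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": []})


def detect_sbom_format(document):
    """Return "cyclonedx", "spdx", or None from the document body, ignoring its filename."""
    try:
        data = json.loads(document)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict):
        return None
    if data.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "spdxVersion" in data:
        return "spdx"
    return None


def scanner_filename(path, document):
    """Return `path` renamed so its suffix matches what the document actually is."""
    fmt = detect_sbom_format(document)
    if fmt is None:
        raise ValueError(f"{path}: not a CycloneDX or SPDX JSON document")
    stem = path
    # Strip a format suffix first, then a bare .json, so a wrong suffix is replaced, not stacked.
    for suffix in (*SUFFIXES.values(), ".json"):
        if stem.endswith(suffix):
            stem = stem[: -len(suffix)]
            break
    return stem + SUFFIXES[fmt]


def osv_scanner_argv(path, document):
    """Command line for the renamed file; -L is the flag the commit message migrated --sbom to (assumed form)."""
    return ["osv-scanner", "-L", scanner_filename(path, document)]


if __name__ == "__main__":
    print(osv_scanner_argv("sbom-runtime.json", CYCLONEDX_DOC))
```

In a workflow, rename the artifact with `scanner_filename` (or just emit the `.cdx.json` name from the generator) before the scan step, and keep the same name in the upload step so the SBOM artifact and the scanned file are the one file.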
@github-actions

✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.44 2.55 +4.7%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.99 2.05 📈 3.0%
p95_ms 2.44 2.55 📈 4.7%
p99_ms 2.60 2.63 📈 1.4%
mean_ms 1.44 1.48 📈 3.1%
min_ms 0.05 0.05 📉 -1.9%
max_ms 2.67 2.90 📈 8.5%
throughput_ops 694.85 673.78 📉 -3.0%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 0.96 0.97 📈 0.9%
avg_throughput_all_benchmarks_ops 1047526.39 945616.97 📉 -9.7%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@sonarqubecloud

@williaby williaby merged commit fe8761e into main May 28, 2026
46 checks passed
@williaby williaby deleted the renovate/github-actions branch May 28, 2026 19:09


4 participants