
chore(deps): Update GitHub Actions#33

Closed
williaby wants to merge 1 commit into
mainfrom
renovate/github-actions

Conversation

@williaby (Contributor) commented May 8, 2026

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Package                      | Change              | Type   | Update | Pending
ByronWilliamsCPA/.github     | e8fc83c → 62bfd79   | action | digest |
actions/checkout             | v4.2.2 → v4.3.1     | action | minor  |
github/codeql-action         | v3.35.3 → v3.35.5   | action | patch  | v3.36.0
step-security/harden-runner  | v2.19.1 → v2.19.4   | action | patch  |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes


Release Notes

actions/checkout (actions/checkout)

v4.3.1

Compare Source

v4.3.0

Compare Source

github/codeql-action (github/codeql-action)

v3.35.5

Compare Source

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

v3.35.4

Compare Source

step-security/harden-runner (step-security/harden-runner)

v2.19.4

Compare Source

What's Changed
  • Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

Compare Source

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

Compare Source

What's Changed
  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2


Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


This PR has been generated by Renovate Bot.

coderabbitai Bot commented May 8, 2026

Walkthrough

Four CI workflow files are updated: CodeQL action bumped to v3.35.4, actions/checkout repinned to v4.3.1, and two reusable workflow uses references (supplemental-checks and sonarcloud) are repinned to new commit SHAs.

Changes

Workflow Dependency Updates

Layer                                  | File(s)                                                                  | Summary
GitHub Actions action version upgrades | .github/workflows/codeql.yml, .github/workflows/dependency-review.yml    | CodeQL action references updated to v3.35.4 for init/analyze steps; actions/checkout repinned to the commit for v4.3.1.
Reusable workflow pin updates          | .github/workflows/pr-validation.yml, .github/workflows/sonarcloud.yml    | The supplemental-checks and sonarcloud jobs now reference new pinned commit SHAs for their reusable workflows.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

security

Poem

🐰 I hopped through YAML, pins in paw,
Tiny SHAs I gently saw,
Bumped a version, nudged a line,
CI hums steady, tests align,
A carrot cheer for builds that thaw.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name                 | Status    | Explanation
Title check                | ✅ Passed | The title 'chore(deps): Update GitHub Actions' clearly and specifically describes the main change: updating GitHub Actions dependencies across multiple workflow files.
Docstring Coverage         | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check        | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Description Check          | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.


codecov Bot commented May 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@williaby williaby force-pushed the renovate/github-actions branch from 7784f9a to d3bdce9 Compare May 8, 2026 08:36
@williaby williaby changed the title chore(deps): Update GitHub Actions to v4.3.1 chore(deps): Update GitHub Actions May 8, 2026
@williaby williaby force-pushed the renovate/github-actions branch 4 times, most recently from 8828f9b to b62fb15 Compare May 10, 2026 20:24
Copilot AI review requested due to automatic review settings May 10, 2026 20:24
Copilot AI left a comment

Pull request overview

Updates pinned references for GitHub Actions workflows and reusable workflows to newer versions/commits as part of a scheduled dependency refresh (no intended API changes).

Changes:

  • Bump actions/checkout from v4.2.2 to v4.3.1 (pinned by commit SHA).
  • Update ByronWilliamsCPA/.github reusable workflow refs for SonarCloud and supplemental PR checks to a newer pinned commit.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/sonarcloud.yml Updates the pinned commit SHA for the org reusable SonarCloud workflow.
.github/workflows/pr-validation.yml Updates the pinned commit SHA for the org reusable supplemental PR checks workflow.
.github/workflows/dependency-review.yml Updates actions/checkout pin to v4.3.1 commit SHA.

Comment thread .github/workflows/sonarcloud.yml Outdated
jobs:
sonarcloud:
uses: ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml@8d4931cd477d32acb41f26b9227066d35f68f737 # main
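Review bot: the new digest 8d4931cd477d32acb41f26b9227066d35f68f737 on this uses line does not match the 62bfd79 digest that the PR description's update table lists for ByronWilliamsCPA/.github, so either the table or the pin is stale; confirm which commit on main was intended before merging, since the trailing `# main` is a comment only and does not constrain what the SHA resolves to.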
Comment thread .github/workflows/pr-validation.yml Outdated
# ==========================================================================
supplemental-checks:
uses: ByronWilliamsCPA/.github/.github/workflows/python-supplemental-checks.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-supplemental-checks.yml@8d4931cd477d32acb41f26b9227066d35f68f737 # main
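Review bot: python-supplemental-checks.yml and python-sonarcloud.yml are both pulled from the ByronWilliamsCPA/.github repository, and this hunk moves the pin to the same commit 8d4931cd477d32acb41f26b9227066d35f68f737 as the sonarcloud.yml hunk, which is the right outcome; keep both uses lines at one digest on every rebase so the two reusable workflows never run against different revisions of the shared checks.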
@williaby williaby force-pushed the renovate/github-actions branch 6 times, most recently from 31cd4a1 to 0b017b9 Compare May 14, 2026 17:33
Copilot AI review requested due to automatic review settings May 14, 2026 20:24
@williaby williaby force-pushed the renovate/github-actions branch from 0b017b9 to 58e9366 Compare May 14, 2026 20:24
Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

Comment on lines 34 to 36
sonarcloud:
uses: ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-sonarcloud.yml@a4fb54a1bec59ddd5f2a498caaa942c542a0631d # main
with:
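Review bot: this is the third digest proposed for the same uses line in this PR (e8fc83c98c2971ad1ece71573d28171463e30c16 originally, 8d4931cd477d32acb41f26b9227066d35f68f737 in the earlier review, now a4fb54a1bec59ddd5f2a498caaa942c542a0631d) while the description's update table is unchanged; state the currently intended digest in the description, or let the bot regenerate it, so a reviewer can check the pin against a declared target rather than against the previous force-push.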
Comment on lines 31 to 33
supplemental-checks:
uses: ByronWilliamsCPA/.github/.github/workflows/python-supplemental-checks.yml@e8fc83c98c2971ad1ece71573d28171463e30c16 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-supplemental-checks.yml@a4fb54a1bec59ddd5f2a498caaa942c542a0631d # main
with:
@williaby williaby force-pushed the renovate/github-actions branch 5 times, most recently from d1b7fb5 to 6d35b22 Compare May 15, 2026 23:35
@coderabbitai coderabbitai Bot added the ci label May 15, 2026
coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pr-validation.yml:
  • Line 32: The workflow references a reusable workflow commit SHA that doesn't match the PR objectives; update the commit digest used in the uses line (the string "ByronWilliamsCPA/.github/.github/workflows/python-supplemental-checks.yml@4e0fd54428d6745b04e2316f85d585109d7db02b") to the intended SHA (e067cdb7) or, if you intend to use the newer commit, update the PR description/objectives to state the newer digest (4e0fd54428d6745b04e2316f85d585109d7db02b) so both the code and PR objectives are consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 91afb571-ffbb-49c4-9f49-27e198b91c30

📥 Commits

Reviewing files that changed from the base of the PR and between c0eb24a and 6d35b22.

📒 Files selected for processing (4)
  • .github/workflows/codeql.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/sonarcloud.yml

Comment thread .github/workflows/pr-validation.yml Outdated
@williaby williaby force-pushed the renovate/github-actions branch 2 times, most recently from 03ba703 to 1a2f1c5 Compare May 16, 2026 05:39
@coderabbitai coderabbitai Bot added security and removed ci labels May 16, 2026
@williaby williaby force-pushed the renovate/github-actions branch 9 times, most recently from 358b7e9 to 78a0349 Compare May 21, 2026 23:38
@williaby williaby force-pushed the renovate/github-actions branch 3 times, most recently from 17509cb to b948fce Compare May 24, 2026 20:22
@williaby williaby force-pushed the renovate/github-actions branch from b948fce to 4be4000 Compare May 25, 2026 02:26

@williaby (Contributor, Author) commented

Closing this stale PR so Renovate can recreate it with GitHub native auto-merge attached.

Context: this PR was opened by Renovate v42.92 (or earlier), which did not enable GitHub native auto-merge on PR creation. After the self-hosted Renovate cutover to v43.150.0 (homelab-infra commit 425, 2026-05-25), platformAutomerge defaults to true and new PRs are auto-merged once required checks pass. Renovate does not retroactively click the auto-merge button on existing PRs, so closing is the cleanest path: the bot will recreate this on the next run with auto-merge already enabled.

No code review needed; just closing for hygiene.

@williaby williaby closed this May 26, 2026

2 participants