ci(deps): bump the github-actions group with 4 updates

[dependabot]

Bumps the github-actions group with 4 updates: zizmorcore/zizmor-action, github/codeql-action, philips-software/amp-devcontainer and anchore/sbom-action.

Updates zizmorcore/zizmor-action from 0.4.1 to 0.5.0

Release notes

Sourced from zizmorcore/zizmor-action's releases.

v0.5.0

What's Changed

• Expose output-file as an output when advanced-security: true by @​unlobito in zizmorcore/zizmor-action#87

New Contributors

• @​unlobito made their first contribution in zizmorcore/zizmor-action#87

Full Changelog: zizmorcore/zizmor-action@v0.4.1...v0.5.0

Commits

• 0dce257 chore(deps): bump peter-evans/create-pull-request (#88)
• fb94974 Expose output-file as an output when advanced-security: true (#87)
• 867562a chore(deps): bump the github-actions group with 2 updates (#85)
• 7462f07 Bump pins in README (#84)
• See full diff in compare view

Updates github/codeql-action from 4.31.10 to 4.32.2

Release notes

Sourced from github/codeql-action's releases.

v4.32.2

• Update default CodeQL bundle version to 2.24.1. #3460

v4.32.1

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #3421

v4.32.0

• Update default CodeQL bundle version to 2.24.0. #3425

v4.31.11

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #3409
• Improved error handling throughout the CodeQL Action. #3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #3403

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.32.2 - 05 Feb 2026

• Update default CodeQL bundle version to 2.24.1. #3460

4.32.1 - 02 Feb 2026

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #3421

4.32.0 - 26 Jan 2026

• Update default CodeQL bundle version to 2.24.0. #3425

4.31.11 - 23 Jan 2026

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #3409
• Improved error handling throughout the CodeQL Action. #3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #3403

4.31.10 - 12 Jan 2026

• Update default CodeQL bundle version to 2.23.9. #3393

4.31.9 - 16 Dec 2025

No user facing changes.

4.31.8 - 11 Dec 2025

• Update default CodeQL bundle version to 2.23.8. #3354

4.31.7 - 05 Dec 2025

• Update default CodeQL bundle version to 2.23.7. #3343

4.31.6 - 01 Dec 2025

No user facing changes.

4.31.5 - 24 Nov 2025

... (truncated)

Commits

• 45cbd0c Merge pull request #3461 from github/update-v4.32.2-7aee93297
• cb528be Update changelog for v4.32.2
• 7aee932 Merge pull request #3460 from github/update-bundle/codeql-bundle-v2.24.1
• b5f028a Merge pull request #3457 from github/dependabot/npm_and_yarn/npm-minor-4c1fc3...
• 9702c27 Merge branch 'main' into dependabot/npm_and_yarn/npm-minor-4c1fc3d0aa
• c36c948 Add changelog note
• 3d03318 Update default bundle to codeql-bundle-v2.24.1
• 77591e2 Merge pull request #3459 from github/copilot/fix-github-actions-workflow-again
• 7a44a9d Fix Rebuild Action workflow by adding --no-edit flag to git merge --continue
• e2ac371 Initial plan
• Additional commits viewable in compare view

Updates philips-software/amp-devcontainer from 6.6.2 to 6.8.0

Release notes

Sourced from philips-software/amp-devcontainer's releases.

v6.8.0

6.8.0 (2026-02-05)

📋 Summary

This release updates LLVM/Clang to version 20 in amp-devcontainer-cpp, CPM.cmake is updated to version 0.42.1.

🔖 Packages

Container	Full identifier
amp-devcontainer-base	ghcr.io/philips-software/amp-devcontainer-base:v6.8.0@sha256:030326f1971e6474dcdd58f152e0f02a1d737b1b0a9b0d045a9ee0bcac76b601
amp-devcontainer-cpp	ghcr.io/philips-software/amp-devcontainer-cpp:v6.8.0@sha256:5c6d33d6d4642163481eb5cab49ccd861be6b558c45b4902616bc653c7e22e2a
amp-devcontainer-rust	ghcr.io/philips-software/amp-devcontainer-rust:v6.8.0@sha256:a6f75a8b35d9d713431c1e26914deea6a13a5b321da865de224e40d7e51f3cb5

Features

• Update LLVM/Clang to version 20 (#1125) (20dddd7)

Chores

• deps: Update CPM to version 0.42.1 (#1126) (fea1e09)

v6.7.2

6.7.2 (2026-02-04)

📋 Summary

The devcontainer flavors published as part of amp-devcontainer are now listed on containers.dev, and can be directly used from supporting tooling (like the devcontainer cli, or VS Code).

In amp-devcontainer-cpp, Mull is updated to version 0.29.0.

Several Extensions have been updated to the latest version.

[!NOTE]

This is the last release of amp-devcontainer-cpp that is based upon LLVM/Clang 19, the next release will include an update to LLVM/Clang 20.

🔖 Packages

Container	Full identifier
amp-devcontainer-base	ghcr.io/philips-software/amp-devcontainer-base:v6.7.2@sha256:d78cffe713847ecc5a5c038c8e0393322d6323752823694be6c904dff71e34f9
amp-devcontainer-cpp	ghcr.io/philips-software/amp-devcontainer-cpp:v6.7.2@sha256:8e45c04483ce4a1ed8dd40172580ae28326031d8ffd5f157c8325fe096369634
amp-devcontainer-rust	ghcr.io/philips-software/amp-devcontainer-rust:v6.7.2@sha256:55afae1966bfe135ff090a57174cfa186063c50002c5035b4e203adf3f8b147b

Bug Fixes

• Update devcontainer template structure (#1132) (ef21f17)

... (truncated)

Changelog

Sourced from philips-software/amp-devcontainer's changelog.

CHANGELOG

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

6.8.0 (2026-02-05)

Features

• Update LLVM/Clang to version 20 (#1125) (20dddd7)

Chores

• deps: Update CPM to version 0.42.1 (#1126) (fea1e09)

6.7.2 (2026-02-04)

Bug Fixes

• Update devcontainer template structure (#1132) (ef21f17)

Chores

• deps, cpp: Update github.vscode-github-actions, ms-vscode.cmake-tools, sonarsource.sonarlint-vscode, usernamehw.errorlens in devcontainer.json (#1122) (07f8c44)
• deps, cpp: Update ms-vscode.cmake-tools, sonarsource.sonarlint-vscode in devcontainer-metadata.json (#1121) (8b663ed)
• deps, cpp: Update ms-vscode.cpptools, sonarsource.sonarlint-vscode in devcontainer-metadata.json (#1127) (c0081cf)
• deps, cpp: Update ms-vscode.cpptools, sonarsource.sonarlint-vscode in devcontainer.json (#1129) (4615474)
• deps, cpp: Update mull-19 (#1131) (8ccc9eb)
• deps, rust: Update github.vscode-github-actions, github.vscode-pull-request-github, rust-lang.rust-analyzer, sonarsource.sonarlint-vscode, usernamehw.errorlens in devcontainer.json (#1130) (b93db92)
• deps, rust: Update rust-lang.rust-analyzer in devcontainer-metadata.json (#1128) (7626d5b)
• deps, rust: Update rust-lang.rust-analyzer, usernamehw.errorlens in devcontainer-metadata.json (#1123) (f69df6d)

6.7.1 (2026-01-27)

Bug Fixes

• Expose enable-edge-tag on reusable workflow (#1098) (5d8ba52)

Chores

• Add checksum to umbrella certificate (#1089) (f42f104)
• deps, cpp: Update github.vscode-github-actions, sonarsource.sonarlint-vscode in devcontainer.json (#1106) (36f7684)
• deps, cpp: Update llvm-vs-code-extensions.vscode-clangd, sonarsource.sonarlint-vscode in devcontainer-metadata.json (#1105) (30b6a59)

... (truncated)

Commits

• 0b102f3 chore(main): release 6.8.0 (#1133)
• 20dddd7 feat: update LLVM/Clang to version 20 (#1125)
• fea1e09 chore(deps): update CPM to version 0.42.1 (#1126)
• 44e57c1 chore(main): release 6.7.2 (#1124)
• ef21f17 fix: update devcontainer template structure (#1132)
• c0081cf chore(deps, cpp): update ms-vscode.cpptools, sonarsource.sonarlint-vscode in ...
• 7626d5b chore(deps, rust): update rust-lang.rust-analyzer in devcontainer-metadata.js...
• b93db92 chore(deps, rust): update github.vscode-github-actions, github.vscode-pull-re...
• 4615474 chore(deps, cpp): update ms-vscode.cpptools, sonarsource.sonarlint-vscode in ...
• 8ccc9eb chore(deps, cpp): update mull-19 (#1131)
• Additional commits viewable in compare view

Updates anchore/sbom-action from 0.21.1 to 0.22.2

Release notes

Sourced from anchore/sbom-action's releases.

v0.22.2

⬆️ Dependencies

• chore(deps): bump fast-xml-parser from 5.3.3 to 5.3.4 (#581) [@dependabot[bot]]
• chore(deps): update Syft to v1.41.2 (#582) [@anchore-actions-token-generator[bot]]
• chore(deps-dev): bump the dev-dependencies group with 2 updates (#580) [@dependabot[bot]]
• chore(deps): update Syft to v1.41.1 (#579) [@anchore-actions-token-generator[bot]]

v0.22.1

⬆️ Dependencies

• chore(deps): update Syft to v1.41.0 (#576) [@anchore-actions-token-generator[bot]]
• chore(deps): bump lodash from 4.17.21 to 4.17.23 (#573) [@dependabot[bot]]

v0.22.0

Changes in v0.22.0

⬆️ Dependencies

• chore(deps-dev): bump the dev-dependencies group with 19 updates (#566) [@​dependabot]
• chore(deps): bump npm-check-updates from 17.1.3 to 19.3.1 (#567) [@​dependabot]
• chore(deps): update Syft to v1.40.1 (#563) [@​anchore-actions-token-generator[bot]]

Commits

• 28d7154 chore(deps): bump fast-xml-parser from 5.3.3 to 5.3.4 (#581)
• 5e35834 chore(deps): update Syft to v1.41.2 (#582)
• a30a06a chore(deps-dev): bump the dev-dependencies group with 2 updates (#580)
• 750e84c chore(deps): update Syft to v1.41.1 (#579)
• 5620efe chore(deps): bump release-drafter/release-drafter from 6.1.0 to 6.2.0 (#578)
• ec824c7 chore(deps): bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 (#577)
• deef08a chore(deps): update Syft to v1.41.0 (#576)
• f139ded chore(deps): bump lodash from 4.17.21 to 4.17.23 (#573)
• 1b05262 chore(deps): bump zizmorcore/zizmor-action from 0.3.0 to 0.4.1 (#575)
• 1e8f28d chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#574)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	21		0	0	0.62s
✅ DOCKERFILE	hadolint	3		0	0	0.83s
✅ GHERKIN	gherkin-lint	6		0	0	2.67s
✅ JSON	npm-package-json-lint	yes		no	no	0.42s
✅ JSON	prettier	21	4	0	0	0.55s
✅ JSON	v8r	21		0	0	7.39s
✅ MARKDOWN	markdownlint	12	0	0	0	1.03s
✅ MARKDOWN	markdown-table-formatter	12	0	0	0	0.27s
✅ REPOSITORY	checkov	yes		no	no	18.22s
✅ REPOSITORY	gitleaks	yes		no	no	0.58s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
⚠️ REPOSITORY	grype	yes		no	20	31.63s
✅ REPOSITORY	secretlint	yes		no	no	0.95s
✅ REPOSITORY	syft	yes		no	no	1.97s
✅ REPOSITORY	trivy	yes		no	no	6.62s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.23s
✅ REPOSITORY	trufflehog	yes		no	no	2.29s
⚠️ SPELL	lychee	81		3	0	21.84s
✅ YAML	prettier	29	0	0	0	0.98s
✅ YAML	v8r	29		0	0	8.04s
✅ YAML	yamllint	29		0	0	0.89s

Detailed Issues

⚠️ REPOSITORY / grype - 20 warnings

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/continuous-integration.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/image-cleanup.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/issue-cleanup.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/issue-creation-tool-versions.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/linting-formatting.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/ossf-scorecard.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/pr-conventional-title.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/pr-image-cleanup.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/pr-report.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/release-build.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/release-please.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/update-dependencies.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/vulnerability-scan.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-acceptance-test.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-build-push.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-dependency-review.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-document-generation.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-integration-test.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-publish-templates.yml

warning: A medium vulnerability in github-action package: step-security/harden-runner, version v2.14.1 was found at: /.github/workflows/wc-sanitize-image-name.yml

warning: 20 warnings emitted

⚠️ SPELL / lychee - 3 errors

[IGNORED] docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a | Unsupported: Error creating request client: builder error for url (docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a)
[ERROR] https://www.contributor-covenant.org/version/2/0/code_of_conduct.html | Network error: error sending request for url (https://www.contributor-covenant.org/version/2/0/code_of_conduct.html) Maybe a certificate error?
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden
[IGNORED] https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer | Unsupported: Error creating request client: builder error for url (vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer)
[ERROR] https://docs.sigstore.dev/cosign/verifying/verify/ | Network error: error sending request for url (https://docs.sigstore.dev/cosign/verifying/verify/) Maybe a certificate error?
📝 Summary
---------------------
🔍 Total..........126
✅ Successful.....121
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........3

Errors in README.md
[ERROR] https://docs.sigstore.dev/cosign/verifying/verify/ | Network error: error sending request for url (https://docs.sigstore.dev/cosign/verifying/verify/) Maybe a certificate error?

Errors in .github/CODE_OF_CONDUCT.md
[ERROR] https://www.contributor-covenant.org/version/2/0/code_of_conduct.html | Network error: error sending request for url (https://www.contributor-covenant.org/version/2/0/code_of_conduct.html) Maybe a certificate error?

Errors in .github/TOOL_VERSION_ISSUE_TEMPLATE.md
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.3.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,GHERKIN_GHERKIN_LINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-base:edge ➔ ghcr.io/philips-software/amp-devcontainer-base:pr-1151

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	174.05 MB	174.05 MB	984 B (0%)	🔽
linux/arm64	166.57 MB	166.57 MB	123 B (0%)	🔽

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-rust:edge ➔ ghcr.io/philips-software/amp-devcontainer-rust:pr-1151

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	554.46 MB	554.46 MB	774 B (0%)	🔽
linux/arm64	508.69 MB	508.69 MB	+500 B (+0%)	🔼

[github-actions]

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-cpp:edge ➔ ghcr.io/philips-software/amp-devcontainer-cpp:pr-1151

📈 Size Comparison Table

OS/Platform	Previous	Current	Change	Trend
linux/amd64	695.77 MB	695.76 MB	1.48 kB (0%)	🔽
linux/arm64	676.63 MB	676.63 MB	95 B (0%)	🔽

[github-actions]

Test Results

 7 files  ±0   7 suites  ±0   3m 55s ⏱️ -2s
33 tests ±0  33 ✅ ±0  0 💤 ±0  0 ❌ ±0 
69 runs  ±0  69 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 4e19570. ± Comparison against base commit 02d75f0.

[github-actions]

Pull Request Report (#1151)

Static measures

Description	Value
Number of added lines	6
Number of deleted lines	6
Number of changed files	4
Number of commits	1
Number of reviews	1
Number of comments (w/o review comments)	6
Number of reviews that contains a comment to resolve	0
Number of reviews that requested a change from the author	0
Number of reviews that approved the Pull Request	1
Get the total number of participants of a Pull Request	4

Time related measures

Description	Value
PR lead time (from creation to close of PR)	9 Hours
Time that was spend on the branch before the PR was created	1 Sec
Time that was spend on the branch before the PR was merged	9 Hours
Time to merge after last review	53.9 Min

Status check related measures

Description	Value
Total runtime for last status check run (Workflow for PR)	45.6 Min
Total time spend in last status check run on PR	18.9 Min