chore(deps): update all-ci-dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	patch	v5.0.0 → v5.0.1
actions/setup-go	action	minor	v5.5.0 → v5.6.0
aquasecurity/trivy-action	action	minor	0.32.0 → 0.33.1
codecov/codecov-action	action	minor	v5.4.3 → v5.5.2
grafana (source)		minor	9.3.2 → 9.4.5
kube-prometheus-stack (source)		minor	76.4.0 → 76.5.1
loki (source)		minor	6.36.1 → 6.49.0
mimir-distributed (source)		minor	5.7.0 → 5.8.0
pyroscope (source)		minor	1.14.1 → 1.17.0
securego/gosec	action	patch	v2.22.8 → v2.22.11
sigstore/cosign-installer	action	minor	v3.9.2 → v3.10.1
tempo-distributed (source)		minor	1.46.4 → 1.60.0

---

Release Notes

actions/checkout (actions/checkout)

v5.0.1

Compare Source

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in #​2301

Full Changelog: actions/checkout@v5...v5.0.1

actions/setup-go (actions/setup-go)

v5.6.0

Compare Source

What's Changed

• Fall back to downloading from go.dev/dl instead of storage.googleapis.com/golang by @​aparnajyothi-y in #​689

Full Changelog: actions/setup-go@v5...v5.6.0

aquasecurity/trivy-action (aquasecurity/trivy-action)

v0.33.1

Compare Source

What's Changed

• Update setup-trivy action to version v0.2.4 by @​martincostello in #​486

Full Changelog: aquasecurity/trivy-action@0.33.0...0.33.1

v0.33.0

Compare Source

What's Changed

• Update dependencies in README by @​ibakshay in #​378
• doc: correct sbom fs scan by @​yxtay in #​458
• Pin actions/cache by SHA by @​martincostello in #​480
• chore(ci): Add oras to correctly setup sync jobs by @​simar7 in #​482
• chore(deps): Update trivy to v0.65.0 by @​aqua-bot in #​481

New Contributors

• @​ibakshay made their first contribution in #​378
• @​yxtay made their first contribution in #​458
• @​martincostello made their first contribution in #​480

Full Changelog: aquasecurity/trivy-action@0.32.0...0.33.0

codecov/codecov-action (codecov/codecov-action)

v5.5.2

Compare Source

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

Compare Source

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in #​1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in #​1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in #​1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in #​1872
• docs: fix typo in README by @​datalater in #​1866
• Document a codecov-cli version reference example by @​webknjaz in #​1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in #​1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in #​1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

Compare Source

What's Changed

• feat: upgrade wrapper to 0.2.4 by @​jviall in #​1864
• Pin actions/github-script by Git SHA by @​martincostello in #​1859
• fix: check reqs exist by @​joseph-sentry in #​1835
• fix: Typo in README by @​spalmurray in #​1838
• docs: Refine OIDC docs by @​spalmurray in #​1837
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @​app/dependabot in #​1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

grafana/helm-charts (grafana)

v9.4.5

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] Fix typo in comment by @​ggabijaa in #​3901

New Contributors

• @​ggabijaa made their first contribution in #​3901

Full Changelog: grafana/helm-charts@tempo-distributed-1.47.2...grafana-9.4.5

v9.4.4

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] Add missing attribute for GOMEMLIMIT field reference by @​cbcoutinho in #​3884

Full Changelog: grafana/helm-charts@rollout-operator-0.33.0...grafana-9.4.4

v9.4.3

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] upgrade kiwigrid/k8s-sidecar to 1.30.10 by @​DrFaust92 in #​3879

Full Changelog: grafana/helm-charts@tempo-distributed-1.47.1...grafana-9.4.3

v9.4.2

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] - bump to version 12.1.1 by @​cizara in #​3878

New Contributors

• @​cizara made their first contribution in #​3878

Full Changelog: grafana/helm-charts@grafana-9.4.1...grafana-9.4.2

v9.4.1

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] fix print statefulset pvc claim accessmode as list by @​LarsStegman in #​3823

Full Changelog: grafana/helm-charts@grafana-9.4.0...grafana-9.4.1

v9.4.0

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] Set GOMEMLIMIT environment variable based on container resources by @​jnoordsij in #​3138

New Contributors

• @​jnoordsij made their first contribution in #​3138

Full Changelog: grafana/helm-charts@grafana-mcp-0.1.2...grafana-9.4.0

v9.3.6

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] fix:remove double quotes from NAMESPACE values in sidecar alerts by @​Peter-YoungUk in #​3871

New Contributors

• @​Peter-YoungUk made their first contribution in #​3871

Full Changelog: grafana/helm-charts@alloy-operator-0.3.9...grafana-9.3.6

v9.3.5

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] add support for envValueFrom in sidecar.alerts both initContainer and watch container by @​peter-kyu in #​3739

New Contributors

• @​peter-kyu made their first contribution in #​3739

Full Changelog: grafana/helm-charts@grafana-9.3.4...grafana-9.3.5

v9.3.4

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] switch targetport from number to port name by @​KyriosGN0 in #​3849

Full Changelog: grafana/helm-charts@grafana-9.3.3...grafana-9.3.4

v9.3.3

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] Update _pod.tpl to override container name by @​brianjacksondev in #​3864

New Contributors

• @​brianjacksondev made their first contribution in #​3864

Full Changelog: grafana/helm-charts@helm-loki-6.37.0...grafana-9.3.3

prometheus-community/helm-charts (kube-prometheus-stack)

v76.5.1

Compare Source

kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.

What's Changed

• [kube-prometheus-stack] Update kube-prometheus-stack dependency non-major updates by @​renovate[bot] in #​6080

Full Changelog: prometheus-community/helm-charts@prometheus-ipmi-exporter-0.6.3...kube-prometheus-stack-76.5.1

v76.5.0

Compare Source

kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.

What's Changed

• [kube-prometheus-stack] Update https://github.com/etcd-io/etcd digest to e5654af by @​renovate[bot] in #​6079

Full Changelog: prometheus-community/helm-charts@prometheus-27.32.0...kube-prometheus-stack-76.5.0

v76.4.1

Compare Source

kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.

What's Changed

• [kube-prometheus-stack] Update kube-prometheus-stack dependency non-major updates by @​renovate[bot] in #​6070

Full Changelog: prometheus-community/helm-charts@alertmanager-1.25.0...kube-prometheus-stack-76.4.1

securego/gosec (securego/gosec)

v2.22.11

Compare Source

Changelog

• 424fc4c feature: add rule for trojan source (#​1431)
• aa2e2fb feat(ai): add OpenAI and custom API provider support (#​1424)
• b6eea26 chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 (#​1437)
• 41f28e2 chore(deps): update module google.golang.org/genai to v1.37.0 (#​1435)
• daccba6 refactor: simplify report functions in main.go (#​1434)
• d4be287 Update go to 1.25.5 and 1.24.11 in CI (#​1433)
• fde7515 chore(deps): update all dependencies (#​1425)
• 20c9506 feat(ai): add support for latest Claude models and update provider flags (#​1423)
• bd9e372 Bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#​1427)
• 7aa7e93 chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (#​1428)
• a58917f fix: correct schema with temporary placeholder (#​1418)
• 8b0d0b8 perf: skip SSA analysis if no analyzers are loaded (#​1419)
• 8a5d01a test: add sarif validation (#​1417)
• a8fefd1 chore(deps): update all dependencies (#​1421)
• c34cbbf Update go to version 1.25.4 and 1.24.10 in CI (#​1415)
• 10cf58a fix: build tag parsing. (#​1413)
• d2d7348 chore(deps): update all dependencies (#​1411)
• afa853e chore(deps): update all dependencies (#​1409)
• 6b2e6e4 chore(deps): update all dependencies (#​1408)
• 0adab9d Update gosec to version v2.22.10 in the github action (#​1405)

v2.22.10

Compare Source

Changelog

• 6be2b51 Update go to version 1.25.3 and 1.24.9 in CI (#​1404)
• fddb942 chore(deps): update all dependencies (#​1402)
• f676031 Update go to version 1.25.2 and 2.24.8 in CI (#​1401)
• 35f7ec2 chore(deps): update all dependencies (#​1399)
• 01029f0 check nil slices, partially check bounds (#​1396)
• 34db3de Remove unused target from the makefile
• f5a3b7a Use the ginkgo command install by the dependencies
• 761fcbc Keep the go module at 1.24 version for compatibility reasons
• 2238079 Remove manual test deps
• bb08aa3 fix: text must be supplied when markdown is used
• 23597d2 fix: improve error message of CheckAnalyzers
• 8d7e9d5 fix: log panic on SSA
• 0d8255e chore(deps): update all dependencies
• f9c52aa Update gosec to version v.22.9 in the github action

v2.22.9

Compare Source

Changelog

• 15d5c61 Update cosign to v2.6.0 and go in the CI to latest version
• 7b8713e fix(autofix): unnecessary conversion
• 64ebfc0 feat(autofix): update gemini sdk and add anthropic claude
• 506407e feat(G304): add os.Root remediation hint (Autofix) when Go >= 1.24
• 3ead143 chore(deps): update all dependencies
• e81fba3 refactor(G304): remove unused trackJoin helper; no functional change
• ab078db style: gofmt rules/readfile.go
• e6218c8 test(g304): add samples for var perm and var flag with cleaned path\n\n- Ensure G304 does not fire when only non-path args (flag/perm) are variables\n- Both samples use filepath.Clean on the path arg\n- Rules suite remains green (42 passed)
• 79f835d rules(G304): analyze only path arg; ignore flag/perm vars; track Clean and safe Join; fix nil-context panic\n\n- Limit G304 checks to first arg (path) for os.Open/OpenFile/ReadFile, avoiding false positives when flag/perm are variables\n- Track filepath.Clean so cleaned identifiers are treated as safe\n- Consider safe joins: filepath.Join(const|resolvedBase, Clean(var)|cleanedIdent)\n- Record Join(...) assigned to identifiers and allow if later cleaned\n- Fix panic by passing non-nil context in trackJoinAssignStmt\n- All rules tests: 42 passed
• 40ac530 rules(G202): detect SQL concat in ValueSpec declarations; add test sample\n\n- Handle var query string = 'SELECT ...' + user style declarations\n- Reuse existing binary expr detection on ValueSpec.Values\n- Add postgres sample mirroring issue #​1309 report\n- Rules tests: 42 passed
• 4be6b11 chore(deps): update all dependencies
• 5af1117 chore(deps): update all dependencies
• 287b46c chore(deps): update all dependencies
• cee0aea Update gosec version to v2.22.8 in the Github action

sigstore/cosign-installer (sigstore/cosign-installer)

v3.10.1

Compare Source

What's Changed?

Note: cosign-installer v3.x cannot be used to install Cosign v3.x. You must upgrade to cosign-installer v4 in order to use Cosign v3.

Note: This is planned to be the final release of Cosign v2, though we will cut new releases for any critical security or bug fixes. We recommend transitioning to Cosign v3.

• Bump default Cosign to v2.6.1 (#​203)

v3.10.0

Compare Source

What's Changed

• Bump default Cosign to v2.6.0 in #​200

Full Changelog: sigstore/cosign-installer@v3.9.2...v3.10.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
see 12 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.