chore(deps): bump the dependencies group with 4 updates

.github/linters/trivy.yaml

@@ -0,0 +1,3 @@
+scan:
+  skip-dirs:
+    - .mypy_cache

.github/linters/zizmor.yaml

@@ -0,0 +1,6 @@
+rules:
+  dangerous-triggers: # to allow pull_request_target for auto-labelling fork pull requests
+    ignore:
+      - auto-labeler.yml
+      - pr-title.yml
+      - release.yml

.github/workflows/auto-labeler.yml

@@ -11,7 +11,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
-    uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+    uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
     with:
       config-name: release-drafter.yml
     secrets:

.github/workflows/contributors_report.yaml

@@ -30,7 +30,7 @@ jobs:
           echo "END_DATE=$end_date" >> "$GITHUB_ENV"
 
       - name: Run contributor action
-        uses: github/contributors@69e531b620b7e5b0fad2e9823681607b54db447a
+        uses: github/contributors@ae62be2e3b1a3b2847955ec659d9bb6f88ffe628
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           START_DATE: ${{ env.START_DATE }}

.github/workflows/copilot-setup-steps.yml

@@ -27,6 +27,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/[email protected]

.github/workflows/docker-ci.yml

@@ -15,5 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/[email protected]
+        with:
+          persist-credentials: false
       - name: Build the Docker image
         run: docker build . --file Dockerfile --platform linux/amd64

.github/workflows/pr-title.yml

@@ -12,6 +12,6 @@ jobs:
       contents: read
       pull-requests: read
       statuses: write
-    uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+    uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
     secrets:
       github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/python-ci.yml

@@ -21,6 +21,8 @@ jobs:
         python-version: [3.11, 3.12]
     steps:
       - uses: actions/[email protected]
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/[email protected]
         with:

.github/workflows/release.yml

@@ -12,7 +12,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: read
-    uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+    uses: github/ospo-reusable-workflows/.github/workflows/release.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
     with:
       publish: true
       release-config-name: release-drafter.yml
@@ -25,7 +25,7 @@ jobs:
       packages: write
       id-token: write
       attestations: write
-    uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+    uses: github/ospo-reusable-workflows/.github/workflows/release-image.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
     with:
       image-name: ${{ github.repository }}
       full-tag: ${{ needs.release.outputs.full-tag }}
@@ -40,7 +40,7 @@ jobs:
     permissions:
       contents: read
       discussions: write
-    uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@ebb4e218b75c6043139fd69a4c9bb5a465fb696b
+    uses: github/ospo-reusable-workflows/.github/workflows/release-discussion.yaml@c9afb9b655e0f5d2b3abe9c93cee54fa2992c2e0
     with:
       full-tag: ${{ needs.release.outputs.full-tag }}
       body: ${{ needs.release.outputs.body }}

.github/workflows/scorecard.yml

@@ -42,6 +42,6 @@ jobs:
           path: results.sarif
           retention-days: 5
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.5
+        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5
         with:
           sarif_file: results.sarif

.github/workflows/super-linter.yaml

@@ -21,12 +21,13 @@ jobs:
         uses: actions/[email protected]
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
           pip install -r requirements.txt -r requirements-test.txt
       - name: Lint Code Base
-        uses: super-linter/super-linter@5119dcd8011e92182ce8219d9e9efc82f16fddb6
+        uses: super-linter/super-linter@ffde3b2b33b745cb612d787f669ef9442b1339a6
         env:
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -18,7 +18,17 @@ COPY requirements.txt *.py /action/workspace/
 RUN python3 -m pip install --no-cache-dir -r requirements.txt \
     && apt-get -y update \
     && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \
-    && rm -rf /var/lib/apt/lists/*
+    && rm -rf /var/lib/apt/lists/* \
+    && addgroup --system appuser \
+    && adduser --system --ingroup appuser --home /action/workspace --disabled-login appuser \
+    && chown -R appuser:appuser /action/workspace
+
+# Run the action as a non-root user
+USER appuser
+
+# Add a simple healthcheck to satisfy container scanners
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
+  CMD python3 -c "import os,sys; sys.exit(0 if os.path.exists('/action/workspace/contributors.py') else 1)"
 
 CMD ["/action/workspace/contributors.py"]
 ENTRYPOINT ["python3", "-u"]