miracum · chgl · Nov 3, 2025 · Nov 3, 2025
diff --git a/.github/workflows/build-docs.yaml b/.github/workflows/build-docs.yaml
@@ -24,7 +24,7 @@ jobs:
           persist-credentials: true # required for pushing to gh-pages
       - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
-          python-version: "3.13"
+          python-version: "3.14"
       - run: pip install --require-hashes -r docs/requirements.txt
       - run: mkdocs build --strict --verbose --site-dir=./site
 

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -174,7 +174,7 @@ jobs:
           path: /tmp
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
 
       - name: Sign image
         run: |

diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml
@@ -22,7 +22,7 @@ jobs:
 
       - name: Link Checker
         id: lychee
-        uses: lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2 # v2.6.1
+        uses: lycheeverse/lychee-action@a8c4c7cb88f0c7386610c35eb25108e448569cb0 # v2.7.0
         with:
           args: "--config=.lychee.toml ."
         env:

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -103,7 +103,7 @@ jobs:
       token: ${{ secrets.MIRACUM_BOT_SEMANTIC_RELEASE_TOKEN }}
 
   lint:
-    uses: miracum/.github/.github/workflows/standard-lint.yaml@53643b5d3c785e94d5d6a1c4119a15d4a3970e26 # v1.16.28
+    uses: miracum/.github/.github/workflows/standard-lint.yaml@9e83a2b0b2e5681d913d4decdd18ac4ad6a6091c # v1.18.0
     permissions:
       contents: read
       pull-requests: write

diff --git a/.github/workflows/helm-lint.yaml b/.github/workflows/helm-lint.yaml
@@ -12,7 +12,7 @@ jobs:
   lint:
     name: Lint Helm Chart
     runs-on: ubuntu-24.04
-    container: ghcr.io/chgl/kube-powertools:v2.4.10@sha256:ad9f9de13edc1b0c24b9ae69935833fb1af0b22719e9d7e867cdb0bb987e94f6
+    container: ghcr.io/chgl/kube-powertools:v2.4.21@sha256:4da0e0ec55809c1cfdffb59c6e88cfb163acac9f9bac20a8099774334956ee17
     steps:
       - name: Add workspace as safe directory
         run: |

diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
@@ -16,6 +16,6 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-      - uses: googleapis/release-please-action@c2a5a2bd6a758a0937f1ddb1e8950609867ed15c # v4.3.0
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
         with:
           token: ${{ secrets.MIRACUM_BOT_SEMANTIC_RELEASE_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -37,7 +37,7 @@ jobs:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
 
       - name: Add helm repos and update deps
         run: |
@@ -108,7 +108,7 @@ jobs:
   publish-kyverno-policies:
     name: publish kyverno policies
     runs-on: ubuntu-24.04
-    container: ghcr.io/chgl/kube-powertools:v2.4.10@sha256:ad9f9de13edc1b0c24b9ae69935833fb1af0b22719e9d7e867cdb0bb987e94f6
+    container: ghcr.io/chgl/kube-powertools:v2.4.21@sha256:4da0e0ec55809c1cfdffb59c6e88cfb163acac9f9bac20a8099774334956ee17
     continue-on-error: true
     steps:
       - name: Checkout
@@ -171,7 +171,7 @@ jobs:
           echo "hashes=$(base64 -w0 < checksums.sha256)" >> "$GITHUB_OUTPUT"
 
       - name: upload assets to release
-        uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2.3.3
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
         with:
           files: |
             dist/*.tgz

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -68,6 +68,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        uses: github/codeql-action/upload-sarif@5d5cd550d3e189c569da8f16ea8de2d821c9bf7a # v3.31.2
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/validate-fhir-resources.yaml b/.github/workflows/validate-fhir-resources.yaml
@@ -13,7 +13,7 @@ jobs:
   validate-fhir-resource:
     name: Validate FHIR resources
     runs-on: ubuntu-24.04
-    container: ghcr.io/miracum/ig-build-tools:v2.2.16@sha256:3f8968c834d309dd3d144d83ef891c0015c86213625bf648fa0c8f0ce9f1b5ce
+    container: ghcr.io/miracum/ig-build-tools:v2.2.20@sha256:da5eef6ee0404adc95f2c625b2e31f32c6a907c186a766e0620e937c94de9749
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0