chore(deps): Update GitHub Actions#53

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/github-actions
Jun 14, 2026

Conversation

@renovate renovate Bot commented Jun 14, 2026

Contributor

This PR contains the following updates:

Package          Type       Update   Change
arillso/.github  action     patch    2026-06-02 → 2026-06-12
python           uses-with  patch    3.14.5 → 3.14.6

Release Notes

arillso/.github (arillso/.github)

v2026-06-12

Compare Source

Added
  • templates/workflows/pull-request.yml: New event-focused PR template
    (name: Pull Request) combining Go CI, lint, CodeQL (via security-code.yml),
    and Claude review (via ai-claude-review.yml) as jobs — replaces ci.yml +
    codeql.yml
  • templates/workflows/nightly-security.yml: New scheduled security template
    (name: Nightly Security Scan) running CodeQL, secret, dependency, and Trivy
    scans
Changed
  • templates/workflows/: Migrate the workflow templates from the deprecated
    file-centric layout (ci.yml/codeql.yml/deploy.yml) to the event-focused
    layout (pull-request.yml/nightly-security.yml/tag.yml). deploy.yml
    renamed to tag.yml (name: Container Release) with a run-name: added;
    content otherwise unchanged
  • AGENTS.md: Update the consumer usage example to the event-focused
    pull-request.yml layout and a valid reusable (ci-go.yml/ci-lint.yml,
    not the non-existent ci-go-action.yml)
  • README.md / SUPPORT.md / CONTRIBUTING.md: Repoint standards references from
    the removed STANDARDS.md to AGENTS.md and templates/
Removed
  • STANDARDS.md: Removed. It mandated the deprecated file-centric workflow
    layout and duplicated conventions; the Ansible-specific standards it held are
    now tracked in the organization knowledge base, and reusable-workflow
    conventions live in AGENTS.md + templates/

  • templates/workflows/ci.yml, codeql.yml, deploy.yml: Removed in favor of the
    event-focused templates above

  • security-secrets.yml: Add cancel-in-progress and concurrency-suffix
    inputs with a static security-secrets- concurrency group (a bare
    github.workflow/github.ref group collides across reusables called by the
    same caller, since that context resolves to the caller inside workflow_call)

    • Update trufflesecurity/trufflehog from v3.94.0 to v3.95.5
    • Update actions/checkout from v6.0.2 to v6.0.3
  • ci-go.yml: Add go mod verify, go vet, gofmt -s -l format check
    (scoped to first-party package dirs via go list ./... so vendor/ and
    generated code don't trip the gate), and staticcheck (new
    enable_staticcheck input, default true); upload an HTML coverage report
    artifact

    • Add cancel-in-progress and concurrency-suffix inputs with a static
      ci-go- concurrency group (see security-secrets note above)
  • renovate-base.json: Throttle prHourlyLimit from 0 (unlimited) to 4;
    enable osvVulnerabilityAlerts; treat pre-1.0 minor bumps as breaking
    (matchUpdateTypes: ["major", "minor"])

  • renovate-go.json: Split the google.golang.org group into a "Kubernetes
    packages" group (k8s.io/* + sigs.k8s.io/*, co-versioned, with
    separateMultipleMajor: false so their majors share one PR) and a "Go platform
    packages" group (gRPC, Prometheus, google.golang.org, majors kept separate)

Fixed
  • renovate-base.json: Stop digest-pinning dependencies that cannot carry a
    digest. The base preset forces pinDigests: true on all github-actions
    deps (reinforced by config:best-practices), which aborted entire Renovate
    branches with "Digest is not updated" for two dependency shapes. Two targeted
    packageRules now set pinDigests: false: release binaries installed via
    helper actions (uses-with inputs with the github-releases datasource —
    gitleaks, trivy, golangci-lint — pinned by release tag, not digest) and the
    kubesec/kubesec docker image referenced as a bare version string. These
    deps keep updating by tag/version; only the impossible digest pin is dropped
Dependencies
  • GitHub Actions (Renovate batch): SHA-pinned action references updated
    • actions/checkout v6.0.2 → v6.0.3
    • actions/setup-go v6.3.0 → v6.4.0
    • actions/upload-artifact v7.0.0 → v7.0.1
    • github/codeql-action v4.35.5 → v4.36.2
    • aquasecurity/trivy-action v0.35.0 → v0.36.0
    • trufflesecurity/trufflehog v3.94.0 → v3.95.5
    • snok/container-retention-policy v3.0.1 → v3.1.0
    • anthropics/claude-code-action v1.0.127 → v1.0.142
    • Digest-only refreshes for golangci/golangci-lint-action (v9),
      reviewdog/action-actionlint (v1), DavidAnson/markdownlint-cli2-action
      (v23), docker/setup-buildx-action (v4), docker/build-push-action (v7)
  • security-config.yml: Bump ansible 13.7.0 → 14.0.0 and pinned
    python-version 3.12 → 3.14.5 (the Trivy IaC Ansible security pass)

actions/python-versions (python)

v3.14.6: 3.14.6

Compare Source

Python 3.14.6


Configuration

📅 Schedule: (in timezone Europe/Zurich)

  • Branch creation
    • "before 6am"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
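The concurrency note in the release notes above (for security-secrets.yml and ci-go.yml) is worth seeing as config. The following is an added illustration, not code from this PR or from the arillso/.github repository: the caller layout, the `uses:` paths, and the exact wiring of the `cancel-in-progress` and `concurrency-suffix` inputs are assumptions; only the input names and the `security-secrets-` / `ci-go-` prefixes come from the changelog.

```yaml
# Added illustration (assumed shapes, not arillso/.github's own files).
# Three YAML documents: the caller, the colliding reusable, the fixed reusable.

# --- Caller: .github/workflows/pull-request.yml (assumed) ---
name: Pull Request
on:
  pull_request:
jobs:
  secrets:
    uses: arillso/.github/.github/workflows/security-secrets.yml@main   # path assumed
  go:
    uses: arillso/.github/.github/workflows/ci-go.yml@main              # path assumed
---
# --- Reusable, BEFORE (colliding) ---
# Inside a workflow_call run, github.workflow and github.ref resolve to the
# CALLER's values. Both reusables above therefore compute the same group,
# e.g. "Pull Request-refs/pull/53/merge", and with cancel-in-progress the
# secrets scan and the Go CI job cancel each other.
on:
  workflow_call:
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
---
# --- Reusable, AFTER (static prefix + optional suffix; input wiring assumed) ---
on:
  workflow_call:
    inputs:
      cancel-in-progress:
        type: boolean
        default: true
      concurrency-suffix:
        type: string
        default: ""
concurrency:
  # "security-secrets-" is fixed inside this reusable, so the group can no
  # longer equal the "ci-go-..." group even though github.ref is still the
  # caller's ref. The suffix lets a caller that invokes this reusable more
  # than once (for example per matrix leg) keep those runs apart as well.
  group: security-secrets-${{ inputs.concurrency-suffix }}${{ github.ref }}
  cancel-in-progress: ${{ inputs.cancel-in-progress }}
```

The practical risk of the "before" form is that a cancelled run reports as cancelled rather than failed, so unless the secrets-scan check is required by branch protection, a collision that skips the scan is easy to miss in the PR checks list.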

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jun 14, 2026
@renovate renovate Bot merged commit bc74935 into main Jun 14, 2026
3 checks passed
@renovate renovate Bot deleted the renovate/github-actions branch June 14, 2026 05:15