chore(deps): bump the github-actions-minor-and-patch group across 1 directory with 4 updates

.github/workflows/attest.yml

@@ -48,7 +48,7 @@ jobs:
     steps:
       - name: "Checkout tagged source"
         # actions/checkout v6
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
         with:
           # Attest only stable tags. Manual dispatches must supply the exact tag.
           ref: "${{ github.event_name == 'workflow_dispatch' && inputs.release_tag || github.ref_name }}"

.github/workflows/benchmark-smoke.yml

@@ -41,7 +41,7 @@ jobs:
     steps:
       - name: "Checkout repository"
         # actions/checkout v6
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
         with:
           fetch-depth: 0
           persist-credentials: false

.github/workflows/ci.yml

@@ -68,7 +68,7 @@ jobs:
     steps:
       - name: "Checkout repository"
         # actions/checkout v6
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
         with:
           # Full history is not strictly required for plain tests, but keeping
           # checkout behavior consistent across workflows helps avoid edge cases
@@ -106,7 +106,7 @@ jobs:
     steps:
       - name: "Checkout repository"
         # actions/checkout v6
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
         with:
           fetch-depth: 0
           persist-credentials: false

.github/workflows/commit-lint.yml

@@ -55,7 +55,7 @@ jobs:
     steps:
       - name: "Checkout repository"
         # actions/checkout v6
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
         with:
           # commit range validation requires real history.
           fetch-depth: 0

.github/workflows/dependency-review.yml

@@ -46,7 +46,7 @@ jobs:
     steps:
       - name: "Checkout repository"
         # actions/checkout v6
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
         with:
           persist-credentials: false
 

.github/workflows/docs-smoke.yml

@@ -56,7 +56,7 @@ jobs:
     steps:
       - name: "Checkout repository"
         # actions/checkout v6
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
         with:
           # Full history is unnecessary here because the docs smoke script only
           # inspects the checked-out tree, not branch history or diff state.

.github/workflows/fuzz.yml

@@ -35,7 +35,7 @@ jobs:
     steps:
       - name: "Checkout repository"
         # actions/checkout v6
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
         with:
           fetch-depth: 1
           persist-credentials: false

.github/workflows/govulncheck.yml

@@ -44,7 +44,7 @@ jobs:
     steps:
       - name: "Checkout repository"
         # actions/checkout v6
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
         with:
           # Full history is not strictly required by govulncheck itself, but it
           # keeps repository state consistent across push / PR jobs

.github/workflows/lint.yml

@@ -47,7 +47,7 @@ jobs:
     steps:
       - name: "Checkout repository"
         # actions/checkout v6
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
         with:
           # Full history is not strictly required for ordinary linting, but it is
           # useful for merge-group scenarios and keeps diff-based issue filtering
@@ -76,7 +76,7 @@ jobs:
 
       - name: "Run golangci-lint"
         # golangci/golangci-lint-action v9
-        uses: "golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20"
+        uses: "golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee"
         with:
           # Match the current repository lint configuration baseline.
           #

.github/workflows/release.yml

@@ -51,7 +51,7 @@ jobs:
     steps:
       - name: "Checkout stable tag source"
         # actions/checkout v6
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
         with:
           # Stable releases are published from an existing SemVer tag, not from
           # branch pushes. For manual dispatches, the caller must provide the
@@ -122,7 +122,7 @@ jobs:
     steps:
       - name: "Checkout repository"
         # actions/checkout v6
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
         with:
           # `gh release create --verify-tag` shells out to git and expects a
           # real repository checkout with full history and tags.

.github/workflows/scorecards.yml

@@ -77,13 +77,13 @@ jobs:
       # restrictions and adds useful visibility into outbound network behavior.
       - name: "Harden runner"
         # step-security/harden-runner v2
-        uses: "step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40"
+        uses: "step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411"
         with:
           egress-policy: "audit"
 
       - name: "Checkout repository"
         # actions/checkout v6
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
         with:
           # Full history improves the quality of some repository checks and keeps
           # the action closer to the official examples.
@@ -110,7 +110,7 @@ jobs:
 
       - name: "Upload SARIF to GitHub code scanning"
         # github/codeql-action/upload-sarif v4
-        uses: "github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225"
+        uses: "github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e"
         with:
           sarif_file: "results.sarif"
 

.github/workflows/security-codeql.yml

@@ -61,7 +61,7 @@ jobs:
     steps:
       - name: "Checkout repository"
         # actions/checkout v6
-        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
+        uses: "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10"
         with:
           persist-credentials: false
 
@@ -80,7 +80,7 @@ jobs:
       #   right default until proven otherwise.
       - name: "Initialize CodeQL"
         # github/codeql-action/init v4
-        uses: "github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225"
+        uses: "github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e"
         with:
           languages: "${{ matrix.language }}"
           build-mode: "autobuild"
@@ -98,6 +98,6 @@ jobs:
 
       - name: "Perform CodeQL analysis"
         # github/codeql-action/analyze v4
-        uses: "github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225"
+        uses: "github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e"
         with:
           category: "/language:${{ matrix.language }}"