chore(deps): update github actions

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending
SonarSource/sonarqube-scan-action	action	major	v7.1.0 → v8.0.0	v8.1.0 (+1)
actions/create-github-app-token	action	minor	v3.1.1 → v3.2.0
anthropics/claude-code-action	action	patch	v1.0.93 → v1.0.123	v1.0.133 (+9)
astral-sh/setup-uv	action	minor	v8.0.0 → v8.1.0
github/codeql-action	action	patch	v4.35.1 → v4.35.5	v4.36.0
orhun/git-cliff-action	action	minor	v4.7.1 → v4.8.0
slackapi/slack-github-action	action	patch	v3.0.1 → v3.0.3

---

Release Notes

SonarSource/sonarqube-scan-action (SonarSource/sonarqube-scan-action)

v8.0.0

Compare Source

What's Changed

Breaking change

• SQSCANGHA-145 Set skipSignatureVerification default value to false by @​antoine-vinot-sonarsource in #​241

Full Changelog: SonarSource/sonarqube-scan-action@v7...v8.0.0

v8.0

Compare Source

v8

Compare Source

v7.2.1

Compare Source

What's Changed

• SQSCANGHA-140 Set skipSignatureVerification default value to true to avoid breaking change by @​gmmcal in #​240

Full Changelog: SonarSource/sonarqube-scan-action@v7...v7.2.1

v7.2.0

Compare Source

What's Changed

• SQSCANGHA-133 Upgrade the Node version used in UTs + contribution guide by @​claire-villard-sonarsource in #​226
• SC-45750 Migrate to dateless license headers by @​claire-villard-sonarsource in #​229
• SQSCANGHA-134 Upgrade the libraries to latest version by @​claire-villard-sonarsource in #​227
• SQSCANGHA-138 Update dist and add ci test by @​antoine-vinot-sonarsource in #​233
• SQSCANGHA-140 Add OpenPGP signature verification for scanner downloads by @​claire-villard-sonarsource in #​235

Full Changelog: SonarSource/sonarqube-scan-action@v7...v7.2.0

v7.2

Compare Source

actions/create-github-app-token (actions/create-github-app-token)

v3.2.0

Compare Source

Features

• add support for enterprise-level GitHub Apps (#​263) (952a2a7)
• support full repository names in repositories input (#​372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#​364) (43e5c34)
• validate private-key input (#​376) (f24bbd8)

anthropics/claude-code-action (anthropics/claude-code-action)

v1.0.123

Compare Source

What's Changed

• fix: allow , in branch names by @​bugbubug in #​1310
• fix: dereference symlinks when snapshotting sensitive paths to .claude-pr/ by @​matanbaruch in #​1186
• fix: exclude .claude-pr snapshot from git staging by @​cvan20191 in #​1277
• fix: write execution file when SDK throws by @​Jerry2003826 in #​1255
• fix: handle non-user actors (e.g. Copilot) in permission and actor checks by @​krislavten in #​1144
• chore: bump pinned Bun to 1.3.14 by @​ashwin-ant in #​1312

New Contributors

• @​bugbubug made their first contribution in #​1310
• @​matanbaruch made their first contribution in #​1186
• @​cvan20191 made their first contribution in #​1277
• @​Jerry2003826 made their first contribution in #​1255
• @​krislavten made their first contribution in #​1144

Full Changelog: anthropics/claude-code-action@v1...v1.0.123

v1.0.122

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.122

v1.0.121

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.121

v1.0.120

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.120

v1.0.119

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.119

v1.0.118

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.118

v1.0.117

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.117

v1.0.116

Compare Source

What's Changed

• Update HackerOne links in SECURITY.md by @​OctavianGuzu in #​1268

Full Changelog: anthropics/claude-code-action@v1...v1.0.116

v1.0.115

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.115

v1.0.114

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.114

v1.0.113

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.113

v1.0.112

Compare Source

What's Changed

• fix: make trigger_phrase match case-insensitive by @​JustinBis in #​1279

New Contributors

• @​JustinBis made their first contribution in #​1279

Full Changelog: anthropics/claude-code-action@v1...v1.0.112

v1.0.111

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.111

v1.0.110

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.110

v1.0.109

Compare Source

What's Changed

• docs: pull_request_target guidance and base-action trust model by @​OctavianGuzu in #​1250

Full Changelog: anthropics/claude-code-action@v1...v1.0.109

v1.0.108

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.108

v1.0.107

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.107

v1.0.106

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.106

v1.0.105

Compare Source

What's Changed

• fix: allow + in branch names (generated by Claude Code EnterWorktree) by @​awakia in #​1248

New Contributors

• @​awakia made their first contribution in #​1248

Full Changelog: anthropics/claude-code-action@v1...v1.0.105

v1.0.104

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.104

v1.0.103

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.103

v1.0.102

Compare Source

What's Changed

• chore: bump oven-sh/setup-bun to v2.2.0 (Node.js 24) by @​ashwin-ant in #​1238
• docs: nit updates to security.md by @​OctavianGuzu in #​1240

Full Changelog: anthropics/claude-code-action@v1...v1.0.102

v1.0.101

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.101

v1.0.100

Compare Source

What's Changed

• Upgrade Claude model from opus-4-6 to opus-4-7 by @​ashwin-ant in #​1227
• fix: pass install.sh binary path to Agent SDK after 0.2.113 bump by @​ashwin-ant in #​1235

Full Changelog: anthropics/claude-code-action@v1...v1.0.100

v1.0.99

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.99

v1.0.98

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.98

v1.0.97

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.97

v1.0.96

Compare Source

What's Changed

• fix: handle fork PRs by fetching via refs/pull/N/head by @​stakeswky in #​963

New Contributors

• @​stakeswky made their first contribution in #​963

Full Changelog: anthropics/claude-code-action@v1...v1.0.96

v1.0.95

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.95

v1.0.94

Compare Source

What's Changed

• Prepend system bin dirs to PATH when allowed_non_write_users is set by @​OctavianGuzu in #​1208

Full Changelog: anthropics/claude-code-action@v1...v1.0.94

astral-sh/setup-uv (astral-sh/setup-uv)

v8.1.0: 🌈 New input no-project

Compare Source

Changes

This add the a new boolean input no-project.
It only makes sense to use in combination with activate-environment: true and will append --no project to the uv venv call. This is for example useful if you have a pyproject.toml file with parts unparseable by uv

🚀 Enhancements

• Add input no-project in combination with activate-environment @​eifinger (#​856)

🧰 Maintenance

• fix: grant contents:write to validate-release job @​eifinger (#​860)
• Add a release-gate step to the release workflow @​zanieb (#​859)
• Draft commitish releases @​eifinger (#​858)
• Add action-types.yml to instructions @​eifinger (#​857)
• chore: update known checksums for 0.11.7 @​github-actions[bot] (#​853)
• Refactor version resolving @​eifinger (#​852)
• chore: update known checksums for 0.11.6 @​github-actions[bot] (#​850)
• chore: update known checksums for 0.11.5 @​github-actions[bot] (#​845)
• chore: update known checksums for 0.11.4 @​github-actions[bot] (#​843)
• Add a release workflow @​zanieb (#​839)
• chore: update known checksums for 0.11.3 @​github-actions[bot] (#​836)

📚 Documentation

• Update ignore-nothing-to-cache documentation @​eifinger (#​833)
• Pin setup-uv docs to v8 @​eifinger (#​829)

⬆️ Dependency updates

• chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 @​dependabot[bot] (#​855)

github/codeql-action (github/codeql-action)

v4.35.5

Compare Source

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #​3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #​3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #​3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #​3880

v4.35.4

Compare Source

• Update default CodeQL bundle version to 2.25.4. #​3881

v4.35.3

Compare Source

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #​3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #​3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #​3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #​3852
• Update default CodeQL bundle version to 2.25.3. #​3865

v4.35.2

Compare Source

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #​3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #​3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #​3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #​3807
• Update default CodeQL bundle version to 2.25.2. #​3823

orhun/git-cliff-action (orhun/git-cliff-action)

v4.8.0

Compare Source

[4.8.0] - 2026-04-26

🚀 Features

env

• Improve GitHub Token handling (#​77)

⚙️ Miscellaneous Tasks

sync

• Add automated git-cliff version sync (#​75)

version

• Update git-cliff to 2.13.1 (https://git-cliff.org/blog/2.13.0)

slackapi/slack-github-action (slackapi/slack-github-action)

v3.0.3

Compare Source

v3.0.2: Slack GitHub Action v3.0.2

Compare Source

Patch Changes

• 79529d7: fix: resolve url.parse deprecation warning for webhook techniques

---

Configuration

📅 Schedule: (in timezone Europe/Berlin)

• Branch creation
  • Between 12:00 AM and 05:59 AM (* 0-5 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[helmut-hoffer-von-ankershoffen]

⚠️ Change control gap: This PR was open for 1 day before a Ketryx CR was created.
CR PYSDK-120 has been opened retroactively per CC-SOP-01.

PR title and body updated to add the SOP shield line. Future Renovate PRs in this repo will follow the standard create-CR-first flow (or be brought into compliance at merge time).

---

Posted by Claude claude-opus-4-7 via Claude Code, applying skills cc-sop-01 on behalf of [email protected]

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud