chore(deps): update all digest updates

.github/workflows/automerge.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: metadata
-        uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 # v2
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2
 
       - name: log metadata
         run: echo "${DEPENDABOT_METADATA}"

.github/workflows/ci.yml

@@ -73,7 +73,7 @@ jobs:
       - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - id: build-ci
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         with:
           target: ${{ env.ENVIRONMENT }}
           cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
@@ -102,7 +102,7 @@ jobs:
           password: ${{ github.token }}
 
       - if: ${{ github.event_name == 'push' || github.ref_name == github.event.repository.default_branch }}
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         with:
           target: ${{ env.ENVIRONMENT }}
           cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
@@ -113,7 +113,7 @@ jobs:
           ENVIRONMENT: dev
 
       - if: ${{ github.event_name == 'push' || github.ref_name == github.event.repository.default_branch }}
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         with:
           cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
           cache-to: type=registry,ref=${{ env.GHCR_IMAGE_NAME }}:cache,mode=max

.github/workflows/ossf.yml

@@ -41,6 +41,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
-      - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+      - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: results.sarif

.github/workflows/scans.yml

@@ -25,12 +25,12 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-      - uses: bridgecrewio/checkov-action@002cd2e8cc0fe0535e6f364509e091c1a9870efa # master
+      - uses: bridgecrewio/checkov-action@3203f966a7ccd680cd8f6aaa3c3c5b0b3e9afa32 # master
         with:
           soft_fail: ${{ github.event_name != 'pull_request' }}
 
       - if: ${{ success() || failure() }}
-        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: results.sarif
 
@@ -46,7 +46,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - id: build
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         with:
           cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
           load: true
@@ -65,7 +65,7 @@ jobs:
           db-file: matcher.db
 
       - if: ${{ success() || failure() }}
-        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: clair_results.sarif
 
@@ -80,7 +80,7 @@ jobs:
 
       - uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1
 
-      - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+      - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: devskim-results.sarif
 
@@ -111,7 +111,7 @@ jobs:
           GITHUB_TOKEN: ${{ github.token }}
 
       - if: ${{ success() || failure() }}
-        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: results.sarif
 
@@ -133,7 +133,7 @@ jobs:
           only-fixed: true
 
       - if: ${{ success() || failure() }}
-        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: ${{ steps.grype.outputs.sarif }}
 
@@ -149,7 +149,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - id: build
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         with:
           cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
           load: true
@@ -165,7 +165,7 @@ jobs:
           IMAGE_ID: ${{ steps.build.outputs.imageid }}
 
       - if: ${{ success() || failure() }}
-        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: ${{ steps.grype.outputs.sarif }}
 
@@ -192,7 +192,7 @@ jobs:
           bom: true
 
       - if: ${{ success() || failure() }}
-        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: results.sarif
 
@@ -220,13 +220,13 @@ jobs:
           GITHUB_TOKEN: ${{ github.token }}
 
       - if: ${{ success() || failure() }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: megalinter-reports
           path: megalinter-reports
 
       - if: ${{ success() || failure() }}
-        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: megalinter-reports/megalinter-report.sarif
           ref: ${{ github.head_ref && format('refs/heads/{0}', github.head_ref) || github.ref }}
@@ -258,7 +258,7 @@ jobs:
       - uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1
         id: msdo
 
-      - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+      - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: ${{ steps.msdo.outputs.sarifFile }}
 
@@ -306,7 +306,7 @@ jobs:
           only-fixed: true
 
       - if: ${{ success() || failure() }}
-        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: ${{ steps.grype.outputs.sarif }}
 
@@ -337,7 +337,7 @@ jobs:
           scanners: vuln,secret,misconfig
           skip-setup-trivy: true
 
-      - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+      - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: trivy-results.sarif
 
@@ -354,7 +354,7 @@ jobs:
         # required for sarif upload
 
       - id: build
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
         with:
           cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
           load: true
@@ -376,7 +376,7 @@ jobs:
           severity: HIGH,CRITICAL
           skip-setup-trivy: true
 
-      - uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+      - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
         with:
           sarif_file: trivy-results.sarif
 
@@ -404,7 +404,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - id: changed-files
-        uses: step-security/changed-files@60967b822d3001fa82242f8d6b4ed46bc3600a68 # v47
+        uses: step-security/changed-files@2e07db73e5ccdb319b9a6c7766bd46d39d304bad # v47
         with:
           files: "**/*.{cs,java,js,py}"
           separator: ","

Dockerfile

@@ -4,7 +4,7 @@
 ##
 # base
 ##
-FROM debian:stable-slim@sha256:e51bfcd2226c480a5416730e0fa2c40df28b0da5ff562fc465202feeef2f1116 AS base
+FROM debian:stable-slim@sha256:8f0c555de6a2f9c2bda1b170b67479d11f7f5e3b66bb4a7a1d8843361c9dd3ff AS base
 
 # set up user
 ARG USER=user
@@ -33,7 +33,7 @@
 APT::AutoRemove::SuggestsImportant "false";
 EOF
 
 RUN apt-get update && \
   apt-get upgrade --yes && \
   apt-get install --yes --no-install-recommends curl \
   && rm -rf /var/lib/apt/lists/*
@@ -43,7 +43,7 @@
 ##
 FROM base AS dev
 
 RUN apt-get update && \
   apt-get install --yes --no-install-recommends build-essential \
   && rm -rf /var/lib/apt/lists/*
 
@@ -91,7 +91,7 @@
 FROM dev AS compile
 
 USER root
 RUN apt-get update && \
   apt-get install --yes --no-install-recommends \
   binutils \
   patchelf \