ci: bump the github-actions group with 3 updates

[dependabot]

Bumps the github-actions group with 3 updates: actions/setup-go, anchore/sbom-action and securego/gosec.

Updates actions/setup-go from 6.3.0 to 6.4.0

Release notes

Sourced from actions/setup-go's releases.

v6.4.0

What's Changed

Enhancement

• Add go-download-base-url input for custom Go distributions by @​gdams in actions/setup-go#721

Dependency update

• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in actions/setup-go#727

Documentation update

• Rearrange README.md, add advanced-usage.md by @​priyagupta108 in actions/setup-go#724
• Fix Microsoft build of Go link by @​gdams in actions/setup-go#734

New Contributors

• @​gdams made their first contribution in actions/setup-go#721

Full Changelog: actions/setup-go@v6...v6.4.0

Commits

• 4a36011 docs: fix Microsoft build of Go link (#734)
• 8f19afc feat: add go-download-base-url input for custom Go distributions (#721)
• 27fdb26 Bump minimatch from 3.1.2 to 3.1.5 (#727)
• def8c39 Rearrange README.md, add advanced-usage.md (#724)
• See full diff in compare view

Updates anchore/sbom-action from 0.23.1 to 0.24.0

Release notes

Sourced from anchore/sbom-action's releases.

v0.24.0

• chore: update to node 24 + deps (#614) [@​kzantow]
• chore: update to ES modules (#595) [@​kzantow]

⬆️ Dependencies

• chore(deps): update Syft to v1.42.3 (#615) [@anchore-actions-token-generator[bot]]

Commits

• e22c389 chore(deps): update Syft to v1.42.3 (#615)
• 36a5fde chore: update to node 24 + deps (#614)
• a0a6512 chore(deps): bump actions/setup-node from 6.2.0 to 6.3.0 (#608)
• See full diff in compare view

Updates securego/gosec from 2.24.7 to 2.25.0

Release notes

Sourced from securego/gosec's releases.

v2.25.0

Changelog

• 223e19b8856e00f02cc67804499a83f77e208f3c chore(deps): bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#1617)
• b23a9e534822ec656207d6d33116b9c48fcde6c7 fix: allow barry action to access secrets on fork PRs (#1616)
• 355cfa5a43916c57b7727eece120dd54665c1427 fix: reduce G117 false positives for custom marshalers and transformed values (#1614) (#1615)
• 744bfb5ef06e24230087a2470dd1eda8cf5ac48a Add barry security scanner as a step in the CI (#1612)
• 4fde15d2287caa7ba8480e14d3ccd49579d17f42 chore(deps): update all dependencies (#1611)
• dec52c4101b534ac9bc8cf22ac051a65c90d75e0 fix: prevent taint analysis hang on packages with many CHA call graph edges (#1608) (#1610)
• a0de8b6aab054e0fe97bec94d1f5e635dc5dc495 Add some skills for claude code to automate some tasks (#1609)
• c2dfcec7f34bdbb3591c1dccd4aafde1d49c5bd6 Add G701-G706 rule-to-CWE mappings and CWE-117, CWE-918 entries (#1606)
• 8aec3f48a22ee5404185b01ac7667302ba73e51c fix: skip SSA analysis on ill-typed packages to prevent panic (#1607)
• 1ced32df147e2dd7bb9400023c246235bb32be92 Port G120 from SSA-based to taint analysis (fixes #1600, #1603) (#1605)
• befce8de5da965121ad143b3c1eba58b0c3941bb fix(G118): eliminate false positive for package-level cancel variables (#1602)
• b7b2c7b668f3f2bef8a8ae04d72f0eb60492322c feat: add G124 rule for insecure HTTP cookie configuration (#1599)
• 6e66a943db54eb8d235ac766fa2fd414d44e8821 feat: add G709 rule for unsafe deserialization of untrusted data (#1598)
• e7ea2377aa2138d550e6d466ceef7a3164b4d7ea feat: add G708 rule for server-side template injection via text/template (#1597)
• 889546214c90564feb348e14fd1bf526295e0b2d fix(G118): eliminate false positive when cancel is called via struct field in a closure (#1596)
• 619ce2117e086b696f9357dc3422c18c2d0262bf Fix infinite recursion in interprocedural taint analysis (#1594)
• 0e0eb1792f3ced1edfe332daa388f088d4bd2f08 Fix G118 false positive when cancel is stored in returned struct field (#1593)
• 59a9da022f37d928b5c26c2b720e5f43f4a3e9b4 Fix G118 false positive on cancel called inside goroutine closure (#1592)
• cbf46b8771cfe2f02d3f935469c7898198d901f4 fix(analyzer): per-package rule instantiation eliminates concurrent map crash (#1589)
• c6c3ba865980cf3333c8bcaa93b4b9b7a4858bba chore(deps): update all dependencies (#1588)
• c709ed8be30a01d52ef51a099f5da6fc23dd3e31 fix(G118): treat returned cancel func as called (fixes #1584) (#1585)
• fa74dd7069d482a37b1207afbeffbfc7681a47f8 chore(go): update supported Go versions to 1.25.8 and 1.26.1 (#1583)
• cd1f29ec710ed24a305edf5908f52240addb1811 Update the README with the correct version of the Github action for gosec (#1582)
• 5887aee36f8b982ecb71885fde827ec0e84d98a2 chore(deps): update all dependencies (#1579)
• 6641fcf966593bf52ed426aa262839b340d56375 Fix G115 false positives for guarded int64-to-byte conversions (#1578)
• 3c9c3da6924bb1daeea428e28ec9ac5fa5a09c25 Update the container image migration notice (#1576)
• 973e94e8fc181de08ab86b212e6475221e777069 chore(action): bump gosec to 2.24.7 (#1575)

Commits

• 223e19b chore(deps): bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#1617)
• b23a9e5 fix: allow barry action to access secrets on fork PRs (#1616)
• 355cfa5 fix: reduce G117 false positives for custom marshalers and transformed values...
• 744bfb5 Add barry security scanner as a step in the CI (#1612)
• 4fde15d chore(deps): update all dependencies (#1611)
• dec52c4 fix: prevent taint analysis hang on packages with many CHA call graph edges (...
• a0de8b6 Add some skills for claude code to automate some tasks (#1609)
• c2dfcec Add G701-G706 rule-to-CWE mappings and CWE-117, CWE-918 entries (#1606)
• 8aec3f4 fix: skip SSA analysis on ill-typed packages to prevent panic (#1607)
• 1ced32d Port G120 from SSA-based to taint analysis (fixes #1600, #1603) (#1605)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

---

Summary by cubic

Update CI workflows to newer minor versions of actions/setup-go, anchore/sbom-action, and securego/gosec for better reliability and security scanning.

• Dependencies
  • actions/setup-go: 6.3.0 → 6.4.0 — adds custom download URL support and minor fixes.
  • anchore/sbom-action: 0.23.1 → 0.24.0 — updates to Node 24 and bumps Syft to v1.42.3.
  • securego/gosec: 2.24.7 → 2.25.0 — improved analysis and fewer false positives.

^{Written for commit 5ab0d87. Summary will update on new commits.}

[github-actions]

Sensitive Change Detection (shadow mode)

This PR modifies control-plane files:

• .github/workflows/release.yml
• .github/workflows/security.yml
• .github/workflows/test.yml

Shadow mode — this check is informational only. When activated, changes to these paths will require approval from a maintainer.

[cubic-dev-ai]

1 issue found across 3 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/release.yml">

<violation number="1" location=".github/workflows/release.yml:44">
P3: Update the inline version comment to match the v6.4.0 commit hash so the pinned action version is accurately documented.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P3: Update the inline version comment to match the v6.4.0 commit hash so the pinned action version is accurately documented.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/release.yml, line 44:

<comment>Update the inline version comment to match the v6.4.0 commit hash so the pinned action version is accurately documented.</comment>

<file context>
@@ -41,7 +41,7 @@ jobs:
 
       - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.3.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache
         with:
           go-version-file: go.mod
</file context>

Suggested change

	uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.3.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache
	uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache