From 768857f141c849c13a189f59043f56c736825d07 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 4 May 2026 13:00:56 +0000
Subject: [PATCH] ci(deps): bump the github-actions group with 2 updates
Bumps the github-actions group with 2 updates: [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) and [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action).
Updates `trufflesecurity/trufflehog` from 3.94.3 to 3.95.2
- [Release notes](https://github.com/trufflesecurity/trufflehog/releases)
- [Commits](https://github.com/trufflesecurity/trufflehog/compare/47e7b7cd74f578e1e3145d48f669f22fd1330ca6...17456f8c7d042d8c82c9a8ca9e937231f9f42e26)
Updates `aquasecurity/trivy-action` from 0.35.0 to 0.36.0
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](https://github.com/aquasecurity/trivy-action/compare/57a97c7e7821a5776cebc9bb87c984fa69cba8f1...ed142fd0673e97e23eac54620cfb913e5ce36c25)
---
updated-dependencies:
- dependency-name: trufflesecurity/trufflehog dependency-version: 3.95.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions
- dependency-name: aquasecurity/trivy-action dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/ci-guardrails.yml | 2 +-
 .github/workflows/ci.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci-guardrails.yml b/.github/workflows/ci-guardrails.yml
index 62c7d28..2c7bf78 100644
--- a/.github/workflows/ci-guardrails.yml
+++ b/.github/workflows/ci-guardrails.yml
@@ -117,7 +117,7 @@ jobs:
 echo "trufflehog=${trufflehog}" >> "$GITHUB_OUTPUT"
 - name: Run TruffleHog
- uses: trufflesecurity/trufflehog@47e7b7cd74f578e1e3145d48f669f22fd1330ca6 # v3.94.3
+ uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26 # v3.95.2
 with:
 extra_args: --results=verified,unknown
 version: ${{ steps.versions.outputs.trufflehog }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index de41681..b15207a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -68,7 +68,7 @@ jobs:
 # Scanning the SBOM is strictly more accurate than Trivy's own filesystem
 # heuristics, and the SBOM only exists after the build completes.
 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
 with:
 scan-type: sbom
 scan-ref: target/bom_all.json
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 913011f..bdf2f38 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -73,7 +73,7 @@ jobs:
 run: ./mvnw -B -ntp -P integration-tests,generate-sbom,release -Dsigstore.skip=false -Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore.json clean deploy
 - name: Scan SBOM for vulnerabilities
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
 with:
 scan-type: sbom
 scan-ref: target/bom_all.json