chore(deps): update bfra-me/.github to v4.14.2

[fro-bot]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
bfra-me/.github	action	minor	v4.13.6 → v4.14.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

bfra-me/.github (bfra-me/.github)

v4.14.2

Compare Source

Patch Changes

• Fix self-checkout in reusable workflows: use GITHUB_WORKFLOW_REF to resolve the correct ref instead of github.workflow_sha, which resolves to the caller's SHA during workflow_call. (#​1897)

v4.14.1

Compare Source

Patch Changes

• Pass GitHub App token to self-checkout steps in reusable workflows for cross-repo access when called via workflow_call. (#​1893)

v4.14.0

Compare Source

Minor Changes

• Replace hardcoded SHA pins for internal actions in reusable workflows with self-checkout at github.workflow_sha. Actions now always match the workflow version — no timing gap, no recursive release cycle, no separate "update internal action SHA pins" automation needed for action packages. (#​1889)

v4.13.9

Compare Source

Patch Changes

• ⚙️ Update GitHub Actions workflow dependency bfra-me/renovate-action from 9.12.0 to 9.13.0 (#​1878)

• 📦 Group update for dependencies dependencies: Node.js, node (#​1882)

• ⚙️ Update GitHub Actions workflow dependency bfra-me/renovate-action from 9.13.0 to 9.14.0 (#​1880)

• ⚙️ Update GitHub Actions workflow dependency fro-bot/agent from v0.32.0 to v0.32.1 (#​1883)

v4.13.8

Compare Source

Patch Changes

• ⚠️ Update GitHub Actions workflow dependency fro-bot/agent from v0.31.2 to v0.32.0 (#​1872)

• ⚙️ Update GitHub Actions workflow dependency bfra-me/renovate-action from 9.10.1 to 9.11.0 (#​1874)

• ⚙️ Update GitHub Actions workflow dependency bfra-me/renovate-action from 9.11.0 to 9.12.0 (#​1875)

v4.13.7

Compare Source

Patch Changes

• Force flatted to 3.4.2 to fix prototype pollution vulnerability (CVE-2026-33228) (#​1859)

  This addresses a HIGH severity security vulnerability in flatted <=3.4.1
  discovered via Dependabot alert #​39. The vulnerability allows prototype
  pollution via the parse() function in NodeJS.

  Since flatted is a transitive dependency of eslint via flat-cache and
  file-entry-cache, we add a pnpm override to ensure the patched version
  is used throughout the dependency tree.

• ⚙️ Update GitHub Actions workflow dependency bfra-me/renovate-action from 9.10.0 to 9.10.1 (#​1868)

• ⚙️ Update GitHub Actions workflow dependency fro-bot/agent from v0.31.1 to v0.31.2 (#​1863)

• 📦 Update npm dependency eslint from 10.0.3 to 10.1.0 (#​1869)

• 📦 Update npm dependency pnpm (#​1867)

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/Phoenix, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.