chore(deps): update github-actions

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
cachix/install-nix-action	action	patch	v31.10.5 → v31.10.6
github/codeql-action	action	patch	v4.35.2 → v4.35.4
step-security/harden-runner	action	patch	v2.19.0 → v2.19.1
trufflesecurity/trufflehog	action	patch	v3.95.2 → v3.95.3
useblacksmith/setup-docker-builder (changelog)	action	digest	ac083cc → 722e97d

---

Release Notes

cachix/install-nix-action (cachix/install-nix-action)

v31.10.6

Compare Source

What's Changed

• nix: 2.34.6 -> 2.34.7 by @​github-actions[bot] in #​275
  GHSA-vh5x-56v6-4368: Fixes a coroutine stack-to-heap overflow via unbounded recursion in the NAR directory parser. Severity: High.
  GHSA-gr92-w2r5-qw5p: Fixes an absolute path traversal vulnerability when unpacking archives to disk. Severity: Moderate.

Full Changelog: cachix/install-nix-action@v31...v31.10.6

github/codeql-action (github/codeql-action)

v4.35.4

Compare Source

• Update default CodeQL bundle version to 2.25.4. #​3881

v4.35.3

Compare Source

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #​3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #​3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #​3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #​3852
• Update default CodeQL bundle version to 2.25.3. #​3865

step-security/harden-runner (step-security/harden-runner)

v2.19.1

Compare Source

What's Changed

• fix: detect ubuntu-slim runners early and bail out by @​devantler in #​657

What the fix changes

• Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

• Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
• Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers
If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

• @​devantler made their first contribution in #​657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

trufflesecurity/trufflehog (trufflesecurity/trufflehog)

v3.95.3

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.