chore(deps): update github actions

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
docker/build-push-action (changelog)	action	digest	bcafcac → f9f3042
docker/login-action	action	minor	v4.1.0 → v4.2.0
docker/metadata-action	action	minor	v6.0.0 → v6.1.0
docker/setup-buildx-action	action	minor	v4.0.0 → v4.1.0
docker/setup-qemu-action (changelog)	action	digest	ce36039 → 0611638
step-security/harden-runner	action	patch	v2.19.0 → v2.19.4

---

Release Notes

docker/login-action (docker/login-action)

v4.2.0

Compare Source

• Bump @​actions/core from 3.0.0 to 3.0.1 in #​976
• Bump @​aws-sdk/client-ecr and @​aws-sdk/client-ecr-public to 3.1050.0 in #​960
• Bump @​docker/actions-toolkit from 0.86.0 to 0.90.0 in #​970
• Bump brace-expansion from 2.0.1 to 5.0.6 in #​993
• Bump fast-xml-builder from 1.1.4 to 1.2.0 in #​985
• Bump fast-xml-parser from 5.3.6 to 5.8.0 in #​963
• Bump http-proxy-agent and https-proxy-agent to 9.0.0 in #​961
• Bump postcss from 8.5.6 to 8.5.10 in #​979
• Bump tar from 6.2.1 to 7.5.15 in #​991
• Bump vite from 7.3.1 to 7.3.3 in #​986

Full Changelog: docker/login-action@v4.1.0...v4.2.0

docker/metadata-action (docker/metadata-action)

v6.1.0

Compare Source

• Bump @​docker/actions-toolkit from 0.79.0 to 0.90.0 in #​613
• Bump brace-expansion from 1.1.12 to 5.0.6 in #​658 #​630
• Bump csv-parse from 6.1.0 to 6.2.1 in #​617
• Bump fast-xml-parser from 5.4.2 to 5.8.0 in #​620
• Bump flatted from 3.3.3 to 3.4.2 in #​623
• Bump glob from 10.3.15 to 10.5.0 in #​621
• Bump handlebars from 4.7.8 to 4.7.9 in #​629
• Bump lodash from 4.17.23 to 4.18.1 in #​639
• Bump moment-timezone from 0.6.0 to 0.6.1 in #​619
• Bump picomatch from 4.0.3 to 4.0.4 in #​626
• Bump postcss from 8.5.6 to 8.5.10 in #​649
• Bump tar from 6.2.1 to 7.5.15 in #​657
• Bump undici from 6.23.0 to 6.25.0 in #​614
• Bump vite from 7.3.1 to 7.3.2 in #​637

Full Changelog: docker/metadata-action@v6.0.0...v6.1.0

docker/setup-buildx-action (docker/setup-buildx-action)

v4.1.0

Compare Source

• Bump @​docker/actions-toolkit from 0.79.0 to 0.90.0 in #​489
• Bump brace-expansion from 1.1.12 to 5.0.6 in #​547 #​508
• Bump fast-xml-builder from 1.0.0 to 1.2.0 in #​540
• Bump fast-xml-parser from 5.4.2 to 5.8.0 in #​496
• Bump flatted from 3.3.3 to 3.4.2 in #​499
• Bump glob from 10.3.12 to 13.0.6 in #​495
• Bump handlebars from 4.7.8 to 4.7.9 in #​504
• Bump lodash from 4.17.23 to 4.18.1 in #​523
• Bump picomatch from 4.0.3 to 4.0.4 in #​503
• Bump postcss from 8.5.6 to 8.5.10 in #​537
• Bump tar from 6.2.1 to 7.5.15 in #​545
• Bump undici from 6.23.0 to 6.25.0 in #​492
• Bump vite from 7.3.1 to 7.3.2 in #​520

Full Changelog: docker/setup-buildx-action@v4.0.0...v4.1.0

step-security/harden-runner (step-security/harden-runner)

v2.19.4

Compare Source

What's Changed

• Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

Compare Source

What's Changed

• Default to audit mode when api-key missing with use-policy-store by @​varunsh-coder in #​665

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

Compare Source

What's Changed

• Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

Compare Source

What's Changed

• fix: detect ubuntu-slim runners early and bail out by @​devantler in #​657

What the fix changes

• Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

• Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
• Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers
If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

• @​devantler made their first contribution in #​657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

---

Configuration

📅 Schedule: (in timezone America/Argentina/Buenos_Aires)

• Branch creation
  • "before 9am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.