ci(deps): bump the production-dependencies group with 3 updates

.github/workflows/ci.yml

@@ -69,7 +69,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@v4.36.2
         with:
           # Scan both the Python backend and the Next.js frontend.
           # `security-extended` adds queries beyond the default
@@ -79,7 +79,7 @@ jobs:
           languages: python, javascript, typescript
           queries: security-extended
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@v4.36.2
         with:
           # The frontend is a TS/JSX project under frontend/src;
           # without this filter CodeQL still walks the whole tree but

.github/workflows/codeql.yml

@@ -37,12 +37,12 @@ jobs:
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@v4.36.2
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@v4.36.2
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/dependency-review.yml

@@ -15,7 +15,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:
           egress-policy: audit
 

.github/workflows/lychee.yml

@@ -26,7 +26,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: lychee
-        uses: lycheeverse/lychee-action@v2.4.0
+        uses: lycheeverse/lychee-action@v2.8.0
         with:
           args: --verbose --no-progress --exclude-mail --exclude-loopback
         env:

.github/workflows/scorecard.yml

@@ -22,7 +22,7 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:
           egress-policy: audit
 
@@ -40,7 +40,7 @@ jobs:
 
       - name: Upload to code-scanning
         if: always()
-        uses: github/codeql-action/upload-sarif@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.27.5
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3.27.5
         with:
           sarif_file: results.sarif
           category: scorecard

.github/workflows/stale.yml

@@ -18,7 +18,7 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
         with:
           egress-policy: audit