ci: Update CI tool dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
CodSpeedHQ/action	action	minor	v4.14.0 → v4.15.0
actions/setup-python	action	minor	v6.1.0 → v6.2.0
chainguard-dev/actions	action	patch	v1.6.15 → v1.6.17
github/codeql-action	action	patch	v4.35.2 → v4.35.3
goreleaser/goreleaser-action	action	minor	v7.1.0 → v7.2.1
python	uses-with	pin	3.14 → 3.14.4

---

Release Notes

CodSpeedHQ/action (CodSpeedHQ/action)

v4.15.0

Compare Source

Release Notes

This release adds first support for macOS walltime.

Please note that profiling and other instruments are not yet available on macOS and will come in a later update.

Minimum integration versions

• pytest-codspeed v4.5.0
• codspeed-rust v4.6.0
• codspeed-cpp v2.3.0
• codspeed-go v1.2.0
• codspeed-node v5.4.0

🚀 Features

• Revert logo changes by @​GuillaumeLagrange
• Display N/A rather than NaN/inf in the benchmarks results table by @​GuillaumeLagrange in #​314
• Only wrap walltime command with sudo on linux by @​GuillaumeLagrange
• Add --with-token flag to read token from stdin by @​fargito in #​313
• Warn when libc debug info is not found by @​not-matthias in #​310
• Resolve debug info and symbols from separate debug files by @​not-matthias in #​303

🧪 Testing

• Add libc debuglink/build-id fixtures by @​not-matthias
• Add stripped binary and debug file test fixtures by @​not-matthias

⚙️ Internals

• chore: bump runner version to 4.15.0 by @​github-actions[bot] in #​204
• Bump exec-harness version
• Add macos basic run test by @​GuillaumeLagrange in #​319
• Remove DumpPerfMapAtExit in favor of custom dumper by @​not-matthias in #​295

Install codspeed-runner 4.15.0

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CodSpeedHQ/codspeed/releases/download/v4.15.0/codspeed-runner-installer.sh | sh

Download codspeed-runner 4.15.0

File	Platform	Checksum
codspeed-runner-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
codspeed-runner-aarch64-unknown-linux-musl.tar.gz	ARM64 MUSL Linux	checksum
codspeed-runner-x86_64-unknown-linux-musl.tar.gz	x64 MUSL Linux	checksum

Full Runner Changelog: https://github.com/CodSpeedHQ/codspeed/blob/main/CHANGELOG.md

Full Changelog: CodSpeedHQ/action@v4.14.0...v4.15.0

actions/setup-python (actions/setup-python)

v6.2.0

Compare Source

chainguard-dev/actions (chainguard-dev/actions)

v1.6.17

Compare Source

What's Changed

• build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.16 in /wolfi-build-pkg by @​dependabot[bot] in #​876
• build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.16 in /melange-build by @​dependabot[bot] in #​875
• build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.16 in /inky-build-pkg by @​dependabot[bot] in #​874
• build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.16 in /goimports by @​dependabot[bot] in #​873
• build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.16 in /gofmt by @​dependabot[bot] in #​872
• fix(setup-knative): make resource_blaster fail loudly on HTTP errors by @​jml in #​878
• otel-export: use RUNNER_NAME for the current job by @​joshrwolf in #​877

New Contributors

• @​jml made their first contribution in #​878

Full Changelog: chainguard-dev/actions@v1.6.16...v1.6.17

v1.6.16

Compare Source

What's Changed

• build(deps): bump chainguard-dev/actions from 1.6.14 to 1.6.15 in /wolfi-build-pkg by @​dependabot[bot] in #​867
• build(deps): bump chainguard-dev/actions from 1.6.14 to 1.6.15 in /melange-build by @​dependabot[bot] in #​866
• build(deps): bump chainguard-dev/actions from 1.6.14 to 1.6.15 in /inky-build-pkg by @​dependabot[bot] in #​865
• build(deps): bump chainguard-dev/actions from 1.6.14 to 1.6.15 in /goimports by @​dependabot[bot] in #​864
• build(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.1.0 by @​dependabot[bot] in #​861
• build(deps): bump chainguard-dev/actions from 1.6.14 to 1.6.15 by @​dependabot[bot] in #​862
• build(deps): bump chainguard-dev/actions from 1.6.14 to 1.6.15 in /gofmt by @​dependabot[bot] in #​863
• build(deps): bump actions/setup-node from 6.3.0 to 6.4.0 in /githubapp-token by @​dependabot[bot] in #​869
• build(deps): bump step-security/harden-runner from 2.18.0 to 2.19.0 by @​dependabot[bot] in #​868

Full Changelog: chainguard-dev/actions@v1.6.15...v1.6.16

github/codeql-action (github/codeql-action)

v4.35.3

Compare Source

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #​3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #​3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #​3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #​3852
• Update default CodeQL bundle version to 2.25.3. #​3865

goreleaser/goreleaser-action (goreleaser/goreleaser-action)

v7.2.1

Compare Source

This fully removes the usage of the old nightly moving tag.

Full Changelog: goreleaser/goreleaser-action@v7.2.0...v7.2.1

v7.2.0

Compare Source

What's Changed

• test: cover install across release eras by @​caarlos0 in #​555
• feat: add version-file input by @​caarlos0 in #​556
• feat: resolve nightly to latest vX.Y.Z--nightly release by @​caarlos0 in #​558

Full Changelog: goreleaser/goreleaser-action@v7...v7.2.0

---

Configuration

📅 Schedule: (in timezone Etc/UTC)

• Branch creation
  • Between 12:00 AM and 06:59 AM, only on Saturday (* 0-6 * * 6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/github/codeql-action/upload-sarif	e46ed2cbd01164d986452f91f178727624ae40d7	Unknown	Unknown

Scanned Files

• .github/workflows/scorecard.yml

[codspeed-hq]

Merging this PR will not alter performance

✅ 54 untouched benchmarks

---

_{Comparing renovate/ci-tools (2c5fa49) with main (3d790d9)}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.69%. Comparing base (3d790d9) to head (2c5fa49).
⚠️ Report is 4 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1703      +/-   ##
==========================================
- Coverage   84.69%   84.69%   -0.01%     
==========================================
  Files        1786     1786              
  Lines      102259   102259              
  Branches     8980     8980              
==========================================
- Hits        86613    86609       -4     
- Misses      13457    13459       +2     
- Partials     2189     2191       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.