chore: Update Infrastructure dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
busybox		minor	1.37-musl → 1.38-musl
dhi.io/nats (source)		digest	e545a82 → 5ce86b9
dhi.io/postgres (source)		digest	6aa59b8 → 21d6e88
docker/build-push-action	action	minor	v7.1.0 → v7.2.0
docker/metadata-action	action	minor	v6.0.0 → v6.1.0
docker/setup-buildx-action	action	minor	v4.0.0 → v4.1.0
ghcr.io/astral-sh/uv	stage	patch	0.11.15 → 0.11.16
github/codeql-action	action	minor	v4.35.5 → v4.36.0
golangci/golangci-lint-action	action	patch	v9.2.0 → v9.2.1
node	uses-with	minor	24.15.0 → 24.16.0
postgres	service	pinDigest	→ 96d56f7

---

Release Notes

docker/build-push-action (docker/build-push-action)

v7.2.0

Compare Source

docker/metadata-action (docker/metadata-action)

v6.1.0

Compare Source

docker/setup-buildx-action (docker/setup-buildx-action)

v4.1.0

Compare Source

• Bump @​docker/actions-toolkit from 0.79.0 to 0.90.0 in #​489
• Bump brace-expansion from 1.1.12 to 5.0.6 in #​547 #​508
• Bump fast-xml-builder from 1.0.0 to 1.2.0 in #​540
• Bump fast-xml-parser from 5.4.2 to 5.8.0 in #​496
• Bump flatted from 3.3.3 to 3.4.2 in #​499
• Bump glob from 10.3.12 to 13.0.6 in #​495
• Bump handlebars from 4.7.8 to 4.7.9 in #​504
• Bump lodash from 4.17.23 to 4.18.1 in #​523
• Bump picomatch from 4.0.3 to 4.0.4 in #​503
• Bump postcss from 8.5.6 to 8.5.10 in #​537
• Bump tar from 6.2.1 to 7.5.15 in #​545
• Bump undici from 6.23.0 to 6.25.0 in #​492
• Bump vite from 7.3.1 to 7.3.2 in #​520

Full Changelog: docker/setup-buildx-action@v4.0.0...v4.1.0

astral-sh/uv (ghcr.io/astral-sh/uv)

v0.11.16

Compare Source

Released on 2026-05-21.

Enhancements

• Add support for direct archive dependencies in Git (#​10072)
• Adjust hint rendering (#​18090)

Preview features

• uv audit: specialize malformed OSV error (#​19515)
• Reject locked malware installations (#​18936)

Configuration

• Allow disabling reading the system config with UV_NO_SYSTEM_CONFIG (#​19476)

Bug fixes

• Allow environment variables that take a list to be empty (#​19503)
• Ensure that incompatible wheel hints do not leak secrets (#​19504)
• Reject unsafe entry points in uv-build (#​19495)
• Restrict delimiters in entry point parsing (#​19471)
• uv-netrc: fix multi-word no-space comment lines causing parse errors (#​19494)

Documentation

• Document and test relative exclude-newer support for uv pip (#​19475)

github/codeql-action (github/codeql-action)

v4.36.0

Compare Source

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #​3894
• Add support for SHA-256 Git object IDs. #​3893
• Update default CodeQL bundle version to 2.25.5. #​3926

golangci/golangci-lint-action (golangci/golangci-lint-action)

v9.2.1

Compare Source

What's Changed

IMPORTANT: this is the first immutable release.

Changes

• chore: improve workflows by @​ldez in #​1394

Dependencies

• build(deps-dev): bump the dev-dependencies group with 3 updates by @​dependabot[bot] in #​1325
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in #​1326
• build(deps): bump the dependencies group with 4 updates by @​dependabot[bot] in #​1327
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in #​1328
• build(deps): bump @​types/node from 25.0.2 to 25.0.3 in the dependencies group by @​dependabot[bot] in #​1329
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in #​1330
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in #​1332
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in #​1333
• build(deps): bump the dependencies group with 6 updates by @​dependabot[bot] in #​1334
• build(deps-dev): bump the dev-dependencies group with 4 updates by @​dependabot[bot] in #​1335
• build(deps): bump the dependencies group with 2 updates by @​dependabot[bot] in #​1336
• build(deps-dev): bump the dev-dependencies group with 3 updates by @​dependabot[bot] in #​1337
• build(deps): bump @​types/node from 25.0.9 to 25.0.10 in the dependencies group by @​dependabot[bot] in #​1338
• build(deps): bump fast-xml-parser from 5.3.3 to 5.3.4 by @​dependabot[bot] in #​1339
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in #​1340
• build(deps-dev): bump the dev-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​1344
• build(deps): bump fast-xml-parser from 5.3.4 to 5.3.6 by @​dependabot[bot] in #​1346
• build(deps): bump minimatch by @​dependabot[bot] in #​1348
• build(deps): bump minimatch from 3.1.3 to 3.1.5 by @​dependabot[bot] in #​1350
• build(deps): bump fast-xml-parser from 5.3.6 to 5.4.1 by @​dependabot[bot] in #​1351
• build(deps): bump fast-xml-parser from 5.4.1 to 5.5.6 by @​dependabot[bot] in #​1357
• build(deps): bump fast-xml-parser from 5.5.6 to 5.5.7 by @​dependabot[bot] in #​1358
• build(deps-dev): bump flatted from 3.3.3 to 3.4.2 by @​dependabot[bot] in #​1359
• build(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in #​1364
• build(deps): bump yaml from 2.8.2 to 2.8.3 by @​dependabot[bot] in #​1365
• build(deps): bump brace-expansion by @​dependabot[bot] in #​1370
• build(deps-dev): bump the dev-dependencies group across 1 directory with 7 updates by @​ldez in #​1374
• build(deps): bump github/codeql-action from 4 to 4.35.2 by @​dependabot[bot] in #​1384
• build(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 by @​dependabot[bot] in #​1386
• build(deps): bump github/codeql-action from 4.35.2 to 4.35.3 by @​dependabot[bot] in #​1389
• build(deps): bump github/codeql-action from 4.35.3 to 4.35.4 by @​dependabot[bot] in #​1391

Full Changelog: golangci/golangci-lint-action@v9.2.0...v9.2.1

actions/node-versions (node)

v24.16.0: 24.16.0

Compare Source

Node.js 24.16.0

---

Configuration

📅 Schedule: (in timezone Etc/UTC)

• Branch creation
  • Between 12:00 AM and 06:59 AM, only on Saturday (* 0-6 * * 6)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/github/codeql-action/upload-sarif	7211b7c8077ea37d8641b6271f6a365a22a5fbfa	Unknown	Unknown
actions/github/codeql-action/upload-sarif	7211b7c8077ea37d8641b6271f6a365a22a5fbfa	Unknown	Unknown

Scanned Files

• .github/workflows/docker.yml
• .github/workflows/scorecard.yml

[codspeed-hq]

Merging this PR will not alter performance

✅ 54 untouched benchmarks

---

_{Comparing renovate/infra (c316d7b) with main (4d57b9a)}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.13%. Comparing base (1b8b1d4) to head (c316d7b).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2055   +/-   ##
=======================================
  Coverage   87.13%   87.13%           
=======================================
  Files        2251     2251           
  Lines      130302   130302           
=======================================
  Hits       113533   113533           
  Misses      16754    16754           
  Partials       15       15           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[Aureliolo]

Decision: Infra dep batch (Docker images, GHA actions); CI green after regenerating 4 CLI compose goldens for the busybox 1.37→1.38-musl bump; no behavioural changes outside the digest/tag refresh.

Changelog digest:
Covered the Renovate "infra" group: busybox 1.37→1.38-musl, dhi.io/postgres digest rotation, dhi.io/nats digest rotation, docker/build-push-action v7.1→v7.2, docker/metadata-action v6.0→v6.1, docker/setup-buildx-action v4.0→v4.1, ghcr.io/astral-sh/uv 0.11.15→0.11.16, github/codeql-action v4.35.5→v4.36.0, golangci/golangci-lint-action v9.2.0→v9.2.1, actions/node-versions 24.15.0→24.16.0, postgres service pinDigest.

• Relevant security wins (auto-adopted, no code change): uv 0.11.16 wheel-hint secret-leak fix + unsafe entry-point rejection (flows into backend + fine-tune builds via the Dockerfile uv stage); github/codeql-action v4.36 bumps minimum CodeQL bundle to 2.19.4; golangci-lint-action v9.2.1 is the first immutable release (future v9.2.z bumps become pure digest changes).
• Relevant test fix (this commit): regenerated cli/testdata/compose_{default,custom_ports,sandbox,digest_pins}.yml so the busybox 1.38-musl digest matches the new compose template.
• Reviewed but not relevant: docker/build-push-action v7.2 + metadata-action v6.1 have empty release notes; setup-buildx v4.1 is internal actions-toolkit/dependency churn only; codeql v4.36 SHA-256 OID support is irrelevant until GitHub rolls SHA-256 (not soon); actions/node-versions 24.16 is a Node patch transparent to our build.

Follow-ups: a single bundled issue covers the recurring weekly toil from these digest rotations (mask @sha256:[0-9a-f]{64} and version-suffixed tags in the compose golden-file comparison so a digest bump no longer requires UPDATE_GOLDEN=1) and the deferred full litestar 2.22 controller migration.