chore(deps): bump the all-dependencies group with 3 updates

.github/workflows/ci.yml

@@ -153,7 +153,7 @@ jobs:
 
       - name: Determine version (NBGV)
         id: nbgv
-        uses: dotnet/nbgv@071d632702496c9f570398fbf453c6545c2cf2f0 # node24 (unreleased past v0.5.1; pin SHA until v0.5.2 ships)
+        uses: dotnet/nbgv@81f7c98786b56d9fa30c96223e7147d9bb582ff7 # node24 (unreleased past v0.5.1; pin SHA until v0.5.2 ships)
         with:
           setAllVars: true
 

.github/workflows/codeql.yml

@@ -1,37 +1,37 @@
-name: CodeQL
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-  schedule:
-    - cron: '0 6 * * 1'
-
-permissions:
-  security-events: write
-  contents: read
-
-jobs:
-  analyze:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Setup .NET
-        uses: actions/setup-dotnet@v5
-        with:
-          global-json-file: global.json
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
-        with:
-          languages: csharp
-
-      - name: Build
-        run: dotnet build --configuration Release
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'
+
+permissions:
+  security-events: write
+  contents: read
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          global-json-file: global.json
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4.35.5
+        with:
+          languages: csharp
+
+      - name: Build
+        run: dotnet build --configuration Release
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4.35.5

.github/workflows/containers.yml

@@ -1,131 +1,131 @@
-name: Container Images
-
-on:
-  push:
-    branches: [main]
-    tags:
-      - "v*"
-  workflow_dispatch:
-
-env:
-  REGISTRY: ghcr.io
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - component: gateway
-            dockerfile: deploy/docker/Dockerfile.gateway
-          - component: daemon
-            dockerfile: deploy/docker/Dockerfile.daemon
-          - component: tui
-            dockerfile: deploy/docker/Dockerfile.tui
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Set up Docker Buildx
-        shell: bash
-        run: |
-          docker buildx version
-          docker buildx create --name jdai-builder --use || docker buildx use jdai-builder
-          docker buildx inspect --bootstrap
-
-      - name: Normalize image name
-        id: image
-        shell: bash
-        run: |
-          owner="${GITHUB_REPOSITORY_OWNER,,}"
-          echo "name=${{ env.REGISTRY }}/${owner}/jd.ai-${{ matrix.component }}" >> "$GITHUB_OUTPUT"
-
-      - name: Login to GHCR
-        uses: docker/login-action@v4
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract metadata
-        id: meta
-        uses: docker/metadata-action@v6
-        with:
-          images: ${{ steps.image.outputs.name }}
-          tags: |
-            type=sha
-            type=raw,value=latest,enable={{is_default_branch}}
-            type=ref,event=tag
-
-      - name: Build and push
-        id: build
-        uses: docker/build-push-action@v7
-        with:
-          context: .
-          file: ${{ matrix.dockerfile }}
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Generate SBOM
-        uses: anchore/sbom-action@v0
-        with:
-          image: ${{ steps.image.outputs.name }}@${{ steps.build.outputs.digest }}
-          format: spdx-json
-          output-file: sbom-${{ matrix.component }}.spdx.json
-
-      - name: Upload SBOM artifact
-        uses: actions/upload-artifact@v7
-        with:
-          name: sbom-${{ matrix.component }}
-          path: sbom-${{ matrix.component }}.spdx.json
-
-      - name: Attest SBOM to image
-        uses: actions/attest-sbom@v4
-        continue-on-error: true
-        with:
-          subject-name: ${{ steps.image.outputs.name }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          sbom-path: sbom-${{ matrix.component }}.spdx.json
-
-  helm-lint:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Install Helm
-        shell: bash
-        run: |
-          set -euo pipefail
-          HELM_VERSION="v3.19.0"
-          ARCHIVE="helm-${HELM_VERSION}-linux-amd64.tar.gz"
-          URL="https://get.helm.sh/${ARCHIVE}"
-          for attempt in 1 2 3; do
-            if curl -fsSL --retry 3 --retry-delay 2 "$URL" -o "$ARCHIVE"; then
-              break
-            fi
-            if [ "$attempt" -eq 3 ]; then
-              echo "Failed to download Helm from $URL after retries."
-              exit 1
-            fi
-            sleep $((attempt * 5))
-          done
-          tar -xzf "$ARCHIVE"
-          sudo mv linux-amd64/helm /usr/local/bin/helm
-          helm version --short
-
-      - name: Helm lint
-        run: helm lint deploy/helm/jdai
-
-      - name: Helm template (dry-run)
-        run: helm template jdai deploy/helm/jdai --debug > /dev/null
-
+name: Container Images
+
+on:
+  push:
+    branches: [main]
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - component: gateway
+            dockerfile: deploy/docker/Dockerfile.gateway
+          - component: daemon
+            dockerfile: deploy/docker/Dockerfile.daemon
+          - component: tui
+            dockerfile: deploy/docker/Dockerfile.tui
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        shell: bash
+        run: |
+          docker buildx version
+          docker buildx create --name jdai-builder --use || docker buildx use jdai-builder
+          docker buildx inspect --bootstrap
+
+      - name: Normalize image name
+        id: image
+        shell: bash
+        run: |
+          owner="${GITHUB_REPOSITORY_OWNER,,}"
+          echo "name=${{ env.REGISTRY }}/${owner}/jd.ai-${{ matrix.component }}" >> "$GITHUB_OUTPUT"
+
+      - name: Login to GHCR
+        uses: docker/login-action@v4.1.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v6
+        with:
+          images: ${{ steps.image.outputs.name }}
+          tags: |
+            type=sha
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=tag
+
+      - name: Build and push
+        id: build
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          file: ${{ matrix.dockerfile }}
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: ${{ steps.image.outputs.name }}@${{ steps.build.outputs.digest }}
+          format: spdx-json
+          output-file: sbom-${{ matrix.component }}.spdx.json
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v7
+        with:
+          name: sbom-${{ matrix.component }}
+          path: sbom-${{ matrix.component }}.spdx.json
+
+      - name: Attest SBOM to image
+        uses: actions/attest-sbom@v4
+        continue-on-error: true
+        with:
+          subject-name: ${{ steps.image.outputs.name }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          sbom-path: sbom-${{ matrix.component }}.spdx.json
+
+  helm-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install Helm
+        shell: bash
+        run: |
+          set -euo pipefail
+          HELM_VERSION="v3.19.0"
+          ARCHIVE="helm-${HELM_VERSION}-linux-amd64.tar.gz"
+          URL="https://get.helm.sh/${ARCHIVE}"
+          for attempt in 1 2 3; do
+            if curl -fsSL --retry 3 --retry-delay 2 "$URL" -o "$ARCHIVE"; then
+              break
+            fi
+            if [ "$attempt" -eq 3 ]; then
+              echo "Failed to download Helm from $URL after retries."
+              exit 1
+            fi
+            sleep $((attempt * 5))
+          done
+          tar -xzf "$ARCHIVE"
+          sudo mv linux-amd64/helm /usr/local/bin/helm
+          helm version --short
+
+      - name: Helm lint
+        run: helm lint deploy/helm/jdai
+
+      - name: Helm template (dry-run)
+        run: helm template jdai deploy/helm/jdai --debug > /dev/null
+

.github/workflows/pr-validation.yml

@@ -37,7 +37,7 @@ jobs:
 
       - name: Determine version (NBGV)
         id: nbgv
-        uses: dotnet/nbgv@071d632702496c9f570398fbf453c6545c2cf2f0 # node24 (unreleased past v0.5.1; pin SHA until v0.5.2 ships)
+        uses: dotnet/nbgv@81f7c98786b56d9fa30c96223e7147d9bb582ff7 # node24 (unreleased past v0.5.1; pin SHA until v0.5.2 ships)
         with:
           setAllVars: true