fix(deps): update non-major-updates

.github/skills/security-scan-docker-image-scripts/run.sh

@@ -50,7 +50,7 @@ SYFT_INSTALLED_VERSION=$(syft version | grep -oP 'Version:\s*\Kv?[0-9]+\.[0-9]+\
 GRYPE_INSTALLED_VERSION=$(grype version | grep -oP 'Version:\s*\Kv?[0-9]+\.[0-9]+\.[0-9]+' | head -1 || echo "unknown")
 
 # Set defaults matching CI workflow
-set_default_env "SYFT_VERSION" "v1.42.2"
+set_default_env "SYFT_VERSION" "v1.42.3"
 set_default_env "GRYPE_VERSION" "v0.109.1"
 set_default_env "IMAGE_TAG" "charon:local"
 set_default_env "FAIL_ON_SEVERITY" "Critical,High"

.github/workflows/nightly-build.yml

@@ -282,7 +282,7 @@ jobs:
 
           echo "Primary SBOM generation failed or produced missing/invalid output; using deterministic Syft fallback"
 
-          SYFT_VERSION="v1.42.2"
+          SYFT_VERSION="v1.42.3"
           OS="$(uname -s | tr '[:upper:]' '[:lower:]')"
           ARCH="$(uname -m)"
           case "$ARCH" in

.github/workflows/security-pr.yml

@@ -385,7 +385,7 @@ jobs:
       - name: Upload Trivy SARIF to GitHub Security
         if: always() && steps.trivy-sarif-check.outputs.exists == 'true'
         # github/codeql-action v4
-        uses: github/codeql-action/upload-sarif@7da6361ba56d9e2aa798049c7f0a046fe133921e
+        uses: github/codeql-action/upload-sarif@30c555a528e360aaf7570127a2440e1396c211cb
         with:
           sarif_file: 'trivy-binary-results.sarif'
           category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}