Commit 34c3316

renovate-bot and cuixq authored
chore(deps): update workflows (#2362)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action | patch | `v4.1.6` -> `v4.1.7` |
| [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v2.25.8` -> `v2.25.11` |
| [pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish) | action | minor | `v1.8.14` -> `v1.9.0` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

### [`v4.1.7`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v417)

[Compare Source](https://togithub.com/actions/checkout/compare/v4.1.6...v4.1.7)

- Bump the minor-npm-dependencies group across 1 directory with 4 updates by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1739](https://togithub.com/actions/checkout/pull/1739)
- Bump actions/checkout from 3 to 4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1697](https://togithub.com/actions/checkout/pull/1697)
- Check out other refs/\* by commit by [@orhantoy](https://togithub.com/orhantoy) in [https://github.com/actions/checkout/pull/1774](https://togithub.com/actions/checkout/pull/1774)
- Pin actions/checkout's own workflows to a known, good, stable version. by [@jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1776](https://togithub.com/actions/checkout/pull/1776)

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v2.25.11`](https://togithub.com/github/codeql-action/compare/v2.25.10...v2.25.11)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.25.10...v2.25.11)

### [`v2.25.10`](https://togithub.com/github/codeql-action/compare/v2.25.9...v2.25.10)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.25.9...v2.25.10)

### [`v2.25.9`](https://togithub.com/github/codeql-action/compare/v2.25.8...v2.25.9)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.25.8...v2.25.9)

</details>

<details>
<summary>pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)</summary>

### [`v1.9.0`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.9.0)

[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.14...v1.9.0)

#### 💅 Cosmetic Output Improvements

- [@woodruffw](https://togithub.com/woodruffw)[💰](https://togithub.com/sponsors/woodruffw) updated the tense on password nudge in [#234](https://togithub.com/pypa/gh-action-pypi-publish/issues/234)
- [@shenxianpeng](https://togithub.com/shenxianpeng)[💰](https://togithub.com/sponsors/shenxianpeng) helped us disable the progress bar that was being produced by the `twine upload` command via [#231](https://togithub.com/pypa/gh-action-pypi-publish/issues/231)
- [@woodruffw](https://togithub.com/woodruffw)[💰](https://togithub.com/sponsors/woodruffw) also linked the PyPI status dashboard in the trusted publishing error message via [https://github.com/pypa/gh-action-pypi-publish/pull/243](https://togithub.com/pypa/gh-action-pypi-publish/pull/243)

#### 🛠️ Internal Dependencies

- pre-commit linters got auto-updated @ [#225](https://togithub.com/pypa/gh-action-pypi-publish/issues/225)
- some notable dependency bumps include
  - `cryptography == 42.0.7`
  - `id == 1.4.0`
  - `idna == 3.7` via [#228](https://togithub.com/pypa/gh-action-pypi-publish/issues/228)
  - `requests == 2.32.0` via [#240](https://togithub.com/pypa/gh-action-pypi-publish/issues/240)
  - `Twine == 5.1.0`

#### ⚙️ Secret Stuff

In [#241](https://togithub.com/pypa/gh-action-pypi-publish/issues/241), [@br3ndonland](https://togithub.com/br3ndonland)[💰](https://togithub.com/sponsors/br3ndonland) added a Docker label linking the container image to this repository for GHCR to display it nicely. This is preparatory work for a big performance-focused refactoring he's working on in [#230](https://togithub.com/pypa/gh-action-pypi-publish/issues/230).

#### 💪 New Contributors

- [@shenxianpeng](https://togithub.com/shenxianpeng) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/231](https://togithub.com/pypa/gh-action-pypi-publish/pull/231)
- [@br3ndonland](https://togithub.com/br3ndonland) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/241](https://togithub.com/pypa/gh-action-pypi-publish/pull/241)

**🪞 Full Diff**: pypa/gh-action-pypi-publish@v1.8.14...v1.9.0

**🧔‍♂️ Release Manager:** [@webknjaz 🇺🇦](https://togithub.com/sponsors/webknjaz)

**🙏 Special Thanks** to [@pradyunsg](https://togithub.com/pradyunsg)[💰](https://togithub.com/sponsors/pradyunsg) for promptly unblocking this release to Marketplace as GitHub started asking for yet another developer agreement signature from the organization admins.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv.dev).

Co-authored-by: Xueqin Cui <[email protected]>
1 parent a05311e commit 34c3316

2 files changed, +3 -3 lines changed

.github/workflows/publish-to-pypi.yaml

+2 -2
@@ -24,7 +24,7 @@ jobs:
2424
name: Publish
2525
runs-on: ubuntu-latest
2626
steps:
27-
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
27+
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
2828
with:
2929
fetch-depth: 0
3030
submodules: recursive
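
Review bot: The new pin on line 27 is tied to v4.1.7 only by its trailing `# v4.1.7` comment, which nothing checks at run time, so confirm that 692973e3d937129bcbf40652eb9f2f61becf3332 is the commit the v4.1.7 tag points to in actions/checkout before merging. This is the checkout step of the PyPI publish workflow, and with `fetch-depth: 0` and `submodules: recursive` it decides everything that lands in the build tree, so a wrong SHA here costs more than it would in an ordinary CI job.
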
@@ -44,7 +44,7 @@ jobs:
4444
build
4545
--sdist --wheel --outdir dist/ .
4646
- name: Publish distribution to PyPI
47-
uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14
47+
uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # v1.9.0
4848
with:
4949
password: ${{ secrets.PYPI_API_TOKEN }}
5050
packages_dir: dist/
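
Review bot: The publish step at line 47 still authenticates with a long-lived token, `password: ${{ secrets.PYPI_API_TOKEN }}`, and this is a minor bump (v1.8.14 to v1.9.0) rather than a patch, so the release notes in the PR body (internal bumps of cryptography, requests and Twine) deserve a read before merging. The action supports PyPI trusted publishing, which the v1.9.0 notes refer to; moving to it would mean granting the job `id-token: write` and dropping the `password` input, which removes the stored secret from the repository. As with the checkout pin, check that ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 is the commit tagged v1.9.0.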

.github/workflows/scorecards.yml

+1 -1
@@ -50,6 +50,6 @@ jobs:
5050

5151
# Upload the results to GitHub's code scanning dashboard.
5252
- name: "Upload to code-scanning"
53-
uses: github/codeql-action/upload-sarif@6ac9fc7e8e290bda8fac86290b68e176def71959 # v2.25.8
53+
uses: github/codeql-action/upload-sarif@d958b976dc5b990f802df244f2dc5d807113327f # v2.25.11
5454
with:
5555
sarif_file: results.sarif
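
Review bot: The upload-sarif pin at line 53 jumps three patch releases (v2.25.8 to v2.25.11), and the PR body gives only compare links for them with no changelog text, so the diff between those tags is the only description of what changes in the step that writes to the code-scanning dashboard; skim it and confirm that d958b976dc5b990f802df244f2dc5d807113327f is the commit tagged v2.25.11. The pin also stays on the v2 line of github/codeql-action while a v3 line exists; if that is deliberate, a short comment in the workflow saying so would save the next reviewer the question.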
