From b0e7ac27ceb0d08204910936f0dcf70e69c149a6 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 5 Jun 2026 06:00:36 +0000
Subject: [PATCH] Update GitHub Actions

---
 .github/workflows/ci.yml         | 4 ++--
 .github/workflows/claude.yml     | 4 ++--
 .github/workflows/lighthouse.yml | 2 +-
 .github/workflows/scorecard.yml  | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 35e0126..f6d2747 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,7 +28,7 @@ jobs:
 
       - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6  # v2.2.0
         with:
-          bun-version: 1.3.13
+          bun-version: 1.3.14
 
       # Bun is the package manager and script runner, but Next.js (and tsc)
       # run on Node. The runner image is pinned (ubuntu-24.04) but Node
@@ -187,7 +187,7 @@ jobs:
           # TruffleHog diffs base..head and needs the full history present.
           fetch-depth: 0
       - name: TruffleHog scan
-        uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26  # v3.95.2
+        uses: trufflesecurity/trufflehog@37b77001d0174ebec2fcca2bd83ff83a6d45a3ab  # v3.95.3
         with:
           # On PRs: scan the diff between base and head. On push to main:
           # scan the previous commit to HEAD. The action infers both from
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index aef1eaf..db292c5 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -41,11 +41,11 @@ jobs:
       id-token: write
       actions: read
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           fetch-depth: 1
 
-      - uses: anthropics/claude-code-action@476e359e6203e73dad705c8b322e333fabbd7416 # v1.0.119
+      - uses: anthropics/claude-code-action@4481e6d3c7bbb88db2a928ca3444c536f589c7c1 # v1.0.131
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/lighthouse.yml b/.github/workflows/lighthouse.yml
index 868e922..f865078 100644
--- a/.github/workflows/lighthouse.yml
+++ b/.github/workflows/lighthouse.yml
@@ -24,7 +24,7 @@ jobs:
 
       - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6  # v2.2.0
         with:
-          bun-version: 1.3.13
+          bun-version: 1.3.14
 
       # Bun is the package manager and script runner, but Next.js (and the
       # lhci binary) run on Node. The runner image is pinned (ubuntu-24.04)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index d07c57c..b5e63b4 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -83,6 +83,6 @@ jobs:
           retention-days: 7
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # v4.35.2
+        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba  # v4.35.5
         with:
           sarif_file: results.sarif