chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
anchore/sbom-action	action	patch	v0.23.0 → v0.23.1
github.com/cert-manager/cert-manager	require	minor	v1.19.4 → v1.20.0
github.com/stackitcloud/stackit-sdk-go/core	require	minor	v0.22.0 → v0.23.0
github.com/stackitcloud/stackit-sdk-go/services/dns	require	minor	v0.17.6 → v0.19.1
github/codeql-action	action	minor	v4.32.6 → v4.33.0
sigstore/cosign-installer	action	minor	v4.0.0 → v4.1.0
step-security/harden-runner	action	minor	v2.15.1 → v2.16.0

---

Release Notes

anchore/sbom-action (anchore/sbom-action)

v0.23.1

Compare Source

v0.23.1

⬆️ Dependencies

• chore(deps): update Syft to v1.42.2 (#​607) [@​anchore-actions-token-generator[bot]]
• chore(deps): bump fast-xml-parser and all other deps (#​604) [@​dependabot[bot]]

cert-manager/cert-manager (github.com/cert-manager/cert-manager)

v1.20.0

Compare Source

github/codeql-action (github/codeql-action)

v4.33.0

Compare Source

sigstore/cosign-installer (sigstore/cosign-installer)

v4.1.0

Compare Source

What's Changed

We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing with: cosign-release and strongly discourage using cosign-release unless you have a specific reason to use an older version of Cosign.

• Bump cosign to 3.0.5 in #​220
• fix: add retry to curl downloads for transient network failures in #​210

Full Changelog: sigstore/cosign-installer@v4.0.0...v4.1.0

step-security/harden-runner (step-security/harden-runner)

v2.16.0

Compare Source

What's Changed

• Updated action.yml to use node24
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 34 additional dependencies were updated

Details:

Package	Change
k8s.io/api	v0.34.6 -> v0.35.2
k8s.io/apiextensions-apiserver	v0.34.6 -> v0.35.2
k8s.io/apimachinery	v0.34.6 -> v0.35.2
k8s.io/client-go	v0.34.6 -> v0.35.2
cel.dev/expr	v0.24.0 -> v0.25.1
github.com/go-openapi/jsonpointer	v0.22.1 -> v0.22.4
github.com/go-openapi/jsonreference	v0.21.2 -> v0.21.4
github.com/go-openapi/swag/jsonname	v0.25.1 -> v0.25.4
github.com/google/gnostic-models	v0.7.0 -> v0.7.1
github.com/mailru/easyjson	v0.9.0 -> v0.9.1
github.com/miekg/dns	v1.1.68 -> v1.1.72
github.com/spf13/cobra	v1.10.1 -> v1.10.2
golang.org/x/crypto	v0.45.0 -> v0.48.0
golang.org/x/mod	v0.29.0 -> v0.32.0
golang.org/x/net	v0.47.0 -> v0.51.0
golang.org/x/oauth2	v0.31.0 -> v0.35.0
golang.org/x/sync	v0.18.0 -> v0.19.0
golang.org/x/sys	v0.40.0 -> v0.41.0
golang.org/x/term	v0.37.0 -> v0.40.0
golang.org/x/text	v0.31.0 -> v0.34.0
golang.org/x/time	v0.13.0 -> v0.14.0
golang.org/x/tools	v0.38.0 -> v0.41.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250721164621-a45f3dfb1074 -> v0.0.0-20260128011058-8636f8732409
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250929231259-57b25ae835d4 -> v0.0.0-20260217215200-42d3e9bedb6d
google.golang.org/grpc	v1.75.1 -> v1.79.1
google.golang.org/protobuf	v1.36.9 -> v1.36.11
k8s.io/apiserver	v0.34.6 -> v0.35.2
k8s.io/component-base	v0.34.6 -> v0.35.2
k8s.io/klog/v2	v2.130.1 -> v2.140.0
k8s.io/kms	v0.34.6 -> v0.35.2
k8s.io/kube-openapi	v0.0.0-20250910181357-589584f1c912 -> v0.0.0-20260127142750-a19766b6e2d4
sigs.k8s.io/controller-runtime	v0.22.3 -> v0.23.1
sigs.k8s.io/gateway-api	v1.4.0 -> v1.5.0
sigs.k8s.io/structured-merge-diff/v6	v6.3.0 -> v6.3.2