chore(deps): update github actions

[agntcy-automation]

This PR contains the following updates:

Package	Type	Update	Change	Pending
actions/create-github-app-token	action	minor	v3.1.1 → v3.2.0
github/codeql-action	action	patch	v4.35.4 → v4.35.5
go-task/setup-task	action	minor	v2.0.0 → v2.1.0
step-security/harden-runner	action	patch	v2.19.1 → v2.19.3	v2.19.4

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

actions/create-github-app-token (actions/create-github-app-token)

v3.2.0

Compare Source

Features

• add support for enterprise-level GitHub Apps (#​263) (952a2a7)
• support full repository names in repositories input (#​372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#​364) (43e5c34)
• validate private-key input (#​376) (f24bbd8)

github/codeql-action (github/codeql-action)

v4.35.5

Compare Source

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #​3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #​3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #​3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #​3880

go-task/setup-task (go-task/setup-task)

v2.1.0

Compare Source

• Replaced typed-rest-client with @actions/http-client for GitHub API calls
  to eliminate the Node 24 DEP0169 deprecation warning about url.parse().
• Modernized the TypeScript tooling stack (vitest, oxlint, @actions/core@2,
  @actions/io@2, updated @types/node, @vercel/ncc, prettier, etc.).
• Migrated the project to ESM (sources + bundle). Aligns with the new
  @actions/* ESM-only majors and produces a ~47% smaller dist/index.js.
• Upgraded @actions/core 2 → 3, @actions/http-client 2 → 4,
  @actions/io 2 → 3, @actions/tool-cache 2 → 4, typescript 5 → 6, and
  markdownlint-cli 0.47 → 0.48.

step-security/harden-runner (step-security/harden-runner)

v2.19.3

Compare Source

What's Changed

• Default to audit mode when api-key missing with use-policy-store by @​varunsh-coder in #​665

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

Compare Source

What's Changed

• Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2