ci(deps): bump complytime/org-infra/.github/workflows/reusable_security.yml from 0.3.1 to 0.4.0

[dependabot]

Bumps complytime/org-infra/.github/workflows/reusable_security.yml from 0.3.1 to 0.4.0.

Release notes

Sourced from complytime/org-infra/.github/workflows/reusable_security.yml's releases.

v0.4.0

org-infra 0.4.0

Central reusable GitHub Actions workflows, CI templates, compliance policy assets, and org sync tooling. Downstream repos usually consume this repo via workflow uses: pins or version tags.

Before you upgrade

• Treat workflow YAML updates as potentially breaking for every consumer until you’ve reviewed them.
• Use the Workflows & GitHub Actions section below for PRs that touched pipelines; for exact paths and hunks, open the compare link and narrow Files changed to .github/workflows/.

View full diff: v0.3.1 → v0.4.0

Changes

• chore: add user story issue template — #322 · @​beatrizmcouto
• feat: add task issue template — #321 · @​beatrizmcouto
• ci: add PR-triggered auto-labeler workflow — #320 · @​sonupreetam
• fix(ci): replace cosign copy with crane copy + fresh signing (#323) — #327 · @​trevor-vaughan
• fix(ci): fetch live PR title for commitlint validation — #330 · @​marcusburghardt
• chore: add CODEOWNERS file — #333 · @​marcusburghardt
• fix(ci): align compliance workflow with new complyctl config path — #332 · @​marcusburghardt
• feat(ci): add complypack publish pipeline for ampel branch-protection policies — #314 · @​marcusburghardt
• fix(ci): disable SHA tags on complypack Quay promotion — #338 · @​marcusburghardt
• fix: add id-token permission to promote-quay job — #339 · @​marcusburghardt
• fix(ci): remove BuildKit provenance that causes "unknown on unknown" in Quay — #336 · @​trevor-vaughan
• chore(ci): remove TEMPORARY manual staging of ampel policies — #334 · @​sonupreetam

Maintenance

• ci(deps): bump complytime/org-infra/.github/workflows/reusable_security.yml from 0.3.0 to 0.3.1 — #326 · @dependabot[bot]
• chore(deps): bump ruff from 0.15.15 to 0.15.16 — #325 · @dependabot[bot]
• chore(deps): bump https://github.com/astral-sh/ruff-pre-commit from v0.15.15 to 0.15.16 — #324 · @dependabot[bot]
• ci(deps): bump SonarSource/sonarqube-scan-action from 8.1.0 to 8.2.0 — #329 · @dependabot[bot]
• chore(deps): bump https://github.com/astral-sh/ruff-pre-commit from v0.15.16 to 0.15.17 — #345 · @dependabot[bot]
• chore(deps): bump ruff from 0.15.16 to 0.15.17 — #344 · @dependabot[bot]
• chore(deps): bump pytest from 9.0.3 to 9.1.0 — #343 · @dependabot[bot]
• ci(deps): bump release-drafter/release-drafter from 7.3.1 to 7.4.0 — #346 · @dependabot[bot]

---

Compare: v0.3.1…v0.4.0

Thanks to @​beatrizmcouto, @​marcusburghardt, @​sonupreetam, @​trevor-vaughan and dependabot[bot] for this release.

Commits

• bbd7194 ci(deps): bump release-drafter/release-drafter from 7.3.1 to 7.4.0
• e30c5cd chore(deps): bump pytest from 9.0.3 to 9.1.0 (#343)
• 29fa2ac chore(deps): bump ruff from 0.15.16 to 0.15.17 (#344)
• 8b5208c chore(deps): bump https://github.com/astral-sh/ruff-pre-commit (#345)
• 71c46a3 chore(ci): remove TEMPORARY manual staging of ampel policies (#334)
• 6d4b387 fix(ci): remove BuildKit provenance that causes "unknown on unknown" in Quay ...
• c1bc2a2 fix: add id-token permission to promote-quay job
• 3fee7cb fix(ci): disable SHA tags on complypack Quay promotion
• b72a180 fix(ci): update ci_test_publish_quay.yml refs for renamed workflow
• 12eab40 feat(ci): add latest tag to complypack publish pipeline
• Additional commits viewable in compare view

[github-actions]

CRAP Load Analysis

No Go code changes detected in this PR. No CRAP impact.

[github-actions]

Automatically approved: risk=medium, review=success, release_age=135h.

[github-actions]

🤖 Standardized Dependabot Review Summary 🤖

This PR was processed by the organization's reusable CI pipeline.

Criterion	Status	Detail
Dependencies Review	success	View logs
Calculated Risk	medium	complytime/org-infra/.github/workflows/reusable_security.yml v0.4.0
Release Age	135h	Released 135 hours ago
Dependency Usage	unavailable	Informational only — does not affect approval

Auto-approval: ✅ Approved

---

Maintainer check list:

1. Ensure the PR passed all CI tests (required status checks).
2. Investigate failures for Major updates or any manual review requirement.
3. Don't overlook breaking changes and changelog information.
4. If the scorecard value is low, consider to contribute to make it higher. Everybody wins!
5. Be diligent. When in doubt, ask another maintainer for additional review.

[marcusburghardt]

LGTM

[github-actions]

🤖 Standardized Dependabot Review Summary 🤖

This PR was processed by the organization's reusable CI pipeline.

Criterion	Status	Detail
Dependencies Review	success	View logs
Calculated Risk	medium	complytime/org-infra/.github/workflows/reusable_security.yml v0.4.0
Release Age	143h	Released 143 hours ago
Dependency Usage	unavailable	Informational only — does not affect approval

Auto-approval: ✅ Approved

---

Maintainer check list:

1. Ensure the PR passed all CI tests (required status checks).
2. Investigate failures for Major updates or any manual review requirement.
3. Don't overlook breaking changes and changelog information.
4. If the scorecard value is low, consider to contribute to make it higher. Everybody wins!
5. Be diligent. When in doubt, ask another maintainer for additional review.

[github-actions]

Automatically approved: risk=medium, review=success, release_age=143h.