chore(deps): Merge 5 safe Dependabot updates (Python deps, GitHub Actions) (#488)

* chore(deps): bump github/codeql-action from 3 to 4

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* chore(deps): bump docker/build-push-action from 5 to 6

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5 to 6.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@v5...v6)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* chore(deps): bump actions/checkout from 4 to 5

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* chore(deps-dev): bump the python-dependencies group

Bumps the python-dependencies group in /backend with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [pytest-env](https://github.com/pytest-dev/pytest-env) | `1.1.5` | `1.2.0` |
| [pytest-mock](https://github.com/pytest-dev/pytest-mock) | `3.14.1` | `3.15.1` |
| [minio](https://github.com/minio/minio-py) | `7.2.12` | `7.2.18` |
| [matplotlib](https://github.com/matplotlib/matplotlib) | `3.9.3` | `3.10.7` |
| [deptry](https://github.com/fpgmaas/deptry) | `0.20.0` | `0.23.1` |
| [ruff](https://github.com/astral-sh/ruff) | `0.14.0` | `0.14.1` |
| [safety](https://github.com/pyupio/safety) | `3.2.3` | `3.6.2` |


Updates `pytest-env` from 1.1.5 to 1.2.0
- [Release notes](https://github.com/pytest-dev/pytest-env/releases)
- [Commits](pytest-dev/pytest-env@1.1.5...1.2.0)

Updates `pytest-mock` from 3.14.1 to 3.15.1
- [Release notes](https://github.com/pytest-dev/pytest-mock/releases)
- [Changelog](https://github.com/pytest-dev/pytest-mock/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest-mock@v3.14.1...v3.15.1)

Updates `minio` from 7.2.12 to 7.2.18
- [Release notes](https://github.com/minio/minio-py/releases)
- [Commits](minio/minio-py@7.2.12...7.2.18)

Updates `matplotlib` from 3.9.3 to 3.10.7
- [Release notes](https://github.com/matplotlib/matplotlib/releases)
- [Commits](matplotlib/matplotlib@v3.9.3...v3.10.7)

Updates `deptry` from 0.20.0 to 0.23.1
- [Release notes](https://github.com/fpgmaas/deptry/releases)
- [Changelog](https://github.com/fpgmaas/deptry/blob/main/CHANGELOG.md)
- [Commits](fpgmaas/deptry@0.20.0...0.23.1)

Updates `ruff` from 0.14.0 to 0.14.1
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.14.0...0.14.1)

Updates `safety` from 3.2.3 to 3.6.2
- [Release notes](https://github.com/pyupio/safety/releases)
- [Changelog](https://github.com/pyupio/safety/blob/main/CHANGELOG.md)
- [Commits](pyupio/safety@3.2.3...3.6.2)

---
updated-dependencies:
- dependency-name: pytest-env
  dependency-version: 1.2.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: pytest-mock
  dependency-version: 3.15.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: minio
  dependency-version: 7.2.18
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-dependencies
- dependency-name: matplotlib
  dependency-version: 3.10.7
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: deptry
  dependency-version: 0.23.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
- dependency-name: ruff
  dependency-version: 0.14.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-dependencies
- dependency-name: safety
  dependency-version: 3.6.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>

* chore(deps-dev): bump types-aiofiles from 24.1.0 to 25.1.0 in /backend

Updates types-aiofiles type stubs to latest version.
Low risk type definition update.

Merge PR #436

* fix: Remove unused noqa directives flagged by ruff

Ruff auto-fixed 394 linting issues including:
- Removed 7 unused noqa:ARG002 directives (ARG002 not enabled)
- Fixed import sorting
- Removed extra blank lines

Files fixed:
- tests/e2e/test_pipeline_service_real.py
- tests/e2e/test_search_service_real.py
- tests/e2e/test_system_administration_e2e.py
- tests/unit/test_system_initialization_service_unit.py
- tests/unit/test_user_service_tdd.py
- Plus many other formatting improvements

All changes are auto-generated by ruff --fix.

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude <[email protected]>

Author: 3 people

.github/workflows/01-lint.yml

@@ -166,7 +166,7 @@ jobs:
 
     steps:
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🐍 Set up Python 3.12
         if: |

.github/workflows/02-security.yml

@@ -28,7 +28,7 @@ jobs:
     steps:
       # 0️⃣ Checkout source code with full history for secret scanning
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0  # Need full history to scan all commits
 
@@ -46,7 +46,7 @@ jobs:
     steps:
       # 0️⃣ Checkout source code with full history
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0  # Need full history for differential scanning
 
@@ -66,7 +66,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🔍 Scan Python dependencies (pyproject.toml, poetry.lock)
         uses: aquasecurity/trivy-action@master
@@ -79,7 +79,7 @@ jobs:
           scanners: 'vuln'  # Only vulnerabilities, not misconfigurations
 
       - name: 📤 Upload Trivy Backend SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: trivy-backend-deps.sarif
@@ -90,7 +90,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🔍 Scan Node dependencies (package.json, package-lock.json)
         uses: aquasecurity/trivy-action@master
@@ -103,7 +103,7 @@ jobs:
           scanners: 'vuln'
 
       - name: 📤 Upload Trivy Frontend SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: trivy-frontend-deps.sarif

.github/workflows/03-build-secure.yml

@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🧹 Free Up Disk Space
         run: |
@@ -92,7 +92,7 @@ jobs:
           fi
 
       - name: 📤 Upload Hadolint SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always() && steps.hadolint.outputs.hadolint_success == 'true'
         with:
           sarif_file: hadolint-${{ matrix.service }}.sarif
@@ -109,7 +109,7 @@ jobs:
             ${{ runner.os }}-buildx-
 
       - name: 🏗️ Build Docker Image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: ${{ matrix.context }}
           file: ${{ matrix.dockerfile }}
@@ -158,7 +158,7 @@ jobs:
           fi
 
       - name: 📤 Upload Dockle SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always() && steps.check-dockle.outputs.dockle_success == 'true'
         with:
           sarif_file: dockle-${{ matrix.service }}.sarif
@@ -188,7 +188,7 @@ jobs:
           fi
 
       - name: 📤 Upload Trivy SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always() && steps.check-trivy.outputs.trivy_success == 'true'
         with:
           sarif_file: trivy-${{ matrix.service }}.sarif
@@ -229,7 +229,7 @@ jobs:
                 --file grype-${{ matrix.service }}.sarif
 
       - name: 📤 Upload Grype SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         continue-on-error: true
         with:
@@ -288,7 +288,7 @@ jobs:
           fi
 
       - name: 📤 Upload Trivy Filesystem SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always() && steps.check-trivy-fs.outputs.trivy_fs_success == 'true'
         with:
           sarif_file: trivy-fs-${{ matrix.service }}.sarif

.github/workflows/04-pytest.yml

@@ -55,7 +55,7 @@ jobs:
 
       # 1️⃣ Checkout source code
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       # 2️⃣ Setup Python environment
       - name: 🐍 Set up Python

.github/workflows/05-ci.yml

@@ -29,7 +29,7 @@ jobs:
   test-isolation:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
         uses: actions/setup-python@v4
@@ -84,7 +84,7 @@ jobs:
       EMBEDDING_MODEL: sentence-transformers/all-minilm-l6-v2
       DATA_DIR: /tmp/test-data
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
         uses: actions/setup-python@v4

.github/workflows/06-weekly-security-audit.yml

@@ -30,7 +30,7 @@ jobs:
 
     steps:
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🧹 Free Up Disk Space
         run: |
@@ -68,7 +68,7 @@ jobs:
           exit-code: '0'  # Don't fail, just report
 
       - name: 📤 Upload Trivy Results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: 'trivy-${{ matrix.service }}-results.sarif'
 
@@ -122,7 +122,7 @@ jobs:
     if: always()
     steps:
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 📥 Download Security Reports
         uses: actions/download-artifact@v4

.github/workflows/07-frontend-lint.yml

@@ -33,7 +33,7 @@ jobs:
     steps:
       # 0️⃣ Checkout source code
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       # 1️⃣ Setup Node.js environment
       - name: 📦 Setup Node.js

.github/workflows/ai-issue-triage.yml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/claude-code-review.yml

@@ -27,7 +27,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 

.github/workflows/claude.yml

@@ -31,7 +31,7 @@ jobs:
       actions: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1