chore(deps): Merge 5 safe Dependabot updates (Python deps, GitHub Actions)

.github/workflows/01-lint.yml

@@ -166,7 +166,7 @@ jobs:
 
     steps:
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🐍 Set up Python 3.12
         if: |

.github/workflows/02-security.yml

@@ -28,7 +28,7 @@ jobs:
     steps:
       # 0️⃣ Checkout source code with full history for secret scanning
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0  # Need full history to scan all commits
 
@@ -46,7 +46,7 @@ jobs:
     steps:
       # 0️⃣ Checkout source code with full history
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0  # Need full history for differential scanning
 
@@ -66,7 +66,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🔍 Scan Python dependencies (pyproject.toml, poetry.lock)
         uses: aquasecurity/trivy-action@master
@@ -79,7 +79,7 @@ jobs:
           scanners: 'vuln'  # Only vulnerabilities, not misconfigurations
 
       - name: 📤 Upload Trivy Backend SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: trivy-backend-deps.sarif
@@ -90,7 +90,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🔍 Scan Node dependencies (package.json, package-lock.json)
         uses: aquasecurity/trivy-action@master
@@ -103,7 +103,7 @@ jobs:
           scanners: 'vuln'
 
       - name: 📤 Upload Trivy Frontend SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: trivy-frontend-deps.sarif

.github/workflows/03-build-secure.yml

@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🧹 Free Up Disk Space
         run: |
@@ -92,7 +92,7 @@ jobs:
           fi
 
       - name: 📤 Upload Hadolint SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always() && steps.hadolint.outputs.hadolint_success == 'true'
         with:
           sarif_file: hadolint-${{ matrix.service }}.sarif
@@ -109,7 +109,7 @@ jobs:
             ${{ runner.os }}-buildx-
 
       - name: 🏗️ Build Docker Image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: ${{ matrix.context }}
           file: ${{ matrix.dockerfile }}
@@ -158,7 +158,7 @@ jobs:
           fi
 
       - name: 📤 Upload Dockle SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always() && steps.check-dockle.outputs.dockle_success == 'true'
         with:
           sarif_file: dockle-${{ matrix.service }}.sarif
@@ -188,7 +188,7 @@ jobs:
           fi
 
       - name: 📤 Upload Trivy SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always() && steps.check-trivy.outputs.trivy_success == 'true'
         with:
           sarif_file: trivy-${{ matrix.service }}.sarif
@@ -229,7 +229,7 @@ jobs:
                 --file grype-${{ matrix.service }}.sarif
 
       - name: 📤 Upload Grype SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         continue-on-error: true
         with:
@@ -288,7 +288,7 @@ jobs:
           fi
 
       - name: 📤 Upload Trivy Filesystem SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always() && steps.check-trivy-fs.outputs.trivy_fs_success == 'true'
         with:
           sarif_file: trivy-fs-${{ matrix.service }}.sarif

.github/workflows/04-pytest.yml

@@ -55,7 +55,7 @@ jobs:
 
       # 1️⃣ Checkout source code
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       # 2️⃣ Setup Python environment
       - name: 🐍 Set up Python

.github/workflows/05-ci.yml

@@ -29,7 +29,7 @@ jobs:
   test-isolation:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
         uses: actions/setup-python@v4
@@ -84,7 +84,7 @@ jobs:
       EMBEDDING_MODEL: sentence-transformers/all-minilm-l6-v2
       DATA_DIR: /tmp/test-data
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
         uses: actions/setup-python@v4

.github/workflows/06-weekly-security-audit.yml

@@ -30,7 +30,7 @@ jobs:
 
     steps:
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🧹 Free Up Disk Space
         run: |
@@ -68,7 +68,7 @@ jobs:
           exit-code: '0'  # Don't fail, just report
 
       - name: 📤 Upload Trivy Results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: 'trivy-${{ matrix.service }}-results.sarif'
 
@@ -122,7 +122,7 @@ jobs:
     if: always()
     steps:
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 📥 Download Security Reports
         uses: actions/download-artifact@v4

.github/workflows/07-frontend-lint.yml

@@ -33,7 +33,7 @@ jobs:
     steps:
       # 0️⃣ Checkout source code
       - name: 📥 Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       # 1️⃣ Setup Node.js environment
       - name: 📦 Setup Node.js

.github/workflows/ai-issue-triage.yml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/claude-code-review.yml

@@ -27,7 +27,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 

.github/workflows/claude.yml

@@ -31,7 +31,7 @@ jobs:
       actions: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 

.github/workflows/codespace-testing.yml

@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup GitHub CLI
         run: |

.github/workflows/deploy_code_engine.yml

@@ -29,7 +29,7 @@ jobs:
       security-events: write
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -42,7 +42,7 @@ jobs:
           password: ${{ secrets.IBM_CLOUD_API_KEY }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./Dockerfile.codeengine
@@ -60,7 +60,7 @@ jobs:
       security-events: write
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
@@ -70,7 +70,7 @@ jobs:
           output: 'trivy-results.sarif'
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: 'trivy-results.sarif'
@@ -89,7 +89,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up IBM Cloud CLI
         uses: ibm-cloud/sdk-action@v1
@@ -131,7 +131,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up IBM Cloud CLI
         uses: ibm-cloud/sdk-action@v1

.github/workflows/deploy_complete_app.yml

@@ -103,7 +103,7 @@
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up IBM Cloud CLI
         run: |
@@ -146,7 +146,7 @@
       security-events: write
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -159,7 +159,7 @@
           password: ${{ secrets.IBM_CLOUD_API_KEY }}
 
       - name: Build and push backend Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./Dockerfile.codeengine
@@ -178,7 +178,7 @@
       security-events: write
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -191,13 +191,13 @@
           password: ${{ secrets.IBM_CLOUD_API_KEY }}
 
       - name: Build and push frontend Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: ./frontend
           file: ./frontend/Dockerfile.frontend
           platforms: linux/amd64
           push: true
           tags: ${{ env.IBM_CLOUD_REGION }}.icr.io/${{ env.CR_NAMESPACE }}/${{ env.FRONTEND_APP_NAME }}:${{ github.sha }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
@@ -210,17 +210,17 @@
       security-events: write
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Run Trivy vulnerability scanner (Backend)
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ env.IBM_CLOUD_REGION }}.icr.io/${{ env.CR_NAMESPACE }}/${{ env.BACKEND_APP_NAME }}:${{ github.sha }}
           format: 'sarif'
           output: 'trivy-backend-results.sarif'
 
       - name: Upload Trivy scan results to GitHub Security tab (Backend)
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: 'trivy-backend-results.sarif'
@@ -228,7 +228,7 @@
       - name: Run Trivy vulnerability scanner (Backend - Table)
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ env.IBM_CLOUD_REGION }}.icr.io/${{ env.CR_NAMESPACE }}/${{ env.BACKEND_APP_NAME }}:${{ github.sha }}
           format: 'table'
           exit-code: '1'
           severity: 'CRITICAL,HIGH'
@@ -242,17 +242,17 @@
       security-events: write
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Run Trivy vulnerability scanner (Frontend)
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ env.IBM_CLOUD_REGION }}.icr.io/${{ env.CR_NAMESPACE }}/${{ env.FRONTEND_APP_NAME }}:${{ github.sha }}
           format: 'sarif'
           output: 'trivy-frontend-results.sarif'
 
       - name: Upload Trivy scan results to GitHub Security tab (Frontend)
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: 'trivy-frontend-results.sarif'
@@ -260,18 +260,18 @@
       - name: Run Trivy vulnerability scanner (Frontend - Table)
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ env.IBM_CLOUD_REGION }}.icr.io/${{ env.CR_NAMESPACE }}/${{ env.FRONTEND_APP_NAME }}:${{ github.sha }}
           format: 'table'
           exit-code: '1'
           severity: 'CRITICAL,HIGH'
 
   deploy-backend:
     needs: [build-and-push-backend, security-scan-backend]
     if: always() && (needs.security-scan-backend.result == 'success' || needs.security-scan-backend.result == 'skipped') && (github.event_name == 'workflow_dispatch' || github.event_name == 'push' || (github.event_name == 'schedule' && inputs.deploy_after_build == true))
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up IBM Cloud CLI
         run: |
@@ -281,7 +281,7 @@
       - name: Deploy Backend to Code Engine
         env:
           IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }}
           IMAGE_URL: ${{ env.IBM_CLOUD_REGION }}.icr.io/${{ env.CR_NAMESPACE }}/${{ env.BACKEND_APP_NAME }}:${{ github.sha }}
           APP_NAME: ${{ env.BACKEND_APP_NAME }}
           IBM_CLOUD_REGION: ${{ env.IBM_CLOUD_REGION }}
           IBM_CLOUD_RESOURCE_GROUP: ${{ vars.IBM_CLOUD_RESOURCE_GROUP || 'rag-modulo-deployment' }}
@@ -323,11 +323,11 @@
 
   deploy-frontend:
     needs: [build-and-push-frontend, security-scan-frontend]
     if: always() && (needs.security-scan-frontend.result == 'success' || needs.security-scan-frontend.result == 'skipped') && (github.event_name == 'workflow_dispatch' || github.event_name == 'push' || (github.event_name == 'schedule' && inputs.deploy_after_build == true))
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up IBM Cloud CLI
         run: |
@@ -337,7 +337,7 @@
       - name: Deploy Frontend to Code Engine
         env:
           IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }}
           IMAGE_URL: ${{ env.IBM_CLOUD_REGION }}.icr.io/${{ env.CR_NAMESPACE }}/${{ env.FRONTEND_APP_NAME }}:${{ github.sha }}
           APP_NAME: ${{ env.FRONTEND_APP_NAME }}
           IBM_CLOUD_REGION: ${{ env.IBM_CLOUD_REGION }}
           IBM_CLOUD_RESOURCE_GROUP: ${{ vars.IBM_CLOUD_RESOURCE_GROUP || 'rag-modulo-deployment' }}
@@ -354,7 +354,7 @@
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up IBM Cloud CLI
         run: |
@@ -363,7 +363,7 @@
 
       - name: Test Backend Health
         run: |
           BACKEND_URL=$(ibmcloud ce app get --name "${{ env.BACKEND_APP_NAME }}" --output json | jq -r '.status.url' | head -1)
           if [ -n "$BACKEND_URL" ]; then
             echo "Testing backend at: $BACKEND_URL/health"
             if curl -f -s "$BACKEND_URL/health" > /dev/null; then

.github/workflows/dev-environment-ci.yml

@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3