chore(deps): pin dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
docker/scout-action	action	pinDigest	→ f8c7768
getsentry/action-release (changelog)	action	digest	128c505 → dab6548

---

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/getsentry/action-release	dab6548b3c03c4717878099e43782cf5be654289	🟢 5.3	Details Check Score Reason Maintained 🟢 6 5 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 6 Code-Review ⚠️ 2 Found 7/30 approved changesets -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Packaging 🟢 10 packaging workflow detected Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected SAST 🟢 8 SAST tool is not run on all commits -- score normalized to 8

Scanned Files

• .github/workflows/release.yml

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.13%. Comparing base (32e9f7e) to head (74f41c5).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1137   +/-   ##
=======================================
  Coverage   40.13%   40.13%           
=======================================
  Files         205      205           
  Lines       14444    14444           
  Branches     1686     1686           
=======================================
  Hits         5797     5797           
  Misses       8647     8647           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.