chore(deps): update all-ci-updates

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
capsule		minor	0.10.9 -> 0.11.2
github/codeql-action	action	minor	v3.30.5 -> v3.31.0
ossf/scorecard-action	action	patch	v2.4.2 -> v2.4.3
securego/gosec	action	patch	v2.22.9 -> v2.22.10
sigstore/cosign-installer	action	patch	v3.10.0 -> v3.10.1

---

Release Notes

projectcapsule/capsule (capsule)

v0.11.2

Compare Source

v0.11.1

Compare Source

v0.11.0

Compare Source

Changelog

✨ New Features

• c901412: feat(api): migrate capsule.clastix.io/managed-by to meta api (#​1691) (@​oliverbaehler)
• 9fa1aba: feat(controller): allow owners to promote serviceaccounts within tenant as owners (#​1626) (@​oliverbaehler)
• 5ac0f83: feat(controller): refactor namespace core loop and state management (#​1680) (@​oliverbaehler)
• 2261ea6: feat(helm): add labels and annotations for capsuleconfiguration (#​1710) (@​oliverbaehler)
• beafe09: feat(tenant): allow additional metadata for rolebindings (#​1695) (@​oliverbaehler)
• dd70ac2: feat(tenant): owners are now an optional property (#​1654) (@​oliverbaehler)
• 14e09ea: feat: pre-release correctures (#​1682) (@​oliverbaehler)

🐛 Bug fixes

• ea2b6ec: fix(chart): disable node webhook by default (#​1685) (@​oliverbaehler)
• deb4db7: fix(docs): add static width per logo for adopters (#​1700) (@​sandert-k8s)
• 4878e1a: fix: bypass resourepool limits (#​1669) (@​Svarrogh1337)

🛠 Dependency updates

• ba15a83: fix(deps): update k8s.io/utils digest to bc988d5 (#​1676) (@​renovate[bot])
• 54e80f8: fix(deps): update module github.com/onsi/ginkgo/v2 to v2.25.3 (#​1605) (@​renovate[bot])
• 40d17bc: fix(deps): update module github.com/onsi/ginkgo/v2 to v2.26.0 (#​1678) (@​renovate[bot])
• c65a142: fix(deps): update module github.com/prometheus/client_golang to v1.23.1 (#​1639) (@​renovate[bot])
• bb8a511: fix(deps): update module github.com/prometheus/client_golang to v1.23.2 (#​1642) (@​renovate[bot])
• b1d0f8b: fix(deps): update module sigs.k8s.io/cluster-api to v1.11.2 (#​1688) (@​renovate[bot])
• e2418ab: fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.1 (#​1620) (@​renovate[bot])
• 8254c55: fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.2 (#​1684) (@​renovate[bot])
• e7da3b0: fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.3 (#​1697) (@​renovate[bot])
• 7ccb64d: fix(deps): update module sigs.k8s.io/gateway-api to v1.4.0 (#​1681) (@​renovate[bot])

Full Changelog: projectcapsule/capsule@v0.10.9...v0.11.0

Docker Images

• ghcr.io/projectcapsule/capsule:0.11.0
• ghcr.io/projectcapsule/capsule:latest

Helm Chart
View this release on Artifact Hub or use the OCI helm chart:

• ghcr.io/projectcapsule/charts/capsule:0.11.0

Review the Major Changes section first before upgrading to a new version

[!IMPORTANT]
Kubernetes compatibility

Note that the Capsule project offers support only for the latest minor version of Kubernetes.
Backwards compatibility with older versions of Kubernetes and OpenShift is offered by vendors.

Kubernetes version	Minimum required
v1.34	>= 1.34.0

Thanks to all the contributors! 🚀 🦄

github/codeql-action (github/codeql-action)

v3.31.0

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.0 - 24 Oct 2025

• Bump minimum CodeQL bundle version to 2.17.6. #​3223
• When SARIF files are uploaded by the analyze or upload-sarif actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the upload-sarif action. For analyze, this may affect Advanced Setup for CodeQL users who specify a value other than always for the upload input. #​3222

See the full CHANGELOG.md for more information.

v3.30.9

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.9 - 17 Oct 2025

• Update default CodeQL bundle version to 2.23.3. #​3205
• Experimental: A new setup-codeql action has been added which is similar to init, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #​3204

See the full CHANGELOG.md for more information.

v3.30.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.8 - 10 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.7 - 06 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.6 - 02 Oct 2025

• Update default CodeQL bundle version to 2.23.2. #​3168

See the full CHANGELOG.md for more information.

ossf/scorecard-action (ossf/scorecard-action)

v2.4.3

Compare Source

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

• docs: clarify GITHUB_TOKEN permissions needed for private repos by @​pankajtaneja5 in #​1574
• 📖 Fix recommended command to test the image in development by @​deivid-rodriguez in #​1583

Other

• add missing top-level token permissions to workflows by @​timothyklee in #​1566
• setup codeowners for requesting reviews by @​spencerschrock in #​1576
• 🌱 Improve printing options by @​deivid-rodriguez in #​1584

New Contributors

• @​timothyklee made their first contribution in #​1566
• @​pankajtaneja5 made their first contribution in #​1574
• @​deivid-rodriguez made their first contribution in #​1584

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

securego/gosec (securego/gosec)

v2.22.10

Compare Source

Changelog

• 6be2b51 Update go to version 1.25.3 and 1.24.9 in CI (#​1404)
• fddb942 chore(deps): update all dependencies (#​1402)
• f676031 Update go to version 1.25.2 and 2.24.8 in CI (#​1401)
• 35f7ec2 chore(deps): update all dependencies (#​1399)
• 01029f0 check nil slices, partially check bounds (#​1396)
• 34db3de Remove unused target from the makefile
• f5a3b7a Use the ginkgo command install by the dependencies
• 761fcbc Keep the go module at 1.24 version for compatibility reasons
• 2238079 Remove manual test deps
• bb08aa3 fix: text must be supplied when markdown is used
• 23597d2 fix: improve error message of CheckAnalyzers
• 8d7e9d5 fix: log panic on SSA
• 0d8255e chore(deps): update all dependencies
• f9c52aa Update gosec to version v.22.9 in the github action

sigstore/cosign-installer (sigstore/cosign-installer)

v3.10.1

Compare Source

What's Changed?

Note: cosign-installer v3.x cannot be used to install Cosign v3.x. You must upgrade to cosign-installer v4 in order to use Cosign v3.

Note: This is planned to be the final release of Cosign v2, though we will cut new releases for any critical security or bug fixes. We recommend transitioning to Cosign v3.

• Bump default Cosign to v2.6.1 (#​203)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (2631f0e) to head (1f99943).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@          Coverage Diff          @@
##            main    #896   +/-   ##
=====================================
  Coverage   0.00%   0.00%           
=====================================
  Files          1       1           
  Lines        288     227   -61     
=====================================
+ Misses       288     227   -61     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.