chore(deps): update workflows (#2653)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | patch | `v2.26.7` -> `v2.26.9` |
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | patch | `v3.26.7` -> `v3.26.9` |
|
[pypa/gh-action-pypi-publish](https://redirect.github.com/pypa/gh-action-pypi-publish)
| action | patch | `v1.10.1` -> `v1.10.2` |

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.26.9`](https://redirect.github.com/github/codeql-action/compare/v2.26.8...v2.26.9)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.8...v2.26.9)

###
[`v2.26.8`](https://redirect.github.com/github/codeql-action/compare/v2.26.7...v2.26.8)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v2.26.7...v2.26.8)

</details>

<details>
<summary>pypa/gh-action-pypi-publish
(pypa/gh-action-pypi-publish)</summary>

###
[`v1.10.2`](https://redirect.github.com/pypa/gh-action-pypi-publish/releases/tag/v1.10.2)

[Compare
Source](https://redirect.github.com/pypa/gh-action-pypi-publish/compare/v1.10.1...v1.10.2)

#### 💅 Cosmetic Output Improvements

In
[#&#8203;250](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/250)
and
[#&#8203;258](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/258),
[@&#8203;facutuesca](https://redirect.github.com/facutuesca)[💰](https://redirect.github.com/sponsors/facutuesca)
added a nudge message with a magic link to pre-fill the creation of new
Trusted Publishers configurations on PyPI. The users are now suggested
to configure tokenless publishing by clicking a link printed in the job
summary when it's detected that they publish to PyPI or TestPyPI. Just
like magic! 🦄

#### 🛠️ Internal Dependencies


[@&#8203;woodruffw](https://redirect.github.com/woodruffw)[💰](https://redirect.github.com/sponsors/woodruffw)
bumped `pypi-attestations` to v0.0.12 in
[#&#8203;262](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/262),
~hopefully fixing
[#&#8203;263](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/263).
🤞~ Nah.. that wasn't it.

> \[!TIP]
> Please keep in mind that reusable workflows are not yet supported,
even though they sometimes work, mostly by accident.

#### 💪 New Contributors

[@&#8203;facutuesca](https://redirect.github.com/facutuesca) made their
first contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/258](https://redirect.github.com/pypa/gh-action-pypi-publish/pull/258)

**🪞 Full Diff**:
pypa/gh-action-pypi-publish@v1.10.1...v1.10.2

**🧔‍♂️ Release Manager:** [@&#8203;webknjaz
🇺🇦](https://redirect.github.com/sponsors/webknjaz)

**🙏 Special Thanks** to
[@&#8203;henryiii](https://redirect.github.com/henryiii)[💰](https://redirect.github.com/sponsors/henryiii)
for promptly pointing up possible fixes for
[#&#8203;263](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/263).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC44MC4wIiwidXBkYXRlZEluVmVyIjoiMzguODAuMCIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

.github/workflows/codeql-analysis.yml

@@ -43,7 +43,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+      uses: github/codeql-action/init@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+      uses: github/codeql-action/autobuild@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d # v3.26.7
+      uses: github/codeql-action/analyze@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9

.github/workflows/publish-to-pypi.yaml

@@ -44,7 +44,7 @@ jobs:
         build
         --sdist --wheel --outdir dist/ .
     - name: Publish distribution to PyPI
-      uses: pypa/gh-action-pypi-publish@0ab0b79471669eb3a4d647e625009c62f9f3b241 # v1.10.1
+      uses: pypa/gh-action-pypi-publish@897895f1e160c830e369f9779632ebc134688e1b # v1.10.2
       with:
         password: ${{ secrets.PYPI_API_TOKEN }}
         packages_dir: dist/

.github/workflows/scorecards.yml

@@ -50,6 +50,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@2fe1a3da42c8b4f96ced91264bda7407d8c65539 # v2.26.7
+        uses: github/codeql-action/upload-sarif@d97ba04b39135f37e9d60c84a6995bb18b7ac328 # v2.26.9
         with:
           sarif_file: results.sarif