chore(deps): update github-actions dependencies (#4766)

| datasource  | package                                 | from     | to      |
| ----------- | --------------------------------------- | -------- | ------- |
| github-tags | actions/cache                           | v4.2.4   | v4.3.0  |
| github-tags | github/codeql-action                    | v3.29.11 | v3.31.0 |
| github-tags | mr-smithers-excellent/docker-build-push | v6.7     | v6.8    |
| github-tags | softprops/action-gh-release             | v2.3.2   | v2.4.1  |

Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>

.github/workflows/build.yml

@@ -42,7 +42,7 @@ jobs:
   build_linux_boringcrypto:
     name: Build on Linux (boringcrypto)
     runs-on: github-hosted-ubuntu-x64-large
-    container: grafana/alloy-build-image:v0.1.22-boringcrypto@sha256:a6fa44bb736498737c17aaeada5d237572be1af9f24849ab3b557692b46be57e
+    container: grafana/alloy-build-image:v0.1.22-boringcrypto@sha256:b609db5a06d6cd768514d1daac6bb81bed9f7fed4336f48cfb5410b8a3d8d65d
     strategy:
       matrix:
         os: [linux]

.github/workflows/check-windows-build-image.yml

@@ -18,7 +18,7 @@ jobs:
           persist-credentials: false
 
       - name: Create test Windows build image
-        uses: mr-smithers-excellent/docker-build-push@a4dc055191e5c80b01c04d2525d545efb5712b2b # v6.7
+        uses: mr-smithers-excellent/docker-build-push@19d2beefef6bcdc202195fdcb9deb79a4fab5c1f # v6.8
         with:
           image: grafana/alloy-build-image
           tags: latest

.github/workflows/fuzz-go.yml

@@ -93,7 +93,7 @@ jobs:
         run: echo "FUZZ_CACHE=$(go env GOCACHE)/fuzz" >> $GITHUB_ENV
 
       - name: Restore fuzz cache
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ${{ env.FUZZ_CACHE }}
           key: fuzz-${{ matrix.package }}-${{ matrix.function }}-${{ github.sha }}

.github/workflows/helm-release.yml

@@ -171,7 +171,7 @@ jobs:
       # The tag name in grafana/helm-charts is <package>-<version>, while the
       # tag name for grafana/alloy is helm-chart/<version>.
       - name: Make github release
-        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
         with:
           name: ${{ steps.parse-chart.outputs.packagename }}
           repository: grafana/helm-charts

.github/workflows/snyk.yml

@@ -13,6 +13,6 @@ permissions:
 
 jobs:
   snyk-scan-ci:
-    uses: grafana/security-github-actions/.github/workflows/snyk_monitor.yml@83ad62dece401d747910bdd585c4ebe31ca504b3 # main
+    uses: grafana/security-github-actions/.github/workflows/snyk_monitor.yml@2fad4cfe5a62abb31fc95ffdd2fd581307bc1822 # main
     secrets:
       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

.github/workflows/trivy.yml

@@ -37,6 +37,6 @@ jobs:
           severity: 'CRITICAL,HIGH,MEDIUM,LOW'
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11
+        uses: github/codeql-action/upload-sarif@d198d2fabf39a7f36b5ce57ce70d4942944f006e # v3.31.0
         with:
           sarif_file: 'trivy-results.sarif'