chore(deps): update tools

[renovate]

This PR contains the following updates:

Package	Update	Change	Age	Adoption	Passing	Confidence
aquasecurity/trivy	minor	v0.69.3 → v0.70.0
github.com/cli/cli/v2	minor	v2.89.0 → v2.90.0
mikefarah/yq	minor	v4.52.5 → v4.53.2

---

Release Notes

aquasecurity/trivy (aquasecurity/trivy)

v0.70.0

Compare Source

Changelog

• 8a3177a release: v0.70.0 [main] (#​10105)
• 974de49 chore(deps): bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 (#​10496)
• 2175597 chore(deps): bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 (#​10526)
• 50c7a1e chore(deps): bump the common group across 1 directory with 8 updates (#​10540)
• 885fbce chore(deps): bump the docker group across 1 directory with 2 updates (#​10538)
• 7ee3e1e fix: use Development category for GoReleaser discussions (#​10530)
• 6dbe369 chore(deps): bump testcontainers-go to v0.42.0 (#​10531)
• 21e6888 chore: update CODEOWNERS (#​10529)
• 35d28e8 chore(deps): bump helm.sh/helm/v3 from 3.20.1 to 3.20.2 (#​10511)
• 6d40a98 chore(deps): bump github.com/hashicorp/go-getter from 1.8.5 to 1.8.6 (#​10510)
• 848f41b chore(deps): bump github.com/moby/buildkit from 0.27.1 to 0.28.1 (#​10449)
• aa8d502 ci: migrate from mkdocs-material-insiders to mkdocs-material (#​10509)
• d2245de chore: remove aquasecurity/homebrew-trivy tap from GoReleaser (#​10508)
• 57c9cd3 ci: update runners for workflows that interact with GitHub API (#​10502)
• 42f73ae ci: rename tokens and update runners (#​10500)
• 87b62ee ci: trigger helm chart publishing via helm-charts workflow (#​10474)
• 6be4a27 ci: remove ruleset update step from release-please workflow (#​10499)
• 1561215 ci: use large runner and replace ORG_REPO_TOKEN in release-please workflow (#​10498)
• c24d3eb ci: trigger rpm/deb deployment via trivy-repo workflow (#​10476)
• bda9710 fix: remove os.Stdout from wazero module config (#​10403)
• 1a6f7a1 chore(deps): bump the common group across 1 directory with 22 updates (#​10408)
• 297e7fa chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 (#​10407)
• 20458b8 fix(flag): validate template file extension (#​10296)
• e9e9e8c fix(sbom): preserve Red Hat BuildInfo when scanning SBOMs without layer info (#​10378)
• f207ec6 fix: handle Go 1.26 GOEXPERIMENT version format change (#​10351)
• 4cf4498 fix(python): handle multiple version specifiers in requirements.txt (#​10361)
• 51c1599 ci: run Trivy version bump in trivy-action (#​10272)
• 12ab3ce fix(python): nil pointer dereference with optional poetry groups without dependencies (#​10359)
• aef4ecc ci: replace personal email with github-actions[bot] in workflows (#​10369)
• 1962aa9 chore: replace smithy epoch parsing with stdlib time.Unix (#​10286)
• 891cd79 test: update golden files for purl changes (#​10372)
• fb6a83a ci: add zizmor to scan GitHub Actions workflows (#​10322)
• 778a853 refactor: log statuses as strings (#​10285)
• 88a91cf ci: add build provenance attestations for release artifacts (#​10316)
• 33b9d8e fix(sbom): add NOASSERTION for licenseDeclared/licenseConcluded in SPDX non-library packages (#​10368)
• e5da6de fix(report): set correct sarif ROOTPATH uri when scanning a git repository (#​10366)
• d7fb355 perf(plugin): optimize directory traversal by replacing filepath.Walk with filepath.WalkDir (#​10325)
• a96cede docs: correct typos in CHANGELOG and diagram (#​10320)
• 703de6d chore: delete roadmap wf (#​10295)
• 66acebb ci(helm): bump Trivy version to 0.69.3 for Trivy Helm Chart 0.21.3 (#​10310)
• 2a4dfbf fix(cyclonedx): include CVSS v4 vulnerability ratings (#​10313)
• 77f5cb5 fix: detected vulnerability fields in azure and mariner detector (#​10275)
• 18e6028 ci: add persist-credentials: false to checkout steps (#​10306)
• 2f62c94 ci(helm): bump Trivy version to 0.69.2 for Trivy Helm Chart 0.21.2 (#​10270)
• 9588325 chore(deps): bump the common group across 1 directory with 8 updates (#​10248)
• 01295f3 chore(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 (#​10257)
• a01f109 chore(deps): bump the aws group across 1 directory with 6 updates (#​10249)
• 5fe09eb chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 (#​10241)
• 835a4ad ci: remove apidiff workflow (#​10259)
• 2a140f1 chore(deps): bump github.com/docker/cli from 29.1.4+incompatible to 29.2.1+incompatible in the docker group across 1 directory (#​10221)
• a0f6962 ci: bump golangci-lint to v2.10 in cache-test-assets (#​10243)
• 350fe33 feat(java): add support for proxy configuration from Maven settings.xml (#​10187)
• ccf5a5a chore(deps): bump the github-actions group across 3 directories with 11 updates (#​10242)
• d0a3f63 feat(python): add pylock.toml support (#​10137)
• 2d92b27 chore: bump SPDX license IDs and exceptions to v3.28.0 (#​10233)
• 21e6577 docs: fix typos and upgrade insecure HTTP links to HTTPS (#​10219)
• a4f7937 chore: bump golangci-lint to v2.10.0 (#​10223)
• da94d5f feat(misconf): support for azurerm_network_interface_security_group_association (#​10215)
• d758826 ci: pin Docker Engine to v29 for integration tests (#​10232)
• 7acb5f6 feat(go): detect version from ELF symbol table for binaries built with -trimpath (#​10197)
• 5b54388 docs: migrate private registry documentation from GCR to GAR (#​10208)
• 1c09181 chore(deps): bump the common group across 1 directory with 24 updates (#​10206)
• fb05196 chore(deps): update Docker client SDK to v29 (#​10202)
• 3a3d750 test: update Docker Engine integration tests for Docker API v0.29.0+ compatibility (#​10199)
• 0f0d6db fix(misconf): initialize custom annotation field if empty (#​10123)
• 2c1f65b feat(ubuntu): add eol data for 25.10 (#​10181)
• 42216b5 docs: fix incorrect count of Python package managers (#​10175)
• 8662089 chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 (#​10179)
• 823f363 feat(misconf): resolve Azure resources via resource_id (#​10173)
• 580c4ac ci(helm): bump Trivy version to 0.69.1 for Trivy Helm Chart 0.21.1 (#​10155)
• 68c196f refactor: remove unused Insecure field from ServiceOption (#​10113)
• 0b73503 refactor: reduce complexity of init in detect.go (#​10163)
• 66bdec4 feat(misconf): adapt ARM k8s clusters (#​9696) (#​10125)
• 82019c3 docs: update version endpoint example in client/server documentation (#​10151)
• d6e6331 feat(vuln): skip third-party packages in common Detect function (#​10129)
• 5ffcdfc ci: add composite action for Go setup (#​10146)
• b775a1b fix(misconf): apply check aliases when filtering results via .trivyignore (#​10112)
• 8d3d4ee docs(terraform): add limitation for data sources and computed resource attributes (#​10128)
• fa195b4 fix: update PhotonOS feed URL (#​10122)
• 4c46d41 feat(server): include server version info in JSON output for client/server mode (#​10075)
• 7415661 chore(deps): bump to alpine:3.23.3 and go-1.25.6 to fix CVEs (#​10107)
• fc5f139 refactor: unify scanner error limit and compiler limit (#​10106)
• 73c64af ci(helm): bump Trivy version to 0.69.0 for Trivy Helm Chart 0.21.0 (#​10103)
• 9a3e0a8 fix(java): Disable overwriting exclusions (#​10088)
• 65e151f refactor(rust): use txtar format for cargo analyzer test data (#​10104)
• 1a72b32 feat(python): add pylock.toml (PEP 751) parser (#​9632)
• cc64eeb chore(deps): bump the aws group across 1 directory with 6 updates (#​10068)
• b9a8d2d fix(server): exclude JavaDB and CheckBundle from /version endpoint (#​10100)

cli/cli (github.com/cli/cli/v2)

v2.90.0: GitHub CLI 2.90.0

Compare Source

Manage agent skills with gh skill (Public Preview)

Agent skills are portable sets of instructions, scripts, and resources that teach AI coding agents how to perform specific tasks. The new gh skill command makes it easy to discover, install, manage, and publish agent skills from GitHub repositories - right from the CLI.

# Discover skills
gh skill search copilot

# Preview a skill without installing
gh skill preview github/awesome-copilot documentation-writer

# Install a skill
gh skill install github/awesome-copilot documentation-writer

# Pin to a specific version
gh skill install github/awesome-copilot documentation-writer --pin v1.2.0

# Check installed skills for updates
gh skill update --all

# Validate and publish your own skills
gh skill publish --dry-run

Skills are automatically installed to the correct directory for your agent host. gh skill supports GitHub Copilot, Claude Code, Cursor, Codex, Gemini CLI, and Antigravity. Target a specific agent and scope with --agent and --scope flags.

gh skill publish validates skills against the Agent Skills specification and checks remote settings like tag protection and immutable releases to improve supply chain security.

Read the full announcement on the GitHub Blog.

gh skill is launching in public preview and is subject to change without notice.

Official extension suggestions

When you run a command that matches a known official extension that isn't installed (e.g. gh stack), the CLI now offers to install it instead of showing a generic "unknown command" error.

This feature is available for github/gh-aw and github/gh-stack.

When possible, you'll be prompted to install immediately. When prompting isn't possible, the CLI prints the gh extension install command to run.

gh extension install no longer requires authentication

gh extension install previously required a valid auth token even though it only needs to download a public release asset. The auth check has been removed, so you can install extensions without being logged in.

What's Changed

✨ Features

• Add gh skill command group: install, preview, search, update, publish by @​SamMorrowDrums in #​13165
• Suggest and install official extensions for unknown commands by @​BagToad in #​13175
• gh skill publish: auto-push unpushed commits before publish by @​SamMorrowDrums in #​13171
• Disable auth check for gh extension install by @​BagToad in #​13176

🐛 Fixes

• Fix infinite loop in gh release list --limit 0 by @​Bahtya in #​13097
• Ensure api and auth commands record agentic invocations by @​williammartin in #​13046
• Disable auth check for local-only skill flags by @​SamMorrowDrums in #​13173
• URL-encode parentPath in skills discovery API call by @​SamMorrowDrums in #​13172
• Fix: use target directory remotes in skills publish by @​SamMorrowDrums in #​13169
• Fix: preserve namespace in skills search deduplication by @​SamMorrowDrums in #​13170

📚 Docs & Chores

• docs: include PGP key fingerprints by @​babakks in #​13112
• docs: add sha/md5 checksums of keyring files by @​babakks in #​13150
• docs: fix SHA512 checksum for GPG key by @​timsu92 in #​13157
• docs(skill): polish skill commandset docs by @​babakks in #​13183
• Document dependency CVE policy in SECURITY.md by @​BagToad in #​13119
• Replace github.com/golang/snappy with klauspost/compress/snappy by @​thaJeztah in #​13048
• chore: bump to go1.26.2 by @​babakks in #​13116
• chore: delete experimental script/debian-devel by @​babakks in #​13127
• Suggest first party extensions by @​williammartin in #​13182
• Add cli/skill-reviewers as CODEOWNERS for skills packages by @​BagToad in #​13189
• Add @​cli/code-reviewers to all CODEOWNERS rules by @​BagToad in #​13190
• Address post-merge review feedback for skills commands by @​SamMorrowDrums in #​13185
• Fix skills-publish-dry-run acceptance test error message mismatch by @​SamMorrowDrums in #​13187
• Skills: replace real git in publish tests with CommandStubber by @​SamMorrowDrums in #​13188
• Remove redundant nil-client fallback in skills publish by @​SamMorrowDrums in #​13168
• Publish: use shared discovery logic instead of requiring skills/ directory by @​SamMorrowDrums in #​13167

Dependencies

• chore(deps): bump github.com/klauspost/compress from 1.18.4 to 1.18.5 by @​dependabot[bot] in #​13071
• chore(deps): bump github.com/yuin/goldmark from 1.7.16 to 1.8.2 by @​dependabot[bot] in #​13045
• chore(deps): bump charm.land/bubbles/v2 from 2.0.0 to 2.1.0 by @​dependabot[bot] in #​13051
• chore(deps): bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 by @​dependabot[bot] in #​13152
• chore(deps): bump github.com/google/go-containerregistry from 0.21.3 to 0.21.4 by @​dependabot[bot] in #​13129
• chore(deps): bump github.com/sigstore/protobuf-specs from 0.5.0 to 0.5.1 by @​dependabot[bot] in #​13128
• chore(deps): bump github.com/in-toto/attestation from 1.1.2 to 1.2.0 by @​dependabot[bot] in #​13044
• chore(deps): bump advanced-security/filter-sarif from 1.0.1 to 1.1 by @​dependabot[bot] in #​12918
• chore(deps): bump google.golang.org/grpc from 1.79.3 to 1.80.0 by @​dependabot[bot] in #​13076
• chore(deps): bump github.com/hashicorp/go-version from 1.8.0 to 1.9.0 by @​dependabot[bot] in #​13065

New Contributors

• @​thaJeztah made their first contribution in #​13048
• @​Bahtya made their first contribution in #​13097
• @​timsu92 made their first contribution in #​13157
• @​SamMorrowDrums made their first contribution in #​13173

Full Changelog: cli/cli@v2.89.0...v2.90.0

mikefarah/yq (mikefarah/yq)

v4.53.2

Compare Source

---

Configuration

📅 Schedule: (in timezone Europe/London)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[erikgb]

/lgtm
/approve

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: erikgb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [erikgb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment