ci(deps): bump complytime/org-infra/.github/workflows/reusable_ci.yml from 0.3.1 to 0.4.0

[dependabot]

Bumps complytime/org-infra/.github/workflows/reusable_ci.yml from 0.3.1 to 0.4.0.

Release notes

Sourced from complytime/org-infra/.github/workflows/reusable_ci.yml's releases.

v0.4.0

org-infra 0.4.0

Central reusable GitHub Actions workflows, CI templates, compliance policy assets, and org sync tooling. Downstream repos usually consume this repo via workflow uses: pins or version tags.

Before you upgrade

• Treat workflow YAML updates as potentially breaking for every consumer until you’ve reviewed them.
• Use the Workflows & GitHub Actions section below for PRs that touched pipelines; for exact paths and hunks, open the compare link and narrow Files changed to .github/workflows/.

View full diff: v0.3.1 → v0.4.0

Changes

• chore: add user story issue template — #322 · @​beatrizmcouto
• feat: add task issue template — #321 · @​beatrizmcouto
• ci: add PR-triggered auto-labeler workflow — #320 · @​sonupreetam
• fix(ci): replace cosign copy with crane copy + fresh signing (#323) — #327 · @​trevor-vaughan
• fix(ci): fetch live PR title for commitlint validation — #330 · @​marcusburghardt
• chore: add CODEOWNERS file — #333 · @​marcusburghardt
• fix(ci): align compliance workflow with new complyctl config path — #332 · @​marcusburghardt
• feat(ci): add complypack publish pipeline for ampel branch-protection policies — #314 · @​marcusburghardt
• fix(ci): disable SHA tags on complypack Quay promotion — #338 · @​marcusburghardt
• fix: add id-token permission to promote-quay job — #339 · @​marcusburghardt
• fix(ci): remove BuildKit provenance that causes "unknown on unknown" in Quay — #336 · @​trevor-vaughan
• chore(ci): remove TEMPORARY manual staging of ampel policies — #334 · @​sonupreetam

Maintenance

• ci(deps): bump complytime/org-infra/.github/workflows/reusable_security.yml from 0.3.0 to 0.3.1 — #326 · @dependabot[bot]
• chore(deps): bump ruff from 0.15.15 to 0.15.16 — #325 · @dependabot[bot]
• chore(deps): bump https://github.com/astral-sh/ruff-pre-commit from v0.15.15 to 0.15.16 — #324 · @dependabot[bot]
• ci(deps): bump SonarSource/sonarqube-scan-action from 8.1.0 to 8.2.0 — #329 · @dependabot[bot]
• chore(deps): bump https://github.com/astral-sh/ruff-pre-commit from v0.15.16 to 0.15.17 — #345 · @dependabot[bot]
• chore(deps): bump ruff from 0.15.16 to 0.15.17 — #344 · @dependabot[bot]
• chore(deps): bump pytest from 9.0.3 to 9.1.0 — #343 · @dependabot[bot]
• ci(deps): bump release-drafter/release-drafter from 7.3.1 to 7.4.0 — #346 · @dependabot[bot]

---

Compare: v0.3.1…v0.4.0

Thanks to @​beatrizmcouto, @​marcusburghardt, @​sonupreetam, @​trevor-vaughan and dependabot[bot] for this release.

Commits

• bbd7194 ci(deps): bump release-drafter/release-drafter from 7.3.1 to 7.4.0
• e30c5cd chore(deps): bump pytest from 9.0.3 to 9.1.0 (#343)
• 29fa2ac chore(deps): bump ruff from 0.15.16 to 0.15.17 (#344)
• 8b5208c chore(deps): bump https://github.com/astral-sh/ruff-pre-commit (#345)
• 71c46a3 chore(ci): remove TEMPORARY manual staging of ampel policies (#334)
• 6d4b387 fix(ci): remove BuildKit provenance that causes "unknown on unknown" in Quay ...
• c1bc2a2 fix: add id-token permission to promote-quay job
• 3fee7cb fix(ci): disable SHA tags on complypack Quay promotion
• b72a180 fix(ci): update ci_test_publish_quay.yml refs for renamed workflow
• 12eab40 feat(ci): add latest tag to complypack publish pipeline
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

CRAP Load Analysis

No Go code changes detected in this PR. No CRAP impact.

[github-actions]

Automatically approved: risk=medium, review=success, ownership=org-owned, release_age=skipped (org-owned).

[github-actions]

🤖 Standardized Dependabot Review Summary 🤖

This PR was processed by the organization's reusable CI pipeline.

Criterion	Status	Detail
Dependencies Review	success	View logs
Calculated Risk	medium	complytime/org-infra/.github/workflows/reusable_ci.yml v0.4.0
Release Age	8h	Released 8 hours ago
Ownership	org-owned	Same organization — trusted source
Dependency Usage	unavailable	Informational only — does not affect approval

Auto-approval: ✅ Approved + auto-merge requested (org-owned)

---

Maintainer check list:

1. Ensure the PR passed all CI tests (required status checks).
2. Investigate failures for Major updates or any manual review requirement.
3. Don't overlook breaking changes and changelog information.
4. If the scorecard value is low, consider to contribute to make it higher. Everybody wins!
5. Be diligent. When in doubt, ask another maintainer for additional review.

[gxmiranda]

Straightforward Dependabot bump of complytime/org-infra reusable CI workflow from v0.3.1 to v0.4.0.

Verified:

• SHA pin bbd7194995388f96dd28c0c0792d406c8a249140 matches the upstream v0.4.0 tag exactly
• All 20+ CI checks pass (unit, E2E, integration, cross-repo, RPM builds, Testing Farm across 5 distros)
• Workflow permissions remain minimal (contents: read, issues: read)
• Commit follows Conventional Commits with Signed-off-by trailer

No security, alignment, or constitution concerns.

This review was generated by /review-pr (AI-assisted).

[marcusburghardt]

LGTM

[github-actions]

🤖 Standardized Dependabot Review Summary 🤖

This PR was processed by the organization's reusable CI pipeline.

Criterion	Status	Detail
Dependencies Review	success	View logs
Calculated Risk	medium	complytime/org-infra/.github/workflows/reusable_ci.yml v0.4.0
Release Age	74h	Released 74 hours ago
Ownership	org-owned	Same organization — trusted source
Dependency Usage	2 repos	Informational only — does not affect approval

Auto-approval: ✅ Approved + auto-merge requested (org-owned)

---

Maintainer check list:

1. Ensure the PR passed all CI tests (required status checks).
2. Investigate failures for Major updates or any manual review requirement.
3. Don't overlook breaking changes and changelog information.
4. If the scorecard value is low, consider to contribute to make it higher. Everybody wins!
5. Be diligent. When in doubt, ask another maintainer for additional review.

[github-actions]

Automatically approved: risk=medium, review=success, ownership=org-owned, release_age=skipped (org-owned).