chore(deps): Bump github/codeql-action from 4.35.5 to 4.36.0

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.5 to 4.36.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/9e0d7b8d25671d64c341c19c0152d693099fb5ba...7211b7c8077ea37d8641b6271f6a365a22a5fbfa)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/.e2e-run.yml

@@ -22,10 +22,6 @@ on:
       slug:
         required: false
         type: string
-      aws-role-to-assume:
-        required: false
-        type: string
-        description: "IAM role ARN to assume via OIDC for ECR authentication. When set, configure-aws-credentials runs before registry login."
     secrets:
       registry_username:
         required: false
@@ -40,9 +36,6 @@ env:
 jobs:
   run:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -118,14 +111,6 @@ jobs:
           driver-opts: |
             image=${{ matrix.buildkit_image }}
             network=host
-      -
-        name: Configure AWS credentials
-        if: inputs.aws-role-to-assume != '' && (contains(inputs.registry, '.ecr.') || inputs.registry == 'public.ecr.aws')
-        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
-        with:
-          role-to-assume: ${{ inputs.aws-role-to-assume }}
-          aws-region: us-east-1
-          role-session-name: gha-build-push-action-e2e-${{ github.run_id }}-${{ github.run_attempt }}
       -
         name: Login to Registry
         if: github.event_name != 'pull_request' && (inputs.type == 'remote' || env.REGISTRY_USER != '')

.github/workflows/codeql.yml

@@ -35,12 +35,12 @@ jobs:
           node-version: ${{ env.NODE_VERSION }}
       -
         name: Initialize CodeQL
-        uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           languages: javascript-typescript
           build-mode: none
       -
         name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           category: "/language:javascript-typescript"

.github/workflows/e2e.yml

@@ -2,7 +2,6 @@ name: e2e
 
 permissions:
   contents: read
-  id-token: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -100,15 +99,14 @@ jobs:
       name: ${{ matrix.name }}
       registry: ${{ matrix.registry }}
       slug: ${{ matrix.slug }}
-      aws-role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd
     secrets:
       # Pass only the two secrets needed by each matrix entry.
-      # AWS ECR entries use OIDC via aws-role-to-assume instead of static keys.
       registry_username: >-
         ${{
           matrix.auth == 'dockerhub' && secrets.DOCKERHUB_USERNAME ||
           matrix.auth == 'ghcr' && secrets.GHCR_USERNAME ||
           matrix.auth == 'gitlab' && secrets.GITLAB_USERNAME ||
+          matrix.auth == 'aws' && secrets.AWS_ACCESS_KEY_ID ||
           matrix.auth == 'gar' && secrets.GAR_USERNAME ||
           matrix.auth == 'acr' && secrets.AZURE_CLIENT_ID ||
           matrix.auth == 'quay' && secrets.QUAY_USERNAME ||
@@ -120,6 +118,7 @@ jobs:
           matrix.auth == 'dockerhub' && secrets.DOCKERHUB_TOKEN ||
           matrix.auth == 'ghcr' && secrets.GHCR_PAT ||
           matrix.auth == 'gitlab' && secrets.GITLAB_TOKEN ||
+          matrix.auth == 'aws' && secrets.AWS_SECRET_ACCESS_KEY ||
           matrix.auth == 'gar' && secrets.GAR_JSON_KEY ||
           matrix.auth == 'acr' && secrets.AZURE_CLIENT_SECRET ||
           matrix.auth == 'quay' && secrets.QUAY_TOKEN ||

.github/workflows/test.yml

@@ -23,7 +23,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Test
-        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
+        uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
         with:
           source: .
           targets: test

.github/workflows/update-dist.yml

@@ -37,7 +37,7 @@ jobs:
           token: ${{ steps.docker-read-app.outputs.token }}
       -
         name: Build
-        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
+        uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
         with:
           source: .
           targets: build

.github/workflows/validate.yml

@@ -26,7 +26,7 @@ jobs:
       -
         name: Generate matrix
         id: generate
-        uses: docker/bake-action/subaction/matrix@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
+        uses: docker/bake-action/subaction/matrix@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
         with:
           target: validate
 
@@ -41,6 +41,6 @@ jobs:
     steps:
       -
         name: Validate
-        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
+        uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
         with:
           targets: ${{ matrix.target }}