deps(ci): update Dependabot, pre-commit tooling, and testing dependencies (#5170)

# Description of Changes

This pull request updates dependency management and CI/CD configurations
to improve automation, security, and maintainability. The most
significant changes include expanding Dependabot coverage to more
directories and ecosystems, updating pre-commit and Python dependency
versions, and pinning action versions in GitHub workflows for better
reproducibility and security.

**Dependency Management Improvements:**

* Expanded Dependabot configuration in `.github/dependabot.yml` to
include additional directories and package ecosystems such as npm,
docker, cargo, and pip, ensuring automated dependency updates across
more parts of the project.
* Updated Python dependencies in
`.github/scripts/requirements_pre_commit.txt` to newer versions for
`cfgv`, `filelock`, `platformdirs`, `pre-commit`, and `virtualenv`,
improving compatibility and security.
[[1]](diffhunk://#diff-4b865d764c6955aa3ab06c7beff7c08a122e5145c1f0fecd7b4fd4575848b598L7-R17)
[[2]](diffhunk://#diff-4b865d764c6955aa3ab06c7beff7c08a122e5145c1f0fecd7b4fd4575848b598L27-R33)
[[3]](diffhunk://#diff-4b865d764c6955aa3ab06c7beff7c08a122e5145c1f0fecd7b4fd4575848b598L110-R112)
* Added `tomli-w` to `.github/scripts/requirements_sync_readme.in` and
`.github/scripts/requirements_sync_readme.txt` for TOML file writing
support.
[[1]](diffhunk://#diff-e359c7d332d374a67300c004d7bab6c37cb16b5e1b9c8cd63adf2b59462c1f06R2)
[[2]](diffhunk://#diff-cf0fa825b1295e115dbbe842a6f179ed0c72dd80b758d3238ab792cdd0013a4cR7-R10)

**CI/CD Workflow Enhancements:**

* Updated installation commands in `.github/workflows/check_toml.yml`
and `.github/workflows/sync_files_v2.yml` to use hashed and
version-pinned dependencies, improving reproducibility and security.
Also removed redundant dependency installation in the sync workflow.
[[1]](diffhunk://#diff-3117b4a93711d37b0a9a1668272eec716fea0b4f57dde16a85e7ab3f569c455dL203-R203)
[[2]](diffhunk://#diff-b1acd58f6bdc16d0f02514058f8842a8ec3c90e8771f6a1e83801fa14ee5041cL56-R56)
[[3]](diffhunk://#diff-b1acd58f6bdc16d0f02514058f8842a8ec3c90e8771f6a1e83801fa14ee5041cL68-L70)
* Pinned GitHub Actions versions in
`.github/workflows/deploy-on-v2-commit.yml` by using commit SHAs for
actions such as `actions/checkout`, `docker/setup-buildx-action`,
`docker/login-action`, and `docker/build-push-action`, ensuring builds
use known-good versions.
[[1]](diffhunk://#diff-f8b6ec3c0af9cd2d8dffef6f3def2be6357fe596a606850ca7f5d799e1349069L26-R29)
[[2]](diffhunk://#diff-f8b6ec3c0af9cd2d8dffef6f3def2be6357fe596a606850ca7f5d799e1349069L89-R96)
[[3]](diffhunk://#diff-f8b6ec3c0af9cd2d8dffef6f3def2be6357fe596a606850ca7f5d799e1349069L109-R109)

**Pre-commit Configuration Updates:**

* Updated hooks in `.pre-commit-config.yaml` to newer versions for
`ruff-pre-commit`, `gitleaks`, and `pre-commit-hooks`, providing
enhanced linting and security scanning.
[[1]](diffhunk://#diff-63a9c44a44acf85fea213a857769990937107cf072831e1a26808cfde9d096b9L3-R3)
[[2]](diffhunk://#diff-63a9c44a44acf85fea213a857769990937107cf072831e1a26808cfde9d096b9L25-R29)

---

## Checklist

### General

- [ ] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [ ] I have read the [Stirling-PDF Developer
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md)
(if applicable)
- [ ] I have read the [How to add new languages to
Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md)
(if applicable)
- [ ] I have performed a self-review of my own code
- [ ] My changes generate no new warnings

### Documentation

- [ ] I have updated relevant docs on [Stirling-PDF's doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
(if functionality has heavily changed)
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)

### UI Changes (if applicable)

- [ ] Screenshots or videos demonstrating the UI changes are attached
(e.g., as comments or direct attachments in the PR)

### Testing (if applicable)

- [ ] I have tested my changes locally. Refer to the [Testing
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing)
for more details.

.github/dependabot.yml

@@ -21,3 +21,38 @@ updates:
     directory: /
     schedule:
       interval: weekly
+
+  - package-ecosystem: npm
+    directory: /devTools
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: docker
+    directory: /docker/backend
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: docker
+    directory: /docker/embedded
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: docker
+    directory: /docker/frontend
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: npm
+    directory: /frontend
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: cargo
+    directory: /frontend/src-tauri
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: pip
+    directory: /testing/cucumber
+    schedule:
+      interval: "weekly"

.github/scripts/requirements_pre_commit.txt

@@ -4,9 +4,9 @@
 #
 #    pip-compile --generate-hashes --output-file='.github\scripts\requirements_pre_commit.txt' --strip-extras '.github\scripts\requirements_pre_commit.in'
 #
-cfgv==3.4.0 \
-    --hash=sha256:b7265b1f29fd3316bfcd2b330d63d024f2bfd8bcb8b0272f8e19a504856c48f9 \
-    --hash=sha256:e52591d4c5f5dead8e0f673fb16db7949d2cfb3f7da4582893288f0ded8fe560
+cfgv==3.5.0 \
+    --hash=sha256:a8dc6b26ad22ff227d2634a65cb388215ce6cc96bbcc5cfde7641ae87e8dacc0 \
+    --hash=sha256:d5b1034354820651caa73ede66a6294d6e95c1b00acc5e9b098e917404669132
     # via pre-commit
 distlib==0.4.0 \
     --hash=sha256:9659f7d87e46584a30b5780e43ac7a2143098441670ff0a49d5f9034c54a6c16 \
@@ -28,9 +28,9 @@ platformdirs==4.5.0 \
     --hash=sha256:70ddccdd7c99fc5942e9fc25636a8b34d04c24b335100223152c2803e4063312 \
     --hash=sha256:e578a81bb873cbb89a41fcc904c7ef523cc18284b7e3b3ccf06aca1403b7ebd3
     # via virtualenv
-pre-commit==4.3.0 \
-    --hash=sha256:2b0747ad7e6e967169136edffee14c16e148a778a54e4f967921aa1ebf2308d8 \
-    --hash=sha256:499fe450cc9d42e9d58e606262795ecb64dd05438943c62b66f6a8673da30b16
+pre-commit==4.5.0 \
+    --hash=sha256:25e2ce09595174d9c97860a95609f9f852c0614ba602de3561e267547f2335e1 \
+    --hash=sha256:dc5a065e932b19fc1d4c653c6939068fe54325af8e741e74e88db4d28a4dd66b
     # via -r .github/scripts/requirements_pre_commit.in
 pyyaml==6.0.3 \
     --hash=sha256:00c4bdeba853cc34e7dd471f16b4114f4162dc03e6b7afcc2128711f0eca823c \

.github/scripts/requirements_sync_readme.in

@@ -1 +1,2 @@
 tomlkit
+tomli-w

.github/scripts/requirements_sync_readme.txt

@@ -4,6 +4,10 @@
 #
 #    pip-compile --generate-hashes --output-file='.github\scripts\requirements_sync_readme.txt' --strip-extras '.github\scripts\requirements_sync_readme.in'
 #
+tomli-w==1.2.0 \
+    --hash=sha256:188306098d013b691fcadc011abd66727d3c414c571bb01b1a174ba8c983cf90 \
+    --hash=sha256:2dd14fac5a47c27be9cd4c976af5a12d87fb1f0b4512f81d69cce3b35ae25021
+    # via -r .github/scripts/requirements_sync_readme.in
 tomlkit==0.13.3 \
     --hash=sha256:430cf247ee57df2b94ee3fbe588e71d362a941ebb545dec29b53961d61add2a1 \
     --hash=sha256:c89c649d79ee40629a9fda55f8ace8c6a1b42deb912b2a8fd8d942ddadb606b0

.github/workflows/check_toml.yml

@@ -200,7 +200,7 @@ jobs:
 
       - name: Install Python dependencies
         run: |
-          pip install tomli-w
+          pip install --require-hashes tomli-w==1.2.0 --hash sha256:188306098d013b691fcadc011abd66727d3c414c571bb01b1a174ba8c983cf90
 
       - name: Run Python script to check files
         id: run-check

.github/workflows/deploy-on-v2-commit.yml

@@ -23,10 +23,10 @@ jobs:
           egress-policy: audit
 
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Get commit hashes for frontend and backend
         id: commit-hashes
@@ -86,14 +86,14 @@ jobs:
 
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_API }}
 
       - name: Build and push frontend image
         if: steps.check-frontend.outputs.exists == 'false'
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: ./docker/frontend/Dockerfile
@@ -106,7 +106,7 @@ jobs:
       
       - name: Build and push backend image
         if: steps.check-backend.outputs.exists == 'false'
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: ./docker/backend/Dockerfile

.github/workflows/sync_files_v2.yml

@@ -53,8 +53,7 @@ jobs:
           cache: "pip" # caching pip dependencies
 
       - name: Install Python dependencies
-        run: |
-          pip install tomli-w
+        run: pip install --require-hashes -r ./.github/scripts/requirements_sync_readme.txt
 
       - name: Sync translation TOML files
         run: |
@@ -65,9 +64,6 @@ jobs:
           git add frontend/public/locales/*/translation.toml
           git diff --staged --quiet || git commit -m ":memo: Sync translation files (TOML)" || echo "No changes detected"
 
-      - name: Install README dependencies
-        run: pip install --require-hashes -r ./.github/scripts/requirements_sync_readme.txt
-
       - name: Sync README.md
         run: |
           python scripts/counter_translation_v3.py