Update workflows (#1296)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | patch | `v2.3.3` -> `v2.3.5` |
|
[pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish)
| action | patch | `v1.8.5` -> `v1.8.6` |

---

### Release Notes

<details>
<summary>github/codeql-action</summary>

###
[`v2.3.5`](https://togithub.com/github/codeql-action/compare/v2.3.4...v2.3.5)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.3.4...v2.3.5)

###
[`v2.3.4`](https://togithub.com/github/codeql-action/compare/v2.3.3...v2.3.4)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.3.3...v2.3.4)

</details>

<details>
<summary>pypa/gh-action-pypi-publish</summary>

###
[`v1.8.6`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.6)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.5...v1.8.6)

#### What's Updated

- [@&#8203;woodruffw] dropped the references to a “private beta” from
the project docs and runtime in
[pypa/gh-action-pypi-publish#147.
He also clarified that the API tokens are still more secure than
passwords in
[pypa/gh-action-pypi-publish#150.
- [@&#8203;asherf] noticed that the action metadata incorrectly marked
the `password` field as required and contributed a correction in
[pypa/gh-action-pypi-publish#151
- [@&#8203;webknjaz] moved the Trusted Publishing example to the top of
the README in hopes that new users would default to using it via
pypa/gh-action-pypi-publish@f47b347

#### New Contributors

- [@&#8203;asherf] made their first contribution in
[pypa/gh-action-pypi-publish#151

**Full Diff**:
pypa/gh-action-pypi-publish@v1.8.5...v1.8.6

[@&#8203;asherf]: https://togithub.com/sponsors/asherf

[@&#8203;webknjaz]: https://togithub.com/sponsors/webknjaz

[@&#8203;woodruffw]: https://togithub.com/sponsors/woodruffw

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS40OC4yIiwidXBkYXRlZEluVmVyIjoiMzUuOTguMSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciJ9-->

.github/workflows/publish-to-pypi.yaml

@@ -44,7 +44,7 @@ jobs:
         build
         --sdist --wheel --outdir dist/ .
     - name: Publish distribution to PyPI
-      uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d # v1.8.5
+      uses: pypa/gh-action-pypi-publish@a56da0b891b3dc519c7ee3284aff1fad93cc8598 # v1.8.6
       with:
         password: ${{ secrets.PYPI_API_TOKEN }}
         packages_dir: dist/

.github/workflows/scorecards.yml

@@ -50,6 +50,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
+        uses: github/codeql-action/upload-sarif@0225834cc549ee0ca93cb085b92954821a145866 # v2.3.5
         with:
           sarif_file: results.sarif