⬆️ gha: Bump the github-actions group across 1 directory with 7 updates

[dependabot]

Bumps the github-actions group with 7 updates in the / directory:

Package	From	To
step-security/harden-runner	2.15.1	2.16.1
actions/setup-go	6.3.0	6.4.0
reviewdog/action-golangci-lint	2.8.0	2.10.0
reviewdog/action-actionlint	1.71.0	1.72.0
mikepenz/release-changelog-builder-action	6.1.1	6.2.0
softprops/action-gh-release	2.5.0	2.6.1
github/codeql-action	4.32.6	4.35.1

Updates step-security/harden-runner from 2.15.1 to 2.16.1

Release notes

Sourced from step-security/harden-runner's releases.

v2.16.1

What's Changed

Enterprise tier: Added support for direct IP addresses in the allow list Community tier: Migrated Harden Runner telemetry to a new endpoint

Full Changelog: step-security/harden-runner@v2.16.0...v2.16.1

v2.16.0

What's Changed

• Updated action.yml to use node24
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

Commits

• fe10465 v2.16.1 (#654)
• fa2e9d6 Release v2.16.0 (#646)
• See full diff in compare view

Updates actions/setup-go from 6.3.0 to 6.4.0

Release notes

Sourced from actions/setup-go's releases.

v6.4.0

What's Changed

Enhancement

• Add go-download-base-url input for custom Go distributions by @​gdams in actions/setup-go#721

Dependency update

• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in actions/setup-go#727

Documentation update

• Rearrange README.md, add advanced-usage.md by @​priyagupta108 in actions/setup-go#724
• Fix Microsoft build of Go link by @​gdams in actions/setup-go#734

New Contributors

• @​gdams made their first contribution in actions/setup-go#721

Full Changelog: actions/setup-go@v6...v6.4.0

Commits

• 4a36011 docs: fix Microsoft build of Go link (#734)
• 8f19afc feat: add go-download-base-url input for custom Go distributions (#721)
• 27fdb26 Bump minimatch from 3.1.2 to 3.1.5 (#727)
• def8c39 Rearrange README.md, add advanced-usage.md (#724)
• See full diff in compare view

Updates reviewdog/action-golangci-lint from 2.8.0 to 2.10.0

Release notes

Sourced from reviewdog/action-golangci-lint's releases.

Release v2.10.0

What's Changed

• fix: update go download url by @​kurochan in reviewdog/action-golangci-lint#817
• chore(deps): update dependency @​types/node to v20.19.37 by @​renovate[bot] in reviewdog/action-golangci-lint#802
• chore(deps): update dependency ts-jest to v29.4.6 by @​renovate[bot] in reviewdog/action-golangci-lint#805
• chore(deps): update dependency @​vercel/ncc to v0.38.4 by @​renovate[bot] in reviewdog/action-golangci-lint#812
• chore(deps): update actions/checkout action to v4.3.1 by @​renovate[bot] in reviewdog/action-golangci-lint#813
• chore(deps): update dependency eslint-plugin-import to v2.32.0 by @​renovate[bot] in reviewdog/action-golangci-lint#814
• chore(deps): update @​typescript-eslint/parser and eslint-plugin-jest by @​renovate[bot] in reviewdog/action-golangci-lint#818
• chore(deps): update dependency prettier to v3.8.1 by @​renovate[bot] in reviewdog/action-golangci-lint#819
• chore(deps): update dependency typescript to v5.9.3 by @​renovate[bot] in reviewdog/action-golangci-lint#820
• chore(deps): update github/codeql-action action to v3.32.6 by @​renovate[bot] in reviewdog/action-golangci-lint#821
• chore(deps): update reviewdog/action-actionlint action to v1.71.0 by @​renovate[bot] in reviewdog/action-golangci-lint#822
• chore(deps): update reviewdog/action-eslint action to v1.34.0 by @​renovate[bot] in reviewdog/action-golangci-lint#823
• Upgrade Node.js runtime to v24 by @​Copilot in reviewdog/action-golangci-lint#824
• Migrate to ES Modules with Rollup by @​Copilot in reviewdog/action-golangci-lint#825
• chore(deps): update actions/checkout action to v6 by @​renovate[bot] in reviewdog/action-golangci-lint#827
• bump eslint 10.0.3 by @​shogo82148 in reviewdog/action-golangci-lint#832
• introduce bundle script by @​shogo82148 in reviewdog/action-golangci-lint#835
• chore(deps): update node.js to v24.14.0 by @​renovate[bot] in reviewdog/action-golangci-lint#836
• chore(deps): update actions/setup-node action to v6 by @​renovate[bot] in reviewdog/action-golangci-lint#828
• chore(deps): update github/codeql-action action to v4 by @​renovate[bot] in reviewdog/action-golangci-lint#829

New Contributors

• @​kurochan made their first contribution in reviewdog/action-golangci-lint#817
• @​Copilot made their first contribution in reviewdog/action-golangci-lint#824

Full Changelog: reviewdog/action-golangci-lint@v2.9.0...v2.10.0

v2.9.0

What's Changed

• Update Go to v1.23 by @​massongit in reviewdog/action-golangci-lint#783
• chore(config): migrate renovate config by @​renovate[bot] in reviewdog/action-golangci-lint#784
• chore(deps): update github/codeql-action action to v3.28.13 by @​renovate[bot] in reviewdog/action-golangci-lint#781
• chore(deps): update dependency @​types/semver to v7.7.0 by @​renovate[bot] in reviewdog/action-golangci-lint#786
• chore(deps): update dependency @​types/node to v20.17.28 by @​renovate[bot] in reviewdog/action-golangci-lint#787
• Add CI to check golintci-lint config by @​massongit in reviewdog/action-golangci-lint#790
• .golangci.v1.yml: disable golint by @​massongit in reviewdog/action-golangci-lint#791
• chore(deps): update dependency ts-jest to v29.3.1 by @​renovate[bot] in reviewdog/action-golangci-lint#792
• chore(deps): update dependency ts-jest to v29.3.2 by @​renovate[bot] in reviewdog/action-golangci-lint#799
• chore(deps): update actions/setup-node action to v4.4.0 by @​renovate[bot] in reviewdog/action-golangci-lint#800
• chore(deps): update github/codeql-action action to v3.28.15 by @​renovate[bot] in reviewdog/action-golangci-lint#796
• chore(deps): update dependency @​types/node to v20.17.30 by @​renovate[bot] in reviewdog/action-golangci-lint#793
• chore(deps): update dependency typescript to v5.8.3 by @​renovate[bot] in reviewdog/action-golangci-lint#794
• chore(deps): update dependency js-yaml to v4.1.1 [security] by @​renovate[bot] in reviewdog/action-golangci-lint#810
• chore(deps): update @​typescript-eslint/parser and eslint-plugin-jest (major) by @​renovate[bot] in reviewdog/action-golangci-lint#727
• chore(deps): update haya14busa/action-bumpr action to v1.11.4 by @​renovate[bot] in reviewdog/action-golangci-lint#795
• chore(deps): update haya14busa/action-update-semver action to v1.5.1 by @​renovate[bot] in reviewdog/action-golangci-lint#797
• chore(deps): update github/codeql-action action to v3.31.8 by @​renovate[bot] in reviewdog/action-golangci-lint#801

... (truncated)

Commits

• c76ccea Merge pull request #829 from reviewdog/renovate/github-codeql-action-4.x
• 6381f98 chore(deps): update github/codeql-action action to v4
• 89de6bb Merge pull request #828 from reviewdog/renovate/actions-setup-node-6.x
• 0c74698 chore(deps): update actions/setup-node action to v6
• d0c4e9d Merge pull request #836 from reviewdog/renovate/node-24.x
• c2a63d6 chore(deps): update node.js to v24.14.0
• 3943b33 Merge pull request #835 from reviewdog/introduce-bundle-script
• 575ba31 update dependencies
• a69b2ad bump lockfileVersion to 3
• 2a19ff6 install rimraf
• Additional commits viewable in compare view

Updates reviewdog/action-actionlint from 1.71.0 to 1.72.0

Release notes

Sourced from reviewdog/action-actionlint's releases.

Release v1.72.0

v1.72.0: PR #196 - chore(deps): update actionlint to 1.7.12

Commits

• 6fb7acc bump v1.72.0
• b2a904a Merge branch 'main' into releases/v1
• 5eaffa1 Merge pull request #196 from reviewdog/depup/actionlint
• 39a6754 chore(deps): update actionlint to 1.7.12
• d39025c Merge pull request #195 from reviewdog/renovate/docker-setup-buildx-action-4.x
• 2e8272d Merge pull request #194 from reviewdog/renovate/docker-setup-qemu-action-4.x
• 128d9b7 Merge pull request #190 from reviewdog/renovate/shogo82148-actions-create-rel...
• 1674e4f chore(deps): update docker/setup-buildx-action action to v4
• 8fdb9d2 Merge pull request #189 from reviewdog/renovate/docker-setup-buildx-action-3.x
• a518ce8 Merge pull request #188 from reviewdog/renovate/peter-evans-create-pull-reque...
• Additional commits viewable in compare view

Updates mikepenz/release-changelog-builder-action from 6.1.1 to 6.2.0

Release notes

Sourced from mikepenz/release-changelog-builder-action's releases.

v6.2.0

💬 Other

• Security hardening: Renovate, SHA-pinned actions, least-privilege permissions
  • PR: #1536
• fix: use PR author for commit-dist job condition
  • PR: #1541

📦 Dependencies

• Bump actions/upload-artifact from 6 to 7
  • PR: #1523
• Bump mikepenz/action-gh-release from 1 to 2
  • PR: #1529
• Bump flatted from 3.3.3 to 3.4.2
  • PR: #1531
• Bump the dev-dependencies group with 4 updates
  • PR: #1532
• Bump vitest from 4.0.18 to 4.1.0
  • PR: #1533
• Bump https-proxy-agent from 7.0.6 to 8.0.0
  • PR: #1534
• Bump picomatch from 4.0.3 to 4.0.4
  • PR: #1535
• chore(deps): update dependency glob to v11.1.0 [security]
  • PR: #1537
• chore(deps): pin mikepenz/release-changelog-builder-action action to d7b8cec
  • PR: #1539
• chore(deps): update dependency undici to v7
  • PR: #1540
• chore: upgrade TypeScript to v6
  • PR: #1543
• chore: pin all dependencies to exact versions
  • PR: #1544
• chore(deps): update mikepenz/release-changelog-builder-action digest to a77ddc5
  • PR: #1545
• chore(deps): update dependency glob to v13
  • PR: #1546

Contributors:

• @​dependabot[bot], @​mikepenz

Commits

• 2cb9bef Merge pull request #1547 from mikepenz/develop
• 0cc2898 Merge pull request #1546 from mikepenz/renovate/glob-13.x
• 5fcdcea Merge pull request #1545 from mikepenz/renovate/github-actions-updates
• 1783230 chore(deps): update dependency glob to v13
• a176e8e chore(deps): update mikepenz/release-changelog-builder-action digest to a77ddc5
• a77ddc5 Merge pull request #1544 from mikepenz/chore/pin-exact-deps
• 3ef87e7 chore: recompile dist
• 27efd72 chore: update undici specifically
• 6a2bae6 chore: pin all dependencies to exact versions
• 72827c1 Merge pull request #1543 from mikepenz/chore/typescript-6
• Additional commits viewable in compare view

Updates softprops/action-gh-release from 2.5.0 to 2.6.1

Release notes

Sourced from softprops/action-gh-release's releases.

v2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: preserve discussion category on publish by @​chenrui333 in softprops/action-gh-release#765

v2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉

• feat: support previous_tag for generate_release_notes by @​pocesar in softprops/action-gh-release#372

Bug fixes 🐛

• fix: recover concurrent asset metadata 404s by @​chenrui333 in softprops/action-gh-release#760

Other Changes 🔄

• docs: clarify reused draft release behavior by @​chenrui333 in softprops/action-gh-release#759
• docs: clarify working_directory input by @​chenrui333 in softprops/action-gh-release#761
• ci: verify dist bundle freshness by @​chenrui333 in softprops/action-gh-release#762
• fix: clarify immutable prerelease uploads by @​chenrui333 in softprops/action-gh-release#763

v2.5.3

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2. It fixes [#639](https://github.com/softprops/action-gh-release/issues/639), [#571](https://github.com/softprops/action-gh-release/issues/571), [#280](https://github.com/softprops/action-gh-release/issues/280), [#614](https://github.com/softprops/action-gh-release/issues/614), [#311](https://github.com/softprops/action-gh-release/issues/311), [#403](https://github.com/softprops/action-gh-release/issues/403), and [#368](https://github.com/softprops/action-gh-release/issues/368). It also adds documentation clarifications for [#541](https://github.com/softprops/action-gh-release/issues/541), [#645](https://github.com/softprops/action-gh-release/issues/645), [#542](https://github.com/softprops/action-gh-release/issues/542), [#393](https://github.com/softprops/action-gh-release/issues/393), and [#411](https://github.com/softprops/action-gh-release/issues/411), where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

... (truncated)

Changelog

Sourced from softprops/action-gh-release's changelog.

2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: preserve discussion category on publish by @​chenrui333 in softprops/action-gh-release#765

2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉

• feat: support previous_tag for generate_release_notes by @​pocesar in softprops/action-gh-release#372

Bug fixes 🐛

• fix: recover concurrent asset metadata 404s by @​chenrui333 in softprops/action-gh-release#760

Other Changes 🔄

• docs: clarify reused draft release behavior by @​chenrui333 in softprops/action-gh-release#759
• docs: clarify working_directory input by @​chenrui333 in softprops/action-gh-release#761
• ci: verify dist bundle freshness by @​chenrui333 in softprops/action-gh-release#762
• fix: clarify immutable prerelease uploads by @​chenrui333 in softprops/action-gh-release#763

2.5.3

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2. It fixes [#639](https://github.com/softprops/action-gh-release/issues/639), [#571](https://github.com/softprops/action-gh-release/issues/571), [#280](https://github.com/softprops/action-gh-release/issues/280), [#614](https://github.com/softprops/action-gh-release/issues/614), [#311](https://github.com/softprops/action-gh-release/issues/311), [#403](https://github.com/softprops/action-gh-release/issues/403), and [#368](https://github.com/softprops/action-gh-release/issues/368). It also adds documentation clarifications for [#541](https://github.com/softprops/action-gh-release/issues/541), [#645](https://github.com/softprops/action-gh-release/issues/645), [#542](https://github.com/softprops/action-gh-release/issues/542), [#393](https://github.com/softprops/action-gh-release/issues/393), and [#411](https://github.com/softprops/action-gh-release/issues/411), where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

... (truncated)

Commits

• 153bb8e release 2.6.1
• 569deb8 fix: preserve discussion category when publishing releases (#765)
• 26e8ad2 release 2.6.0
• b959f31 fix: clarify immutable prerelease uploads (#763)
• 8a8510e ci: verify dist bundle freshness (#762)
• 438c15d docs: clarify working_directory input (#761)
• 6ca3b5d fix: recover concurrent asset metadata 404s (#760)
• 11f9176 chore: add RELEASE.md
• 1f3f350 feat: add AGENTS.md
• 37819cb docs: clarify reused draft release behavior (#759)
• Additional commits viewable in compare view

Updates github/codeql-action from 4.32.6 to 4.35.1

Release notes

Sourced from github/codeql-action's releases.

v4.35.1

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

v4.35.0

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

v4.34.1

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

v4.34.0

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
• Update default CodeQL bundle version to 2.25.0. #3585

v4.33.0

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794

4.35.1 - 27 Mar 2026

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

4.34.1 - 20 Mar 2026

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
• Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

• Update default CodeQL bundle version to 2.24.3. #3548

4.32.5 - 02 Mar 2026

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
• Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487

... (truncated)

Commits

• c10b806 Merge pull request #3782 from github/update-v4.35.1-d6d1743b8
• c5ffd06 Update changelog for v4.35.1
• d6d1743 Merge pull request #3781 from github/henrymercer/update-git-minimum-version
• 65d2efa Add changelog note
• 2437b20 Update minimum git version for overlay to 2.36.0
• ea5f719 Merge pull request #3775 from github/dependabot/npm_and_yarn/node-forge-1.4.0
• 45ceeea Merge pull request #3777 from github/mergeback/v4.35.0-to-main-b8bb9f28
• 24448c9 Rebuild
• 7c51060 Update changelog and version after v4.35.0
• b8bb9f2 Merge pull request #3776 from github/update-v4.35.0-0078ad667
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 967d4c2.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
actions/step-security/harden-runner	fe104658747b27e96e4f7e80cd0a94068e53901d	🟢 7.9	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 13 out of 13 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 10 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities ⚠️ 0 13 existing vulnerabilities detected
actions/actions/setup-go	4a3601121dd01d1626a1e23e37211e3254c1c06c	🟢 6.1	Details Check Score Reason Maintained 🟢 10 12 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/step-security/harden-runner	fe104658747b27e96e4f7e80cd0a94068e53901d	🟢 7.9	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 13 out of 13 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 10 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities ⚠️ 0 13 existing vulnerabilities detected

Scanned Files

• .github/workflows/pr-label.yml
• .github/workflows/test.yml

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.