
⬆️ gha: Bump the github-actions group across 1 directory with 10 updates #45

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github-actions-fec8646481

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026 (Contributor)

Bumps the github-actions group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| step-security/harden-runner | 2.15.1 | 2.19.0 |
| peter-evans/create-pull-request | 8.1.0 | 8.1.1 |
| actions/setup-go | 6.3.0 | 6.4.0 |
| reviewdog/action-golangci-lint | 2.8.0 | 2.10.0 |
| reviewdog/action-alex | 1.16.0 | 1.16.1 |
| reviewdog/action-actionlint | 1.71.0 | 1.72.0 |
| mikepenz/release-changelog-builder-action | 6.1.1 | 6.2.1 |
| softprops/action-gh-release | 2.5.0 | 3.0.0 |
| actions/upload-artifact | 7.0.0 | 7.0.1 |
| github/codeql-action | 4.32.6 | 4.35.2 |

Updates step-security/harden-runner from 2.15.1 to 2.19.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

v2.17.0

What's Changed

Policy Store Support

Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode.

Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0

v2.16.1

What's Changed

  • Enterprise tier: Added support for direct IP addresses in the allow list
  • Community tier: Migrated Harden Runner telemetry to a new endpoint

Full Changelog: step-security/harden-runner@v2.16.0...v2.16.1

v2.16.0

What's Changed

  • Updated action.yml to use node24
  • Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
  • Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

Commits

Updates peter-evans/create-pull-request from 8.1.0 to 8.1.1

Release notes

Sourced from peter-evans/create-pull-request's releases.

Create Pull Request v8.1.1

What's Changed

Full Changelog: peter-evans/create-pull-request@v8.1.0...v8.1.1

Commits
  • 5f6978f fix: retry post-creation API calls on 422 eventual consistency errors (#4356)
  • d32e88d build(deps-dev): bump the npm group with 3 updates (#4349)
  • 8170bcc build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 (#4344)
  • 0041819 build(deps): bump picomatch (#4339)
  • b993918 build(deps-dev): bump flatted from 3.3.1 to 3.4.2 (#4334)
  • 36d7c84 build(deps-dev): bump undici from 6.23.0 to 6.24.0 (#4328)
  • a45d1fb build(deps): bump @tootallnate/once and jest-environment-jsdom (#4323)
  • 3499eb6 build(deps): bump the github-actions group with 2 updates (#4316)
  • 3f3b473 build(deps): bump minimatch (#4311)
  • 6699836 build(deps-dev): bump the npm group with 2 updates (#4305)
  • See full diff in compare view

Updates actions/setup-go from 6.3.0 to 6.4.0

Release notes

Sourced from actions/setup-go's releases.

v6.4.0

What's Changed

Enhancement

Dependency update

Documentation update

New Contributors

Full Changelog: actions/setup-go@v6...v6.4.0

Commits

Updates reviewdog/action-golangci-lint from 2.8.0 to 2.10.0

Release notes

Sourced from reviewdog/action-golangci-lint's releases.

Release v2.10.0

What's Changed

New Contributors

Full Changelog: reviewdog/action-golangci-lint@v2.9.0...v2.10.0

v2.9.0

What's Changed

... (truncated)

Commits
  • c76ccea Merge pull request #829 from reviewdog/renovate/github-codeql-action-4.x
  • 6381f98 chore(deps): update github/codeql-action action to v4
  • 89de6bb Merge pull request #828 from reviewdog/renovate/actions-setup-node-6.x
  • 0c74698 chore(deps): update actions/setup-node action to v6
  • d0c4e9d Merge pull request #836 from reviewdog/renovate/node-24.x
  • c2a63d6 chore(deps): update node.js to v24.14.0
  • 3943b33 Merge pull request #835 from reviewdog/introduce-bundle-script
  • 575ba31 update dependencies
  • a69b2ad bump lockfileVersion to 3
  • 2a19ff6 install rimraf
  • Additional commits viewable in compare view

Updates reviewdog/action-alex from 1.16.0 to 1.16.1

Release notes

Sourced from reviewdog/action-alex's releases.

Release v1.16.1

What's Changed

New Contributors

Full Changelog: reviewdog/action-alex@v1.16.0...v1.16.1

Commits
  • b6673b5 Merge pull request #59 from vincent067/fix-fail-on-error-exit-code
  • 117bd58 fix: propagate exit code to make fail_on_error work correctly
  • ee2bd61 Merge pull request #48 from reviewdog/renovate/reviewdog-action-shellcheck-1.x
  • 7b37af6 chore(deps): update reviewdog/action-shellcheck action to v1.30.0
  • dd45e4f Merge pull request #47 from reviewdog/pinact-readme-20250319-031733
  • 0fa17b0 README: Pin GitHub Actions with commit SHA using pinact
  • See full diff in compare view

Updates reviewdog/action-actionlint from 1.71.0 to 1.72.0

Release notes

Sourced from reviewdog/action-actionlint's releases.

Release v1.72.0

v1.72.0: PR #196 - chore(deps): update actionlint to 1.7.12

Commits
  • 6fb7acc bump v1.72.0
  • b2a904a Merge branch 'main' into releases/v1
  • 5eaffa1 Merge pull request #196 from reviewdog/depup/actionlint
  • 39a6754 chore(deps): update actionlint to 1.7.12
  • d39025c Merge pull request #195 from reviewdog/renovate/docker-setup-buildx-action-4.x
  • 2e8272d Merge pull request #194 from reviewdog/renovate/docker-setup-qemu-action-4.x
  • 128d9b7 Merge pull request #190 from reviewdog/renovate/shogo82148-actions-create-rel...
  • 1674e4f chore(deps): update docker/setup-buildx-action action to v4
  • 8fdb9d2 Merge pull request #189 from reviewdog/renovate/docker-setup-buildx-action-3.x
  • a518ce8 Merge pull request #188 from reviewdog/renovate/peter-evans-create-pull-reque...
  • Additional commits viewable in compare view

Updates mikepenz/release-changelog-builder-action from 6.1.1 to 6.2.1

Release notes

Sourced from mikepenz/release-changelog-builder-action's releases.

v6.2.1

🐛 Fixes

  • fix: handle multi-line commit bodies in git log parsing

💬 Other

  • chore: remove Renovate workflow

Contributors:

v6.2.0

💬 Other

  • Security hardening: Renovate, SHA-pinned actions, least-privilege permissions
  • fix: use PR author for commit-dist job condition

📦 Dependencies

  • Bump actions/upload-artifact from 6 to 7
  • Bump mikepenz/action-gh-release from 1 to 2
  • Bump flatted from 3.3.3 to 3.4.2
  • Bump the dev-dependencies group with 4 updates
  • Bump vitest from 4.0.18 to 4.1.0
  • Bump https-proxy-agent from 7.0.6 to 8.0.0
  • Bump picomatch from 4.0.3 to 4.0.4
  • chore(deps): update dependency glob to v11.1.0 [security]
  • chore(deps): pin mikepenz/release-changelog-builder-action action to d7b8cec
  • chore(deps): update dependency undici to v7
  • chore: upgrade TypeScript to v6
  • chore: pin all dependencies to exact versions
  • chore(deps): update mikepenz/release-changelog-builder-action digest to a77ddc5

... (truncated)

Commits
  • bcae711 Merge pull request #1554 from mikepenz/develop
  • 5795a33 Merge pull request #1553 from mikepenz/fix/multiline-commit-body-parsing
  • f5544cb fix: use git %x00/%x1f format placeholders instead of literal bytes
  • 7ebd13b fix: use non-printable separators for robust git log parsing
  • 787f65d fix: handle multi-line commit bodies in git log parsing
  • 1d37aec Merge pull request #1551 from mikepenz/chore/remove-renovate-workflow
  • a8e74a6 chore: override vite to 8.0.5 to fix vulnerabilities
  • 202a06f chore: remove Renovate workflow (using self-hosted app instead)
  • 2cb9bef Merge pull request #1547 from mikepenz/develop
  • 0cc2898 Merge pull request #1546 from mikepenz/renovate/glob-13.x
  • Additional commits viewable in compare view

Updates softprops/action-gh-release from 2.5.0 to 3.0.0

Release notes

Sourced from softprops/action-gh-release's releases.

v3.0.0

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24. Use v3 on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on v2.6.2.

What's Changed

Other Changes 🔄

  • Move the action runtime and bundle target to Node 24
  • Update @types/node to the Node 24 line and allow future Dependabot updates
  • Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

v2.6.2

What's Changed

Other Changes 🔄

Full Changelog: softprops/action-gh-release@v2...v2.6.2

v2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

v2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

... (truncated)

Changelog

Sourced from softprops/action-gh-release's changelog.

3.0.0

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24. Use v3 on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on v2.6.2.

What's Changed

Other Changes 🔄

  • Move the action runtime and bundle target to Node 24
  • Update @types/node to the Node 24 line and allow future Dependabot updates
  • Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

2.6.2

What's Changed

Other Changes 🔄

2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

... (truncated)

Commits
  • b430933 release: cut v3.0.0 for Node 24 upgrade (#670)
  • c2e35e0 chore(deps): bump the npm group across 1 directory with 7 updates (#783)
  • 3bb1273 release 2.6.2
  • c34030f chore: bump node to 24.14.1
  • 8975bd0 chore(deps): bump vite from 8.0.0 to 8.0.5 (#781)
  • f71937f chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 (#777)
  • 3f0d239 chore(deps): bump picomatch from 4.0.3 to 4.0.4 (#775)
  • 153bb8e release 2.6.1
  • 569deb8 fix: preserve discussion category when publishing releases (#765)
  • 26e8ad2 release 2.6.0
  • Additional commits viewable in compare view

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits
  • 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
  • 634250c Include changes in typespec/ts-http-runtime 0.3.5
  • e454baa Readme: bump all the example versions to v7 (#796)
  • 74fad66 Update the readme with direct upload details (#795)
  • See full diff in compare view

Updates github/codeql-action from 4.32.6 to 4.35.2

Release notes

Sourced from github/codeql-action's releases.

v4.35.2

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823

v4.35.1

v4.35.0

v4.34.1

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

v4.34.0

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
  • Update default CodeQL bundle version to 2.25.0. #3585

v4.33.0

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

    To opt out of this change:

    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.35.2 - 15 Apr 2026

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

4.35.0 - 27 Mar 2026

4.34.1 - 20 Mar 2026

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this roll...

    Description has been truncated

Bumps the github-actions group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.15.1` | `2.19.0` |
| [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | `8.1.0` | `8.1.1` |
| [actions/setup-go](https://github.com/actions/setup-go) | `6.3.0` | `6.4.0` |
| [reviewdog/action-golangci-lint](https://github.com/reviewdog/action-golangci-lint) | `2.8.0` | `2.10.0` |
| [reviewdog/action-alex](https://github.com/reviewdog/action-alex) | `1.16.0` | `1.16.1` |
| [reviewdog/action-actionlint](https://github.com/reviewdog/action-actionlint) | `1.71.0` | `1.72.0` |
| [mikepenz/release-changelog-builder-action](https://github.com/mikepenz/release-changelog-builder-action) | `6.1.1` | `6.2.1` |
| [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `2.5.0` | `3.0.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.32.6` | `4.35.2` |
Updates `step-security/harden-runner` from 2.15.1 to 2.19.0
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@58077d3...8d3c67d)

Updates `peter-evans/create-pull-request` from 8.1.0 to 8.1.1
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](peter-evans/create-pull-request@c0f553f...5f6978f)

Updates `actions/setup-go` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4b73464...4a36011)

Updates `reviewdog/action-golangci-lint` from 2.8.0 to 2.10.0
- [Release notes](https://github.com/reviewdog/action-golangci-lint/releases)
- [Commits](reviewdog/action-golangci-lint@f9bba13...c76ccea)

Updates `reviewdog/action-alex` from 1.16.0 to 1.16.1
- [Release notes](https://github.com/reviewdog/action-alex/releases)
- [Commits](reviewdog/action-alex@6083b8c...b6673b5)

Updates `reviewdog/action-actionlint` from 1.71.0 to 1.72.0
- [Release notes](https://github.com/reviewdog/action-actionlint/releases)
- [Commits](reviewdog/action-actionlint@0d952c5...6fb7acc)

Updates `mikepenz/release-changelog-builder-action` from 6.1.1 to 6.2.1
- [Release notes](https://github.com/mikepenz/release-changelog-builder-action/releases)
- [Commits](mikepenz/release-changelog-builder-action@a34a800...bcae711)

Updates `softprops/action-gh-release` from 2.5.0 to 3.0.0
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@a06a81a...b430933)

Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

Updates `github/codeql-action` from 4.32.6 to 4.35.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@0d579ff...95e58e9)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: peter-evans/create-pull-request
  dependency-version: 8.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: reviewdog/action-golangci-lint
  dependency-version: 2.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: reviewdog/action-alex
  dependency-version: 1.16.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: reviewdog/action-actionlint
  dependency-version: 1.72.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: mikepenz/release-changelog-builder-action
  dependency-version: 6.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: softprops/action-gh-release
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.35.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) Apr 20, 2026
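The compare links in this PR (for example `step-security/harden-runner@58077d3...8d3c67d`) show what a Dependabot bump of the `github-actions` group actually changes: the commit SHA each `uses:` line is pinned to, which is also what the Scorecard "Pinned-Dependencies" check below measures. The following is an added example, not part of the Dependabot PR or of any of the bumped projects' own code: a small audit script that scans a workflow for `uses:` references, classifies each as SHA-pinned, tag-pinned or branch-tracked, and flags SHA pins that lack the `# vX.Y.Z` comment Dependabot keeps in sync. The workflow text is constructed; the harden-runner and setup-go SHAs are the ones reported on this page, `actions/checkout` and the `@main` reference are constructed illustrations of unpinned refs, and the `egress-policy` input is assumed from harden-runner's documented inputs rather than from this page.

```python
"""Audit `uses:` references in a GitHub Actions workflow for commit-SHA pinning.

Added example; not the PR's or any action's own code. Workflow text is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "uses: owner/repo[/path]@ref" with an optional trailing "# comment".
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(?:\.\d+){0,2}$")

# Constructed workflow. SHAs for harden-runner and setup-go are those listed on
# this page; actions/checkout@v4 and the @main reference are constructed.
SAMPLE_WORKFLOW = """\
name: test
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40  # v2.19.0
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
      - uses: github/codeql-action/init@main
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    action: str
    ref: str
    kind: str                    # "sha", "tag" or "branch"
    version_hint: Optional[str]  # trailing "# vX.Y.Z" comment documenting a SHA pin


def classify_ref(ref: str) -> str:
    """A full 40-hex SHA is immutable; a version tag or branch can be moved."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if VERSION_TAG_RE.match(ref):
        return "tag"
    return "branch"


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line, in file order."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # local "./" actions and docker:// refs carry no @ref and are skipped
        comment = (m.group("comment") or "").strip()
        hint = comment if VERSION_TAG_RE.match(comment) else None
        ref = m.group("ref")
        findings.append(Finding(n, m.group("action"), ref, classify_ref(ref), hint))
    return findings


def unpinned(findings: List[Finding]) -> List[Finding]:
    """References that a tag move or branch push could silently change."""
    return [f for f in findings if f.kind != "sha"]


def undocumented_pins(findings: List[Finding]) -> List[Finding]:
    """SHA pins without a version comment; Dependabot cannot tell the reader what they are."""
    return [f for f in findings if f.kind == "sha" and f.version_hint is None]


if __name__ == "__main__":
    found = audit_workflow(SAMPLE_WORKFLOW)
    for f in unpinned(found):
        print(f"line {f.line_no}: {f.action}@{f.ref} is {f.kind}-pinned, not SHA-pinned")
    for f in undocumented_pins(found):
        print(f"line {f.line_no}: {f.action}@{f.ref[:7]} has no version comment")
```

Run against a real workflow by reading the file into `audit_workflow`; a clean result is one where `unpinned` is empty and `undocumented_pins` is empty, which is exactly the state a Dependabot bump like this one keeps current. Only full 40-character SHAs count as pinned here: a short SHA or a version tag is left for a human to decide on.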
@github-actions commented
Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score |
| --- | --- | --- |
| actions/step-security/harden-runner | 8d3c67de8e2fe68ef647c8db1e6a09f647780f40 | 🟢 8.4 |

Details

| Check | Score | Reason |
| --- | --- | --- |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Branch-Protection | 🟢 8 | branch protection is not maximal on development and all release branches |
| CI-Tests | 🟢 10 | 16 out of 16 merged PRs checked by a CI test -- score normalized to 10 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Code-Review | 🟢 10 | all changesets reviewed |
| Contributors | 🟢 6 | project has 2 contributing companies or organizations -- score normalized to 6 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Maintained | 🟢 10 | 13 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6 |
| SAST | 🟢 10 | SAST tool is run on all commits |
| Security-Policy | 🟢 10 | security policy file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege |
| Vulnerabilities | 🟢 6 | 4 existing vulnerabilities detected |

| Package | Version | Score |
| --- | --- | --- |
| actions/actions/setup-go | 4a3601121dd01d1626a1e23e37211e3254c1c06c | 🟢 5.7 |

Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 6 | 7 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 6 |
| Code-Review | 🟢 10 | all changesets reviewed |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| SAST | 🟢 10 | SAST tool is run on all commits |

Scanned Files

  • .github/workflows/pr-label.yml
  • .github/workflows/test.yml

@dependabot dependabot Bot commented on behalf of github May 11, 2026 (Contributor, Author)
Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this May 11, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/github-actions-fec8646481 branch May 11, 2026 21:55