Skip to content

chore(deps): bump the actions-version-updates group across 1 directory with 12 updates#169

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions-version-updates-dbe9121927
Open

chore(deps): bump the actions-version-updates group across 1 directory with 12 updates#169
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions-version-updates-dbe9121927

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 30, 2026
edited
Loading

Bumps the actions-version-updates group with 12 updates in the / directory:

Package From To
step-security/harden-runner 2.12.0 2.19.4
actions/checkout 4.2.2 6.0.3
actions/dependency-review-action 4.7.1 5.0.0
actions/setup-node 4 6
stefanzweifel/git-auto-commit-action 5.2.0 7.1.0
actions/download-artifact 4.3.0 8.0.1
JetBrains/qodana-action 201551778d1453e36c5c0aa26f89a94775cb1acc f5aa2889b113c16bd6aee47817b027537ee33ac7
ossf/scorecard-action 2.4.1 2.4.3
github/codeql-action 3.28.18 4.36.2
mridang/action-test-reporter 1 3
actions/upload-artifact 4.6.2 7.0.1
dorny/test-reporter 2.0.0 3.0.0

Updates step-security/harden-runner from 2.12.0 to 2.19.4

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.4

What's Changed

  • Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

What's Changed

  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

... (truncated)

Commits
  • 9af89fc Merge pull request #667 from step-security/update-agent-v1.8.6
  • 485dce8 Update agent to v1.8.6
  • ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit
  • ec41b78 Default to audit mode when api-key missing with use-policy-store
  • 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
  • 1dee3df Update agent to v1.8.5
  • a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
  • 6e92856 build dist and trim ubuntu-slim message
  • 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
  • 8d3c67d Release v2.19.0 (#661)
  • Additional commits viewable in compare view

Updates actions/checkout from 4.2.2 to 6.0.3

Release notes

Sourced from actions/checkout's releases.

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

... (truncated)

Commits
  • df4cb1c Update changelog for v6.0.3 (#2446)
  • 1cce339 Fix checkout init for SHA-256 repositories (#2439)
  • 900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
  • 0c366fd Update changelog (#2357)
  • de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
  • 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
  • 8e8c483 Clarify v6 README (#2328)
  • 033fa0d Add worktree support for persist-credentials includeIf (#2327)
  • c2d88d3 Update all references from v5 and v4 to v6 (#2314)
  • 1af3b93 update readme/changelog for v6 (#2311)
  • Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.7.1 to 5.0.0

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

  • There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
  • Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
  • There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

... (truncated)

Commits
  • a1d282b Merge pull request #1098 from actions/ahpook/v5-release
  • eb6c199 update examples to show @​v5
  • 3943c2c v5.0.0 release branch
  • 454943c Merge pull request #1094 from actions/ashelytc/security-findings
  • 6d92a12 revert @​typescript-eslint/parser update
  • a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
  • b6b7079 update @​typescript-eslint/parser to 8.40.0
  • 821a21d update more dependencies
  • 05aaaae run npm audit fix
  • 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
  • Additional commits viewable in compare view

Updates actions/setup-node from 4 to 6

Release notes

Sourced from actions/setup-node's releases.

v6.0.0

What's Changed

Breaking Changes

Dependency Upgrades

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

What's Changed

Breaking Changes

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

New Contributors

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

... (truncated)

Commits

Updates stefanzweifel/git-auto-commit-action from 5.2.0 to 7.1.0

Release notes

Sourced from stefanzweifel/git-auto-commit-action's releases.

v7.1.0

Added

Changes

Dependency Updates

v7.0.0

Added

Changed

Dependency Updates

v6.0.1

Fixed

v6.0.0

Added

  • Throw error early if repository is in a detached state (#357)

Fixed

Removed

  • Remove support for create_branch, skip_checkout, skip_Fetch (#314)
Changelog

Sourced from stefanzweifel/git-auto-commit-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Unreleased

TBD

v7.1.0 - 2025-12-17

Added

Changes

Dependency Updates

v7.0.0 - 2025-10-12

Added

Changed

Dependency Updates

v6.0.1 - 2025-06-11

Fixed

v6.0.0 - 2025-06-10

... (truncated)

Commits

Updates actions/download-artifact from 4.3.0 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

v7.0.0

v7 - What's new

[!IMPORTANT] actions/download-artifact@v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

... (truncated)

Commits
  • 3e5f45b Add regression tests for CJK characters (#471)
  • e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
  • 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
  • f258da9 Add change docs
  • ccc058e Fix linting issues
  • bd7976b Add a setting to specify what to do on hash mismatch and default it to error
  • ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
  • 15999bf Add note about package bumps
  • 974686e Bump the version to v8 and add release notes
  • fbe48b1 Update test names to make it clearer what they do
  • Additional commits viewable in compare view

Updates JetBrains/qodana-action from 201551778d1453e36c5c0aa26f89a94775cb1acc to f5aa2889b113c16bd6aee47817b027537ee33ac7

Commits
  • f5aa288 🐛 QD-11047 fix issue with quick-fixes: pull-request (#490)
  • 26b380e 🐛 QD-11047 fix issue with quick-fixes in gitlab in branch mode (#482)
  • See full diff in compare view

Updates ossf/scorecard-action from 2.4.1 to 2.4.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.3

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

Other

New Contributors

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

v2.4.2

What's Changed

This update bumps the Scorecard version to the v5.2.1 release. For a complete list of changes, please refer to the Scorecard v5.2.0 and v5.2.1 release notes.

Full Changelog: ossf/scorecard-action@v2.4.1...v2.4.2

Commits
  • 4eaacf0 bump docker to ghcr v2.4.3 (#1587)
  • 42e3a01 🌱 Bump the github-actions group with 3 updates (#1585)
  • 88c07ac 🌱 Bump github.com/sigstore/cosign/v2 from 2.5.2 to 2.6.0 (#1579)
  • 6c690f2 Bump github.com/ossf/scorecard/v5 from v5.2.1 to v5.3.0 (#1586)
  • 92083b5 📖 Fix recommended command to test the image in development (#1583)
  • 7975ea6 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
  • 0d1a743 🌱 Bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#1575)
  • 46e6e0c 🌱 Bump the github-actions group with 2 updates (#1580)
  • c3f1350 🌱 Improve printing options (#1584)
  • 43e475b 🌱 Bump golang.org/x/net from 0.42.0 to 0.44.0 (#1578)
  • Additional commits viewable in compare view

Updates github/codeql-action from 3.28.18 to 4.36.2

Release notes

Sourced from github/codeql-action's releases.

v4.36.2

  • Cache CodeQL CLI version information across Actions steps. #3943
  • Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937
  • Update default CodeQL bundle version to 2.25.6. #3948

v4.36.1

No user facing changes.

v4.36.0

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 30, 2026
@dependabot
chore(deps): bump the actions-version-updates group across 1 director…
2a9364b 
…y with 12 updates

Bumps the actions-version-updates group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.12.0` | `2.19.4` |
| [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `6.0.3` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.7.1` | `5.0.0` |
| [actions/setup-node](https://github.com/actions/setup-node) | `4` | `6` |
| [stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action) | `5.2.0` | `7.1.0` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `4.3.0` | `8.0.1` |
| [JetBrains/qodana-action](https://github.com/jetbrains/qodana-action) | `201551778d1453e36c5c0aa26f89a94775cb1acc` | `f5aa2889b113c16bd6aee47817b027537ee33ac7` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.4.1` | `2.4.3` |
| [github/codeql-action](https://github.com/github/codeql-action) | `3.28.18` | `4.36.2` |
| [mridang/action-test-reporter](https://github.com/mridang/action-test-reporter) | `1` | `3` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.1` |
| [dorny/test-reporter](https://github.com/dorny/test-reporter) | `2.0.0` | `3.0.0` |



Updates `step-security/harden-runner` from 2.12.0 to 2.19.4
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@0634a26...9af89fc)

Updates `actions/checkout` from 4.2.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@11bd719...df4cb1c)

Updates `actions/dependency-review-action` from 4.7.1 to 5.0.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@da24556...a1d282b)

Updates `actions/setup-node` from 4 to 6
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v6)

Updates `stefanzweifel/git-auto-commit-action` from 5.2.0 to 7.1.0
- [Release notes](https://github.com/stefanzweifel/git-auto-commit-action/releases)
- [Changelog](https://github.com/stefanzweifel/git-auto-commit-action/blob/master/CHANGELOG.md)
- [Commits](stefanzweifel/git-auto-commit-action@b863ae1...04702ed)

Updates `actions/download-artifact` from 4.3.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@d3f86a1...3e5f45b)

Updates `JetBrains/qodana-action` from 201551778d1453e36c5c0aa26f89a94775cb1acc to f5aa2889b113c16bd6aee47817b027537ee33ac7
- [Release notes](https://github.com/jetbrains/qodana-action/releases)
- [Commits](JetBrains/qodana-action@2015517...f5aa288)

Updates `ossf/scorecard-action` from 2.4.1 to 2.4.3
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@f49aabe...4eaacf0)

Updates `github/codeql-action` from 3.28.18 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@ff0a06e...8aad20d)

Updates `mridang/action-test-reporter` from 1 to 3
- [Release notes](https://github.com/mridang/action-test-reporter/releases)
- [Changelog](https://github.com/mridang/action-test-reporter/blob/master/release.config.mjs)
- [Commits](mridang/action-test-reporter@v1...v3)

Updates `actions/upload-artifact` from 4.6.2 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@ea165f8...043fb46)

Updates `dorny/test-reporter` from 2.0.0 to 3.0.0
- [Release notes](https://github.com/dorny/test-reporter/releases)
- [Changelog](https://github.com/dorny/test-reporter/blob/main/CHANGELOG.md)
- [Commits](dorny/test-reporter@6e6a65b...a43b3a5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: actions/dependency-review-action
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: dorny/test-reporter
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: github/codeql-action
  dependency-version: 4.36.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: JetBrains/qodana-action
  dependency-version: f5aa2889b113c16bd6aee47817b027537ee33ac7
  dependency-type: direct:production
  dependency-group: actions-version-updates
- dependency-name: mridang/action-test-reporter
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-version-updates
- dependency-name: stefanzweifel/git-auto-commit-action
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-version-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump the actions-version-updates group with 12 updates chore(deps): bump the actions-version-updates group across 1 directory with 12 updates Jun 5, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions-version-updates-dbe9121927 branch from 0b5e80f to 2a9364b Compare June 5, 2026 22:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants