Skip to content

ci(deps): bump the github-actions group across 1 directory with 14 updates#39

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/dot-github/workflows/github-actions-8d7e254d75
Closed

ci(deps): bump the github-actions group across 1 directory with 14 updates#39
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/dot-github/workflows/github-actions-8d7e254d75

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps the github-actions group with 14 updates in the /.github/workflows directory:

Package From To
step-security/harden-runner 2.16.1 2.19.4
actions/checkout 6.0.2 7.0.0
rust-lang/crates-io-auth-action 1.0.4 1.0.5
step-security/action-gh-release 2.6.1 3.0.0
step-security/action-semantic-pull-request 6.1.1 6.1.2
step-security/rust-cache 2.8.3 2.9.1
taiki-e/install-action 2.73.0 2.82.2
step-security/paths-filter 3.0.5 4.0.1
github/codeql-action 4.35.1 4.36.2
actions/labeler 6.0.1 6.1.0
actions/github-script 8.0.0 9.0.0
googleapis/release-please-action 4.4.0 5.0.0
actions/upload-artifact 7.0.0 7.0.1
actions/dependency-review-action 4.9.0 5.0.0

Updates step-security/harden-runner from 2.16.1 to 2.19.4

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.4

What's Changed

  • Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

What's Changed

  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

... (truncated)

Commits
  • 9af89fc Merge pull request #667 from step-security/update-agent-v1.8.6
  • 485dce8 Update agent to v1.8.6
  • ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit
  • ec41b78 Default to audit mode when api-key missing with use-policy-store
  • 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
  • 1dee3df Update agent to v1.8.5
  • a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
  • 6e92856 build dist and trim ubuntu-slim message
  • 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
  • 8d3c67d Release v2.19.0 (#661)
  • Additional commits viewable in compare view

Updates actions/checkout from 6.0.2 to 7.0.0

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Updates rust-lang/crates-io-auth-action from 1.0.4 to 1.0.5

Release notes

Sourced from rust-lang/crates-io-auth-action's releases.

v1.0.5

What's Changed

Internal changes

Full Changelog: rust-lang/crates-io-auth-action@v1.0.4...v1.0.5

Commits
  • c6f97d4 Merge pull request #259 from rust-lang/renovate/lock-file-maintenance
  • b929a92 package dist
  • 9d23f3b chore(deps): lock file maintenance
  • 2b6b194 Merge pull request #263 from rust-lang/ci-links-accept-403-as-failure
  • 1a7afc2 ci(links): accept 403 as success
  • 701b15c Merge pull request #260 from rust-lang/renovate/tsdown-0.x-lockfile
  • cf898e1 package dist
  • 1a6a621 chore(deps): update dependency tsdown to v0.22.2
  • 9f93ac2 Merge pull request #261 from rust-lang/renovate/github-actions
  • 5463451 chore(deps): update github actions to v6.0.3
  • Additional commits viewable in compare view

Updates step-security/action-gh-release from 2.6.1 to 3.0.0

Release notes

Sourced from step-security/action-gh-release's releases.

v3.0.0

What's Changed

New Contributors

Full Changelog: step-security/action-gh-release@v2...v3.0.0

Commits
  • 277bfa8 Merge pull request #86 from step-security/auto-cherry-pick
  • fcbd57a chore: Cherry-pick conflicting changes from upstream
  • 28e0835 fix: apply code build script
  • 147407f release: cut v3.0.0 for Node 24 upgrade (#670)
  • b06017c release: cut v3.0.0 for Node 24 upgrade (#670)
  • 7f52c03 Merge pull request #87 from step-security/npm-audit-fix
  • e09057e fix: apply audit fixes
  • 38e3839 fix: apply audit fixes
  • 30dad22 Merge pull request #85 from step-security/auto-cherry-pick
  • e5ef807 chore: Bump version to 2.6.2
  • Additional commits viewable in compare view

Updates step-security/action-semantic-pull-request from 6.1.1 to 6.1.2

Release notes

Sourced from step-security/action-semantic-pull-request's releases.

v6.1.2

What's Changed

Full Changelog: step-security/action-semantic-pull-request@v6...v6.1.2

Commits
  • 75d2dd5 Merge pull request #162 from step-security/Raj-StepSecurity-patch-11
  • dce66ee Update actions_release.yml
  • 80eb62b Merge pull request #161 from step-security/yarn-audit-fix
  • ac0700f fix: apply audit fixes
  • 92d4228 fix: apply audit fixes
  • 91fa82f fix: apply audit fixes
  • fed9df2 Merge pull request #160 from step-security/feat/update-subscription-check
  • 9d0ba60 code linted
  • 21be1b8 feat: added banner and update subscription check to make maintained actions f...
  • 57d5042 Merge pull request #159 from step-security/yarn-audit-fix
  • Additional commits viewable in compare view

Updates step-security/rust-cache from 2.8.3 to 2.9.1

Release notes

Sourced from step-security/rust-cache's releases.

v2.9.1

What's Changed

Full Changelog: step-security/rust-cache@v2...v2.9.1

v2.8.4

What's Changed

New Contributors

Full Changelog: step-security/rust-cache@v2...v2.8.4

Commits
  • 851174d fix: test vulns fixed (#279)
  • f0d17cd Merge branch 'main' into fix/test-vulnerabilities-fixed
  • 90bb4a5 chore: Cherry-picked changes from upstream (#281)
  • 595123a Merge pull request #280 from step-security/auto-cherry-pick
  • b1072eb conflicted commits cherry-picked
  • 374bbf5 fix: apply code build script
  • dd5ecff fix: apply code build script
  • 7791ac0 Compare case-insenitively for full cache key match (#303)
  • 49df1bd Consider all installed toolchains in cache key (#293)
  • 84286e5 Consider all installed toolchains in cache key (#293)
  • Additional commits viewable in compare view

Updates taiki-e/install-action from 2.73.0 to 2.82.2

Release notes

Sourced from taiki-e/install-action's releases.

2.82.2

  • Update xh@latest to 0.26.1.

  • Update uv@latest to 0.11.23.

  • Update trivy@latest to 0.71.2.

  • Update sccache@latest to 0.16.0.

2.82.1

  • Update vacuum@latest to 0.29.4.

  • Update uv@latest to 0.11.22.

  • Update osv-scanner@latest to 2.4.0.

  • Update mise@latest to 2026.6.11.

  • Update martin@latest to 1.11.0.

  • Update just@latest to 1.53.0.

  • Update cargo-zigbuild@latest to 0.23.0.

2.82.0

  • Support cargo-vet. (#1908, thanks @​jakewimmer)

  • Support cargo-crap. (#1905, thanks @​BartoszCiesla)

  • Support cargo-leptos. (#1903, thanks @​404Simon)

  • Update kingfisher@latest to 1.103.0.

  • Update cargo-xwin@latest to 0.23.0.

  • Update wasmtime@latest to 45.0.2.

  • Update cargo-deny@latest to 0.19.9.

  • Update prek@latest to 0.4.5.

  • Update trivy@latest to 0.71.1.

  • Update mise@latest to 2026.6.10.

2.81.11

  • Update wasm-tools@latest to 1.252.0.

  • Update wasm-bindgen@latest to 0.2.125.

... (truncated)

Changelog

Sourced from taiki-e/install-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

This project adheres to Semantic Versioning.

[Unreleased]

[2.82.2] - 2026-06-21

  • Update xh@latest to 0.26.1.

  • Update uv@latest to 0.11.23.

  • Update trivy@latest to 0.71.2.

  • Update sccache@latest to 0.16.0.

[2.82.1] - 2026-06-20

  • Update vacuum@latest to 0.29.4.

  • Update uv@latest to 0.11.22.

  • Update osv-scanner@latest to 2.4.0.

  • Update mise@latest to 2026.6.11.

  • Update martin@latest to 1.11.0.

  • Update just@latest to 1.53.0.

  • Update cargo-zigbuild@latest to 0.23.0.

[2.82.0] - 2026-06-17

... (truncated)

Commits

Updates step-security/paths-filter from 3.0.5 to 4.0.1

Release notes

Sourced from step-security/paths-filter's releases.

v4.0.1

What's Changed

Full Changelog: step-security/paths-filter@v3...v4.0.1

Commits
  • 5c5241b Merge pull request #243 from step-security/feat/update-subscription-check
  • 4a740b4 claude comments addressed
  • c3c4a64 feat: added banner and update subscription check to make maintained actions f...
  • e7a5f27 Merge pull request #241 from step-security/auto-cherry-pick
  • 81a12d9 chore: Cherry-picked changes from upstream for conflicting changes
  • 8f54c5a feat: add merge_group event support
  • 6a7c5d6 Merge pull request #240 from step-security/auto-cherry-pick
  • c79c47b chore: Cherry-picked changes from upstream in package.json
  • 000dc59 feat: update action runtime to node24
  • 60b52a2 Merge pull request #236 from step-security/auto-cherry-pick
  • Additional commits viewable in compare view

Updates github/codeql-action from 4.35.1 to 4.36.2

Release notes

Sourced from github/codeql-action's releases.

v4.36.2

  • Cache CodeQL CLI version information across Actions steps. #3943
  • Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937
  • Update default CodeQL bundle version to 2.25.6. #3948

v4.36.1

No user facing changes.

v4.36.0

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893
  • Update default CodeQL bundle version to 2.25.5. #3926

v4.35.5

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

v4.35.4

  • Update default CodeQL bundle version to 2.25.4. #3881

v4.35.3

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

v4.35.2

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster ...

    Description has been truncated

…dates

Bumps the github-actions group with 14 updates in the /.github/workflows directory:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.16.1` | `2.19.4` |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `7.0.0` |
| [rust-lang/crates-io-auth-action](https://github.com/rust-lang/crates-io-auth-action) | `1.0.4` | `1.0.5` |
| [step-security/action-gh-release](https://github.com/step-security/action-gh-release) | `2.6.1` | `3.0.0` |
| [step-security/action-semantic-pull-request](https://github.com/step-security/action-semantic-pull-request) | `6.1.1` | `6.1.2` |
| [step-security/rust-cache](https://github.com/step-security/rust-cache) | `2.8.3` | `2.9.1` |
| [taiki-e/install-action](https://github.com/taiki-e/install-action) | `2.73.0` | `2.82.2` |
| [step-security/paths-filter](https://github.com/step-security/paths-filter) | `3.0.5` | `4.0.1` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.35.1` | `4.36.2` |
| [actions/labeler](https://github.com/actions/labeler) | `6.0.1` | `6.1.0` |
| [actions/github-script](https://github.com/actions/github-script) | `8.0.0` | `9.0.0` |
| [googleapis/release-please-action](https://github.com/googleapis/release-please-action) | `4.4.0` | `5.0.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.9.0` | `5.0.0` |



Updates `step-security/harden-runner` from 2.16.1 to 2.19.4
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@fe10465...9af89fc)

Updates `actions/checkout` from 6.0.2 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...9c091bb)

Updates `rust-lang/crates-io-auth-action` from 1.0.4 to 1.0.5
- [Release notes](https://github.com/rust-lang/crates-io-auth-action/releases)
- [Commits](rust-lang/crates-io-auth-action@bbd8162...c6f97d4)

Updates `step-security/action-gh-release` from 2.6.1 to 3.0.0
- [Release notes](https://github.com/step-security/action-gh-release/releases)
- [Commits](step-security/action-gh-release@dc29ef0...277bfa8)

Updates `step-security/action-semantic-pull-request` from 6.1.1 to 6.1.2
- [Release notes](https://github.com/step-security/action-semantic-pull-request/releases)
- [Commits](step-security/action-semantic-pull-request@bc0cf74...75d2dd5)

Updates `step-security/rust-cache` from 2.8.3 to 2.9.1
- [Release notes](https://github.com/step-security/rust-cache/releases)
- [Commits](step-security/rust-cache@9be15b8...851174d)

Updates `taiki-e/install-action` from 2.73.0 to 2.82.2
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](taiki-e/install-action@7a562df...9e1e580)

Updates `step-security/paths-filter` from 3.0.5 to 4.0.1
- [Release notes](https://github.com/step-security/paths-filter/releases)
- [Commits](step-security/paths-filter@6eee183...5c5241b)

Updates `github/codeql-action` from 4.35.1 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@c10b806...8aad20d)

Updates `actions/labeler` from 6.0.1 to 6.1.0
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@634933e...f27b608)

Updates `actions/github-script` from 8.0.0 to 9.0.0
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@ed59741...3a2844b)

Updates `googleapis/release-please-action` from 4.4.0 to 5.0.0
- [Release notes](https://github.com/googleapis/release-please-action/releases)
- [Changelog](https://github.com/googleapis/release-please-action/blob/main/CHANGELOG.md)
- [Commits](googleapis/release-please-action@16a9c90...45996ed)

Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

Updates `actions/dependency-review-action` from 4.9.0 to 5.0.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@2031cfc...a1d282b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: rust-lang/crates-io-auth-action
  dependency-version: 1.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: step-security/action-gh-release
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: step-security/action-semantic-pull-request
  dependency-version: 6.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: step-security/rust-cache
  dependency-version: 2.9.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: taiki-e/install-action
  dependency-version: 2.82.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: step-security/paths-filter
  dependency-version: 4.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/labeler
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/github-script
  dependency-version: 9.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: googleapis/release-please-action
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/dependency-review-action
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added area/ci CI/CD area/deps Dependencies labels Jun 22, 2026
@github-actions github-actions Bot added the area/config Configuration label Jun 22, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 29, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/dot-github/workflows/github-actions-8d7e254d75 branch June 29, 2026 09:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/ci CI/CD area/config Configuration area/deps Dependencies

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants