chore(deps): bump the actions-version-updates group across 1 directory with 10 updates by dependabot[bot] · Pull Request #19 · zitadel/example-auth-hono

dependabot · 2026-01-13T01:35:25Z

Bumps the actions-version-updates group with 10 updates in the / directory:

Package	From	To
step-security/harden-runner	`2.12.0`	`2.19.4`
actions/checkout	`4.2.2`	`7.0.0`
actions/dependency-review-action	`4.7.1`	`5.0.0`
actions/setup-node	`4`	`6`
stefanzweifel/git-auto-commit-action	`5.2.0`	`7.1.0`
ossf/scorecard-action	`2.4.1`	`2.4.3`
github/codeql-action	`3.28.18`	`4.36.2`
mridang/action-test-reporter	`1`	`3`
actions/upload-artifact	`4.6.2`	`7.0.1`
dorny/test-reporter	`2.0.0`	`3.0.0`

Updates step-security/harden-runner from 2.12.0 to 2.19.4

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.4

What's Changed

Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

What's Changed

Default to audit mode when api-key missing with use-policy-store by @varunsh-coder in step-security/harden-runner#665

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

What's Changed

Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657

What the fix changes

Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).

Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

@devantler made their first contribution in step-security/harden-runner#657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.

System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

... (truncated)

Commits

9af89fc Merge pull request #667 from step-security/update-agent-v1.8.6
485dce8 Update agent to v1.8.6
ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit
ec41b78 Default to audit mode when api-key missing with use-policy-store
9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
1dee3df Update agent to v1.8.5
a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
6e92856 build dist and trim ubuntu-slim message
4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
8d3c67d Release v2.19.0 (#661)
Additional commits viewable in compare view

Updates actions/checkout from 4.2.2 to 7.0.0

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

block checking out fork pr for pull_request_target and workflow_run by @aiqiaoy in actions/checkout#2454

Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @dependabot[bot] in actions/checkout#2458

Bump flatted from 3.3.1 to 3.4.2 by @dependabot[bot] in actions/checkout#2460

Bump js-yaml from 4.1.0 to 4.2.0 by @dependabot[bot] in actions/checkout#2461

Bump @actions/core and @actions/tool-cache and Remove uuid by @dependabot[bot] in actions/checkout#2459

upgrade module to esm and update dependencies by @aiqiaoy in actions/checkout#2463

Bump the minor-npm-dependencies group across 1 directory with 3 updates by @dependabot[bot] in actions/checkout#2462

getting ready for checkout v7 release by @aiqiaoy in actions/checkout#2464

update error wording by @aiqiaoy in actions/checkout#2467

New Contributors

@aiqiaoy made their first contribution in actions/checkout#2454

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

Update changelog by @ericsciple in actions/checkout#2357

fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in actions/checkout#2414

Fix checkout init for SHA-256 repositories by @yaananth in actions/checkout#2439

Update changelog for v6.0.3 by @yaananth in actions/checkout#2446

New Contributors

@yaananth made their first contribution in actions/checkout#2414

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set by @TingluoHuang in actions/checkout#2355

Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in actions/checkout#2356

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Update all references from v5 and v4 to v6 by @ericsciple in actions/checkout#2314

Add worktree support for persist-credentials includeIf by @ericsciple in actions/checkout#2327

Clarify v6 README by @ericsciple in actions/checkout#2328

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

Update README to include Node.js 24 support details and requirements by @salmanmkc in actions/checkout#2248

Persist creds to a separate file by @ericsciple in actions/checkout#2286

v6-beta by @ericsciple in actions/checkout#2298

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

Block checking out fork PR for pull_request_target and workflow_run by @aiqiaoy in actions/checkout#2454

Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @dependabot[bot] in actions/checkout#2458

Bump flatted from 3.3.1 to 3.4.2 by @dependabot[bot] in actions/checkout#2460

Bump js-yaml from 4.1.0 to 4.2.0 by @dependabot[bot] in actions/checkout#2461

Bump @actions/core and @actions/tool-cache and Remove uuid by @dependabot[bot] in actions/checkout#2459

upgrade module to esm and update dependencies by @aiqiaoy in actions/checkout#2463

Bump the minor-npm-dependencies group across 1 directory with 3 updates by @dependabot[bot] in actions/checkout#2462

v6.0.3

Fix checkout init for SHA-256 repositories by @yaananth in actions/checkout#2439

fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in actions/checkout#2414

v6.0.2

Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in actions/checkout#2356

v6.0.1

Add worktree support for persist-credentials includeIf by @ericsciple in actions/checkout#2327

v6.0.0

Persist creds to a separate file by @ericsciple in actions/checkout#2286

Update README to include Node.js 24 support details and requirements by @salmanmkc in actions/checkout#2248

v5.0.1

Port v6 cleanup to v5 by @ericsciple in actions/checkout#2301

v5.0.0

Update actions checkout to use node 24 by @salmanmkc in actions/checkout#2226

v4.3.1

Port v6 cleanup to v4 by @ericsciple in actions/checkout#2305

v4.3.0

docs: update README.md by @motss in actions/checkout#1971

Add internal repos for checking out multiple repositories by @mouismail in actions/checkout#1977

Documentation update - add recommended permissions to Readme by @benwells in actions/checkout#2043

Adjust positioning of user email note and permissions heading by @joshmgross in actions/checkout#2044

Update README.md by @nebuk89 in actions/checkout#2194

Update CODEOWNERS for actions by @TingluoHuang in actions/checkout#2224

Update package dependencies by @salmanmkc in actions/checkout#2236

v4.2.2

url-helper.ts now leverages well-known environment variables by @jww3 in actions/checkout#1941

Expand unit test coverage for isGhes by @jww3 in actions/checkout#1946

v4.2.1

Check out other refs/* by commit if provided, fall back to ref by @orhantoy in actions/checkout#1924

... (truncated)

Commits

9c091bb update error wording (#2467)
1044a6d getting ready for checkout v7 release (#2464)
f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
d914b26 upgrade module to esm and update dependencies (#2463)
537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
0f9f3aa Bump actions/publish-immutable-action (#2458)
f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)
df4cb1c Update changelog for v6.0.3 (#2446)
Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.7.1 to 5.0.0

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

Add .github/copilot-instructions.md for Copilot coding agent by @ahpook in actions/dependency-review-action#1067

Update Node.js runtime from 20 to 24 by @scottschreckengaust in actions/dependency-review-action#1084

Bump spdx-license-ids from 3.0.20 to 3.0.23 by @mongolyy in actions/dependency-review-action#1091

docs: bump actions/checkout from v4 to v6 in workflow examples by @Marukome0743 in actions/dependency-review-action#1077

fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @tspascoal in actions/dependency-review-action#1076

Resolve security findings by @AshelyTC in actions/dependency-review-action#1094

v5.0.0 release branch by @ahpook in actions/dependency-review-action#1098

New Contributors

@scottschreckengaust made their first contribution in actions/dependency-review-action#1084

@mongolyy made their first contribution in actions/dependency-review-action#1091

@Marukome0743 made their first contribution in actions/dependency-review-action#1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @felickz!

Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @jantiebot!

There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @juxtin!

What's Changed

Compare normalized purls to account for encoding quirks by @juxtin in actions/dependency-review-action#1056

Make purl comparisons case insensitive by @juxtin in actions/dependency-review-action#1057

Feat: Add Patched Version to Vulnerabilities summary by @felickz in actions/dependency-review-action#1045

fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @jantiebot in actions/dependency-review-action#1060

Bump actions/stale from 10.1.0 to 10.2.0 by @dependabot[bot] in actions/dependency-review-action#1058

Bump actions/checkout from 4 to 6 by @dependabot[bot] in actions/dependency-review-action#1021

Updates for release 4.9.0 by @ahpook in actions/dependency-review-action#1064

New Contributors

@jantiebot made their first contribution in actions/dependency-review-action#1060

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

GitHub Actions can't push to our protected main by @dangoor in actions/dependency-review-action#1017

Bump actions/stale from 9.1.0 to 10.1.0 by @dependabot[bot] in actions/dependency-review-action#995

... (truncated)

Commits

a1d282b Merge pull request #1098 from actions/ahpook/v5-release
eb6c199 update examples to show @v5
3943c2c v5.0.0 release branch
454943c Merge pull request #1094 from actions/ashelytc/security-findings
6d92a12 revert @typescript-eslint/parser update
a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
b6b7079 update @typescript-eslint/parser to 8.40.0
821a21d update more dependencies
05aaaae run npm audit fix
55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
Additional commits viewable in compare view

Updates actions/setup-node from 4 to 6

Release notes

Sourced from actions/setup-node's releases.

v6.0.0

What's Changed

Breaking Changes

Limit automatic caching to npm, update workflows and documentation by @priyagupta108 in actions/setup-node#1374

Dependency Upgrades

Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @dependabot[bot] in #1336

Upgrade prettier from 2.8.8 to 3.6.2 by @dependabot[bot] in #1334

Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @dependabot[bot] in #1362

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

What's Changed

Breaking Changes

Enhance caching in setup-node with automatic package manager detection by @priya-kinthali in actions/setup-node#1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set package-manager-cache: false
steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false
Upgrade action to use node24 by @salmanmkc in actions/setup-node#1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

Upgrade @octokit/request-error and @actions/github by @dependabot[bot] in actions/setup-node#1227

Upgrade uuid from 9.0.1 to 11.1.0 by @dependabot[bot] in actions/setup-node#1273

Upgrade undici from 5.28.5 to 5.29.0 by @dependabot[bot] in actions/setup-node#1295

Upgrade form-data to bring in fix for critical vulnerability by @gowridurgad in actions/setup-node#1332

Upgrade actions/checkout from 4 to 5 by @dependabot[bot] in actions/setup-node#1345

New Contributors

@priya-kinthali made their first contribution in actions/setup-node#1348

@salmanmkc made their first contribution in actions/setup-node#1325

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

... (truncated)

Commits

48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
ab72c7e Upgrade @actions dependencies (#1525)
53b8394 Bump minimatch from 3.1.2 to 3.1.5 (#1498)
54045ab Scope test lockfiles by package manager and update cache tests (#1495)
c882bff Replace uuid with crypto.randomUUID() (#1378)
774c1d6 feat(node-version-file): support parsing devEngines field (#1283)
efcb663 fix: remove hardcoded bearer (#1467)
d02c89d Fix npm audit issues (#1491)
6044e13 Docs: bump actions/checkout from v5 to v6 (#1468)
8e49463 Fix README typo (#1226)
Additional commits viewable in compare view

Updates stefanzweifel/git-auto-commit-action from 5.2.0 to 7.1.0

Release notes

Sourced from stefanzweifel/git-auto-commit-action's releases.

v7.1.0

Added

Add skip_push input option (#401) @kvanzuijlen

Changes

docs: fix typo in README.md (#400) @GideonBear

Dependency Updates

Bump actions/checkout from 5 to 6 (#399) [@dependabot[bot]](https://github.com/@[dependabot[bot]](https://github.com/apps/dependabot))

Bump bats from 1.12.0 to 1.13.0 (#398) [@dependabot[bot]](https://github.com/@[dependabot[bot]](https://github.com/apps/dependabot))

v7.0.0

Added

Restore skip_fetch, skip_checkout, create_branch (#388) @stefanzweifel

Restore Detached State Detection (#393) @stefanzweifel

Add Support for Tag Messages (#391) @EliasBoulharts

Changed

Run Action on Node 24 (#389) @stefanzweifel

Dependency Updates

Bump actions/checkout from 4 to 5 (#386) [@dependabot[bot]](https://github.com/@[dependabot[bot]](https://github.com/apps/dependabot))

v6.0.1

Fixed

Disable Check if Repo is in Detached State (#379) @stefanzweifel

v6.0.0

Added

Throw error early if repository is in a detached state (#357)

Fixed

Fix PAT instructions with Dependabot (#376) @Dreamsorcerer

Removed

Remove support for create_branch, skip_checkout, skip_Fetch (#314)

Changelog

Sourced from stefanzweifel/git-auto-commit-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Unreleased

TBD

v7.1.0 - 2025-12-17

Added

Add skip_push input option (#401) @kvanzuijlen

Changes

docs: fix typo in README.md (#400) @GideonBear

Dependency Updates

Bump actions/checkout from 5 to 6 (#399) [@dependabot[bot]](https://github.com/@[dependabot[bot]](https://github.com/apps/dependabot))

Bump bats from 1.12.0 to 1.13.0 (#398) [@dependabot[bot]](https://github.com/@[dependabot[bot]](https://github.com/apps/dependabot))

v7.0.0 - 2025-10-12

Added

Restore skip_fetch, skip_checkout, create_branch (#388) @stefanzweifel

Restore Detached State Detection (#393) @stefanzweifel

Add Support for Tag Messages (#391) @EliasBoulharts

Changed

Run Action on Node 24 (#389) @stefanzweifel

Dependency Updates

Bump actions/checkout from 4 to 5 (#386) [@dependabot[bot]](https://github.com/@[dependabot[bot]](https://github.com/apps/dependabot))

v6.0.1 - 2025-06-11

Fixed

Disable Check if Repo is in Detached State (#379) @stefanzweifel

v6.0.0 - 2025-06-10

... (truncated)

Commits

04702ed Bump actions/checkout from 5 to 6 (#399)
1e49d50 Add skip_push input option (#401)
65c5677 docs: fix typo in README.md (#400)
547c140 Bump bats from 1.12.0 to 1.13.0 (#398)
8fa7f5a Update CHANGELOG
28e16e8 Release preparations for v7 (#394)
698fd76 Merge pull request #391 from EliasBoulharts/custom-tag-message
c40819a Update README
d7ee275 Change internal variable names
e8684eb Fix Tests
Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.1 to 2.4.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.3

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

docs: clarify GITHUB_TOKEN permissions needed for private repos by @pankajtaneja5 in ossf/scorecard-action#1574

📖 Fix recommended command to test the image in development by @deivid-rodriguez in ossf/scorecard-action#1583

Other

add missing top-level token permissions to workflows by @timothyklee in ossf/scorecard-action#1566

setup codeowners for requesting reviews by @spencerschrock in ossf/scorecard-action#1576

🌱 Improve printing options by @deivid-rodriguez in ossf/scorecard-action#1584

New Contributors

@timothyklee made their first contribution in ossf/scorecard-action#1566

@pankajtaneja5 made their first contribution in ossf/scorecard-action#1574

@deivid-rodriguez made their first contribution in ossf/scorecard-action#1584

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

v2.4.2

What's Changed

This update bumps the Scorecard version to the v5.2.1 release. For a complete list of changes, please refer to the Scorecard v5.2.0 and v5.2.1 release notes.

Full Changelog: ossf/scorecard-action@v2.4.1...v2.4.2

Commits

4eaacf0 bump docker to ghcr v2.4.3 (#1587)
42e3a01 🌱 Bump the github-actions group with 3 updates (#1585)
88c07ac 🌱 Bump github.com/sigstore/cosign/v2 from 2.5.2 to 2.6.0 (#1579)
6c690f2 Bump github.com/ossf/scorecard/v5 from v5.2.1 to v5.3.0 (#1586)
92083b5 📖 Fix recommended command to test the image in development (#1583)
7975ea6 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
0d1a743 🌱 Bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#1575)
46e6e0c 🌱 Bump the github-actions group with 2 updates (#1580)
c3f1350 🌱 Improve printing options (#1584)
43e475b 🌱 Bump golang.org/x/net from 0.42.0 to 0.44.0 (#1578)
Additional commits viewable in compare view

Updates github/codeql-action from 3.28.18 to 4.36.2

Release notes

Sourced from github/codeql-action's releases.

v4.36.2

Cache CodeQL CLI version information across Actions steps. #3943

Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937

Update default CodeQL bundle version to 2.25.6. #3948

v4.36.1

No user facing changes.

v4.36.0

Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894

Add support for SHA-256 Git object IDs. #3893

Update default CodeQL bundle version to 2.25.5. #3926

v4.35.5

We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899

For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791

If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892

Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

v4.35.4

Update default CodeQL bundle version to 2.25.4. #3881

v4.35.3

Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837

Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850

Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853

Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852

Update default CodeQL bundle version to 2.25.3. #3865

v4.35.2

The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795

The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789

Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794

Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807

Update default CodeQL bundle version to 2.25.2. #3823

v4.35.1

Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

v4.35.0

Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767

Update default CodeQL bundle version to 2.25.1. #3773

v4.34.1

Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses.

…y with 10 updates Bumps the actions-version-updates group with 10 updates in the / directory: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.12.0` | `2.19.4` | | [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `7.0.0` | | [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.7.1` | `5.0.0` | | [actions/setup-node](https://github.com/actions/setup-node) | `4` | `6` | | [stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action) | `5.2.0` | `7.1.0` | | [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.4.1` | `2.4.3` | | [github/codeql-action](https://github.com/github/codeql-action) | `3.28.18` | `4.36.2` | | [mridang/action-test-reporter](https://github.com/mridang/action-test-reporter) | `1` | `3` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.1` | | [dorny/test-reporter](https://github.com/dorny/test-reporter) | `2.0.0` | `3.0.0` | Updates `step-security/harden-runner` from 2.12.0 to 2.19.4 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@0634a26...9af89fc) Updates `actions/checkout` from 4.2.2 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@11bd719...9c091bb) Updates `actions/dependency-review-action` from 4.7.1 to 5.0.0 - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@da24556...a1d282b) Updates `actions/setup-node` from 4 to 6 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@v4...v6) Updates `stefanzweifel/git-auto-commit-action` from 5.2.0 to 7.1.0 - [Release notes](https://github.com/stefanzweifel/git-auto-commit-action/releases) - [Changelog](https://github.com/stefanzweifel/git-auto-commit-action/blob/master/CHANGELOG.md) - [Commits](stefanzweifel/git-auto-commit-action@b863ae1...04702ed) Updates `ossf/scorecard-action` from 2.4.1 to 2.4.3 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@f49aabe...4eaacf0) Updates `github/codeql-action` from 3.28.18 to 4.36.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@ff0a06e...8aad20d) Updates `mridang/action-test-reporter` from 1 to 3 - [Release notes](https://github.com/mridang/action-test-reporter/releases) - [Changelog](https://github.com/mridang/action-test-reporter/blob/master/release.config.mjs) - [Commits](mridang/action-test-reporter@v1...v3) Updates `actions/upload-artifact` from 4.6.2 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@ea165f8...043fb46) Updates `dorny/test-reporter` from 2.0.0 to 3.0.0 - [Release notes](https://github.com/dorny/test-reporter/releases) - [Changelog](https://github.com/dorny/test-reporter/blob/main/CHANGELOG.md) - [Commits](dorny/test-reporter@6e6a65b...a43b3a5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions-version-updates - dependency-name: actions/dependency-review-action dependency-version: 4.8.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-version-updates - dependency-name: actions/setup-node dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions-version-updates - dependency-name: actions/upload-artifact dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions-version-updates - dependency-name: dorny/test-reporter dependency-version: 2.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-version-updates - dependency-name: github/codeql-action dependency-version: 4.31.10 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions-version-updates - dependency-name: mridang/action-test-reporter dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions-version-updates - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-version-updates - dependency-name: stefanzweifel/git-auto-commit-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions-version-updates - dependency-name: step-security/harden-runner dependency-version: 2.14.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-version-updates ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jan 13, 2026

dependabot Bot force-pushed the dependabot/github_actions/actions-version-updates-76190d6eca branch from 7091d0e to 8c7cdf4 Compare January 19, 2026 22:05

dependabot Bot force-pushed the dependabot/github_actions/actions-version-updates-76190d6eca branch 2 times, most recently from 81651b7 to a1b59ea Compare February 9, 2026 23:48

dependabot Bot force-pushed the dependabot/github_actions/actions-version-updates-76190d6eca branch from a1b59ea to d72a8fe Compare February 16, 2026 20:58

dependabot Bot force-pushed the dependabot/github_actions/actions-version-updates-76190d6eca branch from d72a8fe to 1bf42ac Compare February 23, 2026 22:25

dependabot Bot force-pushed the dependabot/github_actions/actions-version-updates-76190d6eca branch 2 times, most recently from 5471d97 to 438f77a Compare March 9, 2026 21:52

dependabot Bot force-pushed the dependabot/github_actions/actions-version-updates-76190d6eca branch 2 times, most recently from 55b7af0 to 16546d1 Compare March 23, 2026 20:58

dependabot Bot force-pushed the dependabot/github_actions/actions-version-updates-76190d6eca branch 2 times, most recently from 6b80e05 to 8fd42db Compare April 6, 2026 20:58

mridang force-pushed the main branch 2 times, most recently from f2ec864 to 8e895cd Compare April 11, 2026 03:58

dependabot Bot force-pushed the dependabot/github_actions/actions-version-updates-76190d6eca branch 3 times, most recently from ce9be13 to 11fe86d Compare April 16, 2026 20:55

dependabot Bot force-pushed the dependabot/github_actions/actions-version-updates-76190d6eca branch from 11fe86d to 198bdc4 Compare April 23, 2026 20:55

dependabot Bot force-pushed the dependabot/github_actions/actions-version-updates-76190d6eca branch 2 times, most recently from aa151fe to 5e6b3eb Compare May 14, 2026 20:56

dependabot Bot force-pushed the dependabot/github_actions/actions-version-updates-76190d6eca branch 2 times, most recently from 8221496 to 3cfd55f Compare June 4, 2026 20:54

dependabot Bot force-pushed the dependabot/github_actions/actions-version-updates-76190d6eca branch from 3cfd55f to 7ecb455 Compare June 18, 2026 20:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the actions-version-updates group across 1 directory with 10 updates#19

chore(deps): bump the actions-version-updates group across 1 directory with 10 updates#19
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions-version-updates-76190d6eca

dependabot Bot commented on behalf of github Jan 13, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jan 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v2.19.4

What's Changed

v2.19.3

What's Changed

v2.19.2

What's Changed

v2.19.1

What's Changed

New Contributors

v2.19.0

What's Changed

New Runner Support

Automated Incident Response for Supply Chain Attacks

Bug Fixes

v7.0.0

What's Changed

New Contributors

v6.0.3

What's Changed

New Contributors

v6.0.2

What's Changed

v6.0.1

What's Changed

v6.0.0

What's Changed

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

5.0.0

What's Changed

New Contributors

Dependency Review Action 4.9.0

What's Changed

New Contributors

4.8.3

Dependency Review Action v4.8.3

What's Changed

v6.0.0

What's Changed

v5.0.0

What's Changed

Breaking Changes

Dependency Upgrades

New Contributors

v4.4.0

v7.1.0

Added

Changes

Dependency Updates

v7.0.0

Added

Changed

Dependency Updates

v6.0.1

Fixed

v6.0.0

Added

Fixed

Removed

Changelog

Unreleased

v7.1.0 - 2025-12-17

Added

Changes

Dependency Updates

v7.0.0 - 2025-10-12

Added

dependabot Bot commented on behalf of github Jan 13, 2026 •

edited

Loading