Skip to content

Bump the github-actions group across 1 directory with 9 updates #3830

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Bump the github-actions group across 1 directory with 9 updates #3830

wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 1, 2025
edited
Loading

Bumps the github-actions group with 9 updates in the / directory:

Package From To
step-security/harden-runner 2.5.1 2.11.0
actions/checkout 2.7.0 4.2.2
arduino/setup-protoc 1.3.0 3.0.0
github/codeql-action 2.21.3 3.28.10
actions/dependency-review-action 3.0.7 4.5.0
actions/setup-java 3.12.0 4.7.0
google/osv-scanner-action 8bd1ce1c4be9d98053ffd9e6e14585276a36762c e6898c9042613f73c90501bfa535f3c2c73b9140
ossf/scorecard-action 2.3.3 2.4.1
actions/upload-artifact 4.3.3 4.6.1

Updates step-security/harden-runner from 2.5.1 to 2.11.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.11.0

What's Changed

Release v2.11.0 in #498 Harden-Runner Enterprise tier now supports the use of eBPF for DNS resolution and network call monitoring

Full Changelog: step-security/harden-runner@v2...v2.11.0

v2.10.4

What's Changed

Fixed a potential Harden-Runner post step failure that could occur when printing agent service logs. The fix gracefully handles failures without failing the post step.

Full Changelog: step-security/harden-runner@v2...v2.10.4

v2.10.3

What's Changed

Fixed an issue where DNS requests using uppercase characters (e.g., EXAMPLE.com) were blocked even when the domain was present in the allowed list. This update standardizes domain names to lowercase for consistent comparison.

Full Changelog: step-security/harden-runner@v2...v2.10.3

v2.10.2

What's Changed

  1. Fixes low-severity command injection weaknesses The advisory is here: GHSA-g85v-wf27-67xc

  2. Bug fix to improve detection of whether Harden-Runner is running in a container

Full Changelog: step-security/harden-runner@v2...v2.10.2

v2.10.1

What's Changed

Release v2.10.1 by @​varunsh-coder in step-security/harden-runner#463 Bug fix: Resolves an issue where DNS resolution of .local domains was failing when using a Kind cluster in a GitHub Actions workflow.

Full Changelog: step-security/harden-runner@v2...v2.10.1

v2.10.0

What's Changed

Release v2.10.0 by @​h0x0er and @​varunsh-coder in step-security/harden-runner#455

ARM Support: Harden-Runner Enterprise tier now supports GitHub-hosted ARM runners. This includes all the features that apply to previously supported GitHub-hosted x64 Linux runners.

Full Changelog: step-security/harden-runner@v2...v2.10.0

v2.9.1

What's Changed

Release v2.9.1 by @​h0x0er and @​varunsh-coder in #440 This release includes two changes:

  1. Updated markdown displayed in the job summary by the Harden-Runner Action.
  2. Fixed a bug affecting Enterprise Tier customers where the agent attempted to upload telemetry for jobs with disable-telemetry set to true. No telemetry was uploaded as the endpoint was not in the allowed list.

... (truncated)

Commits

Updates actions/checkout from 2.7.0 to 4.2.2

Release notes

Sourced from actions/checkout's releases.

v4.2.2

What's Changed

Full Changelog: actions/checkout@v4.2.1...v4.2.2

v4.2.1

What's Changed

New Contributors

Full Changelog: actions/checkout@v4.2.0...v4.2.1

v4.2.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v4.1.7...v4.2.0

v4.1.7

What's Changed

New Contributors

Full Changelog: actions/checkout@v4.1.6...v4.1.7

v4.1.6

What's Changed

Full Changelog: actions/checkout@v4.1.5...v4.1.6

v4.1.5

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

... (truncated)

Commits

Updates arduino/setup-protoc from 1.3.0 to 3.0.0

Release notes

Sourced from arduino/setup-protoc's releases.

v3.0.0

What's Changed

New Contributors

Full Changelog: arduino/setup-protoc@v2.1.0...v3.0.0

v2.1.0

What's Changed

New Contributors

Full Changelog: arduino/setup-protoc@v2.0.0...v2.1.0

v2.0.0

Changelog

Adding support for the MINOR.PATCH tag naming

Breaking

Full Changelog: arduino/setup-protoc@v1.3.0...v2.0.0

Contributors

Commits

Updates github/codeql-action from 2.21.3 to 3.28.10

Release notes

Sourced from github/codeql-action's releases.

v3.28.10

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.10 - 21 Feb 2025

  • Update default CodeQL bundle version to 2.20.5. #2772
  • Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #2768

See the full CHANGELOG.md for more information.

v3.28.9

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.9 - 07 Feb 2025

  • Update default CodeQL bundle version to 2.20.4. #2753

See the full CHANGELOG.md for more information.

v3.28.8

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.8 - 29 Jan 2025

  • Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. #2744

See the full CHANGELOG.md for more information.

v3.28.7

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.7 - 29 Jan 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.28.6

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

3.28.10 - 21 Feb 2025

  • Update default CodeQL bundle version to 2.20.5. #2772
  • Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #2768

3.28.9 - 07 Feb 2025

  • Update default CodeQL bundle version to 2.20.4. #2753

3.28.8 - 29 Jan 2025

  • Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. #2744

3.28.7 - 29 Jan 2025

No user facing changes.

3.28.6 - 27 Jan 2025

  • Re-enable debug artifact upload for CLI versions 2.20.3 or greater. #2726

3.28.5 - 24 Jan 2025

  • Update default CodeQL bundle version to 2.20.3. #2717

3.28.4 - 23 Jan 2025

No user facing changes.

3.28.3 - 22 Jan 2025

  • Update default CodeQL bundle version to 2.20.2. #2707
  • Fix an issue downloading the CodeQL Bundle from a GitHub Enterprise Server instance which occurred when the CodeQL Bundle had been synced to the instance using the CodeQL Action sync tool and the Actions runner did not have Zstandard installed. #2710
  • Uploading debug artifacts for CodeQL analysis is temporarily disabled. #2712

3.28.2 - 21 Jan 2025

No user facing changes.

3.28.1 - 10 Jan 2025

  • CodeQL Action v2 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v3. For more information, see this changelog post. #2677

... (truncated)

Commits
  • b56ba49 Merge pull request #2778 from github/update-v3.28.10-9856c48b1
  • 60c9c77 Update changelog for v3.28.10
  • 9856c48 Merge pull request #2773 from github/redsun82/rust
  • 9572e09 Rust: fix log string
  • 1a52936 Rust: special case default setup
  • cf7e909 Merge pull request #2772 from github/update-bundle/codeql-bundle-v2.20.5
  • b7006aa Merge branch 'main' into update-bundle/codeql-bundle-v2.20.5
  • cfedae7 Rust: throw configuration errors if requested and not correctly enabled
  • 3971ed2 Merge branch 'main' into redsun82/rust
  • d38c6e6 Merge pull request #2775 from github/angelapwen/bump-octokit
  • Additional commits viewable in compare view

Updates actions/dependency-review-action from 3.0.7 to 4.5.0

Release notes

Sourced from actions/dependency-review-action's releases.

v4.5.0

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4...v4.5.0

v4.4.0

What's Changed

Full Changelog: actions/dependency-review-action@v4.3.5...v4.4.0

v4.3.5

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.3.4...v4.3.5

v4.3.4

What's Changed

Full Changelog: actions/dependency-review-action@v4.3.3...v4.3.4

Notes for v4.3.3

What's Changed

... (truncated)

Commits
  • 3b139cf Merge pull request #851 from actions/ahmed3lmallah/prepare-for-4.5.0-release
  • d6807b6 updating generated code
  • c89b41f addressing lint issues
  • eee97d8 incrementing project version
  • 9d10182 Merge pull request #827 from ebickle/fix/comment-warn-only
  • 9192be9 Merge pull request #850 from actions/ahmed3lmallah/adressing-CVE-2024-21538
  • 2fc8e23 Using cross-spawn safe version
  • fb86db2 fix: resolve race conditions in async core.group calls
  • 0a198ab fix: replace integer failureCount with boolean
  • fc499fc Merge branch 'main' into fix/comment-warn-only
  • Additional commits viewable in compare view

Updates actions/setup-java from 3.12.0 to 4.7.0

Release notes

Sourced from actions/setup-java's releases.

v4.7.0

What's Changed

New Contributors

Full Changelog: actions/setup-java@v4...v4.7.0

v4.6.0

What's Changed

Add-ons:

 - name: Checkout
   uses: actions/checkout@v4
 - name: Setup-java
   uses: actions/setup-java@v4
   with:
     distribution: ‘jetbrains’
     java-version: '21'

Bug fixes:

New Contributors

Full Changelog: actions/setup-java@v4...v4.6.0

v4.5.0

What's Changed

Bug fixes:

New Contributors:

... (truncated)

Commits

Updates google/osv-scanner-action from 8bd1ce1c4be9d98053ffd9e6e14585276a36762c to e6898c9042613f73c90501bfa535f3c2c73b9140

Commits
  • e6898c9 Merge pull request #57 from mullvad/support-checking-out-submodules
  • ab8175f Expose workflow input to allow checking out git submodules
  • b291b69 Merge pull request #52 from GeoDerp/main
  • adb15ca Merge pull request #55 from renovate-bot/renovate/workflows
  • efbfc13 chore(deps): update github/codeql-action action to v3.28.8
  • 1266768 Merge pull request #50 from renovate-bot/renovate/workflows
  • c10cec9 chore(deps): update workflows
  • b49eaf1 Merge branch 'main' into main
  • 764c918 Merge pull request #53 from google/update-to-v1.9.2
  • af3118a Update unified workflow example to point to v1.9.2 reusable workflows
  • Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.3.3 to 2.4.1

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.1

What's Changed

  • This update bumps the Scorecard version to the v5.1.1 release. For a complete list of changes, please refer to the v5.1.0 and v5.1.1 release notes.
  • Publishing results now uses half the API quota as before. The exact savings depends on the repository in question.
  • Some errors were made into annotations to make them more visible
  • There is now an optional file_mode input which controls how repository files are fetched from GitHub. The default is archive, but git produces the most accurate results for repositories with .gitattributes files at the cost of analysis speed.
  • The underlying container for the action is now hosted on GitHub Container Registry. There should be no functional changes.

Docs

New Contributors

v2.4.0

What's Changed

This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the v5.0.0 release notes. Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation.

Documentation

New Contributors

Full Changelog: ossf/scorecard-action@v2.3.3...v2.4.0

Commits

Updates actions/upload-artifact from 4.3.3 to 4.6.1

Release notes

Sourced from actions/upload-artifact's releases.

v4.6.1

What's Changed

Full Changelog: actions/upload-artifact@v4...v4.6.1

v4.6.0

What's Changed

Full Changelog: actions/upload-artifact@v4...v4.6.0

v4.5.0

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v4.4.3...v4.5.0

v4.4.3

What's Changed

Full Changelog: actions/upload-artifact@v4.4.2...v4.4.3

v4.4.2

What's Changed

Full Changelog: actions/upload-artifact@v4.4.1...v4.4.2

v4.4.1

What's Ch...

Description has been truncated

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot requested a review from a team as a code owner March 1, 2025 22:17
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 1, 2025
@dependabot dependabot bot mentioned this pull request Mar 1, 2025
Closed
@dependabot dependabot bot force-pushed the dependabot/github_actions/github-actions-856d6d6612 branch from 3429053 to aa860f4 Compare April 1, 2025 22:45
@dependabot dependabot bot force-pushed the dependabot/github_actions/github-actions-856d6d6612 branch from aa860f4 to c6ffcbd Compare May 1, 2025 22:47
@dependabot dependabot bot force-pushed the dependabot/github_actions/github-actions-856d6d6612 branch from c6ffcbd to 617040f Compare June 1, 2025 22:45
@dependabot dependabot bot force-pushed the dependabot/github_actions/github-actions-856d6d6612 branch from 617040f to 7b042b9 Compare July 1, 2025 22:13
@dependabot dependabot bot force-pushed the dependabot/github_actions/github-actions-856d6d6612 branch from 7b042b9 to 1d103d0 Compare August 1, 2025 22:54
@dependabot dependabot bot force-pushed the dependabot/github_actions/github-actions-856d6d6612 branch from 1d103d0 to 9a8ae95 Compare October 1, 2025 22:03
@dependabot
Bump the github-actions group across 1 directory with 9 updates
4cd8e02 
Bumps the github-actions group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.5.1` | `2.11.0` |
| [actions/checkout](https://github.com/actions/checkout) | `2.7.0` | `4.2.2` |
| [arduino/setup-protoc](https://github.com/arduino/setup-protoc) | `1.3.0` | `3.0.0` |
| [github/codeql-action](https://github.com/github/codeql-action) | `2.21.3` | `3.28.10` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `3.0.7` | `4.5.0` |
| [actions/setup-java](https://github.com/actions/setup-java) | `3.12.0` | `4.7.0` |
| [google/osv-scanner-action](https://github.com/google/osv-scanner-action) | `8bd1ce1c4be9d98053ffd9e6e14585276a36762c` | `e6898c9042613f73c90501bfa535f3c2c73b9140` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.3.3` | `2.4.1` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.3.3` | `4.6.1` |



Updates `step-security/harden-runner` from 2.5.1 to 2.11.0
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@8ca2b8b...4d991eb)

Updates `actions/checkout` from 2.7.0 to 4.2.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2.7.0...11bd719)

Updates `arduino/setup-protoc` from 1.3.0 to 3.0.0
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](arduino/setup-protoc@149f6c8...c65c819)

Updates `github/codeql-action` from 2.21.3 to 3.28.10
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v2.21.3...b56ba49)

Updates `actions/dependency-review-action` from 3.0.7 to 4.5.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@7d90b4f...3b139cf)

Updates `actions/setup-java` from 3.12.0 to 4.7.0
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](actions/setup-java@cd89f46...3a4f6e1)

Updates `google/osv-scanner-action` from 8bd1ce1c4be9d98053ffd9e6e14585276a36762c to e6898c9042613f73c90501bfa535f3c2c73b9140
- [Release notes](https://github.com/google/osv-scanner-action/releases)
- [Commits](google/osv-scanner-action@8bd1ce1...e6898c9)

Updates `ossf/scorecard-action` from 2.3.3 to 2.4.1
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@dc50aa9...f49aabe)

Updates `actions/upload-artifact` from 4.3.3 to 4.6.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@6546280...4cec3d8)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: arduino/setup-protoc
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-java
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: google/osv-scanner-action
  dependency-type: direct:production
  dependency-group: github-actions
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/github_actions/github-actions-856d6d6612 branch from 9a8ae95 to 4cd8e02 Compare November 1, 2025 22:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant