chore(deps): Update GitHub Actions#240
Conversation
|
Warning Review limit reached
Next review available in: 17 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
There was a problem hiding this comment.
Pull request overview
This PR performs routine maintenance updates to SHA-pinned GitHub Actions used by this repo’s reusable workflows, aligning with the repository’s supply chain and security posture.
Changes:
- Updated
actions/download-artifactpin to the latest digest used by Renovate. - Updated
github/codeql-action/upload-sarifpin tov4.36.2. - Updated
actions/setup-nodeandanthropics/claude-code-actionto newer pinned SHAs.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/supply-chain-promote-core.yml | Updates pinned SHAs for artifact download, SARIF upload, and provenance attestation steps. |
| .github/workflows/python-dependency-provenance.yml | Updates the pinned actions/setup-node SHA used for frontend provenance steps. |
| .github/workflows/claude-baseline-review.yml | Updates the pinned anthropics/claude-code-action SHA for baseline triage reviews. |



Summary
Why
Scheduled patch update, bug fixes and security patches with no API changes.
Changes
This PR contains the following updates:
v4.1.0→v4.1.1448e3f8→634f93cv6.0.0→v6.4.0v1.0.158→v1.0.159v1.0.161(+1)v4.30.4→v4.36.2Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Impact
Acceptance Criteria
Testing
Notes
Release Notes
actions/attest-build-provenance (actions/attest-build-provenance)
v4.1.1Compare Source
What's Changed
Full Changelog: actions/attest-build-provenance@v4.1.0...v4.1.1
actions/setup-node (actions/setup-node)
v6.4.0Compare Source
What's Changed
Dependency updates:
New Contributors
Full Changelog: actions/setup-node@v6...v6.4.0
v6.3.0Compare Source
What's Changed
Enhancements:
devEnginesfield by @susnux in #1283Dependency updates:
Bug fixes:
New Contributors
Full Changelog: actions/setup-node@v6...v6.3.0
v6.2.0Compare Source
What's Changed
Documentation
Dependency updates:
New Contributors
Full Changelog: actions/setup-node@v6...v6.2.0
v6.1.0Compare Source
What's Changed
Enhancement:
Dependency updates:
Documentation update:
Full Changelog: actions/setup-node@v6...v6.1.0
anthropics/claude-code-action (anthropics/claude-code-action)
v1.0.159Compare Source
What's Changed
New Contributors
Full Changelog: anthropics/claude-code-action@v1...v1.0.159
github/codeql-action (github/codeql-action)
v4.36.2Compare Source
v4.36.1Compare Source
No user facing changes.
v4.36.0Compare Source
v4.35.5Compare Source
analysis-kindsinput, onlycode-scanningwill be enabled. Theanalysis-kindsinput is experimental, for GitHub-internal use only, and may change without notice at any time. #3892v4.35.4Compare Source
v4.35.3Compare Source
GETrequests instead ofHEADfor better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853v4.35.2Compare Source
CODEQL_ACTION_CLEANUP_TRAP_CACHESenvironment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing thetrap-caching: falseinput to theinitAction. #3795v4.35.1Compare Source
v4.35.0Compare Source
v4.34.1Compare Source
v4.34.0Compare Source
none. We expect this rollout to be complete by the end of April 2026. #3584v4.33.0Compare Source
Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562
To opt out of this change:
github-codeql-file-coverage-on-prsand the type "True/false", then set this property totruein the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set theCODEQL_ACTION_FILE_COVERAGE_ON_PRSenvironment variable totruein your workflow.CODEQL_ACTION_FILE_COVERAGE_ON_PRSenvironment variable totruein your workflow.CODEQL_ACTION_FILE_COVERAGE_ON_PRSenvironment variable totruein your workflow.Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557
The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as
github-codeql-disable-overlaythat was previously only available on GitHub.com. #3559Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563
Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564
A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570
v4.32.6Compare Source
v4.32.5Compare Source
github-codeql-disable-overlaycustom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the namegithub-codeql-disable-overlayand the type "True/false" in the organization's settings. Then in the repository's settings, set this property totrueto disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507start-proxyaction to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512v4.32.4Compare Source
v4.32.3Compare Source
v4.32.2Compare Source
v4.32.1Compare Source
v4.32.0Compare Source
v4.31.11Compare Source
v4.31.10Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
4.31.10 - 12 Jan 2026
See the full CHANGELOG.md for more information.
v4.31.9Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
4.31.9 - 16 Dec 2025
No user facing changes.
See the full CHANGELOG.md for more information.
v4.31.8Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
4.31.8 - 11 Dec 2025
See the full CHANGELOG.md for more information.
v4.31.7Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
4.31.7 - 05 Dec 2025
See the full CHANGELOG.md for more information.
v4.31.6Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
4.31.6 - 01 Dec 2025
No user facing changes.
See the full CHANGELOG.md for more information.
v4.31.5Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
4.31.5 - 24 Nov 2025
See the full CHANGELOG.md for more information.
v4.31.4Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
4.31.4 - 18 Nov 2025
No user facing changes.
See the full CHANGELOG.md for more information.
v4.31.3Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
4.31.3 - 13 Nov 2025
See the full CHANGELOG.md for more information.
v4.31.2Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
4.31.2 - 30 Oct 2025
No user facing changes.
See the full CHANGELOG.md for more information.
v4.31.1Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
4.31.1 - 30 Oct 2025
add-snippetsinput has been removed from theanalyzeaction. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.See the full CHANGELOG.md for more information.
v4.31.0Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
4.31.0 - 24 Oct 2025
analyzeorupload-sarifactions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for theupload-sarifaction. Foranalyze, this may affect Advanced Setup for CodeQL users who specify a value other thanalwaysfor theuploadinput. #3222See the full CHANGELOG.md for more information.
v4.30.9Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
4.30.9 - 17 Oct 2025
setup-codeqlaction has been added which is similar toinit, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #3204See the full CHANGELOG.md for more information.
v4.30.8Compare Source
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
4.30.8 - 10 Oct 2025
No user facing changes.
See the full CHANGELOG.md for more information.
Configuration
📅 Schedule: (in timezone America/New_York)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.