chore(deps): Update GitHub Actions #33

Open
williaby wants to merge 1 commit into main from renovate/github-actions

@williaby williaby commented May 28, 2026

Contributor

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| ByronWilliamsCPA/.github (changelog) | action | digest | c22009c → 4b12bfe | OpenSSF Scorecard |
| actions/checkout | action | patch | v6.0.2 → v6.0.3 | OpenSSF Scorecard |
| astral-sh/setup-uv | action | minor | v8.1.0 → v8.2.0 | OpenSSF Scorecard |
| github/codeql-action | action | minor | v4.35.3 → v4.36.2 | OpenSSF Scorecard |
| step-security/harden-runner | action | minor | v2.10.1 → v2.19.4 | OpenSSF Scorecard |
| step-security/harden-runner | action | patch | v2.19.1 → v2.19.4 | OpenSSF Scorecard |

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes


Release Notes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

astral-sh/setup-uv (astral-sh/setup-uv)

v8.2.0: 🌈 New inputs quiet and download-from-astral-mirror

Compare Source

Changes

This release brings two new inputs and a few bug fixes.

New inputs

Let's talk about the new inputs first.

quiet

Pretty simple. It turns off all info logging. Useful if you use this in a composite action and are not interested in all the details.
In the upcoming releases we will add log groups to fully implement support for "less noise".

[!NOTE]
Warnings and errors are always logged.

download-from-astral-mirror

In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting download-from-astral-mirror: false allows you to do that.

Bugfixes

When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short lived token.
All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults.

We couldn't pinpoint all root causes yet but added more logging for error cases to track them down.

🐛 Bug fixes
🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates
github/codeql-action (github/codeql-action)

v4.36.2

Compare Source

  • Cache CodeQL CLI version information across Actions steps. #​3943
  • Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #​3937
  • Update default CodeQL bundle version to 2.25.6. #​3948

v4.36.1

Compare Source

No user facing changes.

v4.36.0

Compare Source

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #​3894
  • Add support for SHA-256 Git object IDs. #​3893
  • Update default CodeQL bundle version to 2.25.5. #​3926

v4.35.5

Compare Source

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #​3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #​3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #​3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #​3880

v4.35.4

Compare Source

step-security/harden-runner (step-security/harden-runner)

v2.19.4

Compare Source

What's Changed
  • Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

Compare Source

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

Compare Source

What's Changed
  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

Compare Source

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers
If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies; see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

Compare Source

What's Changed
New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks
  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).
Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

Compare Source

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

v2.17.0

Compare Source

What's Changed
Policy Store Support

Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode.

Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0

v2.16.1

Compare Source

What's Changed

Enterprise tier: Added support for direct IP addresses in the allow list
Community tier: Migrated Harden Runner telemetry to a new endpoint

Full Changelog: step-security/harden-runner@v2.16.0...v2.16.1

v2.16.0

Compare Source

What's Changed
  • Updated action.yml to use node24
  • Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
  • Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

v2.15.1

Compare Source

What's Changed
  • Fixes #​642 bug due to which post step was failing on Windows ARM runners
  • Updates npm packages

Full Changelog: step-security/harden-runner@v2.15.0...v2.15.1

v2.15.0

Compare Source

What's Changed
Windows and macOS runner support

We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.

Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.

Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0

v2.14.2

Compare Source

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

v2.14.1

Compare Source

What's Changed
  1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

  2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

v2.14.0

Compare Source

What's Changed
  • Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
  • Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.

Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0

v2.13.3

Compare Source

What's Changed
  • Fixed an issue where process events were not uploaded in certain edge cases.

Full Changelog: step-security/harden-runner@v2.13.2...v2.13.3

v2.13.2

Compare Source

What's Changed
  • Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
  • Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.

Full Changelog: step-security/harden-runner@v2.13.1...v2.13.2

v2.13.1

Compare Source

What's Changed
  • Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.

  • Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.

  • Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.

Full Changelog: step-security/harden-runner@v2.13.0...v2.13.1

v2.13.0

Compare Source

What's Changed
  • Improved job markdown summary
  • HTTPS monitoring for all domains (included with the enterprise tier)

Full Changelog: step-security/harden-runner@v2...v2.13.0

v2.12.2

Compare Source

What's Changed

Added HTTPS Monitoring for additional destinations - *.githubusercontent.com
Bug fixes:

  • Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
  • Increased policy map size for block mode

Full Changelog: step-security/harden-runner@v2...v2.12.2

v2.12.1

Compare Source

What's Changed
  • Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
  • Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.

Full Changelog: step-security/harden-runner@v2...v2.12.1

v2.12.0

Compare Source

What's Changed
  1. A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.

  2. New detections have been added based on insights from the tj-actions and reviewdog actions incidents.

Full Changelog: step-security/harden-runner@v2...v2.12.0

v2.11.1

Compare Source

What's Changed

Full Changelog: step-security/harden-runner@v2...v2.11.1

v2.11.0

Compare Source

What's Changed

Release v2.11.0 in #​498
Harden-Runner Enterprise tier now supports the use of eBPF for DNS resolution and network call monitoring

Full Changelog: step-security/harden-runner@v2...v2.11.0

v2.10.4

Compare Source

What's Changed

Fixed a potential Harden-Runner post step failure that could occur when printing agent service logs. The fix gracefully handles failures without failing the post step.

Full Changelog: step-security/harden-runner@v2...v2.10.4

v2.10.3

Compare Source

What's Changed

Fixed an issue where DNS requests using uppercase characters (e.g., EXAMPLE.com) were blocked even when the domain was present in the allowed list. This update standardizes domain names to lowercase for consistent comparison.

Full Changelog: step-security/harden-runner@v2...v2.10.3

v2.10.2

Compare Source

What's Changed
  1. Fixes low-severity command injection weaknesses
    The advisory is here: GHSA-g85v-wf27-67xc

  2. Bug fix to improve detection of whether Harden-Runner is running in a container

Full Changelog: step-security/harden-runner@v2...v2.10.2


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "after 10pm every weekday,before 5am every weekday,every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Copilot AI review requested due to automatic review settings May 28, 2026 04:33
@coderabbitai

coderabbitai Bot commented May 28, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

GitHub Actions workflows across the repository were updated to pin action and reusable workflow references to specific commit SHAs. Step-security/harden-runner was upgraded to v2.19.4 across ten workflow jobs, supporting actions (checkout v6.0.3, setup-uv v8.2.0) were bumped, CodeQL actions were upgraded to v4.36.2, and five reusable workflow references were changed from branch pointers to deterministic commit pins.

Changes

Workflow Dependency Pinning

| Layer | File(s) | Summary |
|---|---|---|
| step-security/harden-runner version upgrades | .github/workflows/ci.yml, .github/workflows/codeql.yml, .github/workflows/pr-validation.yml, .github/workflows/reuse.yml, .github/workflows/security-analysis.yml | Pins step-security/harden-runner to v2.19.4 commit SHA across quality, dependency-review, dependency-standards-validation, CodeQL, PR validation, license reuse, and security gate validation jobs. |
| Supporting action and CodeQL upgrades | .github/workflows/ci.yml, .github/workflows/codeql.yml, .github/workflows/dependency-review.yml | Updates actions/checkout to v6.0.3, astral-sh/setup-uv to v8.2.0 in the quality job, and github/codeql-action/init and github/codeql-action/analyze to v4.36.2 while preserving CodeQL configuration. |
| Reusable workflow reference pinning | .github/workflows/coverage.yml, .github/workflows/python-compatibility.yml, .github/workflows/qlty.yml, .github/workflows/scorecard.yml, .github/workflows/security-analysis.yml | Replaces @main branch references with specific commit SHAs for reusable workflow invocations, ensuring deterministic workflow versions. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related issues

  • ByronWilliamsCPA/taxdome#7: Implements the same step-security/harden-runner (v2.19.4) and actions/checkout (v6.0.3) version bumps across similar workflow files.
  • Dependency Dashboard reference-library#10: Covers matching action pin updates for step-security/harden-runner and reusable workflow pinning to commit 4acd7b6.
  • ByronWilliamsCPA/maester-tests#14: Applies the same GitHub Actions dependency updates including harden-runner, checkout, and setup-uv pins tracked in a Renovate dashboard.

Poem

🐰 Hops through the CI trails,
Pins locked tight so nothing fails,
Runner hardened, workflows true,
Commits secured with morning dew. 🌿

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'chore(deps): Update GitHub Actions' directly and accurately describes the main change—updating GitHub Actions dependencies across multiple workflow files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@github-actions

github-actions Bot commented May 28, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/security-analysis.yml

| Package | Version | License | Issue Type |
|---|---|---|---|
| ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml | 4b12bfe9a94a312be1f23cf7a591e6259ea96118 | Null | Unknown License |

OpenSSF Scorecard

| Package | Version | Score | Details |
|---|---|---|---|
| actions/step-security/harden-runner | 9af89fc71515a100421586dfdb3dc9c984fbf411 | 🟢 7.9 | See checks below |
| actions/ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml | 4b12bfe9a94a312be1f23cf7a591e6259ea96118 | Unknown | Unknown |

Details (actions/step-security/harden-runner):

| Check | Score | Reason |
|---|---|---|
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Branch-Protection | 🟢 8 | branch protection is not maximal on development and all release branches |
| CI-Tests | 🟢 10 | 16 out of 16 merged PRs checked by a CI test -- score normalized to 10 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Code-Review | 🟢 10 | all changesets reviewed |
| Contributors | 🟢 6 | project has 2 contributing companies or organizations -- score normalized to 6 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Maintained | 🟢 10 | 14 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6 |
| SAST | 🟢 10 | SAST tool is run on all commits |
| Security-Policy | 🟢 10 | security policy file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege |
| Vulnerabilities | ⚠️ 0 | 16 existing vulnerabilities detected |

Scanned Files

  • .github/workflows/pr-validation.yml
  • .github/workflows/security-analysis.yml

Copilot AI left a comment

Pull request overview

Routine Renovate-driven dependency update for GitHub Actions across workflow files. Pins are updated to new SHAs with version comments, and two previously @main-referenced reusable workflows are now SHA-pinned, aligning with the repo's pinDigests policy.

Changes:

  • Bump step-security/harden-runner to 9af89fc (v2.19.4) across all workflows.
  • Bump github/codeql-action/{init,analyze} to 7211b7c (v4.36.0).
  • Update ByronWilliamsCPA/.github reusable workflow refs to SHA e75a86b, including pinning previously-floating @main refs in coverage.yml and qlty.yml.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Show a summary per file
| File | Description |
|---|---|
| .github/workflows/ci.yml | Updated harden-runner SHA to v2.19.4 in both jobs. |
| .github/workflows/codeql.yml | Updated harden-runner to v2.19.4 and codeql-action init/analyze to v4.36.0. |
| .github/workflows/coverage.yml | Pinned python-qlty-coverage reusable workflow from @main to SHA. |
| .github/workflows/pr-validation.yml | Updated harden-runner SHA to v2.19.4 across three jobs. |
| .github/workflows/python-compatibility.yml | Bumped reusable python-compatibility workflow SHA. |
| .github/workflows/qlty.yml | Pinned python-qlty-coverage reusable workflow from @main to SHA. |
| .github/workflows/reuse.yml | Updated harden-runner SHA to v2.19.4 in both jobs. |
| .github/workflows/scorecard.yml | Bumped reusable python-scorecard workflow SHA. |
| .github/workflows/security-analysis.yml | Bumped python-security-analysis reusable workflow SHA and harden-runner to v2.19.4. |
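
An added example, not part of this PR or the repository's tooling: a small Python audit of `uses:` lines that separates floating refs such as `@main` from full-SHA pins and reports the trailing comment on each pin, which is the distinction the overview above draws. The sample workflow text is constructed from refs quoted on this page; the `./.github/actions/setup` path and the status names are hypothetical.

```python
"""Audit `uses:` references in GitHub Actions workflow text for SHA pinning."""
import re
from dataclasses import dataclass
from typing import List, Optional

# A full Git commit SHA-1 is exactly 40 lowercase hex characters.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# A comment such as "v2.19.4" or "6.0.3" names a release rather than a branch.
VERSION = re.compile(r"^v?\d+(?:\.\d+){0,2}$")
# Matches "uses: target" or "- uses: target", with an optional trailing "# comment".
# Line-based on purpose: it does not parse YAML, so a `uses:` line inside a
# multi-line `run:` script would also be reported.
USES = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)['"]?\s*(?:#\s*(.*\S))?\s*$"""
)


@dataclass
class Finding:
    line: int               # 1-based line number in the workflow text
    target: str             # everything after `uses:`, e.g. owner/repo@ref
    status: str             # hypothetical status label, see classify()
    comment: Optional[str]  # trailing comment text, if any


def classify(target: str, comment: Optional[str]) -> str:
    """Return a status label for one `uses:` target."""
    if target.startswith("./"):
        return "local"                  # same-repo action, no ref to pin
    if target.startswith("docker://"):
        return "docker"                 # image refs are out of scope here
    _, sep, ref = target.rpartition("@")
    if not sep:
        return "no-ref"
    if not FULL_SHA.match(ref):
        return "floating"               # branch, tag or abbreviated SHA
    if comment is None:
        return "pinned-unlabelled"
    if VERSION.match(comment.split()[0]):
        return "pinned"
    return "pinned-branch-comment"      # e.g. "<sha> # main"


def audit(text: str) -> List[Finding]:
    """Classify every `uses:` line found in the workflow text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = USES.match(line)
        if match:
            target, comment = match.group(1), match.group(2)
            findings.append(
                Finding(number, target, classify(target, comment), comment)
            )
    return findings


def unpinned(text: str) -> List[Finding]:
    """Only the references a pin-by-digest policy would reject."""
    return [f for f in audit(text) if f.status in ("floating", "no-ref")]


# Constructed sample: refs are taken from this page, job layout is invented.
SAMPLE_WORKFLOW = """\
jobs:
  qlty:
    uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@main
  coverage:
    uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b # main
  quality:
    steps:
      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
      - uses: actions/checkout@v6.0.3
      - uses: ./.github/actions/setup
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW):
        print(f"line {f.line:>2}  {f.status:<22} {f.target}  ({f.comment})")
```
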

@williaby williaby force-pushed the renovate/github-actions branch 2 times, most recently from 5f64bc2 to 309a04a Compare May 28, 2026 20:07
@williaby williaby force-pushed the renovate/github-actions branch 2 times, most recently from f9760c8 to af22525 Compare May 30, 2026 23:07
@socket-security

socket-security Bot commented May 30, 2026

No dependency changes detected. Learn more about Socket for GitHub.

@williaby williaby force-pushed the renovate/github-actions branch 2 times, most recently from 2147bbf to c8a2ade Compare June 2, 2026 08:03

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/coverage.yml:
- Line 26: Update the reusable workflow reference to remove the stale trailing
ref comment; in the line that uses
ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b
(the uses entry in the coverage.yml file), delete the trailing " # main"
annotation so the ref matches the SHA pin exactly and no longer misleads about
using the main branch.

In @.github/workflows/python-compatibility.yml:
- Line 38: Update the trailing comment on the uses line that currently reads "#
main" because the action is pinned to an immutable SHA; locate the line
beginning with "uses:
ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b"
and replace or remove the inaccurate comment—e.g., change it to "# pinned to
commit ab2a3856..." or remove the comment entirely so it no longer suggests the
ref is "main".

In @.github/workflows/qlty.yml:
- Line 18: The comment "# main" next to the pinned reusable workflow is
misleading because the workflow is pinned to a commit SHA; update the line
containing the uses declaration (the string starting with "uses:
ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b
# main") by either removing the "# main" comment or replacing it with an
accurate note reflecting the SHA (or a short explanation like "# pinned to
commit SHA") so the comment correctly represents the pinned reference.

In @.github/workflows/security-analysis.yml:
- Line 25: The workflow 'uses' ref is pinned to a commit SHA but still has a
trailing "# main" comment that is misleading; edit the line containing the uses
declaration (uses:
ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b)
to remove or replace the "# main" annotation (e.g., remove it or replace with a
note like "# pinned to commit ab2a385...") so the comment accurately reflects
that it's pinned to a specific commit.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6fb54b3f-84ce-4433-847d-447d44986158

📥 Commits

Reviewing files that changed from the base of the PR and between c7e7593 and c8a2ade.

📒 Files selected for processing (9)
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/coverage.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/python-compatibility.yml
  • .github/workflows/qlty.yml
  • .github/workflows/reuse.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/security-analysis.yml

Comment thread .github/workflows/coverage.yml Outdated
name: Upload Coverage to Qlty
if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@main
uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b # main
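
Review bot: On the new `uses:` line, nothing ties `ab2a3856e5292b9dcaed1d8a54c221f2074a549b` to the branch it replaces except the trailing `# main`, and a comment is not checked by anything. Before merging, confirm that this SHA is a commit on `main` of `ByronWilliamsCPA/.github`, since the pin is the first time this job stops following `@main` and whatever the SHA names is what will run from now on.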

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix the trailing ref annotation.

# main is stale after switching this reusable workflow to a commit SHA pin.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/coverage.yml at line 26, Update the reusable workflow
reference to remove the stale trailing ref comment; in the line that uses
ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b
(the uses entry in the coverage.yml file), delete the trailing " # main"
annotation so the ref matches the SHA pin exactly and no longer misleads about
using the main branch.

compatibility:
name: Python Compatibility Matrix
uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@c22009ccaab0d3234819d30d9d7a03d53c531cb9 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b # main
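
Review bot: The `# main` comment is identical on the removed and the added `uses:` line, so it was already attached to the previous SHA pin (`c22009c...`) and is not introduced by this change. If the annotation is to be reworded, reword it the same way in every workflow that pins `ByronWilliamsCPA/.github`, so the pins stay consistent with each other.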

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Correct the outdated comment.

The workflow now references an immutable SHA, so # main no longer describes this line accurately.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/python-compatibility.yml at line 38, Update the trailing
comment on the uses line that currently reads "# main" because the action is
pinned to an immutable SHA; locate the line beginning with "uses:
ByronWilliamsCPA/.github/.github/workflows/python-compatibility.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b"
and replace or remove the inaccurate comment—e.g., change it to "# pinned to
commit ab2a3856..." or remove the comment entirely so it no longer suggests the
ref is "main".

Comment thread .github/workflows/qlty.yml Outdated
qlty:
if: ${{ github.event.workflow_run.conclusion == 'success' }}
uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@main
uses: ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b # main


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove or update the stale # main note.

The reusable workflow is pinned to a commit SHA here, so keeping # main is misleading.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/qlty.yml at line 18, The comment "# main" next to the
pinned reusable workflow is misleading because the workflow is pinned to a
commit SHA; update the line containing the uses declaration (the string starting
with "uses:
ByronWilliamsCPA/.github/.github/workflows/python-qlty-coverage.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b
# main") by either removing the "# main" comment or replacing it with an
accurate note reflecting the SHA (or a short explanation like "# pinned to
commit SHA") so the comment correctly represents the pinned reference.

Comment thread .github/workflows/security-analysis.yml Outdated
pull-requests: write
actions: read
uses: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@c22009ccaab0d3234819d30d9d7a03d53c531cb9 # main
uses: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b # main
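Review bot: the bumped `uses:` line sits directly under `pull-requests: write` and `actions: read`, so the called workflow runs with write access to pull requests at whatever revision the new SHA points to. Read the diff of python-security-analysis.yml between `c22009c` and `ab2a385` before accepting the digest change, rather than relying on the CI result alone.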


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update the stale ref comment.

This line is pinned to a commit SHA now, so the trailing # main annotation is misleading and will confuse future updates.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security-analysis.yml at line 25, The workflow 'uses' ref
is pinned to a commit SHA but still has a trailing "# main" comment that is
misleading; edit the line containing the uses declaration (uses:
ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@ab2a3856e5292b9dcaed1d8a54c221f2074a549b)
to remove or replace the "# main" annotation (e.g., remove it or replace with a
note like "# pinned to commit ab2a385...") so the comment accurately reflects
that it's pinned to a specific commit.

@williaby williaby force-pushed the renovate/github-actions branch 11 times, most recently from 2e56889 to ab1c84a Compare June 9, 2026 17:10
@williaby williaby force-pushed the renovate/github-actions branch 2 times, most recently from 727a596 to 1d5888b Compare June 11, 2026 05:10
@williaby williaby force-pushed the renovate/github-actions branch 2 times, most recently from 2f8d577 to fbd7ba6 Compare June 14, 2026 11:07

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
.github/workflows/security-analysis.yml (1)

25-25: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Misleading # main annotations on SHA-pinned reusable workflows. Both reusable workflow references are pinned to specific commit SHAs but retain trailing # main comments, which incorrectly suggest they track the main branch.

  • .github/workflows/security-analysis.yml#L25-L25: Remove # main from the python-security-analysis.yml reusable workflow reference.
  • .github/workflows/coverage.yml#L26-L26: Remove # main from the python-qlty-coverage.yml reusable workflow reference.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security-analysis.yml at line 25, The reusable workflow
references in both files are pinned to specific commit SHAs but include trailing
`# main` comments that incorrectly indicate they track the main branch. In
`.github/workflows/security-analysis.yml` at line 25, remove the `# main`
comment from the end of the python-security-analysis.yml workflow reference
line. In `.github/workflows/coverage.yml` at line 26, remove the `# main`
comment from the end of the python-qlty-coverage.yml workflow reference line.
This will make the annotations consistent with the actual SHA-pinned references.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e1e251c8-8328-4871-8a05-dc659ba466a4

📥 Commits

Reviewing files that changed from the base of the PR and between a2557bf and fbd7ba6.

📒 Files selected for processing (10)
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/coverage.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/python-compatibility.yml
  • .github/workflows/qlty.yml
  • .github/workflows/reuse.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/security-analysis.yml
🚧 Files skipped from review as they are similar to previous changes (5)
  • .github/workflows/qlty.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/python-compatibility.yml
  • .github/workflows/codeql.yml
  • .github/workflows/pr-validation.yml

Comment thread .github/workflows/ci.yml

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
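Review bot: on the new `actions/checkout@df4cb1c` line, the `# v6.0.3` trailer is only a comment and is not checked against the SHA when the workflow runs. Confirm that the digest resolves to the v6.0.3 tag in actions/checkout before merging, since a mismatch between the two would go unnoticed.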


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Missing persist-credentials: false on checkout actions across workflows. All four checkout action invocations lack the persist-credentials: false safeguard, which prevents credential leakage through GitHub Actions artifacts (artipacked vulnerability).

  • .github/workflows/ci.yml#L37-L37: Add with: persist-credentials: false to the quality job checkout step.
  • .github/workflows/ci.yml#L118-L118: Add with: persist-credentials: false to the dependency-review job checkout step.
  • .github/workflows/reuse.yml#L35-L35: Add with: persist-credentials: false to the reuse job checkout step.
  • .github/workflows/reuse.yml#L63-L63: Add with: persist-credentials: false to the validate-licenses job checkout step.
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 36-37: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

📍 Affects 2 files
  • .github/workflows/ci.yml#L37-L37 (this comment)
  • .github/workflows/ci.yml#L118-L118
  • .github/workflows/reuse.yml#L35-L35
  • .github/workflows/reuse.yml#L63-L63
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 37, Add the security configuration `with:
persist-credentials: false` to all checkout action invocations to prevent
credential leakage through GitHub Actions artifacts. In
`.github/workflows/ci.yml` at lines 37-37 (quality job checkout step) and
118-118 (dependency-review job checkout step), add the `with:
persist-credentials: false` configuration to the respective `actions/checkout`
uses statements. Similarly, in `.github/workflows/reuse.yml` at lines 35-35
(reuse job checkout step) and 63-63 (validate-licenses job checkout step), add
the same `with: persist-credentials: false` configuration to each
`actions/checkout` uses statement.

Source: Linters/SAST tools

Comment on lines 23 to +24
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Disable persisted checkout credentials.

This job only needs the checked-out files, so keeping the GitHub token in git config is unnecessary exposure. Add persist-credentials: false to reduce the blast radius if a later step or action is compromised.

Suggested change
       - name: Checkout repository
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-review.yml around lines 23 - 24, The checkout
action in the Checkout repository step is unnecessarily persisting GitHub token
credentials in git config, creating a security risk. Add the
`persist-credentials: false` option to the actions/checkout action to disable
credential persistence, since this workflow only needs the checked-out files and
does not require git authentication for subsequent steps.

Source: Linters/SAST tools
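The two findings raised in this review (checkout steps without `persist-credentials: false`, and SHA-pinned refs whose trailing comment names a branch) can be checked locally with a small line-based scanner. This is an added example, not code from the pull request, zizmor or CodeRabbit; the sample workflow and its SHAs are constructed, and the rule label `stale-ref-comment` is hypothetical.

```python
import re

# Constructed sample workflow; the 40-character SHAs are placeholders.
SAMPLE = """\
jobs:
  quality:
    steps:
      - name: Checkout
        uses: actions/checkout@1111111111111111111111111111111111111111 # v6.0.3
      - name: Lint
        run: make lint
  reuse:
    steps:
      - name: Checkout repository
        uses: actions/checkout@1111111111111111111111111111111111111111 # v6.0.3
        with:
          persist-credentials: false
  coverage:
    uses: example-org/.github/.github/workflows/cov.yml@2222222222222222222222222222222222222222 # main
"""

USES = re.compile(r"^(\s*)(-\s+)?uses:\s*([^\s@#]+)@(\S+)(?:\s+#\s*(.*\S))?\s*$")
SHA = re.compile(r"^[0-9a-f]{40}$")
VERSION = re.compile(r"^v?\d+(\.\d+)*$")
PERSIST_OFF = re.compile(r"persist-credentials:\s*['\"]?false\b")


def indent(line):
    return len(line) - len(line.lstrip(" "))


def step_block(lines, i, key_col):
    """Return the lines of the step that owns lines[i]; its keys start at key_col."""
    lo = i
    # Walk back to the "- " line that opens this list item.
    while lo > 0 and not (lines[lo].lstrip().startswith("- ")
                          and indent(lines[lo]) == key_col - 2):
        lo -= 1
    hi = i + 1
    # Walk forward while lines are blank or still inside the step.
    while hi < len(lines) and (not lines[hi].strip() or indent(lines[hi]) >= key_col):
        hi += 1
    return lines[lo:hi]


def scan(text):
    """Return [(line_number, rule)] for the two findings discussed in the review."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        lead, dash, target, ref, comment = m.groups()
        key_col = len(lead) + len(dash or "")
        if target == "actions/checkout":
            # Ignore YAML comments so a commented-out setting does not count.
            body = "\n".join(l.split(" #")[0] for l in step_block(lines, i, key_col))
            if not PERSIST_OFF.search(body):
                findings.append((i + 1, "artipacked"))
        # A full-SHA pin whose trailing comment is not a version (e.g. "# main").
        if SHA.match(ref) and comment and not VERSION.match(comment):
            findings.append((i + 1, "stale-ref-comment"))
    return findings


if __name__ == "__main__":
    for line_no, rule in scan(SAMPLE):
        print(f"line {line_no}: {rule}")
```

The scanner reads indentation rather than parsing YAML, so it assumes conventionally formatted workflow files with block-style steps.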

@williaby williaby force-pushed the renovate/github-actions branch 7 times, most recently from be0e272 to 46815ee Compare June 22, 2026 05:08

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (5)
.github/workflows/reuse.yml (2)

34-35: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Still missing persist-credentials: false on checkout.

This repeats the earlier checkout-credential finding: the REUSE job still persists credentials in git config. Please add persist-credentials: false.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/reuse.yml around lines 34 - 35, The Checkout repository
step using actions/checkout is missing the persist-credentials: false
configuration option, which allows credentials to persist in the git config. Add
the with parameter section to the actions/checkout step and set
persist-credentials to false to prevent credential persistence in git config for
the REUSE job.

Source: Linters/SAST tools


62-63: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Still missing persist-credentials: false on checkout.

Same issue in the license-validation job: actions/checkout still keeps credentials in git config. Disable it here as well.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/reuse.yml around lines 62 - 63, The "Checkout repository"
step using actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 is missing
the persist-credentials configuration parameter. Add `persist-credentials:
false` as an input parameter to the actions/checkout step to prevent git
credentials from being persisted in the git config, matching the security
configuration pattern used elsewhere in the workflow.

Source: Linters/SAST tools

.github/workflows/dependency-review.yml (1)

24-24: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Still missing persist-credentials: false on checkout.

The checkout step still persists the GitHub token in git config, which is the same artipacked exposure previously flagged. Add persist-credentials: false.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-review.yml at line 24, The checkout action in
the workflow does not disable credential persistence, which leaves the GitHub
token vulnerable to exposure in git config. Add the `persist-credentials: false`
option to the `with` section of the `actions/checkout` action to prevent the
token from being stored in git configuration.

Source: Linters/SAST tools

.github/workflows/ci.yml (2)

117-118: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Still missing persist-credentials: false on checkout.

Same issue as above: this actions/checkout step still leaves credentials persisted in git config. Please disable that here too.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 117 - 118, The Checkout step using
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 is missing the
persist-credentials: false configuration, which leaves credentials persisted in
git config. Add a with section to this step that includes persist-credentials:
false to prevent credentials from being persisted in the git configuration.

Source: Linters/SAST tools


36-37: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Still missing persist-credentials: false on checkout.

This repeats the earlier artipacked finding: actions/checkout is still persisting credentials in git config here. Add persist-credentials: false.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 36 - 37, The checkout step using
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 is missing the
persist-credentials configuration which allows credentials to be persisted in
git config. Add the with section to the Checkout step and include
persist-credentials set to false to prevent credentials from being stored in the
git configuration.

Source: Linters/SAST tools

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c3d8571b-68fe-42d0-8111-2e73d2208d01

📥 Commits

Reviewing files that changed from the base of the PR and between fbd7ba6 and 46815ee.

📒 Files selected for processing (10)
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/coverage.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/python-compatibility.yml
  • .github/workflows/qlty.yml
  • .github/workflows/reuse.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/security-analysis.yml
✅ Files skipped from review due to trivial changes (3)
  • .github/workflows/python-compatibility.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/security-analysis.yml
🚧 Files skipped from review as they are similar to previous changes (3)
  • .github/workflows/codeql.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/qlty.yml

@williaby williaby force-pushed the renovate/github-actions branch 5 times, most recently from 29f617c to 469fed0 Compare June 28, 2026 02:07
@williaby williaby force-pushed the renovate/github-actions branch from 469fed0 to 1369b41 Compare June 29, 2026 02:06
@sonarqubecloud
