
chore(deps)!: Update GitHub Actions (major)#37

Open
williaby wants to merge 1 commit into
mainfrom
renovate/major-github-actions

Conversation


@williaby williaby commented Jun 11, 2026

Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| SonarSource/sonarqube-scan-action | action | major | v4.0.0 -> v8.2.0 | OpenSSF Scorecard |
| actions/checkout | action | major | v4.2.2 -> v7.0.0 | OpenSSF Scorecard |
| actions/dependency-review-action | action | major | v4.5.0 -> v5.0.0 | OpenSSF Scorecard |
| actions/download-artifact | action | major | v6.0.0 -> v8.0.1 | OpenSSF Scorecard |
| actions/github-script | action | major | v7.0.1 -> v9.0.0 | OpenSSF Scorecard |
| actions/setup-python | action | major | v5.3.0 -> v6.3.0 | OpenSSF Scorecard |
| actions/upload-artifact | action | major | v4.5.0 -> v7.0.1 | OpenSSF Scorecard |
| astral-sh/setup-uv | action | major | v7.1.1 -> v8.2.0 | OpenSSF Scorecard |
| fsfe/reuse-action | action | major | v4.0.0 -> v6.0.0 | OpenSSF Scorecard |
| lycheeverse/lychee-action | action | major | v1.10.0 -> v2.8.0 | OpenSSF Scorecard |

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes


Release Notes

SonarSource/sonarqube-scan-action (SonarSource/sonarqube-scan-action)

v8.2.0

Compare Source

What's Changed

  • SQSCANGHA-149 Add scannerBinariesAuthHeader input by @henryju in #246
  • SQSCANGHA-88 Deprecate the SONARCLOUD_URL env variable support by @henryju in #249
  • SQSCANGHA-84 Remove outdated wget/curl references by @henryju in #248
  • SQSCANGHA-135 Fix scanner binaries always re-downloaded due to incompatible 4-part version by @henryju in #250
  • SQSCANGHA-127 Rename downloaded file to .zip before extraction on Windows by @henryju in #251

Full Changelog: SonarSource/sonarqube-scan-action@v8...v8.2.0

v8.2

Compare Source

v8.1.0

Compare Source

What's Changed

Full Changelog: SonarSource/sonarqube-scan-action@v8...v8.1.0

v8.1

Compare Source

v8.0.0

Compare Source

What's Changed

Breaking change

Full Changelog: SonarSource/sonarqube-scan-action@v7...v8.0.0

v8.0

Compare Source

v8

Compare Source

v7.2.1

Compare Source

What's Changed

  • SQSCANGHA-140 Set skipSignatureVerification default value to true to avoid breaking change by @gmmcal in #240

Full Changelog: SonarSource/sonarqube-scan-action@v7...v7.2.1

v7.2.0

Compare Source

What's Changed

Full Changelog: SonarSource/sonarqube-scan-action@v7...v7.2.0

v7.2

Compare Source

v7.1.0

Compare Source

What's Changed

Full Changelog: SonarSource/sonarqube-scan-action@v7...v7.1.0

v7.1

Compare Source

v7.0.0

Compare Source

What's Changed

New Contributors

Full Changelog: SonarSource/sonarqube-scan-action@v6.0.0...v7.0.0

v7.0

Compare Source

v7

Compare Source

v6.0.0

Compare Source

BREAKING CHANGE!

In order to prevent command-line injection, the action has been rewritten from Bash to JS, and the args input is now parsed differently. When updating to v6, you might have to update your workflow to change how arguments are quoted.
For example, if you were previously passing:

- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    args: >
      -Dsonar.projectName="My Project"

you should now pass:

- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    args: >
      "-Dsonar.projectName=My Project"

For more args passing examples, please refer to the README file

What's Changed

Full Changelog: SonarSource/sonarqube-scan-action@v5.3.1...v6.0.0

v6.0

Compare Source

v6

Compare Source

v5.3.2

Compare Source

Full Changelog: SonarSource/sonarqube-scan-action@v5.3.1...v5.3.2

v5.3.1

Compare Source

OVERLOOKED BREAKING CHANGE!

In order to prevent command-line injection, the way to parse the args input has been changed, but this is possibly a breaking change regarding support of quotes.

For example, if you were previously passing:

- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    args: >
      -Dsonar.projectName="My Project"

you should now pass:

- uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    args: >
      "-Dsonar.projectName=My Project"

Edit: We have now released v6, which more accurately reflects this breaking change.

What's Changed

New Contributors

Full Changelog: SonarSource/sonarqube-scan-action@v5...v5.3.1

v5.3.0

Compare Source

What's Changed

New Contributors

Full Changelog: SonarSource/sonarqube-scan-action@v5.2.0...v5.3.0

v5.3

Compare Source

v5.2.0

Compare Source

What's Changed

Full Changelog: SonarSource/sonarqube-scan-action@v5...v5.2.0

v5.2

Compare Source

v5.1.0

Compare Source

What's Changed

Full Changelog: SonarSource/sonarqube-scan-action@v5.0.0...v5.1.0

v5.1

Compare Source

v5.0.0

Compare Source

What's Changed

Full Changelog: SonarSource/sonarqube-scan-action@v4...v5.0.0

v5.0

Compare Source

v5

Compare Source

v4.2.2

Compare Source

Full Changelog: SonarSource/sonarqube-scan-action@v4.2.1...v4.2.2

v4.2.1

Compare Source

What's Changed

Full Changelog: SonarSource/sonarqube-scan-action@v4.2.0...v4.2.1

v4.2.0

Compare Source

We are happy to announce this new version of the GitHub action, which brings support for C, C++, and Objective-C projects.

The action supports both AutoConfig scenarios, as well as scenarios where Build Wrapper is required, and is a complete replacement of sonarqube-github-c-cpp and sonarcloud-github-c-cpp.

To install Build Wrapper, a new sonarqube-scan-action/install-build-wrapper sub-action is provided.

Check the README for examples of configuration.

On top of C, C++, and Objective-C support, we have also improved our support of self-hosted GitHub runners:

  • we no longer expect the temporary runner folder (RUNNER_TEMP) to be cleaned after every job execution: if present, the action will clean it before running
  • similarly, we no longer expect the Sonar SSL folder (~/sonar/ssl) to be cleaned after every job execution: if present, the action will clean it before running

What's Changed

New Contributors

Full Changelog: SonarSource/sonarqube-scan-action@v4.1.0...v4.2.0

v4.2

Compare Source

v4.1.0

Compare Source

The new version is now the official entrypoint for both Server and Cloud: a single GitHub action to interact with the SonarQube solution, whether on-premise or in the cloud!

It also brings several other improvements, including:

  • the ability to customize the location from where the SonarScanner CLI is downloaded, which can be useful when the runner is self-hosted and has regulated or no access to the Internet
  • the ability to use curl as a fallback when wget is not available in the environment of the runner
  • the requirement of the Java keytool to be available has been lifted

What's Changed

Full Changelog: SonarSource/sonarqube-scan-action@v4.0.0...v4.1.0

v4.1

Compare Source

actions/checkout (actions/checkout)

v7.0.0

Compare Source

v7

Compare Source

v6.0.3

Compare Source

v6.0.2

Compare Source

v6.0.1

Compare Source

v6.0.0

Compare Source

v6

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

v5

Compare Source

v4.3.1

Compare Source

v4.3.0

Compare Source

actions/dependency-review-action (actions/dependency-review-action)

v5.0.0: 5.0.0

Compare Source

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

v4.9.0: Dependency Review Action 4.9.0

Compare Source

This feature release contains a couple of notable changes:

  • There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @felickz!
  • Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unnecessary slowness. Great catch @jantiebot!
  • There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces. Thanks @juxtin!

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

v4.8.3: 4.8.3

Compare Source

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and uploaded them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3

v4.8.2

Compare Source

Minor fixes:

v4.8.1: Dependency Review Action v4.8.1

Compare Source

What's Changed

Full Changelog: actions/dependency-review-action@v4...v4.8.1

v4.8.0

Compare Source

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4...v4.8.0

v4.7.4

Compare Source

v4.7.3: 4.7.3

Compare Source

What's Changed

Full Changelog: actions/dependency-review-action@v4...v4.7.3

v4.7.2: 4.7.2

Compare Source

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4...v4.7.2

v4.7.1

Compare Source

  • Packages added to allow-dependencies-licenses will be allowed even if the package in question has no license information #889
  • License expressions (e.g. Ruby OR GPL-2.0) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifiers (e.g. Ruby)

v4.7.0

Compare Source

  • Handle complex license expressions (e.g. MIT AND GPL-2.0) in allow lists (fixes #809 and probably others)
  • Replace OTHER in package licenses with LicenseRef-clearlydefined-OTHER so that parsing passes

v4.6.0

Compare Source

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.5.0...v4.6.0

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

Full Changelog: actions/download-artifact@v8...v8.0.1

[v8.0.0](https://redirect.github.com/actions/download-artifact/releas

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "after 10pm every weekday,before 5am every weekday,every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Copilot AI review requested due to automatic review settings June 11, 2026 02:16
@williaby williaby self-assigned this Jun 11, 2026

coderabbitai Bot commented Jun 11, 2026


Warning

Review limit reached

@williaby, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 34 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer to the docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: ecd1cae9-b7af-410f-aec3-8169ba3e6719

📥 Commits

Reviewing files that changed from the base of the PR and between 7c2c91e and e5298fc.

📒 Files selected for processing (6)
  • .github/workflows/dependency-review.yml
  • .github/workflows/fips-compatibility.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/reuse.yml
  • .github/workflows/slsa-provenance.yml
  • .github/workflows/sonarcloud.yml

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands.


github-actions Bot commented Jun 11, 2026


⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score |
|---|---|---|
| actions/actions/download-artifact | 3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c | 🟢 5.1 |

Details

| Check | Score | Reason |
|---|---|---|
| Code-Review | 🟢 10 | all changesets reviewed |
| Maintained | ⚠️ 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| SAST | 🟢 10 | SAST tool is run on all commits |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |

| Package | Version | Score |
|---|---|---|
| actions/SonarSource/sonarqube-scan-action | 713881670b6b3676cda39549040e2d88c70d582e | 🟢 6.3 |

Details

| Check | Score | Reason |
|---|---|---|
| Security-Policy | 🟢 10 | security policy file detected |
| Code-Review | 🟢 9 | Found 21/23 approved changesets -- score normalized to 9 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Maintained | 🟢 10 | 23 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Pinned-Dependencies | 🟢 5 | dependency not pinned by hash detected -- score normalized to 5 |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ 1 | branch protection is not maximal on development and all release branches |
| SAST | 🟢 6 | SAST tool is not run on all commits -- score normalized to 6 |

| Package | Version | Score |
|---|---|---|
| actions/actions/checkout | 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 | 🟢 6.9 |

Details

| Check | Score | Reason |
|---|---|---|
| Code-Review | 🟢 10 | all changesets reviewed |
| Maintained | 🟢 10 | 16 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Pinned-Dependencies | 🟢 3 | dependency not pinned by hash detected -- score normalized to 3 |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| Branch-Protection | 🟢 5 | branch protection is not maximal on development and all release branches |
| SAST | 🟢 10 | SAST tool is run on all commits |

| Package | Version | Score |
|---|---|---|
| actions/actions/setup-python | ece7cb06caefa5fff74198d8649806c4678c61a1 | 🟢 5.9 |

Details

| Check | Score | Reason |
|---|---|---|
| Maintained | 🟢 8 | 10 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8 |
| Code-Review | 🟢 10 | all changesets reviewed |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| SAST | 🟢 9 | SAST tool is not run on all commits -- score normalized to 9 |

| Package | Version | Score |
|---|---|---|
| actions/actions/upload-artifact | 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a | 🟢 5.5 |

Details

| Check | Score | Reason |
|---|---|---|
| Code-Review | 🟢 10 | all changesets reviewed |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Maintained | 🟢 3 | 4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1 |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| Security-Policy | 🟢 9 | security policy file detected |
| SAST | 🟢 10 | SAST tool is run on all commits |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |

Scanned Files

  • .github/workflows/slsa-provenance.yml
  • .github/workflows/sonarcloud.yml

Copilot AI left a comment


Pull request overview

This PR updates pinned GitHub Actions used across the repository’s CI/security workflows to newer major versions, primarily to keep the automation ecosystem up to date (including Node.js runtime bumps in several actions).

Changes:

  • Bump core workflow actions (e.g., actions/checkout, actions/setup-python, actions/upload-artifact) to newer major versions pinned by commit SHA.
  • Update security/compliance-related actions (SonarSource/sonarqube-scan-action, actions/dependency-review-action, fsfe/reuse-action) to newer major versions.
  • Update utility actions used in validation/reporting (actions/download-artifact, actions/github-script, astral-sh/setup-uv, lycheeverse/lychee-action).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file

| File | Description |
|---|---|
| .github/workflows/sonarcloud.yml | Updates checkout/setup-python/sonarqube scan/upload-artifact action pins used for SonarCloud analysis. |
| .github/workflows/slsa-provenance.yml | Updates actions/download-artifact pin used to fetch release artifacts for provenance hashing. |
| .github/workflows/reuse.yml | Updates checkout/reuse-action/upload-artifact pins for REUSE compliance checks and artifact upload. |
| .github/workflows/pr-validation.yml | Updates checkout/setup-python/setup-uv/lychee-action pins for PR validation jobs. |
| .github/workflows/fips-compatibility.yml | Updates checkout/setup-uv/upload-artifact/github-script pins used for FIPS scanning and PR commenting. |
| .github/workflows/dependency-review.yml | Updates checkout and dependency-review-action pins for PR dependency scanning. |

Comment on lines 37 to +38
- name: Dependency Review
uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
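Review bot: the v5.0.0 pin on the replaced line is a runtime change, not the "patch update, no breaking changes" the PR body claims: the dependency-review-action v5.0.0 release notes quoted in this PR say the action now runs on node24 and needs Actions Runner v2.327.1 or newer, so confirm every self-hosted runner that executes dependency-review.yml is at least that version before merging. The dependency review run on this PR also already warns that the deny-licenses option is deprecated for possible removal in the next major (issue 997), so this bump is the right moment to move that workflow off deny-licenses rather than carry a deprecated option into v5. Finally, verify that a1d282b36b6f3519aa1f3fc636f609c47dddb294 actually resolves to the v5.0.0 tag named in the trailing comment, since that comment is the only human-readable record of the intended version.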
@williaby williaby force-pushed the renovate/major-github-actions branch from fede7ab to c26d58b Compare June 11, 2026 14:15
@williaby williaby force-pushed the renovate/major-github-actions branch 2 times, most recently from ff539c1 to 09f1559 Compare June 26, 2026 20:20
@williaby williaby force-pushed the renovate/major-github-actions branch from 09f1559 to e5298fc Compare June 29, 2026 18:18
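The Copilot overview above describes every action in this PR as pinned by commit SHA with a trailing version comment, and the Scorecard report earlier on the page scores each upstream action on exactly that property (Pinned-Dependencies). The following checker is an added illustration, not code from this repository or from Renovate, Scorecard or Copilot: it scans a workflow's `uses:` lines and reports refs that are not full 40-character SHAs, or SHAs missing the `# vX.Y.Z` comment. The sample workflow is constructed; its two dependency-review-action pins are the ones from the diff above, while the `example-org` actions and the repeated-hex placeholder SHA are invented.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added illustration (not this repository's code). A floating tag or branch is
re-resolved on every run, so a moved upstream tag silently changes what the
workflow executes; a full SHA plus a `# vX.Y.Z` comment (the form Renovate keeps
in this PR) fixes the content while staying readable.
"""
import re
from dataclasses import dataclass

# `- uses: owner/repo[/path]@ref   # optional comment`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?\d+(?:\.\d+){0,2}$")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    problem: str


def check_action_pins(workflow_text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is unpinned or undocumented."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue  # not a `uses:` line; local `./path` actions have no `@` and are skipped too
        action, ref, comment = m.group(1), m.group(2), (m.group(3) or "").strip()
        if action.startswith("docker://"):
            continue  # container images are pinned by digest, which is a separate check
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(lineno, action, ref, "not pinned by full commit SHA"))
            continue
        label = comment.split()[0] if comment else ""
        if not VERSION_RE.match(label):
            findings.append(Finding(lineno, action, ref, "pinned SHA lacks a version comment"))
    return findings


# Constructed sample workflow: the two dependency-review-action pins are the ones
# shown in this PR's diff; the example-org actions and the placeholder SHA made of
# repeated hex digits are invented so that each kind of finding is exercised.
SAMPLE_WORKFLOW = """\
jobs:
  review:
    steps:
      - uses: ./.github/actions/local-setup
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
      - uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
      - uses: example-org/example-action@main
      - uses: example-org/unlabelled-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in check_action_pins(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref}: {f.problem}")
```

Run it over each file under `.github/workflows/` in a pre-merge check so a Renovate PR that swaps a SHA for a tag, or drops the version comment, fails before it lands.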
