Skip to content

ci: bump the github-actions group with 10 updates#266

Merged
frbrkoala merged 2 commits into
mainfrom
dependabot/github_actions/github-actions-efdc49ccbc
Jul 1, 2026
Merged

ci: bump the github-actions group with 10 updates#266
frbrkoala merged 2 commits into
mainfrom
dependabot/github_actions/github-actions-efdc49ccbc

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 26, 2026

Copy link
Copy Markdown
Contributor

Bumps the github-actions group with 10 updates:

Package From To
actions/download-artifact 4.3.0 8.0.1
actions/github-script 7.0.1 9.0.0
actions/checkout 3 7
tj-actions/changed-files 46.0.5 47.0.6
actions/setup-python 5.1.1 6.3.0
actions/upload-artifact 4.6.2 7.0.1
github/codeql-action/init 3.29.7 4.36.2
github/codeql-action/analyze 3.29.7 4.36.2
actions/dependency-review-action 4.7.1 5.0.0
actions/stale 9.0.0 10.3.0

Updates actions/download-artifact from 4.3.0 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

v7.0.0

v7 - What's new

[!IMPORTANT] actions/download-artifact@v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

... (truncated)

Commits
  • 3e5f45b Add regression tests for CJK characters (#471)
  • e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
  • 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
  • f258da9 Add change docs
  • ccc058e Fix linting issues
  • bd7976b Add a setting to specify what to do on hash mismatch and default it to error
  • ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
  • 15999bf Add note about package bumps
  • 974686e Bump the version to v8 and add release notes
  • fbe48b1 Update test names to make it clearer what they do
  • Additional commits viewable in compare view

Updates actions/github-script from 7.0.1 to 9.0.0

Release notes

Sourced from actions/github-script's releases.

v9.0.0

New features:

  • getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
  • Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

  • require('@actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
  • getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
  • If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

New Contributors

Full Changelog: actions/github-script@v8.0.0...v9.0.0

v8.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

New Contributors

Full Changelog: actions/github-script@v7.1.0...v8.0.0

v7.1.0

What's Changed

... (truncated)

Commits
  • 3a2844b Merge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...
  • ca10bbd fix: use @​octokit/core/types import for v7 compatibility
  • 86e48e2 merge: incorporate main branch changes
  • c108472 chore: rebuild dist for v9 upgrade and getOctokit factory
  • afff112 Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...
  • ff8117e ci: fix user-agent test to handle orchestration ID
  • 81c6b78 ci: use deployment: false to suppress deployment noise from integration tests
  • 3953caf docs: update README examples from @​v8 to @​v9, add getOctokit docs and v9 brea...
  • c17d55b ci: add getOctokit integration test job
  • a047196 test: add getOctokit integration tests via callAsyncFunction
  • Additional commits viewable in compare view

Updates actions/checkout from 3 to 7

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

... (truncated)

Commits

Updates tj-actions/changed-files from 46.0.5 to 47.0.6

Release notes

Sourced from tj-actions/changed-files's releases.

v47.0.6

What's Changed

Full Changelog: tj-actions/changed-files@v47.0.5...v47.0.6

v47.0.5

What's Changed

Full Changelog: tj-actions/changed-files@v47.0.4...v47.0.5

v47.0.4

What's Changed

Full Changelog: tj-actions/changed-files@v47.0.3...v47.0.4

... (truncated)

Changelog

Sourced from tj-actions/changed-files's changelog.

Changelog

47.0.6 - (2026-04-18)

🔄 Update

  • Updated README.md (#2817)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> Co-authored-by: Tonye Jack jtonye@ymail.com (c23d52b) - (github-actions[bot])

⚙️ Miscellaneous Tasks

  • deps: Bump lodash from 4.17.23 to 4.18.1 (#2837) (9426d40) - (dependabot[bot])
  • deps: Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#2843) (32de080) - (dependabot[bot])
  • deps: Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#2844) (2487d12) - (dependabot[bot])
  • deps-dev: Bump @​types/node from 25.5.0 to 25.6.0 (#2846) (cef85a3) - (dependabot[bot])
  • deps-dev: Bump prettier from 3.8.1 to 3.8.3 (#2848) (7b082de) - (dependabot[bot])
  • deps: Bump github/codeql-action from 4.35.1 to 4.35.2 (#2849) (07224ca) - (dependabot[bot])
  • deps-dev: Bump jest from 30.2.0 to 30.3.0 (#2822) (2bb1357) - (dependabot[bot])
  • deps: Bump nrwl/nx-set-shas from 4.4.0 to 5.0.1 (#2829) (cc98117) - (dependabot[bot])
  • deps: Bump yaml from 2.8.2 to 2.8.3 (#2830) (786e421) - (dependabot[bot])
  • deps-dev: Bump eslint-plugin-jest from 29.15.0 to 29.15.1 (#2831) (726b41b) - (dependabot[bot])
  • deps: Bump github/codeql-action from 4.32.6 to 4.35.1 (#2834) (2c3585e) - (dependabot[bot])
  • deps: Bump actions/download-artifact from 8.0.0 to 8.0.1 (#2824) (3d37a7f) - (dependabot[bot])
  • deps-dev: Bump @​types/node from 25.3.5 to 25.5.0 (#2825) (445b0eb) - (dependabot[bot])
  • deps: Bump github/codeql-action from 4.32.5 to 4.32.6 (#2819) (4f892cd) - (dependabot[bot])
  • deps-dev: Bump @​types/node from 25.3.3 to 25.3.5 (#2820) (6118651) - (dependabot[bot])
  • deps: Bump actions/setup-node from 6.2.0 to 6.3.0 (#2818) (e517d7a) - (dependabot[bot])

⬆️ Upgrades

  • Upgraded to v47.0.5 (#2816)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> Co-authored-by: Tonye Jack jtonye@ymail.com (4750530) - (github-actions[bot])

47.0.5 - (2026-03-03)

🔄 Update

  • Updated README.md (#2805)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> (35dace0) - (github-actions[bot])

  • Updated README.md (#2803)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> Co-authored-by: Tonye Jack jtonye@ymail.com (9ee99eb) - (github-actions[bot])

⚙️ Miscellaneous Tasks

... (truncated)

Commits
  • 9426d40 chore(deps): bump lodash from 4.17.23 to 4.18.1 (#2837)
  • 32de080 chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#2843)
  • 2487d12 chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 (#2844)
  • cef85a3 chore(deps-dev): bump @​types/node from 25.5.0 to 25.6.0 (#2846)
  • 7b082de chore(deps-dev): bump prettier from 3.8.1 to 3.8.3 (#2848)
  • 07224ca chore(deps): bump github/codeql-action from 4.35.1 to 4.35.2 (#2849)
  • 2bb1357 chore(deps-dev): bump jest from 30.2.0 to 30.3.0 (#2822)
  • cc98117 chore(deps): bump nrwl/nx-set-shas from 4.4.0 to 5.0.1 (#2829)
  • 786e421 chore(deps): bump yaml from 2.8.2 to 2.8.3 (#2830)
  • 726b41b chore(deps-dev): bump eslint-plugin-jest from 29.15.0 to 29.15.1 (#2831)
  • Additional commits viewable in compare view

Updates actions/setup-python from 5.1.1 to 6.3.0

Release notes

Sourced from actions/setup-python's releases.

v6.3.0

What's Changed

Enhancement

Dependency update

Documentation

New Contributors

Full Changelog: actions/setup-python@v6...v6.3.0

v6.2.0

What's Changed

Dependency Upgrades

Full Changelog: actions/setup-python@v6...v6.2.0

v6.1.0

What's Changed

Enhancements:

Dependency and Documentation updates:

New Contributors

Full Changelog: actions/setup-python@v6...v6.1.0

... (truncated)

Commits

Updates actions/upload-artifact from 4.6.2 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

... (truncated)

Commits
  • 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
  • 634250c Include changes in typespec/ts-http-runtime 0.3.5
  • e454baa Readme: bump all the example versions to v7 (#796)
  • 74fad66 Update the readme with direct upload details (#795)
  • bbbca2d Support direct file uploads (#764)
  • 589182c Upgrade the module to ESM and bump dependencies (#762)
  • 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
  • 02a8460 Add proxy integration test
  • b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
  • e516bc8 docs: correct description of Node.js 24 support in README
  • Additional commits viewable in compare view

Updates github/codeql-action/init from 3.29.7 to 4.36.2

Release notes

Sourced from github/codeql-action/init's releases.

v4.36.2

  • Cache CodeQL CLI version information across Actions steps. #3943
  • Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937
  • Update default CodeQL bundle version to 2.25.6. #3948

v4.36.1

No user facing changes.

v4.36.0

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893
  • Update default CodeQL bundle version to 2.25.5. #3926

v4.35.5

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input,...

    Description has been truncated

Bumps the github-actions group with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `4.3.0` | `8.0.1` |
| [actions/github-script](https://github.com/actions/github-script) | `7.0.1` | `9.0.0` |
| [actions/checkout](https://github.com/actions/checkout) | `3` | `7` |
| [tj-actions/changed-files](https://github.com/tj-actions/changed-files) | `46.0.5` | `47.0.6` |
| [actions/setup-python](https://github.com/actions/setup-python) | `5.1.1` | `6.3.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.1` |
| [github/codeql-action/init](https://github.com/github/codeql-action) | `3.29.7` | `4.36.2` |
| [github/codeql-action/analyze](https://github.com/github/codeql-action) | `3.29.7` | `4.36.2` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.7.1` | `5.0.0` |
| [actions/stale](https://github.com/actions/stale) | `9.0.0` | `10.3.0` |


Updates `actions/download-artifact` from 4.3.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@d3f86a1...3e5f45b)

Updates `actions/github-script` from 7.0.1 to 9.0.0
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@60a0d83...3a2844b)

Updates `actions/checkout` from 3 to 7
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v3...v7)

Updates `tj-actions/changed-files` from 46.0.5 to 47.0.6
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@ed68ef8...9426d40)

Updates `actions/setup-python` from 5.1.1 to 6.3.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@39cd149...ece7cb0)

Updates `actions/upload-artifact` from 4.6.2 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@ea165f8...043fb46)

Updates `github/codeql-action/init` from 3.29.7 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@51f7732...8aad20d)

Updates `github/codeql-action/analyze` from 3.29.7 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@51f7732...8aad20d)

Updates `actions/dependency-review-action` from 4.7.1 to 5.0.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@da24556...a1d282b)

Updates `actions/stale` from 9.0.0 to 10.3.0
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](actions/stale@28ca103...eb5cf3a)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/github-script
  dependency-version: 9.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: tj-actions/changed-files
  dependency-version: 47.0.6
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-python
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: github/codeql-action/init
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: github/codeql-action/analyze
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/dependency-review-action
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/stale
  dependency-version: 10.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 26, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 26, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions

github-actions Bot commented Jun 26, 2026

Copy link
Copy Markdown

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/daily-tag.yml

PackageVersionLicenseIssue Type
actions/checkout7.*.*NullUnknown License

.github/workflows/website-test-deploy.yml

PackageVersionLicenseIssue Type
actions/checkout7.*.*NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 7.*.* 🟢 6.9
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1016 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
SAST🟢 10SAST tool is run on all commits
actions/actions/checkout 7.*.* 🟢 6.9
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1016 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
SAST🟢 10SAST tool is run on all commits

Scanned Files

  • .github/workflows/daily-tag.yml
  • .github/workflows/website-test-deploy.yml

@github-actions

github-actions Bot commented Jun 26, 2026

Copy link
Copy Markdown

Scan for commit: 230d460 | Updated: 2026-07-01 00:07:04 UTC

🔒 Security Scan Results

Scanned files: 10

⚠️ Security findings detected. Please review and address before merging.

@frbrkoala frbrkoala merged commit 9213322 into main Jul 1, 2026
7 checks passed
@frbrkoala frbrkoala deleted the dependabot/github_actions/github-actions-efdc49ccbc branch July 1, 2026 00:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant