From afa0400edf5eda219d52c7a55c718c4d288ff984 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Jun 2026 12:45:24 +0000 Subject: [PATCH] ci: bump the github-actions group with 10 updates Bumps the github-actions group with 10 updates: | Package | From | To | | --- | --- | --- | | [actions/download-artifact](https://github.com/actions/download-artifact) | `4.3.0` | `8.0.1` | | [actions/github-script](https://github.com/actions/github-script) | `7.0.1` | `9.0.0` | | [actions/checkout](https://github.com/actions/checkout) | `3` | `7` | | [tj-actions/changed-files](https://github.com/tj-actions/changed-files) | `46.0.5` | `47.0.6` | | [actions/setup-python](https://github.com/actions/setup-python) | `5.1.1` | `6.3.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.1` | | [github/codeql-action/init](https://github.com/github/codeql-action) | `3.29.7` | `4.36.2` | | [github/codeql-action/analyze](https://github.com/github/codeql-action) | `3.29.7` | `4.36.2` | | [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.7.1` | `5.0.0` | | [actions/stale](https://github.com/actions/stale) | `9.0.0` | `10.3.0` | Updates `actions/download-artifact` from 4.3.0 to 8.0.1 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/d3f86a106a0bac45b974a628896c90dbdf5c8093...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c) Updates `actions/github-script` from 7.0.1 to 9.0.0 - [Release notes](https://github.com/actions/github-script/releases) - [Commits](https://github.com/actions/github-script/compare/60a0d83039c74a4aee543508d2ffcb1c3799cdea...3a2844b7e9c422d3c10d287c895573f7108da1b3) Updates `actions/checkout` from 3 to 7 - [Release notes](https://github.com/actions/checkout/releases) - [Commits](https://github.com/actions/checkout/compare/v3...v7) Updates `tj-actions/changed-files` from 46.0.5 to 47.0.6 - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/ed68ef82c095e0d48ec87eccea555d944a631a4c...9426d40962ed5378910ee2e21d5f8c6fcbf2dd96) Updates `actions/setup-python` from 5.1.1 to 6.3.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/39cd14951b08e74b54015e9e001cdefcf80e669f...ece7cb06caefa5fff74198d8649806c4678c61a1) Updates `actions/upload-artifact` from 4.6.2 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/ea165f8d65b6e75b540449e92b4886f43607fa02...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a) Updates `github/codeql-action/init` from 3.29.7 to 4.36.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/51f77329afa6477de8c49fc9c7046c15b9a4e79d...8aad20d150bbac5944a9f9d289da16a4b0d87c1e) Updates `github/codeql-action/analyze` from 3.29.7 to 4.36.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/51f77329afa6477de8c49fc9c7046c15b9a4e79d...8aad20d150bbac5944a9f9d289da16a4b0d87c1e) Updates `actions/dependency-review-action` from 4.7.1 to 5.0.0 - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/da24556b548a50705dd671f47852072ea4c105d9...a1d282b36b6f3519aa1f3fc636f609c47dddb294) Updates `actions/stale` from 9.0.0 to 10.3.0 - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/28ca1036281a5e5922ead5184a1bbf96e5fc984e...eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/github-script dependency-version: 9.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: tj-actions/changed-files dependency-version: 47.0.6 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/setup-python dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: github/codeql-action/init dependency-version: 4.36.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: github/codeql-action/analyze dependency-version: 4.36.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/dependency-review-action dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/stale dependency-version: 10.3.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/ash-security-comment.yml | 4 ++-- .github/workflows/ash-security-scan.yml | 8 ++++---- .github/workflows/blueprints-unit-tests.yml | 2 +- .github/workflows/codeql.yml | 6 +++--- .github/workflows/daily-tag.yml | 2 +- .github/workflows/dependency-review.yml | 4 ++-- .github/workflows/pre-commit.yml | 4 ++-- .github/workflows/stale-issue-pr.yml | 2 +- .github/workflows/website-deploy.yaml | 2 +- .github/workflows/website-test-deploy.yml | 2 +- 10 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ash-security-comment.yml b/.github/workflows/ash-security-comment.yml index 3cd15980..8941b57b 100644 --- a/.github/workflows/ash-security-comment.yml +++ b/.github/workflows/ash-security-comment.yml @@ -21,7 +21,7 @@ jobs: # scan was skipped because no scannable files changed, or the upload # failed). Later steps guard on this step's outcome. continue-on-error: true - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ash-security-results path: /tmp/ash-results @@ -46,7 +46,7 @@ jobs: - name: Post comment on PR if: steps.pr-info.outputs.pr_number - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: # Pass values via env and read with process.env rather than interpolating # ${{ }} directly into the script body (avoids any script-injection risk). diff --git a/.github/workflows/ash-security-scan.yml b/.github/workflows/ash-security-scan.yml index 3770d6c7..bacb63ae 100644 --- a/.github/workflows/ash-security-scan.yml +++ b/.github/workflows/ash-security-scan.yml @@ -11,7 +11,7 @@ jobs: scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 @@ -21,7 +21,7 @@ jobs: # compromise (CVE-2025-30066) where version tags were retroactively # repointed to a malicious commit. Pinning to an immutable commit SHA is # the documented mitigation. Bump deliberately, never via a floating tag. - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5 + uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6 with: files: | **/*.ts @@ -46,7 +46,7 @@ jobs: - name: Set up Python if: steps.changed-files.outputs.any_changed == 'true' - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4.7.1 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v4.7.1 with: python-version: '3.10' @@ -169,7 +169,7 @@ jobs: - name: Upload scan results if: always() && steps.changed-files.outputs.any_changed == 'true' - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ash-security-results path: | diff --git a/.github/workflows/blueprints-unit-tests.yml b/.github/workflows/blueprints-unit-tests.yml index 6daa30bb..04582320 100644 --- a/.github/workflows/blueprints-unit-tests.yml +++ b/.github/workflows/blueprints-unit-tests.yml @@ -14,7 +14,7 @@ jobs: actions: read contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - uses: actions/setup-node@v6 with: node-version: 20 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0564b447..242a36b3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -21,10 +21,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Initialize CodeQL - uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 + uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: languages: javascript-typescript build-mode: none @@ -32,6 +32,6 @@ jobs: queries: security-extended - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 + uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: category: "/language:javascript-typescript" diff --git a/.github/workflows/daily-tag.yml b/.github/workflows/daily-tag.yml index 37641580..d0244eb9 100644 --- a/.github/workflows/daily-tag.yml +++ b/.github/workflows/daily-tag.yml @@ -13,7 +13,7 @@ jobs: name: "Create tag on main for changes in last 24 hours" runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v7 - name: "Get changes and create TAG" run: | diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 410dd0f7..93142a7d 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -11,10 +11,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Dependency Review - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 + uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 with: # Fail PRs that introduce dependencies with known HIGH or CRITICAL # vulnerabilities. "moderate" is intentionally not blocking to avoid diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index c0a7676e..c1ea17e2 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -11,11 +11,11 @@ jobs: pre-commit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: # Need the PR base commit so pre-commit can diff for changed files. fetch-depth: 0 - - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v4.7.1 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v4.7.1 # ShellCheck is invoked as a local "system" hook (see .pre-commit-config.yaml); # it is preinstalled on ubuntu-latest, so no install step is required. - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 diff --git a/.github/workflows/stale-issue-pr.yml b/.github/workflows/stale-issue-pr.yml index 0494b1de..5d90f0c6 100644 --- a/.github/workflows/stale-issue-pr.yml +++ b/.github/workflows/stale-issue-pr.yml @@ -19,7 +19,7 @@ jobs: with: egress-policy: audit - - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 + - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0 id: stale with: ascending: true diff --git a/.github/workflows/website-deploy.yaml b/.github/workflows/website-deploy.yaml index 9c7c327d..319f972a 100644 --- a/.github/workflows/website-deploy.yaml +++ b/.github/workflows/website-deploy.yaml @@ -18,7 +18,7 @@ jobs: shell: bash working-directory: website steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - uses: actions/setup-node@v6 with: node-version: 20 diff --git a/.github/workflows/website-test-deploy.yml b/.github/workflows/website-test-deploy.yml index 52c2a330..f7df68a1 100644 --- a/.github/workflows/website-test-deploy.yml +++ b/.github/workflows/website-test-deploy.yml @@ -17,7 +17,7 @@ jobs: shell: bash working-directory: website steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - uses: actions/setup-node@v6 with: node-version: 20