Conversation
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [softprops/action-gh-release](https://redirect.github.com/softprops/action-gh-release) | action | major | `v2.6.2` → `v3.0.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/softprops/action-gh-release) | --- ### Release Notes <details> <summary>softprops/action-gh-release (softprops/action-gh-release)</summary> ### [`v3.0.0`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v3.0.0) [Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.6.2...v3.0.0) `3.0.0` is a major release that moves the action runtime from Node 20 to Node 24. Use `v3` on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on `v2.6.2`. #### What's Changed ##### Other Changes 🔄 - Move the action runtime and bundle target to Node 24 - Update `@types/node` to the Node 24 line and allow future Dependabot updates - Keep the floating major tag on `v3`; `v2` remains pinned to the latest `2.x` release </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [dorny/paths-filter](https://redirect.github.com/dorny/paths-filter) | action | major | `v3.0.3` → `v4.0.1` | [](https://securityscorecards.dev/viewer/?uri=github.com/dorny/paths-filter) | --- ### Release Notes <details> <summary>dorny/paths-filter (dorny/paths-filter)</summary> ### [`v4.0.1`](https://redirect.github.com/dorny/paths-filter/releases/tag/v4.0.1) [Compare Source](https://redirect.github.com/dorny/paths-filter/compare/v4...v4.0.1) #### What's Changed - Support merge queue by [@​masaru-iritani](https://redirect.github.com/masaru-iritani) in [#​255](https://redirect.github.com/dorny/paths-filter/pull/255) #### New Contributors - [@​masaru-iritani](https://redirect.github.com/masaru-iritani) made their first contribution in [#​255](https://redirect.github.com/dorny/paths-filter/pull/255) **Full Changelog**: <dorny/paths-filter@v4.0.0...v4.0.1> ### [`v4.0.0`](https://redirect.github.com/dorny/paths-filter/blob/HEAD/CHANGELOG.md#v400) [Compare Source](https://redirect.github.com/dorny/paths-filter/compare/v3.0.3...v4.0.0) - [Update action runtime to node24](https://redirect.github.com/dorny/paths-filter/pull/294) </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [docker/metadata-action](https://redirect.github.com/docker/metadata-action) | action | major | `v5.10.0` → `v6.0.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/docker/metadata-action) | --- ### Release Notes <details> <summary>docker/metadata-action (docker/metadata-action)</summary> ### [`v6.0.0`](https://redirect.github.com/docker/metadata-action/releases/tag/v6.0.0) [Compare Source](https://redirect.github.com/docker/metadata-action/compare/v5.10.0...v6.0.0) - Node 24 as default runtime (requires [Actions Runner v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1) or later) by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​605](https://redirect.github.com/docker/metadata-action/pull/605) - List inputs now preserve `#` inside values while still supporting full-line `#` comments by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​607](https://redirect.github.com/docker/metadata-action/pull/607) - Switch to ESM and update config/test wiring by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​602](https://redirect.github.com/docker/metadata-action/pull/602) - Bump lodash from 4.17.21 to 4.17.23 in [#​588](https://redirect.github.com/docker/metadata-action/pull/588) - Bump [@​actions/core](https://redirect.github.com/actions/core) from 1.11.1 to 3.0.0 in [#​599](https://redirect.github.com/docker/metadata-action/pull/599) - Bump [@​actions/github](https://redirect.github.com/actions/github) from 6.0.1 to 9.0.0 in [#​597](https://redirect.github.com/docker/metadata-action/pull/597) - Bump [@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit) from 0.68.0 to 0.79.0 in [#​604](https://redirect.github.com/docker/metadata-action/pull/604) - Bump [@​isaacs/brace-expansion](https://redirect.github.com/isaacs/brace-expansion) from 5.0.0 to 5.0.1 in [#​600](https://redirect.github.com/docker/metadata-action/pull/600) - Bump semver from 7.7.3 to 7.7.4 in [#​603](https://redirect.github.com/docker/metadata-action/pull/603) **Full Changelog**: <docker/metadata-action@v5.10.0...v6.0.0> </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [docker/login-action](https://redirect.github.com/docker/login-action) | action | major | `v3.7.0` → `v4.1.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/docker/login-action) | --- ### Release Notes <details> <summary>docker/login-action (docker/login-action)</summary> ### [`v4.1.0`](https://redirect.github.com/docker/login-action/releases/tag/v4.1.0) [Compare Source](https://redirect.github.com/docker/login-action/compare/v4...v4.1.0) - Fix scoped Docker Hub cleanup path when registry is omitted by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​945](https://redirect.github.com/docker/login-action/pull/945) - Bump [@​aws-sdk/client-ecr](https://redirect.github.com/aws-sdk/client-ecr) and [@​aws-sdk/client-ecr-public](https://redirect.github.com/aws-sdk/client-ecr-public) to 3.1020.0 in [#​930](https://redirect.github.com/docker/login-action/pull/930) - Bump [@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit) from 0.77.0 to 0.86.0 in [#​932](https://redirect.github.com/docker/login-action/pull/932) [#​936](https://redirect.github.com/docker/login-action/pull/936) - Bump brace-expansion from 1.1.12 to 1.1.13 in [#​952](https://redirect.github.com/docker/login-action/pull/952) - Bump fast-xml-parser from 5.3.4 to 5.3.6 in [#​942](https://redirect.github.com/docker/login-action/pull/942) - Bump flatted from 3.3.3 to 3.4.2 in [#​944](https://redirect.github.com/docker/login-action/pull/944) - Bump glob from 10.3.12 to 10.5.0 in [#​940](https://redirect.github.com/docker/login-action/pull/940) - Bump handlebars from 4.7.8 to 4.7.9 in [#​949](https://redirect.github.com/docker/login-action/pull/949) - Bump http-proxy-agent and https-proxy-agent to 8.0.0 in [#​937](https://redirect.github.com/docker/login-action/pull/937) - Bump lodash from 4.17.23 to 4.18.1 in [#​958](https://redirect.github.com/docker/login-action/pull/958) - Bump minimatch from 3.1.2 to 3.1.5 in [#​941](https://redirect.github.com/docker/login-action/pull/941) - Bump picomatch from 4.0.3 to 4.0.4 in [#​948](https://redirect.github.com/docker/login-action/pull/948) - Bump undici from 6.23.0 to 6.24.1 in [#​938](https://redirect.github.com/docker/login-action/pull/938) **Full Changelog**: <docker/login-action@v4.0.0...v4.1.0> ### [`v4.0.0`](https://redirect.github.com/docker/login-action/releases/tag/v4.0.0) [Compare Source](https://redirect.github.com/docker/login-action/compare/v3.7.0...v4) - Node 24 as default runtime (requires [Actions Runner v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1) or later) by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​929](https://redirect.github.com/docker/login-action/pull/929) - Switch to ESM and update config/test wiring by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​927](https://redirect.github.com/docker/login-action/pull/927) - Bump [@​actions/core](https://redirect.github.com/actions/core) from 1.11.1 to 3.0.0 in [#​919](https://redirect.github.com/docker/login-action/pull/919) - Bump [@​aws-sdk/client-ecr](https://redirect.github.com/aws-sdk/client-ecr) from 3.890.0 to 3.1000.0 in [#​909](https://redirect.github.com/docker/login-action/pull/909) [#​920](https://redirect.github.com/docker/login-action/pull/920) - Bump [@​aws-sdk/client-ecr-public](https://redirect.github.com/aws-sdk/client-ecr-public) from 3.890.0 to 3.1000.0 in [#​909](https://redirect.github.com/docker/login-action/pull/909) [#​920](https://redirect.github.com/docker/login-action/pull/920) - Bump [@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit) from 0.63.0 to 0.77.0 in [#​910](https://redirect.github.com/docker/login-action/pull/910) [#​928](https://redirect.github.com/docker/login-action/pull/928) - Bump [@​isaacs/brace-expansion](https://redirect.github.com/isaacs/brace-expansion) from 5.0.0 to 5.0.1 in [#​921](https://redirect.github.com/docker/login-action/pull/921) - Bump js-yaml from 4.1.0 to 4.1.1 in [#​901](https://redirect.github.com/docker/login-action/pull/901) **Full Changelog**: <docker/login-action@v3.7.0...v4.0.0> </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [docker/build-push-action](https://redirect.github.com/docker/build-push-action) | action | major | `v6.19.2` → `v7.1.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/docker/build-push-action) | --- ### Release Notes <details> <summary>docker/build-push-action (docker/build-push-action)</summary> ### [`v7.1.0`](https://redirect.github.com/docker/build-push-action/releases/tag/v7.1.0) [Compare Source](https://redirect.github.com/docker/build-push-action/compare/v7...v7.1.0) - Git context [query format](https://docs.docker.com/build/concepts/context/#url-queries) support by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​1505](https://redirect.github.com/docker/build-push-action/pull/1505) - Bump [@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit) from 0.79.0 to 0.87.0 by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​1505](https://redirect.github.com/docker/build-push-action/pull/1505) - Bump brace-expansion from 1.1.12 to 1.1.13 in [#​1500](https://redirect.github.com/docker/build-push-action/pull/1500) - Bump fast-xml-parser from 5.4.2 to 5.5.7 in [#​1489](https://redirect.github.com/docker/build-push-action/pull/1489) - Bump flatted from 3.3.3 to 3.4.2 in [#​1491](https://redirect.github.com/docker/build-push-action/pull/1491) - Bump glob from 10.3.12 to 10.5.0 in [#​1490](https://redirect.github.com/docker/build-push-action/pull/1490) - Bump handlebars from 4.7.8 to 4.7.9 in [#​1497](https://redirect.github.com/docker/build-push-action/pull/1497) - Bump lodash from 4.17.23 to 4.18.1 in [#​1510](https://redirect.github.com/docker/build-push-action/pull/1510) - Bump picomatch from 4.0.3 to 4.0.4 in [#​1496](https://redirect.github.com/docker/build-push-action/pull/1496) - Bump undici from 6.23.0 to 6.24.1 in [#​1486](https://redirect.github.com/docker/build-push-action/pull/1486) - Bump vite from 7.3.1 to 7.3.2 in [#​1509](https://redirect.github.com/docker/build-push-action/pull/1509) **Full Changelog**: <docker/build-push-action@v7.0.0...v7.1.0> ### [`v7.0.0`](https://redirect.github.com/docker/build-push-action/releases/tag/v7.0.0) [Compare Source](https://redirect.github.com/docker/build-push-action/compare/v6.19.2...v7) - Node 24 as default runtime (requires [Actions Runner v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1) or later) by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​1470](https://redirect.github.com/docker/build-push-action/pull/1470) - Remove deprecated `DOCKER_BUILD_NO_SUMMARY` and `DOCKER_BUILD_EXPORT_RETENTION_DAYS` envs by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​1473](https://redirect.github.com/docker/build-push-action/pull/1473) - Remove legacy export-build tool support for build summary by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​1474](https://redirect.github.com/docker/build-push-action/pull/1474) - Switch to ESM and update config/test wiring by [@​crazy-max](https://redirect.github.com/crazy-max) in [#​1466](https://redirect.github.com/docker/build-push-action/pull/1466) - Bump [@​actions/core](https://redirect.github.com/actions/core) from 1.11.1 to 3.0.0 in [#​1454](https://redirect.github.com/docker/build-push-action/pull/1454) - Bump [@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit) from 0.62.1 to 0.79.0 in [#​1453](https://redirect.github.com/docker/build-push-action/pull/1453) [#​1472](https://redirect.github.com/docker/build-push-action/pull/1472) [#​1479](https://redirect.github.com/docker/build-push-action/pull/1479) - Bump minimatch from 3.1.2 to 3.1.5 in [#​1463](https://redirect.github.com/docker/build-push-action/pull/1463) **Full Changelog**: <docker/build-push-action@v6.19.2...v7.0.0> </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [actions/upload-pages-artifact](https://redirect.github.com/actions/upload-pages-artifact) | action | major | `v4.0.0` → `v5.0.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/actions/upload-pages-artifact) | --- ### Release Notes <details> <summary>actions/upload-pages-artifact (actions/upload-pages-artifact)</summary> ### [`v5.0.0`](https://redirect.github.com/actions/upload-pages-artifact/releases/tag/v5.0.0) [Compare Source](https://redirect.github.com/actions/upload-pages-artifact/compare/v4.0.0...v5.0.0) ### Changelog - Update upload-artifact action to version 7 [@​Tom-van-Woudenberg](https://redirect.github.com/Tom-van-Woudenberg) ([#​139](https://redirect.github.com/actions/upload-pages-artifact/issues/139)) - feat: add `include-hidden-files` input [@​jonchurch](https://redirect.github.com/jonchurch) ([#​137](https://redirect.github.com/actions/upload-pages-artifact/issues/137)) See details of [all code changes](https://redirect.github.com/actions/upload-pages-artifact/compare/v4.0.0...v4.0.1) since previous release. </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [actions/download-artifact](https://redirect.github.com/actions/download-artifact) | action | major | `v5.0.0` → `v8.0.1` | [](https://securityscorecards.dev/viewer/?uri=github.com/actions/download-artifact) | --- ### Release Notes <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v8.0.1`](https://redirect.github.com/actions/download-artifact/releases/tag/v8.0.1) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v8...v8.0.1) ##### What's Changed - Support for CJK characters in the artifact name by [@​danwkennedy](https://redirect.github.com/danwkennedy) in [#​471](https://redirect.github.com/actions/download-artifact/pull/471) - Add a regression test for artifact name + content-type mismatches by [@​danwkennedy](https://redirect.github.com/danwkennedy) in [#​472](https://redirect.github.com/actions/download-artifact/pull/472) **Full Changelog**: <actions/download-artifact@v8...v8.0.1> ### [`v8.0.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v8.0.0) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v7.0.0...v8) ##### v8 - What's new ##### Direct downloads To support direct uploads in `actions/upload-artifact`, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the `Content-Type` header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new `skip-decompress` parameter to `false`. ##### Enforced checks (breaking) A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the `digest-mismatch` parameter. To be secure by default, we are now defaulting the behavior to `error` which will fail the workflow run. ##### ESM To support new versions of the @​actions/\* packages, we've upgraded the package to ESM. ##### What's Changed - Don't attempt to un-zip non-zipped downloads by [@​danwkennedy](https://redirect.github.com/danwkennedy) in [#​460](https://redirect.github.com/actions/download-artifact/pull/460) - Add a setting to specify what to do on hash mismatch and default it to `error` by [@​danwkennedy](https://redirect.github.com/danwkennedy) in [#​461](https://redirect.github.com/actions/download-artifact/pull/461) **Full Changelog**: <actions/download-artifact@v7...v8.0.0> ### [`v7.0.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v7.0.0) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v6.0.0...v7.0.0) ##### v7 - What's new > \[!IMPORTANT] > actions/download-artifact\@​v7 now runs on Node.js 24 (`runs.using: node24`) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading. ##### Node.js 24 This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24. ##### What's Changed - Update GHES guidance to include reference to Node 20 version by [@​patrikpolyak](https://redirect.github.com/patrikpolyak) in [#​440](https://redirect.github.com/actions/download-artifact/pull/440) - Download Artifact Node24 support by [@​salmanmkc](https://redirect.github.com/salmanmkc) in [#​415](https://redirect.github.com/actions/download-artifact/pull/415) - fix: update [@​actions/artifact](https://redirect.github.com/actions/artifact) to fix Node.js 24 punycode deprecation by [@​salmanmkc](https://redirect.github.com/salmanmkc) in [#​451](https://redirect.github.com/actions/download-artifact/pull/451) - prepare release v7.0.0 for Node.js 24 support by [@​salmanmkc](https://redirect.github.com/salmanmkc) in [#​452](https://redirect.github.com/actions/download-artifact/pull/452) ##### New Contributors - [@​patrikpolyak](https://redirect.github.com/patrikpolyak) made their first contribution in [#​440](https://redirect.github.com/actions/download-artifact/pull/440) - [@​salmanmkc](https://redirect.github.com/salmanmkc) made their first contribution in [#​415](https://redirect.github.com/actions/download-artifact/pull/415) **Full Changelog**: <actions/download-artifact@v6.0.0...v7.0.0> ### [`v6.0.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v6.0.0) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v5.0.0...v6.0.0) #### What's Changed **BREAKING CHANGE:** this update supports Node `v24.x`. This is not a breaking change per-se but we're treating it as such. - Update README for download-artifact v5 changes by [@​yacaovsnc](https://redirect.github.com/yacaovsnc) in [#​417](https://redirect.github.com/actions/download-artifact/pull/417) - Update README with artifact extraction details by [@​yacaovsnc](https://redirect.github.com/yacaovsnc) in [#​424](https://redirect.github.com/actions/download-artifact/pull/424) - Readme: spell out the first use of GHES by [@​danwkennedy](https://redirect.github.com/danwkennedy) in [#​431](https://redirect.github.com/actions/download-artifact/pull/431) - Bump `@actions/artifact` to `v4.0.0` - Prepare `v6.0.0` by [@​danwkennedy](https://redirect.github.com/danwkennedy) in [#​438](https://redirect.github.com/actions/download-artifact/pull/438) #### New Contributors - [@​danwkennedy](https://redirect.github.com/danwkennedy) made their first contribution in [#​431](https://redirect.github.com/actions/download-artifact/pull/431) **Full Changelog**: <actions/download-artifact@v5...v6.0.0> </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [actions/deploy-pages](https://redirect.github.com/actions/deploy-pages) | action | major | `v4.0.5` → `v5.0.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/actions/deploy-pages) | --- ### Release Notes <details> <summary>actions/deploy-pages (actions/deploy-pages)</summary> ### [`v5.0.0`](https://redirect.github.com/actions/deploy-pages/releases/tag/v5.0.0) [Compare Source](https://redirect.github.com/actions/deploy-pages/compare/v4.0.5...v5.0.0) ### Changelog - Update Node.js version to 24.x [@​salmanmkc](https://redirect.github.com/salmanmkc) ([#​404](https://redirect.github.com/actions/deploy-pages/issues/404)) - Add workflow file for publishing releases to immutable action package [@​Jcambass](https://redirect.github.com/Jcambass) ([#​374](https://redirect.github.com/actions/deploy-pages/issues/374)) - Bump braces from 3.0.2 to 3.0.3 in the npm\_and\_yarn group across 1 directory [@​dependabot](https://redirect.github.com/dependabot) ([#​360](https://redirect.github.com/actions/deploy-pages/issues/360)) - Make the rebuild dist workflow work nicer with Dependabot [@​yoannchaudet](https://redirect.github.com/yoannchaudet) ([#​361](https://redirect.github.com/actions/deploy-pages/issues/361)) - Bump the non-breaking-changes group across 1 directory with 3 updates [@​dependabot](https://redirect.github.com/dependabot) ([#​358](https://redirect.github.com/actions/deploy-pages/issues/358)) - Delete repeated sentence [@​garethsb](https://redirect.github.com/garethsb) ([#​359](https://redirect.github.com/actions/deploy-pages/issues/359)) - Update README.md [@​tsusdere](https://redirect.github.com/tsusdere) ([#​348](https://redirect.github.com/actions/deploy-pages/issues/348)) - Bump the non-breaking-changes group with 4 updates [@​dependabot](https://redirect.github.com/dependabot) ([#​341](https://redirect.github.com/actions/deploy-pages/issues/341)) - Remove error message for file permissions [@​TooManyBees](https://redirect.github.com/TooManyBees) ([#​340](https://redirect.github.com/actions/deploy-pages/issues/340)) *** See details of [all code changes](https://redirect.github.com/actions/deploy-pages/compare/v4.0.5...v4.0.6) since previous release. :warning: For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the [compatibility table](https://redirect.github.com/actions/deploy-pages/#compatibility). </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [actions/dependency-review-action](https://redirect.github.com/actions/dependency-review-action) | action | major | `v4.9.0` → `v5.0.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/actions/dependency-review-action) | --- ### Release Notes <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v5.0.0`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v5.0.0): 5.0.0 [Compare Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.9.0...v5.0.0) This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version [v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1) to run. #### What's Changed - Add .github/copilot-instructions.md for Copilot coding agent by [@​ahpook](https://redirect.github.com/ahpook) in [#​1067](https://redirect.github.com/actions/dependency-review-action/pull/1067) - Update Node.js runtime from 20 to 24 by [@​scottschreckengaust](https://redirect.github.com/scottschreckengaust) in [#​1084](https://redirect.github.com/actions/dependency-review-action/pull/1084) - Bump spdx-license-ids from 3.0.20 to 3.0.23 by [@​mongolyy](https://redirect.github.com/mongolyy) in [#​1091](https://redirect.github.com/actions/dependency-review-action/pull/1091) - docs: bump actions/checkout from v4 to v6 in workflow examples by [@​Marukome0743](https://redirect.github.com/Marukome0743) in [#​1077](https://redirect.github.com/actions/dependency-review-action/pull/1077) - fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by [@​tspascoal](https://redirect.github.com/tspascoal) in [#​1076](https://redirect.github.com/actions/dependency-review-action/pull/1076) - Resolve security findings by [@​AshelyTC](https://redirect.github.com/AshelyTC) in [#​1094](https://redirect.github.com/actions/dependency-review-action/pull/1094) - v5.0.0 release branch by [@​ahpook](https://redirect.github.com/ahpook) in [#​1098](https://redirect.github.com/actions/dependency-review-action/pull/1098) #### New Contributors - [@​scottschreckengaust](https://redirect.github.com/scottschreckengaust) made their first contribution in [#​1084](https://redirect.github.com/actions/dependency-review-action/pull/1084) - [@​mongolyy](https://redirect.github.com/mongolyy) made their first contribution in [#​1091](https://redirect.github.com/actions/dependency-review-action/pull/1091) - [@​Marukome0743](https://redirect.github.com/Marukome0743) made their first contribution in [#​1077](https://redirect.github.com/actions/dependency-review-action/pull/1077) **Full Changelog**: <actions/dependency-review-action@v4.9.0...v5.0.0> </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [actions/configure-pages](https://redirect.github.com/actions/configure-pages) | action | major | `v5` → `v6.0.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/actions/configure-pages) | --- ### Release Notes <details> <summary>actions/configure-pages (actions/configure-pages)</summary> ### [`v6.0.0`](https://redirect.github.com/actions/configure-pages/releases/tag/v6.0.0) [Compare Source](https://redirect.github.com/actions/configure-pages/compare/v5.0.0...v6.0.0) ### Changelog - upgrade to node 24 [@​salmanmkc](https://redirect.github.com/salmanmkc) ([#​186](https://redirect.github.com/actions/configure-pages/issues/186)) - Upgrade IA Publish [@​Jcambass](https://redirect.github.com/Jcambass) ([#​165](https://redirect.github.com/actions/configure-pages/issues/165)) - Add workflow file for publishing releases to immutable action package [@​Jcambass](https://redirect.github.com/Jcambass) ([#​163](https://redirect.github.com/actions/configure-pages/issues/163)) - pin draft release version [@​YiMysty](https://redirect.github.com/YiMysty) ([#​162](https://redirect.github.com/actions/configure-pages/issues/162)) - Bump espree from 9.6.1 to 10.1.0 [@​dependabot](https://redirect.github.com/dependabot) ([#​160](https://redirect.github.com/actions/configure-pages/issues/160)) - Bump eslint-config-prettier from 8.8.0 to 9.1.0 [@​dependabot](https://redirect.github.com/dependabot) ([#​143](https://redirect.github.com/actions/configure-pages/issues/143)) - Be more friendly to Dependabot [@​yoannchaudet](https://redirect.github.com/yoannchaudet) ([#​158](https://redirect.github.com/actions/configure-pages/issues/158)) - Bump eslint-plugin-github from 4.10.2 to 5.0.1 [@​dependabot](https://redirect.github.com/dependabot) ([#​154](https://redirect.github.com/actions/configure-pages/issues/154)) - Bump braces from 3.0.2 to 3.0.3 in the npm\_and\_yarn group [@​dependabot](https://redirect.github.com/dependabot) ([#​156](https://redirect.github.com/actions/configure-pages/issues/156)) - Bump undici from 5.28.3 to 5.28.4 [@​dependabot](https://redirect.github.com/dependabot) ([#​145](https://redirect.github.com/actions/configure-pages/issues/145)) See details of [all code changes](https://redirect.github.com/actions/configure-pages/compare/v5.0.0...v5.0.1) since previous release. </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…#184) This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [stefanzweifel/git-auto-commit-action](https://redirect.github.com/stefanzweifel/git-auto-commit-action) | action | major | `v6.0.1` → `v7.1.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/stefanzweifel/git-auto-commit-action) | --- ### Release Notes <details> <summary>stefanzweifel/git-auto-commit-action (stefanzweifel/git-auto-commit-action)</summary> ### [`v7.1.0`](https://redirect.github.com/stefanzweifel/git-auto-commit-action/blob/HEAD/CHANGELOG.md#v710---2025-12-17) [Compare Source](https://redirect.github.com/stefanzweifel/git-auto-commit-action/compare/v7...v7.1.0) ##### Added - Add skip\_push input option ([#​401](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/401)) [@​kvanzuijlen](https://redirect.github.com/@​kvanzuijlen) ##### Changes - docs: fix typo in README.md ([#​400](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/400)) [@​GideonBear](https://redirect.github.com/@​GideonBear) ##### Dependency Updates - Bump actions/checkout from 5 to 6 ([#​399](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/399)) \[@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)]\(<https://github.com/@​[dependabot[bot>]]\(<https://github.com/apps/dependabot>)) - Bump bats from 1.12.0 to 1.13.0 ([#​398](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/398)) \[@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)]\(<https://github.com/@​[dependabot[bot>]]\(<https://github.com/apps/dependabot>)) ### [`v7.0.0`](https://redirect.github.com/stefanzweifel/git-auto-commit-action/blob/HEAD/CHANGELOG.md#v700---2025-10-12) [Compare Source](https://redirect.github.com/stefanzweifel/git-auto-commit-action/compare/v6.0.1...v7) ##### Added - Restore skip\_fetch, skip\_checkout, create\_branch ([#​388](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/388)) [@​stefanzweifel](https://redirect.github.com/@​stefanzweifel) - Restore Detached State Detection ([#​393](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/393)) [@​stefanzweifel](https://redirect.github.com/@​stefanzweifel) - Add Support for Tag Messages ([#​391](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/391)) [@​EliasBoulharts](https://redirect.github.com/@​EliasBoulharts) ##### Changed - Run Action on Node 24 ([#​389](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/389)) [@​stefanzweifel](https://redirect.github.com/@​stefanzweifel) ##### Dependency Updates - Bump actions/checkout from 4 to 5 ([#​386](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/386)) \[@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)]\(<https://github.com/@​[dependabot[bot>]]\(<https://github.com/apps/dependabot>)) </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTQxLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [peter-evans/create-pull-request](https://redirect.github.com/peter-evans/create-pull-request) | action | major | `v7.0.11` → `v8.1.1` | [](https://securityscorecards.dev/viewer/?uri=github.com/peter-evans/create-pull-request) | --- ### Release Notes <details> <summary>peter-evans/create-pull-request (peter-evans/create-pull-request)</summary> ### [`v8.1.1`](https://redirect.github.com/peter-evans/create-pull-request/releases/tag/v8.1.1): Create Pull Request v8.1.1 [Compare Source](https://redirect.github.com/peter-evans/create-pull-request/compare/v8.1.0...v8.1.1) #### What's Changed - build(deps-dev): bump the npm group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​4305](https://redirect.github.com/peter-evans/create-pull-request/pull/4305) - build(deps): bump minimatch by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​4311](https://redirect.github.com/peter-evans/create-pull-request/pull/4311) - build(deps): bump the github-actions group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​4316](https://redirect.github.com/peter-evans/create-pull-request/pull/4316) - build(deps): bump [@​tootallnate/once](https://redirect.github.com/tootallnate/once) and jest-environment-jsdom by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​4323](https://redirect.github.com/peter-evans/create-pull-request/pull/4323) - build(deps-dev): bump undici from 6.23.0 to 6.24.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​4328](https://redirect.github.com/peter-evans/create-pull-request/pull/4328) - build(deps-dev): bump flatted from 3.3.1 to 3.4.2 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​4334](https://redirect.github.com/peter-evans/create-pull-request/pull/4334) - build(deps): bump picomatch by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​4339](https://redirect.github.com/peter-evans/create-pull-request/pull/4339) - build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​4344](https://redirect.github.com/peter-evans/create-pull-request/pull/4344) - build(deps-dev): bump the npm group with 3 updates by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​4349](https://redirect.github.com/peter-evans/create-pull-request/pull/4349) - fix: retry post-creation API calls on 422 eventual consistency errors by [@​peter-evans](https://redirect.github.com/peter-evans) in [#​4356](https://redirect.github.com/peter-evans/create-pull-request/pull/4356) **Full Changelog**: <peter-evans/create-pull-request@v8.1.0...v8.1.1> ### [`v8.1.0`](https://redirect.github.com/peter-evans/create-pull-request/releases/tag/v8.1.0): Create Pull Request v8.1.0 [Compare Source](https://redirect.github.com/peter-evans/create-pull-request/compare/v8...v8.1.0) ##### What's Changed - README.md: bump given GitHub actions to their latest versions by [@​deining](https://redirect.github.com/deining) in [#​4265](https://redirect.github.com/peter-evans/create-pull-request/pull/4265) - build(deps): bump the github-actions group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​4273](https://redirect.github.com/peter-evans/create-pull-request/pull/4273) - build(deps-dev): bump the npm group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​4274](https://redirect.github.com/peter-evans/create-pull-request/pull/4274) - build(deps-dev): bump undici from 6.22.0 to 6.23.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​4284](https://redirect.github.com/peter-evans/create-pull-request/pull/4284) - Update distribution by [@​actions-bot](https://redirect.github.com/actions-bot) in [#​4289](https://redirect.github.com/peter-evans/create-pull-request/pull/4289) - fix: Handle remote prune failures gracefully on self-hosted runners by [@​peter-evans](https://redirect.github.com/peter-evans) in [#​4295](https://redirect.github.com/peter-evans/create-pull-request/pull/4295) - feat: add [@​octokit/plugin-retry](https://redirect.github.com/octokit/plugin-retry) to handle retriable server errors by [@​peter-evans](https://redirect.github.com/peter-evans) in [#​4298](https://redirect.github.com/peter-evans/create-pull-request/pull/4298) ##### New Contributors - [@​deining](https://redirect.github.com/deining) made their first contribution in [#​4265](https://redirect.github.com/peter-evans/create-pull-request/pull/4265) **Full Changelog**: <peter-evans/create-pull-request@v8.0.0...v8.1.0> ### [`v8.0.0`](https://redirect.github.com/peter-evans/create-pull-request/releases/tag/v8.0.0): Create Pull Request v8.0.0 [Compare Source](https://redirect.github.com/peter-evans/create-pull-request/compare/v7.0.11...v8) ##### What's new in v8 - Requires [Actions Runner v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1) or later if you are using a self-hosted runner for Node 24 support. ##### What's Changed - chore: Update checkout action version to v6 by [@​yonas](https://redirect.github.com/yonas) in [#​4258](https://redirect.github.com/peter-evans/create-pull-request/pull/4258) - Update actions/checkout references to [@​v6](https://redirect.github.com/v6) in docs by [@​Copilot](https://redirect.github.com/Copilot) in [#​4259](https://redirect.github.com/peter-evans/create-pull-request/pull/4259) - feat: v8 by [@​peter-evans](https://redirect.github.com/peter-evans) in [#​4260](https://redirect.github.com/peter-evans/create-pull-request/pull/4260) ##### New Contributors - [@​yonas](https://redirect.github.com/yonas) made their first contribution in [#​4258](https://redirect.github.com/peter-evans/create-pull-request/pull/4258) - [@​Copilot](https://redirect.github.com/Copilot) made their first contribution in [#​4259](https://redirect.github.com/peter-evans/create-pull-request/pull/4259) **Full Changelog**: <peter-evans/create-pull-request@v7.0.11...v8.0.0> </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTM5LjciLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [actions/checkout](https://redirect.github.com/actions/checkout) | action | major | `v5.0.1` → `v6.0.2` | [](https://securityscorecards.dev/viewer/?uri=github.com/actions/checkout) | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v6.0.2`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v602) [Compare Source](https://redirect.github.com/actions/checkout/compare/v6.0.1...v6.0.2) - Fix tag handling: preserve annotations and explicit fetch-tags by [@​ericsciple](https://redirect.github.com/ericsciple) in [#​2356](https://redirect.github.com/actions/checkout/pull/2356) ### [`v6.0.1`](https://redirect.github.com/actions/checkout/compare/v6.0.0...v6.0.1) [Compare Source](https://redirect.github.com/actions/checkout/compare/v6...v6.0.1) ### [`v6.0.0`](https://redirect.github.com/actions/checkout/compare/v5.0.1...v6.0.0) [Compare Source](https://redirect.github.com/actions/checkout/compare/v5.0.1...v6) </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTM5LjciLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [actions/download-artifact](https://redirect.github.com/actions/download-artifact) | action | major | `v5.0.0` → `v7.0.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/actions/download-artifact) | | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | major | `v6` → `v7.0.1` | [](https://securityscorecards.dev/viewer/?uri=github.com/actions/upload-artifact) | | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | major | `v4.6.2` → `v7.0.1` | [](https://securityscorecards.dev/viewer/?uri=github.com/actions/upload-artifact) | --- ### Release Notes <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v7.0.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v7.0.0) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v6.0.0...v7.0.0) ##### v7 - What's new > \[!IMPORTANT] > actions/download-artifact\@​v7 now runs on Node.js 24 (`runs.using: node24`) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading. ##### Node.js 24 This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24. ##### What's Changed - Update GHES guidance to include reference to Node 20 version by [@​patrikpolyak](https://redirect.github.com/patrikpolyak) in [#​440](https://redirect.github.com/actions/download-artifact/pull/440) - Download Artifact Node24 support by [@​salmanmkc](https://redirect.github.com/salmanmkc) in [#​415](https://redirect.github.com/actions/download-artifact/pull/415) - fix: update [@​actions/artifact](https://redirect.github.com/actions/artifact) to fix Node.js 24 punycode deprecation by [@​salmanmkc](https://redirect.github.com/salmanmkc) in [#​451](https://redirect.github.com/actions/download-artifact/pull/451) - prepare release v7.0.0 for Node.js 24 support by [@​salmanmkc](https://redirect.github.com/salmanmkc) in [#​452](https://redirect.github.com/actions/download-artifact/pull/452) ##### New Contributors - [@​patrikpolyak](https://redirect.github.com/patrikpolyak) made their first contribution in [#​440](https://redirect.github.com/actions/download-artifact/pull/440) - [@​salmanmkc](https://redirect.github.com/salmanmkc) made their first contribution in [#​415](https://redirect.github.com/actions/download-artifact/pull/415) **Full Changelog**: <actions/download-artifact@v6.0.0...v7.0.0> ### [`v6.0.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v6.0.0) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v5.0.0...v6.0.0) #### What's Changed **BREAKING CHANGE:** this update supports Node `v24.x`. This is not a breaking change per-se but we're treating it as such. - Update README for download-artifact v5 changes by [@​yacaovsnc](https://redirect.github.com/yacaovsnc) in [#​417](https://redirect.github.com/actions/download-artifact/pull/417) - Update README with artifact extraction details by [@​yacaovsnc](https://redirect.github.com/yacaovsnc) in [#​424](https://redirect.github.com/actions/download-artifact/pull/424) - Readme: spell out the first use of GHES by [@​danwkennedy](https://redirect.github.com/danwkennedy) in [#​431](https://redirect.github.com/actions/download-artifact/pull/431) - Bump `@actions/artifact` to `v4.0.0` - Prepare `v6.0.0` by [@​danwkennedy](https://redirect.github.com/danwkennedy) in [#​438](https://redirect.github.com/actions/download-artifact/pull/438) #### New Contributors - [@​danwkennedy](https://redirect.github.com/danwkennedy) made their first contribution in [#​431](https://redirect.github.com/actions/download-artifact/pull/431) **Full Changelog**: <actions/download-artifact@v5...v6.0.0> </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v7.0.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v7.0.1) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v7...v7.0.1) ##### What's Changed - Update the readme with direct upload details by [@​danwkennedy](https://redirect.github.com/danwkennedy) in [#​795](https://redirect.github.com/actions/upload-artifact/pull/795) - Readme: bump all the example versions to v7 by [@​danwkennedy](https://redirect.github.com/danwkennedy) in [#​796](https://redirect.github.com/actions/upload-artifact/pull/796) - Include changes in typespec/ts-http-runtime 0.3.5 by [@​yacaovsnc](https://redirect.github.com/yacaovsnc) in [#​797](https://redirect.github.com/actions/upload-artifact/pull/797) **Full Changelog**: <actions/upload-artifact@v7...v7.0.1> ### [`v7.0.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v7.0.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v6.0.0...v7) #### v7 What's new ##### Direct Uploads Adds support for uploading single files directly (unzipped). Callers can set the new `archive` parameter to `false` to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The `name` parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file. ##### ESM To support new versions of the `@actions/*` packages, we've upgraded the package to ESM. #### What's Changed - Add proxy integration test by [@​Link-](https://redirect.github.com/Link-) in [#​754](https://redirect.github.com/actions/upload-artifact/pull/754) - Upgrade the module to ESM and bump dependencies by [@​danwkennedy](https://redirect.github.com/danwkennedy) in [#​762](https://redirect.github.com/actions/upload-artifact/pull/762) - Support direct file uploads by [@​danwkennedy](https://redirect.github.com/danwkennedy) in [#​764](https://redirect.github.com/actions/upload-artifact/pull/764) #### New Contributors - [@​Link-](https://redirect.github.com/Link-) made their first contribution in [#​754](https://redirect.github.com/actions/upload-artifact/pull/754) **Full Changelog**: <actions/upload-artifact@v6...v7.0.0> </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTM5LjciLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Hans <11695964+hupling@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [actions/setup-node](https://redirect.github.com/actions/setup-node) | action | major | `v5.0.0` → `v6.4.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/actions/setup-node) | --- ### Release Notes <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v6.4.0`](https://redirect.github.com/actions/setup-node/compare/v6.3.0...v6.4.0) [Compare Source](https://redirect.github.com/actions/setup-node/compare/v6.3.0...v6.4.0) ### [`v6.3.0`](https://redirect.github.com/actions/setup-node/releases/tag/v6.3.0) [Compare Source](https://redirect.github.com/actions/setup-node/compare/v6.2.0...v6.3.0) #### What's Changed ##### Enhancements: - Support parsing `devEngines` field by [@​susnux](https://redirect.github.com/susnux) in [#​1283](https://redirect.github.com/actions/setup-node/pull/1283) > When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node. ##### Dependency updates: - Fix npm audit issues by [@​gowridurgad](https://redirect.github.com/gowridurgad) in [#​1491](https://redirect.github.com/actions/setup-node/pull/1491) - Replace uuid with crypto.randomUUID() by [@​trivikr](https://redirect.github.com/trivikr) in [#​1378](https://redirect.github.com/actions/setup-node/pull/1378) - Upgrade minimatch from 3.1.2 to 3.1.5 by [@​dependabot](https://redirect.github.com/dependabot) in [#​1498](https://redirect.github.com/actions/setup-node/pull/1498) ##### Bug fixes: - Remove hardcoded bearer for mirror-url [@​marco-ippolito](https://redirect.github.com/marco-ippolito) in [#​1467](https://redirect.github.com/actions/setup-node/pull/1467) - Scope test lockfiles by package manager and update cache tests by [@​gowridurgad](https://redirect.github.com/gowridurgad) in [#​1495](https://redirect.github.com/actions/setup-node/pull/1495) #### New Contributors - [@​susnux](https://redirect.github.com/susnux) made their first contribution in [#​1283](https://redirect.github.com/actions/setup-node/pull/1283) **Full Changelog**: <actions/setup-node@v6...v6.3.0> ### [`v6.2.0`](https://redirect.github.com/actions/setup-node/compare/v6.1.0...v6.2.0) [Compare Source](https://redirect.github.com/actions/setup-node/compare/v6.1.0...v6.2.0) ### [`v6.1.0`](https://redirect.github.com/actions/setup-node/releases/tag/v6.1.0) [Compare Source](https://redirect.github.com/actions/setup-node/compare/v6...v6.1.0) #### What's Changed ##### Enhancement: - Remove always-auth configuration handling by [@​priyagupta108](https://redirect.github.com/priyagupta108) in [#​1436](https://redirect.github.com/actions/setup-node/pull/1436) ##### Dependency updates: - Upgrade [@​actions/cache](https://redirect.github.com/actions/cache) from 4.0.3 to 4.1.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1384](https://redirect.github.com/actions/setup-node/pull/1384) - Upgrade actions/checkout from 5 to 6 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1439](https://redirect.github.com/actions/setup-node/pull/1439) - Upgrade js-yaml from 3.14.1 to 3.14.2 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1435](https://redirect.github.com/actions/setup-node/pull/1435) ##### Documentation update: - Add example for restore-only cache in documentation by [@​aparnajyothi-y](https://redirect.github.com/aparnajyothi-y) in [#​1419](https://redirect.github.com/actions/setup-node/pull/1419) **Full Changelog**: <actions/setup-node@v6...v6.1.0> ### [`v6.0.0`](https://redirect.github.com/actions/setup-node/releases/tag/v6.0.0) [Compare Source](https://redirect.github.com/actions/setup-node/compare/v5.0.0...v6) ##### What's Changed **Breaking Changes** - Limit automatic caching to npm, update workflows and documentation by [@​priyagupta108](https://redirect.github.com/priyagupta108) in [#​1374](https://redirect.github.com/actions/setup-node/pull/1374) **Dependency Upgrades** - Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1336](https://redirect.github.com/actions/setup-node/pull/1336) - Upgrade prettier from 2.8.8 to 3.6.2 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1334](https://redirect.github.com/actions/setup-node/pull/1334) - Upgrade actions/publish-action from 0.3.0 to 0.4.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​1362](https://redirect.github.com/actions/setup-node/pull/1362) **Full Changelog**: <actions/setup-node@v5...v6.0.0> </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTM5LjciLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [actions/download-artifact](https://redirect.github.com/actions/download-artifact) | action | major | `v5.0.0` → `v6.0.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/actions/download-artifact) | | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | major | `v4.6.2` → `v6.0.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/actions/upload-artifact) | --- ### Release Notes <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v6.0.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v6.0.0) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v5.0.0...v6.0.0) #### What's Changed **BREAKING CHANGE:** this update supports Node `v24.x`. This is not a breaking change per-se but we're treating it as such. - Update README for download-artifact v5 changes by [@​yacaovsnc](https://redirect.github.com/yacaovsnc) in [#​417](https://redirect.github.com/actions/download-artifact/pull/417) - Update README with artifact extraction details by [@​yacaovsnc](https://redirect.github.com/yacaovsnc) in [#​424](https://redirect.github.com/actions/download-artifact/pull/424) - Readme: spell out the first use of GHES by [@​danwkennedy](https://redirect.github.com/danwkennedy) in [#​431](https://redirect.github.com/actions/download-artifact/pull/431) - Bump `@actions/artifact` to `v4.0.0` - Prepare `v6.0.0` by [@​danwkennedy](https://redirect.github.com/danwkennedy) in [#​438](https://redirect.github.com/actions/download-artifact/pull/438) #### New Contributors - [@​danwkennedy](https://redirect.github.com/danwkennedy) made their first contribution in [#​431](https://redirect.github.com/actions/download-artifact/pull/431) **Full Changelog**: <actions/download-artifact@v5...v6.0.0> </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v6.0.0`](https://redirect.github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0) ### [`v5.0.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.6.2...v5.0.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.6.2...v5.0.0) </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTM5LjciLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Hans <11695964+hupling@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | major | `v3.35.4` → `v4.35.4` | [](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action) | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v4.35.4`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.4) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.35.3...v4.35.4) - Update default CodeQL bundle version to [2.25.4](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4). [#​3881](https://redirect.github.com/github/codeql-action/pull/3881) ### [`v4.35.3`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.3) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.35.2...v4.35.3) - *Upcoming breaking change*: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. [#​3837](https://redirect.github.com/github/codeql-action/pull/3837) - Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. [#​3850](https://redirect.github.com/github/codeql-action/pull/3850) - Best-effort connection tests for private registries now use `GET` requests instead of `HEAD` for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. [#​3853](https://redirect.github.com/github/codeql-action/pull/3853) - Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. [#​3852](https://redirect.github.com/github/codeql-action/pull/3852) - Update default CodeQL bundle version to [2.25.3](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3). [#​3865](https://redirect.github.com/github/codeql-action/pull/3865) ### [`v4.35.2`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.2) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.35.1...v4.35.2) - The undocumented TRAP cache cleanup feature that could be enabled using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the `trap-caching: false` input to the `init` Action. [#​3795](https://redirect.github.com/github/codeql-action/pull/3795) - The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. [#​3789](https://redirect.github.com/github/codeql-action/pull/3789) - Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. [#​3794](https://redirect.github.com/github/codeql-action/pull/3794) - Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. [#​3807](https://redirect.github.com/github/codeql-action/pull/3807) - Update default CodeQL bundle version to [2.25.2](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2). [#​3823](https://redirect.github.com/github/codeql-action/pull/3823) ### [`v4.35.1`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.1) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.35.0...v4.35.1) - Fix incorrect minimum required Git version for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158): it should have been 2.36.0, not 2.11.0. [#​3781](https://redirect.github.com/github/codeql-action/pull/3781) ### [`v4.35.0`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.0) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.34.1...v4.35.0) - Reduced the minimum Git version required for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#​3767](https://redirect.github.com/github/codeql-action/pull/3767) - Update default CodeQL bundle version to [2.25.1](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1). [#​3773](https://redirect.github.com/github/codeql-action/pull/3773) ### [`v4.34.1`](https://redirect.github.com/github/codeql-action/releases/tag/v4.34.1) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.34.0...v4.34.1) - Downgrade default CodeQL bundle version to [2.24.3](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#​3762](https://redirect.github.com/github/codeql-action/pull/3762) ### [`v4.34.0`](https://redirect.github.com/github/codeql-action/releases/tag/v4.34.0) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.33.0...v4.34.0) - Added an experimental change which disables TRAP caching when [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#​3569](https://redirect.github.com/github/codeql-action/pull/3569) - We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#​3584](https://redirect.github.com/github/codeql-action/pull/3584) - Update default CodeQL bundle version to [2.25.0](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#​3585](https://redirect.github.com/github/codeql-action/pull/3585) ### [`v4.33.0`](https://redirect.github.com/github/codeql-action/releases/tag/v4.33.0) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.32.6...v4.33.0) - Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#​3562](https://redirect.github.com/github/codeql-action/pull/3562) To opt out of this change: - **Repositories owned by an organization:** Create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). Alternatively, if you are using an advanced setup workflow, you can set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow. - **User-owned repositories using default setup:** Switch to an advanced setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow. - **User-owned repositories using advanced setup:** Set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in your workflow. - Fixed [a bug](https://redirect.github.com/github/codeql-action/issues/3555) which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. [#​3557](https://redirect.github.com/github/codeql-action/pull/3557) - The CodeQL Action now loads [custom repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) on GitHub Enterprise Server, enabling the customization of features such as `github-codeql-disable-overlay` that was previously only available on GitHub.com. [#​3559](https://redirect.github.com/github/codeql-action/pull/3559) - Once [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. [#​3563](https://redirect.github.com/github/codeql-action/pull/3563) - Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#​3564](https://redirect.github.com/github/codeql-action/pull/3564) - A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. [#​3570](https://redirect.github.com/github/codeql-action/pull/3570) ### [`v4.32.6`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.6) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.32.5...v4.32.6) - Update default CodeQL bundle version to [2.24.3](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3). [#​3548](https://redirect.github.com/github/codeql-action/pull/3548) ### [`v4.32.5`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.5) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.32.4...v4.32.5) - Repositories owned by an organization can now set up the `github-codeql-disable-overlay` custom repository property to disable [improved incremental analysis for CodeQL](https://redirect.github.com/github/roadmap/issues/1158). First, create a custom repository property with the name `github-codeql-disable-overlay` and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to `true` to disable improved incremental analysis. For more information, see [Managing custom properties for repositories in your organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization). This feature is not yet available on GitHub Enterprise Server. [#​3507](https://redirect.github.com/github/codeql-action/pull/3507) - Added an experimental change so that when [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158) fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. [#​3487](https://redirect.github.com/github/codeql-action/pull/3487) - The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. [#​3515](https://redirect.github.com/github/codeql-action/pull/3515) - Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. [#​3516](https://redirect.github.com/github/codeql-action/pull/3516) - Added an experimental change which lowers the minimum disk space requirement for [improved incremental analysis](https://redirect.github.com/github/roadmap/issues/1158), enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. [#​3498](https://redirect.github.com/github/codeql-action/pull/3498) - Added an experimental change which allows the `start-proxy` action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. [#​3512](https://redirect.github.com/github/codeql-action/pull/3512) - The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. [#​3503](https://redirect.github.com/github/codeql-action/pull/3503), [#​3504](https://redirect.github.com/github/codeql-action/pull/3504) ### [`v4.32.4`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.4) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.32.3...v4.32.4) - Update default CodeQL bundle version to [2.24.2](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2). [#​3493](https://redirect.github.com/github/codeql-action/pull/3493) - Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. [#​3473](https://redirect.github.com/github/codeql-action/pull/3473) - When the CodeQL Action is run [with debugging enabled in Default Setup](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup) and [private package registries are configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries), the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. [#​3486](https://redirect.github.com/github/codeql-action/pull/3486) - Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. [#​3485](https://redirect.github.com/github/codeql-action/pull/3485) - Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a [nightly CodeQL CLI release](https://redirect.github.com/dsp-testing/codeql-cli-nightlies) instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. [#​3484](https://redirect.github.com/github/codeql-action/pull/3484) ### [`v4.32.3`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.3) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.32.2...v4.32.3) - Added experimental support for testing connections to [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries). This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. [#​3466](https://redirect.github.com/github/codeql-action/pull/3466) ### [`v4.32.2`](https://redirect.github.com/github/codeql-action/compare/v4.32.1...v4.32.2) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.32.1...v4.32.2) ### [`v4.32.1`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.1) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.32.0...v4.32.1) - A warning is now shown in Default Setup workflow logs if a [private package registry is configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) using a GitHub Personal Access Token (PAT), but no username is configured. [#​3422](https://redirect.github.com/github/codeql-action/pull/3422) - Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. [#​3421](https://redirect.github.com/github/codeql-action/pull/3421) ### [`v4.32.0`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.0) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.11...v4.32.0) - Update default CodeQL bundle version to [2.24.0](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0). [#​3425](https://redirect.github.com/github/codeql-action/pull/3425) ### [`v4.31.11`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.11) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.10...v4.31.11) - When running a Default Setup workflow with [Actions debugging enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging), the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. [#​3409](https://redirect.github.com/github/codeql-action/pull/3409) - Improved error handling throughout the CodeQL Action. [#​3415](https://redirect.github.com/github/codeql-action/pull/3415) - Added experimental support for automatically excluding [generated files](https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github) from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. [#​3318](https://redirect.github.com/github/codeql-action/pull/3318) - The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. [#​3403](https://redirect.github.com/github/codeql-action/pull/3403) ### [`v4.31.10`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.10) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.9...v4.31.10) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. ##### 4.31.10 - 12 Jan 2026 - Update default CodeQL bundle version to 2.23.9. [#​3393](https://redirect.github.com/github/codeql-action/pull/3393) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.10/CHANGELOG.md) for more information. ### [`v4.31.9`](https://redirect.github.com/github/codeql-action/compare/v4.31.8...v4.31.9) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.8...v4.31.9) ### [`v4.31.8`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.8) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.7...v4.31.8) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. ##### 4.31.8 - 11 Dec 2025 - Update default CodeQL bundle version to 2.23.8. [#​3354](https://redirect.github.com/github/codeql-action/pull/3354) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.8/CHANGELOG.md) for more information. ### [`v4.31.7`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.7) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.6...v4.31.7) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. ##### 4.31.7 - 05 Dec 2025 - Update default CodeQL bundle version to 2.23.7. [#​3343](https://redirect.github.com/github/codeql-action/pull/3343) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.7/CHANGELOG.md) for more information. ### [`v4.31.6`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.6) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.5...v4.31.6) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. ##### 4.31.6 - 01 Dec 2025 No user facing changes. See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.6/CHANGELOG.md) for more information. ### [`v4.31.5`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.5) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.4...v4.31.5) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. ##### 4.31.5 - 24 Nov 2025 - Update default CodeQL bundle version to 2.23.6. [#​3321](https://redirect.github.com/github/codeql-action/pull/3321) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.5/CHANGELOG.md) for more information. ### [`v4.31.4`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.4) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.3...v4.31.4) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. ##### 4.31.4 - 18 Nov 2025 No user facing changes. See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.4/CHANGELOG.md) for more information. ### [`v4.31.3`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.3) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.2...v4.31.3) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. ##### 4.31.3 - 13 Nov 2025 - CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see [Upcoming deprecation of CodeQL Action v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/). - Update default CodeQL bundle version to 2.23.5. [#​3288](https://redirect.github.com/github/codeql-action/pull/3288) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.3/CHANGELOG.md) for more information. ### [`v4.31.2`](https://redirect.github.com/github/codeql-action/compare/v4.31.1...v4.31.2) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.1...v4.31.2) ### [`v4.31.1`](https://redirect.github.com/github/codeql-action/compare/v4.31.0...v4.31.1) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.31.0...v4.31.1) ### [`v4.31.0`](https://redirect.github.com/github/codeql-action/compare/v4.30.9...v4.31.0) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.30.9...v4.31.0) ### [`v4.30.9`](https://redirect.github.com/github/codeql-action/releases/tag/v4.30.9) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.30.8...v4.30.9) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. ##### 4.30.9 - 17 Oct 2025 - Update default CodeQL bundle version to 2.23.3. [#​3205](https://redirect.github.com/github/codeql-action/pull/3205) - Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. [#​3204](https://redirect.github.com/github/codeql-action/pull/3204) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.30.9/CHANGELOG.md) for more information. ### [`v4.30.8`](https://redirect.github.com/github/codeql-action/releases/tag/v4.30.8) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v4.30.7...v4.30.8) ### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. #### 4.30.8 - 10 Oct 2025 No user facing changes. See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.30.8/CHANGELOG.md) for more information. ### [`v4.30.7`](https://redirect.github.com/github/codeql-action/releases/tag/v4.30.7) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.35.4...v4.30.7) ### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. #### 4.30.7 - 06 Oct 2025 - \[v4+ only] The CodeQL Action now runs on Node.js v24. [#​3169](https://redirect.github.com/github/codeql-action/pull/3169) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.30.7/CHANGELOG.md) for more information. </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTU5LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | major | `v4.6.2` → `v5.0.0` | [](https://securityscorecards.dev/viewer/?uri=github.com/actions/upload-artifact) | --- ### Release Notes <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v5.0.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.6.2...v5.0.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.6.2...v5.0.0) </details> --- ### Configuration 📅 **Schedule**: (in timezone Europe/Berlin) - Branch creation - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`) - Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (`* 0-4,22-23 * * 1-5`) - Only on Sunday and Saturday (`* * * * 0,6`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/it-at-m/lhm_actions). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTM5LjciLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Hans <11695964+hupling@users.noreply.github.com>
📝 WalkthroughWalkthroughThis PR updates pinned commit SHAs for GitHub Actions marketplace actions across all CI/CD workflows and composite action templates. Core actions like ChangesUnified GitHub Actions version pinning update
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
action-templates/actions/action-trivy/action.yml (1)
50-50: 🧹 Nitpick | 🔵 Trivial | 💤 Low valueConsider pinning the CodeQL action to a specific SHA for consistency.
This file pins other actions to commit SHAs (lines 18, 23, 41) for security, but line 50 uses only a tag reference (
@v4). While not blocking for this PR, consider pinning to a SHA in a follow-up to maintain consistency with the repo's security practices.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@action-templates/actions/action-trivy/action.yml` at line 50, The GitHub Action reference "github/codeql-action/upload-sarif@v4" should be pinned to a specific commit SHA for consistency with other actions; replace the tag "@v4" with the corresponding commit SHA for the upload-sarif action (the same pattern used for other actions in this file) and verify the SHA matches the intended release; update the uses entry for "github/codeql-action/upload-sarif" so it references the exact commit SHA rather than the floating tag.action-templates/actions/action-npm-build/action.yml (1)
1-1:⚠️ Potential issue | 🔴 Critical | ⚡ Quick winFix SHA mismatch in github/codeql-action and address breaking changes from major version updates.
Critical: The pinned SHA for
github/codeql-action v4.35.4is incorrect:
- Pinned:
68bde559dea0fdcac2102bfdf6230c5f70eb485e- Actual v4.35.4 tag:
3ce22a6e336a7fcc318bc58ae1986395bdc83ba7Update this to the correct SHA immediately.
All other action SHAs are correctly pinned. However, the major version updates introduce breaking changes that may require workflow adjustments:
- actions/upload-artifact v7: ESM runtime upgrade, Node 24 required; note the new
archiveparameter behavior for direct uploads- peter-evans/create-pull-request v8: Node.js 24 runtime requires self-hosted runners to upgrade to v2.327.1+
- github/codeql-action v4: Node.js 24 runtime (v3 used Node 20)
- actions/checkout v6: Credential storage location changed; Docker container actions require runner v2.329.0+
- actions/setup-node v6: Automatic caching limited to npm only (v5 cached for all managers);
always-authinput removed- actions/dependency-review-action v5: Verify compatibility with current usage
- stefanzweifel/git-auto-commit-action v7.1: Verify compatibility with current usage
Ensure runner versions on self-hosted infrastructure meet minimum requirements before merging.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@action-templates/actions/action-npm-build/action.yml` at line 1, Update the incorrect pinned SHA for github/codeql-action v4.35.4 from 68bde559dea0fdcac2102bfdf6230c5f70eb485e to the correct SHA 3ce22a6e336a7fcc318bc58ae1986395bdc83ba7 in the action YAML (refer to the name: "Npm build" and the github/codeql-action v4.35.4 reference), and then review and adjust workflows for breaking changes introduced by the major version upgrades listed (actions/upload-artifact v7, peter-evans/create-pull-request v8, github/codeql-action v4, actions/checkout v6, actions/setup-node v6, actions/dependency-review-action v5, stefanzweifel/git-auto-commit-action v7.1) ensuring self-hosted runners meet the minimum runner versions and any changed inputs/behaviors (archive param, Node 24 runtime, credential storage, caching/always-auth) are handled before merging.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@action-templates/actions/action-build-image/action.yml`:
- Line 39: The updated action pins (actions/checkout@v6.0.2,
actions/download-artifact@v8.0.1, docker/login-action@v4.1.0,
docker/metadata-action@v6.0.0, docker/build-push-action@v7.1.0) require GitHub
Actions Runner v2.327.1+ (Node 24); update documentation and deployment checks
to require that runner version before merging. Add a clear note to the action's
metadata/README and your release/PR checklist stating "Requires runner v2.327.1
or later", and update any self-hosted runner upgrade instructions or CI workflow
configuration to use GitHub-hosted runners that meet v2.327.1+ (or
verify/upgrade self-hosted runners) so the new uses entries (actions/checkout,
actions/download-artifact, docker/* actions) will run correctly.
---
Outside diff comments:
In `@action-templates/actions/action-npm-build/action.yml`:
- Line 1: Update the incorrect pinned SHA for github/codeql-action v4.35.4 from
68bde559dea0fdcac2102bfdf6230c5f70eb485e to the correct SHA
3ce22a6e336a7fcc318bc58ae1986395bdc83ba7 in the action YAML (refer to the name:
"Npm build" and the github/codeql-action v4.35.4 reference), and then review and
adjust workflows for breaking changes introduced by the major version upgrades
listed (actions/upload-artifact v7, peter-evans/create-pull-request v8,
github/codeql-action v4, actions/checkout v6, actions/setup-node v6,
actions/dependency-review-action v5, stefanzweifel/git-auto-commit-action v7.1)
ensuring self-hosted runners meet the minimum runner versions and any changed
inputs/behaviors (archive param, Node 24 runtime, credential storage,
caching/always-auth) are handled before merging.
In `@action-templates/actions/action-trivy/action.yml`:
- Line 50: The GitHub Action reference "github/codeql-action/upload-sarif@v4"
should be pinned to a specific commit SHA for consistency with other actions;
replace the tag "@v4" with the corresponding commit SHA for the upload-sarif
action (the same pattern used for other actions in this file) and verify the SHA
matches the intended release; update the uses entry for
"github/codeql-action/upload-sarif" so it references the exact commit SHA rather
than the floating tag.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: ad6f8f22-d932-4b94-accd-2b9398399f0e
📒 Files selected for processing (22)
.github/workflows/action-reviewdog.yml.github/workflows/action-superlint.yml.github/workflows/dependency_review.yaml.github/workflows/release-actions.yml.github/workflows/test-action-npm-build.yml.github/workflows/test-action-npm-release.ymlaction-templates/actions/action-actionlint/action.ymlaction-templates/actions/action-build-docs/action.ymlaction-templates/actions/action-build-image/action.ymlaction-templates/actions/action-checkout/action.ymlaction-templates/actions/action-codeql/action.ymlaction-templates/actions/action-create-github-release/action.ymlaction-templates/actions/action-dependency-review/action.ymlaction-templates/actions/action-deploy-docs/action.ymlaction-templates/actions/action-dockercompose-healthcheck/action.ymlaction-templates/actions/action-filter/action.ymlaction-templates/actions/action-maven-build/action.ymlaction-templates/actions/action-maven-release/action.ymlaction-templates/actions/action-npm-build/action.ymlaction-templates/actions/action-npm-release/action.ymlaction-templates/actions/action-pr-labeler/action.ymlaction-templates/actions/action-trivy/action.yml
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Verify that each pinned SHA corresponds to the claimed version tag
echo "Checking actions/checkout v6.0.2 → de0fac2e4500dabe0009e67214ff5f5447ce83dd"
gh api repos/actions/checkout/git/ref/tags/v6.0.2 --jq '.object.sha' | grep -q 'de0fac2e4500dabe0009e67214ff5f5447ce83dd' && echo "✓ actions/checkout SHA verified" || echo "✗ actions/checkout SHA mismatch"
echo "Checking actions/download-artifact v8.0.1 → 3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c"
gh api repos/actions/download-artifact/git/ref/tags/v8.0.1 --jq '.object.sha' | grep -q '3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c' && echo "✓ actions/download-artifact SHA verified" || echo "✗ actions/download-artifact SHA mismatch"
echo "Checking docker/login-action v4.1.0 → 4907a6ddec9925e35a0a9e82d7399ccc52663121"
gh api repos/docker/login-action/git/ref/tags/v4.1.0 --jq '.object.sha' | grep -q '4907a6ddec9925e35a0a9e82d7399ccc52663121' && echo "✓ docker/login-action SHA verified" || echo "✗ docker/login-action SHA mismatch"
echo "Checking docker/metadata-action v6.0.0 → 030e881283bb7a6894de51c315a6bfe6a94e05cf"
gh api repos/docker/metadata-action/git/ref/tags/v6.0.0 --jq '.object.sha' | grep -q '030e881283bb7a6894de51c315a6bfe6a94e05cf' && echo "✓ docker/metadata-action SHA verified" || echo "✗ docker/metadata-action SHA mismatch"
echo "Checking docker/build-push-action v7.1.0 → bcafcacb16a39f128d818304e6c9c0c18556b85f"
gh api repos/docker/build-push-action/git/ref/tags/v7.1.0 --jq '.object.sha' | grep -q 'bcafcacb16a39f128d818304e6c9c0c18556b85f' && echo "✓ docker/build-push-action SHA verified" || echo "✗ docker/build-push-action SHA mismatch"Repository: it-at-m/lhm_actions
Length of output: 655
🌐 Web query:
actions/checkout v6 breaking changes
💡 Result:
actions/checkout v6 breaking-change summary (from official repo docs/changelog): 1) persist-credentials storage location change (behavioral breaking for some environments) - In v6.0.0, persist-credentials was changed to store the credentials in a separate file under $RUNNER_TEMP instead of writing them directly into the local .git/config [1][2]. - Because the credentials are no longer read from .git/config, authenticated git commands from Docker container actions require a minimum Actions Runner version of v2.329.0 (or later) so the container can access the persisted credentials in their new location [1][2]. - For most workflows, this is not expected to require workflow changes: the v6 “What’s new” text states that no workflow changes are required and that git fetch, git push, etc. continue to work automatically [2]. 2) Version/runtime-related notes included with v6 - The v6.0.0 release notes also mention updating the README for Node.js 24 support requirements/details [1]. 3) Related v6 follow-up fixes (not “breaking” but notable) - v6.0.2 includes a fix for tag handling (preserve annotations and explicit fetch-tags) [3][4]. Practical guidance when upgrading from v5 to v6 - If you use persist-credentials: true and especially if you run authenticated git commands inside Docker container actions, ensure your Actions Runner is at least v2.329.0 [2]. - Otherwise, the official docs indicate you should not need to change your workflow steps for typical git fetch/push usage [2].
Citations:
- 1: https://github.com/actions/checkout/blob/v6.0.1/CHANGELOG.md
- 2: https://github.com/actions/checkout
- 3: actions/checkout@v6.0.0...v6.0.2
- 4: https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md
🌐 Web query:
docker/login-action v4 breaking changes
💡 Result:
Main docker/login-action v4 breaking-change: the action now runs on Node.js 24 by default, not Node.js 20. What changed from v3 → v4 (and why it can break CI) 1) Runtime requirement: Node 24 default runtime - v4.0.0 states “Node 24 as default runtime (requires Actions Runner v2.327.1 or later)”[1]. - The PR implementing this changed action.yml from using: 'node20' to using: 'node24'[2]. Impact: if your GitHub Actions runner is older than the stated minimum, or you rely on Node 20-specific behavior, upgrading docker/login-action@v3 to @v4 can fail or behave differently. 2) Module system / build change: switch to ESM - v4.0.0 also notes “Switch to ESM and update config/test wiring”[1]. Impact: this is usually internal to the action, but it’s still a fundamental implementation change that’s worth treating as “breaking” for any unusual wrapper/consumption patterns. Other v4.x updates (not clearly “breaking”) - v4.1.0 is listed as a set of fixes and dependency bumps (e.g., “Fix scoped Docker Hub cleanup path when registry is omitted”)[3], but the release notes provided do not describe additional breaking interface changes beyond what’s already in v4.0.0. Practical migration guidance - Ensure your GitHub-hosted runner or self-hosted runner meets “Actions Runner v2.327.1 or later” before using docker/login-action@v4[1]. - If you have pinned or customized runner/container images that depend on Node 20, update them for Node 24 compatibility. - Otherwise, the typical workflow-level change is just updating uses: docker/login-action@v3 → uses: docker/login-action@v4[4].
Citations:
- 1: https://github.com/docker/login-action/releases/tag/v4.0.0
- 2: docker/login-action@176cb9c
- 3: https://github.com/docker/login-action/releases/tag/v4.1.0
- 4: docker/login-action@v3...v4
🌐 Web query:
docker/metadata-action v6 breaking changes
💡 Result:
docker/metadata-action v6 breaking changes (v6.0.0 released 2026-03-05) 1) Node.js runtime default: Node 24 v6.0.0 makes Node 24 the default runtime and requires GitHub Actions Runner v2.327.1 or later [1][2]. Impact: if your org/pipeline pins or assumes Node 20 behavior, you may need to update affected runner/action configuration so the workflow runs under the newer runtime. 2) ESM migration v6.0.0 includes a switch to ESM (“Switch to ESM and update config/test wiring”) [1][2]. Related notes also indicate ESM-only behavior for @actions/github (CommonJS consumers must use dynamic import) [3]. Impact: this is mainly internal for end users of the GitHub Action; it matters if you embed/require the action’s JS as a library in custom Node code. 3) Parsing behavior change for “list inputs” containing # v6.0.0 changes list input parsing to preserve # inside values while still supporting full-line # comments [1][2]. Impact: if you previously used # in a way that depended on it being treated as comment delimiters even when inside values, your tags/labels rules can change. Other changes in v6.0.0 (mostly dependency bumps) The release notes also list several dependency bumps (lodash, @actions/core, @actions/github, @docker/actions-toolkit, semver, etc.) [1][2].
Citations:
- 1: https://github.com/docker/metadata-action/releases/tag/v6.0.0
- 2: https://github.com/docker/metadata-action/releases
- 3: chore(deps): Bump @actions/github from 6.0.1 to 9.0.0 docker/metadata-action#597
🌐 Web query:
docker/build-push-action v7 breaking changes
💡 Result:
The docker/build-push-action v7.0.0 (released 2026-03-05) introduces several changes that could be breaking depending on usage[1][2][3]. Key breaking changes include: - Node 24 as the default runtime, requiring GitHub Actions Runner version v2.327.1 or later[1][2]. - Removal of deprecated environment variables DOCKER_BUILD_NO_SUMMARY and DOCKER_BUILD_EXPORT_RETENTION_DAYS[1][3]. - Complete removal of legacy export-build tool support for build summary (previously controllable via DOCKER_BUILD_EXPORT_LEGACY, now removed from docs)[1][3][4]. - Switch to ESM (ECMAScript Modules) and internal config/test updates[1]. - Major dependency bumps: @actions/core to 3.0.0 (potential API changes), @docker/actions-toolkit to 0.79.0[1]. No explicit migration guide found in official docs, but full changelog available at docker/build-push-action@v6.19.2...v7.0.0[1][3]. Workflows using removed env vars or old runners will fail. Later patch v7.1.0 (2026-04-10) adds no further breaking changes[5].
Citations:
- 1: https://github.com/docker/build-push-action/releases/tag/v7.0.0
- 2: https://github.com/docker/build-push-action/releases
- 3: docker/build-push-action@v6.19.2...v7.0.0
- 4: remove legacy export-build tool support docker/build-push-action#1474
- 5: https://github.com/docker/build-push-action/releases/tag/v7.1.0
🏁 Script executed:
cat -n action-templates/actions/action-build-image/action.ymlRepository: it-at-m/lhm_actions
Length of output: 2852
Update requires GitHub Actions Runner version v2.327.1 or later.
All five updated actions (actions/checkout v6.0.2, actions/download-artifact v8.0.1, docker/login-action v4.1.0, docker/metadata-action v6.0.0, docker/build-push-action v7.1.0) mandate Node 24 as the default runtime and require GitHub Actions Runner v2.327.1 or later to function. The pinned SHAs are correct and verified against their respective version tags. Ensure your GitHub-hosted and self-hosted runners meet this minimum version requirement before deploying these updates.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@action-templates/actions/action-build-image/action.yml` at line 39, The
updated action pins (actions/checkout@v6.0.2, actions/download-artifact@v8.0.1,
docker/login-action@v4.1.0, docker/metadata-action@v6.0.0,
docker/build-push-action@v7.1.0) require GitHub Actions Runner v2.327.1+ (Node
24); update documentation and deployment checks to require that runner version
before merging. Add a clear note to the action's metadata/README and your
release/PR checklist stating "Requires runner v2.327.1 or later", and update any
self-hosted runner upgrade instructions or CI workflow configuration to use
GitHub-hosted runners that meet v2.327.1+ (or verify/upgrade self-hosted
runners) so the new uses entries (actions/checkout, actions/download-artifact,
docker/* actions) will run correctly.
|
Pull Request
Changes
Reference
Relates to #XXX
Testing
URL to pull request or branch for testing your changes in sps-repo : ...
Checklist
Note: If some checklist items are not relevant for your PR, just remove them.
General
Code
Summary by CodeRabbit