Skip to content

fix: update diverse actions#265

Closed
hupling wants to merge 18 commits into
mainfrom
dev
Closed

fix: update diverse actions#265
hupling wants to merge 18 commits into
mainfrom
dev

Conversation

@hupling

@hupling hupling commented May 12, 2026

Copy link
Copy Markdown
Contributor

Pull Request

Changes

  • ...
  • ...

Reference

Relates to #XXX

Testing

URL to pull request or branch for testing your changes in sps-repo : ...

Checklist

Note: If some checklist items are not relevant for your PR, just remove them.

General

  • Met all acceptance criteria of the issue
  • Added meaningful PR title and list of changes in the description
  • Documented changes in documentation files (docs/action.md, docs/workflows.md and/or docs/deployment.md)
  • Tested changes with sample project https://github.com/it-at-m/sps

Code

  • Wrote code and comments in English
  • Coming soon: Added unit tests

Summary by CodeRabbit

  • Chores
    • Updated continuous integration and deployment pipeline tooling, including GitHub Actions and build automation dependencies, to current versions across all project workflows and action templates.

Review Change Stack

renovate Bot and others added 18 commits May 12, 2026 07:11
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[softprops/action-gh-release](https://redirect.github.com/softprops/action-gh-release)
| action | major | `v2.6.2` → `v3.0.0` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/softprops/action-gh-release/badge)](https://securityscorecards.dev/viewer/?uri=github.com/softprops/action-gh-release)
|

---

### Release Notes

<details>
<summary>softprops/action-gh-release
(softprops/action-gh-release)</summary>

###
[`v3.0.0`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v3.0.0)

[Compare
Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.6.2...v3.0.0)

`3.0.0` is a major release that moves the action runtime from Node 20 to
Node 24.
Use `v3` on GitHub-hosted runners and self-hosted fleets that already
support the
Node 24 Actions runtime. If you still need the last Node 20-compatible
line, stay on
`v2.6.2`.

#### What's Changed

##### Other Changes 🔄

- Move the action runtime and bundle target to Node 24
- Update `@types/node` to the Node 24 line and allow future Dependabot
updates
- Keep the floating major tag on `v3`; `v2` remains pinned to the latest
`2.x` release

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [dorny/paths-filter](https://redirect.github.com/dorny/paths-filter) |
action | major | `v3.0.3` → `v4.0.1` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/dorny/paths-filter/badge)](https://securityscorecards.dev/viewer/?uri=github.com/dorny/paths-filter)
|

---

### Release Notes

<details>
<summary>dorny/paths-filter (dorny/paths-filter)</summary>

###
[`v4.0.1`](https://redirect.github.com/dorny/paths-filter/releases/tag/v4.0.1)

[Compare
Source](https://redirect.github.com/dorny/paths-filter/compare/v4...v4.0.1)

#### What's Changed

- Support merge queue by
[@&#8203;masaru-iritani](https://redirect.github.com/masaru-iritani) in
[#&#8203;255](https://redirect.github.com/dorny/paths-filter/pull/255)

#### New Contributors

- [@&#8203;masaru-iritani](https://redirect.github.com/masaru-iritani)
made their first contribution in
[#&#8203;255](https://redirect.github.com/dorny/paths-filter/pull/255)

**Full Changelog**:
<dorny/paths-filter@v4.0.0...v4.0.1>

###
[`v4.0.0`](https://redirect.github.com/dorny/paths-filter/blob/HEAD/CHANGELOG.md#v400)

[Compare
Source](https://redirect.github.com/dorny/paths-filter/compare/v3.0.3...v4.0.0)

- [Update action runtime to
node24](https://redirect.github.com/dorny/paths-filter/pull/294)

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[docker/metadata-action](https://redirect.github.com/docker/metadata-action)
| action | major | `v5.10.0` → `v6.0.0` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/docker/metadata-action/badge)](https://securityscorecards.dev/viewer/?uri=github.com/docker/metadata-action)
|

---

### Release Notes

<details>
<summary>docker/metadata-action (docker/metadata-action)</summary>

###
[`v6.0.0`](https://redirect.github.com/docker/metadata-action/releases/tag/v6.0.0)

[Compare
Source](https://redirect.github.com/docker/metadata-action/compare/v5.10.0...v6.0.0)

- Node 24 as default runtime (requires [Actions Runner
v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)
or later) by [@&#8203;crazy-max](https://redirect.github.com/crazy-max)
in
[#&#8203;605](https://redirect.github.com/docker/metadata-action/pull/605)
- List inputs now preserve `#` inside values while still supporting
full-line `#` comments by
[@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;607](https://redirect.github.com/docker/metadata-action/pull/607)
- Switch to ESM and update config/test wiring by
[@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;602](https://redirect.github.com/docker/metadata-action/pull/602)
- Bump lodash from 4.17.21 to 4.17.23 in
[#&#8203;588](https://redirect.github.com/docker/metadata-action/pull/588)
- Bump [@&#8203;actions/core](https://redirect.github.com/actions/core)
from 1.11.1 to 3.0.0 in
[#&#8203;599](https://redirect.github.com/docker/metadata-action/pull/599)
- Bump
[@&#8203;actions/github](https://redirect.github.com/actions/github)
from 6.0.1 to 9.0.0 in
[#&#8203;597](https://redirect.github.com/docker/metadata-action/pull/597)
- Bump
[@&#8203;docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit)
from 0.68.0 to 0.79.0 in
[#&#8203;604](https://redirect.github.com/docker/metadata-action/pull/604)
- Bump
[@&#8203;isaacs/brace-expansion](https://redirect.github.com/isaacs/brace-expansion)
from 5.0.0 to 5.0.1 in
[#&#8203;600](https://redirect.github.com/docker/metadata-action/pull/600)
- Bump semver from 7.7.3 to 7.7.4 in
[#&#8203;603](https://redirect.github.com/docker/metadata-action/pull/603)

**Full Changelog**:
<docker/metadata-action@v5.10.0...v6.0.0>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [docker/login-action](https://redirect.github.com/docker/login-action)
| action | major | `v3.7.0` → `v4.1.0` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/docker/login-action/badge)](https://securityscorecards.dev/viewer/?uri=github.com/docker/login-action)
|

---

### Release Notes

<details>
<summary>docker/login-action (docker/login-action)</summary>

###
[`v4.1.0`](https://redirect.github.com/docker/login-action/releases/tag/v4.1.0)

[Compare
Source](https://redirect.github.com/docker/login-action/compare/v4...v4.1.0)

- Fix scoped Docker Hub cleanup path when registry is omitted by
[@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;945](https://redirect.github.com/docker/login-action/pull/945)
- Bump
[@&#8203;aws-sdk/client-ecr](https://redirect.github.com/aws-sdk/client-ecr)
and
[@&#8203;aws-sdk/client-ecr-public](https://redirect.github.com/aws-sdk/client-ecr-public)
to 3.1020.0 in
[#&#8203;930](https://redirect.github.com/docker/login-action/pull/930)
- Bump
[@&#8203;docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit)
from 0.77.0 to 0.86.0 in
[#&#8203;932](https://redirect.github.com/docker/login-action/pull/932)
[#&#8203;936](https://redirect.github.com/docker/login-action/pull/936)
- Bump brace-expansion from 1.1.12 to 1.1.13 in
[#&#8203;952](https://redirect.github.com/docker/login-action/pull/952)
- Bump fast-xml-parser from 5.3.4 to 5.3.6 in
[#&#8203;942](https://redirect.github.com/docker/login-action/pull/942)
- Bump flatted from 3.3.3 to 3.4.2 in
[#&#8203;944](https://redirect.github.com/docker/login-action/pull/944)
- Bump glob from 10.3.12 to 10.5.0 in
[#&#8203;940](https://redirect.github.com/docker/login-action/pull/940)
- Bump handlebars from 4.7.8 to 4.7.9 in
[#&#8203;949](https://redirect.github.com/docker/login-action/pull/949)
- Bump http-proxy-agent and https-proxy-agent to 8.0.0 in
[#&#8203;937](https://redirect.github.com/docker/login-action/pull/937)
- Bump lodash from 4.17.23 to 4.18.1 in
[#&#8203;958](https://redirect.github.com/docker/login-action/pull/958)
- Bump minimatch from 3.1.2 to 3.1.5 in
[#&#8203;941](https://redirect.github.com/docker/login-action/pull/941)
- Bump picomatch from 4.0.3 to 4.0.4 in
[#&#8203;948](https://redirect.github.com/docker/login-action/pull/948)
- Bump undici from 6.23.0 to 6.24.1 in
[#&#8203;938](https://redirect.github.com/docker/login-action/pull/938)

**Full Changelog**:
<docker/login-action@v4.0.0...v4.1.0>

###
[`v4.0.0`](https://redirect.github.com/docker/login-action/releases/tag/v4.0.0)

[Compare
Source](https://redirect.github.com/docker/login-action/compare/v3.7.0...v4)

- Node 24 as default runtime (requires [Actions Runner
v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)
or later) by [@&#8203;crazy-max](https://redirect.github.com/crazy-max)
in
[#&#8203;929](https://redirect.github.com/docker/login-action/pull/929)
- Switch to ESM and update config/test wiring by
[@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;927](https://redirect.github.com/docker/login-action/pull/927)
- Bump [@&#8203;actions/core](https://redirect.github.com/actions/core)
from 1.11.1 to 3.0.0 in
[#&#8203;919](https://redirect.github.com/docker/login-action/pull/919)
- Bump
[@&#8203;aws-sdk/client-ecr](https://redirect.github.com/aws-sdk/client-ecr)
from 3.890.0 to 3.1000.0 in
[#&#8203;909](https://redirect.github.com/docker/login-action/pull/909)
[#&#8203;920](https://redirect.github.com/docker/login-action/pull/920)
- Bump
[@&#8203;aws-sdk/client-ecr-public](https://redirect.github.com/aws-sdk/client-ecr-public)
from 3.890.0 to 3.1000.0 in
[#&#8203;909](https://redirect.github.com/docker/login-action/pull/909)
[#&#8203;920](https://redirect.github.com/docker/login-action/pull/920)
- Bump
[@&#8203;docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit)
from 0.63.0 to 0.77.0 in
[#&#8203;910](https://redirect.github.com/docker/login-action/pull/910)
[#&#8203;928](https://redirect.github.com/docker/login-action/pull/928)
- Bump
[@&#8203;isaacs/brace-expansion](https://redirect.github.com/isaacs/brace-expansion)
from 5.0.0 to 5.0.1 in
[#&#8203;921](https://redirect.github.com/docker/login-action/pull/921)
- Bump js-yaml from 4.1.0 to 4.1.1 in
[#&#8203;901](https://redirect.github.com/docker/login-action/pull/901)

**Full Changelog**:
<docker/login-action@v3.7.0...v4.0.0>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[docker/build-push-action](https://redirect.github.com/docker/build-push-action)
| action | major | `v6.19.2` → `v7.1.0` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/docker/build-push-action/badge)](https://securityscorecards.dev/viewer/?uri=github.com/docker/build-push-action)
|

---

### Release Notes

<details>
<summary>docker/build-push-action (docker/build-push-action)</summary>

###
[`v7.1.0`](https://redirect.github.com/docker/build-push-action/releases/tag/v7.1.0)

[Compare
Source](https://redirect.github.com/docker/build-push-action/compare/v7...v7.1.0)

- Git context [query
format](https://docs.docker.com/build/concepts/context/#url-queries)
support by [@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;1505](https://redirect.github.com/docker/build-push-action/pull/1505)
- Bump
[@&#8203;docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit)
from 0.79.0 to 0.87.0 by
[@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;1505](https://redirect.github.com/docker/build-push-action/pull/1505)
- Bump brace-expansion from 1.1.12 to 1.1.13 in
[#&#8203;1500](https://redirect.github.com/docker/build-push-action/pull/1500)
- Bump fast-xml-parser from 5.4.2 to 5.5.7 in
[#&#8203;1489](https://redirect.github.com/docker/build-push-action/pull/1489)
- Bump flatted from 3.3.3 to 3.4.2 in
[#&#8203;1491](https://redirect.github.com/docker/build-push-action/pull/1491)
- Bump glob from 10.3.12 to 10.5.0 in
[#&#8203;1490](https://redirect.github.com/docker/build-push-action/pull/1490)
- Bump handlebars from 4.7.8 to 4.7.9 in
[#&#8203;1497](https://redirect.github.com/docker/build-push-action/pull/1497)
- Bump lodash from 4.17.23 to 4.18.1 in
[#&#8203;1510](https://redirect.github.com/docker/build-push-action/pull/1510)
- Bump picomatch from 4.0.3 to 4.0.4 in
[#&#8203;1496](https://redirect.github.com/docker/build-push-action/pull/1496)
- Bump undici from 6.23.0 to 6.24.1 in
[#&#8203;1486](https://redirect.github.com/docker/build-push-action/pull/1486)
- Bump vite from 7.3.1 to 7.3.2 in
[#&#8203;1509](https://redirect.github.com/docker/build-push-action/pull/1509)

**Full Changelog**:
<docker/build-push-action@v7.0.0...v7.1.0>

###
[`v7.0.0`](https://redirect.github.com/docker/build-push-action/releases/tag/v7.0.0)

[Compare
Source](https://redirect.github.com/docker/build-push-action/compare/v6.19.2...v7)

- Node 24 as default runtime (requires [Actions Runner
v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)
or later) by [@&#8203;crazy-max](https://redirect.github.com/crazy-max)
in
[#&#8203;1470](https://redirect.github.com/docker/build-push-action/pull/1470)
- Remove deprecated `DOCKER_BUILD_NO_SUMMARY` and
`DOCKER_BUILD_EXPORT_RETENTION_DAYS` envs by
[@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;1473](https://redirect.github.com/docker/build-push-action/pull/1473)
- Remove legacy export-build tool support for build summary by
[@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;1474](https://redirect.github.com/docker/build-push-action/pull/1474)
- Switch to ESM and update config/test wiring by
[@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;1466](https://redirect.github.com/docker/build-push-action/pull/1466)
- Bump [@&#8203;actions/core](https://redirect.github.com/actions/core)
from 1.11.1 to 3.0.0 in
[#&#8203;1454](https://redirect.github.com/docker/build-push-action/pull/1454)
- Bump
[@&#8203;docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit)
from 0.62.1 to 0.79.0 in
[#&#8203;1453](https://redirect.github.com/docker/build-push-action/pull/1453)
[#&#8203;1472](https://redirect.github.com/docker/build-push-action/pull/1472)
[#&#8203;1479](https://redirect.github.com/docker/build-push-action/pull/1479)
- Bump minimatch from 3.1.2 to 3.1.5 in
[#&#8203;1463](https://redirect.github.com/docker/build-push-action/pull/1463)

**Full Changelog**:
<docker/build-push-action@v6.19.2...v7.0.0>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[actions/upload-pages-artifact](https://redirect.github.com/actions/upload-pages-artifact)
| action | major | `v4.0.0` → `v5.0.0` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/upload-pages-artifact/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/upload-pages-artifact)
|

---

### Release Notes

<details>
<summary>actions/upload-pages-artifact
(actions/upload-pages-artifact)</summary>

###
[`v5.0.0`](https://redirect.github.com/actions/upload-pages-artifact/releases/tag/v5.0.0)

[Compare
Source](https://redirect.github.com/actions/upload-pages-artifact/compare/v4.0.0...v5.0.0)

### Changelog

- Update upload-artifact action to version 7
[@&#8203;Tom-van-Woudenberg](https://redirect.github.com/Tom-van-Woudenberg)
([#&#8203;139](https://redirect.github.com/actions/upload-pages-artifact/issues/139))
- feat: add `include-hidden-files` input
[@&#8203;jonchurch](https://redirect.github.com/jonchurch)
([#&#8203;137](https://redirect.github.com/actions/upload-pages-artifact/issues/137))

See details of [all code
changes](https://redirect.github.com/actions/upload-pages-artifact/compare/v4.0.0...v4.0.1)
since previous release.

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[actions/download-artifact](https://redirect.github.com/actions/download-artifact)
| action | major | `v5.0.0` → `v8.0.1` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/download-artifact/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/download-artifact)
|

---

### Release Notes

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v8.0.1`](https://redirect.github.com/actions/download-artifact/releases/tag/v8.0.1)

[Compare
Source](https://redirect.github.com/actions/download-artifact/compare/v8...v8.0.1)

##### What's Changed

- Support for CJK characters in the artifact name by
[@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) in
[#&#8203;471](https://redirect.github.com/actions/download-artifact/pull/471)
- Add a regression test for artifact name + content-type mismatches by
[@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) in
[#&#8203;472](https://redirect.github.com/actions/download-artifact/pull/472)

**Full Changelog**:
<actions/download-artifact@v8...v8.0.1>

###
[`v8.0.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v8.0.0)

[Compare
Source](https://redirect.github.com/actions/download-artifact/compare/v7.0.0...v8)

##### v8 - What's new

##### Direct downloads

To support direct uploads in `actions/upload-artifact`, the action will
no longer attempt to unzip all downloaded files. Instead, the action
checks the `Content-Type` header ahead of unzipping and skips non-zipped
files. Callers wishing to download a zipped file as-is can also set the
new `skip-decompress` parameter to `false`.

##### Enforced checks (breaking)

A previous release introduced digest checks on the download. If a
download hash didn't match the expected hash from the server, the action
would log a warning. Callers can now configure the behavior on mismatch
with the `digest-mismatch` parameter. To be secure by default, we are
now defaulting the behavior to `error` which will fail the workflow run.

##### ESM

To support new versions of the @&#8203;actions/\* packages, we've
upgraded the package to ESM.

##### What's Changed

- Don't attempt to un-zip non-zipped downloads by
[@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) in
[#&#8203;460](https://redirect.github.com/actions/download-artifact/pull/460)
- Add a setting to specify what to do on hash mismatch and default it to
`error` by
[@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) in
[#&#8203;461](https://redirect.github.com/actions/download-artifact/pull/461)

**Full Changelog**:
<actions/download-artifact@v7...v8.0.0>

###
[`v7.0.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v7.0.0)

[Compare
Source](https://redirect.github.com/actions/download-artifact/compare/v6.0.0...v7.0.0)

##### v7 - What's new

> \[!IMPORTANT]
> actions/download-artifact\@&#8203;v7 now runs on Node.js 24
(`runs.using: node24`) and requires a minimum Actions Runner version of
2.327.1. If you are using self-hosted runners, ensure they are updated
before upgrading.

##### Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary
support for Node 24, however this action was by default still running on
Node.js 20. Now this action by default will run on Node.js 24.

##### What's Changed

- Update GHES guidance to include reference to Node 20 version by
[@&#8203;patrikpolyak](https://redirect.github.com/patrikpolyak) in
[#&#8203;440](https://redirect.github.com/actions/download-artifact/pull/440)
- Download Artifact Node24 support by
[@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in
[#&#8203;415](https://redirect.github.com/actions/download-artifact/pull/415)
- fix: update
[@&#8203;actions/artifact](https://redirect.github.com/actions/artifact)
to fix Node.js 24 punycode deprecation by
[@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in
[#&#8203;451](https://redirect.github.com/actions/download-artifact/pull/451)
- prepare release v7.0.0 for Node.js 24 support by
[@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in
[#&#8203;452](https://redirect.github.com/actions/download-artifact/pull/452)

##### New Contributors

- [@&#8203;patrikpolyak](https://redirect.github.com/patrikpolyak) made
their first contribution in
[#&#8203;440](https://redirect.github.com/actions/download-artifact/pull/440)
- [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) made their
first contribution in
[#&#8203;415](https://redirect.github.com/actions/download-artifact/pull/415)

**Full Changelog**:
<actions/download-artifact@v6.0.0...v7.0.0>

###
[`v6.0.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v6.0.0)

[Compare
Source](https://redirect.github.com/actions/download-artifact/compare/v5.0.0...v6.0.0)

#### What's Changed

**BREAKING CHANGE:** this update supports Node `v24.x`. This is not a
breaking change per-se but we're treating it as such.

- Update README for download-artifact v5 changes by
[@&#8203;yacaovsnc](https://redirect.github.com/yacaovsnc) in
[#&#8203;417](https://redirect.github.com/actions/download-artifact/pull/417)
- Update README with artifact extraction details by
[@&#8203;yacaovsnc](https://redirect.github.com/yacaovsnc) in
[#&#8203;424](https://redirect.github.com/actions/download-artifact/pull/424)
- Readme: spell out the first use of GHES by
[@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) in
[#&#8203;431](https://redirect.github.com/actions/download-artifact/pull/431)
- Bump `@actions/artifact` to `v4.0.0`
- Prepare `v6.0.0` by
[@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) in
[#&#8203;438](https://redirect.github.com/actions/download-artifact/pull/438)

#### New Contributors

- [@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) made
their first contribution in
[#&#8203;431](https://redirect.github.com/actions/download-artifact/pull/431)

**Full Changelog**:
<actions/download-artifact@v5...v6.0.0>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[actions/deploy-pages](https://redirect.github.com/actions/deploy-pages)
| action | major | `v4.0.5` → `v5.0.0` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/deploy-pages/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/deploy-pages)
|

---

### Release Notes

<details>
<summary>actions/deploy-pages (actions/deploy-pages)</summary>

###
[`v5.0.0`](https://redirect.github.com/actions/deploy-pages/releases/tag/v5.0.0)

[Compare
Source](https://redirect.github.com/actions/deploy-pages/compare/v4.0.5...v5.0.0)

### Changelog

- Update Node.js version to 24.x
[@&#8203;salmanmkc](https://redirect.github.com/salmanmkc)
([#&#8203;404](https://redirect.github.com/actions/deploy-pages/issues/404))
- Add workflow file for publishing releases to immutable action package
[@&#8203;Jcambass](https://redirect.github.com/Jcambass)
([#&#8203;374](https://redirect.github.com/actions/deploy-pages/issues/374))
- Bump braces from 3.0.2 to 3.0.3 in the npm\_and\_yarn group across 1
directory [@&#8203;dependabot](https://redirect.github.com/dependabot)
([#&#8203;360](https://redirect.github.com/actions/deploy-pages/issues/360))
- Make the rebuild dist workflow work nicer with Dependabot
[@&#8203;yoannchaudet](https://redirect.github.com/yoannchaudet)
([#&#8203;361](https://redirect.github.com/actions/deploy-pages/issues/361))
- Bump the non-breaking-changes group across 1 directory with 3 updates
[@&#8203;dependabot](https://redirect.github.com/dependabot)
([#&#8203;358](https://redirect.github.com/actions/deploy-pages/issues/358))
- Delete repeated sentence
[@&#8203;garethsb](https://redirect.github.com/garethsb)
([#&#8203;359](https://redirect.github.com/actions/deploy-pages/issues/359))
- Update README.md
[@&#8203;tsusdere](https://redirect.github.com/tsusdere)
([#&#8203;348](https://redirect.github.com/actions/deploy-pages/issues/348))
- Bump the non-breaking-changes group with 4 updates
[@&#8203;dependabot](https://redirect.github.com/dependabot)
([#&#8203;341](https://redirect.github.com/actions/deploy-pages/issues/341))
- Remove error message for file permissions
[@&#8203;TooManyBees](https://redirect.github.com/TooManyBees)
([#&#8203;340](https://redirect.github.com/actions/deploy-pages/issues/340))

***

See details of [all code
changes](https://redirect.github.com/actions/deploy-pages/compare/v4.0.5...v4.0.6)
since previous release.

:warning: For use with products other than GitHub.com, such as GitHub
Enterprise Server, please consult the [compatibility
table](https://redirect.github.com/actions/deploy-pages/#compatibility).

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[actions/dependency-review-action](https://redirect.github.com/actions/dependency-review-action)
| action | major | `v4.9.0` → `v5.0.0` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/dependency-review-action/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/dependency-review-action)
|

---

### Release Notes

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v5.0.0`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v5.0.0):
5.0.0

[Compare
Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.9.0...v5.0.0)

This is a new major version of the Dependency Review Action which
updates the runtime to node24. This requires a minimum Actions Runner
version
[v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)
to run.

#### What's Changed

- Add .github/copilot-instructions.md for Copilot coding agent by
[@&#8203;ahpook](https://redirect.github.com/ahpook) in
[#&#8203;1067](https://redirect.github.com/actions/dependency-review-action/pull/1067)
- Update Node.js runtime from 20 to 24 by
[@&#8203;scottschreckengaust](https://redirect.github.com/scottschreckengaust)
in
[#&#8203;1084](https://redirect.github.com/actions/dependency-review-action/pull/1084)
- Bump spdx-license-ids from 3.0.20 to 3.0.23 by
[@&#8203;mongolyy](https://redirect.github.com/mongolyy) in
[#&#8203;1091](https://redirect.github.com/actions/dependency-review-action/pull/1091)
- docs: bump actions/checkout from v4 to v6 in workflow examples by
[@&#8203;Marukome0743](https://redirect.github.com/Marukome0743) in
[#&#8203;1077](https://redirect.github.com/actions/dependency-review-action/pull/1077)
- fix: patched version display for advisories with non-strict semver
ranges (e.g. Maven beta versions) by
[@&#8203;tspascoal](https://redirect.github.com/tspascoal) in
[#&#8203;1076](https://redirect.github.com/actions/dependency-review-action/pull/1076)
- Resolve security findings by
[@&#8203;AshelyTC](https://redirect.github.com/AshelyTC) in
[#&#8203;1094](https://redirect.github.com/actions/dependency-review-action/pull/1094)
- v5.0.0 release branch by
[@&#8203;ahpook](https://redirect.github.com/ahpook) in
[#&#8203;1098](https://redirect.github.com/actions/dependency-review-action/pull/1098)

#### New Contributors

-
[@&#8203;scottschreckengaust](https://redirect.github.com/scottschreckengaust)
made their first contribution in
[#&#8203;1084](https://redirect.github.com/actions/dependency-review-action/pull/1084)
- [@&#8203;mongolyy](https://redirect.github.com/mongolyy) made their
first contribution in
[#&#8203;1091](https://redirect.github.com/actions/dependency-review-action/pull/1091)
- [@&#8203;Marukome0743](https://redirect.github.com/Marukome0743) made
their first contribution in
[#&#8203;1077](https://redirect.github.com/actions/dependency-review-action/pull/1077)

**Full Changelog**:
<actions/dependency-review-action@v4.9.0...v5.0.0>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[actions/configure-pages](https://redirect.github.com/actions/configure-pages)
| action | major | `v5` → `v6.0.0` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/configure-pages/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/configure-pages)
|

---

### Release Notes

<details>
<summary>actions/configure-pages (actions/configure-pages)</summary>

###
[`v6.0.0`](https://redirect.github.com/actions/configure-pages/releases/tag/v6.0.0)

[Compare
Source](https://redirect.github.com/actions/configure-pages/compare/v5.0.0...v6.0.0)

### Changelog

- upgrade to node 24
[@&#8203;salmanmkc](https://redirect.github.com/salmanmkc)
([#&#8203;186](https://redirect.github.com/actions/configure-pages/issues/186))
- Upgrade IA Publish
[@&#8203;Jcambass](https://redirect.github.com/Jcambass)
([#&#8203;165](https://redirect.github.com/actions/configure-pages/issues/165))
- Add workflow file for publishing releases to immutable action package
[@&#8203;Jcambass](https://redirect.github.com/Jcambass)
([#&#8203;163](https://redirect.github.com/actions/configure-pages/issues/163))
- pin draft release version
[@&#8203;YiMysty](https://redirect.github.com/YiMysty)
([#&#8203;162](https://redirect.github.com/actions/configure-pages/issues/162))
- Bump espree from 9.6.1 to 10.1.0
[@&#8203;dependabot](https://redirect.github.com/dependabot)
([#&#8203;160](https://redirect.github.com/actions/configure-pages/issues/160))
- Bump eslint-config-prettier from 8.8.0 to 9.1.0
[@&#8203;dependabot](https://redirect.github.com/dependabot)
([#&#8203;143](https://redirect.github.com/actions/configure-pages/issues/143))
- Be more friendly to Dependabot
[@&#8203;yoannchaudet](https://redirect.github.com/yoannchaudet)
([#&#8203;158](https://redirect.github.com/actions/configure-pages/issues/158))
- Bump eslint-plugin-github from 4.10.2 to 5.0.1
[@&#8203;dependabot](https://redirect.github.com/dependabot)
([#&#8203;154](https://redirect.github.com/actions/configure-pages/issues/154))
- Bump braces from 3.0.2 to 3.0.3 in the npm\_and\_yarn group
[@&#8203;dependabot](https://redirect.github.com/dependabot)
([#&#8203;156](https://redirect.github.com/actions/configure-pages/issues/156))
- Bump undici from 5.28.3 to 5.28.4
[@&#8203;dependabot](https://redirect.github.com/dependabot)
([#&#8203;145](https://redirect.github.com/actions/configure-pages/issues/145))

See details of [all code
changes](https://redirect.github.com/actions/configure-pages/compare/v5.0.0...v5.0.1)
since previous release.

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…#184)

This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[stefanzweifel/git-auto-commit-action](https://redirect.github.com/stefanzweifel/git-auto-commit-action)
| action | major | `v6.0.1` → `v7.1.0` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/stefanzweifel/git-auto-commit-action/badge)](https://securityscorecards.dev/viewer/?uri=github.com/stefanzweifel/git-auto-commit-action)
|

---

### Release Notes

<details>
<summary>stefanzweifel/git-auto-commit-action
(stefanzweifel/git-auto-commit-action)</summary>

###
[`v7.1.0`](https://redirect.github.com/stefanzweifel/git-auto-commit-action/blob/HEAD/CHANGELOG.md#v710---2025-12-17)

[Compare
Source](https://redirect.github.com/stefanzweifel/git-auto-commit-action/compare/v7...v7.1.0)

##### Added

- Add skip\_push input option
([#&#8203;401](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/401))
[@&#8203;kvanzuijlen](https://redirect.github.com/@&#8203;kvanzuijlen)

##### Changes

- docs: fix typo in README.md
([#&#8203;400](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/400))
[@&#8203;GideonBear](https://redirect.github.com/@&#8203;GideonBear)

##### Dependency Updates

- Bump actions/checkout from 5 to 6
([#&#8203;399](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/399))
\[@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)]\(<https://github.com/@&#8203;[dependabot[bot>]]\(<https://github.com/apps/dependabot>))
- Bump bats from 1.12.0 to 1.13.0
([#&#8203;398](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/398))
\[@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)]\(<https://github.com/@&#8203;[dependabot[bot>]]\(<https://github.com/apps/dependabot>))

###
[`v7.0.0`](https://redirect.github.com/stefanzweifel/git-auto-commit-action/blob/HEAD/CHANGELOG.md#v700---2025-10-12)

[Compare
Source](https://redirect.github.com/stefanzweifel/git-auto-commit-action/compare/v6.0.1...v7)

##### Added

- Restore skip\_fetch, skip\_checkout, create\_branch
([#&#8203;388](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/388))
[@&#8203;stefanzweifel](https://redirect.github.com/@&#8203;stefanzweifel)
- Restore Detached State Detection
([#&#8203;393](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/393))
[@&#8203;stefanzweifel](https://redirect.github.com/@&#8203;stefanzweifel)
- Add Support for Tag Messages
([#&#8203;391](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/391))
[@&#8203;EliasBoulharts](https://redirect.github.com/@&#8203;EliasBoulharts)

##### Changed

- Run Action on Node 24
([#&#8203;389](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/389))
[@&#8203;stefanzweifel](https://redirect.github.com/@&#8203;stefanzweifel)

##### Dependency Updates

- Bump actions/checkout from 4 to 5
([#&#8203;386](https://redirect.github.com/stefanzweifel/git-auto-commit-action/pull/386))
\[@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)]\(<https://github.com/@&#8203;[dependabot[bot>]]\(<https://github.com/apps/dependabot>))

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTQxLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[peter-evans/create-pull-request](https://redirect.github.com/peter-evans/create-pull-request)
| action | major | `v7.0.11` → `v8.1.1` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/peter-evans/create-pull-request/badge)](https://securityscorecards.dev/viewer/?uri=github.com/peter-evans/create-pull-request)
|

---

### Release Notes

<details>
<summary>peter-evans/create-pull-request
(peter-evans/create-pull-request)</summary>

###
[`v8.1.1`](https://redirect.github.com/peter-evans/create-pull-request/releases/tag/v8.1.1):
Create Pull Request v8.1.1

[Compare
Source](https://redirect.github.com/peter-evans/create-pull-request/compare/v8.1.0...v8.1.1)

#### What's Changed

- build(deps-dev): bump the npm group with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;4305](https://redirect.github.com/peter-evans/create-pull-request/pull/4305)
- build(deps): bump minimatch by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;4311](https://redirect.github.com/peter-evans/create-pull-request/pull/4311)
- build(deps): bump the github-actions group with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;4316](https://redirect.github.com/peter-evans/create-pull-request/pull/4316)
- build(deps): bump
[@&#8203;tootallnate/once](https://redirect.github.com/tootallnate/once)
and jest-environment-jsdom by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;4323](https://redirect.github.com/peter-evans/create-pull-request/pull/4323)
- build(deps-dev): bump undici from 6.23.0 to 6.24.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;4328](https://redirect.github.com/peter-evans/create-pull-request/pull/4328)
- build(deps-dev): bump flatted from 3.3.1 to 3.4.2 by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;4334](https://redirect.github.com/peter-evans/create-pull-request/pull/4334)
- build(deps): bump picomatch by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;4339](https://redirect.github.com/peter-evans/create-pull-request/pull/4339)
- build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;4344](https://redirect.github.com/peter-evans/create-pull-request/pull/4344)
- build(deps-dev): bump the npm group with 3 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;4349](https://redirect.github.com/peter-evans/create-pull-request/pull/4349)
- fix: retry post-creation API calls on 422 eventual consistency errors
by [@&#8203;peter-evans](https://redirect.github.com/peter-evans) in
[#&#8203;4356](https://redirect.github.com/peter-evans/create-pull-request/pull/4356)

**Full Changelog**:
<peter-evans/create-pull-request@v8.1.0...v8.1.1>

###
[`v8.1.0`](https://redirect.github.com/peter-evans/create-pull-request/releases/tag/v8.1.0):
Create Pull Request v8.1.0

[Compare
Source](https://redirect.github.com/peter-evans/create-pull-request/compare/v8...v8.1.0)

##### What's Changed

- README.md: bump given GitHub actions to their latest versions by
[@&#8203;deining](https://redirect.github.com/deining) in
[#&#8203;4265](https://redirect.github.com/peter-evans/create-pull-request/pull/4265)
- build(deps): bump the github-actions group with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;4273](https://redirect.github.com/peter-evans/create-pull-request/pull/4273)
- build(deps-dev): bump the npm group with 2 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;4274](https://redirect.github.com/peter-evans/create-pull-request/pull/4274)
- build(deps-dev): bump undici from 6.22.0 to 6.23.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;4284](https://redirect.github.com/peter-evans/create-pull-request/pull/4284)
- Update distribution by
[@&#8203;actions-bot](https://redirect.github.com/actions-bot) in
[#&#8203;4289](https://redirect.github.com/peter-evans/create-pull-request/pull/4289)
- fix: Handle remote prune failures gracefully on self-hosted runners by
[@&#8203;peter-evans](https://redirect.github.com/peter-evans) in
[#&#8203;4295](https://redirect.github.com/peter-evans/create-pull-request/pull/4295)
- feat: add
[@&#8203;octokit/plugin-retry](https://redirect.github.com/octokit/plugin-retry)
to handle retriable server errors by
[@&#8203;peter-evans](https://redirect.github.com/peter-evans) in
[#&#8203;4298](https://redirect.github.com/peter-evans/create-pull-request/pull/4298)

##### New Contributors

- [@&#8203;deining](https://redirect.github.com/deining) made their
first contribution in
[#&#8203;4265](https://redirect.github.com/peter-evans/create-pull-request/pull/4265)

**Full Changelog**:
<peter-evans/create-pull-request@v8.0.0...v8.1.0>

###
[`v8.0.0`](https://redirect.github.com/peter-evans/create-pull-request/releases/tag/v8.0.0):
Create Pull Request v8.0.0

[Compare
Source](https://redirect.github.com/peter-evans/create-pull-request/compare/v7.0.11...v8)

##### What's new in v8

- Requires [Actions Runner
v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)
or later if you are using a self-hosted runner for Node 24 support.

##### What's Changed

- chore: Update checkout action version to v6 by
[@&#8203;yonas](https://redirect.github.com/yonas) in
[#&#8203;4258](https://redirect.github.com/peter-evans/create-pull-request/pull/4258)
- Update actions/checkout references to
[@&#8203;v6](https://redirect.github.com/v6) in docs by
[@&#8203;Copilot](https://redirect.github.com/Copilot) in
[#&#8203;4259](https://redirect.github.com/peter-evans/create-pull-request/pull/4259)
- feat: v8 by
[@&#8203;peter-evans](https://redirect.github.com/peter-evans) in
[#&#8203;4260](https://redirect.github.com/peter-evans/create-pull-request/pull/4260)

##### New Contributors

- [@&#8203;yonas](https://redirect.github.com/yonas) made their first
contribution in
[#&#8203;4258](https://redirect.github.com/peter-evans/create-pull-request/pull/4258)
- [@&#8203;Copilot](https://redirect.github.com/Copilot) made their
first contribution in
[#&#8203;4259](https://redirect.github.com/peter-evans/create-pull-request/pull/4259)

**Full Changelog**:
<peter-evans/create-pull-request@v7.0.11...v8.0.0>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTM5LjciLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) |
action | major | `v5.0.1` → `v6.0.2` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/checkout/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/checkout)
|

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v6.0.2`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v602)

[Compare
Source](https://redirect.github.com/actions/checkout/compare/v6.0.1...v6.0.2)

- Fix tag handling: preserve annotations and explicit fetch-tags by
[@&#8203;ericsciple](https://redirect.github.com/ericsciple) in
[#&#8203;2356](https://redirect.github.com/actions/checkout/pull/2356)

###
[`v6.0.1`](https://redirect.github.com/actions/checkout/compare/v6.0.0...v6.0.1)

[Compare
Source](https://redirect.github.com/actions/checkout/compare/v6...v6.0.1)

###
[`v6.0.0`](https://redirect.github.com/actions/checkout/compare/v5.0.1...v6.0.0)

[Compare
Source](https://redirect.github.com/actions/checkout/compare/v5.0.1...v6)

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTM5LjciLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[actions/download-artifact](https://redirect.github.com/actions/download-artifact)
| action | major | `v5.0.0` → `v7.0.0` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/download-artifact/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/download-artifact)
|
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
| action | major | `v6` → `v7.0.1` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/upload-artifact/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/upload-artifact)
|
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
| action | major | `v4.6.2` → `v7.0.1` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/upload-artifact/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/upload-artifact)
|

---

### Release Notes

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v7.0.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v7.0.0)

[Compare
Source](https://redirect.github.com/actions/download-artifact/compare/v6.0.0...v7.0.0)

##### v7 - What's new

> \[!IMPORTANT]
> actions/download-artifact\@&#8203;v7 now runs on Node.js 24
(`runs.using: node24`) and requires a minimum Actions Runner version of
2.327.1. If you are using self-hosted runners, ensure they are updated
before upgrading.

##### Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary
support for Node 24, however this action was by default still running on
Node.js 20. Now this action by default will run on Node.js 24.

##### What's Changed

- Update GHES guidance to include reference to Node 20 version by
[@&#8203;patrikpolyak](https://redirect.github.com/patrikpolyak) in
[#&#8203;440](https://redirect.github.com/actions/download-artifact/pull/440)
- Download Artifact Node24 support by
[@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in
[#&#8203;415](https://redirect.github.com/actions/download-artifact/pull/415)
- fix: update
[@&#8203;actions/artifact](https://redirect.github.com/actions/artifact)
to fix Node.js 24 punycode deprecation by
[@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in
[#&#8203;451](https://redirect.github.com/actions/download-artifact/pull/451)
- prepare release v7.0.0 for Node.js 24 support by
[@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in
[#&#8203;452](https://redirect.github.com/actions/download-artifact/pull/452)

##### New Contributors

- [@&#8203;patrikpolyak](https://redirect.github.com/patrikpolyak) made
their first contribution in
[#&#8203;440](https://redirect.github.com/actions/download-artifact/pull/440)
- [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) made their
first contribution in
[#&#8203;415](https://redirect.github.com/actions/download-artifact/pull/415)

**Full Changelog**:
<actions/download-artifact@v6.0.0...v7.0.0>

###
[`v6.0.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v6.0.0)

[Compare
Source](https://redirect.github.com/actions/download-artifact/compare/v5.0.0...v6.0.0)

#### What's Changed

**BREAKING CHANGE:** this update supports Node `v24.x`. This is not a
breaking change per-se but we're treating it as such.

- Update README for download-artifact v5 changes by
[@&#8203;yacaovsnc](https://redirect.github.com/yacaovsnc) in
[#&#8203;417](https://redirect.github.com/actions/download-artifact/pull/417)
- Update README with artifact extraction details by
[@&#8203;yacaovsnc](https://redirect.github.com/yacaovsnc) in
[#&#8203;424](https://redirect.github.com/actions/download-artifact/pull/424)
- Readme: spell out the first use of GHES by
[@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) in
[#&#8203;431](https://redirect.github.com/actions/download-artifact/pull/431)
- Bump `@actions/artifact` to `v4.0.0`
- Prepare `v6.0.0` by
[@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) in
[#&#8203;438](https://redirect.github.com/actions/download-artifact/pull/438)

#### New Contributors

- [@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) made
their first contribution in
[#&#8203;431](https://redirect.github.com/actions/download-artifact/pull/431)

**Full Changelog**:
<actions/download-artifact@v5...v6.0.0>

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v7.0.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v7.0.1)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v7...v7.0.1)

##### What's Changed

- Update the readme with direct upload details by
[@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) in
[#&#8203;795](https://redirect.github.com/actions/upload-artifact/pull/795)
- Readme: bump all the example versions to v7 by
[@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) in
[#&#8203;796](https://redirect.github.com/actions/upload-artifact/pull/796)
- Include changes in typespec/ts-http-runtime 0.3.5 by
[@&#8203;yacaovsnc](https://redirect.github.com/yacaovsnc) in
[#&#8203;797](https://redirect.github.com/actions/upload-artifact/pull/797)

**Full Changelog**:
<actions/upload-artifact@v7...v7.0.1>

###
[`v7.0.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v7.0.0)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v6.0.0...v7)

#### v7 What's new

##### Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can
set the new `archive` parameter to `false` to skip zipping the file
during upload. Right now, we only support single files. The action will
fail if the glob passed resolves to multiple files. The `name` parameter
is also ignored with this setting. Instead, the name of the artifact
will be the name of the uploaded file.

##### ESM

To support new versions of the `@actions/*` packages, we've upgraded the
package to ESM.

#### What's Changed

- Add proxy integration test by
[@&#8203;Link-](https://redirect.github.com/Link-) in
[#&#8203;754](https://redirect.github.com/actions/upload-artifact/pull/754)
- Upgrade the module to ESM and bump dependencies by
[@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) in
[#&#8203;762](https://redirect.github.com/actions/upload-artifact/pull/762)
- Support direct file uploads by
[@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) in
[#&#8203;764](https://redirect.github.com/actions/upload-artifact/pull/764)

#### New Contributors

- [@&#8203;Link-](https://redirect.github.com/Link-) made their first
contribution in
[#&#8203;754](https://redirect.github.com/actions/upload-artifact/pull/754)

**Full Changelog**:
<actions/upload-artifact@v6...v7.0.0>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTM5LjciLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Hans <11695964+hupling@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [actions/setup-node](https://redirect.github.com/actions/setup-node) |
action | major | `v5.0.0` → `v6.4.0` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/setup-node/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/setup-node)
|

---

### Release Notes

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v6.4.0`](https://redirect.github.com/actions/setup-node/compare/v6.3.0...v6.4.0)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v6.3.0...v6.4.0)

###
[`v6.3.0`](https://redirect.github.com/actions/setup-node/releases/tag/v6.3.0)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v6.2.0...v6.3.0)

#### What's Changed

##### Enhancements:

- Support parsing `devEngines` field by
[@&#8203;susnux](https://redirect.github.com/susnux) in
[#&#8203;1283](https://redirect.github.com/actions/setup-node/pull/1283)

> When using node-version-file: package.json, setup-node now
prefers devEngines.runtime over engines.node.

##### Dependency updates:

- Fix npm audit issues by
[@&#8203;gowridurgad](https://redirect.github.com/gowridurgad) in
[#&#8203;1491](https://redirect.github.com/actions/setup-node/pull/1491)
- Replace uuid with crypto.randomUUID() by
[@&#8203;trivikr](https://redirect.github.com/trivikr) in
[#&#8203;1378](https://redirect.github.com/actions/setup-node/pull/1378)
- Upgrade minimatch from 3.1.2 to 3.1.5 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[#&#8203;1498](https://redirect.github.com/actions/setup-node/pull/1498)

##### Bug fixes:

- Remove hardcoded bearer for mirror-url
[@&#8203;marco-ippolito](https://redirect.github.com/marco-ippolito) in
[#&#8203;1467](https://redirect.github.com/actions/setup-node/pull/1467)
- Scope test lockfiles by package manager and update cache tests by
[@&#8203;gowridurgad](https://redirect.github.com/gowridurgad) in
[#&#8203;1495](https://redirect.github.com/actions/setup-node/pull/1495)

#### New Contributors

- [@&#8203;susnux](https://redirect.github.com/susnux) made their first
contribution in
[#&#8203;1283](https://redirect.github.com/actions/setup-node/pull/1283)

**Full Changelog**:
<actions/setup-node@v6...v6.3.0>

###
[`v6.2.0`](https://redirect.github.com/actions/setup-node/compare/v6.1.0...v6.2.0)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v6.1.0...v6.2.0)

###
[`v6.1.0`](https://redirect.github.com/actions/setup-node/releases/tag/v6.1.0)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v6...v6.1.0)

#### What's Changed

##### Enhancement:

- Remove always-auth configuration handling by
[@&#8203;priyagupta108](https://redirect.github.com/priyagupta108) in
[#&#8203;1436](https://redirect.github.com/actions/setup-node/pull/1436)

##### Dependency updates:

- Upgrade
[@&#8203;actions/cache](https://redirect.github.com/actions/cache) from
4.0.3 to 4.1.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;1384](https://redirect.github.com/actions/setup-node/pull/1384)
- Upgrade actions/checkout from 5 to 6 by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;1439](https://redirect.github.com/actions/setup-node/pull/1439)
- Upgrade js-yaml from 3.14.1 to 3.14.2 by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;1435](https://redirect.github.com/actions/setup-node/pull/1435)

##### Documentation update:

- Add example for restore-only cache in documentation by
[@&#8203;aparnajyothi-y](https://redirect.github.com/aparnajyothi-y) in
[#&#8203;1419](https://redirect.github.com/actions/setup-node/pull/1419)

**Full Changelog**:
<actions/setup-node@v6...v6.1.0>

###
[`v6.0.0`](https://redirect.github.com/actions/setup-node/releases/tag/v6.0.0)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v5.0.0...v6)

##### What's Changed

**Breaking Changes**

- Limit automatic caching to npm, update workflows and documentation by
[@&#8203;priyagupta108](https://redirect.github.com/priyagupta108) in
[#&#8203;1374](https://redirect.github.com/actions/setup-node/pull/1374)

**Dependency Upgrades**

- Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in
v5 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot]
in
[#&#8203;1336](https://redirect.github.com/actions/setup-node/pull/1336)
- Upgrade prettier from 2.8.8 to 3.6.2 by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;1334](https://redirect.github.com/actions/setup-node/pull/1334)
- Upgrade actions/publish-action from 0.3.0 to 0.4.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;1362](https://redirect.github.com/actions/setup-node/pull/1362)

**Full Changelog**:
<actions/setup-node@v5...v6.0.0>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTM5LjciLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[actions/download-artifact](https://redirect.github.com/actions/download-artifact)
| action | major | `v5.0.0` → `v6.0.0` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/download-artifact/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/download-artifact)
|
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
| action | major | `v4.6.2` → `v6.0.0` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/upload-artifact/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/upload-artifact)
|

---

### Release Notes

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v6.0.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v6.0.0)

[Compare
Source](https://redirect.github.com/actions/download-artifact/compare/v5.0.0...v6.0.0)

#### What's Changed

**BREAKING CHANGE:** this update supports Node `v24.x`. This is not a
breaking change per-se but we're treating it as such.

- Update README for download-artifact v5 changes by
[@&#8203;yacaovsnc](https://redirect.github.com/yacaovsnc) in
[#&#8203;417](https://redirect.github.com/actions/download-artifact/pull/417)
- Update README with artifact extraction details by
[@&#8203;yacaovsnc](https://redirect.github.com/yacaovsnc) in
[#&#8203;424](https://redirect.github.com/actions/download-artifact/pull/424)
- Readme: spell out the first use of GHES by
[@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) in
[#&#8203;431](https://redirect.github.com/actions/download-artifact/pull/431)
- Bump `@actions/artifact` to `v4.0.0`
- Prepare `v6.0.0` by
[@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) in
[#&#8203;438](https://redirect.github.com/actions/download-artifact/pull/438)

#### New Contributors

- [@&#8203;danwkennedy](https://redirect.github.com/danwkennedy) made
their first contribution in
[#&#8203;431](https://redirect.github.com/actions/download-artifact/pull/431)

**Full Changelog**:
<actions/download-artifact@v5...v6.0.0>

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v6.0.0`](https://redirect.github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v5.0.0...v6.0.0)

###
[`v5.0.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.6.2...v5.0.0)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.6.2...v5.0.0)

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTM5LjciLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Hans <11695964+hupling@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | major | `v3.35.4` → `v4.35.4` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/github/codeql-action/badge)](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action)
|

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v4.35.4`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.4)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.35.3...v4.35.4)

- Update default CodeQL bundle version to
[2.25.4](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.4).
[#&#8203;3881](https://redirect.github.com/github/codeql-action/pull/3881)

###
[`v4.35.3`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.3)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.35.2...v4.35.3)

- *Upcoming breaking change*: Add a deprecation warning for customers
using CodeQL version 2.19.3 and earlier. These versions of CodeQL were
discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15,
and will be unsupported by the next minor release of the CodeQL Action.
[#&#8203;3837](https://redirect.github.com/github/codeql-action/pull/3837)
- Configurations for private registries that use Cloudsmith or GCP OIDC
are now accepted.
[#&#8203;3850](https://redirect.github.com/github/codeql-action/pull/3850)
- Best-effort connection tests for private registries now use `GET`
requests instead of `HEAD` for better compatibility with various
registry implementations. For NuGet feeds, the test is now always
performed against the service index.
[#&#8203;3853](https://redirect.github.com/github/codeql-action/pull/3853)
- Fixed a bug where two diagnostics produced within the same millisecond
could overwrite each other on disk, causing one of them to be lost.
[#&#8203;3852](https://redirect.github.com/github/codeql-action/pull/3852)
- Update default CodeQL bundle version to
[2.25.3](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.3).
[#&#8203;3865](https://redirect.github.com/github/codeql-action/pull/3865)

###
[`v4.35.2`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.2)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.35.1...v4.35.2)

- The undocumented TRAP cache cleanup feature that could be enabled
using the `CODEQL_ACTION_CLEANUP_TRAP_CACHES` environment variable is
deprecated and will be removed in May 2026. If you are affected by this,
we recommend disabling TRAP caching by passing the `trap-caching: false`
input to the `init` Action.
[#&#8203;3795](https://redirect.github.com/github/codeql-action/pull/3795)
- The Git version 2.36.0 requirement for improved incremental analysis
now only applies to repositories that contain submodules.
[#&#8203;3789](https://redirect.github.com/github/codeql-action/pull/3789)
- Python analysis on GHES no longer extracts the standard library,
relying instead on models of the standard library. This should result in
significantly faster extraction and analysis times, while the effect on
alerts should be minimal.
[#&#8203;3794](https://redirect.github.com/github/codeql-action/pull/3794)
- Fixed a bug in the validation of OIDC configurations for private
registries that was added in CodeQL Action 4.33.0 / 3.33.0.
[#&#8203;3807](https://redirect.github.com/github/codeql-action/pull/3807)
- Update default CodeQL bundle version to
[2.25.2](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.2).
[#&#8203;3823](https://redirect.github.com/github/codeql-action/pull/3823)

###
[`v4.35.1`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.1)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.35.0...v4.35.1)

- Fix incorrect minimum required Git version for [improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158): it
should have been 2.36.0, not 2.11.0.
[#&#8203;3781](https://redirect.github.com/github/codeql-action/pull/3781)

###
[`v4.35.0`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.34.1...v4.35.0)

- Reduced the minimum Git version required for [improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158) from
2.38.0 to 2.11.0.
[#&#8203;3767](https://redirect.github.com/github/codeql-action/pull/3767)
- Update default CodeQL bundle version to
[2.25.1](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.1).
[#&#8203;3773](https://redirect.github.com/github/codeql-action/pull/3773)

###
[`v4.34.1`](https://redirect.github.com/github/codeql-action/releases/tag/v4.34.1)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.34.0...v4.34.1)

- Downgrade default CodeQL bundle version to
[2.24.3](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3)
due to issues with a small percentage of Actions and JavaScript
analyses.
[#&#8203;3762](https://redirect.github.com/github/codeql-action/pull/3762)

###
[`v4.34.0`](https://redirect.github.com/github/codeql-action/releases/tag/v4.34.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.33.0...v4.34.0)

- Added an experimental change which disables TRAP caching when
[improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158) is
enabled, since improved incremental analysis supersedes TRAP caching.
This will improve performance and reduce Actions cache usage. We expect
to roll this change out to everyone in March.
[#&#8203;3569](https://redirect.github.com/github/codeql-action/pull/3569)
- We are rolling out improved incremental analysis to C/C++ analyses
that use build mode `none`. We expect this rollout to be complete by the
end of April 2026.
[#&#8203;3584](https://redirect.github.com/github/codeql-action/pull/3584)
- Update default CodeQL bundle version to
[2.25.0](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0).
[#&#8203;3585](https://redirect.github.com/github/codeql-action/pull/3585)

###
[`v4.33.0`](https://redirect.github.com/github/codeql-action/releases/tag/v4.33.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.32.6...v4.33.0)

- Upcoming change: Starting April 2026, the CodeQL Action will skip
collecting file coverage information on pull requests to improve
analysis performance. File coverage information will still be computed
on non-PR analyses. Pull request analyses will log a warning about this
upcoming change.
[#&#8203;3562](https://redirect.github.com/github/codeql-action/pull/3562)

  To opt out of this change:

- **Repositories owned by an organization:** Create a custom repository
property with the name `github-codeql-file-coverage-on-prs` and the type
"True/false", then set this property to `true` in the repository's
settings. For more information, see [Managing custom properties for
repositories in your
organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
Alternatively, if you are using an advanced setup workflow, you can set
the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true`
in your workflow.
- **User-owned repositories using default setup:** Switch to an advanced
setup workflow and set the `CODEQL_ACTION_FILE_COVERAGE_ON_PRS`
environment variable to `true` in your workflow.
- **User-owned repositories using advanced setup:** Set the
`CODEQL_ACTION_FILE_COVERAGE_ON_PRS` environment variable to `true` in
your workflow.
- Fixed [a
bug](https://redirect.github.com/github/codeql-action/issues/3555) which
caused the CodeQL Action to fail loading repository properties if a
"Multi select" repository property was configured for the repository.
[#&#8203;3557](https://redirect.github.com/github/codeql-action/pull/3557)
- The CodeQL Action now loads [custom repository
properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization)
on GitHub Enterprise Server, enabling the customization of features such
as `github-codeql-disable-overlay` that was previously only available on
GitHub.com.
[#&#8203;3559](https://redirect.github.com/github/codeql-action/pull/3559)
- Once [private package
registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries)
can be configured with OIDC-based authentication for organizations, the
CodeQL Action will now be able to accept such configurations.
[#&#8203;3563](https://redirect.github.com/github/codeql-action/pull/3563)
- Fixed the retry mechanism for database uploads. Previously this would
fail with the error "Response body object should not be disturbed or
locked".
[#&#8203;3564](https://redirect.github.com/github/codeql-action/pull/3564)
- A warning is now emitted if the CodeQL Action detects a repository
property whose name suggests that it relates to the CodeQL Action, but
which is not one of the properties recognised by the current version of
the CodeQL Action.
[#&#8203;3570](https://redirect.github.com/github/codeql-action/pull/3570)

###
[`v4.32.6`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.6)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.32.5...v4.32.6)

- Update default CodeQL bundle version to
[2.24.3](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3).
[#&#8203;3548](https://redirect.github.com/github/codeql-action/pull/3548)

###
[`v4.32.5`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.5)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.32.4...v4.32.5)

- Repositories owned by an organization can now set up the
`github-codeql-disable-overlay` custom repository property to disable
[improved incremental analysis for
CodeQL](https://redirect.github.com/github/roadmap/issues/1158). First,
create a custom repository property with the name
`github-codeql-disable-overlay` and the type "True/false" in the
organization's settings. Then in the repository's settings, set this
property to `true` to disable improved incremental analysis. For more
information, see [Managing custom properties for repositories in your
organization](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization).
This feature is not yet available on GitHub Enterprise Server.
[#&#8203;3507](https://redirect.github.com/github/codeql-action/pull/3507)
- Added an experimental change so that when [improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158) fails
on a runner — potentially due to insufficient disk space — the failure
is recorded in the Actions cache so that subsequent runs will
automatically skip improved incremental analysis until something changes
(e.g. a larger runner is provisioned or a new CodeQL version is
released). We expect to roll this change out to everyone in March.
[#&#8203;3487](https://redirect.github.com/github/codeql-action/pull/3487)
- The minimum memory check for improved incremental analysis is now
skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage.
[#&#8203;3515](https://redirect.github.com/github/codeql-action/pull/3515)
- Reduced log levels for best-effort private package registry connection
check failures to reduce noise from workflow annotations.
[#&#8203;3516](https://redirect.github.com/github/codeql-action/pull/3516)
- Added an experimental change which lowers the minimum disk space
requirement for [improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158),
enabling it to run on standard GitHub Actions runners. We expect to roll
this change out to everyone in March.
[#&#8203;3498](https://redirect.github.com/github/codeql-action/pull/3498)
- Added an experimental change which allows the `start-proxy` action to
resolve the CodeQL CLI version from feature flags instead of using the
linked CLI bundle version. We expect to roll this change out to everyone
in March.
[#&#8203;3512](https://redirect.github.com/github/codeql-action/pull/3512)
- The previously experimental changes from versions 4.32.3, 4.32.4,
3.32.3 and 3.32.4 are now enabled by default.
[#&#8203;3503](https://redirect.github.com/github/codeql-action/pull/3503),
[#&#8203;3504](https://redirect.github.com/github/codeql-action/pull/3504)

###
[`v4.32.4`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.4)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.32.3...v4.32.4)

- Update default CodeQL bundle version to
[2.24.2](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2).
[#&#8203;3493](https://redirect.github.com/github/codeql-action/pull/3493)
- Added an experimental change which improves how certificates are
generated for the authentication proxy that is used by the CodeQL Action
in Default Setup when [private package registries are
configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries).
This is expected to generate more widely compatible certificates and
should have no impact on analyses which are working correctly already.
We expect to roll this change out to everyone in February.
[#&#8203;3473](https://redirect.github.com/github/codeql-action/pull/3473)
- When the CodeQL Action is run [with debugging enabled in Default
Setup](https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup)
and [private package registries are
configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries),
the "Setup proxy for registries" step will output additional diagnostic
information that can be used for troubleshooting.
[#&#8203;3486](https://redirect.github.com/github/codeql-action/pull/3486)
- Added a setting which allows the CodeQL Action to enable network
debugging for Java programs. This will help GitHub staff support
customers with troubleshooting issues in GitHub-managed CodeQL
workflows, such as Default Setup. This setting can only be enabled by
GitHub staff.
[#&#8203;3485](https://redirect.github.com/github/codeql-action/pull/3485)
- Added a setting which enables GitHub-managed workflows, such as
Default Setup, to use a [nightly CodeQL CLI
release](https://redirect.github.com/dsp-testing/codeql-cli-nightlies)
instead of the latest, stable release that is used by default. This will
help GitHub staff support customers whose analyses for a given
repository or organization require early access to a change in an
upcoming CodeQL CLI release. This setting can only be enabled by GitHub
staff.
[#&#8203;3484](https://redirect.github.com/github/codeql-action/pull/3484)

###
[`v4.32.3`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.3)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.32.2...v4.32.3)

- Added experimental support for testing connections to [private package
registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries).
This feature is not currently enabled for any analysis. In the future,
it may be enabled by default for Default Setup.
[#&#8203;3466](https://redirect.github.com/github/codeql-action/pull/3466)

###
[`v4.32.2`](https://redirect.github.com/github/codeql-action/compare/v4.32.1...v4.32.2)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.32.1...v4.32.2)

###
[`v4.32.1`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.1)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.32.0...v4.32.1)

- A warning is now shown in Default Setup workflow logs if a [private
package registry is
configured](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries)
using a GitHub Personal Access Token (PAT), but no username is
configured.
[#&#8203;3422](https://redirect.github.com/github/codeql-action/pull/3422)
- Fixed a bug which caused the CodeQL Action to fail when repository
properties cannot successfully be retrieved.
[#&#8203;3421](https://redirect.github.com/github/codeql-action/pull/3421)

###
[`v4.32.0`](https://redirect.github.com/github/codeql-action/releases/tag/v4.32.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.31.11...v4.32.0)

- Update default CodeQL bundle version to
[2.24.0](https://redirect.github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0).
[#&#8203;3425](https://redirect.github.com/github/codeql-action/pull/3425)

###
[`v4.31.11`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.11)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.31.10...v4.31.11)

- When running a Default Setup workflow with [Actions debugging
enabled](https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging),
the CodeQL Action will now use more unique names when uploading logs
from the Dependabot authentication proxy as workflow artifacts. This
ensures that the artifact names do not clash between multiple jobs in a
build matrix.
[#&#8203;3409](https://redirect.github.com/github/codeql-action/pull/3409)
- Improved error handling throughout the CodeQL Action.
[#&#8203;3415](https://redirect.github.com/github/codeql-action/pull/3415)
- Added experimental support for automatically excluding [generated
files](https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github)
from the analysis. This feature is not currently enabled for any
analysis. In the future, it may be enabled by default for some
GitHub-managed analyses.
[#&#8203;3318](https://redirect.github.com/github/codeql-action/pull/3318)
- The changelog extracts that are included with releases of the CodeQL
Action are now shorter to avoid duplicated information from appearing in
Dependabot PRs.
[#&#8203;3403](https://redirect.github.com/github/codeql-action/pull/3403)

###
[`v4.31.10`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.10)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.31.9...v4.31.10)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

##### 4.31.10 - 12 Jan 2026

- Update default CodeQL bundle version to 2.23.9.
[#&#8203;3393](https://redirect.github.com/github/codeql-action/pull/3393)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.10/CHANGELOG.md)
for more information.

###
[`v4.31.9`](https://redirect.github.com/github/codeql-action/compare/v4.31.8...v4.31.9)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.31.8...v4.31.9)

###
[`v4.31.8`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.8)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.31.7...v4.31.8)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

##### 4.31.8 - 11 Dec 2025

- Update default CodeQL bundle version to 2.23.8.
[#&#8203;3354](https://redirect.github.com/github/codeql-action/pull/3354)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.8/CHANGELOG.md)
for more information.

###
[`v4.31.7`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.7)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.31.6...v4.31.7)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

##### 4.31.7 - 05 Dec 2025

- Update default CodeQL bundle version to 2.23.7.
[#&#8203;3343](https://redirect.github.com/github/codeql-action/pull/3343)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.7/CHANGELOG.md)
for more information.

###
[`v4.31.6`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.6)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.31.5...v4.31.6)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

##### 4.31.6 - 01 Dec 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.6/CHANGELOG.md)
for more information.

###
[`v4.31.5`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.5)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.31.4...v4.31.5)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

##### 4.31.5 - 24 Nov 2025

- Update default CodeQL bundle version to 2.23.6.
[#&#8203;3321](https://redirect.github.com/github/codeql-action/pull/3321)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.5/CHANGELOG.md)
for more information.

###
[`v4.31.4`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.4)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.31.3...v4.31.4)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

##### 4.31.4 - 18 Nov 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.4/CHANGELOG.md)
for more information.

###
[`v4.31.3`](https://redirect.github.com/github/codeql-action/releases/tag/v4.31.3)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.31.2...v4.31.3)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

##### 4.31.3 - 13 Nov 2025

- CodeQL Action v3 will be deprecated in December 2026. The Action now
logs a warning for customers who are running v3 but could be running v4.
For more information, see [Upcoming deprecation of CodeQL Action
v3](https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/).
- Update default CodeQL bundle version to 2.23.5.
[#&#8203;3288](https://redirect.github.com/github/codeql-action/pull/3288)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.31.3/CHANGELOG.md)
for more information.

###
[`v4.31.2`](https://redirect.github.com/github/codeql-action/compare/v4.31.1...v4.31.2)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.31.1...v4.31.2)

###
[`v4.31.1`](https://redirect.github.com/github/codeql-action/compare/v4.31.0...v4.31.1)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.31.0...v4.31.1)

###
[`v4.31.0`](https://redirect.github.com/github/codeql-action/compare/v4.30.9...v4.31.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.30.9...v4.31.0)

###
[`v4.30.9`](https://redirect.github.com/github/codeql-action/releases/tag/v4.30.9)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.30.8...v4.30.9)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

##### 4.30.9 - 17 Oct 2025

- Update default CodeQL bundle version to 2.23.3.
[#&#8203;3205](https://redirect.github.com/github/codeql-action/pull/3205)
- Experimental: A new `setup-codeql` action has been added which is
similar to `init`, except it only installs the CodeQL CLI and does not
initialize a database. Do not use this in production as it is part of an
internal experiment and subject to change at any time.
[#&#8203;3204](https://redirect.github.com/github/codeql-action/pull/3204)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.30.9/CHANGELOG.md)
for more information.

###
[`v4.30.8`](https://redirect.github.com/github/codeql-action/releases/tag/v4.30.8)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.30.7...v4.30.8)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.30.8 - 10 Oct 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.30.8/CHANGELOG.md)
for more information.

###
[`v4.30.7`](https://redirect.github.com/github/codeql-action/releases/tag/v4.30.7)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.35.4...v4.30.7)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 4.30.7 - 06 Oct 2025

- \[v4+ only] The CodeQL Action now runs on Node.js v24.
[#&#8203;3169](https://redirect.github.com/github/codeql-action/pull/3169)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v4.30.7/CHANGELOG.md)
for more information.

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTU5LjIiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
| action | major | `v4.6.2` → `v5.0.0` | [![OpenSSF
Scorecard](https://api.securityscorecards.dev/projects/github.com/actions/upload-artifact/badge)](https://securityscorecards.dev/viewer/?uri=github.com/actions/upload-artifact)
|

---

### Release Notes

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v5.0.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.6.2...v5.0.0)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.6.2...v5.0.0)

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Berlin)

- Branch creation
  - Between 12:00 AM and 03:59 AM, only on Monday (`* 0-3 * * 1`)
- Automerge
- At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday
through Friday (`* 0-4,22-23 * * 1-5`)
  - Only on Sunday and Saturday (`* * * * 0,6`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/it-at-m/lhm_actions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDMuMTM5LjciLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Hans <11695964+hupling@users.noreply.github.com>
@coderabbitai

coderabbitai Bot commented May 12, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Walkthrough

This PR updates pinned commit SHAs for GitHub Actions marketplace actions across all CI/CD workflows and composite action templates. Core actions like actions/checkout, actions/setup-node, and artifact handling actions are bumped to newer versions. No workflow logic, step configuration, or action inputs are changed; only the pinned SHAs are updated.

Changes

Unified GitHub Actions version pinning update

Layer / File(s) Summary
Core checkout and repository setup actions
.github/workflows/action-reviewdog.yml, .github/workflows/action-superlint.yml, .github/workflows/dependency_review.yaml, .github/workflows/test-action-npm-build.yml, .github/workflows/test-action-npm-release.yml, action-templates/actions/action-actionlint/action.yml, action-templates/actions/action-checkout/action.yml, action-templates/actions/action-codeql/action.yml, action-templates/actions/action-pr-labeler/action.yml, action-templates/actions/action-trivy/action.yml, action-templates/actions/action-npm-release/action.yml, action-templates/actions/action-maven-build/action.yml, action-templates/actions/action-maven-release/action.yml, action-templates/actions/action-dockercompose-healthcheck/action.yml
actions/checkout is updated from v5.0.1 to v6.0.2 across 14 workflow and action template files that perform repository checkout operations.
Build tooling and artifact management actions
.github/workflows/release-actions.yml, action-templates/actions/action-build-docs/action.yml, action-templates/actions/action-npm-build/action.yml, action-templates/actions/action-maven-build/action.yml, action-templates/actions/action-maven-release/action.yml, action-templates/actions/action-create-github-release/action.yml, action-templates/actions/action-deploy-docs/action.yml, action-templates/actions/action-trivy/action.yml
actions/setup-node (v5.0.0 → v6.4.0), actions/upload-artifact (various → v7.0.1), actions/download-artifact (v5.0.0 → v8.0.1), actions/configure-pages, actions/upload-pages-artifact, and actions/deploy-pages (v4.0.5 → v5.0.0) are updated across build, release, and pages deployment templates.
Code analysis and automated commit actions
action-templates/actions/action-codeql/action.yml, action-templates/actions/action-dependency-review/action.yml, .github/workflows/dependency_review.yaml, .github/workflows/action-superlint.yml
github/codeql-action (v3.35.4 → v4.35.4), actions/dependency-review-action (v4.9.0 → v5.0.0), and stefanzweifel/git-auto-commit-action (v6.0.1 → v7.1.0) are updated in security scanning and linting workflows.
Container, release, and filtering actions
action-templates/actions/action-build-image/action.yml, action-templates/actions/action-filter/action.yml, action-templates/actions/action-npm-release/action.yml
Docker actions (docker/login-action v3.7.0 → v4.1.0, docker/metadata-action v5.10.0 → v6.0.0, docker/build-push-action v6.19.2 → v7.1.0), peter-evans/create-pull-request (v7.0.11 → v8.1.1), and dorny/paths-filter (v3.0.3 → v4.0.1) are updated in container build and release automation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A rabbit hops through actions old,
Pinning SHAs, brave and bold,
From v5 to v6, the checkouts flow,
Artifacts dance in versions aglow,
No logic changed, just safer ground,
Where newer builds are safely found! 🚀

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description uses the template structure but fails to populate required sections. The 'Changes' section contains only placeholder dashes, 'Reference' has a placeholder issue number, testing URL is placeholder text, and no concrete information about the 27+ files modified is provided. Replace placeholder content with actual changes: list all updated actions and versions in the Changes section, provide the actual related issue number(s), include a real testing URL or remove if not applicable, and check relevant checklist items.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title 'fix: update diverse actions' directly addresses the main change: updating GitHub Actions to newer versions across multiple workflows and action templates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dev

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

  • Generate code and open pull requests
  • Plan features and break down work
  • Investigate incidents and troubleshoot customer tickets together
  • Automate recurring tasks and respond to alerts with triggers
  • Summarize progress and report instantly

Built for teams:

  • Shared memory across your entire org—no repeating context
  • Per-thread sandboxes to safely plan and execute work
  • Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@hupling hupling changed the title Dev fix: update diverse actions May 12, 2026
@hupling
hupling marked this pull request as ready for review May 12, 2026 06:04

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
action-templates/actions/action-trivy/action.yml (1)

50-50: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider pinning the CodeQL action to a specific SHA for consistency.

This file pins other actions to commit SHAs (lines 18, 23, 41) for security, but line 50 uses only a tag reference (@v4). While not blocking for this PR, consider pinning to a SHA in a follow-up to maintain consistency with the repo's security practices.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@action-templates/actions/action-trivy/action.yml` at line 50, The GitHub
Action reference "github/codeql-action/upload-sarif@v4" should be pinned to a
specific commit SHA for consistency with other actions; replace the tag "@v4"
with the corresponding commit SHA for the upload-sarif action (the same pattern
used for other actions in this file) and verify the SHA matches the intended
release; update the uses entry for "github/codeql-action/upload-sarif" so it
references the exact commit SHA rather than the floating tag.
action-templates/actions/action-npm-build/action.yml (1)

1-1: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix SHA mismatch in github/codeql-action and address breaking changes from major version updates.

Critical: The pinned SHA for github/codeql-action v4.35.4 is incorrect:

  • Pinned: 68bde559dea0fdcac2102bfdf6230c5f70eb485e
  • Actual v4.35.4 tag: 3ce22a6e336a7fcc318bc58ae1986395bdc83ba7

Update this to the correct SHA immediately.

All other action SHAs are correctly pinned. However, the major version updates introduce breaking changes that may require workflow adjustments:

  • actions/upload-artifact v7: ESM runtime upgrade, Node 24 required; note the new archive parameter behavior for direct uploads
  • peter-evans/create-pull-request v8: Node.js 24 runtime requires self-hosted runners to upgrade to v2.327.1+
  • github/codeql-action v4: Node.js 24 runtime (v3 used Node 20)
  • actions/checkout v6: Credential storage location changed; Docker container actions require runner v2.329.0+
  • actions/setup-node v6: Automatic caching limited to npm only (v5 cached for all managers); always-auth input removed
  • actions/dependency-review-action v5: Verify compatibility with current usage
  • stefanzweifel/git-auto-commit-action v7.1: Verify compatibility with current usage

Ensure runner versions on self-hosted infrastructure meet minimum requirements before merging.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@action-templates/actions/action-npm-build/action.yml` at line 1, Update the
incorrect pinned SHA for github/codeql-action v4.35.4 from
68bde559dea0fdcac2102bfdf6230c5f70eb485e to the correct SHA
3ce22a6e336a7fcc318bc58ae1986395bdc83ba7 in the action YAML (refer to the name:
"Npm build" and the github/codeql-action v4.35.4 reference), and then review and
adjust workflows for breaking changes introduced by the major version upgrades
listed (actions/upload-artifact v7, peter-evans/create-pull-request v8,
github/codeql-action v4, actions/checkout v6, actions/setup-node v6,
actions/dependency-review-action v5, stefanzweifel/git-auto-commit-action v7.1)
ensuring self-hosted runners meet the minimum runner versions and any changed
inputs/behaviors (archive param, Node 24 runtime, credential storage,
caching/always-auth) are handled before merging.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@action-templates/actions/action-build-image/action.yml`:
- Line 39: The updated action pins (actions/checkout@v6.0.2,
actions/download-artifact@v8.0.1, docker/login-action@v4.1.0,
docker/metadata-action@v6.0.0, docker/build-push-action@v7.1.0) require GitHub
Actions Runner v2.327.1+ (Node 24); update documentation and deployment checks
to require that runner version before merging. Add a clear note to the action's
metadata/README and your release/PR checklist stating "Requires runner v2.327.1
or later", and update any self-hosted runner upgrade instructions or CI workflow
configuration to use GitHub-hosted runners that meet v2.327.1+ (or
verify/upgrade self-hosted runners) so the new uses entries (actions/checkout,
actions/download-artifact, docker/* actions) will run correctly.

---

Outside diff comments:
In `@action-templates/actions/action-npm-build/action.yml`:
- Line 1: Update the incorrect pinned SHA for github/codeql-action v4.35.4 from
68bde559dea0fdcac2102bfdf6230c5f70eb485e to the correct SHA
3ce22a6e336a7fcc318bc58ae1986395bdc83ba7 in the action YAML (refer to the name:
"Npm build" and the github/codeql-action v4.35.4 reference), and then review and
adjust workflows for breaking changes introduced by the major version upgrades
listed (actions/upload-artifact v7, peter-evans/create-pull-request v8,
github/codeql-action v4, actions/checkout v6, actions/setup-node v6,
actions/dependency-review-action v5, stefanzweifel/git-auto-commit-action v7.1)
ensuring self-hosted runners meet the minimum runner versions and any changed
inputs/behaviors (archive param, Node 24 runtime, credential storage,
caching/always-auth) are handled before merging.

In `@action-templates/actions/action-trivy/action.yml`:
- Line 50: The GitHub Action reference "github/codeql-action/upload-sarif@v4"
should be pinned to a specific commit SHA for consistency with other actions;
replace the tag "@v4" with the corresponding commit SHA for the upload-sarif
action (the same pattern used for other actions in this file) and verify the SHA
matches the intended release; update the uses entry for
"github/codeql-action/upload-sarif" so it references the exact commit SHA rather
than the floating tag.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: ad6f8f22-d932-4b94-accd-2b9398399f0e

📥 Commits

Reviewing files that changed from the base of the PR and between cc7c47f and a6110e5.

📒 Files selected for processing (22)
  • .github/workflows/action-reviewdog.yml
  • .github/workflows/action-superlint.yml
  • .github/workflows/dependency_review.yaml
  • .github/workflows/release-actions.yml
  • .github/workflows/test-action-npm-build.yml
  • .github/workflows/test-action-npm-release.yml
  • action-templates/actions/action-actionlint/action.yml
  • action-templates/actions/action-build-docs/action.yml
  • action-templates/actions/action-build-image/action.yml
  • action-templates/actions/action-checkout/action.yml
  • action-templates/actions/action-codeql/action.yml
  • action-templates/actions/action-create-github-release/action.yml
  • action-templates/actions/action-dependency-review/action.yml
  • action-templates/actions/action-deploy-docs/action.yml
  • action-templates/actions/action-dockercompose-healthcheck/action.yml
  • action-templates/actions/action-filter/action.yml
  • action-templates/actions/action-maven-build/action.yml
  • action-templates/actions/action-maven-release/action.yml
  • action-templates/actions/action-npm-build/action.yml
  • action-templates/actions/action-npm-release/action.yml
  • action-templates/actions/action-pr-labeler/action.yml
  • action-templates/actions/action-trivy/action.yml

steps:
- name: Checkout repository
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical | ⚖️ Poor tradeoff

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify that each pinned SHA corresponds to the claimed version tag

echo "Checking actions/checkout v6.0.2 → de0fac2e4500dabe0009e67214ff5f5447ce83dd"
gh api repos/actions/checkout/git/ref/tags/v6.0.2 --jq '.object.sha' | grep -q 'de0fac2e4500dabe0009e67214ff5f5447ce83dd' && echo "✓ actions/checkout SHA verified" || echo "✗ actions/checkout SHA mismatch"

echo "Checking actions/download-artifact v8.0.1 → 3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c"
gh api repos/actions/download-artifact/git/ref/tags/v8.0.1 --jq '.object.sha' | grep -q '3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c' && echo "✓ actions/download-artifact SHA verified" || echo "✗ actions/download-artifact SHA mismatch"

echo "Checking docker/login-action v4.1.0 → 4907a6ddec9925e35a0a9e82d7399ccc52663121"
gh api repos/docker/login-action/git/ref/tags/v4.1.0 --jq '.object.sha' | grep -q '4907a6ddec9925e35a0a9e82d7399ccc52663121' && echo "✓ docker/login-action SHA verified" || echo "✗ docker/login-action SHA mismatch"

echo "Checking docker/metadata-action v6.0.0 → 030e881283bb7a6894de51c315a6bfe6a94e05cf"
gh api repos/docker/metadata-action/git/ref/tags/v6.0.0 --jq '.object.sha' | grep -q '030e881283bb7a6894de51c315a6bfe6a94e05cf' && echo "✓ docker/metadata-action SHA verified" || echo "✗ docker/metadata-action SHA mismatch"

echo "Checking docker/build-push-action v7.1.0 → bcafcacb16a39f128d818304e6c9c0c18556b85f"
gh api repos/docker/build-push-action/git/ref/tags/v7.1.0 --jq '.object.sha' | grep -q 'bcafcacb16a39f128d818304e6c9c0c18556b85f' && echo "✓ docker/build-push-action SHA verified" || echo "✗ docker/build-push-action SHA mismatch"

Repository: it-at-m/lhm_actions

Length of output: 655


🌐 Web query:

actions/checkout v6 breaking changes

💡 Result:

actions/checkout v6 breaking-change summary (from official repo docs/changelog): 1) persist-credentials storage location change (behavioral breaking for some environments) - In v6.0.0, persist-credentials was changed to store the credentials in a separate file under $RUNNER_TEMP instead of writing them directly into the local .git/config [1][2]. - Because the credentials are no longer read from .git/config, authenticated git commands from Docker container actions require a minimum Actions Runner version of v2.329.0 (or later) so the container can access the persisted credentials in their new location [1][2]. - For most workflows, this is not expected to require workflow changes: the v6 “What’s new” text states that no workflow changes are required and that git fetch, git push, etc. continue to work automatically [2]. 2) Version/runtime-related notes included with v6 - The v6.0.0 release notes also mention updating the README for Node.js 24 support requirements/details [1]. 3) Related v6 follow-up fixes (not “breaking” but notable) - v6.0.2 includes a fix for tag handling (preserve annotations and explicit fetch-tags) [3][4]. Practical guidance when upgrading from v5 to v6 - If you use persist-credentials: true and especially if you run authenticated git commands inside Docker container actions, ensure your Actions Runner is at least v2.329.0 [2]. - Otherwise, the official docs indicate you should not need to change your workflow steps for typical git fetch/push usage [2].

Citations:


🌐 Web query:

docker/login-action v4 breaking changes

💡 Result:

Main docker/login-action v4 breaking-change: the action now runs on Node.js 24 by default, not Node.js 20. What changed from v3 → v4 (and why it can break CI) 1) Runtime requirement: Node 24 default runtime - v4.0.0 states “Node 24 as default runtime (requires Actions Runner v2.327.1 or later)”[1]. - The PR implementing this changed action.yml from using: 'node20' to using: 'node24'[2]. Impact: if your GitHub Actions runner is older than the stated minimum, or you rely on Node 20-specific behavior, upgrading docker/login-action@v3 to @v4 can fail or behave differently. 2) Module system / build change: switch to ESM - v4.0.0 also notes “Switch to ESM and update config/test wiring”[1]. Impact: this is usually internal to the action, but it’s still a fundamental implementation change that’s worth treating as “breaking” for any unusual wrapper/consumption patterns. Other v4.x updates (not clearly “breaking”) - v4.1.0 is listed as a set of fixes and dependency bumps (e.g., “Fix scoped Docker Hub cleanup path when registry is omitted”)[3], but the release notes provided do not describe additional breaking interface changes beyond what’s already in v4.0.0. Practical migration guidance - Ensure your GitHub-hosted runner or self-hosted runner meets “Actions Runner v2.327.1 or later” before using docker/login-action@v4[1]. - If you have pinned or customized runner/container images that depend on Node 20, update them for Node 24 compatibility. - Otherwise, the typical workflow-level change is just updating uses: docker/login-action@v3uses: docker/login-action@v4[4].

Citations:


🌐 Web query:

docker/metadata-action v6 breaking changes

💡 Result:

docker/metadata-action v6 breaking changes (v6.0.0 released 2026-03-05) 1) Node.js runtime default: Node 24 v6.0.0 makes Node 24 the default runtime and requires GitHub Actions Runner v2.327.1 or later [1][2]. Impact: if your org/pipeline pins or assumes Node 20 behavior, you may need to update affected runner/action configuration so the workflow runs under the newer runtime. 2) ESM migration v6.0.0 includes a switch to ESM (“Switch to ESM and update config/test wiring”) [1][2]. Related notes also indicate ESM-only behavior for @actions/github (CommonJS consumers must use dynamic import) [3]. Impact: this is mainly internal for end users of the GitHub Action; it matters if you embed/require the action’s JS as a library in custom Node code. 3) Parsing behavior change for “list inputs” containing # v6.0.0 changes list input parsing to preserve # inside values while still supporting full-line # comments [1][2]. Impact: if you previously used # in a way that depended on it being treated as comment delimiters even when inside values, your tags/labels rules can change. Other changes in v6.0.0 (mostly dependency bumps) The release notes also list several dependency bumps (lodash, @actions/core, @actions/github, @docker/actions-toolkit, semver, etc.) [1][2].

Citations:


🌐 Web query:

docker/build-push-action v7 breaking changes

💡 Result:

The docker/build-push-action v7.0.0 (released 2026-03-05) introduces several changes that could be breaking depending on usage[1][2][3]. Key breaking changes include: - Node 24 as the default runtime, requiring GitHub Actions Runner version v2.327.1 or later[1][2]. - Removal of deprecated environment variables DOCKER_BUILD_NO_SUMMARY and DOCKER_BUILD_EXPORT_RETENTION_DAYS[1][3]. - Complete removal of legacy export-build tool support for build summary (previously controllable via DOCKER_BUILD_EXPORT_LEGACY, now removed from docs)[1][3][4]. - Switch to ESM (ECMAScript Modules) and internal config/test updates[1]. - Major dependency bumps: @actions/core to 3.0.0 (potential API changes), @docker/actions-toolkit to 0.79.0[1]. No explicit migration guide found in official docs, but full changelog available at docker/build-push-action@v6.19.2...v7.0.0[1][3]. Workflows using removed env vars or old runners will fail. Later patch v7.1.0 (2026-04-10) adds no further breaking changes[5].

Citations:


🏁 Script executed:

cat -n action-templates/actions/action-build-image/action.yml

Repository: it-at-m/lhm_actions

Length of output: 2852


Update requires GitHub Actions Runner version v2.327.1 or later.

All five updated actions (actions/checkout v6.0.2, actions/download-artifact v8.0.1, docker/login-action v4.1.0, docker/metadata-action v6.0.0, docker/build-push-action v7.1.0) mandate Node 24 as the default runtime and require GitHub Actions Runner v2.327.1 or later to function. The pinned SHAs are correct and verified against their respective version tags. Ensure your GitHub-hosted and self-hosted runners meet this minimum version requirement before deploying these updates.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@action-templates/actions/action-build-image/action.yml` at line 39, The
updated action pins (actions/checkout@v6.0.2, actions/download-artifact@v8.0.1,
docker/login-action@v4.1.0, docker/metadata-action@v6.0.0,
docker/build-push-action@v7.1.0) require GitHub Actions Runner v2.327.1+ (Node
24); update documentation and deployment checks to require that runner version
before merging. Add a clear note to the action's metadata/README and your
release/PR checklist stating "Requires runner v2.327.1 or later", and update any
self-hosted runner upgrade instructions or CI workflow configuration to use
GitHub-hosted runners that meet v2.327.1+ (or verify/upgrade self-hosted
runners) so the new uses entries (actions/checkout, actions/download-artifact,
docker/* actions) will run correctly.

@hupling

hupling commented May 12, 2026

Copy link
Copy Markdown
Contributor Author

@hupling hupling closed this May 12, 2026
@hupling
hupling deleted the dev branch May 12, 2026 06:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant