Skip to content

ci(deps): bump the github-actions group across 1 directory with 12 updates#34

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/dot-github/workflows/github-actions-bb40223a29
Open

ci(deps): bump the github-actions group across 1 directory with 12 updates#34
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/dot-github/workflows/github-actions-bb40223a29

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 18, 2026
edited
Loading

Bumps the github-actions group with 12 updates in the /.github/workflows directory:

Package From To
step-security/harden-runner 2.16.1 2.19.3
step-security/action-gh-release 2.6.1 3.0.0
step-security/action-semantic-pull-request 6.1.1 6.1.2
step-security/rust-cache 2.8.3 2.9.1
taiki-e/install-action 2.73.0 2.79.1
step-security/paths-filter 3.0.5 4.0.1
github/codeql-action 4.35.1 4.35.5
actions/labeler 6.0.1 6.1.0
actions/github-script 8.0.0 9.0.0
googleapis/release-please-action 4.4.0 5.0.0
actions/upload-artifact 7.0.0 7.0.1
actions/dependency-review-action 4.9.0 5.0.0

Updates step-security/harden-runner from 2.16.1 to 2.19.3

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.3

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

What's Changed

  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

... (truncated)

Commits
  • ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit
  • ec41b78 Default to audit mode when api-key missing with use-policy-store
  • 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
  • 1dee3df Update agent to v1.8.5
  • a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
  • 6e92856 build dist and trim ubuntu-slim message
  • 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
  • 8d3c67d Release v2.19.0 (#661)
  • 6c3c2f2 Feature/deploy on self hosted vm (#658)
  • 376d25a fix: detect ubuntu-slim runners early and bail out
  • Additional commits viewable in compare view

Updates step-security/action-gh-release from 2.6.1 to 3.0.0

Release notes

Sourced from step-security/action-gh-release's releases.

v3.0.0

What's Changed

New Contributors

Full Changelog: step-security/action-gh-release@v2...v3.0.0

Commits
  • 277bfa8 Merge pull request #86 from step-security/auto-cherry-pick
  • fcbd57a chore: Cherry-pick conflicting changes from upstream
  • 28e0835 fix: apply code build script
  • 147407f release: cut v3.0.0 for Node 24 upgrade (#670)
  • b06017c release: cut v3.0.0 for Node 24 upgrade (#670)
  • 7f52c03 Merge pull request #87 from step-security/npm-audit-fix
  • e09057e fix: apply audit fixes
  • 38e3839 fix: apply audit fixes
  • 30dad22 Merge pull request #85 from step-security/auto-cherry-pick
  • e5ef807 chore: Bump version to 2.6.2
  • Additional commits viewable in compare view

Updates step-security/action-semantic-pull-request from 6.1.1 to 6.1.2

Release notes

Sourced from step-security/action-semantic-pull-request's releases.

v6.1.2

What's Changed

Full Changelog: step-security/action-semantic-pull-request@v6...v6.1.2

Commits
  • 75d2dd5 Merge pull request #162 from step-security/Raj-StepSecurity-patch-11
  • dce66ee Update actions_release.yml
  • 80eb62b Merge pull request #161 from step-security/yarn-audit-fix
  • ac0700f fix: apply audit fixes
  • 92d4228 fix: apply audit fixes
  • 91fa82f fix: apply audit fixes
  • fed9df2 Merge pull request #160 from step-security/feat/update-subscription-check
  • 9d0ba60 code linted
  • 21be1b8 feat: added banner and update subscription check to make maintained actions f...
  • 57d5042 Merge pull request #159 from step-security/yarn-audit-fix
  • Additional commits viewable in compare view

Updates step-security/rust-cache from 2.8.3 to 2.9.1

Release notes

Sourced from step-security/rust-cache's releases.

v2.9.1

What's Changed

Full Changelog: step-security/rust-cache@v2...v2.9.1

v2.8.4

What's Changed

New Contributors

Full Changelog: step-security/rust-cache@v2...v2.8.4

Commits
  • 851174d fix: test vulns fixed (#279)
  • f0d17cd Merge branch 'main' into fix/test-vulnerabilities-fixed
  • 90bb4a5 chore: Cherry-picked changes from upstream (#281)
  • 595123a Merge pull request #280 from step-security/auto-cherry-pick
  • b1072eb conflicted commits cherry-picked
  • 374bbf5 fix: apply code build script
  • dd5ecff fix: apply code build script
  • 7791ac0 Compare case-insenitively for full cache key match (#303)
  • 49df1bd Consider all installed toolchains in cache key (#293)
  • 84286e5 Consider all installed toolchains in cache key (#293)
  • Additional commits viewable in compare view

Updates taiki-e/install-action from 2.73.0 to 2.79.1

Release notes

Sourced from taiki-e/install-action's releases.

2.79.1

  • Update tombi@latest to 0.11.5.

  • Update cargo-nextest@latest to 0.9.136.

  • Update typos@latest to 1.46.2.

  • Update mise@latest to 2026.5.10.

2.79.0

  • Support more host architectures. (#1841, thanks @​Gelbpunkt)

  • Deprecate mdbook-alerts because the feature now included in mdbook and the repository has been archived. (#1844)

  • Deprecate iai-callgrind-runner because it has been renamed to gungraun-runner. gungraun-runner is also supported by this action. (#1844)

2.78.3

  • Update zizmor@latest to 1.25.2.

  • Update cargo-zigbuild@latest to 0.22.3. (#1814, thanks @​simonhollingshead)

  • Update wasm-tools@latest to 1.249.0.

  • Update gungraun-runner@latest to 0.19.0.

2.78.2

  • Update wasm-pack@latest to 0.15.0.

  • Update zizmor@latest to 1.25.0.

  • Update mise@latest to 2026.5.9.

  • Update cargo-nextest@latest to 0.9.135.

  • Update cyclonedx@latest to 0.32.0.

  • Update prek@latest to 0.4.0.

2.78.1

  • Update mise@latest to 2026.5.7.

  • Diagnostic improvements.

2.78.0

  • Support cargo-mutants. (#1812, thanks @​jakewimmer)

  • Update covgate@latest to 0.2.0.

  • Update cargo-llvm-cov@latest to 0.8.7.

... (truncated)

Changelog

Sourced from taiki-e/install-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

This project adheres to Semantic Versioning.

[Unreleased]

  • Update vacuum@latest to 0.26.5.

  • Update cargo-shear@latest to 1.12.4.

[2.79.1] - 2026-05-18

  • Update tombi@latest to 0.11.5.

  • Update cargo-nextest@latest to 0.9.136.

  • Update typos@latest to 1.46.2.

  • Update mise@latest to 2026.5.10.

[2.79.0] - 2026-05-17

  • Support more host architectures. (#1841, thanks @​Gelbpunkt)

  • Deprecate mdbook-alerts because the feature now included in mdbook and the repository has been archived. (#1844)

  • Deprecate iai-callgrind-runner because it has been renamed to gungraun-runner. gungraun-runner is also supported by this action. (#1844)

[2.78.3] - 2026-05-17

  • Update zizmor@latest to 1.25.2.

  • Update cargo-zigbuild@latest to 0.22.3. (#1814, thanks @​simonhollingshead)

  • Update wasm-tools@latest to 1.249.0.

  • Update gungraun-runner@latest to 0.19.0.

[2.78.2] - 2026-05-16

  • Update wasm-pack@latest to 0.15.0.

  • Update zizmor@latest to 1.25.0.

... (truncated)

Commits

Updates step-security/paths-filter from 3.0.5 to 4.0.1

Release notes

Sourced from step-security/paths-filter's releases.

v4.0.1

What's Changed

Full Changelog: step-security/paths-filter@v3...v4.0.1

Commits
  • 5c5241b Merge pull request #243 from step-security/feat/update-subscription-check
  • 4a740b4 claude comments addressed
  • c3c4a64 feat: added banner and update subscription check to make maintained actions f...
  • e7a5f27 Merge pull request #241 from step-security/auto-cherry-pick
  • 81a12d9 chore: Cherry-picked changes from upstream for conflicting changes
  • 8f54c5a feat: add merge_group event support
  • 6a7c5d6 Merge pull request #240 from step-security/auto-cherry-pick
  • c79c47b chore: Cherry-picked changes from upstream in package.json
  • 000dc59 feat: update action runtime to node24
  • 60b52a2 Merge pull request #236 from step-security/auto-cherry-pick
  • Additional commits viewable in compare view

Updates github/codeql-action from 4.35.1 to 4.35.5

Release notes

Sourced from github/codeql-action's releases.

v4.35.5

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

v4.35.4

  • Update default CodeQL bundle version to 2.25.4. #3881

v4.35.3

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

v4.35.2

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823
Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893

4.35.5 - 15 May 2026

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

  • Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

4.35.0 - 27 Mar 2026

4.34.1 - 20 Mar 2026

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

... (truncated)

Commits
  • 9e0d7b8 Merge pull request #3905 from github/update-v4.35.5-d4b485515
  • 6d7d599 Add changelog entry for #3899
  • 51f7e38 Update changelog for v4.35.5
  • d4b4855 Merge pull request #3899 from github/mbg/esbuild/split
  • 127de81 Merge remote-tracking branch 'origin/main' into mbg/esbuild/split
  • 7fde13f Use src + basename in header to avoid issues on Windows
  • dfa61e7 Improve pattern matching and error handling
  • 52aafec Import and call runWrapper normally in analyze tests
  • 0d08c01 Auto-generate shared bundle
  • 14085a6 Auto-generate entry points
  • Additional commits viewable in compare view

Updates actions/labeler from 6.0.1 to 6.1.0

Release notes

Sourced from actions/labeler's releases.

v6.1.0

Enhancements

  • Add changed-files-labels-limit and max-files-changed configuration options to cap the number of labels added by @​bluca in actions/labeler#923

Bug Fixes

Dependency Updates

New Contributors

Full Changelog: actions/labeler@v6...v6.1.0

Commits
  • f27b608 chore: upgrade dependencies (@​actions/core, @​actions/github, js-yaml, minimat...
  • c5dadc2 Add 'changed-files-labels-limit' and 'max-files-changed' configs to allow cap...
  • e52e4fb Bump minimatch from 10.0.1 to 10.2.3 (#926)
  • 77a4082 Fix: Preserve manually added labels during workflow run and refine label sync...
  • 25abb3c Improve Labeler Action Documentation and Error Handling for Permissions (#897)
  • 395c8cf Bump brace-expansion from 1.1.11 to 1.1.12 and document breaking changes in v...
  • See full diff in compare view

Updates actions/github-script from 8.0.0 to 9.0.0

Release notes

Sourced from actions/github-script's releases.

v9.0.0

New features:

  • getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
  • Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

  • require('@actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
  • getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
  • If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

New Contributors

Full Changelog: actions/github-script@v8.0.0...v9.0.0

Commits
  • 3a2844b Merge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...
  • ca10bbd fix: use @​octokit/core/types import for v7 compatibility
  • 86e48e2 ...

    Description has been truncated

@dependabot
ci(deps): bump the github-actions group across 1 directory with 12 up…
cc1fdac 
…dates

Bumps the github-actions group with 12 updates in the /.github/workflows directory:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.16.1` | `2.19.3` |
| [step-security/action-gh-release](https://github.com/step-security/action-gh-release) | `2.6.1` | `3.0.0` |
| [step-security/action-semantic-pull-request](https://github.com/step-security/action-semantic-pull-request) | `6.1.1` | `6.1.2` |
| [step-security/rust-cache](https://github.com/step-security/rust-cache) | `2.8.3` | `2.9.1` |
| [taiki-e/install-action](https://github.com/taiki-e/install-action) | `2.73.0` | `2.79.1` |
| [step-security/paths-filter](https://github.com/step-security/paths-filter) | `3.0.5` | `4.0.1` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.35.1` | `4.35.5` |
| [actions/labeler](https://github.com/actions/labeler) | `6.0.1` | `6.1.0` |
| [actions/github-script](https://github.com/actions/github-script) | `8.0.0` | `9.0.0` |
| [googleapis/release-please-action](https://github.com/googleapis/release-please-action) | `4.4.0` | `5.0.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.9.0` | `5.0.0` |



Updates `step-security/harden-runner` from 2.16.1 to 2.19.3
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@fe10465...ab7a940)

Updates `step-security/action-gh-release` from 2.6.1 to 3.0.0
- [Release notes](https://github.com/step-security/action-gh-release/releases)
- [Commits](step-security/action-gh-release@dc29ef0...277bfa8)

Updates `step-security/action-semantic-pull-request` from 6.1.1 to 6.1.2
- [Release notes](https://github.com/step-security/action-semantic-pull-request/releases)
- [Commits](step-security/action-semantic-pull-request@bc0cf74...75d2dd5)

Updates `step-security/rust-cache` from 2.8.3 to 2.9.1
- [Release notes](https://github.com/step-security/rust-cache/releases)
- [Commits](step-security/rust-cache@9be15b8...851174d)

Updates `taiki-e/install-action` from 2.73.0 to 2.79.1
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](taiki-e/install-action@7a562df...b550161)

Updates `step-security/paths-filter` from 3.0.5 to 4.0.1
- [Release notes](https://github.com/step-security/paths-filter/releases)
- [Commits](step-security/paths-filter@6eee183...5c5241b)

Updates `github/codeql-action` from 4.35.1 to 4.35.5
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@c10b806...9e0d7b8)

Updates `actions/labeler` from 6.0.1 to 6.1.0
- [Release notes](https://github.com/actions/labeler/releases)
- [Commits](actions/labeler@634933e...f27b608)

Updates `actions/github-script` from 8.0.0 to 9.0.0
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@ed59741...3a2844b)

Updates `googleapis/release-please-action` from 4.4.0 to 5.0.0
- [Release notes](https://github.com/googleapis/release-please-action/releases)
- [Changelog](https://github.com/googleapis/release-please-action/blob/main/CHANGELOG.md)
- [Commits](googleapis/release-please-action@16a9c90...45996ed)

Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

Updates `actions/dependency-review-action` from 4.9.0 to 5.0.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@2031cfc...a1d282b)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: step-security/action-gh-release
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: step-security/action-semantic-pull-request
  dependency-version: 6.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: step-security/rust-cache
  dependency-version: 2.9.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: taiki-e/install-action
  dependency-version: 2.79.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: step-security/paths-filter
  dependency-version: 4.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.35.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/labeler
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/github-script
  dependency-version: 9.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: googleapis/release-please-action
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/dependency-review-action
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added area/ci CI/CD area/deps Dependencies labels May 18, 2026
@github-actions github-actions Bot added the area/config Configuration label May 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area/ci CI/CD area/config Configuration area/deps Dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants