Skip to content

Bump the github-actions group across 1 directory with 10 updates#3944

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/github-actions-12a10de6c4
Open

Bump the github-actions group across 1 directory with 10 updates#3944
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/github-actions-12a10de6c4

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Dec 2, 2025
edited
Loading

Bumps the github-actions group with 10 updates in the / directory:

Package From To
step-security/harden-runner 2.5.1 2.19.4
actions/checkout 2.7.0 6.0.3
arduino/setup-protoc 1.3.0 3.0.0
github/codeql-action 2.21.3 4.36.1
actions/dependency-review-action 3.0.7 5.0.0
actions/setup-java 3.12.0 5.2.0
google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml 8bd1ce1c4be9d98053ffd9e6e14585276a36762c fa4ff678dd5d0a4fa3d628e57af8162873e93cd6
google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml 8bd1ce1c4be9d98053ffd9e6e14585276a36762c fa4ff678dd5d0a4fa3d628e57af8162873e93cd6
ossf/scorecard-action 2.3.3 2.4.3
actions/upload-artifact 4.3.3 7.0.1

Updates step-security/harden-runner from 2.5.1 to 2.19.4

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.4

What's Changed

  • Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

What's Changed

  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

... (truncated)

Commits
  • 9af89fc Merge pull request #667 from step-security/update-agent-v1.8.6
  • 485dce8 Update agent to v1.8.6
  • ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit
  • ec41b78 Default to audit mode when api-key missing with use-policy-store
  • 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
  • 1dee3df Update agent to v1.8.5
  • a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
  • 6e92856 build dist and trim ubuntu-slim message
  • 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
  • 8d3c67d Release v2.19.0 (#661)
  • Additional commits viewable in compare view

Updates actions/checkout from 2.7.0 to 6.0.3

Release notes

Sourced from actions/checkout's releases.

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

... (truncated)

Commits
  • df4cb1c Update changelog for v6.0.3 (#2446)
  • 1cce339 Fix checkout init for SHA-256 repositories (#2439)
  • 900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
  • 0c366fd Update changelog (#2357)
  • de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
  • 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
  • 8e8c483 Clarify v6 README (#2328)
  • 033fa0d Add worktree support for persist-credentials includeIf (#2327)
  • c2d88d3 Update all references from v5 and v4 to v6 (#2314)
  • 1af3b93 update readme/changelog for v6 (#2311)
  • Additional commits viewable in compare view

Updates arduino/setup-protoc from 1.3.0 to 3.0.0

Release notes

Sourced from arduino/setup-protoc's releases.

v3.0.0

What's Changed

New Contributors

Full Changelog: arduino/setup-protoc@v2.1.0...v3.0.0

v2.1.0

What's Changed

New Contributors

Full Changelog: arduino/setup-protoc@v2.0.0...v2.1.0

v2.0.0

Changelog

Adding support for the MINOR.PATCH tag naming

Breaking

Full Changelog: arduino/setup-protoc@v1.3.0...v2.0.0

Contributors

Commits

Updates github/codeql-action from 2.21.3 to 4.36.1

Release notes

Sourced from github/codeql-action's releases.

v4.36.1

No user facing changes.

v4.36.0

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893
  • Update default CodeQL bundle version to 2.25.5. #3926

v4.35.5

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

v4.35.4

  • Update default CodeQL bundle version to 2.25.4. #3881

v4.35.3

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

v4.35.2

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823

v4.35.1

v4.35.0

v4.34.1

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

v4.34.0

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
  • Update default CodeQL bundle version to 2.25.0. #3585

v4.33.0

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

    To opt out of this change:

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.36.1 - 02 Jun 2026

No user facing changes.

4.36.0 - 22 May 2026

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893
  • Update default CodeQL bundle version to 2.25.5. #3926

4.35.5 - 15 May 2026

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

  • Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

4.35.0 - 27 Mar 2026

... (truncated)

Commits
  • 87557b9 Merge pull request #3940 from github/update-v4.36.1-2a1689ed4
  • 9431011 Update changelog for v4.36.1
  • 2a1689e Merge pull request #3939 from github/henrymercer/skip-overlay-revert-when-exp...
  • 5245323 Disable missing diff-ranges fallback when overlay enabled manually
  • d1eb120 Merge pull request #3933 from github/update-supported-enterprise-server-versions
  • 115001b Merge pull request #3934 from github/dependabot/npm_and_yarn/npm-minor-86fb5c...
  • cef2e7a Merge pull request #3925 from github/dependabot/github_actions/dot-github/wor...
  • 5e6adf7 Merge pull request #3936 from github/dependabot/npm_and_yarn/tmp-0.2.7
  • ad170e6 Merge branch 'main' into dependabot/github_actions/dot-github/workflows/actio...
  • 6a37b3a Rebuild
  • Additional commits viewable in compare view

Updates actions/dependency-review-action from 3.0.7 to 5.0.0

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

  • There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
  • Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
  • There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

... (truncated)

Commits
  • a1d282b Merge pull request #1098 from actions/ahpook/v5-release
  • eb6c199 update examples to show @​v5
  • 3943c2c v5.0.0 release branch
  • 454943c Merge pull request #1094 from actions/ashelytc/security-findings
  • 6d92a12 revert @​typescript-eslint/parser update
  • a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
  • b6b7079 update @​typescript-eslint/parser to 8.40.0
  • 821a21d update more dependencies
  • 05aaaae run npm audit fix
  • 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
  • Additional commits viewable in compare view

Updates actions/setup-java from 3.12.0 to 5.2.0

Release notes

Sourced from actions/setup-java's releases.

v5.2.0

What's Changed

Enhancement

Documentation Changes

Dependency Updates

New Contributors

Full Changelog: actions/setup-java@v5...v5.2.0

v5.1.0

What's Changed

New Features

Bug Fixes & Improvements

Documentation changes

Dependency updates

New Contributors

Full Changelog: actions/setup-java@v5...v5.1.0

... (truncated)

Commits
  • be666c2 Chore: Version Update and Checkout Update to v6 (#973)
  • f7a6fef Bump actions/checkout from 5 to 6 (#961)
  • d81c4e4 Upgrade @​actions/cache to v5 (#968)
  • 1b1bbe1 readme update (#972)
  • 5d7b214 Retry on HTTP 522 Connection timed out (#964)
  • f2beeb2 Bump actions/publish-action from 0.3.0 to 0.4.0 (#912)
  • 4e7e684 feat: Add support for .sdkmanrc file in java-version-file parameter (#736)
  • 46c56d6 Add GitHub Token Support for GraalVM and Refactor Code (#849)
  • 66b9457 Update SapMachine URLs (#955)
  • 6ba5449 Enhance error logging for network failures to include endpoint/IP details, ad...
  • Additional commits viewable in compare view

Updates google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml from 8bd1ce1c4be9d98053ffd9e6e14585276a36762c to fa4ff678dd5d0a4fa3d628e57af8162873e93cd6

Commits
  • fa4ff67 Merge pull request #131 from BeyondEvil/feat/add-runs-on-input
  • e3f946a feat: add runs-on input to reusable workflows
  • b8ac13f Merge pull request #127 from SVilgelm/patch-1
  • 05957d4 Merge pull request #130 from google/gate-outputs-with-flag-20260519
  • 3a7550f feat: gate reusable workflow outputs with a flag
  • f6fb127 Pin download-artifact action to SHA
  • 9a49870 Update unified workflow example to ...

    Description has been truncated

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Dec 2, 2025
@dependabot dependabot Bot requested a review from a team as a code owner December 2, 2025 02:02
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Dec 2, 2025
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-12a10de6c4 branch from 8286473 to 688296f Compare January 1, 2026 22:03
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-12a10de6c4 branch from 688296f to 9553dbc Compare February 1, 2026 22:54
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-12a10de6c4 branch from 9553dbc to c64b1c6 Compare March 1, 2026 22:53
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-12a10de6c4 branch from c64b1c6 to 97b9157 Compare April 2, 2026 03:17
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-12a10de6c4 branch from 97b9157 to b469139 Compare May 2, 2026 02:17
@dependabot
Bump the github-actions group across 1 directory with 10 updates
d333715 
Bumps the github-actions group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.5.1` | `2.19.4` |
| [actions/checkout](https://github.com/actions/checkout) | `2.7.0` | `6.0.3` |
| [arduino/setup-protoc](https://github.com/arduino/setup-protoc) | `1.3.0` | `3.0.0` |
| [github/codeql-action](https://github.com/github/codeql-action) | `2.21.3` | `4.36.1` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `3.0.7` | `5.0.0` |
| [actions/setup-java](https://github.com/actions/setup-java) | `3.12.0` | `5.2.0` |
| [google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml](https://github.com/google/osv-scanner-action) | `8bd1ce1c4be9d98053ffd9e6e14585276a36762c` | `fa4ff678dd5d0a4fa3d628e57af8162873e93cd6` |
| [google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml](https://github.com/google/osv-scanner-action) | `8bd1ce1c4be9d98053ffd9e6e14585276a36762c` | `fa4ff678dd5d0a4fa3d628e57af8162873e93cd6` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.3.3` | `2.4.3` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.3.3` | `7.0.1` |



Updates `step-security/harden-runner` from 2.5.1 to 2.19.4
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@8ca2b8b...9af89fc)

Updates `actions/checkout` from 2.7.0 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2.7.0...df4cb1c)

Updates `arduino/setup-protoc` from 1.3.0 to 3.0.0
- [Release notes](https://github.com/arduino/setup-protoc/releases)
- [Commits](arduino/setup-protoc@149f6c8...c65c819)

Updates `github/codeql-action` from 2.21.3 to 4.36.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v2.21.3...87557b9)

Updates `actions/dependency-review-action` from 3.0.7 to 5.0.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@7d90b4f...a1d282b)

Updates `actions/setup-java` from 3.12.0 to 5.2.0
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](actions/setup-java@cd89f46...be666c2)

Updates `google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml` from 8bd1ce1c4be9d98053ffd9e6e14585276a36762c to fa4ff678dd5d0a4fa3d628e57af8162873e93cd6
- [Release notes](https://github.com/google/osv-scanner-action/releases)
- [Commits](google/osv-scanner-action@8bd1ce1...fa4ff67)

Updates `google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml` from 8bd1ce1c4be9d98053ffd9e6e14585276a36762c to fa4ff678dd5d0a4fa3d628e57af8162873e93cd6
- [Release notes](https://github.com/google/osv-scanner-action/releases)
- [Commits](google/osv-scanner-action@8bd1ce1...fa4ff67)

Updates `ossf/scorecard-action` from 2.3.3 to 2.4.3
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@dc50aa9...4eaacf0)

Updates `actions/upload-artifact` from 4.3.3 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@6546280...043fb46)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/dependency-review-action
  dependency-version: 4.8.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-java
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: arduino/setup-protoc
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.31.6
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml
  dependency-version: '08b0aaeb6b6c6659ff98c5463e60e4b70008bfff'
  dependency-type: direct:production
  dependency-group: github-actions
- dependency-name: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml
  dependency-version: '08b0aaeb6b6c6659ff98c5463e60e4b70008bfff'
  dependency-type: direct:production
  dependency-group: github-actions
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: step-security/harden-runner
  dependency-version: 2.13.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-12a10de6c4 branch from b469139 to d333715 Compare June 3, 2026 14:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@dixoncharles113-ai dixoncharles113-ai dixoncharles113-ai approved these changes

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dixoncharles113-ai