Skip to content

Bump the all-actions group across 1 directory with 5 updates#68

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/all-actions-b7b06892ec
Open

Bump the all-actions group across 1 directory with 5 updates#68
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/all-actions-b7b06892ec

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 13, 2026

Bumps the all-actions group with 5 updates in the / directory:

Package From To
actions/checkout 4 6
github/codeql-action 4.32.0 4.35.1
dorny/test-reporter 1 3
marocchino/sticky-pull-request-comment 2 3
actions/upload-artifact 4 7

Updates actions/checkout from 4 to 6

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

... (truncated)

Commits

Updates github/codeql-action from 4.32.0 to 4.35.1

Release notes

Sourced from github/codeql-action's releases.

v4.35.1

v4.35.0

v4.34.1

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

v4.34.0

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
  • Update default CodeQL bundle version to 2.25.0. #3585

v4.33.0

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

    To opt out of this change:

    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

v4.32.6

  • Update default CodeQL bundle version to 2.24.3. #3548

v4.32.5

  • Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
  • Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
  • The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
  • Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
  • Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
  • Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
  • The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

v4.32.4

  • Update default CodeQL bundle version to 2.24.2. #3493
  • Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
  • When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
  • Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
  • Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

v4.32.3

  • Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

... (truncated)

Commits
  • c10b806 Merge pull request #3782 from github/update-v4.35.1-d6d1743b8
  • c5ffd06 Update changelog for v4.35.1
  • d6d1743 Merge pull request #3781 from github/henrymercer/update-git-minimum-version
  • 65d2efa Add changelog note
  • 2437b20 Update minimum git version for overlay to 2.36.0
  • ea5f719 Merge pull request #3775 from github/dependabot/npm_and_yarn/node-forge-1.4.0
  • 45ceeea Merge pull request #3777 from github/mergeback/v4.35.0-to-main-b8bb9f28
  • 24448c9 Rebuild
  • 7c51060 Update changelog and version after v4.35.0
  • b8bb9f2 Merge pull request #3776 from github/update-v4.35.0-0078ad667
  • Additional commits viewable in compare view

Updates dorny/test-reporter from 1 to 3

Release notes

Sourced from dorny/test-reporter's releases.

v3.0.0

Note: The v3 release requires NodeJS 24 runtime on GitHub Actions runners.

What's Changed

Other Changes

New Contributors

Full Changelog: dorny/test-reporter@v2.7.0...v3.0.0

v2.7.0

What's Changed

Other Changes

New Contributors

Full Changelog: dorny/test-reporter@v2.6.0...v2.7.0

v2.6.0

We updated all dependency packages to latest versions to fix reported security vulnerabilities.

What's Changed

  • Fix: For workflow_run events, resolve the commit of the check run from related pull request head commits first (matching workflow_run.head_branch, then first PR), and fall back to workflow_run.head_sha for non-PR runs dorny/test-reporter#673
  • Change: The test-reporter action will listed all artifacts associated with the build run dorny/test-reporter#693
  • Maintenance: Upgrade to ESLint v9 dorny/test-reporter#629

New Contributors

Full Changelog: dorny/test-reporter@v2.5.0...v2.6.0

... (truncated)

Changelog

Sourced from dorny/test-reporter's changelog.

Changelog

3.0.0

2.7.0

2.6.0

  • Fix: For workflow_run events, resolve the commit of the check run from related pull request head commits first (matching workflow_run.head_branch, then first PR), and fall back to workflow_run.head_sha for non-PR runs dorny/test-reporter#673
  • Change: The test-reporter action will listed all artifacts associated with the build run dorny/test-reporter#693
  • Maintenance: Upgrade to ESLint v9 dorny/test-reporter#629

2.5.0

2.4.0

2.3.0

2.2.0

2.1.1

2.1.0

... (truncated)

Commits
  • a43b3a5 test-reporter release v3.0.0
  • 79216dc Merge pull request #744 from dorny/dependabot/npm_and_yarn/flatted-3.4.2
  • 62c3873 Merge pull request #745 from dorny/feature/workflow_permissions
  • bd74ca6 Explicitly use lowest permissions required to run workflow
  • 0c2b2aa Merge pull request #738 from dav-tb/feature/node24-runtime
  • f7eee30 Use the @types/node definitions for NodeJS 24 runtime
  • ad0a96f Upgrade action runtime to Node.js 24
  • 543415c Merge pull request #741 from dorny/release/v2.7.0
  • f1284d0 Bump flatted from 3.4.1 to 3.4.2
  • 3c1b53f Merge pull request #743 from dorny/dependabot/npm_and_yarn/types/adm-zip-0.5.8
  • Additional commits viewable in compare view

Updates marocchino/sticky-pull-request-comment from 2 to 3

Release notes

Sourced from marocchino/sticky-pull-request-comment's releases.

v3.0.0

What's Changed

  • Update node to 24
  • Update deps

New Contributors

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.4...v3.0.0

v2.9.4

What's Changed

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.3...v2.9.4

v2.9.3

What's Changed

  • Update deps (including security issues)
  • Test with vitest instead of jest
  • Use biome

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.2...v2.9.3

v2.9.2

What's Changed

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.1...v2.9.2

v2.9.1

What's Changed

... (truncated)

Commits
  • d4d6b09 📦️ Build
  • 3868baa build(deps-dev): Bump typescript from 5.9.3 to 6.0.2 (#1670)
  • 26f73b0 build(deps): Bump brace-expansion (#1678)
  • f6e304e build(deps-dev): Bump @​biomejs/biome from 2.4.7 to 2.4.10 (#1675)
  • a7709b6 build(deps-dev): Bump @​types/node from 25.5.0 to 25.5.2 (#1677)
  • 0746c6f build(deps-dev): Bump rollup from 4.59.0 to 4.60.1 (#1676)
  • 2a4b1c3 build(deps-dev): Bump vitest from 4.1.0 to 4.1.2 (#1674)
  • 1ab42d2 build(deps): Bump picomatch from 4.0.3 to 4.0.4 (#1673)
  • 5a61de7 build(deps-dev): Bump @​biomejs/biome from 2.4.6 to 2.4.7 (#1666)
  • 7cb1e16 Add number_force that overrides pull_request number (#1652)
  • Additional commits viewable in compare view

Updates actions/upload-artifact from 4 to 7

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

... (truncated)

Commits
  • 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
  • 634250c Include changes in typespec/ts-http-runtime 0.3.5
  • e454baa Readme: bump all the example versions to v7 (#796)
  • 74fad66 Update the readme with direct upload details (#795)
  • bbbca2d Support direct file uploads (#764)
  • 589182c Upgrade the module to ESM and bump dependencies (#762)
  • 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
  • 02a8460 Add proxy integration test
  • b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
  • e516bc8 docs: correct description of Node.js 24 support in README
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump the all-actions group across 1 directory with 5 updates
5e8c893 
Bumps the all-actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4` | `6` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.32.0` | `4.35.1` |
| [dorny/test-reporter](https://github.com/dorny/test-reporter) | `1` | `3` |
| [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment) | `2` | `3` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4` | `7` |



Updates `actions/checkout` from 4 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v4...v6)

Updates `github/codeql-action` from 4.32.0 to 4.35.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.32.0...v4.35.1)

Updates `dorny/test-reporter` from 1 to 3
- [Release notes](https://github.com/dorny/test-reporter/releases)
- [Changelog](https://github.com/dorny/test-reporter/blob/main/CHANGELOG.md)
- [Commits](dorny/test-reporter@v1...v3)

Updates `marocchino/sticky-pull-request-comment` from 2 to 3
- [Release notes](https://github.com/marocchino/sticky-pull-request-comment/releases)
- [Commits](marocchino/sticky-pull-request-comment@v2...v3)

Updates `actions/upload-artifact` from 4 to 7
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-actions
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
- dependency-name: dorny/test-reporter
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-actions
- dependency-name: marocchino/sticky-pull-request-comment
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-actions
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 13, 2026
@dependabot dependabot bot requested a review from felickz as a code owner April 13, 2026 07:55
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 13, 2026
@dependabot dependabot bot deployed to bad test April 13, 2026 07:55 Active
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 13, 2026
edited
Loading

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 5e8c893.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/scorecard.yml

PackageVersionLicenseIssue Type
github/codeql-action/upload-sarifee09113642cdd89dfd282ecd8d96340380bbee26NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/upload-artifact 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a 🟢 5.7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 54 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 5
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST🟢 10SAST tool is run on all commits
actions/github/codeql-action/upload-sarif ee09113642cdd89dfd282ecd8d96340380bbee26 UnknownUnknown

Scanned Files

  • .github/workflows/scorecard.yml

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 13, 2026

Code Coverage

Package Line Rate Branch Rate Complexity Health
PowerShell Action 25% 0% 0
Summary 25% (76 / 300) 100% (0 / 0) 0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@felickz felickz Awaiting requested review from felickz felickz is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants