
Bump the actions group across 1 directory with 5 updates#3337

Merged

matthewhelmke merged 1 commit into main from dependabot/github_actions/actions-62f048d53e on May 19, 2026

Conversation

dependabot[bot] (Contributor) commented on behalf of github on May 19, 2026

Bumps the actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| step-security/harden-runner | 2.19.0 | 2.19.3 |
| chainguard-dev/actions | 1.6.16 | 1.6.19 |
| sigstore/cosign-installer | 4.1.1 | 4.1.2 |
| hashicorp/setup-terraform | 4.0.0 | 4.0.1 |
| zizmorcore/zizmor-action | 0.5.3 | 0.5.6 |

Updates step-security/harden-runner from 2.19.0 to 2.19.3

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.3

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

What's Changed

  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of the post harden-runner step failing on `chown: invalid user: 'undefined'`.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers: If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies (see the Runner Label Policy docs). This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

Commits
  • ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit
  • ec41b78 Default to audit mode when api-key missing with use-policy-store
  • 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
  • 1dee3df Update agent to v1.8.5
  • a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
  • 6e92856 build dist and trim ubuntu-slim message
  • 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
  • 376d25a fix: detect ubuntu-slim runners early and bail out
  • See full diff in compare view

Updates chainguard-dev/actions from 1.6.16 to 1.6.19

Release notes

Sourced from chainguard-dev/actions's releases.

v1.6.19

What's Changed

Full Changelog: chainguard-dev/actions@v1.6.18...v1.6.19

v1.6.18

What's Changed

Full Changelog: chainguard-dev/actions@v1.6.17...v1.6.18

v1.6.17

What's Changed

New Contributors

Full Changelog: chainguard-dev/actions@v1.6.16...v1.6.17

Commits
  • c69a264 otel-export: regenerate dist files (#879)
  • 22e1462 build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.18 in /gofmt (#888)
  • f857142 build(deps): bump step-security/harden-runner from 2.19.0 to 2.19.1 (#887)
  • a0c649b build(deps): bump chainguard-dev/actions in /goimports (#889)
  • 99fe914 build(deps): bump chainguard-dev/actions in /melange-build (#890)
  • d686fcc build(deps): bump chainguard-dev/actions from 1.6.17 to 1.6.18 (#886)
  • aa569d9 build(deps): bump chainguard-dev/actions in /wolfi-build-pkg (#891)
  • b57e4fe build(deps): bump chainguard-dev/actions in /inky-build-pkg (#892)
  • 4a81273 build(deps): bump goreleaser/goreleaser-action from 7.1.0 to 7.2.1 (#870)
  • 00249eb build(deps): bump chainguard-dev/actions from 1.6.15 to 1.6.17 (#880)
  • Additional commits viewable in compare view

Updates sigstore/cosign-installer from 4.1.1 to 4.1.2

Release notes

Sourced from sigstore/cosign-installer's releases.

v4.1.2

What's Changed

Commits

Updates hashicorp/setup-terraform from 4.0.0 to 4.0.1

Release notes

Sourced from hashicorp/setup-terraform's releases.

v4.0.1

BUG FIXES:

  • Fix Node 24 DEP0169 url.parse() deprecation warning by updating @hashicorp/js-releases to v1.7.7 (#549)
Changelog

Sourced from hashicorp/setup-terraform's changelog.

4.0.1 (2026-05-12)

BUG FIXES:

  • Fix Node 24 DEP0169 url.parse() deprecation warning by updating @hashicorp/js-releases to v1.7.7 (#549)

4.0.0 (2026-02-24)

BREAKING CHANGES:

  • Upgrade to Node.js 24 - setup-terraform now requires Node.js 24 (#503)

3.1.2 (2024-08-19)

NOTES:

  • This release introduces no functional changes. It does however include dependency updates which address upstream CVEs. (#430)

3.1.1 (2024-05-07)

BUG FIXES:

  • wrapper: Fix wrapper to output to stdout and stderr immediately when data is received (#395)

3.1.0 (2024-04-23)

ENHANCEMENTS:

  • Automatically fallback to darwin/amd64 for Terraform versions before 1.0.2 as releases for darwin/arm64 are not available (#409)

3.0.0 (2023-10-30)

NOTES:

  • Updated default runtime to node20 (#346)
  • The wrapper around the installed Terraform binary has been fixed to return the exact STDOUT and STDERR from Terraform when executing commands. Previous versions of setup-terraform may have required workarounds to process the STDOUT in bash, such as filtering out the first line or selectively parsing STDOUT with jq. These workarounds may need to be adjusted with v3.0.0, which will now return just the STDOUT/STDERR from Terraform with no errant characters/statements. (#367)

BUG FIXES:

  • Fixed malformed stdout when wrapper is enabled (#367)

[2.0.3] (2022-11-01)

NOTES

  • Reduced occurrences of GitHub Actions warnings for setting output #247

[2.0.2] (2022-10-12)

BUG FIXES

... (truncated)

Commits
  • dfe3c3f Update package version
  • 61e02cf Update changelog
  • 36079f9 fix: update @hashicorp/js-releases to v1.7.7 to resolve Node 24 DEP0169 warni...
  • af2ccf2 update axios brace expansion flatted picomatch (#551)
  • 5b1ab0e Bump follow-redirects from 1.15.11 to 1.16.0 (#542)
  • ca190bf Bump miniscruff/changie-action in the github-actions group (#541)
  • 30128a2 chore: update CI node version from 20 to 24 (#544)
  • b0cc02d Bump undici from 6.23.0 to 6.24.1 (#539)
  • 3d7cd03 Update README.md with latest versions (#536)
  • fa68287 Bump actions/setup-node from 6.2.0 to 6.3.0 in the github-actions group (#537)
  • Additional commits viewable in compare view

Updates zizmorcore/zizmor-action from 0.5.3 to 0.5.6

Release notes

Sourced from zizmorcore/zizmor-action's releases.

v0.5.6

  • 1.25.2 is now available via the action
  • 1.25.2 is now the default version of zizmor used by the action

v0.5.5

This is a no-op release.

v0.5.4

  • 1.25.0 is now available via the action
  • 1.25.0 is now the default version of zizmor used by the action
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.19.0` | `2.19.3` |
| [chainguard-dev/actions](https://github.com/chainguard-dev/actions) | `1.6.16` | `1.6.19` |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `4.1.1` | `4.1.2` |
| [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) | `4.0.0` | `4.0.1` |
| [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) | `0.5.3` | `0.5.6` |



Updates `step-security/harden-runner` from 2.19.0 to 2.19.3
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@8d3c67d...ab7a940)

Updates `chainguard-dev/actions` from 1.6.16 to 1.6.19
- [Release notes](https://github.com/chainguard-dev/actions/releases)
- [Commits](chainguard-dev/actions@0cba302...c69a264)

Updates `sigstore/cosign-installer` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@cad07c2...6f9f177)

Updates `hashicorp/setup-terraform` from 4.0.0 to 4.0.1
- [Release notes](https://github.com/hashicorp/setup-terraform/releases)
- [Changelog](https://github.com/hashicorp/setup-terraform/blob/main/CHANGELOG.md)
- [Commits](hashicorp/setup-terraform@5e8dbf3...dfe3c3f)

Updates `zizmorcore/zizmor-action` from 0.5.3 to 0.5.6
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](zizmorcore/zizmor-action@b1d7e1f...5f14fd0)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: chainguard-dev/actions
  dependency-version: 1.6.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: hashicorp/setup-terraform
  dependency-version: 4.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies, github-actions and security labels on May 19, 2026
dependabot[bot] requested a review from a team as a code owner on May 19, 2026 08:11
netlify[bot] commented on May 19, 2026

Deploy Preview for ornate-narwhal-088216 ready!

| Name | Link |
| --- | --- |
| 🔨 Latest commit | 9690b3f |
| 🔍 Latest deploy log | https://app.netlify.com/projects/ornate-narwhal-088216/deploys/6a0c1b37f7fa650008612145 |
| 😎 Deploy Preview | https://deploy-preview-3337--ornate-narwhal-088216.netlify.app |

matthewhelmke merged commit 00a5e08 into main on May 19, 2026 (13 checks passed)
matthewhelmke deleted the dependabot/github_actions/actions-62f048d53e branch on May 19, 2026 12:11