Skip to content

chore: bump the github-actions group across 1 directory with 5 updates#65

Closed
dependabot[bot] wants to merge 1 commit into
developmentfrom
dependabot/github_actions/github-actions-a61246670a
Closed

chore: bump the github-actions group across 1 directory with 5 updates#65
dependabot[bot] wants to merge 1 commit into
developmentfrom
dependabot/github_actions/github-actions-a61246670a

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 12, 2026

Copy link
Copy Markdown
Contributor

Bumps the github-actions group with 5 updates in the / directory:

Package From To
step-security/harden-runner 2.17.0 2.19.1
gradle/actions 5.0.1 6.1.0
actions/dependency-review-action 4.9.0 5.0.0
epam/ai-dial-ci 3.2.0 4.0.1
oss-review-toolkit/ort-ci-github-action 1.0.1 1.2.0

Updates step-security/harden-runner from 2.17.0 to 2.19.1

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.1

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

Commits
  • a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
  • 6e92856 build dist and trim ubuntu-slim message
  • 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
  • 8d3c67d Release v2.19.0 (#661)
  • 6c3c2f2 Feature/deploy on self hosted vm (#658)
  • 376d25a fix: detect ubuntu-slim runners early and bail out
  • See full diff in compare view

Updates gradle/actions from 5.0.1 to 6.1.0

Release notes

Sourced from gradle/actions's releases.

v6.1.0

New: Basic Cache Provider

A new MIT-licensed Basic Caching provider is now available as an alternative to the proprietary Enhanced Caching provided by gradle-actions-caching. Choose Basic Caching by setting cache-provider: basic on setup-gradle or dependency-submission actions.

  • Built on @actions/cache -- fully open source
  • Caches ~/.gradle/caches and ~/.gradle/wrapper directories
  • Cache key derived from build files (*.gradle*, gradle-wrapper.properties, etc.)
  • Clean cache on build file changes (no restore keys, preventing stale entry accumulation)

Limitations vs Enhanced Caching: No cache cleanup, no deduplication of cached content, cached content is fixed unless build files change.

Revamped Licensing & Distribution Documentation

  • New DISTRIBUTION.md documents the licensing of each component (particularly Basic Caching vs Enhanced Caching)
  • Simplified licensing notices in README, docs, and runtime log output
  • Clear usage tiers: Enhanced Caching is free for public repos and in Free Preview for private repos

What's Changed

Full Changelog: gradle/actions@v6.0.1...v6.1.0

v6.0.1

[!IMPORTANT] The release of gradle/actions@v6 contains important changes to the license terms. More details in this blog post. TL;DR: By upgrading to v6, you accept the Terms of Use for the gradle-actions-caching component.

Summary

The license changes in v6 introduced a gradle-actions-caching license notice that is printed in logs and in each job summary.

With this release, the license notice will be muted if build-scan terms have been accepted, or if a Develocity access key is provided.

What's Changed

Full Changelog: gradle/actions@v6.0.0...v6.0.1

v6.0.0

[!IMPORTANT]

... (truncated)

Commits
  • 50e97c2 Link to docs for caching providers
  • f2e6298 Restructure caching documentation for basic and enhanced providers (#934)
  • b294b1e Really fix integ-test-full
  • 83d3189 Revise license details for gradle-actions-caching
  • 1d5db06 Update license link for gradle-actions-caching component
  • 1c80961 Fix license link for Enhanced Caching component
  • 9e99920 Fix integ-test-full workflow
  • bb8aaaf Fix workflow permissions
  • f5dfb43 [bot] Update dist directory
  • ff9ae24 Add open-source 'basic' cache provider and revamp licensing documentation (#930)
  • Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.9.0 to 5.0.0

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Commits
  • a1d282b Merge pull request #1098 from actions/ahpook/v5-release
  • eb6c199 update examples to show @​v5
  • 3943c2c v5.0.0 release branch
  • 454943c Merge pull request #1094 from actions/ashelytc/security-findings
  • 6d92a12 revert @​typescript-eslint/parser update
  • a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
  • b6b7079 update @​typescript-eslint/parser to 8.40.0
  • 821a21d update more dependencies
  • 05aaaae run npm audit fix
  • 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
  • Additional commits viewable in compare view

Updates epam/ai-dial-ci from 3.2.0 to 4.0.1

Release notes

Sourced from epam/ai-dial-ci's releases.

4.0.1

What's Changed

Full Changelog: epam/ai-dial-ci@4.0.0...4.0.1

4.0.0

What's Changed

[!caution] There's a breaking change in branching strategy that require manual actions. See more in related PR description

Full Changelog: epam/ai-dial-ci@3.2.0...4.0.0

Commits
  • dcf3f8c hotfix: pin ORT scanner version (#482)
  • 5596130 feat: pass commit SHA to review environment trigger (#479)
  • 2e6b70d fix: dispatch whitelist check in deploy-review slash command (#468)
  • def98b4 chore(docs): add section on skipping Release Candidates in README
  • ff72673 chore(docs): clarify Makefile targets for Python packages in README
  • e743ff2 chore(docs): update python repo requirements
  • d9f4842 fix: add logic to perform Java style checks only once per run (#467)
  • 1242c28 chore: set empty permissions to Validate PR title example in README
  • 26b2fca chore: bump dependabot/fetch-metadata from 2.4.0 to 3.0.0
  • fcf17a2 feat!: add release candidates to branching strategy (#461)
  • Additional commits viewable in compare view

Updates oss-review-toolkit/ort-ci-github-action from 1.0.1 to 1.2.0

Commits
  • 086d928 deps: update actions/cache action to v5.0.5
  • 31f3860 deps: update actions/upload-artifact action to v7.0.1
  • 35e1afd ci: Add a workflow to validate the Renovate config
  • 08b7556 ci(renovate): Use the config preset from the .github repo
  • 15444ef deps: update actions/cache action to v5
  • 06ee8d5 deps: update actions/upload-artifact action to v7
  • 9450696 deps: update actions/cache action to v4.3.0
  • b3f00a5 Add Renovate configuration for automated dependency updates
  • 62e59b4 rearrange input by lex order
  • 2f757c4 make ort jdk java options configurable
  • Additional commits viewable in compare view

@dependabot
dependabot Bot requested a review from MykhailoRyzhman as a code owner May 12, 2026 14:31
@dependabot dependabot Bot added dependencies Dependencies update github_actions Pull requests that update GitHub Actions code labels May 12, 2026
@statgpt-actions

This comment has been minimized.

Bumps the github-actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.17.0` | `2.19.1` |
| [gradle/actions](https://github.com/gradle/actions) | `5.0.1` | `6.1.0` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.9.0` | `5.0.0` |
| [epam/ai-dial-ci](https://github.com/epam/ai-dial-ci) | `3.2.0` | `4.0.1` |
| [oss-review-toolkit/ort-ci-github-action](https://github.com/oss-review-toolkit/ort-ci-github-action) | `1.0.1` | `1.2.0` |



Updates `step-security/harden-runner` from 2.17.0 to 2.19.1
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f808768...a5ad31d)

Updates `gradle/actions` from 5.0.1 to 6.1.0
- [Release notes](https://github.com/gradle/actions/releases)
- [Commits](gradle/actions@f29f5a9...50e97c2)

Updates `actions/dependency-review-action` from 4.9.0 to 5.0.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@2031cfc...a1d282b)

Updates `epam/ai-dial-ci` from 3.2.0 to 4.0.1
- [Release notes](https://github.com/epam/ai-dial-ci/releases)
- [Commits](epam/ai-dial-ci@3.2.0...4.0.1)

Updates `oss-review-toolkit/ort-ci-github-action` from 1.0.1 to 1.2.0
- [Commits](oss-review-toolkit/ort-ci-github-action@9acdf1e...086d928)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: epam/ai-dial-ci
  dependency-version: 4.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: gradle/actions
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: oss-review-toolkit/ort-ci-github-action
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/github_actions/github-actions-a61246670a branch from 7643fc4 to 848471d Compare May 12, 2026 16:39
@statgpt-actions

Copy link
Copy Markdown
Collaborator

⚠️ Dependency review workflow failed - results may be outdated. Check logs

@dependabot @github

dependabot Bot commented on behalf of github May 20, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this May 20, 2026
@dependabot
dependabot Bot deleted the dependabot/github_actions/github-actions-a61246670a branch May 20, 2026 14:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Dependencies update github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant