
chore: bump the github-actions group across 1 directory with 6 updates#72

Open
dependabot[bot] wants to merge 1 commit into development from dependabot/github_actions/github-actions-ca36e7c7ae

Conversation


@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps the github-actions group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| dataaxiom/ghcr-cleanup-action | 1.0.16 | 1.1.0 |
| step-security/harden-runner | 2.17.0 | 2.19.3 |
| gradle/actions | 5.0.1 | 6.1.0 |
| actions/dependency-review-action | 4.9.0 | 5.0.0 |
| epam/ai-dial-ci | 3.2.0 | 4.2.0 |
| oss-review-toolkit/ort-ci-github-action | 1.0.1 | 1.2.0 |

Updates dataaxiom/ghcr-cleanup-action from 1.0.16 to 1.1.0

Release notes

Sourced from dataaxiom/ghcr-cleanup-action's releases.

v1.1.0

  • fix: preserve OCI 1.1 subject-bearing referrers (cosign sigstore-bundles, attestations) during cleanup — were silently deleted as untagged #71
  • fix: keep-n-tagged now gates untag operations; a matched tag is not stripped from an image that keep-n-tagged would protect (#99, #101)
  • fix: shared multi-arch platform digests no longer cascade-deleted when one of multiple parent indexes is removed (#91)
  • fix: delete-partial-images excludes fully ghost images #112
  • fix: Octokit error output visible at all log levels (was suppressed when log-level was error or warn)
  • fix: expand-packages rejects fine-grained PATs upfront with a clear message
  • fix: setFailed message no longer overwritten by an empty Error in early-failure paths
  • feat: ReDoS guard on user-supplied regex (delete-tags, exclude-tags, package) when use-regex: true
  • feat: code refactor/split, removal of anys where possible using typed classes
  • chore(deps): Node.js 24
  • docs: README rewrite + Limitations section (5,000-download undeletable policy, nested-manifest non-support)
Commits
  • 34a2b6c Merge pull request #115 from rohanmars/pr/post-114-polish
  • 7caf315 orchestrator: throw on run() before reload(), don't silently no-op
  • 470a04a utils: rename ManifestLayer → ManifestDescriptor
  • a7a3201 image-deleter: explain why performUntagging reloads per tag
  • c1c13a6 chore: add husky pre-commit hook for prettier + bundle
  • bcdcd73 security: validate user-supplied regex patterns to prevent ReDoS
  • 8ff0d89 fix: code-review feedback — consistent cache-invariant throw, stray string id
  • cfd5a6a refactor: replace cache-invariant continue skips with explicit throws
  • 608e836 refactor: introduce GhPackage interface, fix id string→number
  • 9efeca2 refactor: introduce Manifest interfaces, drop any types in registry
  • Additional commits viewable in compare view

Updates step-security/harden-runner from 2.17.0 to 2.19.3

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.3

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

What's Changed

  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers

If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies; see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

... (truncated)

Commits
  • ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit
  • ec41b78 Default to audit mode when api-key missing with use-policy-store
  • 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
  • 1dee3df Update agent to v1.8.5
  • a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
  • 6e92856 build dist and trim ubuntu-slim message
  • 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
  • 8d3c67d Release v2.19.0 (#661)
  • 6c3c2f2 Feature/deploy on self hosted vm (#658)
  • 376d25a fix: detect ubuntu-slim runners early and bail out
  • See full diff in compare view

Updates gradle/actions from 5.0.1 to 6.1.0

Release notes

Sourced from gradle/actions's releases.

v6.1.0

New: Basic Cache Provider

A new MIT-licensed Basic Caching provider is now available as an alternative to the proprietary Enhanced Caching provided by gradle-actions-caching. Choose Basic Caching by setting cache-provider: basic on setup-gradle or dependency-submission actions.

  • Built on @actions/cache -- fully open source
  • Caches ~/.gradle/caches and ~/.gradle/wrapper directories
  • Cache key derived from build files (*.gradle*, gradle-wrapper.properties, etc.)
  • Clean cache on build file changes (no restore keys, preventing stale entry accumulation)

Limitations vs Enhanced Caching: No cache cleanup, no deduplication of cached content, cached content is fixed unless build files change.

Revamped Licensing & Distribution Documentation

  • New DISTRIBUTION.md documents the licensing of each component (particularly Basic Caching vs Enhanced Caching)
  • Simplified licensing notices in README, docs, and runtime log output
  • Clear usage tiers: Enhanced Caching is free for public repos and in Free Preview for private repos

What's Changed

Full Changelog: gradle/actions@v6.0.1...v6.1.0

v6.0.1

[!IMPORTANT] The release of gradle/actions@v6 contains important changes to the license terms. More details in this blog post. TL;DR: By upgrading to v6, you accept the Terms of Use for the gradle-actions-caching component.

Summary

The license changes in v6 introduced a gradle-actions-caching license notice that is printed in logs and in each job summary.

With this release, the license notice will be muted if build-scan terms have been accepted, or if a Develocity access key is provided.

What's Changed

Full Changelog: gradle/actions@v6.0.0...v6.0.1

v6.0.0

[!IMPORTANT]

... (truncated)

Commits
  • 50e97c2 Link to docs for caching providers
  • f2e6298 Restructure caching documentation for basic and enhanced providers (#934)
  • b294b1e Really fix integ-test-full
  • 83d3189 Revise license details for gradle-actions-caching
  • 1d5db06 Update license link for gradle-actions-caching component
  • 1c80961 Fix license link for Enhanced Caching component
  • 9e99920 Fix integ-test-full workflow
  • bb8aaaf Fix workflow permissions
  • f5dfb43 [bot] Update dist directory
  • ff9ae24 Add open-source 'basic' cache provider and revamp licensing documentation (#930)
  • Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.9.0 to 5.0.0

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Commits
  • a1d282b Merge pull request #1098 from actions/ahpook/v5-release
  • eb6c199 update examples to show @v5
  • 3943c2c v5.0.0 release branch
  • 454943c Merge pull request #1094 from actions/ashelytc/security-findings
  • 6d92a12 revert @typescript-eslint/parser update
  • a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
  • b6b7079 update @typescript-eslint/parser to 8.40.0
  • 821a21d update more dependencies
  • 05aaaae run npm audit fix
  • 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
  • Additional commits viewable in compare view

Updates epam/ai-dial-ci from 3.2.0 to 4.2.0

Release notes

Sourced from epam/ai-dial-ci's releases.

4.2.0

What's Changed

Full Changelog: epam/ai-dial-ci@4.1.0...4.2.0

4.1.0

What's Changed

New Contributors

Full Changelog: epam/ai-dial-ci@4.0.1...4.1.0

4.0.1

What's Changed

Full Changelog: epam/ai-dial-ci@4.0.0...4.0.1

4.0.0

What's Changed

[!caution] There's a breaking change in branching strategy that requires manual actions. See more in the related PR description.

Full Changelog: epam/ai-dial-ci@3.2.0...4.0.0

Commits
  • 38aeecc feat: add ability to create stable GitHub releases as drafts (#491)
  • d273ed8 feat: improved changelog generation (#488)
  • f79ec27 chore: increase timeout-minutes for deploy job of deploy-review command (#487)
  • 5dfd62a fix: use related environment for monitor job
  • 01f7d22 chore: support another GitHub environment in deploy review workflow (#484)
  • 80dd0c7 chore: rename GitLab variables in legacy e2e-test workflow (#483)
  • 829d71e fix: show GitLab host and pipeline URL in logs (#480)
  • dcf3f8c hotfix: pin ORT scanner version (#482)
  • 5596130 feat: pass commit SHA to review environment trigger (#479)
  • 2e6b70d fix: dispatch whitelist check in deploy-review slash command (#468)
  • Additional commits viewable in compare view

Updates oss-review-toolkit/ort-ci-github-action from 1.0.1 to 1.2.0

Commits
  • 086d928 deps: update actions/cache action to v5.0.5
  • 31f3860 deps: update actions/upload-artifact action to v7.0.1
  • 35e1afd ci: Add a workflow to validate the Renovate config
  • 08b7556 ci(renovate): Use the config preset from the .github repo
  • 15444ef deps: update actions/cache action to v5
  • 06ee8d5 deps: update actions/upload-artifact action to v7
  • 9450696 deps: update actions/cache action to v4.3.0
  • b3f00a5 Add Renovate configuration for automated dependency updates
  • 62e59b4 rearrange input by lex order
  • 2f757c4 make ort jdk java options configurable
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the github-actions group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [dataaxiom/ghcr-cleanup-action](https://github.com/dataaxiom/ghcr-cleanup-action) | `1.0.16` | `1.1.0` |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.17.0` | `2.19.3` |
| [gradle/actions](https://github.com/gradle/actions) | `5.0.1` | `6.1.0` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.9.0` | `5.0.0` |
| [epam/ai-dial-ci](https://github.com/epam/ai-dial-ci) | `3.2.0` | `4.2.0` |
| [oss-review-toolkit/ort-ci-github-action](https://github.com/oss-review-toolkit/ort-ci-github-action) | `1.0.1` | `1.2.0` |



Updates `dataaxiom/ghcr-cleanup-action` from 1.0.16 to 1.1.0
- [Release notes](https://github.com/dataaxiom/ghcr-cleanup-action/releases)
- [Commits](dataaxiom/ghcr-cleanup-action@cd0cdb9...34a2b6c)

Updates `step-security/harden-runner` from 2.17.0 to 2.19.3
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f808768...ab7a940)

Updates `gradle/actions` from 5.0.1 to 6.1.0
- [Release notes](https://github.com/gradle/actions/releases)
- [Commits](gradle/actions@f29f5a9...50e97c2)

Updates `actions/dependency-review-action` from 4.9.0 to 5.0.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@2031cfc...a1d282b)

Updates `epam/ai-dial-ci` from 3.2.0 to 4.2.0
- [Release notes](https://github.com/epam/ai-dial-ci/releases)
- [Commits](epam/ai-dial-ci@3.2.0...4.2.0)

Updates `oss-review-toolkit/ort-ci-github-action` from 1.0.1 to 1.2.0
- [Commits](oss-review-toolkit/ort-ci-github-action@9acdf1e...086d928)

---
updated-dependencies:
- dependency-name: dataaxiom/ghcr-cleanup-action
  dependency-version: 1.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: gradle/actions
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/dependency-review-action
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: epam/ai-dial-ci
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: oss-review-toolkit/ort-ci-github-action
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Dependencies update github_actions Pull requests that update GitHub Actions code labels May 20, 2026
@dependabot dependabot Bot requested a review from MykhailoRyzhman as a code owner May 20, 2026 14:45
@statgpt-actions
Collaborator

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/test.yml

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| epam/ai-dial-ci/actions/java_prepare | 4.2.0 | Null | Unknown License |

OpenSSF Scorecard

| Package | Version | Score | Details |
| --- | --- | --- | --- |
| actions/epam/ai-dial-ci/actions/java_prepare | 4.2.0 | Unknown | Unknown |
| actions/oss-review-toolkit/ort-ci-github-action | 086d928d24ef1653dc0777296b312fda5faaaf52 | Unknown | Unknown |

Scanned Files

  • .github/workflows/test.yml
