Skip to content

chore: bump the github-actions group across 1 directory with 6 updates#72

Closed
dependabot[bot] wants to merge 1 commit into
developmentfrom
dependabot/github_actions/github-actions-ca36e7c7ae
Closed

chore: bump the github-actions group across 1 directory with 6 updates#72
dependabot[bot] wants to merge 1 commit into
developmentfrom
dependabot/github_actions/github-actions-ca36e7c7ae

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 20, 2026

Copy link
Copy Markdown
Contributor

Bumps the github-actions group with 6 updates in the / directory:

Package From To
dataaxiom/ghcr-cleanup-action 1.0.16 1.2.1
step-security/harden-runner 2.17.0 2.19.4
gradle/actions 5.0.1 6.1.0
actions/dependency-review-action 4.9.0 5.0.0
epam/ai-dial-ci 3.2.0 4.3.0
oss-review-toolkit/ort-ci-github-action 1.0.1 1.2.0

Updates dataaxiom/ghcr-cleanup-action from 1.0.16 to 1.2.1

Release notes

Sourced from dataaxiom/ghcr-cleanup-action's releases.

v1.2.1

  • fix: tolerate every 404 on package version delete (was: fail on the second) (fix #121)
  • fix: eliminate spurious "wasn't found" warnings from cosign signature dual-cascade race
  • fix: per-image log buffer flushes audit trail even when a cascade errors mid-flight

v1.2.0

  • feature: cross-run manifest cache; warm runs only fetch newly-published manifests (hit rate logged)
  • perf: parallel API throughout — package pagination, manifest fetches, untag PUTs, child/referrer deletes
  • perf: batched untagging — one reload per batch instead of one per tag
  • perf: push token reuse across untag PUTs + 429/secondary rate-limit retries on registry auth
  • fix: repository input is now informational; cleanup uses owner + package directly (supports unlinked / cross-account packages)
  • log volume cap at 1000 lines per group (info); per-image log output buffered to avoid interleaving under concurrent deletes
  • package version upgrades

v1.1.0

  • fix: preserve OCI 1.1 subject-bearing referrers (cosign sigstore-bundles, attestations) during cleanup — were silently deleted as untagged #71
  • fix: keep-n-tagged now gates untag operations; a matched tag is not stripped from an image that keep-n-tagged would protect (#99, #101)
  • fix: shared multi-arch platform digests no longer cascade-deleted when one of multiple parent indexes is removed (#91)
  • fix: delete-partial-images excludes fully ghost images #112
  • fix: Octokit error output visible at all log levels (was suppressed when log-level was error or warn)
  • fix: expand-packages rejects fine-grained PATs upfront with a clear message
  • fix: setFailed message no longer overwritten by an empty Error in early-failure paths
  • feat: ReDoS guard on user-supplied regex (delete-tags, exclude-tags, package) when use-regex: true
  • feat: code refactor/split, removal of anys where possible using typed classes
  • chore(deps): Node.js 24
  • docs: README rewrite + Limitations section (5,000-download undeletable policy, nested-manifest non-support)
Commits
  • f092b48 Merge pull request #122 from rohanmars/main
  • fa3daf5 ci: hoist fork-PR approval gate to a single job (was per matrix entry)
  • c1ba289 fix: synchronously claim digests before delete to prevent concurrent duplicat...
  • f5e37e7 fix: tolerate all 404s on package version delete; always flush per-tree log b...
  • 374e202 Merge pull request #120 from rohanmars/code-review
  • e1e6176 perf: cap per-listing log volume at 1000 lines (truncate at INFO)
  • 6516895 fix: drop the post-reload untag-ops invariant assertion (3.1.5 retraction)
  • 5a020af feat: buffer deleteImage logs per top-level tree, flush atomically
  • 8263ff3 chore: refresh dependencies to latest patches within current ranges
  • 5a3f4cc chore: update coverage badge to 94.47%
  • Additional commits viewable in compare view

Updates step-security/harden-runner from 2.17.0 to 2.19.4

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.4

What's Changed

  • Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

What's Changed

  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

... (truncated)

Commits
  • 9af89fc Merge pull request #667 from step-security/update-agent-v1.8.6
  • 485dce8 Update agent to v1.8.6
  • ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit
  • ec41b78 Default to audit mode when api-key missing with use-policy-store
  • 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
  • 1dee3df Update agent to v1.8.5
  • a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
  • 6e92856 build dist and trim ubuntu-slim message
  • 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
  • 8d3c67d Release v2.19.0 (#661)
  • Additional commits viewable in compare view

Updates gradle/actions from 5.0.1 to 6.1.0

Release notes

Sourced from gradle/actions's releases.

v6.1.0

New: Basic Cache Provider

A new MIT-licensed Basic Caching provider is now available as an alternative to the proprietary Enhanced Caching provided by gradle-actions-caching. Choose Basic Caching by setting cache-provider: basic on setup-gradle or dependency-submission actions.

  • Built on @actions/cache -- fully open source
  • Caches ~/.gradle/caches and ~/.gradle/wrapper directories
  • Cache key derived from build files (*.gradle*, gradle-wrapper.properties, etc.)
  • Clean cache on build file changes (no restore keys, preventing stale entry accumulation)

Limitations vs Enhanced Caching: No cache cleanup, no deduplication of cached content, cached content is fixed unless build files change.

Revamped Licensing & Distribution Documentation

  • New DISTRIBUTION.md documents the licensing of each component (particularly Basic Caching vs Enhanced Caching)
  • Simplified licensing notices in README, docs, and runtime log output
  • Clear usage tiers: Enhanced Caching is free for public repos and in Free Preview for private repos

What's Changed

Full Changelog: gradle/actions@v6.0.1...v6.1.0

v6.0.1

[!IMPORTANT] The release of gradle/actions@v6 contains important changes to the license terms. More details in this blog post. TL;DR: By upgrading to v6, you accept the Terms of Use for the gradle-actions-caching component.

Summary

The license changes in v6 introduced a gradle-actions-caching license notice that is printed in logs and in each job summary.

With this release, the license notice will be muted if build-scan terms have been accepted, or if a Develocity access key is provided.

What's Changed

Full Changelog: gradle/actions@v6.0.0...v6.0.1

v6.0.0

[!IMPORTANT]

... (truncated)

Commits
  • 50e97c2 Link to docs for caching providers
  • f2e6298 Restructure caching documentation for basic and enhanced providers (#934)
  • b294b1e Really fix integ-test-full
  • 83d3189 Revise license details for gradle-actions-caching
  • 1d5db06 Update license link for gradle-actions-caching component
  • 1c80961 Fix license link for Enhanced Caching component
  • 9e99920 Fix integ-test-full workflow
  • bb8aaaf Fix workflow permissions
  • f5dfb43 [bot] Update dist directory
  • ff9ae24 Add open-source 'basic' cache provider and revamp licensing documentation (#930)
  • Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.9.0 to 5.0.0

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Commits
  • a1d282b Merge pull request #1098 from actions/ahpook/v5-release
  • eb6c199 update examples to show @​v5
  • 3943c2c v5.0.0 release branch
  • 454943c Merge pull request #1094 from actions/ashelytc/security-findings
  • 6d92a12 revert @​typescript-eslint/parser update
  • a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
  • b6b7079 update @​typescript-eslint/parser to 8.40.0
  • 821a21d update more dependencies
  • 05aaaae run npm audit fix
  • 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
  • Additional commits viewable in compare view

Updates epam/ai-dial-ci from 3.2.0 to 4.3.0

Release notes

Sourced from epam/ai-dial-ci's releases.

4.3.0

What's Changed

Full Changelog: epam/ai-dial-ci@4.2.0...4.3.0

4.2.0

What's Changed

Full Changelog: epam/ai-dial-ci@4.1.0...4.2.0

4.1.0

What's Changed

New Contributors

Full Changelog: epam/ai-dial-ci@4.0.1...4.1.0

4.0.1

What's Changed

Full Changelog: epam/ai-dial-ci@4.0.0...4.0.1

4.0.0

What's Changed

[!caution] There's a breaking change in branching strategy that require manual actions. See more in related PR description

... (truncated)

Commits
  • 627c642 feat: add support of trusted publishing to npmjs registry (#494)
  • 0d37166 fix: npm publish script should not use reserved name "publish" (#493)
  • 9a85c64 feat: make review env availability check script generic (#492)
  • 38aeecc feat: add ability to create stable GitHub releases as drafts (#491)
  • d273ed8 feat: improved changelog generation (#488)
  • f79ec27 chore: increase timeout-minutes for deploy job of deploy-review command (#487)
  • 5dfd62a fix: use related environment for monitor job
  • 01f7d22 chore: support another GitHub environment in deploy review workflow (#484)
  • 80dd0c7 chore: rename GitLab variables in legacy e2e-test workflow (#483)
  • 829d71e fix: show GitLab host and pipeline URL in logs (#480)
  • Additional commits viewable in compare view

Updates oss-review-toolkit/ort-ci-github-action from 1.0.1 to 1.2.0

Commits
  • 086d928 deps: update actions/cache action to v5.0.5
  • 31f3860 deps: update actions/upload-artifact action to v7.0.1
  • 35e1afd ci: Add a workflow to validate the Renovate config
  • 08b7556 ci(renovate): Use the config preset from the .github repo
  • 15444ef deps: update actions/cache action to v5
  • 06ee8d5 deps: update actions/upload-artifact action to v7
  • 9450696 deps: update actions/cache action to v4.3.0
  • b3f00a5 Add Renovate configuration for automated dependency updates
  • 62e59b4 rearrange input by lex order
  • 2f757c4 make ort jdk java options configurable
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Dependencies update github_actions Pull requests that update GitHub Actions code labels May 20, 2026
@dependabot dependabot Bot requested a review from MykhailoRyzhman as a code owner May 20, 2026 14:45
@dependabot dependabot Bot added dependencies Dependencies update github_actions Pull requests that update GitHub Actions code labels May 20, 2026
@statgpt-actions

This comment has been minimized.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-ca36e7c7ae branch from 6d37db1 to 1cedb43 Compare May 21, 2026 14:58
@statgpt-actions

This comment has been minimized.

Bumps the github-actions group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [dataaxiom/ghcr-cleanup-action](https://github.com/dataaxiom/ghcr-cleanup-action) | `1.0.16` | `1.2.1` |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.17.0` | `2.19.4` |
| [gradle/actions](https://github.com/gradle/actions) | `5.0.1` | `6.1.0` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.9.0` | `5.0.0` |
| [epam/ai-dial-ci](https://github.com/epam/ai-dial-ci) | `3.2.0` | `4.3.0` |
| [oss-review-toolkit/ort-ci-github-action](https://github.com/oss-review-toolkit/ort-ci-github-action) | `1.0.1` | `1.2.0` |



Updates `dataaxiom/ghcr-cleanup-action` from 1.0.16 to 1.2.1
- [Release notes](https://github.com/dataaxiom/ghcr-cleanup-action/releases)
- [Commits](dataaxiom/ghcr-cleanup-action@cd0cdb9...f092b48)

Updates `step-security/harden-runner` from 2.17.0 to 2.19.4
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f808768...9af89fc)

Updates `gradle/actions` from 5.0.1 to 6.1.0
- [Release notes](https://github.com/gradle/actions/releases)
- [Commits](gradle/actions@f29f5a9...50e97c2)

Updates `actions/dependency-review-action` from 4.9.0 to 5.0.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@2031cfc...a1d282b)

Updates `epam/ai-dial-ci` from 3.2.0 to 4.3.0
- [Release notes](https://github.com/epam/ai-dial-ci/releases)
- [Commits](epam/ai-dial-ci@3.2.0...4.3.0)

Updates `oss-review-toolkit/ort-ci-github-action` from 1.0.1 to 1.2.0
- [Commits](oss-review-toolkit/ort-ci-github-action@9acdf1e...086d928)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: dataaxiom/ghcr-cleanup-action
  dependency-version: 1.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: epam/ai-dial-ci
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: gradle/actions
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: oss-review-toolkit/ort-ci-github-action
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-ca36e7c7ae branch from 1cedb43 to 443d63f Compare May 27, 2026 11:35
@statgpt-actions

Copy link
Copy Markdown
Collaborator

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/test.yml

PackageVersionLicenseIssue Type
epam/ai-dial-ci/actions/java_prepare4.3.0NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
actions/epam/ai-dial-ci/actions/java_prepare 4.3.0 UnknownUnknown
actions/oss-review-toolkit/ort-ci-github-action 086d928d24ef1653dc0777296b312fda5faaaf52 UnknownUnknown

Scanned Files

  • .github/workflows/test.yml

@dependabot @github

dependabot Bot commented on behalf of github Jun 4, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 4, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/github-actions-ca36e7c7ae branch June 4, 2026 01:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Dependencies update github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant