Skip to content

Bump the major-minor-patch group across 1 directory with 10 updates#33

Closed
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/github_actions/develop/major-minor-patch-407f35b210
Closed

Bump the major-minor-patch group across 1 directory with 10 updates#33
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/github_actions/develop/major-minor-patch-407f35b210

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Feb 27, 2026

Copy link
Copy Markdown

Bumps the major-minor-patch group with 10 updates in the / directory:

Package From To
actions/checkout 6.0.1 6.0.2
github/codeql-action 4.31.6 4.32.4
actions/dependency-review-action 4.8.2 4.8.3
docker/setup-buildx-action 3.11.1 3.12.0
docker/login-action 3.6.0 3.7.0
docker/build-push-action 6.18.0 6.19.2
aquasecurity/trivy-action 0.33.1 0.34.1
actions/setup-dotnet 5.0.1 5.1.0
dorny/test-reporter 2.3.0 2.5.0
marocchino/sticky-pull-request-comment 2.9.0 2.9.4

Updates actions/checkout from 6.0.1 to 6.0.2

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

... (truncated)

Commits
  • de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
  • 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
  • See full diff in compare view

Updates github/codeql-action from 4.31.6 to 4.32.4

Release notes

Sourced from github/codeql-action's releases.

v4.32.4

  • Update default CodeQL bundle version to 2.24.2. #3493
  • Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
  • When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
  • Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
  • Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

v4.32.3

  • Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

v4.32.2

  • Update default CodeQL bundle version to 2.24.1. #3460

v4.32.1

  • A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #3422
  • Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #3421

v4.32.0

  • Update default CodeQL bundle version to 2.24.0. #3425

v4.31.11

  • When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #3409
  • Improved error handling throughout the CodeQL Action. #3415
  • Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #3318
  • The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #3403

v4.31.10

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.10 - 12 Jan 2026

  • Update default CodeQL bundle version to 2.23.9. #3393

See the full CHANGELOG.md for more information.

v4.31.9

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.9 - 16 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v4.31.8

CodeQL Action Changelog

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.32.4 - 20 Feb 2026

  • Update default CodeQL bundle version to 2.24.2. #3493
  • Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
  • When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
  • Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
  • Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

4.32.3 - 13 Feb 2026

  • Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

4.32.2 - 05 Feb 2026

  • Update default CodeQL bundle version to 2.24.1. #3460

4.32.1 - 02 Feb 2026

  • A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #3422
  • Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #3421

4.32.0 - 26 Jan 2026

  • Update default CodeQL bundle version to 2.24.0. #3425

4.31.11 - 23 Jan 2026

  • When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #3409
  • Improved error handling throughout the CodeQL Action. #3415
  • Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #3318
  • The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #3403

4.31.10 - 12 Jan 2026

  • Update default CodeQL bundle version to 2.23.9. #3393

4.31.9 - 16 Dec 2025

No user facing changes.

4.31.8 - 11 Dec 2025

... (truncated)

Commits
  • 89a39a4 Merge pull request #3494 from github/update-v4.32.4-39ba80c47
  • e5d84c8 Apply remaining review suggestions
  • 0c20209 Apply suggestions from code review
  • 314172e Fix typo
  • cdda72d Add changelog entries
  • cfda84c Update changelog for v4.32.4
  • 39ba80c Merge pull request #3493 from github/update-bundle/codeql-bundle-v2.24.2
  • 00150da Add changelog note
  • d97dce6 Update default bundle to codeql-bundle-v2.24.2
  • 50fdbb9 Merge pull request #3492 from github/henrymercer/new-repository-properties-ff
  • Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.8.2 to 4.8.3

Release notes

Sourced from actions/dependency-review-action's releases.

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3

Commits
  • 05fe457 Merge pull request #1054 from actions/ahpook/release-4.8.3
  • 3a8496c Update generated package files for v4.8.3
  • 0f22a01 Update CONTRIBUTING for new release process
  • 58be343 Updating package versions for 4.8.3
  • 9284e0c Merge pull request #931 from actions/dependabot/npm_and_yarn/spdx-licenses-20...
  • 8b76656 Bump spdx-expression-parse in the spdx-licenses group across 1 directory
  • 43f5f02 Merge pull request #1052 from actions/juxtin/fix-long-summaries
  • f0033fc Merge pull request #1053 from actions/dependabot/npm_and_yarn/fast-xml-parser...
  • b379e2e Bump fast-xml-parser from 5.3.5 to 5.3.6
  • 2e1cf54 Properly truncate long summaries and catch errors
  • Additional commits viewable in compare view

Updates docker/setup-buildx-action from 3.11.1 to 3.12.0

Release notes

Sourced from docker/setup-buildx-action's releases.

v3.12.0

Full Changelog: docker/setup-buildx-action@v3.11.1...v3.12.0

Commits
  • 8d2750c Merge pull request #455 from crazy-max/install-deprecated
  • e81846b deprecate install input
  • 65d18f8 Merge pull request #454 from docker/dependabot/github_actions/actions/checkout-6
  • 000d75d build(deps): bump actions/checkout from 5 to 6
  • 1583c0f Merge pull request #443 from nicolasleger/patch-1
  • ed158e7 doc: bump actions/checkout from 4 to 5
  • 4cc794f Merge pull request #441 from docker/dependabot/github_actions/actions/checkout-5
  • 4dfc3d6 build(deps): bump actions/checkout from 4 to 5
  • af1b253 Merge pull request #440 from crazy-max/k3s-build
  • 3c6ab92 ci: k3s test with latest buildx
  • Additional commits viewable in compare view

Updates docker/login-action from 3.6.0 to 3.7.0

Release notes

Sourced from docker/login-action's releases.

v3.7.0

Full Changelog: docker/login-action@v3.6.0...v3.7.0

Commits
  • c94ce9f Merge pull request #915 from docker/dependabot/npm_and_yarn/lodash-4.17.23
  • 8339c95 Merge pull request #912 from docker/scope
  • c83e932 build(deps): bump lodash from 4.17.21 to 4.17.23
  • b268aa5 chore: update generated content
  • a603229 documentation for scope input
  • 7567f92 Add scope input to set scopes for the authentication token
  • 0567fa5 Merge pull request #914 from dphi/add-support-for-amazonaws.eu
  • f6ef577 feat: add support for AWS European Sovereign Cloud ECR registries
  • 916386b Merge pull request #911 from crazy-max/ensure-redact
  • 5b3f94a chore: update generated content
  • Additional commits viewable in compare view

Updates docker/build-push-action from 6.18.0 to 6.19.2

Release notes

Sourced from docker/build-push-action's releases.

v6.19.2

Full Changelog: docker/build-push-action@v6.19.1...v6.19.2

v6.19.1

Full Changelog: docker/build-push-action@v6.19.0...v6.19.1

v6.19.0

Full Changelog: docker/build-push-action@v6.18.0...v6.19.0

Commits
  • 10e90e3 Merge pull request #1458 from crazy-max/git-auth-port
  • 5262538 chore: update generated content
  • cd130e4 preserve port in GIT_AUTH_TOKEN host
  • 806c751 Merge pull request #1452 from crazy-max/update-yarn
  • 601a80b Merge pull request #1456 from crazy-max/auth-token-dyn-host
  • 8f7fd7c chore: update generated content
  • 710e335 derive GIT_AUTH_TOKEN host from GitHub server URL
  • c4ca848 update yarn to 4.9.2
  • ee4ca42 Merge pull request #1398 from docker/dependabot/npm_and_yarn/tmp-0.2.4
  • f1b3bb5 chore: update generated content
  • Additional commits viewable in compare view

Updates aquasecurity/trivy-action from 0.33.1 to 0.34.1

Release notes

Sourced from aquasecurity/trivy-action's releases.

v0.34.1

What's Changed

Full Changelog: aquasecurity/trivy-action@0.34.0...0.34.1

v0.34.0

What's Changed

Full Changelog: aquasecurity/trivy-action@0.33.1...0.34.0

Commits
  • e368e32 ci(test): add zizmor security linter for GitHub Actions (#502)
  • c1824fd chore(deps): Update trivy to v0.69.1 (#506)
  • bc61dc5 Merge commit from fork
  • 5eb7ef2 ci: use checks bundle v2 in sync workflow (#505)
  • 22438a4 Merge pull request #496 from aquasecurity/bump-trivy-1765431074
  • 0024b3f chore(deps): Update trivy to v0.68.1
  • 83690f7 ci: install trivy in bump-trivy workflow and update tests (#495)
  • df65449 chore: update README (#493)
  • 0317097 ci: use setup-bats in bump-trivy workflow (#494)
  • See full diff in compare view

Updates actions/setup-dotnet from 5.0.1 to 5.1.0

Release notes

Sourced from actions/setup-dotnet's releases.

v5.1.0

What's Changed

Documentation

Dependency updates

New Contributors

Full Changelog: actions/setup-dotnet@v5...v5.1.0

Commits
  • baa11fb Bump test dependencies to resolve System.Net.Http vulnerability, update workf...
  • 24ec4f2 Upgrade to latest actions packages (#687)
  • 4c100cb Fix icons (#604)
  • 25328d8 Bump actions/checkout from 5 to 6 (#684)
  • 937b8dd Update README with note on setting DOTNET_INSTALL_DIR for Linux permission is...
  • See full diff in compare view

Updates dorny/test-reporter from 2.3.0 to 2.5.0

Release notes

Sourced from dorny/test-reporter's releases.

v2.5.0

What's Changed

Features

Project maintanance

Full Changelog: dorny/test-reporter@v2.4.0...v2.5.0

v2.4.0

What's Changed

New Contributors

Full Changelog: dorny/test-reporter@v2.3.0...v2.4.0

Changelog

Sourced from dorny/test-reporter's changelog.

Changelog

2.5.0

2.4.0

2.3.0

2.2.0

2.1.1

2.1.0

2.0.0

1.9.1

... (truncated)

Commits
  • b082adf test-reporter release v2.5.0
  • bcafc9f Merge pull request #707 from dorny/feature/700-nette-tester-junit-reporter
  • b0cbac6 Rebuild the dist/index.js file
  • c92a289 Remove unnecessary output files
  • 6697ec4 Merge pull request #695 from dorny/dependabot/github_actions/actions/upload-a...
  • 6387029 Create tester-junit reporter for Nette Tester tool
  • 6896772 Merge pull request #706 from dorny/release/v2.4.0
  • e17be7e test-reporter release v2.4.0
  • 6efb86e Merge pull request #704 from dorny/bugfix/703-refactor-deprecated-substr-func...
  • 055bc8c Rebuild the dist/index.js file
  • Additional commits viewable in compare view

Updates marocchino/sticky-pull-request-comment from 2.9.0 to 2.9.4

Release notes

Sourced from marocchino/sticky-pull-request-comment's releases.

v2.9.4

What's Changed

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.3...v2.9.4

v2.9.3

What's Changed

  • Update deps (including security issues)
  • Test with vitest instead of jest
  • Use biome

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.2...v2.9.3

v2.9.2

What's Changed

Bumps the major-minor-patch group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.1` | `6.0.2` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.31.6` | `4.32.4` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.8.2` | `4.8.3` |
| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3.11.1` | `3.12.0` |
| [docker/login-action](https://github.com/docker/login-action) | `3.6.0` | `3.7.0` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `6.18.0` | `6.19.2` |
| [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) | `0.33.1` | `0.34.1` |
| [actions/setup-dotnet](https://github.com/actions/setup-dotnet) | `5.0.1` | `5.1.0` |
| [dorny/test-reporter](https://github.com/dorny/test-reporter) | `2.3.0` | `2.5.0` |
| [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment) | `2.9.0` | `2.9.4` |



Updates `actions/checkout` from 6.0.1 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@8e8c483...de0fac2)

Updates `github/codeql-action` from 4.31.6 to 4.32.4
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v4.31.6...89a39a4)

Updates `actions/dependency-review-action` from 4.8.2 to 4.8.3
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@3c4e3dc...05fe457)

Updates `docker/setup-buildx-action` from 3.11.1 to 3.12.0
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@e468171...8d2750c)

Updates `docker/login-action` from 3.6.0 to 3.7.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@5e57cd1...c94ce9f)

Updates `docker/build-push-action` from 6.18.0 to 6.19.2
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@2634353...10e90e3)

Updates `aquasecurity/trivy-action` from 0.33.1 to 0.34.1
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@b6643a2...e368e32)

Updates `actions/setup-dotnet` from 5.0.1 to 5.1.0
- [Release notes](https://github.com/actions/setup-dotnet/releases)
- [Commits](actions/setup-dotnet@2016bd2...baa11fb)

Updates `dorny/test-reporter` from 2.3.0 to 2.5.0
- [Release notes](https://github.com/dorny/test-reporter/releases)
- [Changelog](https://github.com/dorny/test-reporter/blob/main/CHANGELOG.md)
- [Commits](dorny/test-reporter@fe45e95...b082adf)

Updates `marocchino/sticky-pull-request-comment` from 2.9.0 to 2.9.4
- [Release notes](https://github.com/marocchino/sticky-pull-request-comment/releases)
- [Commits](marocchino/sticky-pull-request-comment@331f8f5...7737449)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: major-minor-patch
- dependency-name: github/codeql-action
  dependency-version: 4.32.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-minor-patch
- dependency-name: actions/dependency-review-action
  dependency-version: 4.8.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: major-minor-patch
- dependency-name: docker/setup-buildx-action
  dependency-version: 3.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-minor-patch
- dependency-name: docker/login-action
  dependency-version: 3.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-minor-patch
- dependency-name: docker/build-push-action
  dependency-version: 6.19.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-minor-patch
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.34.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-minor-patch
- dependency-name: actions/setup-dotnet
  dependency-version: 5.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-minor-patch
- dependency-name: dorny/test-reporter
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-minor-patch
- dependency-name: marocchino/sticky-pull-request-comment
  dependency-version: 2.9.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: major-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Feb 27, 2026
@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout de0fac2e4500dabe0009e67214ff5f5447ce83dd 🟢 6.2
Details
CheckScoreReason
Maintained⚠️ 45 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4
Code-Review🟢 10all changesets reviewed
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 3dependency not pinned by hash detected -- score normalized to 3
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
SAST🟢 8SAST tool detected but not run on all commits
actions/github/codeql-action/upload-sarif 89a39a4e59826350b863aa6b6252a07ad50cf83e UnknownUnknown

Scanned Files

  • .github/workflows/scorecard.yml

@dependabot @github

dependabot Bot commented on behalf of github Mar 6, 2026

Copy link
Copy Markdown
Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Mar 6, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/develop/major-minor-patch-407f35b210 branch March 6, 2026 03:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants