Skip to content

Bump the major-minor-patch group across 1 directory with 5 updates#35

Closed
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/github_actions/develop/major-minor-patch-681c62abb6
Closed

Bump the major-minor-patch group across 1 directory with 5 updates#35
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/github_actions/develop/major-minor-patch-681c62abb6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 6, 2026

Copy link
Copy Markdown

Bumps the major-minor-patch group with 5 updates in the / directory:

Package From To
actions/checkout 6.0.1 6.0.2
aquasecurity/trivy-action 0.33.1 0.34.2
actions/upload-artifact 4.6.2 7.0.0
actions/setup-dotnet 5.0.1 5.2.0
marocchino/sticky-pull-request-comment 2.9.0 2.9.4

Updates actions/checkout from 6.0.1 to 6.0.2

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

... (truncated)

Commits
  • de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
  • 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
  • See full diff in compare view

Updates aquasecurity/trivy-action from 0.33.1 to 0.34.2

Release notes

Sourced from aquasecurity/trivy-action's releases.

v0.34.2

What's Changed

New Contributors

Full Changelog: aquasecurity/trivy-action@0.34.1...0.34.2

v0.34.1

What's Changed

Full Changelog: aquasecurity/trivy-action@0.34.0...0.34.1

v0.34.0

What's Changed

Full Changelog: aquasecurity/trivy-action@0.33.1...0.34.0

Commits
  • 97e0b38 chore: bump Trivy version to v0.69.2 in test workflow and README (#515)
  • 4c61e63 chore: bump default Trivy version to v0.69.2 (#513)
  • 1bd0625 Merge pull request #508 from nikpivkin/feat/pass-yaml-ignore-file
  • bce3086 remove unused init-cache target
  • 5a9fbb1 supress progress bar when download db
  • 1615450 update trivyignores input description
  • df85774 add comment about fd3
  • 56c8dae remove unused variable
  • e368e32 ci(test): add zizmor security linter for GitHub Actions (#502)
  • 6476b93 feat: support for YAML ignore file
  • Additional commits viewable in compare view

Updates actions/upload-artifact from 4.6.2 to 7.0.0

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

... (truncated)

Commits
  • bbbca2d Support direct file uploads (#764)
  • 589182c Upgrade the module to ESM and bump dependencies (#762)
  • 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
  • 02a8460 Add proxy integration test
  • b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
  • e516bc8 docs: correct description of Node.js 24 support in README
  • ddc45ed docs: update README to correct action name for Node.js 24 support
  • 615b319 chore: release v6.0.0 for Node.js 24 support
  • 017748b Merge pull request #744 from actions/fix-storage-blob
  • 38d4c79 chore: rebuild dist
  • Additional commits viewable in compare view

Updates actions/setup-dotnet from 5.0.1 to 5.2.0

Release notes

Sourced from actions/setup-dotnet's releases.

v5.2.0

What's changed

Enhancements

Dependency Updates

Full Changelog: actions/setup-dotnet@v5...v5.2.0

v5.1.0

What's Changed

Documentation

Dependency updates

New Contributors

Full Changelog: actions/setup-dotnet@v5...v5.1.0

Commits
  • c2fa09f Bump minimatch from 3.1.2 to 3.1.5 (#705)
  • 02574b1 Add support for optional architecture input for cross-architecture .NET insta...
  • 16c7b3c Bump fast-xml-parser from 4.4.1 to 5.3.6 (#671)
  • 131b410 Add support for workloads input (#693)
  • baa11fb Bump test dependencies to resolve System.Net.Http vulnerability, update workf...
  • 24ec4f2 Upgrade to latest actions packages (#687)
  • 4c100cb Fix icons (#604)
  • 25328d8 Bump actions/checkout from 5 to 6 (#684)
  • 937b8dd Update README with note on setting DOTNET_INSTALL_DIR for Linux permission is...
  • See full diff in compare view

Updates marocchino/sticky-pull-request-comment from 2.9.0 to 2.9.4

Release notes

Sourced from marocchino/sticky-pull-request-comment's releases.

v2.9.4

What's Changed

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.3...v2.9.4

v2.9.3

What's Changed

  • Update deps (including security issues)
  • Test with vitest instead of jest
  • Use biome

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.2...v2.9.3

v2.9.2

What's Changed

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.1...v2.9.2

v2.9.1

What's Changed

New Contributors

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.0...v2.9.1

Commits
  • 7737449 📦️ Build
  • 8b423c6 Merge pull request #1564 from marocchino/dependabot/npm_and_yarn/types/node-2...
  • 3ac8a74 build(deps-dev): Bump @​types/node from 24.0.12 to 24.0.13
  • e430cfc Merge pull request #1563 from marocchino/dependabot/npm_and_yarn/types/node-2...
  • 99f9378 build(deps-dev): Bump @​types/node from 24.0.11 to 24.0.12
  • 2216b3a Merge pull request #1562 from marocchino/dependabot/npm_and_yarn/biomejs/biom...
  • 482d7fd build(deps-dev): Bump @​biomejs/biome from 2.0.4 to 2.1.1
  • c2da581 Merge pull request #1561 from marocchino/dependabot/npm_and_yarn/types/node-2...
  • 76f8462 build(deps-dev): Bump @​types/node from 24.0.3 to 24.0.11
  • 246151a ⬆️ Update biome
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the major-minor-patch group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.1` | `6.0.2` |
| [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) | `0.33.1` | `0.34.2` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.0` |
| [actions/setup-dotnet](https://github.com/actions/setup-dotnet) | `5.0.1` | `5.2.0` |
| [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment) | `2.9.0` | `2.9.4` |



Updates `actions/checkout` from 6.0.1 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@8e8c483...de0fac2)

Updates `aquasecurity/trivy-action` from 0.33.1 to 0.34.2
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@b6643a2...97e0b38)

Updates `actions/upload-artifact` from 4.6.2 to 7.0.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...bbbca2d)

Updates `actions/setup-dotnet` from 5.0.1 to 5.2.0
- [Release notes](https://github.com/actions/setup-dotnet/releases)
- [Commits](actions/setup-dotnet@2016bd2...c2fa09f)

Updates `marocchino/sticky-pull-request-comment` from 2.9.0 to 2.9.4
- [Release notes](https://github.com/marocchino/sticky-pull-request-comment/releases)
- [Commits](marocchino/sticky-pull-request-comment@331f8f5...7737449)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: major-minor-patch
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.34.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-minor-patch
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: major-minor-patch
- dependency-name: actions/setup-dotnet
  dependency-version: 5.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-minor-patch
- dependency-name: marocchino/sticky-pull-request-comment
  dependency-version: 2.9.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: major-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 6, 2026
@github-actions

github-actions Bot commented Mar 6, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout de0fac2e4500dabe0009e67214ff5f5447ce83dd 🟢 6
Details
CheckScoreReason
Maintained⚠️ 23 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies⚠️ 3dependency not pinned by hash detected -- score normalized to 3
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/upload-artifact bbbca2ddaa5d8feaa63e36b76fdaad77386f024f 🟢 6.2
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1029 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST🟢 10SAST tool is run on all commits

Scanned Files

  • .github/workflows/scorecard.yml

@dependabot @github

dependabot Bot commented on behalf of github Mar 13, 2026

Copy link
Copy Markdown
Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Mar 13, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/develop/major-minor-patch-681c62abb6 branch March 13, 2026 03:57
mm-psy added a commit that referenced this pull request Mar 16, 2026
* Enhance Docker publish workflow for SBOM generation

Updated Docker publish workflow to include first image tag extraction and modified image reference for Trivy scanning.

* Clean up docker-publish.yml by removing blank lines

Removed unnecessary blank lines in the Docker publish workflow.

* Add comment for priority setting

* Refactor Docker publish workflow: improve tag logic, variable names, and documentation
mm-psy added a commit that referenced this pull request Mar 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants