Skip to content

Bump the major-minor-patch group across 1 directory with 11 updates#39

Closed
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/github_actions/develop/major-minor-patch-92a69162bb
Closed

Bump the major-minor-patch group across 1 directory with 11 updates#39
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/github_actions/develop/major-minor-patch-92a69162bb

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 16, 2026

Copy link
Copy Markdown

Bumps the major-minor-patch group with 11 updates in the / directory:

Package From To
actions/checkout 6.0.1 6.0.2
actions/dependency-review-action 4.8.2 4.9.0
docker/setup-buildx-action 3.11.1 4.0.0
docker/login-action 3.6.0 4.0.0
docker/metadata-action 5.10.0 6.0.0
docker/build-push-action 6.18.0 7.0.0
aquasecurity/trivy-action 0.33.1 0.35.0
actions/upload-artifact 4.6.2 7.0.0
actions/setup-dotnet 5.0.1 5.2.0
dorny/test-reporter 2.3.0 2.6.0
marocchino/sticky-pull-request-comment 2.9.0 3.0.2

Updates actions/checkout from 6.0.1 to 6.0.2

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

... (truncated)

Commits
  • de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
  • 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
  • See full diff in compare view

Updates actions/dependency-review-action from 4.8.2 to 4.9.0

Release notes

Sourced from actions/dependency-review-action's releases.

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

  • There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
  • Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
  • There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3

Commits
  • 2031cfc Merge pull request #1064 from actions/ahpook/release-4.9.0
  • d02fa39 Updates for release 4.9.0
  • 4038a34 Merge pull request #1021 from actions/dependabot/github_actions/actions/check...
  • a632b83 Merge pull request #1058 from actions/dependabot/github_actions/actions/stale...
  • 57a3d46 Merge pull request #1060 from jantiebot/main
  • 5ecdc4b Merge pull request #1045 from forks-felickz/main
  • e8c2f9a fix: remove inferrable type annotation to pass eslint
  • 0e129e1 Prettier - Refactor summary table rendering for improved readability
  • aa60746 Add 'show-patched-versions' option to configuration and update summary handling
  • e404798 Merge upstream actions/dependency-review-action main
  • Additional commits viewable in compare view

Updates docker/setup-buildx-action from 3.11.1 to 4.0.0

Release notes

Sourced from docker/setup-buildx-action's releases.

v4.0.0

Full Changelog: docker/setup-buildx-action@v3.12.0...v4.0.0

v3.12.0

Full Changelog: docker/setup-buildx-action@v3.11.1...v3.12.0

Commits
  • 4d04d5d Merge pull request #485 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • cd74e05 chore: update generated content
  • eee38ec build(deps): bump @​docker/actions-toolkit from 0.77.0 to 0.79.0
  • 7a83f65 Merge pull request #484 from docker/dependabot/github_actions/docker/setup-qe...
  • a5aa967 Merge pull request #464 from crazy-max/rm-deprecated
  • e73d53f build(deps): bump docker/setup-qemu-action from 3 to 4
  • 28a438e Merge pull request #483 from crazy-max/node24
  • 034e9d3 chore: update generated content
  • b4664d8 remove deprecated inputs/outputs
  • a8257de node 24 as default runtime
  • Additional commits viewable in compare view

Updates docker/login-action from 3.6.0 to 4.0.0

Release notes

Sourced from docker/login-action's releases.

v4.0.0

Full Changelog: docker/login-action@v3.7.0...v4.0.0

v3.7.0

Full Changelog: docker/login-action@v3.6.0...v3.7.0

Commits
  • b45d80f Merge pull request #929 from crazy-max/node24
  • 176cb9c node 24 as default runtime
  • cad8984 Merge pull request #920 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
  • 92cbcb2 chore: update generated content
  • 5a2d6a7 build(deps): bump the aws-sdk-dependencies group with 2 updates
  • 44512b6 Merge pull request #928 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 28737a5 chore: update generated content
  • dac0793 build(deps): bump @​docker/actions-toolkit from 0.76.0 to 0.77.0
  • 62029f3 Merge pull request #919 from docker/dependabot/npm_and_yarn/actions/core-3.0.0
  • 08c8f06 chore: update generated content
  • Additional commits viewable in compare view

Updates docker/metadata-action from 5.10.0 to 6.0.0

Release notes

Sourced from docker/metadata-action's releases.

v6.0.0

Full Changelog: docker/metadata-action@v5.10.0...v6.0.0

Commits
  • 030e881 Merge pull request #607 from crazy-max/allow-comments
  • 4b529ac chore: update generated content
  • b0082b3 preserve comments in list input values with commentNoInfix
  • 7b19fec Merge pull request #604 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 281c9b0 chore: update generated content
  • 5f43b3b test: stabilize github mock setup since ESM
  • 9d53276 github class moved since actions-toolkit v0.77.0
  • eaa3d39 chore(deps): Bump @​docker/actions-toolkit from 0.68.0 to 0.77.0
  • 6b695f7 Merge pull request #605 from crazy-max/node24
  • a1afadc node 24 as default runtime
  • Additional commits viewable in compare view

Updates docker/build-push-action from 6.18.0 to 7.0.0

Release notes

Sourced from docker/build-push-action's releases.

v7.0.0

Full Changelog: docker/build-push-action@v6.19.2...v7.0.0

v6.19.2

Full Changelog: docker/build-push-action@v6.19.1...v6.19.2

v6.19.1

Full Changelog: docker/build-push-action@v6.19.0...v6.19.1

v6.19.0

Full Changelog: docker/build-push-action@v6.18.0...v6.19.0

Commits
  • d08e5c3 Merge pull request #1479 from docker/dependabot/npm_and_yarn/docker/actions-t...
  • cbd2dff chore: update generated content
  • f76f51f chore(deps): Bump @​docker/actions-toolkit from 0.78.0 to 0.79.0
  • 7d03e66 Merge pull request #1473 from crazy-max/rm-deprecated-envs
  • 98f853d chore: update generated content
  • cadccf6 remove deprecated envs
  • 03fe877 Merge pull request #1478 from docker/dependabot/github_actions/docker/setup-b...
  • 827e366 chore(deps): Bump docker/setup-buildx-action from 3 to 4
  • e25db87 Merge pull request #1474 from crazy-max/rm-export-build-tool
  • 1ac2573 Merge pull request #1470 from crazy-max/node24
  • Additional commits viewable in compare view

Updates aquasecurity/trivy-action from 0.33.1 to 0.35.0

Release notes

Sourced from aquasecurity/trivy-action's releases.

v0.35.0

What's Changed

Full Changelog: aquasecurity/trivy-action@0.34.2...0.35.0

v0.34.2

What's Changed

New Contributors

Full Changelog: aquasecurity/trivy-action@0.34.1...0.34.2

v0.34.1

What's Changed

Full Changelog: aquasecurity/trivy-action@0.34.0...0.34.1

v0.34.0

What's Changed

Full Changelog: aquasecurity/trivy-action@0.33.1...0.34.0

Commits
  • 57a97c7 chore(deps): Update trivy to v0.69.3 (#519)
  • 97e0b38 chore: bump Trivy version to v0.69.2 in test workflow and README (#515)
  • 4c61e63 chore: bump default Trivy version to v0.69.2 (#513)
  • 1bd0625 Merge pull request #508 from nikpivkin/feat/pass-yaml-ignore-file
  • bce3086 remove unused init-cache target
  • 5a9fbb1 supress progress bar when download db
  • 1615450 update trivyignores input description
  • df85774 add comment about fd3
  • 56c8dae remove unused variable
  • e368e32 ci(test): add zizmor security linter for GitHub Actions (#502)
  • Additional commits viewable in compare view

Updates actions/upload-artifact from 4.6.2 to 7.0.0

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

... (truncated)

Commits
  • bbbca2d Support direct file uploads (#764)
  • 589182c Upgrade the module to ESM and bump dependencies (#762)
  • 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
  • 02a8460 Add proxy integration test
  • b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
  • e516bc8 docs: correct description of Node.js 24 support in README
  • ddc45ed docs: update README to correct action name for Node.js 24 support
  • 615b319 chore: release v6.0.0 for Node.js 24 support
  • 017748b Merge pull request #744 from actions/fix-storage-blob
  • 38d4c79 chore: rebuild dist
  • Additional commits viewable in compare view

Updates actions/setup-dotnet from 5.0.1 to 5.2.0

Release notes

Sourced from actions/setup-dotnet's releases.

v5.2.0

What's changed

Enhancements

Dependency Updates

Full Changelog: actions/setup-dotnet@v5...v5.2.0

v5.1.0

What's Changed

Documentation

Dependency updates

New Contributors

Full Changelog: actions/setup-dotnet@v5...v5.1.0

Commits
  • c2fa09f Bump minimatch from 3.1.2 to 3.1.5 (#705)
  • 02574b1 Add support for optional architecture input for cross-architecture .NET insta...
  • 16c7b3c Bump fast-xml-parser from 4.4.1 to 5.3.6 (#671)
  • 131b410 Add support for workloads input (#693)
  • baa11fb Bump test dependencies to resolve System.Net.Http vulnerability, update workf...
  • 24ec4f2 Upgrade to latest actions packages (#687)
  • 4c100cb Fix icons (#604)
  • 25328d8 Bump actions/checkout from 5 to 6 (#684)
  • 937b8dd Update README with note on setting DOTNET_INSTALL_DIR for Linux permission is...
  • See full diff in compare view

Updates dorny/test-reporter from 2.3.0 to 2.6.0

Release notes

Sourced from dorny/test-reporter's releases.

v2.6.0

We updated all dependency packages to latest versions to fix reported security vulnerabilities.

What's Changed

  • Fix: For workflow_run events, resolve the commit of the check run from related pull request head commits first (matching workflow_run.head_branch, then first PR), and fall back to workflow_run.head_sha for non-PR runs dorny/test-reporter#673
  • Change: The test-reporter action will listed all artifacts associated with the build run dorny/test-reporter#693
  • Maintenance: Upgrade to ESLint v9 dorny/test-reporter#629

New Contributors

Full Changelog: dorny/test-reporter@v2.5.0...v2.6.0

v2.5.0

What's Changed

Features

Project maintanance

Full Changelog: dorny/test-reporter@v2.4.0...v2.5.0

v2.4.0

What's Changed

New Contributors

Full Changelog: dorny/test-reporter@v2.3.0...v2.4.0

Changelog

Sourced from

Bumps the major-minor-patch group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.1` | `6.0.2` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.8.2` | `4.9.0` |
| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3.11.1` | `4.0.0` |
| [docker/login-action](https://github.com/docker/login-action) | `3.6.0` | `4.0.0` |
| [docker/metadata-action](https://github.com/docker/metadata-action) | `5.10.0` | `6.0.0` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `6.18.0` | `7.0.0` |
| [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) | `0.33.1` | `0.35.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.0` |
| [actions/setup-dotnet](https://github.com/actions/setup-dotnet) | `5.0.1` | `5.2.0` |
| [dorny/test-reporter](https://github.com/dorny/test-reporter) | `2.3.0` | `2.6.0` |
| [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment) | `2.9.0` | `3.0.2` |



Updates `actions/checkout` from 6.0.1 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@8e8c483...de0fac2)

Updates `actions/dependency-review-action` from 4.8.2 to 4.9.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@3c4e3dc...2031cfc)

Updates `docker/setup-buildx-action` from 3.11.1 to 4.0.0
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@e468171...4d04d5d)

Updates `docker/login-action` from 3.6.0 to 4.0.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@5e57cd1...b45d80f)

Updates `docker/metadata-action` from 5.10.0 to 6.0.0
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](docker/metadata-action@c299e40...030e881)

Updates `docker/build-push-action` from 6.18.0 to 7.0.0
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@2634353...d08e5c3)

Updates `aquasecurity/trivy-action` from 0.33.1 to 0.35.0
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@b6643a2...57a97c7)

Updates `actions/upload-artifact` from 4.6.2 to 7.0.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...bbbca2d)

Updates `actions/setup-dotnet` from 5.0.1 to 5.2.0
- [Release notes](https://github.com/actions/setup-dotnet/releases)
- [Commits](actions/setup-dotnet@2016bd2...c2fa09f)

Updates `dorny/test-reporter` from 2.3.0 to 2.6.0
- [Release notes](https://github.com/dorny/test-reporter/releases)
- [Changelog](https://github.com/dorny/test-reporter/blob/main/CHANGELOG.md)
- [Commits](dorny/test-reporter@fe45e95...3d76b34)

Updates `marocchino/sticky-pull-request-comment` from 2.9.0 to 3.0.2
- [Release notes](https://github.com/marocchino/sticky-pull-request-comment/releases)
- [Commits](marocchino/sticky-pull-request-comment@331f8f5...70d2764)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: major-minor-patch
- dependency-name: actions/dependency-review-action
  dependency-version: 4.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-minor-patch
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: major-minor-patch
- dependency-name: docker/login-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: major-minor-patch
- dependency-name: docker/metadata-action
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: major-minor-patch
- dependency-name: docker/build-push-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: major-minor-patch
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-minor-patch
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: major-minor-patch
- dependency-name: actions/setup-dotnet
  dependency-version: 5.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-minor-patch
- dependency-name: dorny/test-reporter
  dependency-version: 2.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: major-minor-patch
- dependency-name: marocchino/sticky-pull-request-comment
  dependency-version: 3.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: major-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 16, 2026
@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout de0fac2e4500dabe0009e67214ff5f5447ce83dd 🟢 5.9
Details
CheckScoreReason
Maintained⚠️ 23 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Packaging⚠️ -1packaging workflow not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 3dependency not pinned by hash detected -- score normalized to 3
Security-Policy🟢 9security policy file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
SAST🟢 8SAST tool detected but not run on all commits
actions/actions/upload-artifact bbbca2ddaa5d8feaa63e36b76fdaad77386f024f 🟢 6.2
Details
CheckScoreReason
Maintained🟢 1028 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST🟢 10SAST tool is run on all commits

Scanned Files

  • .github/workflows/scorecard.yml

@dependabot @github

dependabot Bot commented on behalf of github Mar 20, 2026

Copy link
Copy Markdown
Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Mar 20, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/develop/major-minor-patch-92a69162bb branch March 20, 2026 03:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants