chore(deps): update github actions

[oep-renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/create-github-app-token	action	minor	v3.0.0 → v3.1.1
actions/github-script	action	major	v8 → v9
actions/setup-node	action	minor	v6.3.0 → v6.4.0
actions/upload-artifact	action	patch	v7.0.0 → v7.0.1
astral-sh/setup-uv	action	minor	v8.0.0 → v8.1.0
debian	container	digest	f065376 → f9c6a2f
github/codeql-action	action	patch	v4.35.1 → v4.35.2
renovatebot/github-action	action	patch	v46.1.7 → v46.1.12
step-security/harden-runner	action	minor	v2.16.1 → v2.19.0
tj-actions/changed-files	action	patch	v47.0.5 → v47.0.6

---

Release Notes

actions/create-github-app-token (actions/create-github-app-token)

v3.1.1

Compare Source

Bug Fixes

• improve error message when app identifier is empty (#​362) (07e2b76), closes #​249

v3.1.0

Compare Source

Bug Fixes

• deps: bump p-retry from 7.1.1 to 8.0.0 (#​357) (3bbe07d)

Features

• add client-id input and deprecate app-id (#​353) (e6bd4e6)
• update permission inputs (#​358) (076e948)

actions/github-script (actions/github-script)

v9

Compare Source

v9.0.0

Compare Source

New features:

• getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
• Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

• require('@​actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@​actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@​actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
• getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
• If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

• Add ACTIONS_ORCHESTRATION_ID to user-agent string by @​Copilot in #​695
• ci: use deployment: false for integration test environments by @​salmanmkc in #​712
• feat!: add getOctokit to script context, upgrade @​actions/github v9, @​octokit/core v7, and related packages by @​salmanmkc in #​700

New Contributors

• @​Copilot made their first contribution in #​695

Full Changelog: actions/github-script@v8.0.0...v9.0.0

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

What's Changed

Dependency updates:

• Upgrade @​actions dependencies by @​Copilot in #​1525
• Update Node.js versions in versions.yml and bump package to v6.4.0 by @​priya-kinthali in #​1533

New Contributors

• @​Copilot made their first contribution in #​1525

Full Changelog: actions/setup-node@v6...v6.4.0

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

astral-sh/setup-uv (astral-sh/setup-uv)

v8.1.0: 🌈 New input no-project

Compare Source

Changes

This add the a new boolean input no-project.
It only makes sense to use in combination with activate-environment: true and will append --no project to the uv venv call. This is for example useful if you have a pyproject.toml file with parts unparseable by uv

🚀 Enhancements

• Add input no-project in combination with activate-environment @​eifinger (#​856)

🧰 Maintenance

• fix: grant contents:write to validate-release job @​eifinger (#​860)
• Add a release-gate step to the release workflow @​zanieb (#​859)
• Draft commitish releases @​eifinger (#​858)
• Add action-types.yml to instructions @​eifinger (#​857)
• chore: update known checksums for 0.11.7 @​github-actions[bot] (#​853)
• Refactor version resolving @​eifinger (#​852)
• chore: update known checksums for 0.11.6 @​github-actions[bot] (#​850)
• chore: update known checksums for 0.11.5 @​github-actions[bot] (#​845)
• chore: update known checksums for 0.11.4 @​github-actions[bot] (#​843)
• Add a release workflow @​zanieb (#​839)
• chore: update known checksums for 0.11.3 @​github-actions[bot] (#​836)

📚 Documentation

• Update ignore-nothing-to-cache documentation @​eifinger (#​833)
• Pin setup-uv docs to v8 @​eifinger (#​829)

⬆️ Dependency updates

• chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 @​dependabot[bot] (#​855)

github/codeql-action (github/codeql-action)

v4.35.2

Compare Source

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #​3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #​3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #​3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #​3807
• Update default CodeQL bundle version to 2.25.2. #​3823

renovatebot/github-action (renovatebot/github-action)

v46.1.12

Compare Source

Bug Fixes

• deps: update dependency @​actions/core to v3.0.1 (e8a6055)

Documentation

• update references to renovatebot/github-action to v46.1.11 (317011a)

Miscellaneous Chores

• deps: update dependency typescript-eslint to v8.59.0 (8e3560a)

Continuous Integration

• deps: update ghcr.io/renovatebot/renovate docker tag to v43.142.0 (0fee00d)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.142.1 (c7cfc88)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.144.0 (39e7d09)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.145.0 (0bbd415)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.146.0 (889c739)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.147.0 (7addce6)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.150.0 (804ce16)

v46.1.11

Compare Source

Documentation

• update references to renovatebot/github-action to v46.1.10 (0b264d2)

Miscellaneous Chores

• deps: update actions/setup-node action to v6.4.0 (951a814)
• deps: update dependency prettier to v3.8.3 (a763833)
• deps: update dependency typescript-eslint to v8.58.2 (119d68e)

Build System

• deps: lock file maintenance (f82feed)

Continuous Integration

• deps: update ghcr.io/renovatebot/renovate docker tag to v43.132.3 (99cc805)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.133.0 (a63d39b)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.135.0 (955b000)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.136.0 (65167cd)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.136.1 (7b21b86)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.136.3 (28a2dc0)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.137.0 (b0cf2a4)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.138.0 (3700882)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.138.1 (f516ce2)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.138.3 (3411548)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.139.0 (5201886)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.139.1 (5856263)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.139.4 (999691d)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.139.5 (f703a54)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.139.6 (3ba85c2)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.139.7 (96f2f09)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.139.8 (5af45e5)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.140.0 (01e9139)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.141.0 (814a2a4)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.141.1 (fb3abdf)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.141.2 (e3a9af5)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.141.5 (4f14b2f)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.141.6 (2357784)

v46.1.10

Compare Source

Documentation

• update references to renovatebot/github-action to v46.1.9 (ed96e8a)

Miscellaneous Chores

• deps: update actions/cache action to v5.0.5 (0b43175)
• deps: update dependency globals to v17.5.0 (429b645)
• deps: update dependency prettier to v3.8.2 (8bfc8a3)
• deps: update dependency typescript-eslint to v8.58.1 (#​1026) (f0c5d61)
• deps: update node.js to v24.15.0 (c493ede)

Build System

• deps: lock file maintenance (5f318b8)

Continuous Integration

• add Zizmor for GitHub Actions linting (#​1025) (3ce6ef9)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.111.1 (77016cf)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.111.2 (d4ee47a)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.111.3 (9533edc)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.113.0 (7028a3e)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.115.1 (00ae40b)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.123.0 (4d39d22)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.123.3 (06b71b8)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.123.4 (bd145c9)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.123.5 (59cbcc3)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.123.6 (195ddbe)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.123.8 (9286cb7)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.124.1 (dbcd02c)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.125.0 (754b499)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.125.1 (5ee1022)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.126.0 (a4188be)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.127.2 (#​1027) (b962e40)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.127.3 (6e1df28)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.128.1 (5429eaa)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.129.0 (9f025e5)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.130.1 (#​1028) (0f49bd4)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.131.0 (8c3b0ff)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.132.0 (81c8ffb)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.132.1 (f84cc28)

v46.1.9

Compare Source

Documentation

• update references to renovatebot/github-action to v46.1.8 (65fadb1)

Miscellaneous Chores

• deps: update dependency @​types/node to v24.12.1 (574fb8e)
• deps: update dependency @​types/node to v24.12.2 (8eec7f0)
• deps: update dependency esbuild to v0.27.5 (fb75c7e)
• deps: update dependency esbuild to v0.27.7 (709e29c)
• deps: update dependency esbuild to v0.28.0 (143a7fb)
• deps: update dependency typescript-eslint to v8.58.0 (20ecf26)

Build System

• deps: lock file maintenance (646e9b0)

Continuous Integration

• deps: update ghcr.io/renovatebot/renovate docker tag to v43.104.6 (e6e6157)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.104.7 (38c3a5d)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.104.8 (34a118b)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.108.1 (d946ea8)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.109.0 (16020af)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.109.1 (22a6725)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.109.3 (f9ce60c)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.110.10 (8e63580)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.110.12 (4700a42)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.110.13 (2155516)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.110.14 (747253b)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.110.16 (84e3bcc)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.110.17 (b649498)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.110.2 (c149fdf)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.110.4 (9deca28)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.110.7 (eb7409a)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.110.8 (2e39b3e)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.110.9 (b45c6e7)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.111.0 (9feb404)

v46.1.8

Compare Source

Documentation

• update references to renovatebot/github-action to v46.1.7 (784cabc)

Miscellaneous Chores

• configure pnpm (42adbac)
• deps: update dependency conventional-changelog-conventionalcommits to v9.3.1 (0dd322f)
• deps: update dependency typescript-eslint to v8.57.2 (91d6038)
• deps: update pnpm to v10.33.0 (10556c1)
• deps: update pnpm/action-setup action to v5 (#​1022) (97c4175)
• update lodash to v4.18.1 (8a6b3d7)
• update lodash-es to v4.18.1 (b99db03)

Build System

• deps: lock file maintenance (768a348)

Continuous Integration

• deps: update ghcr.io/renovatebot/renovate docker tag to v43.100.0 (9cf5ad2)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.101.1 (b404d85)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.101.2 (7045453)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.101.4 (b48791f)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.101.7 (e606f42)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.102.0 (4ec3adc)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.102.10 (a064167)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.102.11 (5bae778)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.102.2 (9d053ec)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.102.3 (641d4cb)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.102.6 (e59ffc6)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.102.8 (234aba7)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.103.0 (36d2aba)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.104.0 (4cea95b)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.104.1 (5274e54)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.104.2 (2ef116f)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.104.3 (db16b25)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.104.4 (a45eeac)

step-security/harden-runner (step-security/harden-runner)

v2.19.0

Compare Source

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

• Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
• System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

Compare Source

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

v2.17.0

Compare Source

What's Changed

Policy Store Support

Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode.

Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0

tj-actions/changed-files (tj-actions/changed-files)

v47.0.6

Compare Source

What's Changed

• Upgraded to v47.0.5 by @​github-actions[bot] in #​2816
• Updated README.md by @​github-actions[bot] in #​2817
• chore(deps): bump actions/setup-node from 6.2.0 to 6.3.0 by @​dependabot[bot] in #​2818
• chore(deps-dev): bump @​types/node from 25.3.3 to 25.3.5 by @​dependabot[bot] in #​2820
• chore(deps): bump github/codeql-action from 4.32.5 to 4.32.6 by @​dependabot[bot] in #​2819
• chore(deps-dev): bump @​types/node from 25.3.5 to 25.5.0 by @​dependabot[bot] in #​2825
• chore(deps): bump actions/download-artifact from 8.0.0 to 8.0.1 by @​dependabot[bot] in #​2824
• chore(deps): bump github/codeql-action from 4.32.6 to 4.35.1 by @​dependabot[bot] in #​2834
• chore(deps-dev): bump eslint-plugin-jest from 29.15.0 to 29.15.1 by @​dependabot[bot] in #​2831
• chore(deps): bump yaml from 2.8.2 to 2.8.3 by @​dependabot[bot] in #​2830
• chore(deps): bump nrwl/nx-set-shas from 4.4.0 to 5.0.1 by @​dependabot[bot] in #​2829
• chore(deps-dev): bump jest from 30.2.0 to 30.3.0 by @​dependabot[bot] in #​2822
• chore(deps): bump github/codeql-action from 4.35.1 to 4.35.2 by @​dependabot[bot] in #​2849
• chore(deps-dev): bump prettier from 3.8.1 to 3.8.3 by @​dependabot[bot] in #​2848
• chore(deps-dev): bump @​types/node from 25.5.0 to 25.6.0 by @​dependabot[bot] in #​2846
• chore(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 by @​dependabot[bot] in #​2844
• chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 by @​dependabot[bot] in #​2843
• chore(deps): bump lodash from 4.17.23 to 4.18.1 by @​dependabot[bot] in #​2837

Full Changelog: tj-actions/changed-files@v47.0.5...v47.0.6

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • On day 1 and 15 of the month (* * 1,15 * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.