chore(deps): bump the github-actions group across 1 directory with 8 updates by dependabot[bot] · Pull Request #4989 · open-telemetry/opentelemetry-python

dependabot · 2026-03-17T11:41:22Z

Bumps the github-actions group with 8 updates in the / directory:

Package	From	To
actions/checkout	`4`	`6`
actions/create-github-app-token	`2.0.6`	`3.1.1`
tj-actions/changed-files	`46`	`47`
github/codeql-action	`3`	`4`
fossas/fossa-action	`1.7.0`	`1.9.0`
actions/setup-python	`5`	`6`
ossf/scorecard-action	`2.4.2`	`2.4.3`
actions/upload-artifact	`4.6.2`	`7.0.1`

Updates actions/checkout from 4 to 6

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

Update README to include Node.js 24 support details and requirements by @salmanmkc in actions/checkout#2248

Persist creds to a separate file by @ericsciple in actions/checkout#2286

v6-beta by @ericsciple in actions/checkout#2298

update readme/changelog for v6 by @ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Port v6 cleanup to v5 by @ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

Update actions checkout to use node 24 by @salmanmkc in actions/checkout#2226

Prepare v5.0.0 release by @salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

Port v6 cleanup to v4 by @ericsciple in actions/checkout#2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

docs: update README.md by @motss in actions/checkout#1971

Add internal repos for checking out multiple repositories by @mouismail in actions/checkout#1977

Documentation update - add recommended permissions to Readme by @benwells in actions/checkout#2043

... (truncated)

Commits

de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
8e8c483 Clarify v6 README (#2328)
033fa0d Add worktree support for persist-credentials includeIf (#2327)
c2d88d3 Update all references from v5 and v4 to v6 (#2314)
1af3b93 update readme/changelog for v6 (#2311)
71cf226 v6-beta (#2298)
069c695 Persist creds to a separate file (#2286)
ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
08c6903 Prepare v5.0.0 release (#2238)
Additional commits viewable in compare view

Updates actions/create-github-app-token from 2.0.6 to 3.1.1

Release notes

Sourced from actions/create-github-app-token's releases.

v3.1.1

3.1.1 (2026-04-11)

Bug Fixes

improve error message when app identifier is empty (#362) (07e2b76), closes #249

v3.1.0

3.1.0 (2026-04-11)

Bug Fixes

deps: bump p-retry from 7.1.1 to 8.0.0 (#357) (3bbe07d)

Features

add client-id input and deprecate app-id (#353) (e6bd4e6)

update permission inputs (#358) (076e948)

v3.0.0

3.0.0 (2026-03-14)

feat!: node 24 support (#275) (2e564a0)

fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (4451bcb)

Bug Fixes

remove custom proxy handling (#143) (dce0ab0)

BREAKING CHANGES

Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.

Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

deps: bump @actions/core from 1.11.1 to 3.0.0 (#337) (b044133)

deps: bump minimatch from 9.0.5 to 9.0.9 (#335) (5cbc656)

deps: bump the production-dependencies group with 4 updates (#336) (6bda5bc)

deps: bump undici from 7.16.0 to 7.18.2 (#323) (b4f638f)

... (truncated)

Commits

1b10c78 build(release): 3.1.1 [skip ci]
07e2b76 fix: improve error message when app identifier is empty (#362)
ea01216 ci: remove publish-immutable-action workflow (#361)
7bd0371 build(release): 3.1.0 [skip ci]
e6bd4e6 feat: add client-id input and deprecate app-id (#353)
076e948 feat: update permission inputs (#358)
3bbe07d fix(deps): bump p-retry from 7.1.1 to 8.0.0 (#357)
28a99e3 build(deps-dev): bump c8 from 10.1.3 to 11.0.0
4df5060 build(deps-dev): bump open-cli from 8.0.0 to 9.0.0
4843c53 build(deps-dev): bump the development-dependencies group with 3 updates
Additional commits viewable in compare view

Updates tj-actions/changed-files from 46 to 47

Release notes

Sourced from tj-actions/changed-files's releases.

v47

Changes in v47.0.2

What's Changed

chore(deps-dev): bump eslint-plugin-jest from 29.2.1 to 29.11.0 by @dependabot[bot] in tj-actions/changed-files#2751

chore(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in tj-actions/changed-files#2741

chore(deps): bump actions/download-artifact from 6.0.0 to 7.0.0 by @dependabot[bot] in tj-actions/changed-files#2743

chore(deps): bump @actions/core from 2.0.0 to 2.0.2 by @dependabot[bot] in tj-actions/changed-files#2757

Updated README.md by @github-actions[bot] in tj-actions/changed-files#2768

chore: update dist by @jackton1 in tj-actions/changed-files#2769

chore: update matrix-example.yml by @jackton1 in tj-actions/changed-files#2752

feat: add support for excluding symlinks and fix bug with commit not found by @jackton1 in tj-actions/changed-files#2770

chore(deps): bump github/codeql-action from 4.31.7 to 4.31.10 by @dependabot[bot] in tj-actions/changed-files#2761

Updated README.md by @github-actions[bot] in tj-actions/changed-files#2771

chore(deps-dev): bump eslint-plugin-jest from 29.11.0 to 29.12.1 by @dependabot[bot] in tj-actions/changed-files#2756

chore(deps-dev): bump @types/lodash from 4.17.21 to 4.17.23 by @dependabot[bot] in tj-actions/changed-files#2759

fix: Update test.yml by @jackton1 in tj-actions/changed-files#2781

chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in tj-actions/changed-files#2777

chore(deps): bump @stdlib/utils-convert-path from 0.2.2 to 0.2.3 by @dependabot[bot] in tj-actions/changed-files#2795

chore(deps-dev): bump @types/node from 25.0.0 to 25.2.2 by @dependabot[bot] in tj-actions/changed-files#2793

chore(deps): bump actions/setup-node from 6.1.0 to 6.2.0 by @dependabot[bot] in tj-actions/changed-files#2766

Full Changelog: tj-actions/changed-files@v47.0.1...v47.0.2

Changes in v47.0.1

What's Changed

Upgraded to v47 by @github-actions[bot] in tj-actions/changed-files#2663

chore(deps-dev): bump @types/node from 24.3.1 to 24.4.0 by @dependabot[bot] in tj-actions/changed-files#2664

chore(deps-dev): bump ts-jest from 29.4.1 to 29.4.3 by @dependabot[bot] in tj-actions/changed-files#2671

chore(deps-dev): bump @vercel/ncc from 0.38.3 to 0.38.4 by @dependabot[bot] in tj-actions/changed-files#2670

chore(deps-dev): bump @types/uuid from 10.0.0 to 11.0.0 by @dependabot[bot] in tj-actions/changed-files#2668

chore(deps-dev): bump @types/node from 24.4.0 to 24.5.2 by @dependabot[bot] in tj-actions/changed-files#2669

chore(deps): bump github/codeql-action from 3.30.3 to 3.30.4 by @dependabot[bot] in tj-actions/changed-files#2675

chore(deps-dev): bump ts-jest from 29.4.3 to 29.4.4 by @dependabot[bot] in tj-actions/changed-files#2672

chore(deps): bump github/codeql-action from 3.30.4 to 3.30.5 by @dependabot[bot] in tj-actions/changed-files#2676

chore(deps-dev): bump jest from 30.1.3 to 30.2.0 by @dependabot[bot] in tj-actions/changed-files#2677

chore(deps-dev): bump @types/node from 24.5.2 to 24.6.1 by @dependabot[bot] in tj-actions/changed-files#2679

chore(deps-dev): bump @types/node from 24.6.1 to 24.6.2 by @dependabot[bot] in tj-actions/changed-files#2681

chore(deps): bump github/codeql-action from 3.30.5 to 3.30.6 by @dependabot[bot] in tj-actions/changed-files#2680

chore(deps-dev): bump @types/node from 24.6.2 to 24.9.1 by @dependabot[bot] in tj-actions/changed-files#2695

chore(deps): bump github/codeql-action from 3.30.6 to 4.30.9 by @dependabot[bot] in tj-actions/changed-files#2693

chore(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @dependabot[bot] in tj-actions/changed-files#2690

chore(deps): bump github/codeql-action from 4.30.9 to 4.31.2 by @dependabot[bot] in tj-actions/changed-files#2702

chore(deps-dev): bump @types/node from 24.9.1 to 24.9.2 by @dependabot[bot] in tj-actions/changed-files#2700

chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in tj-actions/changed-files#2698

chore(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @dependabot[bot] in tj-actions/changed-files#2697

chore(deps-dev): bump @types/micromatch from 4.0.9 to 4.0.10 by @dependabot[bot] in tj-actions/changed-files#2699

chore(deps-dev): bump ts-jest from 29.4.4 to 29.4.5 by @dependabot[bot] in tj-actions/changed-files#2688

... (truncated)

Changelog

Sourced from tj-actions/changed-files's changelog.

Changelog

47.0.6 - (2026-04-18)

🔄 Update

Updated README.md (#2817)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Tonye Jack jtonye@ymail.com (c23d52b) - (github-actions[bot])

⚙️ Miscellaneous Tasks

deps: Bump lodash from 4.17.23 to 4.18.1 (#2837) (9426d40) - (dependabot[bot])

deps: Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (#2843) (32de080) - (dependabot[bot])

deps: Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#2844) (2487d12) - (dependabot[bot])

deps-dev: Bump @types/node from 25.5.0 to 25.6.0 (#2846) (cef85a3) - (dependabot[bot])

deps-dev: Bump prettier from 3.8.1 to 3.8.3 (#2848) (7b082de) - (dependabot[bot])

deps: Bump github/codeql-action from 4.35.1 to 4.35.2 (#2849) (07224ca) - (dependabot[bot])

deps-dev: Bump jest from 30.2.0 to 30.3.0 (#2822) (2bb1357) - (dependabot[bot])

deps: Bump nrwl/nx-set-shas from 4.4.0 to 5.0.1 (#2829) (cc98117) - (dependabot[bot])

deps: Bump yaml from 2.8.2 to 2.8.3 (#2830) (786e421) - (dependabot[bot])

deps-dev: Bump eslint-plugin-jest from 29.15.0 to 29.15.1 (#2831) (726b41b) - (dependabot[bot])

deps: Bump github/codeql-action from 4.32.6 to 4.35.1 (#2834) (2c3585e) - (dependabot[bot])

deps: Bump actions/download-artifact from 8.0.0 to 8.0.1 (#2824) (3d37a7f) - (dependabot[bot])

deps-dev: Bump @types/node from 25.3.5 to 25.5.0 (#2825) (445b0eb) - (dependabot[bot])

deps: Bump github/codeql-action from 4.32.5 to 4.32.6 (#2819) (4f892cd) - (dependabot[bot])

deps-dev: Bump @types/node from 25.3.3 to 25.3.5 (#2820) (6118651) - (dependabot[bot])

deps: Bump actions/setup-node from 6.2.0 to 6.3.0 (#2818) (e517d7a) - (dependabot[bot])

⬆️ Upgrades

Upgraded to v47.0.5 (#2816)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Tonye Jack jtonye@ymail.com (4750530) - (github-actions[bot])

47.0.5 - (2026-03-03)

🔄 Update

Updated README.md (#2805)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> (35dace0) - (github-actions[bot])

Updated README.md (#2803)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Tonye Jack jtonye@ymail.com (9ee99eb) - (github-actions[bot])

⚙️ Miscellaneous Tasks

... (truncated)

Commits

24d32ff upgrade: to node24 (#2662)
9a67555 chore(deps-dev): bump jest from 30.0.5 to 30.1.3 (#2655)
b67e30d chore(deps): bump tj-actions/git-cliff from 2.1.0 to 2.2.0 (#2660)
62aef42 chore(deps): bump github/codeql-action from 3.30.2 to 3.30.3 (#2661)
e874f3c chore(deps): bump github/codeql-action from 3.29.11 to 3.30.2 (#2659)
8c14441 chore(deps): bump actions/setup-node from 4.4.0 to 5.0.0 (#2656)
e995ac4 chore(deps-dev): bump @types/node from 24.3.0 to 24.3.1 (#2657)
3b04099 chore(deps-dev): bump @types/node from 24.2.1 to 24.3.0 (#2649)
e7b6c97 chore(deps): bump github/codeql-action from 3.29.9 to 3.29.11 (#2651)
765d62b chore(deps): bump tj-actions/git-cliff from 2.0.2 to 2.1.0 (#2648)
Additional commits viewable in compare view

Updates github/codeql-action from 3 to 4

Release notes

Sourced from github/codeql-action's releases.

v3.35.3

Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837

Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850

Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853

Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852

Update default CodeQL bundle version to 2.25.3. #3865

v3.35.2

The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795

The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789

Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794

Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807

Update default CodeQL bundle version to 2.25.2. #3823

v3.35.1

Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

v3.35.0

Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767

Update default CodeQL bundle version to 2.25.1. #3773

v3.34.1

Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

v3.34.0

Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569

We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584

Update default CodeQL bundle version to 2.25.0. #3585

v3.33.0

Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562 To opt out of this change:

Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

v3.32.6

Update default CodeQL bundle version to 2.24.3. #3548

v3.32.5

Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507

Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487

The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515

Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516

Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498

... (truncated)

Commits

5145c11 Bump ruby/setup-ruby
7108503 Bump @ava/typescript from 6.0.0 to 7.0.0
4fe9b1e Merge pull request #3856 from github/henrymercer/overlay-add-log-group
56733fb Add log group for downloading overlay-base DB
0a63608 Add GHES 3.21 to supported versions table
97be3af Deprecate CodeQL versions 2.19.3 and earlier
See full diff in compare view

Updates fossas/fossa-action from 1.7.0 to 1.9.0

Release notes

Sourced from fossas/fossa-action's releases.

v1.9.0

What's Changed

Bump actions/checkout from 5 to 6 by @dependabot[bot] in fossas/fossa-action#245

Bump @actions/tool-cache from 3.0.1 to 4.0.0 by @dependabot[bot] in fossas/fossa-action#267

Bump undici from 6.23.0 to 6.24.1 by @spatten in fossas/fossa-action#275

Add CI workflow to auto-rebuild dist by @spatten in fossas/fossa-action#276

Bump actions/upload-artifact from 4 to 7 by @dependabot[bot] in fossas/fossa-action#272

Add CodeRabbit configuration by @chad-fossa in fossas/fossa-action#271

Bump @types/node from 25.2.0 to 25.2.1 by @dependabot[bot] in fossas/fossa-action#269

New Contributors

@chad-fossa made their first contribution in fossas/fossa-action#271

Full Changelog: fossas/fossa-action@v1.8.0...v1.9.0

v1.8.0

No release notes provided.

Commits

ff70fe9 Bump @types/node from 25.2.0 to 25.2.1 (#269)
266ac4f Add CodeRabbit configuration (#271)
ad09c5f Bump actions/upload-artifact from 4 to 7 (#272)
0bdc47f Add CI workflow to auto-rebuild dist (#276)
b74b788 Bump undici from 6.23.0 to 6.24.1 (#275)
c9be25a Bump @actions/tool-cache from 3.0.1 to 4.0.0 (#267)
edcc582 Bump actions/checkout from 5 to 6 (#245)
c414b9a Pin version opt (#266)
ba7c3df Bump @actions/core from 2.0.1 to 2.0.2 (#263)
c95b9b8 Bump @actions/tool-cache from 2.0.2 to 3.0.0 (#262)
Additional commits viewable in compare view

Updates actions/setup-python from 5 to 6

Release notes

Sourced from actions/setup-python's releases.

v6.0.0

What's Changed

Breaking Changes

Upgrade to node 24 by @salmanmkc in actions/setup-python#1164

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

Add support for pip-version by @priyagupta108 in actions/setup-python#1129

Enhance reading from .python-version by @krystof-k in actions/setup-python#787

Add version parsing from Pipfile by @aradkdj in actions/setup-python#1067

Bug fixes:

Clarify pythonLocation behaviour for PyPy and GraalPy in environment variables by @aparnajyothi-y in actions/setup-python#1183

Change missing cache directory error to warning by @aparnajyothi-y in actions/setup-python#1182

Add Architecture-Specific PATH Management for Python with --user Flag on Windows by @aparnajyothi-y in actions/setup-python#1122

Include python version in PyPy python-version output by @cdce8p in actions/setup-python#1110

Update docs: clarification on pip authentication with setup-python by @priya-kinthali in actions/setup-python#1156

Dependency updates:

Upgrade idna from 2.9 to 3.7 in /tests/data by @dependabot[bot] in actions/setup-python#843

Upgrade form-data to fix critical vulnerabilities #182 & #183 by @aparnajyothi-y in actions/setup-python#1163

Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download by @aparnajyothi-y in actions/setup-python#1165

Upgrade actions/checkout from 4 to 5 by @dependabot[bot] in actions/setup-python#1181

Upgrade @actions/tool-cache from 2.0.1 to 2.0.2 by @dependabot[bot] in actions/setup-python#1095

New Contributors

@krystof-k made their first contribution in actions/setup-python#787

@cdce8p made their first contribution in actions/setup-python#1110

@aradkdj made their first contribution in actions/setup-python#1067

Full Changelog: actions/setup-python@v5...v6.0.0

v5.6.0

What's Changed

Workflow updates related to Ubuntu 20.04 by @aparnajyothi-y in actions/setup-python#1065

Fix for Candidate Not Iterable Error by @aparnajyothi-y in actions/setup-python#1082

Upgrade semver and @types/semver by @dependabot in actions/setup-python#1091

Upgrade prettier from 2.8.8 to 3.5.3 by @dependabot in actions/setup-python#1046

Upgrade ts-jest from 29.1.2 to 29.3.2 by @dependabot in actions/setup-python#1081

Full Changelog: actions/setup-python@v5...v5.6.0

v5.5.0

What's Changed

Enhancements:

Support free threaded Python versions like '3.13t' by @colesbury in actions/setup-python#973

Enhance Workflows: Include ubuntu-arm runners, Add e2e Testing for free threaded and Upgrade @action/cache from 4.0.0 to 4.0.3 by @priya-kinthali in actions/setup-python#1056

Add support for .tool-versions file in setup-python by @mahabaleshwars in actions/setup-python#1043

Bug fixes:

Fix architecture for pypy on Linux ARM64 by @mayeut in actions/setup-python#1011 This update maps arm64 to aarch64 for Linux ARM64 PyPy installations.

... (truncated)

Commits

a309ff8 Bump urllib3 from 2.6.0 to 2.6.3 in /tests/data (#1264)
bfe8cc5 Upgrade @actions dependencies to Node 24 compatible versions (#1259)
4f41a90 Bump urllib3 from 2.5.0 to 2.6.0 in /tests/data (#1253)
83679a8 Bump @types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel ...
bfc4944 Bump prettier from 3.5.3 to 3.6.2 (#1234)
97aeb3e Bump requests from 2.32.2 to 2.32.4 in /tests/data (#1130)
443da59 Bump actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pi...
cfd55ca graalpy: add graalpy early-access and windows builds (#880)
bba65e5 Bump typescript from 5.4.2 to 5.9.3 and update docs/advanced-usage.md (#1094)
18566f8 Improve wording and "fix example" (remove 3.13) on testing against pre-releas...
Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.2 to 2.4.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.3

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

docs: clarify GITHUB_TOKEN permissions needed for private repos by @pankajtaneja5 in ossf/scorecard-action#1574

📖 Fix recommended command to test the image in development by @deivid-rodriguez in ossf/scorecard-action#1583

Other

add missing top-level token permissions to workflows by @timothyklee in ossf/scorecard-action#1566

setup codeowners for requesting reviews by @spencerschrockDescription has been truncated Note Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

…updates Bumps the github-actions group with 8 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `4` | `6` | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `2.0.6` | `3.1.1` | | [tj-actions/changed-files](https://github.com/tj-actions/changed-files) | `46` | `47` | | [github/codeql-action](https://github.com/github/codeql-action) | `3` | `4` | | [fossas/fossa-action](https://github.com/fossas/fossa-action) | `1.7.0` | `1.9.0` | | [actions/setup-python](https://github.com/actions/setup-python) | `5` | `6` | | [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.4.2` | `2.4.3` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.1` | Updates `actions/checkout` from 4 to 6 - [Release notes](https://github.com/actions/checkout/releases) - [Commits](actions/checkout@v4...v6) Updates `actions/create-github-app-token` from 2.0.6 to 3.1.1 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](actions/create-github-app-token@df432ce...1b10c78) Updates `tj-actions/changed-files` from 46 to 47 - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@v46...v47) Updates `github/codeql-action` from 3 to 4 - [Release notes](https://github.com/github/codeql-action/releases) - [Commits](github/codeql-action@v3...v4) Updates `fossas/fossa-action` from 1.7.0 to 1.9.0 - [Release notes](https://github.com/fossas/fossa-action/releases) - [Commits](fossas/fossa-action@3ebcea1...ff70fe9) Updates `actions/setup-python` from 5 to 6 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@v5...v6) Updates `ossf/scorecard-action` from 2.4.2 to 2.4.3 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@05b42c6...4eaacf0) Updates `actions/upload-artifact` from 4.6.2 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@ea165f8...043fb46) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/create-github-app-token dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/setup-python dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: fossas/fossa-action dependency-version: 1.8.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: tj-actions/changed-files dependency-version: '47' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-05-12T02:03:48Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 17, 2026

dependabot Bot requested a review from a team as a code owner March 17, 2026 11:41

dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 17, 2026

github-project-automation Bot added this to Python PR digest Mar 17, 2026

dependabot Bot force-pushed the dependabot/github_actions/github-actions-57b60f274f branch 2 times, most recently from 7039099 to 042806c Compare March 23, 2026 19:20

dependabot Bot force-pushed the dependabot/github_actions/github-actions-57b60f274f branch 3 times, most recently from 587f01c to 540c429 Compare April 6, 2026 19:15

dependabot Bot force-pushed the dependabot/github_actions/github-actions-57b60f274f branch 2 times, most recently from 60cb02e to 334ef1b Compare April 13, 2026 20:17

dependabot Bot force-pushed the dependabot/github_actions/github-actions-57b60f274f branch from 334ef1b to cf23715 Compare April 20, 2026 21:22

dependabot Bot changed the title ~~build(deps): bump the github-actions group across 1 directory with 8 updates~~ chore(deps): bump the github-actions group across 1 directory with 8 updates Apr 27, 2026

dependabot Bot force-pushed the dependabot/github_actions/github-actions-57b60f274f branch from cf23715 to 70480aa Compare April 27, 2026 22:55

dependabot Bot force-pushed the dependabot/github_actions/github-actions-57b60f274f branch from 70480aa to 484d7a2 Compare May 4, 2026 23:29

dependabot Bot closed this May 12, 2026

dependabot Bot deleted the dependabot/github_actions/github-actions-57b60f274f branch May 12, 2026 02:03

github-project-automation Bot moved this to Done in Python PR digest May 12, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the github-actions group across 1 directory with 8 updates#4989

chore(deps): bump the github-actions group across 1 directory with 8 updates#4989
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/github-actions-57b60f274f

dependabot Bot commented on behalf of github Mar 17, 2026 •

edited

Loading

Uh oh!

dependabot Bot commented on behalf of github May 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v6.0.0

What's Changed

v6-beta

What's Changed

v5.0.1

What's Changed

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v4.3.1

What's Changed

v4.3.0

What's Changed

v3.1.1

3.1.1 (2026-04-11)

Bug Fixes

v3.1.0

3.1.0 (2026-04-11)

Bug Fixes

Features

v3.0.0

3.0.0 (2026-03-14)

Bug Fixes

BREAKING CHANGES

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

v47

Changes in v47.0.2

What's Changed

Changes in v47.0.1

What's Changed

Changelog

47.0.6 - (2026-04-18)

🔄 Update

⚙️ Miscellaneous Tasks

⬆️ Upgrades

47.0.5 - (2026-03-03)

🔄 Update

⚙️ Miscellaneous Tasks

v3.35.3

v3.35.2

v3.35.1

v3.35.0

v3.34.1

v3.34.0

v3.33.0

v3.32.6

v3.32.5

v1.9.0

What's Changed

New Contributors

v1.8.0

v6.0.0

What's Changed

Breaking Changes

Enhancements:

Bug fixes:

Dependency updates:

New Contributors

v5.6.0

What's Changed

v5.5.0

What's Changed

Enhancements:

Bug fixes:

v2.4.3

What's Changed

Documentation

Other

Uh oh!

dependabot Bot commented on behalf of github May 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

dependabot Bot commented on behalf of github Mar 17, 2026 •

edited

Loading