Skip to content

chore(deps): bump the actions-version-updates group across 1 directory with 14 updates#93

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions-version-updates-66237abebc
Open

chore(deps): bump the actions-version-updates group across 1 directory with 14 updates#93
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions-version-updates-66237abebc

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor

Bumps the actions-version-updates group with 14 updates in the / directory:

Package From To
step-security/harden-runner 2.12.0 2.19.4
actions/checkout 4.2.2 7.0.0
actions/dependency-review-action 4.7.1 5.0.0
docker/setup-buildx-action 3.10.0 4.1.0
docker/build-push-action 6.17.0 7.3.0
ruby/setup-ruby 1.288.0 1.315.0
stefanzweifel/git-auto-commit-action 5.2.0 7.2.0
actions/download-artifact 4.3.0 8.0.1
JetBrains/qodana-action 201551778d1453e36c5c0aa26f89a94775cb1acc f5aa2889b113c16bd6aee47817b027537ee33ac7
ossf/scorecard-action 2.4.1 2.4.3
github/codeql-action/upload-sarif 3.28.18 4.36.2
mridang/action-test-reporter 1.2.5 1.7.0
actions/upload-artifact 4.6.2 7.0.1
dorny/test-reporter 2.0.0 3.0.0

Updates step-security/harden-runner from 2.12.0 to 2.19.4

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.4

What's Changed

  • Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

What's Changed

  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

... (truncated)

Commits
  • 9af89fc Merge pull request #667 from step-security/update-agent-v1.8.6
  • 485dce8 Update agent to v1.8.6
  • ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit
  • ec41b78 Default to audit mode when api-key missing with use-policy-store
  • 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
  • 1dee3df Update agent to v1.8.5
  • a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
  • 6e92856 build dist and trim ubuntu-slim message
  • 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
  • 8d3c67d Release v2.19.0 (#661)
  • Additional commits viewable in compare view

Updates actions/checkout from 4.2.2 to 7.0.0

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Updates actions/dependency-review-action from 4.7.1 to 5.0.0

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

  • There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
  • Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
  • There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

... (truncated)

Commits
  • a1d282b Merge pull request #1098 from actions/ahpook/v5-release
  • eb6c199 update examples to show @​v5
  • 3943c2c v5.0.0 release branch
  • 454943c Merge pull request #1094 from actions/ashelytc/security-findings
  • 6d92a12 revert @​typescript-eslint/parser update
  • a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
  • b6b7079 update @​typescript-eslint/parser to 8.40.0
  • 821a21d update more dependencies
  • 05aaaae run npm audit fix
  • 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
  • Additional commits viewable in compare view

Updates docker/setup-buildx-action from 3.10.0 to 4.1.0

Release notes

Sourced from docker/setup-buildx-action's releases.

v4.1.0

Full Changelog: docker/setup-buildx-action@v4.0.0...v4.1.0

v4.0.0

Full Changelog: docker/setup-buildx-action@v3.12.0...v4.0.0

v3.12.0

Full Changelog: docker/setup-buildx-action@v3.11.1...v3.12.0

v3.11.1

Full Changelog: docker/setup-buildx-action@v3.11.0...v3.11.1

v3.11.0

Full Changelog: docker/setup-buildx-action@v3.10.0...v3.11.0

Commits
  • d7f5e7f Merge pull request #489 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 92bc5c9 chore: update generated content
  • da11e35 build(deps): bump @​docker/actions-toolkit from 0.79.0 to 0.90.0
  • f021e16 Merge pull request #492 from docker/dependabot/npm_and_yarn/undici-6.24.1
  • b5af94f chore: update generated content
  • 16ad977 build(deps): bump undici from 6.23.0 to 6.25.0
  • d7a12d7 Merge pull request #495 from docker/dependabot/npm_and_yarn/glob-10.5.0
  • 28ff27d build(deps): bump glob from 10.3.12 to 13.0.6
  • daf436b Merge pull request #496 from docker/dependabot/npm_and_yarn/fast-xml-parser-5...
  • 9725348 chore: update generated content
  • Additional commits viewable in compare view

Updates docker/build-push-action from 6.17.0 to 7.3.0

Release notes

Sourced from docker/build-push-action's releases.

v7.3.0

Full Changelog: docker/build-push-action@v7.2.0...v7.3.0

v7.2.0

Full Changelog: docker/build-push-action@v7.1.0...v7.2.0

v7.1.0

Full Changelog: docker/build-push-action@v7.0.0...v7.1.0

v7.0.0

Full Changelog: docker/build-push-action@v6.19.2...v7.0.0

v6.19.2

... (truncated)

Commits
  • 53b7df9 Merge pull request #1572 from docker/dependabot/npm_and_yarn/docker/actions-t...
  • 154298c [dependabot skip] chore: update generated content
  • cb1238b chore(deps): Bump @​docker/actions-toolkit from 0.91.0 to 0.92.0
  • 24f845d Merge pull request #1566 from docker/dependabot/npm_and_yarn/js-yaml-4.2.0
  • 9c69730 [dependabot skip] chore: update generated content
  • bc3a3a5 Merge pull request #1574 from docker/dependabot/github_actions/aws-actions/co...
  • a82c504 chore(deps): Bump js-yaml from 4.1.1 to 4.3.0
  • 0285a75 Merge pull request #1573 from docker/dependabot/github_actions/actions/cache-...
  • c6ad2a3 Merge pull request #1575 from docker/dependabot/github_actions/actions/checko...
  • d37484f Merge pull request #1564 from docker/dependabot/npm_and_yarn/undici-6.27.0
  • Additional commits viewable in compare view

Updates ruby/setup-ruby from 1.288.0 to 1.315.0

Release notes

Sourced from ruby/setup-ruby's releases.

v1.315.0

What's Changed

Full Changelog: ruby/setup-ruby@v1.314.0...v1.315.0

v1.314.0

What's Changed

Full Changelog: ruby/setup-ruby@v1.313.0...v1.314.0

v1.313.0

What's Changed

Full Changelog: ruby/setup-ruby@v1.312.0...v1.313.0

v1.312.0

What's Changed

New Contributors

Full Changelog: ruby/setup-ruby@v1.311.0...v1.312.0

v1.311.0

What's Changed

Full Changelog: ruby/setup-ruby@v1.310.0...v1.311.0

v1.310.0

What's Changed

Full Changelog: ruby/setup-ruby@v1.309.0...v1.310.0

v1.309.0

What's Changed

... (truncated)

Commits
  • 0dafeac Add ruby-3.4.10
  • bf35c27 Bump actions/checkout from 6 to 7
  • 9eb537c Add support for ubuntu-26.04 and ubuntu-26.04-arm
  • e1a3b10 Improve versions-strings-for-builder.rb
  • 0df5288 Remove gem install sassc on Windows JRuby
  • 89f9052 Add jruby-10.0.6.0
  • 12fd324 Use BUNDLE_LOCKFILE when detecting the lockfile
  • a99ac84 Add jruby-9.4.15.0
  • afeafc3 Add ruby-4.0.5
  • 28c65f7 Update CRuby releases on Windows
  • Additional commits viewable in compare view

Updates stefanzweifel/git-auto-commit-action from 5.2.0 to 7.2.0

Release notes

Sourced from stefanzweifel/git-auto-commit-action's releases.

v7.2.0

Added

Fixed

Dependency Updates

v7.1.0

Added

Changes

Dependency Updates

v7.0.0

Added

Changed

Dependency Updates

v6.0.1

Fixed

... (truncat...

Description has been truncated

…y with 14 updates

Bumps the actions-version-updates group with 14 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.12.0` | `2.19.4` |
| [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `7.0.0` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.7.1` | `5.0.0` |
| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3.10.0` | `4.1.0` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `6.17.0` | `7.3.0` |
| [ruby/setup-ruby](https://github.com/ruby/setup-ruby) | `1.288.0` | `1.315.0` |
| [stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action) | `5.2.0` | `7.2.0` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `4.3.0` | `8.0.1` |
| [JetBrains/qodana-action](https://github.com/jetbrains/qodana-action) | `201551778d1453e36c5c0aa26f89a94775cb1acc` | `f5aa2889b113c16bd6aee47817b027537ee33ac7` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.4.1` | `2.4.3` |
| [github/codeql-action/upload-sarif](https://github.com/github/codeql-action) | `3.28.18` | `4.36.2` |
| [mridang/action-test-reporter](https://github.com/mridang/action-test-reporter) | `1.2.5` | `1.7.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.1` |
| [dorny/test-reporter](https://github.com/dorny/test-reporter) | `2.0.0` | `3.0.0` |



Updates `step-security/harden-runner` from 2.12.0 to 2.19.4
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@0634a26...9af89fc)

Updates `actions/checkout` from 4.2.2 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@11bd719...9c091bb)

Updates `actions/dependency-review-action` from 4.7.1 to 5.0.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@da24556...a1d282b)

Updates `docker/setup-buildx-action` from 3.10.0 to 4.1.0
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@b5ca514...d7f5e7f)

Updates `docker/build-push-action` from 6.17.0 to 7.3.0
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@1dc7386...53b7df9)

Updates `ruby/setup-ruby` from 1.288.0 to 1.315.0
- [Release notes](https://github.com/ruby/setup-ruby/releases)
- [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb)
- [Commits](ruby/setup-ruby@09a7688...0dafeac)

Updates `stefanzweifel/git-auto-commit-action` from 5.2.0 to 7.2.0
- [Release notes](https://github.com/stefanzweifel/git-auto-commit-action/releases)
- [Changelog](https://github.com/stefanzweifel/git-auto-commit-action/blob/master/CHANGELOG.md)
- [Commits](stefanzweifel/git-auto-commit-action@b863ae1...4a55954)

Updates `actions/download-artifact` from 4.3.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@d3f86a1...3e5f45b)

Updates `JetBrains/qodana-action` from 201551778d1453e36c5c0aa26f89a94775cb1acc to f5aa2889b113c16bd6aee47817b027537ee33ac7
- [Release notes](https://github.com/jetbrains/qodana-action/releases)
- [Commits](JetBrains/qodana-action@2015517...f5aa288)

Updates `ossf/scorecard-action` from 2.4.1 to 2.4.3
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@f49aabe...4eaacf0)

Updates `github/codeql-action/upload-sarif` from 3.28.18 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@ff0a06e...8aad20d)

Updates `mridang/action-test-reporter` from 1.2.5 to 1.7.0
- [Release notes](https://github.com/mridang/action-test-reporter/releases)
- [Changelog](https://github.com/mridang/action-test-reporter/blob/master/release.config.mjs)
- [Commits](mridang/action-test-reporter@v1.2.5...v1.7.0)

Updates `actions/upload-artifact` from 4.6.2 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@ea165f8...043fb46)

Updates `dorny/test-reporter` from 2.0.0 to 3.0.0
- [Release notes](https://github.com/dorny/test-reporter/releases)
- [Changelog](https://github.com/dorny/test-reporter/blob/main/CHANGELOG.md)
- [Commits](dorny/test-reporter@6e6a65b...a43b3a5)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-version-updates
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: actions/dependency-review-action
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: docker/build-push-action
  dependency-version: 7.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: ruby/setup-ruby
  dependency-version: 1.315.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-version-updates
- dependency-name: stefanzweifel/git-auto-commit-action
  dependency-version: 7.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: JetBrains/qodana-action
  dependency-version: f5aa2889b113c16bd6aee47817b027537ee33ac7
  dependency-type: direct:production
  dependency-group: actions-version-updates
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-version-updates
- dependency-name: github/codeql-action/upload-sarif
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: mridang/action-test-reporter
  dependency-version: 1.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-version-updates
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: dorny/test-reporter
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions workflows labels Jul 2, 2026
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Qodana for PHP

It seems all right 👌

No new problems were found according to the checks applied

💡 Qodana analysis was run in the pull request mode: only the changed files were checked
☁️ View the detailed Qodana report

Contact Qodana team

Contact us at qodana-support@jetbrains.com

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions workflows

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants