chore(deps): update github actions#2092
Open
oep-renovate[bot] wants to merge 1 commit intodevelopfrom
Open
Conversation
Signed-off-by: oep-renovate[bot] <212772560+oep-renovate[bot]@users.noreply.github.com>
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
AlbertvanHouten
approved these changes
Apr 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v2.2.1→v3.0.0v4.8.3→v4.9.070fc10c→3e5f45bv7.3.1→v8.0.0v5.5.2→v6.0.0efa25f7→3c5f7eav4.32.5→v4.35.19b1ef60→e80098bv46.1.3→v46.1.7v2.15.0→v2.16.1Release Notes
actions/create-github-app-token (actions/create-github-app-token)
v3.0.0Compare Source
NODE_USE_ENV_PROXYfor proxy support (#342) (4451bcb)Bug Fixes
BREAKING CHANGES
v2.2.2Compare Source
Bug Fixes
actions/dependency-review-action (actions/dependency-review-action)
v4.9.0: Dependency Review Action 4.9.0Compare Source
This feature release contains a couple of notable changes:
show_patched_versionswhich will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @felickz!allow-package-dependencylists, including case (in)sensitivity and url-encoded namespaces Thanks @juxtin!What's Changed
Patched VersiontoVulnerabilitiessummary by @felickz in #1045New Contributors
Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0
astral-sh/setup-uv (astral-sh/setup-uv)
v8.0.0: 🌈 Immutable releases and secure tagsCompare Source
This is the first immutable release of
setup-uv🥳All future releases are also immutable, if you want to know more about what this means checkout the docs.
This release also has two breaking changes
New format for
manifest-fileThe previously deprecated way of defining a custom version manifest to control which
uvversions are available and where to download them from got removed. The functionality is still there but you have to use the new format.No more major and minor tags
To increase security even more we will stop publishing minor tags. You won't be able to use
@v8or@v8.0any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.🚨 Breaking changes
🧰 Maintenance
v7.6.0: 🌈 Fetch uv from Astral's mirror by defaultCompare Source
Changes
We now default to download uv from
releases.astral.sh.This means by default we don't hit the GitHub API at all and shouldn't see any rate limits and timeouts any more.
🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates
v7.5.0: 🌈 Useastral-sh/versionsas version providerCompare Source
No more rate-limits
This release addresses a long-standing source of timeouts and rate-limit failures in setup-uv.
Previously, the action resolved version identifiers like 0.5.x by iterating over available uv releases via the GitHub API to find the best match. In contrast, latest and exact versions such as 0.5.0 skipped version resolution entirely and downloaded uv directly.
The
manifest-fileinput was an earlier attempt to improve this. It allows providing an url to a file that lists available versions, checksums, and even custom download URLs. The action also shipped with such a manifest.However, because that bundled file could become outdated whenever new uv releases were published, the action still had to fall back to the GitHub API in many cases.
This release solves the problem by sourcing version data from Astral’s versions repository via the raw content endpoint:
https://raw.githubusercontent.com/astral-sh/versions/refs/heads/main/v1/uv.ndjson
By using the raw endpoint instead of the GitHub API, version resolution no longer depends on API authentication and is much less likely to run into rate limits or timeouts.
The
manifest-fileinput lets you override that source with your own URL, for example to test custom uv builds or alternate download locations.The manifest file must be in NDJSON format, where each line is a JSON object representing a version and its artifacts. For example:
{"version":"0.10.7","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]} {"version":"0.10.6","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}Changes
🚀 Enhancements
📚 Documentation
v7.4.0: 🌈 Add riscv64 architecture support to platform detectionCompare Source
Changes
Thank you @luhenry for adding support for riscv64 arch
🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates
codecov/codecov-action (codecov/codecov-action)
v6.0.0Compare Source
What's Changed
Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0
v5.5.4Compare Source
This is a mirror of
v5.5.2.v6will be released which requiresnode24What's Changed
Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4
v5.5.3Compare Source
What's Changed
Full Changelog: codecov/codecov-action@v5.5.2...v5.5.3
github/codeql-action (github/codeql-action)
v4.35.1Compare Source
v4.35.0Compare Source
v4.34.1Compare Source
v4.34.0Compare Source
none. We expect this rollout to be complete by the end of April 2026. #3584v4.33.0Compare Source
Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562
To opt out of this change:
github-codeql-file-coverage-on-prsand the type "True/false", then set this property totruein the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set theCODEQL_ACTION_FILE_COVERAGE_ON_PRSenvironment variable totruein your workflow.CODEQL_ACTION_FILE_COVERAGE_ON_PRSenvironment variable totruein your workflow.CODEQL_ACTION_FILE_COVERAGE_ON_PRSenvironment variable totruein your workflow.Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557
The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as
github-codeql-disable-overlaythat was previously only available on GitHub.com. #3559Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563
Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564
A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570
v4.32.6Compare Source
renovatebot/github-action (renovatebot/github-action)
v46.1.7Compare Source
Documentation
Miscellaneous Chores
Build System
Continuous Integration
v46.1.6Compare Source
Documentation
Miscellaneous Chores
Build System
Continuous Integration
v46.1.5Compare Source
Documentation
Miscellaneous Chores
Build System
Continuous Integration
v46.1.4Compare Source
Documentation
Miscellaneous Chores
Build System
Continuous Integration
step-security/harden-runner (step-security/harden-runner)
v2.16.1Compare Source
What's Changed
Enterprise tier: Added support for direct IP addresses in the allow list
Community tier: Migrated Harden Runner telemetry to a new endpoint
Full Changelog: step-security/harden-runner@v2.16.0...v2.16.1
v2.16.0Compare Source
What's Changed
Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0
v2.15.1Compare Source
What's Changed
Full Changelog: step-security/harden-runner@v2.15.0...v2.15.1
Configuration
📅 Schedule: Branch creation - On day 1 of the month ( * * 1 * * ) (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Renovate Bot.