Bump the github-actions group across 1 directory with 5 updates by dependabot[bot] · Pull Request #3524 · jfrog/jfrog-cli

dependabot · 2026-06-01T05:58:02Z

Bumps the github-actions group with 5 updates in the / directory:

Package	From	To
actions/checkout	`5`	`6`
dependabot/fetch-metadata	`3.0.0`	`3.1.0`
jfrog/frogbot	`2`	`3`
nuget/setup-nuget	`3`	`4`
astral-sh/setup-uv	`5`	`7`

Updates actions/checkout from 5 to 6

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

Update README to include Node.js 24 support details and requirements by @salmanmkc in actions/checkout#2248

Persist creds to a separate file by @ericsciple in actions/checkout#2286

v6-beta by @ericsciple in actions/checkout#2298

update readme/changelog for v6 by @ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Port v6 cleanup to v5 by @ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in actions/checkout#2356

v6.0.1

Add worktree support for persist-credentials includeIf by @ericsciple in actions/checkout#2327

v6.0.0

Persist creds to a separate file by @ericsciple in actions/checkout#2286

Update README to include Node.js 24 support details and requirements by @salmanmkc in actions/checkout#2248

v5.0.1

Port v6 cleanup to v5 by @ericsciple in actions/checkout#2301

v5.0.0

Update actions checkout to use node 24 by @salmanmkc in actions/checkout#2226

v4.3.1

Port v6 cleanup to v4 by @ericsciple in actions/checkout#2305

v4.3.0

docs: update README.md by @motss in actions/checkout#1971

Add internal repos for checking out multiple repositories by @mouismail in actions/checkout#1977

Documentation update - add recommended permissions to Readme by @benwells in actions/checkout#2043

Adjust positioning of user email note and permissions heading by @joshmgross in actions/checkout#2044

Update README.md by @nebuk89 in actions/checkout#2194

Update CODEOWNERS for actions by @TingluoHuang in actions/checkout#2224

Update package dependencies by @salmanmkc in actions/checkout#2236

v4.2.2

url-helper.ts now leverages well-known environment variables by @jww3 in actions/checkout#1941

Expand unit test coverage for isGhes by @jww3 in actions/checkout#1946

v4.2.1

Check out other refs/* by commit if provided, fall back to ref by @orhantoy in actions/checkout#1924

v4.2.0

Add Ref and Commit outputs by @lucacome in actions/checkout#1180

Dependency updates by @dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

Bump the minor-npm-dependencies group across 1 directory with 4 updates by @dependabot in actions/checkout#1739

Bump actions/checkout from 3 to 4 by @dependabot in actions/checkout#1697

Check out other refs/* by commit by @orhantoy in actions/checkout#1774

Pin actions/checkout's own workflows to a known, good, stable version. by @jww3 in actions/checkout#1776

v4.1.6

Check platform to set archive extension appropriately by @cory-miller in actions/checkout#1732

... (truncated)

Commits

de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
8e8c483 Clarify v6 README (#2328)
033fa0d Add worktree support for persist-credentials includeIf (#2327)
c2d88d3 Update all references from v5 and v4 to v6 (#2314)
1af3b93 update readme/changelog for v6 (#2311)
71cf226 v6-beta (#2298)
069c695 Persist creds to a separate file (#2286)
ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
See full diff in compare view

Updates dependabot/fetch-metadata from 3.0.0 to 3.1.0

Release notes

Sourced from dependabot/fetch-metadata's releases.

v3.1.0

What's Changed

Add permissions to all workflows by @truggeri in dependabot/fetch-metadata#687

build(deps-dev): bump globals from 16.0.0 to 17.4.0 by @dependabot[bot] in dependabot/fetch-metadata#690

build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 by @dependabot[bot] in dependabot/fetch-metadata#693

build(deps-dev): bump @hono/node-server from 1.19.10 to 1.19.13 by @dependabot[bot] in dependabot/fetch-metadata#694

build(deps-dev): bump hono from 4.12.7 to 4.12.12 by @dependabot[bot] in dependabot/fetch-metadata#695

Dynamically update the tracking tag in action by @truggeri in dependabot/fetch-metadata#696

fix: handle duplicate dependency names in parseMetadataLinks by @devantler in dependabot/fetch-metadata#700

fix: remove $ anchor from updateFragment regex to handle pip directory suffixes by @devantler in dependabot/fetch-metadata#698

Updates to README for permissions clarification by @truggeri in dependabot/fetch-metadata#697

fix: resolve update-type null for Python, Composer, and Terraform PRs by @vitorsdcs in dependabot/fetch-metadata#704

build(deps-dev): bump globals from 17.4.0 to 17.5.0 by @dependabot[bot] in dependabot/fetch-metadata#703

build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1 by @dependabot[bot] in dependabot/fetch-metadata#701

build(deps): bump @actions/github from 9.0.0 to 9.1.0 in the dependencies group across 1 directory by @dependabot[bot] in dependabot/fetch-metadata#702

build(deps-dev): bump hono from 4.12.12 to 4.12.14 by @dependabot[bot] in dependabot/fetch-metadata#705

v3.1.0 by @fetch-metadata-action-automation[bot] in dependabot/fetch-metadata#692

New Contributors

@devantler made their first contribution in dependabot/fetch-metadata#700

@vitorsdcs made their first contribution in dependabot/fetch-metadata#704

Full Changelog: dependabot/fetch-metadata@v3...v3.1.0

Commits

25dd0e3 v3.1.0 (#692)
e073f50 Merge pull request #705 from dependabot/dependabot/npm_and_yarn/hono-4.12.14
0670e16 build(deps-dev): bump hono from 4.12.12 to 4.12.14
7a7fe10 Merge pull request #702 from dependabot/dependabot/npm_and_yarn/dependencies-...
5168191 Updating dist build
23882e1 build(deps): bump @actions/github in the dependencies group
1072469 Merge pull request #701 from dependabot/dependabot/github_actions/actions/cre...
43f8a00 build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1
b4d904a Merge pull request #703 from dependabot/dependabot/npm_and_yarn/globals-17.5.0
c8046bb build(deps-dev): bump globals from 17.4.0 to 17.5.0
Additional commits viewable in compare view

Updates jfrog/frogbot from 2 to 3

Release notes

Sourced from jfrog/frogbot's releases.

v2.34.0

What's Changed

Exciting New Features 🎉

Adding Signature Validation When getFrogbot.sh Downloads Frogbot by @orto17 in jfrog/frogbot#1312

Other Changes 📚

Update dependencies for 2.34.0 release by @eranturgeman in jfrog/frogbot#1335

Signature validation - Fallback to use storage API by @orto17 in jfrog/frogbot#1337

Full Changelog: jfrog/frogbot@v2.33.1...v2.34.0

v2.33.0

What's Changed

Improvements 🌱

Update action NodeJS version to Node24 by @eranturgeman in jfrog/frogbot#1321

Bug Fixes 🛠

Fix nil pointer dereference in getTotalFindingsFromScanResults V2 by @eranturgeman in jfrog/frogbot#1316

Other Changes 📚

Manually merging Master to Dev (#1309) by @eranturgeman in jfrog/frogbot#1310

Update dependencies for 2.33.0 release by @eranturgeman in jfrog/frogbot#1322

Full Changelog: jfrog/frogbot@v2...v2.33.0

v2.32.3

Full Changelog: jfrog/frogbot@v2...v2.32.3

v2.32.2

What's Changed

Improvements 🌱

PR Scan - Option to scan only changed files in SAST by @attiasas in jfrog/frogbot#1284

Support 'Scanned - No Issues' severity by @attiasas in jfrog/frogbot#1288

Bug Fixes 🛠

Fix Gradle automated dependency updates for multi-module projects by @orto17 in jfrog/frogbot#1275

Full Changelog: jfrog/frogbot@v2...v2.32.2

v2.32.1

... (truncated)

Commits

3fa9530 Update dependencies for 3.2.0 release (#1336)
19fb828 Support config profile attributes in scans (#1308)
72e741e Fix V3 action and improve OIDC error recognition (#1332)
1a3c445 Populate project key to getConfigurationProfile (#1328)
7d2644c Adding Signature Validation When getFrogbot.sh Downloads Frogbot (#1313)
62d6847 Add Frogbot V3 GitHub Action support (#1327)
d2687b3 Fix GitLab integration tests for V3 (#1325)
5575ab4 Fix nil pointer issue (#1317)
fd2ca4d Adding validations to fetched config profile (#1318)
8db703e Fix GitHub integration tests for frogbot v3 (#1319)
Additional commits viewable in compare view

Updates nuget/setup-nuget from 3 to 4

Release notes

Sourced from nuget/setup-nuget's releases.

v4.0

What's Changed

Migrate to ESM and update all npm packages to latest versions by @jeffkl in NuGet/setup-nuget#234

Full Changelog: NuGet/setup-nuget@v3.0.1...v4.0

v3.1.0

What's Changed

Remove DEP0169 url.parse() usage from setup-nuget v3 runtime path by @Copilot in NuGet/setup-nuget#233

Full Changelog: NuGet/setup-nuget@v3...v3.1.0

Commits

fd55a6f Migrate to ESM and update all npm packages to latest versions (#234)
b26b823 Remove DEP0169 url.parse() usage from setup-nuget v3 runtime path (#233)
357a986 Upgrade NuGet setup action to version 3 (#226)
See full diff in compare view

Updates astral-sh/setup-uv from 5 to 7

Release notes

Sourced from astral-sh/setup-uv's releases.

v7.2.1 🌈 update known checksums up to 0.9.28

Changes

🧰 Maintenance

chore: update known checksums for 0.9.28 @github-actions[bot] (#744)

chore: update known checksums for 0.9.27 @github-actions[bot] (#742)

chore: update known checksums for 0.9.26 @github-actions[bot] (#734)

chore: update known checksums for 0.9.25 @github-actions[bot] (#733)

chore: update known checksums for 0.9.24 @github-actions[bot] (#730)

📚 Documentation

Clarify impact of using actions/setup-python @eifinger (#732)

⬆️ Dependency updates

Bump zizmorcore/zizmor-action from 0.3.0 to 0.4.1 @dependabot[bot] (#741)

v7.0.0 🌈 node24 and a lot of bugfixes

Changes

This release comes with a load of bug fixes and a speed up. Because of switching from node20 to node24 it is also a breaking change. If you are running on GitHub hosted runners this will just work, if you are using self-hosted runners make sure, that your runners are up to date. If you followed the normal installation instructions your self-hosted runner will keep itself updated.

This release also removes the deprecated input server-url which was used to download uv releases from a different server. The manifest-file input supersedes that functionality by adding a flexible way to define available versions and where they should be downloaded from.

Fixes

The action now respects when the environment variable UV_CACHE_DIR is already set and does not overwrite it. It now also finds cache-dir settings in config files if you set them.

Some users encountered problems that cache pruning took forever because they had some uv processes running in the background. Starting with uv version 0.8.24 this action uses uv cache prune --ci --force to ignore the running processes

If you just want to install uv but not have it available in path, this action now respects UV_NO_MODIFY_PATH

Some other actions also set the env var UV_CACHE_DIR. This action can now deal with that but as this could lead to unwanted behavior in some edgecases a warning is now displayed.

Improvements

If you are using minimum version specifiers for the version of uv to install for example
[tool.uv]
required-version = ">=0.8.17"
This action now detects that and directly uses the latest version. Previously it would download all available releases from the uv repo to determine the highest matching candidate for the version specifier, which took much more time.

If you are using other specifiers like 0.8.x this action still needs to download all available releases because the specifier defines an upper bound (not 0.9.0 or later) and "latest" would possibly not satisfy that.

🚨 Breaking changes

... (truncated)

Commits

37802ad Fetch uv from Astral's mirror by default (#809)
9f00d18 chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 (#808)
fd8f376 Switch to ESM for source and test, use CommonJS for dist (#806)
f9070de Bump deps (#805)
cadb67b chore: update known checksums for 0.10.10 (#804)
e06108d Use astral-sh/versions as primary version provider (#802)
0f6ec07 docs: replace copilot instructions with AGENTS.md (#794)
821e5c9 docs: add cross-client dependabot rollup skill (#793)
6ee6290 chore(deps): bump versions (#792)
9f332a1 Add riscv64 architecture support to platform detection (#791)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the github-actions group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `5` | `6` | | [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) | `3.0.0` | `3.1.0` | | [jfrog/frogbot](https://github.com/jfrog/frogbot) | `2` | `3` | | [nuget/setup-nuget](https://github.com/nuget/setup-nuget) | `3` | `4` | | [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `5` | `7` | Updates `actions/checkout` from 5 to 6 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v5...v6) Updates `dependabot/fetch-metadata` from 3.0.0 to 3.1.0 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@v3.0.0...v3.1.0) Updates `jfrog/frogbot` from 2 to 3 - [Release notes](https://github.com/jfrog/frogbot/releases) - [Commits](jfrog/frogbot@v2...v3) Updates `nuget/setup-nuget` from 3 to 4 - [Release notes](https://github.com/nuget/setup-nuget/releases) - [Commits](NuGet/setup-nuget@v3...v4) Updates `astral-sh/setup-uv` from 5 to 7 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@v5...v7) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: dependabot/fetch-metadata dependency-version: 3.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: jfrog/frogbot dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: nuget/setup-nuget dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: astral-sh/setup-uv dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 1, 2026

ehl-jf added the ignore for release Automatically generated release notes label Jun 1, 2026

ehl-jf approved these changes Jun 1, 2026

View reviewed changes

github-actions Bot enabled auto-merge (squash) June 1, 2026 05:58

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the github-actions group across 1 directory with 5 updates#3524

Bump the github-actions group across 1 directory with 5 updates#3524
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/github-actions-3421bebd79

dependabot Bot commented on behalf of github Jun 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Jun 1, 2026

v6.0.0

What's Changed

v6-beta

What's Changed

v5.0.1

What's Changed

Changelog

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v3.1.0

What's Changed

New Contributors

v2.34.0

What's Changed

Exciting New Features 🎉

Other Changes 📚

v2.33.0

What's Changed

Improvements 🌱

Bug Fixes 🛠

Other Changes 📚

v2.32.3

v2.32.2

What's Changed

Improvements 🌱

Bug Fixes 🛠

v2.32.1

v4.0

What's Changed

v3.1.0

What's Changed

v7.2.1 🌈 update known checksums up to 0.9.28

Changes

🧰 Maintenance

📚 Documentation

⬆️ Dependency updates

v7.0.0 🌈 node24 and a lot of bugfixes

Changes

Fixes

Improvements

🚨 Breaking changes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant