From 0ecba8e9264c694ad65c621d7422801016fb08c8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Jun 2026 01:24:24 +0000 Subject: [PATCH] build(deps): bump the github-actions group with 2 updates Bumps the github-actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [github/codeql-action](https://github.com/github/codeql-action). Updates `actions/checkout` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...df4cb1c069e1874edd31b4311f1884172cec0e10) Updates `github/codeql-action` from 4.35.5 to 4.36.1 - [Release notes](https://github.com/github/codeql-action/releases) - [Commits](https://github.com/github/codeql-action/compare/v4.35.5...v4.36.1) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.36.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 16 ++++++++-------- .github/workflows/codeql.yml | 8 ++++---- .github/workflows/commitlint.yml | 2 +- .github/workflows/och-self-scan.yml | 4 ++-- .github/workflows/osv.yml | 4 ++-- .github/workflows/pages.yml | 2 +- .github/workflows/pre-release-gate.yml | 8 ++++---- .github/workflows/release.yml | 6 +++--- .github/workflows/scorecard.yml | 4 ++-- .github/workflows/semgrep.yml | 4 ++-- .github/workflows/verify-global-install.yml | 2 +- 11 files changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b25268f1..5bf4e5ff 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,7 +17,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - run: pnpm exec biome ci . @@ -25,7 +25,7 @@ jobs: typecheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - name: Build workspace .d.ts so cross-package types resolve @@ -50,7 +50,7 @@ jobs: env: MISE_NODE_VERSION: ${{ matrix.node-version }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - run: pnpm --filter '!@opencodehub/docs' -r test @@ -58,7 +58,7 @@ jobs: sarif-validate: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - run: pnpm -F @opencodehub/sarif build @@ -67,13 +67,13 @@ jobs: banned-strings: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - run: bash scripts/check-banned-strings.sh licenses: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - run: pnpm install --frozen-lockfile --ignore-scripts - name: license allowlist @@ -94,7 +94,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Install osv-scanner run: | curl -sL -o /tmp/osv-scanner \ @@ -106,7 +106,7 @@ jobs: --lockfile=pnpm-lock.yaml \ --format=sarif \ --output=osv.sarif || true - - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 + - uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4 if: always() with: sarif_file: osv.sarif diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 522884c5..6cc673ea 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -27,12 +27,12 @@ jobs: matrix: language: [javascript-typescript, python] steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4 with: languages: ${{ matrix.language }} queries: security-and-quality - - uses: github/codeql-action/autobuild@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 - - uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 + - uses: github/codeql-action/autobuild@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4 + - uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml index 19a5b0b2..7622838c 100644 --- a/.github/workflows/commitlint.yml +++ b/.github/workflows/commitlint.yml @@ -12,7 +12,7 @@ jobs: commitlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 diff --git a/.github/workflows/och-self-scan.yml b/.github/workflows/och-self-scan.yml index ef9cd052..bdc8034b 100644 --- a/.github/workflows/och-self-scan.yml +++ b/.github/workflows/och-self-scan.yml @@ -24,7 +24,7 @@ jobs: security-events: write issues: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 @@ -81,7 +81,7 @@ jobs: - name: Upload SARIF to code scanning if: always() - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 + uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4 with: sarif_file: .codehub/scan.sarif category: opencodehub-self diff --git a/.github/workflows/osv.yml b/.github/workflows/osv.yml index 2a5ff7af..3ed0ee79 100644 --- a/.github/workflows/osv.yml +++ b/.github/workflows/osv.yml @@ -24,7 +24,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Install osv-scanner run: | curl -sL -o /tmp/osv-scanner \ @@ -36,7 +36,7 @@ jobs: --lockfile=pnpm-lock.yaml \ --format=sarif \ --output=osv.sarif || true - - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 + - uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4 if: always() with: sarif_file: osv.sarif diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index 1fd43104..818f97a5 100644 --- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -21,7 +21,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 # NOTE: --ignore-scripts removed so sharp's native binary download # and Playwright's chromium install (via rehype-mermaid) are allowed. diff --git a/.github/workflows/pre-release-gate.yml b/.github/workflows/pre-release-gate.yml index 949b9efc..1b96ee1e 100644 --- a/.github/workflows/pre-release-gate.yml +++ b/.github/workflows/pre-release-gate.yml @@ -42,7 +42,7 @@ jobs: if: startsWith(github.head_ref, 'release-please--') runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 @@ -54,7 +54,7 @@ jobs: if: startsWith(github.head_ref, 'release-please--') runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 @@ -68,7 +68,7 @@ jobs: if: startsWith(github.head_ref, 'release-please--') runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 persist-credentials: false @@ -90,7 +90,7 @@ jobs: if: startsWith(github.head_ref, 'release-please--') runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3ccedabe..ed618657 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -113,7 +113,7 @@ jobs: hashes-b64: ${{ steps.hashes.outputs.b64 }} steps: - name: Checkout released SHA - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ needs.resolve.outputs.sha }} fetch-depth: 0 @@ -314,7 +314,7 @@ jobs: - name: Upload SARIF to code scanning if: hashFiles('artifacts/och-scan.sarif') != '' - uses: github/codeql-action/upload-sarif@f4d0a7abf7b1d0f530e480f564a7e2371488107a # codeql-bundle-v2.25.4 + uses: github/codeql-action/upload-sarif@2ceebd64c474b9e68028c6bf6585fca7cdbb8ad6 # codeql-bundle-v2.25.4 with: sarif_file: artifacts/och-scan.sarif category: opencodehub-release @@ -343,7 +343,7 @@ jobs: contents: read id-token: write # OIDC token for npm trusted publishing AND provenance steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ needs.resolve.outputs.sha }} persist-credentials: false diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 98bc0329..523ead61 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -19,7 +19,7 @@ jobs: contents: read actions: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: persist-credentials: false - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 @@ -32,6 +32,6 @@ jobs: name: SARIF path: results.sarif retention-days: 5 - - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 + - uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4 with: sarif_file: results.sarif diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 9a2335f2..7a11dad0 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -26,7 +26,7 @@ jobs: container: image: semgrep/semgrep steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: semgrep scan (p/auto + p/owasp-top-ten) # `|| true` so the SARIF upload step still runs on findings; # gating happens through GitHub code scanning, not the scan's @@ -39,7 +39,7 @@ jobs: --config p/owasp-top-ten \ --sarif --output=semgrep.sarif \ --metrics=off || true - - uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 + - uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4 if: always() with: sarif_file: semgrep.sarif diff --git a/.github/workflows/verify-global-install.yml b/.github/workflows/verify-global-install.yml index 3d712f5b..b381b107 100644 --- a/.github/workflows/verify-global-install.yml +++ b/.github/workflows/verify-global-install.yml @@ -111,7 +111,7 @@ jobs: node: "22" installer: nvm steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: persist-credentials: false