Skip to content

chore(deps): bump the actions-deps group with 4 updates#173

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions-deps-ba5b4f6d55
Open

chore(deps): bump the actions-deps group with 4 updates#173
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions-deps-ba5b4f6d55

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the actions-deps group with 4 updates: actions/checkout, changesets/action, actions/attest-build-provenance and github/codeql-action/upload-sarif.

Updates actions/checkout from 6.0.3 to 7.0.0

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Updates changesets/action from 1.8.0 to 1.9.0

Release notes

Sourced from changesets/action's releases.

v1.9.0

Minor Changes

  • #636 b072bcc Thanks @​bluwy! - Add a new @changesets/action/pr-comment sub-action to comment on PRs

  • #625 8795eee Thanks @​bluwy! - Add a new @changesets/action/pr-status sub-action to generate the changeset status comment for PRs as an alternative to the Changesets Bot.

Patch Changes

  • #535 34f64f6 Thanks @​Andarist! - Fixed an issue with GitHub releases not being created for successfully published packages when some packages failed to be published to the registry.

  • #632 1d54b9e Thanks @​bluwy! - Simplify internal implementation to get changelog entries for a package version

  • #629 e0c90aa Thanks @​bluwy! - Fix custom version and publish command argument parsing

  • #645 f9585d9 Thanks @​Andarist! - Improved force-push handling when using commitMode: "github-api" so updating an existing branch no longer temporarily resets the target branch to the base commit, avoiding cases where GitHub closes open pull requests during the update. This should remove a possibility of a GitHub state race that caused the force-pushed PRs not being reopened.

Changelog

Sourced from changesets/action's changelog.

@​changesets/action

2.0.0-next.3

Major Changes

  • #680 ca57073 Thanks @​bluwy! - Add a new push-git-tags option that complements create-github-releases to control specifically if git tags should be created but not GitHub releases.

    If create-github-releases was previously set to false, which also indirectly disabled git tag creation, git tags will now be created instead by default. If this is not desired, set push-git-tags to false explicitly.

  • #681 7359107 Thanks @​bluwy! - Rename the root action inputs and outputs to better match the sub-actions' conventions.

    Inputs:

    • version -> version-script
    • publish -> publish-script
    • commit -> commit-message
    • title -> pr-title
    • branch -> pr-base-branch

    Outputs:

    • pull-request-number -> pr-number
  • #674 164652b Thanks @​bluwy! - Remove support for passing custom GitHub token through the GITHUB_TOKEN environment variable. It should be passed to the github-token input instead.

  • #673 823cf74 Thanks @​bluwy! - Update to Changesets v3 packages

  • #668 0eae789 Thanks @​bluwy! - Rename the input and output names to kebab-case instead of camelCase to match the official GitHub actions pattern

Minor Changes

  • #678 f71ae04 Thanks @​Andarist! - Published packages detection done through stdout parsing was replaced with one based on the shared output file using CHANGESETS_OUTPUT environment variable. When using custom scripts this environment variable should always be passed down to the Changesets CLI invocations.

2.0.0-next.2

Patch Changes

  • #670 5a8b9b7 Thanks @​Andarist! - Authenticate git CLI pushes with the configured GitHub token using Git extra headers instead of writing to a global .netrc file.

  • #670 5a8b9b7 Thanks @​Andarist! - Derive the Git server URL from the GitHub Actions context when configuring git CLI authentication to support GitHub Enterprise Server setups.

2.0.0-next.1

Patch Changes

  • #663 ccb3811 Thanks @​Andarist! - Fix the computed publish plan path passed internally to changeset pack by the /pack subaction.

  • #662 5c88881 Thanks @​Andarist! - Fixed usage of --from-publish-plan flag used by the /pack subaction

  • #666 dc29b73 Thanks @​Andarist! - Fix the /version subaction to not crash on missing pr-base-branch input. This input is meant to be optional.

... (truncated)

Commits

Updates actions/attest-build-provenance from 4.1.0 to 4.1.1

Release notes

Sourced from actions/attest-build-provenance's releases.

v4.1.1

[!NOTE] As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

Full Changelog: actions/attest-build-provenance@v4.1.0...v4.1.1

Commits

Updates github/codeql-action/upload-sarif from 4.36.1 to 4.36.2

Release notes

Sourced from github/codeql-action/upload-sarif's releases.

v4.36.2

  • Cache CodeQL CLI version information across Actions steps. #3943
  • Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937
  • Update default CodeQL bundle version to 2.25.6. #3948
Changelog

Sourced from github/codeql-action/upload-sarif's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.36.2 - 04 Jun 2026

  • Cache CodeQL CLI version information across Actions steps. #3943
  • Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937
  • Update default CodeQL bundle version to 2.25.6. #3948

4.36.1 - 02 Jun 2026

No user facing changes.

4.36.0 - 22 May 2026

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893
  • Update default CodeQL bundle version to 2.25.5. #3926

4.35.5 - 15 May 2026

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

  • Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823

... (truncated)

Commits
  • 8aad20d Merge pull request #3949 from github/update-v4.36.2-dcb947ce1
  • f521b08 Add additional changelog notes
  • 8aeff0f Update changelog for v4.36.2
  • dcb947c Merge pull request #3948 from github/update-bundle/codeql-bundle-v2.25.6
  • c251bce Add changelog note
  • 62953c1 Update default bundle to codeql-bundle-v2.25.6
  • 423b570 Merge pull request #3946 from github/dependabot/npm_and_yarn/npm-minor-5d507a...
  • c35d1b1 Merge pull request #3947 from github/dependabot/github_actions/dot-github/wor...
  • cb1a588 Merge pull request #3937 from github/robertbrignull/waitForProcessing_backoff
  • ba47406 Merge pull request #3943 from github/henrymercer/cache-cli-version-info
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the actions-deps group with 4 updates: [actions/checkout](https://github.com/actions/checkout), [changesets/action](https://github.com/changesets/action), [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) and [github/codeql-action/upload-sarif](https://github.com/github/codeql-action).


Updates `actions/checkout` from 6.0.3 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@df4cb1c...9c091bb)

Updates `changesets/action` from 1.8.0 to 1.9.0
- [Release notes](https://github.com/changesets/action/releases)
- [Changelog](https://github.com/changesets/action/blob/main/CHANGELOG.md)
- [Commits](changesets/action@63a615b...a45c4d5)

Updates `actions/attest-build-provenance` from 4.1.0 to 4.1.1
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@a2bbfa2...0f67c3f)

Updates `github/codeql-action/upload-sarif` from 4.36.1 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@87557b9...8aad20d)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-deps
- dependency-name: changesets/action
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-deps
- dependency-name: actions/attest-build-provenance
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-deps
- dependency-name: github/codeql-action/upload-sarif
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-deps
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
@dependabot
dependabot Bot requested a review from a team as a code owner July 1, 2026 18:27
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
@netlify

netlify Bot commented Jul 1, 2026

Copy link
Copy Markdown

Deploy Preview for openzeppelin-ui ready!

Name Link
🔨 Latest commit 5ec27f0
🔍 Latest deploy log https://app.netlify.com/projects/openzeppelin-ui/deploys/6a455c050059220008e59fd5
😎 Deploy Preview https://deploy-preview-173--openzeppelin-ui.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cla: allowlist cla: signed dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants