chore(deps): bump the actions group with 3 updates

[dependabot]

Bumps the actions group with 3 updates: actions/checkout, taiki-e/install-action and hyperpolymath/panic-attack/.github/workflows/scan-and-report.yml.

Updates actions/checkout from 6.0.3 to 7.0.0

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

• block checking out fork pr for pull_request_target and workflow_run by @​aiqiaoy in actions/checkout#2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in actions/checkout#2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in actions/checkout#2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in actions/checkout#2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in actions/checkout#2459
• upgrade module to esm and update dependencies by @​aiqiaoy in actions/checkout#2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in actions/checkout#2462
• getting ready for checkout v7 release by @​aiqiaoy in actions/checkout#2464
• update error wording by @​aiqiaoy in actions/checkout#2467

New Contributors

• @​aiqiaoy made their first contribution in actions/checkout#2454

Full Changelog: actions/checkout@v6.0.3...v7.0.0

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in actions/checkout#2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in actions/checkout#2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in actions/checkout#2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in actions/checkout#2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in actions/checkout#2459
• upgrade module to esm and update dependencies by @​aiqiaoy in actions/checkout#2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in actions/checkout#2462

v6.0.3

• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

... (truncated)

Commits

• 9c091bb update error wording (#2467)
• 1044a6d getting ready for checkout v7 release (#2464)
• f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
• d914b26 upgrade module to esm and update dependencies (#2463)
• 537c7ef Bump @​actions/core and @​actions/tool-cache and Remove uuid (#2459)
• 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
• 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
• 0f9f3aa Bump actions/publish-immutable-action (#2458)
• f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)
• See full diff in compare view

Updates taiki-e/install-action from 2.81.5 to 2.82.0

Release notes

Sourced from taiki-e/install-action's releases.

2.82.0

• Support cargo-vet. (#1908, thanks @​jakewimmer)

• Support cargo-crap. (#1905, thanks @​BartoszCiesla)

• Support cargo-leptos. (#1903, thanks @​404Simon)

• Update kingfisher@latest to 1.103.0.

• Update cargo-xwin@latest to 0.23.0.

• Update wasmtime@latest to 45.0.2.

• Update cargo-deny@latest to 0.19.9.

• Update prek@latest to 0.4.5.

• Update trivy@latest to 0.71.1.

• Update mise@latest to 2026.6.10.

2.81.11

• Update wasm-tools@latest to 1.252.0.

• Update wasm-bindgen@latest to 0.2.125.

• Update uv@latest to 0.11.21.

• Update protoc@latest to 3.35.1.

• Update mise@latest to 2026.6.9.

• Update jaq@latest to 3.1.0.

• Update cargo-insta@latest to 1.48.0.

• Update biome@latest to 2.5.0.

2.81.10

• Update tombi@latest to 1.1.3.

• Update release-plz@latest to 0.3.159.

• Update cosign@latest to 3.1.1.

2.81.9

• Update wasm-bindgen@latest to 0.2.123.

• Update tombi@latest to 1.1.2.

... (truncated)

Changelog

Sourced from taiki-e/install-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

This project adheres to Semantic Versioning.

[Unreleased]

[2.82.0] - 2026-06-17

• Support cargo-vet. (#1908, thanks @​jakewimmer)

• Support cargo-crap. (#1905, thanks @​BartoszCiesla)

• Support cargo-leptos. (#1903, thanks @​404Simon)

• Update kingfisher@latest to 1.103.0.

• Update cargo-xwin@latest to 0.23.0.

• Update wasmtime@latest to 45.0.2.

• Update cargo-deny@latest to 0.19.9.

• Update prek@latest to 0.4.5.

• Update trivy@latest to 0.71.1.

• Update mise@latest to 2026.6.10.

[2.81.11] - 2026-06-15

• Update wasm-tools@latest to 1.252.0.

• Update wasm-bindgen@latest to 0.2.125.

• Update uv@latest to 0.11.21.

• Update protoc@latest to 3.35.1.

• Update mise@latest to 2026.6.9.

• Update jaq@latest to 3.1.0.

• Update cargo-insta@latest to 1.48.0.

... (truncated)

Commits

• b8cecb8 Release 2.82.0
• 9811714 Update changelog
• e700546 Update wasmtime manifest
• fdfb4a4 Update mise manifest
• ef03904 Update martin manifest
• b6d0983 Update kingfisher@latest to 1.103.0
• ebeb9b1 Update just manifest
• 119edcf Update cargo-xwin@latest to 0.23.0
• cd319da Update wasmtime@latest to 45.0.2
• 4942894 Update cargo-xwin manifest
• Additional commits viewable in compare view

Updates hyperpolymath/panic-attack/.github/workflows/scan-and-report.yml from 2576c19549f6c9d3d5608955fbc636628185c89e to 3f7d0bbed133629b62052fd181a84e4e1c774f9a

Changelog

Sourced from hyperpolymath/panic-attack/.github/workflows/scan-and-report.yml's changelog.

Changelog

[Unreleased]

Added — attestation unforgeability proof (Idris2, PROOF-PROGRAMME §3.2)

• src/abi/AttestationUnforgeability.idr: Idris2 proof that the intent→evidence→seal attestation chain is unforgeable. Models chain_hash = H(intent‖evidence‖report) + the Ed25519 signature with the cryptographic facts (chain-hash collision-resistance, Ed25519 EUF-CMA message- and signer-binding, signature correctness) as a parameters block — hypotheses, not postulate (PA021 bans escape hatches), so it is an honest conditional theorem. Under %default total it Qed-closes integrity (tampering any phase invalidates the seal), authenticity (a verifying seal comes from the matching key), and nonRepudiation (a genuine seal verifies), plus two corollaries. Typechecks under Idris2 0.8.0. Closes #123.

Added — contractile registry (INDEX.a2ml)

• .machine_readable/contractiles/INDEX.a2ml: the previously-missing contractile registry, modelled on echidna's canonical INDEX. Catalogues all six verbs (must / trust / intend / adjust / bust / dust) with their actual current locations across the three pre-consolidation trees, flags the duplicate trust Trustfile, and records the canonical trident target. The physical consolidation of the three trees stays in #124 — it couples to the contractile gen-just generator (which reads the root contractiles/ tree) and needs the standards CONTRACTILE-SPEC to do safely.

Added — assay / assimilate / aggregate proof-integration subcommands

Three new a-themed subcommands that wire panic-attack into the PROOF-PROGRAMME loop (survey → swap → fold-in-proofs):

• panic-attack assay [TARGET] [--proven DIR]… (src/assay/mod.rs): surveys a target for code that has a formally proven drop-in equivalent in a proven / proven-servers library and reports each candidate with the proof artifact that backs it — operationalising the "Proven cross-fit" table in PROOF-PROGRAMME.md mechanically instead of by hand. Built-in catalogue: SafePath (canonicalize/unwrap pattern) and SafeUrl (VERISIMDB_URL). On this repo: safe-path Offered (port present in src/safe_path.rs, call sites still to rewire), safe-url NoReplacementSource (not yet ported).
• panic-attack assimilate [TARGET] --candidate ID [--proven DIR] [--from FILE] [--all] [--dry-run]: performs a swap — stages the proven module into the tree, backs up the original (*.orig), and writes a provenance record (source BLAKE3 hash + proof backing + pending call-site rewires) under .assimilated/. Module swaps are automatic; call-site rewiring is reported, never auto-edited (mechanically editing arbitrary call sites is not a reviewable operation).
• panic-attack aggregate --proof PATH… [--label PATH=NAME] [--covers PATH=SPEC] [--report BASE]

... (truncated)

Commits

• 3f7d0bb fix(assail): UnboundedAllocation is Medium, not Critical
• 6a814fa chore(deps): bump the rust-minor group with 2 updates (#126)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions