Skip to content

build(deps): bump the actions group across 1 directory with 8 updates#2556

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions-c9d1a87f4a
Closed

build(deps): bump the actions group across 1 directory with 8 updates#2556
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions-c9d1a87f4a

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Mar 23, 2026
edited
Loading

Bumps the actions group with 8 updates in the / directory:

Package From To
actions/upload-artifact 6 7
hashicorp/setup-terraform 3 4
actions/download-artifact 7 8
docker/setup-buildx-action 3 4
docker/login-action 3 4
microsoft/setup-msbuild 2.0.0 3.0.0
docker/build-push-action 6 7
lycheeverse/lychee-action 2.7.0 2.8.0

Updates actions/upload-artifact from 6 to 7

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

Commits

Updates hashicorp/setup-terraform from 3 to 4

Release notes

Sourced from hashicorp/setup-terraform's releases.

v4.0.0

BREAKING CHANGES:

  • Upgrade to Node.js 24 - setup-terraform now requires Node.js 24 (#503)

v3.1.2

NOTES:

  • This release introduces no functional changes. It does however include dependency updates which address upstream CVEs. (#430)

v3.1.1

BUG FIXES:

  • wrapper: Fix wrapper to output to stdout and stderr immediately when data is received (#395)

v3.1.0

ENHANCEMENTS:

  • Automatically fallback to darwin/amd64 for Terraform versions before 1.0.2 as releases for darwin/arm64 are not available (#409)
Changelog

Sourced from hashicorp/setup-terraform's changelog.

4.0.0 (2026-02-24)

BREAKING CHANGES:

  • Upgrade to Node.js 24 - setup-terraform now requires Node.js 24 (#503)

3.1.2 (2024-08-19)

NOTES:

  • This release introduces no functional changes. It does however include dependency updates which address upstream CVEs. (#430)

3.1.1 (2024-05-07)

BUG FIXES:

  • wrapper: Fix wrapper to output to stdout and stderr immediately when data is received (#395)
Commits
  • 5e8dbf3 Update package version
  • 6eb9b2a Update changelog
  • af062bc feat: upgrade to node 24 (#503)
  • ce70bcf Bump @​actions/github from 7.0.0 to 8.0.0 (#528)
  • d92091b Bump actions/checkout from 6.0.1 to 6.0.2 in the github-actions group (#527)
  • dcc3150 Bump actions/setup-node from 6.1.0 to 6.2.0 in the github-actions group (#525)
  • 93d5a27 Bump @​actions/github from 6.0.1 to 7.0.0 (#523)
  • 92e4d08 Bump dessant/lock-threads in the github-actions group (#519)
  • 071811a Bump the github-actions group with 2 updates (#517)
  • 712b439 Bump actions/checkout from 5.0.0 to 6.0.0 in the github-actions group (#515)
  • Additional commits viewable in compare view

Updates actions/download-artifact from 7 to 8

Release notes

Sourced from actions/download-artifact's releases.

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

Commits
  • 3e5f45b Add regression tests for CJK characters (#471)
  • e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
  • 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
  • f258da9 Add change docs
  • ccc058e Fix linting issues
  • bd7976b Add a setting to specify what to do on hash mismatch and default it to error
  • ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
  • 15999bf Add note about package bumps
  • 974686e Bump the version to v8 and add release notes
  • fbe48b1 Update test names to make it clearer what they do
  • Additional commits viewable in compare view

Updates docker/setup-buildx-action from 3 to 4

Release notes

Sourced from docker/setup-buildx-action's releases.

v4.0.0

Full Changelog: docker/setup-buildx-action@v3.12.0...v4.0.0

v3.12.0

Full Changelog: docker/setup-buildx-action@v3.11.1...v3.12.0

v3.11.1

Full Changelog: docker/setup-buildx-action@v3.11.0...v3.11.1

v3.11.0

Full Changelog: docker/setup-buildx-action@v3.10.0...v3.11.0

v3.10.0

Full Changelog: docker/setup-buildx-action@v3.9.0...v3.10.0

v3.9.0

Full Changelog: docker/setup-buildx-action@v3.8.0...v3.9.0

v3.8.0

Full Changelog: docker/setup-buildx-action@v3.7.1...v3.8.0

... (truncated)

Commits
  • 4d04d5d Merge pull request #485 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • cd74e05 chore: update generated content
  • eee38ec build(deps): bump @​docker/actions-toolkit from 0.77.0 to 0.79.0
  • 7a83f65 Merge pull request #484 from docker/dependabot/github_actions/docker/setup-qe...
  • a5aa967 Merge pull request #464 from crazy-max/rm-deprecated
  • e73d53f build(deps): bump docker/setup-qemu-action from 3 to 4
  • 28a438e Merge pull request #483 from crazy-max/node24
  • 034e9d3 chore: update generated content
  • b4664d8 remove deprecated inputs/outputs
  • a8257de node 24 as default runtime
  • Additional commits viewable in compare view

Updates docker/login-action from 3 to 4

Release notes

Sourced from docker/login-action's releases.

v4.0.0

Full Changelog: docker/login-action@v3.7.0...v4.0.0

v3.7.0

Full Changelog: docker/login-action@v3.6.0...v3.7.0

v3.6.0

Full Changelog: docker/login-action@v3.5.0...v3.6.0

v3.5.0

Full Changelog: docker/login-action@v3.4.0...v3.5.0

v3.4.0

Full Changelog: docker/login-action@v3.3.0...v3.4.0

... (truncated)

Commits
  • 4907a6d Merge pull request #930 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
  • 1e233e6 chore: update generated content
  • 6c24ead build(deps): bump the aws-sdk-dependencies group with 2 updates
  • ee034d7 Merge pull request #958 from docker/dependabot/npm_and_yarn/lodash-4.18.1
  • 1527209 Merge pull request #937 from docker/dependabot/npm_and_yarn/proxy-agent-depen...
  • d39362a build(deps): bump lodash from 4.17.23 to 4.18.1
  • a6f092b chore: update generated content
  • 60953f0 build(deps): bump the proxy-agent-dependencies group with 2 updates
  • 62c6885 Merge pull request #936 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 102c0e6 chore: update generated content
  • Additional commits viewable in compare view

Updates microsoft/setup-msbuild from 2.0.0 to 3.0.0

Release notes

Sourced from microsoft/setup-msbuild's releases.

v3 Update to move to Node24

What's Changed

New Contributors

Full Changelog: microsoft/setup-msbuild@v2...v3

v1.0.0 Release

This is the initial release of the microsoft/setup-msbuild GitHub Action. Use this task if needing to ensure you have msbuild.exe in the PATH for subsequent action tasks, like building .NET Framework applications.

Special thanks to @​warrenbuckley for inspiration on this!

Commits

Updates docker/build-push-action from 6 to 7

Release notes

Sourced from docker/build-push-action's releases.

v7.0.0

Full Changelog: docker/build-push-action@v6.19.2...v7.0.0

v6.19.2

Full Changelog: docker/build-push-action@v6.19.1...v6.19.2

v6.19.1

Full Changelog: docker/build-push-action@v6.19.0...v6.19.1

v6.19.0

Full Changelog: docker/build-push-action@v6.18.0...v6.19.0

v6.18.0

[!NOTE] Build summary is now supported with Docker Build Cloud.

Full Changelog: docker/build-push-action@v6.17.0...v6.18.0

v6.17.0

[!NOTE] Build record is now exported using the buildx history export command instead of the legacy export-build tool.

Full Changelog: docker/build-push-action@v6.16.0...v6.17.0

v6.16.0

... (truncated)

Commits
  • d08e5c3 Merge pull request #1479 from docker/dependabot/npm_and_yarn/docker/actions-t...
  • cbd2dff chore: update generated content
  • f76f51f chore(deps): Bump @​docker/actions-toolkit from 0.78.0 to 0.79.0
  • 7d03e66 Merge pull request #1473 from crazy-max/rm-deprecated-envs
  • 98f853d chore: update generated content
  • cadccf6 remove deprecated envs
  • 03fe877 Merge pull request #1478 from docker/dependabot/github_actions/docker/setup-b...
  • 827e366 chore(deps): Bump docker/setup-buildx-action from 3 to 4
  • e25db87 Merge pull request #1474 from crazy-max/rm-export-build-tool
  • 1ac2573 Merge pull request #1470 from crazy-max/node24
  • Additional commits viewable in compare view

Updates lycheeverse/lychee-action from 2.7.0 to 2.8.0

Release notes

Sourced from lycheeverse/lychee-action's releases.

v2.8.0

What's Changed

New Contributors

Full Changelog: lycheeverse/lychee-action@v2.7.0...v2.8.0

Commits
  • 8646ba3 Add message with Summary report URL (#326)
  • c6e7911 [create-pull-request] automated change
  • 631725a Bump peter-evans/create-pull-request from 7 to 8 (#318)
  • 942f324 Bump actions/cache from 4 to 5 (#319)
  • 79de881 Bump actions/checkout from 5 to 6 (#316)
  • 1ef33e2 Update test to use --root-dir instead of the deprecated --base (#315)
  • 50a631e Update args for lychee-action to use root-dir (#314)
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 23, 2026
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 23, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions-c9d1a87f4a branch from fbf4c70 to 2e28244 Compare March 30, 2026 13:09
Matovidlo added a commit that referenced this pull request Apr 3, 2026
@Matovidlo @claude
build(deps): consolidate all dependabot dependency updates
cb12346 
Merges all open dependabot PRs (#2555, #2556, #2563, #2566, #2568, #2569)
into a single update:

Go modules:
- ariga.io/atlas 0.38.0 → 1.1.0
- entgo.io/ent 0.14.5 → 0.14.6
- github.com/DataDog/dd-trace-go/v2 2.5.0 → 2.7.0
- github.com/fatih/color 1.18.0 → 1.19.0
- github.com/go-jose/go-jose/v3 3.0.4 → 3.0.5 (security)
- github.com/go-jose/go-jose/v4 4.1.3 → 4.1.4 (security)
- github.com/go-resty/resty/v2 2.17.1 → 2.17.2
- github.com/keboola/go-utils 1.4.0 → 1.4.1
- github.com/klauspost/compress 1.18.4 → 1.18.5
- github.com/mattn/go-sqlite3 1.14.33 → 1.14.38
- github.com/rs/zerolog 1.34.0 → 1.35.0
- github.com/schollz/progressbar/v3 3.18.0 → 3.19.0
- github.com/valyala/fastjson 1.6.7 → 1.6.10
- github.com/xtaci/kcp-go/v5 5.6.67 → 5.6.72
- go.etcd.io/etcd/{api,client,tests}/v3 3.6.7 → 3.6.9
- go.opentelemetry.io/contrib/instrumentation/grpc/otelgrpc 0.65.0 → 0.67.0
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp 0.65.0 → 0.67.0
- go.opentelemetry.io/contrib/propagators/b3 1.40.0 → 1.42.0
- go.opentelemetry.io/otel/* 1.40.0 → 1.42.0
- goa.design/plugins/v3 3.24.3 → 3.25.3 (also pulls goa.design/goa/v3)
- golang.org/x/{crypto,image,mod,net,sync,term,text,tools} various → latest
- google.golang.org/grpc 1.78.0 → 1.79.3 (security: auth bypass fix)
- k8s.io/client-go 0.33.3 → 0.35.3

GitHub Actions:
- actions/upload-artifact v6 → v7
- actions/download-artifact v7 → v8
- docker/setup-buildx-action v3 → v4
- docker/login-action v3 → v4
- docker/build-push-action v6 → v7
- hashicorp/setup-terraform v3 → v4
- microsoft/setup-msbuild v2.0.0 → v3.0.0
- lycheeverse/lychee-action v2.7.0 → v2.8.0

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Matovidlo Matovidlo mentioned this pull request Apr 3, 2026
Draft
@dependabot
build(deps): bump the actions group across 1 directory with 8 updates
63ab2c0 
Bumps the actions group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `6` | `7` |
| [hashicorp/setup-terraform](https://github.com/hashicorp/setup-terraform) | `3` | `4` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `7` | `8` |
| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3` | `4` |
| [docker/login-action](https://github.com/docker/login-action) | `3` | `4` |
| [microsoft/setup-msbuild](https://github.com/microsoft/setup-msbuild) | `2.0.0` | `3.0.0` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `6` | `7` |
| [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) | `2.7.0` | `2.8.0` |



Updates `actions/upload-artifact` from 6 to 7
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v6...v7)

Updates `hashicorp/setup-terraform` from 3 to 4
- [Release notes](https://github.com/hashicorp/setup-terraform/releases)
- [Changelog](https://github.com/hashicorp/setup-terraform/blob/main/CHANGELOG.md)
- [Commits](hashicorp/setup-terraform@v3...v4)

Updates `actions/download-artifact` from 7 to 8
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v7...v8)

Updates `docker/setup-buildx-action` from 3 to 4
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@v3...v4)

Updates `docker/login-action` from 3 to 4
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@v3...v4)

Updates `microsoft/setup-msbuild` from 2.0.0 to 3.0.0
- [Release notes](https://github.com/microsoft/setup-msbuild/releases)
- [Commits](microsoft/setup-msbuild@v2.0.0...v3.0.0)

Updates `docker/build-push-action` from 6 to 7
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@v6...v7)

Updates `lycheeverse/lychee-action` from 2.7.0 to 2.8.0
- [Release notes](https://github.com/lycheeverse/lychee-action/releases)
- [Commits](lycheeverse/lychee-action@v2.7.0...v2.8.0)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: hashicorp/setup-terraform
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/download-artifact
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/setup-buildx-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/login-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: microsoft/setup-msbuild
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/build-push-action
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: lycheeverse/lychee-action
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions-c9d1a87f4a branch from 2e28244 to 63ab2c0 Compare April 6, 2026 12:25
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 13, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 13, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/actions-c9d1a87f4a branch April 13, 2026 13:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jachym-tousek-keboola jachym-tousek-keboola Awaiting requested review from jachym-tousek-keboola jachym-tousek-keboola is a code owner

@Matovidlo Matovidlo Awaiting requested review from Matovidlo Matovidlo is a code owner

@hosekpeter hosekpeter Awaiting requested review from hosekpeter hosekpeter is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants