Bump the actions group in /.github/workflows with 12 updates by dependabot[bot] · Pull Request #298 · roocs/rook

dependabot · 2026-06-12T17:40:20Z

Bumps the actions group in /.github/workflows with 12 updates:

Package	From	To
step-security/harden-runner	`2.9.1`	`2.19.4`
actions/create-github-app-token	`1.11.2`	`3.2.0`
actions/checkout	`4.1.7`	`6.0.3`
actions/setup-python	`5.4.0`	`6.2.0`
crazy-max/ghaction-import-gpg	`6.2.0`	`7.0.0`
ad-m/github-push-action	`0.8.0`	`1.3.0`
mamba-org/setup-micromamba	`2.0.4`	`3.0.0`
docker/login-action	`3.3.0`	`4.2.0`
docker/setup-buildx-action	`3.6.1`	`4.1.0`
docker/build-push-action	`6.7.0`	`7.2.0`
actions/labeler	`5.0.0`	`6.1.0`
pypa/gh-action-pypi-publish	`1.12.4`	`1.14.0`

Updates step-security/harden-runner from 2.9.1 to 2.19.4

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.4

What's Changed

Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

What's Changed

Default to audit mode when api-key missing with use-policy-store by @varunsh-coder in step-security/harden-runner#665

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

What's Changed

Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657

What the fix changes

Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).

Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

@devantler made their first contribution in step-security/harden-runner#657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.

System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

... (truncated)

Commits

9af89fc Merge pull request #667 from step-security/update-agent-v1.8.6
485dce8 Update agent to v1.8.6
ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit
ec41b78 Default to audit mode when api-key missing with use-policy-store
9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
1dee3df Update agent to v1.8.5
a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
6e92856 build dist and trim ubuntu-slim message
4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
8d3c67d Release v2.19.0 (#661)
Additional commits viewable in compare view

Updates actions/create-github-app-token from 1.11.2 to 3.2.0

Release notes

Sourced from actions/create-github-app-token's releases.

v3.2.0

3.2.0 (2026-05-12)

Features

add support for enterprise-level GitHub Apps (#263) (952a2a7)

support full repository names in repositories input (#372) (85eb8dd)

Bug Fixes

deps: bump @actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#364) (43e5c34)

validate private-key input (#376) (f24bbd8)

v3.1.1

3.1.1 (2026-04-11)

Bug Fixes

improve error message when app identifier is empty (#362) (07e2b76), closes #249

v3.1.0

3.1.0 (2026-04-11)

Bug Fixes

deps: bump p-retry from 7.1.1 to 8.0.0 (#357) (3bbe07d)

Features

add client-id input and deprecate app-id (#353) (e6bd4e6)

update permission inputs (#358) (076e948)

v3.0.0

3.0.0 (2026-03-14)

feat!: node 24 support (#275) (2e564a0)

fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (4451bcb)

Bug Fixes

remove custom proxy handling (#143) (dce0ab0)

... (truncated)

Changelog

Sourced from actions/create-github-app-token's changelog.

Changelog

3.2.0 (2026-05-12)

Features

add support for enterprise-level GitHub Apps (#263) (952a2a7)

support full repository names in repositories input (#372) (85eb8dd)

Bug Fixes

deps: bump @actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#364) (43e5c34)

validate private-key input (#376) (f24bbd8)

Commits

bcd2ba4 chore(main): release 3.2.0 (#370)
f24bbd8 fix: validate private-key input (#376)
363531b docs: capitalize Git as a proper noun in README (#374)
fd28011 docs: update procedure to configure Git (#287)
85eb8dd feat: support full repository names in repositories input (#372)
c9aabb8 build(deps-dev): bump yaml from 2.8.3 to 2.8.4 in the development-dependencie...
e02e816 build(deps-dev): bump undici from 7.24.6 to 8.2.0 (#366)
8d835bf build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 in the development-depend...
952a2a7 feat: add support for enterprise-level GitHub Apps (#263)
43e5c34 fix(deps): bump @actions/core from 3.0.0 to 3.0.1 in the production-dependenc...
Additional commits viewable in compare view

Updates actions/checkout from 4.1.7 to 6.0.3

Release notes

Sourced from actions/checkout's releases.

v6.0.3

What's Changed

Update changelog by @ericsciple in actions/checkout#2357

fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in actions/checkout#2414

Fix checkout init for SHA-256 repositories by @yaananth in actions/checkout#2439

Update changelog for v6.0.3 by @yaananth in actions/checkout#2446

New Contributors

@yaananth made their first contribution in actions/checkout#2414

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set by @TingluoHuang in actions/checkout#2355

Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in actions/checkout#2356

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Update all references from v5 and v4 to v6 by @ericsciple in actions/checkout#2314

Add worktree support for persist-credentials includeIf by @ericsciple in actions/checkout#2327

Clarify v6 README by @ericsciple in actions/checkout#2328

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

Update README to include Node.js 24 support details and requirements by @salmanmkc in actions/checkout#2248

Persist creds to a separate file by @ericsciple in actions/checkout#2286

v6-beta by @ericsciple in actions/checkout#2298

update readme/changelog for v6 by @ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Port v6 cleanup to v5 by @ericsciple in actions/checkout#2301

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.3

Fix checkout init for SHA-256 repositories by @yaananth in actions/checkout#2439

fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in actions/checkout#2414

v6.0.2

Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in actions/checkout#2356

v6.0.1

Add worktree support for persist-credentials includeIf by @ericsciple in actions/checkout#2327

v6.0.0

Persist creds to a separate file by @ericsciple in actions/checkout#2286

Update README to include Node.js 24 support details and requirements by @salmanmkc in actions/checkout#2248

v5.0.1

Port v6 cleanup to v5 by @ericsciple in actions/checkout#2301

v5.0.0

Update actions checkout to use node 24 by @salmanmkc in actions/checkout#2226

v4.3.1

Port v6 cleanup to v4 by @ericsciple in actions/checkout#2305

v4.3.0

docs: update README.md by @motss in actions/checkout#1971

Add internal repos for checking out multiple repositories by @mouismail in actions/checkout#1977

Documentation update - add recommended permissions to Readme by @benwells in actions/checkout#2043

Adjust positioning of user email note and permissions heading by @joshmgross in actions/checkout#2044

Update README.md by @nebuk89 in actions/checkout#2194

Update CODEOWNERS for actions by @TingluoHuang in actions/checkout#2224

Update package dependencies by @salmanmkc in actions/checkout#2236

v4.2.2

url-helper.ts now leverages well-known environment variables by @jww3 in actions/checkout#1941

Expand unit test coverage for isGhes by @jww3 in actions/checkout#1946

v4.2.1

Check out other refs/* by commit if provided, fall back to ref by @orhantoy in actions/checkout#1924

v4.2.0

Add Ref and Commit outputs by @lucacome in actions/checkout#1180

Dependency updates by @dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

Bump the minor-npm-dependencies group across 1 directory with 4 updates by @dependabot in actions/checkout#1739

Bump actions/checkout from 3 to 4 by @dependabot in actions/checkout#1697

Check out other refs/* by commit by @orhantoy in actions/checkout#1774

... (truncated)

Commits

df4cb1c Update changelog for v6.0.3 (#2446)
1cce339 Fix checkout init for SHA-256 repositories (#2439)
900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
0c366fd Update changelog (#2357)
de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
8e8c483 Clarify v6 README (#2328)
033fa0d Add worktree support for persist-credentials includeIf (#2327)
c2d88d3 Update all references from v5 and v4 to v6 (#2314)
1af3b93 update readme/changelog for v6 (#2311)
Additional commits viewable in compare view

Updates actions/setup-python from 5.4.0 to 6.2.0

Release notes

Sourced from actions/setup-python's releases.

v6.2.0

What's Changed

Dependency Upgrades

Upgrade dependencies to Node 24 compatible versions by @salmanmkc in actions/setup-python#1259

Upgrade urllib3 from 2.5.0 to 2.6.3 in /__tests__/data by @dependabot in actions/setup-python#1253 and actions/setup-python#1264

Full Changelog: actions/setup-python@v6...v6.2.0

v6.1.0

What's Changed

Enhancements:

Add support for pip-install input by @gowridurgad in actions/setup-python#1201

Add graalpy early-access and windows builds by @timfel in actions/setup-python#880

Dependency and Documentation updates:

Enhanced wording and updated example usage for allow-prereleases by @yarikoptic in actions/setup-python#979

Upgrade urllib3 from 1.26.19 to 2.5.0 and document breaking changes in v6 by @dependabot in actions/setup-python#1139

Upgrade typescript from 5.4.2 to 5.9.3 and Documentation update by @dependabot in actions/setup-python#1094

Upgrade actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pip-install input by @dependabot in actions/setup-python#1199

Upgrade requests from 2.32.2 to 2.32.4 by @dependabot in actions/setup-python#1130

Upgrade prettier from 3.5.3 to 3.6.2 by @dependabot in actions/setup-python#1234

Upgrade @types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel by @dependabot in actions/setup-python#1235

New Contributors

@yarikoptic made their first contribution in actions/setup-python#979

Full Changelog: actions/setup-python@v6...v6.1.0

v6.0.0

What's Changed

Breaking Changes

Upgrade to node 24 by @salmanmkc in actions/setup-python#1164

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

Add support for pip-version by @priyagupta108 in actions/setup-python#1129

Enhance reading from .python-version by @krystof-k in actions/setup-python#787

Add version parsing from Pipfile by @aradkdj in actions/setup-python#1067

Bug fixes:

Clarify pythonLocation behaviour for PyPy and GraalPy in environment variables by @aparnajyothi-y in actions/setup-python#1183

Change missing cache directory error to warning by @aparnajyothi-y in actions/setup-python#1182

Add Architecture-Specific PATH Management for Python with --user Flag on Windows by @aparnajyothi-y in actions/setup-python#1122

Include python version in PyPy python-version output by @cdce8p in actions/setup-python#1110

Update docs: clarification on pip authentication with setup-python by @priya-kinthali in actions/setup-python#1156

Dependency updates:

Upgrade idna from 2.9 to 3.7 in /tests/data by @dependabot[bot] in actions/setup-python#843

Upgrade form-data to fix critical vulnerabilities #182 & #183 by @aparnajyothi-y in actions/setup-python#1163

Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download by @aparnajyothi-y in actions/setup-python#1165

Upgrade actions/checkout from 4 to 5 by @dependabot[bot] in actions/setup-python#1181

Upgrade @actions/tool-cache from 2.0.1 to 2.0.2 by @dependabot[bot] in actions/setup-python#1095

... (truncated)

Commits

a309ff8 Bump urllib3 from 2.6.0 to 2.6.3 in /tests/data (#1264)
bfe8cc5 Upgrade @actions dependencies to Node 24 compatible versions (#1259)
4f41a90 Bump urllib3 from 2.5.0 to 2.6.0 in /tests/data (#1253)
83679a8 Bump @types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel ...
bfc4944 Bump prettier from 3.5.3 to 3.6.2 (#1234)
97aeb3e Bump requests from 2.32.2 to 2.32.4 in /tests/data (#1130)
443da59 Bump actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pi...
cfd55ca graalpy: add graalpy early-access and windows builds (#880)
bba65e5 Bump typescript from 5.4.2 to 5.9.3 and update docs/advanced-usage.md (#1094)
18566f8 Improve wording and "fix example" (remove 3.13) on testing against pre-releas...
Additional commits viewable in compare view

Updates crazy-max/ghaction-import-gpg from 6.2.0 to 7.0.0

Release notes

Sourced from crazy-max/ghaction-import-gpg's releases.

v7.0.0

Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @crazy-max in crazy-max/ghaction-import-gpg#241

Switch to ESM and update config/test wiring by @crazy-max in crazy-max/ghaction-import-gpg#239

Bump @actions/core from 1.11.1 to 3.0.0 in crazy-max/ghaction-import-gpg#232

Bump @actions/exec from 1.1.1 to 3.0.0 in crazy-max/ghaction-import-gpg#242

Bump brace-expansion from 1.1.11 to 1.1.12 in crazy-max/ghaction-import-gpg#221

Bump minimatch from 3.1.2 to 3.1.5 in crazy-max/ghaction-import-gpg#240

Bump openpgp from 6.1.0 to 6.3.0 in crazy-max/ghaction-import-gpg#233

Full Changelog: crazy-max/ghaction-import-gpg@v6.3.0...v7.0.0

v6.3.0

Bump openpgp from 5.11.2 to 6.1.0 in crazy-max/ghaction-import-gpg#215

Bump cross-spawn from 7.0.3 to 7.0.6 in crazy-max/ghaction-import-gpg#212

Full Changelog: crazy-max/ghaction-import-gpg@v6.2.0...v6.3.0

Commits

2dc316d Merge pull request #242 from crazy-max/dependabot/npm_and_yarn/actions/exec-3...
5812792 chore: update generated content
ceb906e build(deps): bump @actions/exec from 1.1.1 to 3.0.0
a9dffd9 Merge pull request #241 from crazy-max/node24
36d49fc node 24 as default runtime
50c4e4f Merge pull request #233 from crazy-max/dependabot/npm_and_yarn/openpgp-6.3.0
c78fe49 chore: update generated content
8dbbb1e Merge pull request #221 from crazy-max/dependabot/npm_and_yarn/brace-expansio...
fc715b0 build(deps): bump openpgp from 6.1.0 to 6.3.0
9946916 build(deps): bump brace-expansion from 1.1.11 to 1.1.12
Additional commits viewable in compare view

Updates ad-m/github-push-action from 0.8.0 to 1.3.0

Release notes

Sourced from ad-m/github-push-action's releases.

v1.3.0

What's Changed

feat: Add addional GH token descriptor name by @ZPascal in ad-m/github-push-action#375

feat: Adjust the detached HEAD documentation by @ZPascal in ad-m/github-push-action#376

Full Changelog: ad-m/github-push-action@v1...v1.3.0

v1.2.0

What's Changed

feat: Add git pull support by @ZPascal in ad-m/github-push-action#373

Full Changelog: ad-m/github-push-action@v1...v1.2.0

v1.1.0

What's Changed

Upgrade Node.js version from 20 to 24 by @H0R5E in ad-m/github-push-action#328

New Contributors

@H0R5E made their first contribution in ad-m/github-push-action#328

Full Changelog: ad-m/github-push-action@v1...v1.1.0

v1.0.0

What's Changed

docs: Adjust the PAT documentation by @ZPascal in ad-m/github-push-action#174

feat: Add push to submodules support by @ZPascal in ad-m/github-push-action#155

docs: Adjust the initial git write access documentation by @ZPascal in ad-m/github-push-action#190

fix: Update the documentation by @ZPascal in ad-m/github-push-action#160

Update the release process and setup the process to specify tags by @ZPascal in ad-m/github-push-action#145

Issue 191 by @ZPascal in ad-m/github-push-action#197

Add only push tags support by @ZPascal in ad-m/github-push-action#154

docs: improve documentation and update image by @jackton1 in ad-m/github-push-action#195

Full Changelog: ad-m/github-push-action@v0.8.0...v1.0.0

Commits

881a632 feat: Adjust the detached HEAD documentation (#376)
f917f9b feat: Add addional GH token descriptor name (#375)
fdfe7e8 feat: Add git pull support (#373)
d30dc2d docs: Adjust the link
4cc7477 Upgrade Node.js version from 20 to 24 (#328)
57116ac docs: Remove the url link
77c5b41 docs: improve documentation and update image (#195)
f17d07c Add only push tags support (#154)
2ebd2b2 Issue 191 (#197)
9870d48 Update the release process and setup the process to specify tags (#145)
Additional commits viewable in compare view

Updates mamba-org/setup-micromamba from 2.0.4 to 3.0.0

Release notes

Sourced from mamba-org/setup-micromamba's releases.

v3.0.0

What's Changed

New features

Update Node.js version from 20 to 24 by @glass-ships in mamba-org/setup-micromamba#296

Hash bytes rather than encoded string by @bhperry in mamba-org/setup-micromamba#297

Dependency updates

Bump the node group with 9 updates by @dependabot[bot] in mamba-org/setup-micromamba#286

Bump the actions group with 2 updates by @dependabot[bot] in mamba-org/setup-micromamba#285

Bump the node group across 1 directory with 13 updates by @dependabot[bot] in mamba-org/setup-micromamba#292

Bump the actions group across 1 directory with 4 updates by @dependabot[bot] in mamba-org/setup-micromamba#289

Bump the node group across 1 directory with 14 updates by @dependabot[bot] in mamba-org/setup-micromamba#294

Other changes

Pin github actions by @pavelzw in mamba-org/setup-micromamba#298

New Contributors

@glass-ships made their first contribution in mamba-org/setup-micromamba#296

Full Changelog: mamba-org/setup-micromamba@v2...v3.0.0

v2.0.7

What's Changed

Bug fixes

Resolve bin hash promise by @bhperry in mamba-org/setup-micromamba#284

Full Changelog: mamba-org/setup-micromamba@v2.0.6...v2.0.7

v2.0.6

What's Changed

New features

v2.0.6 by @jjerphan in mamba-org/setup-micromamba#283

Dependency updates

Bump the node group with 9 updates by @dependabot[bot] in mamba-org/setup-micromamba#276

Bump softprops/action-gh-release from 2.2.2 to 2.3.2 in the actions group by @dependabot[bot] in mamba-org/setup-micromamba#277

Update dependencies and rebuild dist by @jjerphan in mamba-org/setup-micromamba#278

Bump actions/checkout from 4 to 5 in the actions group by @dependabot[bot] in mamba-org/setup-micromamba#281

Bump the node group across 1 directory with 10 updates by @dependabot[bot] in mamba-org/setup-micromamba#282

Full Changelog: mamba-org/setup-micromamba@v2.0.5...v2.0.6

v2.0.5

... (truncated)

Commits

d7c9bd8 Pin github actions (#298)
11aea49 Bump the node group across 1 directory with 14 updates (#294)
5f971b0 Hash bytes rather than encoded string (#297)
4807357 Update Node.js version from 20 to 24 (#296)
8a0111d Bump the actions group across 1 directory with 4 updates (#289)
6a5f054 Bump the node group across 1 directory with 13 updates (#292)
4d84239 Bump the actions group with 2 updates (#285)
8271e47 Bump the node group with 9 updates (#286)
add3a49 Resolve bin hash promise (#284)
7f29b8b v2.0.6 (#283)
Additional commits viewable in compare view

Updates docker/login-action from 3.3.0 to 4.2.0

Release notes

Sourced from docker/login-action's releases.

v4.2.0

Bump @actions/core from 3.0.0 to 3.0.1 in docker/login-action#976

Bump @aws-sdk/client-ecr and @aws-sdk/client-ecr-public to 3.1050.0 in docker/login-action#960

Bump @docker/actions-toolkit from 0.86.0 to 0.90.0 in docker/login-action#970

Bump brace-expansion from 2.0.1 to 5.0.6 in docker/login-action#993

Bump fast-xml-builder from 1.1.4 to 1.2.0 in docker/login-action#985

Bump fast-xml-parser from 5.3.6 to 5.8.0 in docker/login-action#963

Bump http-proxy-agent and https-proxy-agent to 9.0.0 in docker/login-action#961

Bump postcss from 8.5.6 to 8.5.10 in docker/login-action#979

Bump tar from 6.2.1 to 7.5.15 in docker/login-action#991

Bump vite from 7.3.1 to 7.3.3 in docker/login-action#986

Full Changelog: docker/login-action@v4.1.0...v4.2.0

v4.1.0

Fix scoped Docker Hub cleanup path when registry is omitted by @crazy-max in docker/login-action#945

Bump @aws-sdk/client-ecr and @aws-sdk/client-ecr-public to 3.1020.0 in docker/login-action#930

Bump @docker/actions-toolkit from 0.77.0 to 0.86.0 in docker/login-action#932 docker/login-action#936

Bump brace-expansion from 1.1.12 to 1.1.13 in docker/login-action#952

Bump fast-xml-parser from 5.3.4 to 5.3.6 in docker/login-action#942

Bump flatted from 3.3.3 to 3.4.2 in docker/login-action#944

Bump glob from 10.3.12 to 10.5.0 in docker/login-action#940

Bump handlebars from 4.7.8 to 4.7.9 in docker/login-action#949

Bump http-proxy-agent and https-proxy-agent to 8.0.0 in docker/login-action#937

Bump lodash from 4.17.23 to 4.18.1 in docker/login-action#958

Bump minimatch from 3.1.2 to 3.1.5 in docker/login-action#941

Bump picomatch from 4.0.3 to 4.0.4 in docker/login-action#948

Bump undici from 6.23.0 to 6.24.1 in docker/login-action#938

Full Changelog: docker/login-action@v4.0.0...v4.1.0

v4.0.0

Node 24 as default runtime (requires

Bumps the actions group in /.github/workflows with 12 updates: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.9.1` | `2.19.4` | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `1.11.2` | `3.2.0` | | [actions/checkout](https://github.com/actions/checkout) | `4.1.7` | `6.0.3` | | [actions/setup-python](https://github.com/actions/setup-python) | `5.4.0` | `6.2.0` | | [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) | `6.2.0` | `7.0.0` | | [ad-m/github-push-action](https://github.com/ad-m/github-push-action) | `0.8.0` | `1.3.0` | | [mamba-org/setup-micromamba](https://github.com/mamba-org/setup-micromamba) | `2.0.4` | `3.0.0` | | [docker/login-action](https://github.com/docker/login-action) | `3.3.0` | `4.2.0` | | [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3.6.1` | `4.1.0` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `6.7.0` | `7.2.0` | | [actions/labeler](https://github.com/actions/labeler) | `5.0.0` | `6.1.0` | | [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) | `1.12.4` | `1.14.0` | Updates `step-security/harden-runner` from 2.9.1 to 2.19.4 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@v2.9.1...9af89fc) Updates `actions/create-github-app-token` from 1.11.2 to 3.2.0 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Changelog](https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md) - [Commits](actions/create-github-app-token@136412a...bcd2ba4) Updates `actions/checkout` from 4.1.7 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4.1.7...df4cb1c) Updates `actions/setup-python` from 5.4.0 to 6.2.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@v5.4.0...a309ff8) Updates `crazy-max/ghaction-import-gpg` from 6.2.0 to 7.0.0 - [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases) - [Commits](crazy-max/ghaction-import-gpg@cb9bde2...2dc316d) Updates `ad-m/github-push-action` from 0.8.0 to 1.3.0 - [Release notes](https://github.com/ad-m/github-push-action/releases) - [Commits](ad-m/github-push-action@d91a481...881a632) Updates `mamba-org/setup-micromamba` from 2.0.4 to 3.0.0 - [Release notes](https://github.com/mamba-org/setup-micromamba/releases) - [Commits](mamba-org/setup-micromamba@0dea637...d7c9bd8) Updates `docker/login-action` from 3.3.0 to 4.2.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@9780b0c...650006c) Updates `docker/setup-buildx-action` from 3.6.1 to 4.1.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@988b5a0...d7f5e7f) Updates `docker/build-push-action` from 6.7.0 to 7.2.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@5cd11c3...f9f3042) Updates `actions/labeler` from 5.0.0 to 6.1.0 - [Release notes](https://github.com/actions/labeler/releases) - [Commits](actions/labeler@8558fd7...f27b608) Updates `pypa/gh-action-pypi-publish` from 1.12.4 to 1.14.0 - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](pypa/gh-action-pypi-publish@76f52bc...cef2210) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.19.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/create-github-app-token dependency-version: 3.2.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/setup-python dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: crazy-max/ghaction-import-gpg dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: ad-m/github-push-action dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: mamba-org/setup-micromamba dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: docker/login-action dependency-version: 4.2.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: docker/setup-buildx-action dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: docker/build-push-action dependency-version: 7.2.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/labeler dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: pypa/gh-action-pypi-publish dependency-version: 1.14.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 12, 2026

github-actions Bot added the CI label Jun 12, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the actions group in /.github/workflows with 12 updates#298

Bump the actions group in /.github/workflows with 12 updates#298
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/dot-github/workflows/actions-b46f94108c

dependabot Bot commented on behalf of github Jun 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 12, 2026

v2.19.4

What's Changed

v2.19.3

What's Changed

v2.19.2

What's Changed

v2.19.1

What's Changed

New Contributors

v2.19.0

What's Changed

New Runner Support

Automated Incident Response for Supply Chain Attacks

Bug Fixes

v3.2.0

3.2.0 (2026-05-12)

Features

Bug Fixes

v3.1.1

3.1.1 (2026-04-11)

Bug Fixes

v3.1.0

3.1.0 (2026-04-11)

Bug Fixes

Features

v3.0.0

3.0.0 (2026-03-14)

Bug Fixes

Changelog

3.2.0 (2026-05-12)

Features

Bug Fixes

v6.0.3

What's Changed

New Contributors

v6.0.2

What's Changed

v6.0.1

What's Changed

v6.0.0

What's Changed

v6-beta

What's Changed

v5.0.1

What's Changed

Changelog

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v6.2.0

What's Changed

Dependency Upgrades

v6.1.0

What's Changed

Enhancements:

Dependency and Documentation updates:

New Contributors

v6.0.0

What's Changed

Breaking Changes

Enhancements:

Bug fixes:

Dependency updates:

v7.0.0

v6.3.0

v1.3.0

What's Changed

v1.2.0

What's Changed