ci: bump the github-actions-all group with 5 updates by dependabot[bot] · Pull Request #82 · ssa1004/commerce-ops

dependabot · 2026-06-22T06:18:47Z

Bumps the github-actions-all group with 5 updates:

Package	From	To
actions/checkout	`5`	`7`
azure/setup-helm	`4.3.0`	`5.0.0`
github/codeql-action	`3`	`4`
gradle/actions	`4`	`6`
actions/upload-artifact	`5.0.0`	`7.0.1`

Updates actions/checkout from 5 to 7

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

block checking out fork pr for pull_request_target and workflow_run by @aiqiaoy in actions/checkout#2454

Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @dependabot[bot] in actions/checkout#2458

Bump flatted from 3.3.1 to 3.4.2 by @dependabot[bot] in actions/checkout#2460

Bump js-yaml from 4.1.0 to 4.2.0 by @dependabot[bot] in actions/checkout#2461

Bump @actions/core and @actions/tool-cache and Remove uuid by @dependabot[bot] in actions/checkout#2459

upgrade module to esm and update dependencies by @aiqiaoy in actions/checkout#2463

Bump the minor-npm-dependencies group across 1 directory with 3 updates by @dependabot[bot] in actions/checkout#2462

getting ready for checkout v7 release by @aiqiaoy in actions/checkout#2464

update error wording by @aiqiaoy in actions/checkout#2467

New Contributors

@aiqiaoy made their first contribution in actions/checkout#2454

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

Update changelog by @ericsciple in actions/checkout#2357

fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in actions/checkout#2414

Fix checkout init for SHA-256 repositories by @yaananth in actions/checkout#2439

Update changelog for v6.0.3 by @yaananth in actions/checkout#2446

New Contributors

@yaananth made their first contribution in actions/checkout#2414

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set by @TingluoHuang in actions/checkout#2355

Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in actions/checkout#2356

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Update all references from v5 and v4 to v6 by @ericsciple in actions/checkout#2314

Add worktree support for persist-credentials includeIf by @ericsciple in actions/checkout#2327

Clarify v6 README by @ericsciple in actions/checkout#2328

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

Update README to include Node.js 24 support details and requirements by @salmanmkc in actions/checkout#2248

Persist creds to a separate file by @ericsciple in actions/checkout#2286

v6-beta by @ericsciple in actions/checkout#2298

... (truncated)

Commits

9c091bb update error wording (#2467)
1044a6d getting ready for checkout v7 release (#2464)
f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
d914b26 upgrade module to esm and update dependencies (#2463)
537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
0f9f3aa Bump actions/publish-immutable-action (#2458)
f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)
df4cb1c Update changelog for v6.0.3 (#2446)
Additional commits viewable in compare view

Updates azure/setup-helm from 4.3.0 to 5.0.0

Release notes

Sourced from azure/setup-helm's releases.

v5.0.0

Changed

#259 Update Node.js runtime from node20 to node24

#263 Bump undici

#257 Bump undici and @actions/http-client

#256 Bump minimatch

#248 Bump the actions group with 2 updates

#247 Bump the actions group with 3 updates

#246 Bump @types/node from 25.0.2 to 25.0.3 in the actions group

#245 Bump the actions group with 3 updates

#243 Bump the actions group with 2 updates

#240 Bump prettier from 3.6.2 to 3.7.3 in the actions group

#229 Bump the actions group across 1 directory with 3 updates

#231 Bump js-yaml from 3.14.1 to 3.14.2

#234 Bump glob from 10.4.5 to 10.5.0

#225 Fix build error

#222 Bump @types/node from 24.7.2 to 24.8.1 in the actions group

#220 Bump the actions group across 1 directory with 4 updates

#216 Bump the actions group across 1 directory with 4 updates

#213 Bump the actions group with 2 updates

#211 Bump undici

#212 Bump jest from 30.0.5 to 30.1.2 in the actions group

#210 Bump @types/node from 24.2.1 to 24.3.0 in the actions group

v4.3.1

Changed

#167 Pinning Action Dependencies for Security and Reliability

#181 Fix types, and update node version.

#191 chore(tests): Mock arch to make tests pass on arm host

#192 chore: remove unnecessary prebuild script

#203 Update helm version retrieval to use JSON output for latest version

#207 ci(workflows): update helm version to v3.18.4 and add matrix for tests

Added

#197 Add pre-commit hook

Changelog

Sourced from azure/setup-helm's changelog.

Change Log

[5.0.0] - 2026-03-23

Changed

#259 Update Node.js runtime from node20 to node24

#263 Bump undici

#257 Bump undici and @actions/http-client

#256 Bump minimatch

#248 Bump the actions group with 2 updates

#247 Bump the actions group with 3 updates

#246 Bump @types/node from 25.0.2 to 25.0.3 in the actions group

#245 Bump the actions group with 3 updates

#243 Bump the actions group with 2 updates

#240 Bump prettier from 3.6.2 to 3.7.3 in the actions group

#229 Bump the actions group across 1 directory with 3 updates

#231 Bump js-yaml from 3.14.1 to 3.14.2

#234 Bump glob from 10.4.5 to 10.5.0

#225 Fix build error

#222 Bump @types/node from 24.7.2 to 24.8.1 in the actions group

#220 Bump the actions group across 1 directory with 4 updates

#216 Bump the actions group across 1 directory with 4 updates

#213 Bump the actions group with 2 updates

#211 Bump undici

#212 Bump jest from 30.0.5 to 30.1.2 in the actions group

#210 Bump @types/node from 24.2.1 to 24.3.0 in the actions group

[4.3.1] - 2025-08-12

Changed

#167 Pinning Action Dependencies for Security and Reliability

#181 Fix types, and update node version.

#191 chore(tests): Mock arch to make tests pass on arm host

#192 chore: remove unnecessary prebuild script

#203 Update helm version retrieval to use JSON output for latest version

#207 ci(workflows): update helm version to v3.18.4 and add matrix for tests

Added

#197 Add pre-commit hook

[4.3.0] - 2025-02-15

#152 feat: log when restoring from cache

#157 Dependencies Update

#137 Add dependabot

[4.2.0] - 2024-04-15

... (truncated)

Commits

dda3372 build
3894c84 chore(release): v5.0.0 (#265)
ca66f38 Update Node.js runtime from node20 to node24 (#259)
316ed5a Bump undici (#263)
bc9bc0c Bump undici and @actions/http-client (#257)
16e3094 Bump minimatch (#256)
6e42753 Bump actions/stale in /.github/workflows in the actions group (#255)
9651d9d Bump actions/checkout in /.github/workflows in the actions group (#251)
658bff9 Bump the actions group with 2 updates (#248)
331c814 Bump the actions group with 3 updates (#247)
Additional commits viewable in compare view

Updates github/codeql-action from 3 to 4

Release notes

Sourced from github/codeql-action's releases.

v3.36.2

Cache CodeQL CLI version information across Actions steps. #3943

Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #3937

Update default CodeQL bundle version to 2.25.6. #3948

v3.36.1

No user facing changes.

v3.36.0

Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894

Add support for SHA-256 Git object IDs. #3893

Update default CodeQL bundle version to 2.25.5. #3926

v3.35.5

We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899

For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791

If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892

Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

v3.35.4

Update default CodeQL bundle version to 2.25.4. #3881

v3.35.3

Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837

Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850

Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853

Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852

Update default CodeQL bundle version to 2.25.3. #3865

v3.35.2

The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795

The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789

Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794

Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807

Update default CodeQL bundle version to 2.25.2. #3823

v3.35.1

Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

v3.35.0

Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767

Update default CodeQL bundle version to 2.25.1. #3773

v3.34.1

Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

v3.34.0

Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569

We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584

Update default CodeQL bundle version to 2.25.0. #3585

... (truncated)

Commits

0ad7c1f Rebuild
25c25b5 Update changelog and version after v4.36.1
87557b9 Merge pull request #3940 from github/update-v4.36.1-2a1689ed4
9431011 Update changelog for v4.36.1
2a1689e Merge pull request #3939 from github/henrymercer/skip-overlay-revert-when-exp...
d40e417 Only do initial wait when not running tests
5245323 Disable missing diff-ranges fallback when overlay enabled manually
948a63a Add FF to force JGit-based Git backend
See full diff in compare view

Updates gradle/actions from 4 to 6

Release notes

Sourced from gradle/actions's releases.

v6.0.0

[!IMPORTANT] The release of gradle/actions@v6 contains important changes to the license terms. More details in this blog post. TL;DR: By upgrading to v6, you accept the Terms of Use for the gradle-actions-caching component.

Summary

Caching functionality of 'gradle-actions' has been extracted into a separate gradle-actions-caching library, and is no longer open-source. See this blog post for more context.

Existing, rudimentary, configuration-cache support has been removed, pending a fully functional implementation in gradle-actions-caching.

Dependencies updated to address security vulnerabilities

[!IMPORTANT]

Licensing notice

The caching functionality in `gradle-actions` has been extracted into `gradle-actions-caching`, a proprietary commercial component that is not covered by the MIT License. The bundled `gradle-actions-caching` component is licensed and governed by a separate license, available at https://gradle.com/legal/terms-of-use/.

The `gradle-actions-caching` component is used only when caching is enabled and is not loaded or used when caching is disabled.

Use of the `gradle-actions-caching` component is subject to a separate license, available at https://gradle.com/legal/terms-of-use/. If you do not agree to these license terms, do not use the `gradle-actions-caching` component.

What's Changed

Bump the npm-dependencies group in /sources with 2 updates by @dependabot[bot] in gradle/actions#866

Update known wrapper checksums by @github-actions[bot] in gradle/actions#868

Dependency updates by @bigdaz in gradle/actions#876

Update known wrapper checksums by @github-actions[bot] in gradle/actions#878

Bump @types/node from 25.3.3 to 25.3.5 in /sources in the npm-dependencies group across 1 directory by @dependabot[bot] in gradle/actions#877

Bump the github-actions group across 3 directories with 3 updates by @dependabot[bot] in gradle/actions#867

Update known wrapper checksums by @github-actions[bot] in gradle/actions#881

Bump the npm-dependencies group in /sources with 6 updates by @dependabot[bot] in gradle/actions#879

Bump the github-actions group across 3 directories with 5 updates by @dependabot[bot] in gradle/actions#880

Remove configuration-cache support by @bigdaz in gradle/actions#884

Extract caching logic into a separate gradle-actions-caching component by @bigdaz in gradle/actions#885

Update gradle-actions-caching library to v0.3.0 by @bot-githubaction in gradle/actions#899

Avoid windows shutdown bug by @bigdaz in gradle/actions#900

Dependency updates by @bigdaz in gradle/actions#905

Fix critical and high npm vulnerabilities by @bigdaz in gradle/actions#904

Fix rendering of job-disabled message by @bigdaz in gradle/actions#909

Full Changelog: gradle/actions@v5.0.2...v6.0.0

v5.0.2

Summary

This release contains no functional changes. It updates dependencies and known Gradle wrapper checksums.

What's Changed

Update dependencies by @bigdaz in gradle/actions#851

... (truncated)

Commits

3f131e8 [bot] Update dist directory
97715a2 Redesign the caching Job Summary (#985)
8b6cdb5 CI: add requireable aggregate/no-op checks for branch protection (#984)
5852e0e [bot] Update dist directory
318eed7 Hide obsolete Job summaries (#902)
a740661 Improve typings (#938)
7ae0d02 Update gradle-actions-caching library to v0.6.0 (#982)
e473973 Scope CI-integ-test concurrency groups per-branch
35a4a3f Queue up integ-test runs
b6eebf3 [bot] Update dist directory
Additional commits viewable in compare view

Updates actions/upload-artifact from 5.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

Update the readme with direct upload details by @danwkennedy in actions/upload-artifact#795

Readme: bump all the example versions to v7 by @danwkennedy in actions/upload-artifact#796

Include changes in typespec/ts-http-runtime 0.3.5 by @yacaovsnc in actions/upload-artifact#797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Add proxy integration test by @Link- in actions/upload-artifact#754

Upgrade the module to ESM and bump dependencies by @danwkennedy in actions/upload-artifact#762

Support direct file uploads by @danwkennedy in actions/upload-artifact#764

New Contributors

@Link- made their first contribution in actions/upload-artifact#754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Upload Artifact Node 24 support by @salmanmkc in actions/upload-artifact#719

fix: update @actions/artifact for Node.js 24 punycode deprecation by @salmanmkc in actions/upload-artifact#744

prepare release v6.0.0 for Node.js 24 support by @salmanmkc in actions/upload-artifact#745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

Commits

043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
634250c Include changes in typespec/ts-http-runtime 0.3.5
e454baa Readme: bump all the example versions to v7 (#796)
74fad66 Update the readme with direct upload details (#795)
bbbca2d Support direct file uploads (#764)
589182c Upgrade the module to ESM and bump dependencies (#762)
47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
02a8460 Add proxy integration test
b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
e516bc8 docs: correct description of Node.js 24 support in README
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the github-actions-all group with 5 updates: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `5` | `7` | | [azure/setup-helm](https://github.com/azure/setup-helm) | `4.3.0` | `5.0.0` | | [github/codeql-action](https://github.com/github/codeql-action) | `3` | `4` | | [gradle/actions](https://github.com/gradle/actions) | `4` | `6` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `5.0.0` | `7.0.1` | Updates `actions/checkout` from 5 to 7 - [Release notes](https://github.com/actions/checkout/releases) - [Commits](actions/checkout@v5...v7) Updates `azure/setup-helm` from 4.3.0 to 5.0.0 - [Release notes](https://github.com/azure/setup-helm/releases) - [Changelog](https://github.com/Azure/setup-helm/blob/main/CHANGELOG.md) - [Commits](Azure/setup-helm@b9e5190...dda3372) Updates `github/codeql-action` from 3 to 4 - [Release notes](https://github.com/github/codeql-action/releases) - [Commits](github/codeql-action@v3...v4) Updates `gradle/actions` from 4 to 6 - [Release notes](https://github.com/gradle/actions/releases) - [Commits](gradle/actions@v4...v6) Updates `actions/upload-artifact` from 5.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@330a01c...043fb46) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions-all - dependency-name: azure/setup-helm dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions-all - dependency-name: github/codeql-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions-all - dependency-name: gradle/actions dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions-all - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions-all ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-06-22T06:18:48Z

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot · 2026-06-22T06:53:56Z

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

This was referenced Jun 22, 2026

ci: bump actions/checkout from 5 to 7 #62

Closed

ci: bump actions/upload-artifact from 5.0.0 to 7.0.1 #68

Closed

ci: bump azure/setup-helm from 4.3.0 to 5.0.0 #69

Closed

ssa1004 closed this Jun 22, 2026

dependabot Bot deleted the dependabot/github_actions/github-actions-all-0026f89a17 branch June 22, 2026 06:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: bump the github-actions-all group with 5 updates#82

ci: bump the github-actions-all group with 5 updates#82
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/github-actions-all-0026f89a17

dependabot Bot commented on behalf of github Jun 22, 2026

Uh oh!

dependabot Bot commented on behalf of github Jun 22, 2026

Uh oh!

dependabot Bot commented on behalf of github Jun 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Jun 22, 2026

v7.0.0

What's Changed

New Contributors

v6.0.3

What's Changed

New Contributors

v6.0.2

What's Changed

v6.0.1

What's Changed

v6.0.0

What's Changed

v5.0.0

Changed

v4.3.1

Changed

Added

Change Log

[5.0.0] - 2026-03-23

Changed

[4.3.1] - 2025-08-12

Changed

Added

[4.3.0] - 2025-02-15

[4.2.0] - 2024-04-15

v3.36.2

v3.36.1

v3.36.0

v3.35.5

v3.35.4

v3.35.3

v3.35.2

v3.35.1

v3.35.0

v3.34.1

v3.34.0

v6.0.0

Summary

Licensing notice

What's Changed

v5.0.2

Summary

What's Changed

v7.0.1

What's Changed

v7.0.0

v7 What's new

Direct Uploads

ESM

What's Changed

New Contributors

v6.0.0

v6 - What's new

Node.js 24

What's Changed

Uh oh!

dependabot Bot commented on behalf of github Jun 22, 2026

Labels

Uh oh!

dependabot Bot commented on behalf of github Jun 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant