
chore(deps): bump the actions-version-updates group across 1 directory with 11 updates #15

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions-version-updates-588ea602ad

Conversation


@dependabot dependabot Bot commented on behalf of github May 6, 2026


Bumps the actions-version-updates group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| step-security/harden-runner | 2.12.0 | 2.19.1 |
| actions/checkout | 4.2.2 | 6.0.2 |
| actions/dependency-review-action | 4.7.1 | 4.9.0 |
| actions/add-to-project | 0.5.0 | 2.0.0 |
| tspascoal/get-user-teams-membership | 3 | 4 |
| actions-ecosystem/action-add-labels | 1.1.0 | 1.1.3 |
| subosito/flutter-action | 2.19.0 | 2.23.0 |
| stefanzweifel/git-auto-commit-action | 5.2.0 | 7.1.0 |
| ossf/scorecard-action | 2.4.1 | 2.4.3 |
| github/codeql-action | 3.28.18 | 4.35.3 |
| mridang/action-test-reporter | 1.7.0 | 3 |

Updates step-security/harden-runner from 2.12.0 to 2.19.1

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.1

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers: If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies; see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

v2.17.0

What's Changed

Policy Store Support

Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode.

Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0

v2.16.1

... (truncated)

Commits

Updates actions/checkout from 4.2.2 to 6.0.2

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version: v2.327.1 (Release Notes)

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

... (truncated)

Commits

Updates actions/dependency-review-action from 4.7.1 to 4.9.0

Release notes

Sourced from actions/dependency-review-action's releases.

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

  • There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @felickz!
  • Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unnecessary slowness. Great catch @jantiebot!
  • There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces. Thanks @juxtin!

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and uploaded them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3

v4.8.2

Minor fixes:

... (truncated)

Commits
  • 2031cfc Merge pull request #1064 from actions/ahpook/release-4.9.0
  • d02fa39 Updates for release 4.9.0
  • 4038a34 Merge pull request #1021 from actions/dependabot/github_actions/actions/check...
  • a632b83 Merge pull request #1058 from actions/dependabot/github_actions/actions/stale...
  • 57a3d46 Merge pull request #1060 from jantiebot/main
  • 5ecdc4b Merge pull request #1045 from forks-felickz/main
  • e8c2f9a fix: remove inferrable type annotation to pass eslint
  • 0e129e1 Prettier - Refactor summary table rendering for improved readability
  • aa60746 Add 'show-patched-versions' option to configuration and update summary handling
  • e404798 Merge upstream actions/dependency-review-action main
  • Additional commits viewable in compare view

Updates actions/add-to-project from 0.5.0 to 2.0.0

Release notes

Sourced from actions/add-to-project's releases.

v2

What's Changed

... (truncated)

Commits
  • 5afcf98 Merge pull request #712 from salmanmkc/node24
  • ffed68f Merge main and update action runtime to Node 24
  • 27022a1 Merge pull request #777 from actions/dependabot/npm_and_yarn/types/node-25.5.0
  • cc89d2e Merge pull request #778 from actions/dependabot/npm_and_yarn/globals-17.4.0
  • ef8e6ff Merge pull request #779 from actions/dependabot/npm_and_yarn/eslint-plugin-je...
  • eb406b3 Merge pull request #780 from actions/dependabot/npm_and_yarn/handlebars-4.7.9
  • bb8d4d7 Bump handlebars from 4.7.8 to 4.7.9
  • a6fcf8b Bump eslint-plugin-jest from 29.12.1 to 29.15.1
  • b35f5d3 Bump globals from 17.0.0 to 17.4.0
  • 036fea0 Bump @types/node from 25.0.3 to 25.5.0
  • Additional commits viewable in compare view

Updates tspascoal/get-user-teams-membership from 3 to 4

Release notes

Sourced from tspascoal/get-user-teams-membership's releases.

4.0.0

What's Changed

Maintenance release to upgrade to node 24

Runtime Dependencies Updates

New Contributors

Full Changelog: tspascoal/get-user-teams-membership@v3...v4.0.0

Commits
  • 818140d dist for for 4.0.1
  • a6c1534 Merge pull request #61 from tspascoal/add-unit-tests
  • 59b7148 bump version on package.json
  • 44e3797 Add unit tests
  • d99840d Merge pull request #60 from tspascoal/user-required
  • 097de9a Merge pull request #59 from tspascoal/improve-performance
  • ddff291 fix: make username input required in getInput
  • 8fba4f0 Improve performance by increasing the page size
  • 90aeb63 Merge pull request #58 from tspascoal/copilot/fix-isteammember-output-docs
  • 05c1b17 fix name in action.yml
  • Additional commits viewable in compare view

Updates actions-ecosystem/action-add-labels from 1.1.0 to 1.1.3

Commits
  • 18f1af5 Make github_token not requirement (#259)
  • 7548625 Update default branch for release trigger (#254)
  • a8ae047 Update workflow trigger pull_request -> pull_request_target (#183)
  • b2442fe Make github_token input optional (#160)
  • 442934f Bump lodash from 4.17.15 to 4.17.19 (#69)
  • 4efa0cd Bump @actions/core from 1.2.4 to 1.2.6 (#100)
  • cff25c1 Bump jest-circus from 24.9.0 to 26.0.1 (#40)
  • 7fd0d4e Bump @zeit/ncc from 0.20.5 to 0.22.3 (#42)
  • bdfefdd Bump @types/semver from 6.2.1 to 7.2.0 (#41)
  • 96c379d Bump typescript from 3.8.3 to 3.9.3 (#39)
  • Additional commits viewable in compare view

Updates subosito/flutter-action from 2.19.0 to 2.23.0

Release notes

Sourced from subosito/flutter-action's releases.

v2.23.0

What's Changed

New Contributors

Full Changelog: subosito/flutter-action@v2...v2.23.0

v2.22.0

What's Changed

New Contributors

Full Changelog: subosito/flutter-action@v2...v2.22.0

v2.21.0

What's Changed

New Contributors

Full Changelog: subosito/flutter-action@v2.20.0...v2.21.0

v2.20.0

What's Changed

New Contributors

Full Changelog: subosito/flutter-action@v2...v2.20.0

Commits

Updates stefanzweifel/git-auto-commit-action from 5.2.0 to 7.1.0

Release notes

Sourced from stefanzweifel/git-auto-commit-action's releases.

v7.1.0

Added

Changes

Dependency Updates

v7.0.0

Added

…y with 11 updates

Bumps the actions-version-updates group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.12.0` | `2.19.1` |
| [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `6.0.2` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.7.1` | `4.9.0` |
| [actions/add-to-project](https://github.com/actions/add-to-project) | `0.5.0` | `2.0.0` |
| [tspascoal/get-user-teams-membership](https://github.com/tspascoal/get-user-teams-membership) | `3` | `4` |
| [actions-ecosystem/action-add-labels](https://github.com/actions-ecosystem/action-add-labels) | `1.1.0` | `1.1.3` |
| [subosito/flutter-action](https://github.com/subosito/flutter-action) | `2.19.0` | `2.23.0` |
| [stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action) | `5.2.0` | `7.1.0` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.4.1` | `2.4.3` |
| [github/codeql-action](https://github.com/github/codeql-action) | `3.28.18` | `4.35.3` |
| [mridang/action-test-reporter](https://github.com/mridang/action-test-reporter) | `1.7.0` | `3` |



Updates `step-security/harden-runner` from 2.12.0 to 2.19.1
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@0634a26...a5ad31d)

Updates `actions/checkout` from 4.2.2 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@11bd719...de0fac2)

Updates `actions/dependency-review-action` from 4.7.1 to 4.9.0
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@da24556...2031cfc)

Updates `actions/add-to-project` from 0.5.0 to 2.0.0
- [Release notes](https://github.com/actions/add-to-project/releases)
- [Commits](actions/add-to-project@v0.5.0...v2.0.0)

Updates `tspascoal/get-user-teams-membership` from 3 to 4
- [Release notes](https://github.com/tspascoal/get-user-teams-membership/releases)
- [Commits](tspascoal/get-user-teams-membership@v3...v4)

Updates `actions-ecosystem/action-add-labels` from 1.1.0 to 1.1.3
- [Release notes](https://github.com/actions-ecosystem/action-add-labels/releases)
- [Commits](actions-ecosystem/action-add-labels@v1.1.0...v1.1.3)

Updates `subosito/flutter-action` from 2.19.0 to 2.23.0
- [Release notes](https://github.com/subosito/flutter-action/releases)
- [Commits](subosito/flutter-action@v2.19.0...1a44944)

Updates `stefanzweifel/git-auto-commit-action` from 5.2.0 to 7.1.0
- [Release notes](https://github.com/stefanzweifel/git-auto-commit-action/releases)
- [Changelog](https://github.com/stefanzweifel/git-auto-commit-action/blob/master/CHANGELOG.md)
- [Commits](stefanzweifel/git-auto-commit-action@b863ae1...04702ed)

Updates `ossf/scorecard-action` from 2.4.1 to 2.4.3
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@f49aabe...4eaacf0)

Updates `github/codeql-action` from 3.28.18 to 4.35.3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@ff0a06e...e46ed2c)

Updates `mridang/action-test-reporter` from 1.7.0 to 3
- [Release notes](https://github.com/mridang/action-test-reporter/releases)
- [Changelog](https://github.com/mridang/action-test-reporter/blob/master/release.config.mjs)
- [Commits](mridang/action-test-reporter@7cdeb98...464f095)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-version-updates
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: actions/dependency-review-action
  dependency-version: 4.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-version-updates
- dependency-name: actions/add-to-project
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: tspascoal/get-user-teams-membership
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: actions-ecosystem/action-add-labels
  dependency-version: 1.1.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-version-updates
- dependency-name: subosito/flutter-action
  dependency-version: 2.23.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-version-updates
- dependency-name: stefanzweifel/git-auto-commit-action
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-version-updates
- dependency-name: github/codeql-action
  dependency-version: 4.35.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
- dependency-name: mridang/action-test-reporter
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-version-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels `dependencies` (Pull requests that update a dependency file) and `github_actions` (Pull requests that update GitHub Actions code) on May 6, 2026.