Skip to content

chore(deps): bump the actions-updates group across 1 directory with 5 updates#96

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions-updates-8249a36a12
Closed

chore(deps): bump the actions-updates group across 1 directory with 5 updates#96
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions-updates-8249a36a12

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 4, 2026
edited
Loading

Bumps the actions-updates group with 5 updates in the / directory:

Package From To
step-security/harden-runner 2.13.1 2.15.0
actions/checkout 5.0.0 6.0.2
actions/cache 4.3.0 5.0.3
actions/create-github-app-token 2.1.4 2.2.1
release-plz/action 0.5.118 0.5.127

Updates step-security/harden-runner from 2.13.1 to 2.15.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.15.0

What's Changed

Windows and macOS runner support

We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.

Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.

Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0

v2.14.2

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

v2.14.1

What's Changed

  1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

  2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

v2.14.0

What's Changed

  • Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
  • Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.

Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0

v2.13.3

What's Changed

  • Fixed an issue where process events were not uploaded in certain edge cases.

Full Changelog: step-security/harden-runner@v2.13.2...v2.13.3

v2.13.2

What's Changed

  • Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
  • Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.

Full Changelog: step-security/harden-runner@v2.13.1...v2.13.2

Commits
  • a90bcbc Update readme (#637)
  • f0a59d8 Release v2.15.0 (#639)
  • 5ef0c07 Merge pull request #635 from step-security/rc-34
  • eb43c7b update agent
  • e3f713f Merge pull request #631 from step-security/rc-31
  • 423acdd chore: fix npm audit vulnerabilities
  • 0ddb86c update agent
  • 20cf305 Merge pull request #622 from step-security/feature/custom-property-skip
  • c51e8ee feat: skip agent install and post step on subsequent runs for GitHub-hosted r...
  • e152b90 feat: skip harden-runner based on repository custom property
  • Additional commits viewable in compare view

Updates actions/checkout from 5.0.0 to 6.0.2

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

... (truncated)

Commits

Updates actions/cache from 4.3.0 to 5.0.3

Release notes

Sourced from actions/cache's releases.

v5.0.3

What's Changed

Full Changelog: actions/cache@v5...v5.0.3

v.5.0.2

v5.0.2

What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

v5.0.1

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

v5.0.1

What's Changed

v5.0.0

What's Changed

Full Changelog: actions/cache@v5...v5.0.1

v5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

What's Changed

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.3

5.0.2

  • Bump @actions/cache to v5.0.3 #1692

5.0.1

  • Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

4.3.0

  • Bump @actions/cache to v4.1.0

... (truncated)

Commits

Updates actions/create-github-app-token from 2.1.4 to 2.2.1

Release notes

Sourced from actions/create-github-app-token's releases.

v2.2.1

2.2.1 (2025-12-05)

Bug Fixes

  • deps: bump the production-dependencies group with 2 updates (#311) (b212e6a)

v2.2.0

2.2.0 (2025-11-21)

Bug Fixes

  • deps: bump glob from 10.4.5 to 10.5.0 (#305) (5480f43)
  • deps: bump p-retry from 6.2.1 to 7.1.0 (#294) (dce3be8)
  • deps: bump the production-dependencies group with 2 updates (#292) (55e2a4b)

Features

Commits
  • 29824e6 build(release): 2.2.1 [skip ci]
  • b212e6a fix(deps): bump the production-dependencies group with 2 updates (#311)
  • 8efbf9b ci: create stale workflow (#309)
  • 7e473ef build(release): 2.2.0 [skip ci]
  • dce3be8 fix(deps): bump p-retry from 6.2.1 to 7.1.0 (#294)
  • 5480f43 fix(deps): bump glob from 10.4.5 to 10.5.0 (#305)
  • d90aa53 feat: update permission inputs (#296)
  • 55e2a4b fix(deps): bump the production-dependencies group with 2 updates (#292)
  • cc6f999 ci(test): trigger on merge_group (#308)
  • 40fa6b5 build(deps-dev): bump @​sinonjs/fake-timers from 14.0.0 to 15.0.0 (#295)
  • Additional commits viewable in compare view

Updates release-plz/action from 0.5.118 to 0.5.127

Release notes

Sourced from release-plz/action's releases.

v0.5.127

What's Changed

Full Changelog: release-plz/action@v0.5...v0.5.127

v0.5.126

What's Changed

Full Changelog: release-plz/action@v0.5...v0.5.126

v0.5.125

What's Changed

Full Changelog: release-plz/action@v0.5...v0.5.125

v0.5.124

What's Changed

Full Changelog: release-plz/action@v0.5...v0.5.124

v0.5.123

What's Changed

Full Changelog: release-plz/action@v0.5...v0.5.123

v0.5.122

What's Changed

New Contributors

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump the actions-updates group across 1 directory with 5…
78e964d 
… updates

Bumps the actions-updates group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.13.1` | `2.15.0` |
| [actions/checkout](https://github.com/actions/checkout) | `5.0.0` | `6.0.2` |
| [actions/cache](https://github.com/actions/cache) | `4.3.0` | `5.0.3` |
| [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `2.1.4` | `2.2.1` |
| [release-plz/action](https://github.com/release-plz/action) | `0.5.118` | `0.5.127` |



Updates `step-security/harden-runner` from 2.13.1 to 2.15.0
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@f4a75cf...a90bcbc)

Updates `actions/checkout` from 5.0.0 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@08c6903...de0fac2)

Updates `actions/cache` from 4.3.0 to 5.0.3
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@0057852...cdf6c1f)

Updates `actions/create-github-app-token` from 2.1.4 to 2.2.1
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](actions/create-github-app-token@6701853...29824e6)

Updates `release-plz/action` from 0.5.118 to 0.5.127
- [Release notes](https://github.com/release-plz/action/releases)
- [Commits](release-plz/action@d529f73...f708778)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-updates
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-updates
- dependency-name: actions/cache
  dependency-version: 5.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-updates
- dependency-name: actions/create-github-app-token
  dependency-version: 2.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-updates
- dependency-name: release-plz/action
  dependency-version: 0.5.127
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 4, 2026
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Mar 5, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Mar 5, 2026
@dependabot dependabot bot deleted the dependabot/github_actions/actions-updates-8249a36a12 branch March 5, 2026 07:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants