build(deps): bump the github-actions group across 1 directory with 8 updates

[dependabot]

Bumps the github-actions group with 8 updates in the / directory:

Package	From	To
actions/checkout	4	6
actions/create-github-app-token	2.0.6	3.0.0
tj-actions/changed-files	46	47
github/codeql-action	3	4
fossas/fossa-action	1.7.0	1.8.0
actions/setup-python	5	6
ossf/scorecard-action	2.4.2	2.4.3
actions/upload-artifact	4.6.2	7.0.0

Updates actions/checkout from 4 to 6

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043

... (truncated)

Commits

• de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
• 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• 08c6903 Prepare v5.0.0 release (#2238)
• Additional commits viewable in compare view

Updates actions/create-github-app-token from 2.0.6 to 3.0.0

Release notes

Sourced from actions/create-github-app-token's releases.

v3.0.0

3.0.0 (2026-03-14)

• feat!: node 24 support (#275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#143) (dce0ab0)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
• Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

• deps: bump @​actions/core from 1.11.1 to 3.0.0 (#337) (b044133)
• deps: bump minimatch from 9.0.5 to 9.0.9 (#335) (5cbc656)
• deps: bump the production-dependencies group with 4 updates (#336) (6bda5bc)
• deps: bump undici from 7.16.0 to 7.18.2 (#323) (b4f638f)

v3.0.0-beta.5

3.0.0-beta.5 (2026-03-13)

• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (d53a1cd)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.

v3.0.0-beta.4

3.0.0-beta.4 (2026-03-13)

Bug Fixes

• deps: bump @​octokit/auth-app from 7.2.1 to 8.0.1 (#257) (bef1eaf)
• deps: bump @​octokit/request from 9.2.3 to 10.0.2 (#256) (5d7307b)
• deps: bump glob from 10.4.5 to 10.5.0 (#305) (5480f43)
• deps: bump p-retry from 6.2.1 to 7.1.0 (#294) (dce3be8)

... (truncated)

Commits

• f8d387b build(release): 3.0.0 [skip ci]
• d2129bd style: remove extra blank line in release workflow
• 77b94ef build: refresh generated artifacts
• 3ab4c66 chore: move undici to devDependencies
• 739cf66 docs: update README action versions
• db40289 build(deps): bump actions versions in test.yml
• 496a7ac test: migrate from AVA to Node.js native test runner (#346)
• 3870dc3 Rename end-to-end proxy job in test workflow
• 4451bcb fix!: require NODE_USE_ENV_PROXY for proxy support (#342)
• dce0ab0 fix: remove custom proxy handling (#143)
• Additional commits viewable in compare view

Updates tj-actions/changed-files from 46 to 47

Release notes

Sourced from tj-actions/changed-files's releases.

v47

Changes in v47.0.2

What's Changed

• chore(deps-dev): bump eslint-plugin-jest from 29.2.1 to 29.11.0 by @​dependabot[bot] in tj-actions/changed-files#2751
• chore(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 by @​dependabot[bot] in tj-actions/changed-files#2741
• chore(deps): bump actions/download-artifact from 6.0.0 to 7.0.0 by @​dependabot[bot] in tj-actions/changed-files#2743
• chore(deps): bump @​actions/core from 2.0.0 to 2.0.2 by @​dependabot[bot] in tj-actions/changed-files#2757
• Updated README.md by @​github-actions[bot] in tj-actions/changed-files#2768
• chore: update dist by @​jackton1 in tj-actions/changed-files#2769
• chore: update matrix-example.yml by @​jackton1 in tj-actions/changed-files#2752
• feat: add support for excluding symlinks and fix bug with commit not found by @​jackton1 in tj-actions/changed-files#2770
• chore(deps): bump github/codeql-action from 4.31.7 to 4.31.10 by @​dependabot[bot] in tj-actions/changed-files#2761
• Updated README.md by @​github-actions[bot] in tj-actions/changed-files#2771
• chore(deps-dev): bump eslint-plugin-jest from 29.11.0 to 29.12.1 by @​dependabot[bot] in tj-actions/changed-files#2756
• chore(deps-dev): bump @​types/lodash from 4.17.21 to 4.17.23 by @​dependabot[bot] in tj-actions/changed-files#2759
• fix: Update test.yml by @​jackton1 in tj-actions/changed-files#2781
• chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @​dependabot[bot] in tj-actions/changed-files#2777
• chore(deps): bump @​stdlib/utils-convert-path from 0.2.2 to 0.2.3 by @​dependabot[bot] in tj-actions/changed-files#2795
• chore(deps-dev): bump @​types/node from 25.0.0 to 25.2.2 by @​dependabot[bot] in tj-actions/changed-files#2793
• chore(deps): bump actions/setup-node from 6.1.0 to 6.2.0 by @​dependabot[bot] in tj-actions/changed-files#2766

Full Changelog: tj-actions/changed-files@v47.0.1...v47.0.2

---

Changes in v47.0.1

What's Changed

• Upgraded to v47 by @​github-actions[bot] in tj-actions/changed-files#2663
• chore(deps-dev): bump @​types/node from 24.3.1 to 24.4.0 by @​dependabot[bot] in tj-actions/changed-files#2664
• chore(deps-dev): bump ts-jest from 29.4.1 to 29.4.3 by @​dependabot[bot] in tj-actions/changed-files#2671
• chore(deps-dev): bump @​vercel/ncc from 0.38.3 to 0.38.4 by @​dependabot[bot] in tj-actions/changed-files#2670
• chore(deps-dev): bump @​types/uuid from 10.0.0 to 11.0.0 by @​dependabot[bot] in tj-actions/changed-files#2668
• chore(deps-dev): bump @​types/node from 24.4.0 to 24.5.2 by @​dependabot[bot] in tj-actions/changed-files#2669
• chore(deps): bump github/codeql-action from 3.30.3 to 3.30.4 by @​dependabot[bot] in tj-actions/changed-files#2675
• chore(deps-dev): bump ts-jest from 29.4.3 to 29.4.4 by @​dependabot[bot] in tj-actions/changed-files#2672
• chore(deps): bump github/codeql-action from 3.30.4 to 3.30.5 by @​dependabot[bot] in tj-actions/changed-files#2676
• chore(deps-dev): bump jest from 30.1.3 to 30.2.0 by @​dependabot[bot] in tj-actions/changed-files#2677
• chore(deps-dev): bump @​types/node from 24.5.2 to 24.6.1 by @​dependabot[bot] in tj-actions/changed-files#2679
• chore(deps-dev): bump @​types/node from 24.6.1 to 24.6.2 by @​dependabot[bot] in tj-actions/changed-files#2681
• chore(deps): bump github/codeql-action from 3.30.5 to 3.30.6 by @​dependabot[bot] in tj-actions/changed-files#2680
• chore(deps-dev): bump @​types/node from 24.6.2 to 24.9.1 by @​dependabot[bot] in tj-actions/changed-files#2695
• chore(deps): bump github/codeql-action from 3.30.6 to 4.30.9 by @​dependabot[bot] in tj-actions/changed-files#2693
• chore(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @​dependabot[bot] in tj-actions/changed-files#2690
• chore(deps): bump github/codeql-action from 4.30.9 to 4.31.2 by @​dependabot[bot] in tj-actions/changed-files#2702
• chore(deps-dev): bump @​types/node from 24.9.1 to 24.9.2 by @​dependabot[bot] in tj-actions/changed-files#2700
• chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in tj-actions/changed-files#2698
• chore(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @​dependabot[bot] in tj-actions/changed-files#2697
• chore(deps-dev): bump @​types/micromatch from 4.0.9 to 4.0.10 by @​dependabot[bot] in tj-actions/changed-files#2699
• chore(deps-dev): bump ts-jest from 29.4.4 to 29.4.5 by @​dependabot[bot] in tj-actions/changed-files#2688

... (truncated)

Changelog

Sourced from tj-actions/changed-files's changelog.

Changelog

47.0.5 - (2026-03-03)

🔄 Update

• Updated README.md (#2805)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> (35dace0) - (github-actions[bot])

• Updated README.md (#2803)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> Co-authored-by: Tonye Jack jtonye@ymail.com (9ee99eb) - (github-actions[bot])

⚙️ Miscellaneous Tasks

• deps-dev: Bump @​types/node from 25.3.2 to 25.3.3 (#2814) (22103cc) - (dependabot[bot])
• deps: Bump github/codeql-action from 4.32.4 to 4.32.5 (#2815) (6c02e90) - (dependabot[bot])
• deps-dev: Bump eslint-plugin-prettier from 5.5.4 to 5.5.5 (#2764) (05f9457) - (dependabot[bot])
• deps: Bump lodash and @​types/lodash (#2807) (52ed872) - (dependabot[bot])
• deps: Bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 (#2774) (1cc5746) - (dependabot[bot])
• deps-dev: Bump prettier from 3.7.4 to 3.8.1 (#2775) (de2962f) - (dependabot[bot])
• deps: Bump github/codeql-action from 4.32.2 to 4.32.4 (#2806) (37e96cc) - (dependabot[bot])
• deps-dev: Bump eslint-plugin-jest from 29.12.1 to 29.15.0 (#2799) (2180b0f) - (dependabot[bot])
• deps: Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#2809) (cf021c1) - (dependabot[bot])
• deps: Bump actions/download-artifact from 7.0.0 to 8.0.0 (#2810) (b54ac6f) - (dependabot[bot])
• deps-dev: Bump @​types/node from 25.2.2 to 25.3.2 (#2811) (0f2a510) - (dependabot[bot])

⬆️ Upgrades

• Upgraded to v47.0.4 (#2802)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> Co-authored-by: Tonye Jack jtonye@ymail.com (b7ac303) - (github-actions[bot])

47.0.4 - (2026-02-17)

🔄 Update

• Release-tagger action to version 6.0.6 (#2801) (7dee1b0) - (Tonye Jack)

47.0.3 - (2026-02-17)

🔄 Update

• Release-tagger action to version 6.0.0 (#2800) (28b28f6) - (Tonye Jack)

⚙️ Miscellaneous Tasks

• deps: Bump github/codeql-action from 4.31.10 to 4.32.2 (#2790) (875e6e5) - (dependabot[bot])

... (truncated)

Commits

• 24d32ff upgrade: to node24 (#2662)
• 9a67555 chore(deps-dev): bump jest from 30.0.5 to 30.1.3 (#2655)
• b67e30d chore(deps): bump tj-actions/git-cliff from 2.1.0 to 2.2.0 (#2660)
• 62aef42 chore(deps): bump github/codeql-action from 3.30.2 to 3.30.3 (#2661)
• e874f3c chore(deps): bump github/codeql-action from 3.29.11 to 3.30.2 (#2659)
• 8c14441 chore(deps): bump actions/setup-node from 4.4.0 to 5.0.0 (#2656)
• e995ac4 chore(deps-dev): bump @​types/node from 24.3.0 to 24.3.1 (#2657)
• 3b04099 chore(deps-dev): bump @​types/node from 24.2.1 to 24.3.0 (#2649)
• e7b6c97 chore(deps): bump github/codeql-action from 3.29.9 to 3.29.11 (#2651)
• 765d62b chore(deps): bump tj-actions/git-cliff from 2.0.2 to 2.1.0 (#2648)
• Additional commits viewable in compare view

Updates github/codeql-action from 3 to 4

Release notes

Sourced from github/codeql-action's releases.

v3.33.0

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562 To opt out of this change:
  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557
• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559
• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563
• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564
• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

v3.32.6

• Update default CodeQL bundle version to 2.24.3. #3548

v3.32.5

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
• Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
• The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
• Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
• Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
• Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
• The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

v3.32.4

• Update default CodeQL bundle version to 2.24.2. #3493
• Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
• When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
• Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
• Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

v3.32.3

• Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

v3.32.2

• Update default CodeQL bundle version to 2.24.1. #3460

v3.32.1

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #3421

v3.32.0

• Update default CodeQL bundle version to 2.24.0. #3425

v3.31.11

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #3409
• Improved error handling throughout the CodeQL Action. #3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #3403

... (truncated)

Commits

• 82d7a77 Merge pull request #3567 from github/dependabot/npm_and_yarn/ava-7.0.0
• 0d0df94 Rebuild
• 373dec9 Rebuild
• 9771a76 Merge branch 'main' into dependabot/npm_and_yarn/npm-minor-aebc49e072
• 363219d Merge branch 'main' into dependabot/npm_and_yarn/ava-7.0.0
• 378e4b3 Merge pull request #3568 from github/henrymercer/fix-rebuild
• See full diff in compare view

Updates fossas/fossa-action from 1.7.0 to 1.8.0

Commits

• c414b9a Pin version opt (#266)
• ba7c3df Bump @​actions/core from 2.0.1 to 2.0.2 (#263)
• c95b9b8 Bump @​actions/tool-cache from 2.0.2 to 3.0.0 (#262)
• 76d09c3 Bump globals from 16.5.0 to 17.0.0 (#260)
• 9f3e862 Bump @​typescript-eslint/parser from 8.48.0 to 8.52.0 (#257)
• c01ee11 Bump @​types/node from 24.10.1 to 25.0.3 (#258)
• 2317073 Bump @​actions/core from 1.11.1 to 2.0.1 (#256)
• 47e4002 Bump @​actions/exec from 1.1.1 to 2.0.0 (#252)
• 7f84733 Bump @​eslint/eslintrc from 3.3.1 to 3.3.3 (#248)
• c09a922 Bump @​typescript-eslint/parser from 8.46.2 to 8.48.0 (#246)
• Additional commits viewable in compare view

Updates actions/setup-python from 5 to 6

Release notes

Sourced from actions/setup-python's releases.

v6.0.0

What's Changed

Breaking Changes

• Upgrade to node 24 by @​salmanmkc in actions/setup-python#1164

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

• Add support for pip-version by @​priyagupta108 in actions/setup-python#1129
• Enhance reading from .python-version by @​krystof-k in actions/setup-python#787
• Add version parsing from Pipfile by @​aradkdj in actions/setup-python#1067

Bug fixes:

• Clarify pythonLocation behaviour for PyPy and GraalPy in environment variables by @​aparnajyothi-y in actions/setup-python#1183
• Change missing cache directory error to warning by @​aparnajyothi-y in actions/setup-python#1182
• Add Architecture-Specific PATH Management for Python with --user Flag on Windows by @​aparnajyothi-y in actions/setup-python#1122
• Include python version in PyPy python-version output by @​cdce8p in actions/setup-python#1110
• Update docs: clarification on pip authentication with setup-python by @​priya-kinthali in actions/setup-python#1156

Dependency updates:

• Upgrade idna from 2.9 to 3.7 in /tests/data by @​dependabot[bot] in actions/setup-python#843
• Upgrade form-data to fix critical vulnerabilities #182 & #183 by @​aparnajyothi-y in actions/setup-python#1163
• Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download by @​aparnajyothi-y in actions/setup-python#1165
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in actions/setup-python#1181
• Upgrade @​actions/tool-cache from 2.0.1 to 2.0.2 by @​dependabot[bot] in actions/setup-python#1095

New Contributors

• @​krystof-k made their first contribution in actions/setup-python#787
• @​cdce8p made their first contribution in actions/setup-python#1110
• @​aradkdj made their first contribution in actions/setup-python#1067

Full Changelog: actions/setup-python@v5...v6.0.0

v5.6.0

What's Changed

• Workflow updates related to Ubuntu 20.04 by @​aparnajyothi-y in actions/setup-python#1065
• Fix for Candidate Not Iterable Error by @​aparnajyothi-y in actions/setup-python#1082
• Upgrade semver and @​types/semver by @​dependabot in actions/setup-python#1091
• Upgrade prettier from 2.8.8 to 3.5.3 by @​dependabot in actions/setup-python#1046
• Upgrade ts-jest from 29.1.2 to 29.3.2 by @​dependabot in actions/setup-python#1081

Full Changelog: actions/setup-python@v5...v5.6.0

v5.5.0

What's Changed

Enhancements:

• Support free threaded Python versions like '3.13t' by @​colesbury in actions/setup-python#973
• Enhance Workflows: Include ubuntu-arm runners, Add e2e Testing for free threaded and Upgrade @​action/cache from 4.0.0 to 4.0.3 by @​priya-kinthali in actions/setup-python#1056
• Add support for .tool-versions file in setup-python by @​mahabaleshwars in actions/setup-python#1043

Bug fixes:

• Fix architecture for pypy on Linux ARM64 by @​mayeut in actions/setup-python#1011 This update maps arm64 to aarch64 for Linux ARM64 PyPy installations.

... (truncated)

Commits

• a309ff8 Bump urllib3 from 2.6.0 to 2.6.3 in /tests/data (#1264)
• bfe8cc5 Upgrade @​actions dependencies to Node 24 compatible versions (#1259)
• 4f41a90 Bump urllib3 from 2.5.0 to 2.6.0 in /tests/data (#1253)
• 83679a8 Bump @​types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel ...
• bfc4944 Bump prettier from 3.5.3 to 3.6.2 (#1234)
• 97aeb3e Bump requests from 2.32.2 to 2.32.4 in /tests/data (#1130)
• 443da59 Bump actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pi...
• cfd55ca graalpy: add graalpy early-access and windows builds (#880)
• bba65e5 Bump typescript from 5.4.2 to 5.9.3 and update docs/advanced-usage.md (#1094)
• 18566f8 Improve wording and "fix example" (remove 3.13) on testing against pre-releas...
• Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.2 to 2.4.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.3

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

• docs: clarify GITHUB_TOKEN permissions needed for private repos by @​pankajtaneja5 in ossf/scorecard-action#1574
• 📖 Fix recommended command to test the image in development by @​deivid-rodriguez in ossf/scorecard-action#1583

Other

• add missing top-level token permissions to workflows by @​timothyklee in ossf/scorecard-action#1566
• setup codeowners for requesting reviews by @​spencerschrock in ossf/scorecard-action#1576
• 🌱 Improve printing options by @​deivid-rodriguez in ossf/scorecard-action#1584

New Contributors

• @​timothyklee made their first contribution in ossf/scorecard-action#1566
• @​pankajtaneja5 made their first contribution in ossf/scorecard-action#1574
• @​deivid-rodriguez made their first contribution in ossf/scorecard-action#1584

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

Commits

• 4eaacf0 bump docker to ghcr v2.4.3 (#1587)