chore(deps): update github actions

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending
actions/create-github-app-token	action	minor	v3.1.1 → v3.2.0
actions/setup-node	action	minor	v6.3.0 → v6.4.0
anthropics/claude-code-action	action	patch	v1.0.108 → v1.0.123
github/codeql-action	action	patch	v4.35.2 → v4.35.4	v4.35.5
pnpm/action-setup	action	minor	v4.2.0 → v4.4.0
taiki-e/install-action	action	minor	v2.75.24 → v2.78.0	v2.79.0 (+3)

---

Release Notes

actions/create-github-app-token (actions/create-github-app-token)

v3.2.0

Compare Source

Features

• add support for enterprise-level GitHub Apps (#​263) (952a2a7)
• support full repository names in repositories input (#​372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#​364) (43e5c34)
• validate private-key input (#​376) (f24bbd8)

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

anthropics/claude-code-action (anthropics/claude-code-action)

v1.0.123

Compare Source

What's Changed

• fix: allow , in branch names by @​bugbubug in #​1310
• fix: dereference symlinks when snapshotting sensitive paths to .claude-pr/ by @​matanbaruch in #​1186
• fix: exclude .claude-pr snapshot from git staging by @​cvan20191 in #​1277
• fix: write execution file when SDK throws by @​Jerry2003826 in #​1255
• fix: handle non-user actors (e.g. Copilot) in permission and actor checks by @​krislavten in #​1144
• chore: bump pinned Bun to 1.3.14 by @​ashwin-ant in #​1312

New Contributors

• @​bugbubug made their first contribution in #​1310
• @​matanbaruch made their first contribution in #​1186
• @​cvan20191 made their first contribution in #​1277
• @​Jerry2003826 made their first contribution in #​1255
• @​krislavten made their first contribution in #​1144

Full Changelog: anthropics/claude-code-action@v1...v1.0.123

v1.0.122

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.122

v1.0.121

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.121

v1.0.120

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.120

v1.0.119

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.119

v1.0.118

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.118

v1.0.117

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.117

v1.0.116

Compare Source

What's Changed

• Update HackerOne links in SECURITY.md by @​OctavianGuzu in #​1268

Full Changelog: anthropics/claude-code-action@v1...v1.0.116

v1.0.115

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.115

v1.0.114

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.114

v1.0.113

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.113

v1.0.112

Compare Source

What's Changed

• fix: make trigger_phrase match case-insensitive by @​JustinBis in #​1279

New Contributors

• @​JustinBis made their first contribution in #​1279

Full Changelog: anthropics/claude-code-action@v1...v1.0.112

v1.0.111

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.111

v1.0.110

Compare Source

Full Changelog: anthropics/claude-code-action@v1...v1.0.110

v1.0.109

Compare Source

What's Changed

• docs: pull_request_target guidance and base-action trust model by @​OctavianGuzu in #​1250

Full Changelog: anthropics/claude-code-action@v1...v1.0.109

github/codeql-action (github/codeql-action)

v4.35.4

Compare Source

• Update default CodeQL bundle version to 2.25.4. #​3881

v4.35.3

Compare Source

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #​3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #​3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #​3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #​3852
• Update default CodeQL bundle version to 2.25.3. #​3865

pnpm/action-setup (pnpm/action-setup)

v4.4.0

Compare Source

Updated the action to use Node.js 24.

v4.3.0

Compare Source

What's Changed

• docs: fix the run_install example in the Readme by @​dreyks in #​175
• chore: remove unused @types/node-fetch dependency by @​silverwind in #​186
• Clarify that package_json_file is relative to GITHUB_WORKSPACE by @​chris-martin in #​184
• feat: store caching by @​jrmajor in #​188
• refactor: remove star imports by @​KSXGitHub in #​196
• fix(ci): exclude macos by @​KSXGitHub in #​197

New Contributors

• @​dreyks made their first contribution in #​175
• @​silverwind made their first contribution in #​186
• @​chris-martin made their first contribution in #​184
• @​jrmajor made their first contribution in #​188
• @​Boosted-Bonobo made their first contribution in #​199

Full Changelog: pnpm/action-setup@v4.2.0...v4.3.0

taiki-e/install-action (taiki-e/install-action)

v2.78.0: 2.78.0

Compare Source

• Support cargo-mutants. (#​1812, thanks @​jakewimmer)

• Update covgate@latest to 0.2.0.

• Update cargo-llvm-cov@latest to 0.8.7.

• Update uv@latest to 0.11.14.

• Update martin@latest to 1.9.1.

• Update tombi@latest to 0.11.4.

v2.77.7: 2.77.7

Compare Source

• Update mise@latest to 2026.5.6.

• Update cargo-deny@latest to 0.19.6.

v2.77.6: 2.77.6

Compare Source

• Fix wasm-pack installation failure.

• Update mise@latest to 2026.5.5.

• Update release-plz@latest to 0.3.158.

• Update just@latest to 1.51.0.

v2.77.5: 2.77.5

Compare Source

• Update biome@latest to 2.4.15.

• Update mise@latest to 2026.5.4.

• Update cargo-deny@latest to 0.19.5.

v2.77.4: 2.77.4

Compare Source

• Update tombi@latest to 0.11.1.

• Update cargo-llvm-cov@latest to 0.8.6.

• Update uv@latest to 0.11.12.

v2.77.3: 2.77.3

Compare Source

• Update typos@latest to 1.46.1.

• Update rclone@latest to 1.74.1.

• Update tombi@latest to 0.11.0.

• Update osv-scanner@latest to 2.3.8.

• Update mise@latest to 2026.5.3.

v2.77.2: 2.77.2

Compare Source

• Update martin@latest to 1.9.0.

• Update wasm-bindgen@latest to 0.2.121.

• Update uv@latest to 0.11.11.

• Update mise@latest to 2026.5.1.

• Update prek@latest to 0.3.13.

• Update tombi@latest to 0.10.6.

v2.77.1: 2.77.1

Compare Source

• Support taiki-e/install-action@rust tag.

• Update tombi@latest to 0.10.3.

• Update martin@latest to 1.8.2.

v2.77.0: 2.77.0

Compare Source

• Support rust. (#​1779)

  This installs rust using rustup.

  If rustup is not yet installed, this action downloads rustup-init for the current platform using HTTPS with tlsv1.2+, verifies SHA256 checksum, and then installs rustup using it.

  This also supports installing additional components at the same time by +<additional> syntax:

  - uses: taiki-e/install-action@v2
    with:
      # Install rust stable with rustfmt component and wasm32-wasip1 target.
      tool: rust+rustfmt+wasm32-wasip1
      # When installing another rust version:
      # tool: rust@nightly + rustfmt + wasm32-wasip1

• Fix issue where x86_64 binary will be installed on AArch64 Windows even when AArch64 Windows binary available.

• Update mise@latest to 2026.5.0.

• Diagnostic improvements.

v2.76.0: 2.76.0

Compare Source

• Support mdbook-d2. (#​1737, thanks @​nhu)

• Support cargo-apple-runner. (#​1731, thanks @​madsmtm)

• Support cargo-binstall on riscv64 Linux.

• Update cargo-deb@latest to 3.7.0.

• Update tombi@latest to 0.10.2.

v2.75.30: 2.75.30

Compare Source

• Support cargo-spellcheck on AArch64 Linux/Windows.

• Update cargo-spellcheck@latest to 0.15.7.

• Update biome@latest to 2.4.14.

v2.75.29: 2.75.29

Compare Source

• Update syft@latest to 1.44.0.

• Update rclone@latest to 1.74.0.

• Update osv-scanner@latest to 2.3.6.

v2.75.28: 2.75.28

Compare Source

• Update wasmtime@latest to 44.0.1.

• Update typos@latest to 1.46.0.

• Update tombi@latest to 0.10.1.

• Update sccache@latest to 0.15.0.

• Update mise@latest to 2026.4.28.

• Update gungraun-runner@latest to 0.18.2.

• Update cyclonedx@latest to 0.31.0.

v2.75.27: 2.75.27

Compare Source

• Update cargo-udeps@latest to 0.1.61.

• Update wasm-tools@latest to 1.248.0.

• Update cargo-deb@latest to 3.6.4.

v2.75.26: 2.75.26

Compare Source

• Update wasm-bindgen@latest to 0.2.120.

• Update mise@latest to 2026.4.25.

• Update martin@latest to 1.8.0.

• Update vacuum@latest to 0.26.4.

v2.75.25: 2.75.25

Compare Source

• Update uv@latest to 0.11.8.

• Update typos@latest to 1.45.2.

• Update tombi@latest to 0.9.25.

• Update mise@latest to 2026.4.24.

---

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

• Branch creation
  • "before 10am on monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for viteplus-preview canceled.

Name	Link
🔨 Latest commit	0c0e128
🔍 Latest deploy log	https://app.netlify.com/projects/viteplus-preview/deploys/6a0a575d26268800080ef9d6