Bump the github-actions group with 8 updates

[dependabot]

Bumps the github-actions group with 8 updates:

Package	From	To
step-security/harden-runner	2.11.1	2.12.0
actions/setup-node	4.3.0	4.4.0
oven-sh/setup-bun	2.0.1	2.0.2
google-github-actions/auth	2.1.8	2.1.10
github/codeql-action	3.28.13	3.28.16
actions/download-artifact	4.2.1	4.3.0
softprops/action-gh-release	2.2.1	2.2.2
codecov/codecov-action	5.4.0	5.4.2

Updates step-security/harden-runner from 2.11.1 to 2.12.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.12.0

What's Changed

1. A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.

2. New detections have been added based on insights from the tj-actions and reviewdog actions incidents.

Full Changelog: step-security/harden-runner@v2...v2.12.0

Commits

• 0634a26 Merge pull request #541 from step-security/rc-20
• 2e3c511 Update action.yml
• 40873e6 Update README.md
• 484c279 Update README.md
• 4c8582f Update agent versions
• e8d595c fix disable_sudo_and_containers bug
• 5d277fc fix journalctl related bug
• ff2ab22 Merge pull request #536 from rohan-stepsecurity/feat/flag/disable-sudo-and-co...
• b81d650 fix: run sudo command only when both disable-sudo and disable-sudo-and-docker...
• 769df4e Update agent
• Additional commits viewable in compare view

Updates actions/setup-node from 4.3.0 to 4.4.0

Release notes

Sourced from actions/setup-node's releases.

v4.4.0

What's Changed

Bug fixes:

• Make eslint-compact matcher compatible with Stylelint by @​FloEdelmann in actions/setup-node#98
• Add support for indented eslint output by @​fregante in actions/setup-node#1245

Enhancement:

• Support private mirrors by @​marco-ippolito in actions/setup-node#1240

Dependency update:

• Upgrade @​action/cache from 4.0.2 to 4.0.3 by @​aparnajyothi-y in actions/setup-node#1262

New Contributors

• @​FloEdelmann made their first contribution in actions/setup-node#98
• @​fregante made their first contribution in actions/setup-node#1245
• @​marco-ippolito made their first contribution in actions/setup-node#1240

Full Changelog: actions/setup-node@v4...v4.4.0

Commits

• 49933ea Bump @​action/cache from 4.0.2 to 4.0.3 (#1262)
• e3ce749 feat: support private mirrors (#1240)
• 40337cb Add support for indented eslint output (#1245)
• 1ccdddc Make eslint-compact matcher compatible with Stylelint (#98)
• See full diff in compare view

Updates oven-sh/setup-bun from 2.0.1 to 2.0.2

Release notes

Sourced from oven-sh/setup-bun's releases.

v2.0.2

oven-sh/setup-bun is the github action for setting up Bun.

What's Changed

• fix: allow more spaces for .tool-versions by @​ronnnnn in oven-sh/setup-bun#94
• chore(docs): missing version on examples by @​Marukome0743 in oven-sh/setup-bun#96
• fix: use hash instead of url for primary cache key (#102) by @​xhyrom in oven-sh/setup-bun#103
• ci: add setup bun download url by @​xhyrom in oven-sh/setup-bun#105
• Make bun resolve to given file path when an absolute path is given by @​fbarbare in oven-sh/setup-bun#114
• build: use text-based Bun lockfile by @​okineadev in oven-sh/setup-bun#116
• ci: remove unnecessary steps & cleanup by @​okineadev in oven-sh/setup-bun#118
• build: bump @​actions/cache version by @​rmichalak in oven-sh/setup-bun#128
• fix(docs): remove wildcard in version by @​afonsojramos in oven-sh/setup-bun#124

New Contributors

• @​ronnnnn made their first contribution in oven-sh/setup-bun#94
• @​Marukome0743 made their first contribution in oven-sh/setup-bun#96
• @​fbarbare made their first contribution in oven-sh/setup-bun#114
• @​okineadev made their first contribution in oven-sh/setup-bun#116
• @​rmichalak made their first contribution in oven-sh/setup-bun#128
• @​afonsojramos made their first contribution in oven-sh/setup-bun#124

Full Changelog: oven-sh/setup-bun@v2...v2.0.2

Commits

• 735343b [autofix.ci] apply automated fixes
• 27ecfff ci: update autofix ci
• fcc30ed fix(docs): remove wildcard in version (#124)
• 56408e9 release: v2.0.2
• 85cb7f6 build: bump @​actions/cache version (#128)
• 54cb141 ci: remove unnecessary steps & cleanup (#118)
• 6fb6603 build: use text-based Bun lockfile (#116)
• 9bdeab4 [autofix.ci] apply automated fixes
• f09eb1e fix: make bun resolve to given file path when an absolute path is given (#114)
• 8f1bc2e ci: add setup bun download url (#105)
• Additional commits viewable in compare view

Updates google-github-actions/auth from 2.1.8 to 2.1.10

Release notes

Sourced from google-github-actions/auth's releases.

v2.1.10

What's Changed

• Declare workflow permissions by @​sethvargo in google-github-actions/auth#482
• Document that the OIDC token expires in 5min by @​sethvargo in google-github-actions/auth#483
• Release: v2.1.10 by @​google-github-actions-bot in google-github-actions/auth#484

Full Changelog: google-github-actions/auth@v2.1.9...v2.1.10

v2.1.9

What's Changed

• Use our custom boolean parsing by @​sethvargo in google-github-actions/auth#478
• Update deps by @​sethvargo in google-github-actions/auth#479
• Release: v2.1.9 by @​google-github-actions-bot in google-github-actions/auth#480

Full Changelog: google-github-actions/auth@v2.1.8...v2.1.9

Commits

• ba79af0 Release: v2.1.10 (#484)
• bfaa66b Document that the OIDC token expires in 5min (#483)
• d0822ad Declare workflow permissions (#482)
• 7b53cdc Release: v2.1.9 (#480)
• a9cfddf Update deps (#479)
• b011f39 Use our custom boolean parsing (#478)
• See full diff in compare view

Updates github/codeql-action from 3.28.13 to 3.28.16

Release notes

Sourced from github/codeql-action's releases.

v3.28.16

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.16 - 23 Apr 2025

• Update default CodeQL bundle version to 2.21.1. #2863

See the full CHANGELOG.md for more information.

v3.28.15

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.15 - 07 Apr 2025

• Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #2842

See the full CHANGELOG.md for more information.

v3.28.14

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.14 - 07 Apr 2025

• Update default CodeQL bundle version to 2.21.0. #2838

See the full CHANGELOG.md for more information.

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

• Update default CodeQL bundle version to 2.21.2. #2872

3.28.16 - 23 Apr 2025

• Update default CodeQL bundle version to 2.21.1. #2863

3.28.15 - 07 Apr 2025

• Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #2842

3.28.14 - 07 Apr 2025

• Update default CodeQL bundle version to 2.21.0. #2838

3.28.13 - 24 Mar 2025

No user facing changes.

3.28.12 - 19 Mar 2025

• Dependency caching should now cache more dependencies for Java build-mode: none extractions. This should speed up workflows and avoid inconsistent alerts in some cases.
• Update default CodeQL bundle version to 2.20.7. #2810

3.28.11 - 07 Mar 2025

• Update default CodeQL bundle version to 2.20.6. #2793

3.28.10 - 21 Feb 2025

• Update default CodeQL bundle version to 2.20.5. #2772
• Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #2768

3.28.9 - 07 Feb 2025

• Update default CodeQL bundle version to 2.20.4. #2753

3.28.8 - 29 Jan 2025

• Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. #2744

3.28.7 - 29 Jan 2025

No user facing changes.

... (truncated)

Commits

• 28deaed Merge pull request #2865 from github/update-v3.28.16-2a8cbadc0
• 03c5d71 Update changelog for v3.28.16
• 2a8cbad Merge pull request #2863 from github/update-bundle/codeql-bundle-v2.21.1
• f76eaf5 Add changelog note
• e63b3f5 Update default bundle to codeql-bundle-v2.21.1
• 4c3e536 Merge pull request #2853 from github/dependabot/npm_and_yarn/npm-7d84c66b66
• 56dd02f Merge pull request #2852 from github/dependabot/github_actions/actions-457587...
• 192406d Merge branch 'main' into dependabot/github_actions/actions-4575878e06
• c7dbb20 Merge pull request #2857 from github/nickfyson/address-vulns
• 9a45cd8 move use of input variables into env vars
• Additional commits viewable in compare view

Updates actions/download-artifact from 4.2.1 to 4.3.0

Release notes

Sourced from actions/download-artifact's releases.

v4.3.0

What's Changed

• feat: implement new artifact-ids input by @​GrantBirki in actions/download-artifact#401
• Fix workflow example for downloading by artifact ID by @​joshmgross in actions/download-artifact#402
• Prep for v4.3.0 release by @​robherley in actions/download-artifact#404

New Contributors

• @​GrantBirki made their first contribution in actions/download-artifact#401

Full Changelog: actions/download-artifact@v4.2.1...v4.3.0

Commits

• d3f86a1 Merge pull request #404 from actions/robherley/v4.3.0
• fc02353 prep for v4.3.0 release
• 7745437 Merge pull request #402 from actions/joshmgross/download-by-id-example
• 84fc7a0 Remove path filters from Check dist workflow
• 67f2bc3 Fix workflow example for downloading by artifact ID
• 8ea3c2c Merge pull request #401 from actions/download-by-id
• d219c63 add supporting unit tests for artifact downloads with ids
• 54124fb revert getArtifact() changes - for now we have to list and filter by artifa...
• b83057b bundle
• 171183c use the same artifactClient.getArtifact structure as seen above in `isSingl...
• Additional commits viewable in compare view

Updates softprops/action-gh-release from 2.2.1 to 2.2.2

Release notes

Sourced from softprops/action-gh-release's releases.

v2.2.2

What's Changed

Bug fixes 🐛

• fix: updating release draft status from true to false by @​galargh in softprops/action-gh-release#316

Other Changes 🔄

• chore: simplify ref_type test by @​steinybot in softprops/action-gh-release#598
• fix(docs): clarify the default for tag_name by @​muzimuzhi in softprops/action-gh-release#599
• test(release): add unit tests when searching for a release by @​rwaskiewicz in softprops/action-gh-release#603
• dependency updates

New Contributors

• @​steinybot made their first contribution in softprops/action-gh-release#598
• @​muzimuzhi made their first contribution in softprops/action-gh-release#599
• @​galargh made their first contribution in softprops/action-gh-release#316
• @​rwaskiewicz made their first contribution in softprops/action-gh-release#603

Full Changelog: softprops/action-gh-release@v2...v2.2.2

Changelog

Sourced from softprops/action-gh-release's changelog.

2.2.2

What's Changed

Bug fixes 🐛

• fix: updating release draft status from true to false by @​galargh in softprops/action-gh-release#316

Other Changes 🔄

• chore: simplify ref_type test by @​steinybot in softprops/action-gh-release#598
• fix(docs): clarify the default for tag_name by @​muzimuzhi in softprops/action-gh-release#599
• test(release): add unit tests when searching for a release by @​rwaskiewicz in softprops/action-gh-release#603
• dependency updates

2.2.1

What's Changed

Bug fixes 🐛

• fix: big file uploads by @​xen0n in softprops/action-gh-release#562

Other Changes 🔄

• chore(deps): bump @​types/node from 22.10.1 to 22.10.2 by @​dependabot in softprops/action-gh-release#559
• chore(deps): bump @​types/node from 22.10.2 to 22.10.5 by @​dependabot in softprops/action-gh-release#569
• chore: update error and warning messages for not matching files in files field by @​ytimocin in softprops/action-gh-release#568

2.2.0

What's Changed

Exciting New Features 🎉

• feat: read the release assets asynchronously by @​xen0n in softprops/action-gh-release#552

Bug fixes 🐛

• fix(docs): clarify the default for tag_name by @​alexeagle in softprops/action-gh-release#544

Other Changes 🔄

• chore(deps): bump typescript from 5.6.3 to 5.7.2 by @​dependabot in softprops/action-gh-release#548
• chore(deps): bump @​types/node from 22.9.0 to 22.9.4 by @​dependabot in softprops/action-gh-release#547
• chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 by @​dependabot in softprops/action-gh-release#545
• chore(deps): bump @​vercel/ncc from 0.38.2 to 0.38.3 by @​dependabot in softprops/action-gh-release#543
• chore(deps): bump prettier from 3.3.3 to 3.4.1 by @​dependabot in softprops/action-gh-release#550
• chore(deps): bump @​types/node from 22.9.4 to 22.10.1 by @​dependabot in softprops/action-gh-release#551
• chore(deps): bump prettier from 3.4.1 to 3.4.2 by @​dependabot in softprops/action-gh-release#554

... (truncated)

Commits

• da05d55 release 2.2.2
• 6b18c2f test(release): add unit tests when searching for a release (#603)
• e2b105c chore(deps): bump actions/setup-node in the github-actions group (#607)
• e707470 chore(deps): bump the npm group with 4 updates (#608)
• 36833a1 fix: updating release draft status (#316)
• 8bb7207 chore(deps): bump actions/setup-node in the github-actions group (#597)
• 93bb5ff fix(docs): clarify the default for tag_name (#599)
• 581b12c chore: simplify ref_type test (#598)
• b540ad2 chore(deps): bump @​octokit/request (#605)
• ac224e9 chore(deps): bump the npm group across 1 directory with 5 updates (#604)
• Additional commits viewable in compare view

Updates codecov/codecov-action from 5.4.0 to 5.4.2

Release notes

Sourced from codecov/codecov-action's releases.

v5.4.2

What's Changed

• fix: hotfix oidc by @​thomasrockhu-codecov in codecov/codecov-action#1813

Full Changelog: codecov/codecov-action@v5.4.1...v5.4.2

v5.4.1

What's Changed

• build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 by @​dependabot in codecov/codecov-action#1786
• chore(release): wrapper -0.2.1 by @​codecov-releaser-app in codecov/codecov-action#1788
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 by @​dependabot in codecov/codecov-action#1798
• build(deps): bump github/codeql-action from 3.28.11 to 3.28.12 by @​dependabot in codecov/codecov-action#1797
• build(deps): bump github/codeql-action from 3.28.12 to 3.28.13 by @​dependabot in codecov/codecov-action#1803
• fix: use the github core methods by @​thomasrockhu-codecov in codecov/codecov-action#1807
• chore(release): 5.4.1 by @​thomasrockhu-codecov in codecov/codecov-action#1810

Full Changelog: codecov/codecov-action@v5.4.0...v5.4.1

v5.4.1-beta

What's Changed

• build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 by @​dependabot in codecov/codecov-action#1786
• chore(release): wrapper -0.2.1 by @​codecov-releaser-app in codecov/codecov-action#1788
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 by @​dependabot in codecov/codecov-action#1798
• build(deps): bump github/codeql-action from 3.28.11 to 3.28.12 by @​dependabot in codecov/codecov-action#1797
• build(deps): bump github/codeql-action from 3.28.12 to 3.28.13 by @​dependabot in codecov/codecov-action#1803

Full Changelog: codecov/codecov-action@v5.4.0...v5.4.1-beta

Changelog

Sourced from codecov/codecov-action's changelog.

v5.4.2

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.1..v5.4.2

v5.4.1

What's Changed

• fix: use the github core methods by @​thomasrockhu-codecov in codecov/codecov-action#1807
• build(deps): bump github/codeql-action from 3.28.12 to 3.28.13 by @​app/dependabot in codecov/codecov-action#1803
• build(deps): bump github/codeql-action from 3.28.11 to 3.28.12 by @​app/dependabot in codecov/codecov-action#1797
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 by @​app/dependabot in codecov/codecov-action#1798
• chore(release): wrapper -0.2.1 by @​app/codecov-releaser-app in codecov/codecov-action#1788
• build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 by @​app/dependabot in codecov/codecov-action#1786

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.0..v5.4.1

v5.4.0

What's Changed

• update wrapper submodule to 0.2.0, add recurse_submodules arg by @​matt-codecov in codecov/codecov-action#1780
• build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 by @​app/dependabot in codecov/codecov-action#1775
• build(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @​app/dependabot in codecov/codecov-action#1776
• build(deps): bump github/codeql-action from 3.28.9 to 3.28.10 by @​app/dependabot in codecov/codecov-action#1777
• Clarify in README that use_pypi bypasses integrity checks too by @​webknjaz in codecov/codecov-action#1773
• Fix use of safe.directory inside containers by @​Flamefire in codecov/codecov-action#1768
• Fix description for report_type input by @​craigscott-crascit in codecov/codecov-action#1770
• build(deps): bump github/codeql-action from 3.28.8 to 3.28.9 by @​app/dependabot in codecov/codecov-action#1765
• Fix a typo in the example by @​miranska in codecov/codecov-action#1758
• build(deps): bump github/codeql-action from 3.28.5 to 3.28.8 by @​app/dependabot in codecov/codecov-action#1757
• build(deps): bump github/codeql-action from 3.28.1 to 3.28.5 by @​app/dependabot in codecov/codecov-action#1753

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.3.1..v5.4.0

v5.3.1

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.3.0..v5.3.1

v5.3.0

... (truncated)

Commits

• ad3126e fix: hotfix oidc (#1813)
• cf3f51a chore(release): 5.4.1 (#1810)
• e4cdaba fix: use the github core methods (#1807)
• f95a404 build(deps): bump github/codeql-action from 3.28.12 to 3.28.13 (#1803)
• ea99328 build(deps): bump github/codeql-action from 3.28.11 to 3.28.12 (#1797)
• 13d0469 build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 (#1798)
• 3440e5e chore(release): wrapper -0.2.1 (#1788)
• cd4e7cf build(deps): bump github/codeql-action from 3.28.10 to 3.28.11 (#1786)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions