Skip to content

Update [Github] Update GHA Dependencies (major) #161108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update [Github] Update GHA Dependencies (major) #161108

wants to merge 1 commit into from
+24 −24

Conversation

renovate-bot
Copy link
Contributor

@renovate-bot renovate-bot commented Sep 29, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
actions/attest-build-provenance action major v1.4.4 -> v3.0.0
actions/checkout action major v4.3.0 -> v5.0.0
actions/github-script action major v7.1.0 -> v8.0.0
actions/github-script action major v6.4.1 -> v8.0.0
actions/labeler action major v4.3.0 -> v6.0.1
actions/setup-node action major v4.4.0 -> v5.0.0
actions/setup-python action major v5.6.0 -> v6.0.0
github/codeql-action action major v2.28.1 -> v3.30.6
macos github-runner major 14 -> 15
node uses-with major 18 -> 22
tj-actions/changed-files action major v46.0.5 -> v47.0.0
windows github-runner major 2022 -> 2025

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

actions/attest-build-provenance (actions/attest-build-provenance)

v3.0.0

Compare Source

What's Changed
⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/attest-build-provenance@v2.4.0...v3.0.0

v2.4.0

Compare Source

What's Changed
  • Bump undici from 5.28.5 to 5.29.0 by @​dependabot in #​633
  • Bump actions/attest from 2.3.0 to 2.4.0 by @​bdehamer in #​654
    • Includes support for the new well-known summary file which will accumulate paths to all attestations generated in a given workflow run

Full Changelog: actions/attest-build-provenance@v2.3.0...v2.4.0

v2.3.0

Compare Source

What's Changed
  • Bump actions/attest from 2.2.1 to 2.3.0 by @​bdehamer in #​615
    • Updates @sigstore/oci from 0.4.0 to 0.5.0

Full Changelog: actions/attest-build-provenance@v2.2.3...v2.3.0

v2.2.3

Compare Source

What's Changed

Full Changelog: actions/attest-build-provenance@v2.2.2...v2.2.3

v2.2.2

Compare Source

What's Changed

Full Changelog: actions/attest-build-provenance@v2.2.1...v2.2.2

v2.2.1

Compare Source

What's Changed

Full Changelog: actions/attest-build-provenance@v2.2.0...v2.2.1

v2.2.0

Compare Source

What's Changed
  • Bump actions/attest from v2.1.0 to v2.2.0 by @​bdehamer in #​449
    • Includes support for now subject-checksums input parameter

Full Changelog: actions/attest-build-provenance@v2.1.0...v2.2.0

v2.1.0

Compare Source

What's Changed

Full Changelog: actions/attest-build-provenance@v2.0.1...v2.1.0

v2.0.1

Compare Source

What's Changed
  • Bump actions/attest from 2.0.0 to 2.0.1 by @​bdehamer in #​406
    • Deduplicate subjects before adding to in-toto statement

Full Changelog: actions/attest-build-provenance@v2.0.0...v2.0.1

v2.0.0

Compare Source

The attest-build-provenance action now supports attesting multiple subjects simultaneously. When identifying multiple subjects with the subject-path input a single attestation is created with references to each of the supplied subjects, rather than generating separate attestations for each artifact. This reduces the number of attestations that you need to create and manage.

What's Changed

Full Changelog: actions/attest-build-provenance@v1.4.4...v2.0.0

actions/checkout (actions/checkout)

v5.0.0

Compare Source

What's Changed
⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

actions/github-script (actions/github-script)

v8.0.0

Compare Source

actions/labeler (actions/labeler)

v6.0.1

Compare Source

What's Changed

New Contributors

Full Changelog: actions/labeler@v6.0.0...v6.0.1

v6.0.0

Compare Source

What's Changed

  • Add workflow file for publishing releases to immutable action package by @​jcambass in #​802
Breaking Changes
  • Upgrade Node.js version to 24 in action and dependencies @​salmanmkc in #​891
    Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. Release Notes
Dependency Upgrades
Documentation changes

New Contributors

Full Changelog: actions/labeler@v5...v6.0.0

v5.0.0

Compare Source

What's Changed

This release contains the following breaking changes:

  1. The ability to apply labels based on the names of base and/or head branches was added (#​186 and #​54). The match object for changed files was expanded with new combinations in order to make it more intuitive and flexible (#​423 and #​101). As a result, the configuration file structure was significantly redesigned and is not compatible with the structure of the previous version. Please read the action documentation to find out how to adapt your configuration files for use with the new action version.

  2. The bug related to the sync-labels input was fixed (#​112). Now the input value is read correctly.

  3. By default, dot input is set to true. Now, paths starting with a dot (e.g. .github) are matched by default.

  4. Version 5 of this action updated the runtime to Node.js 20. All scripts are now run with Node.js 20 instead of Node.js 16 and are affected by any breaking changes between Node.js 16 and 20.

For more information, please read the action documentation.

New Contributors

Full Changelog: actions/labeler@v4...v5.0.0

actions/setup-node (actions/setup-node)

v5.0.0

Compare Source

What's Changed
Breaking Changes

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades
New Contributors

Full Changelog: actions/setup-node@v4...v5.0.0

actions/setup-python (actions/setup-python)

v6.0.0

Compare Source

What's Changed

Breaking Changes

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:
Bug fixes:
Dependency updates:

New Contributors

Full Changelog: actions/setup-python@v5...v6.0.0

github/codeql-action (github/codeql-action)

v3.30.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.6 - 02 Oct 2025

  • Update default CodeQL bundle version to 2.23.2. #​3168

See the full CHANGELOG.md for more information.

v3.30.5

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.5 - 26 Sep 2025

  • We fixed a bug that was introduced in 3.30.4 with upload-sarif which resulted in files without a .sarif extension not getting uploaded. #​3160

See the full CHANGELOG.md for more information.

v3.30.4

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.4 - 25 Sep 2025
  • We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the codeql-action/init step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the codeql-action/init step. #​3099 and #​3100
  • We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. #​3107
  • You can now run the latest CodeQL nightly bundle by passing tools: nightly to the init action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. #​3130
  • Update default CodeQL bundle version to 2.23.1. #​3118

See the full CHANGELOG.md for more information.

v3.30.3

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.3 - 10 Sep 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.2

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.2 - 09 Sep 2025

  • Fixed a bug which could cause language autodetection to fail. #​3084
  • Experimental: The quality-queries input that was added in 3.29.2 as part of an internal experiment is now deprecated and will be removed in an upcoming version of the CodeQL Action. It has been superseded by a new analysis-kinds input, which is part of the same internal experiment. Do not use this in production as it is subject to change at any time. #​3064

See the full CHANGELOG.md for more information.

v3.30.1

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.1 - 05 Sep 2025
  • Update default CodeQL bundle version to 2.23.0. #​3077

See the full CHANGELOG.md for more information.

v3.30.0

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.0 - 01 Sep 2025

  • Reduce the size of the CodeQL Action, speeding up workflows by approximately 4 seconds. #​3054

See the full CHANGELOG.md for more information.

v3.29.11

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.11 - 21 Aug 2025

  • Update default CodeQL bundle version to 2.22.4. #​3044

See the full CHANGELOG.md for more information.

v3.29.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.10 - 18 Aug 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.29.9

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.9 - 12 Aug 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.29.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.8 - 08 Aug 2025

  • Fix an issue where the Action would autodetect unsupported languages such as HTML. #​3015

See the full CHANGELOG.md for more information.

v3.29.7

Compare Source

This is a re-release of v3.29.5 to mitigate an issue that was discovered with v3.29.6.

v3.29.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.6 - 07 Aug 2025
  • The cleanup-level input to the analyze Action is now deprecated. The CodeQL Action has written a limited amount of intermediate results to the database since version 2.2.5, and now automatically manages cleanup. #​2999
  • Update default CodeQL bundle version to 2.22.3. #​3000

See the full CHANGELOG.md for more information.

v3.29.5

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.5 - 29 Jul 2025

  • Update default CodeQL bundle version to 2.22.2. #​2986

See the full CHANGELOG.md for more information.

v3.29.4

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.4 - 23 Jul 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.29.3

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.3 - 21 Jul 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.29.2

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.2 - 30 Jun 2025

  • Experimental: When the quality-queries input for the init action is provided with an argument, separate .quality.sarif files are produced and uploaded for each language with the results of the specified queries. Do not use this in production as it is part of an internal experiment and subject to change at any time. #​2935

See the full CHANGELOG.md for more information.

v3.29.1

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.1 - 27 Jun 2025

  • Fix bug in PR analysis where user-provided include query filter fails to exclude non-included queries. #​2938
  • Update default CodeQL bundle version to 2.22.1. #​2950

See the full CHANGELOG.md for more information.

v3.29.0

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.0 - 11 Jun 2025

  • Update default CodeQL bundle version to 2.22.0. #​2925
  • Bump minimum CodeQL bundle version to 2.16.6. #​2912

See the full CHANGELOG.md for more information.

v3.28.21

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.21 - 28 July 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.28.20

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.20 - 21 July 2025

See the full CHANGELOG.md for more information.

v3.28.19

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.19 - 03 Jun 2025

  • The CodeQL Action no longer includes its own copy of the extractor for the actions language, which is currently in public preview.
    The actions extractor has been included in the CodeQL CLI since v2.20.6. If your workflow has enabled the actions language and you have pinned
    your tools: property to a specific version of the CodeQL CLI earlier than v2.20.6, you will need to update to at least CodeQL v2.20.6 or disable
    actions analysis.
  • Update default CodeQL bundle version to 2.21.4. #​2910

See the full CHANGELOG.md for more information.

v3.28.18

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.18 - 16 May 2025
  • Update default CodeQL bundle version to 2.21.3. #​2893
  • Skip validating SARIF produced by CodeQL for improved performance. #​2894
  • The number of threads and amount of RAM used by CodeQL can now be set via the CODEQL_THREADS and CODEQL_RAM runner environment variables. If set, these environment variables override the threads and ram inputs respectively. #​2891

See the full CHANGELOG.md for more information.

v3.28.17

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.17 - 02 May 2025

  • Update default CodeQL bundle version to 2.21.2. #​2872

See the full CHANGELOG.md for more information.

v3.28.16

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.16 - 23 Apr 2025
  • Update default CodeQL bundle version to 2.21.1. #​2863

See the full CHANGELOG.md for more information.

v3.28.15

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.15 - 07 Apr 2025

  • Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #​2842

See the full CHANGELOG.md for more information.

v3.28.14

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.14 - 07 Apr 2025

  • Update default CodeQL bundle version to 2.21.0. #​2838

See the full CHANGELOG.md for more information.

v3.28.13

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.13 - 24 Mar 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.28.12

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.12 - 19 Mar 2025

  • Dependency caching should now cache more dependencies for Java build-mode: none extractions. This should speed up workflows and avoid inconsistent alerts in some cases.
  • Update default CodeQL bundle version to 2.20.7. #​2810

See the full CHANGELOG.md for more information.

v3.28.11

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.11 - 07 Mar 2025

  • Update default CodeQL bundle version to 2.20.6. #​2793

See the full CHANGELOG.md for more information.

v3.28.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.10 - 21 Feb 2025

  • Update default CodeQL bundle version to 2.20.5. #​2772
  • Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #​2768

See the full CHANGELOG.md for more information.

v3.28.9

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.9 - 07 Feb 2025

  • Update default CodeQL bundle version to 2.20.4. #​2753

See the full CHANGELOG.md for more information.

v3.28.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.8 - 29 Jan 2025

  • Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. #​2744

See the full CHANGELOG.md for more information.

v3.28.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.7 - 29 Jan 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.28.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.6 - 27 Jan 2025
  • Re-enable debug artifact upload for CLI versions 2.20.3 or greater. #​2726

See the full CHANGELOG.md for more information.

v3.28.5

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.5 - 24 Jan 2025
  • Update default CodeQL bundle version to 2.20.3. #​2717

See the full CHANGELOG.md for more information.

v3.28.4

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.4 - 23 Jan 2025

No user facing changes.

See the full CHANGELOG.md for more information.

[v3.28.3](https://redirect.github.com/github/codeql-action/rel

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 12:59 AM, only on Monday ( * 0 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@llvmbot llvmbot added libc++ libc++ C++ Standard Library. Not GNU libstdc++. Not libc++abi. github:workflow labels Sep 29, 2025
@llvmbot
Copy link
Member

llvmbot commented Sep 29, 2025
edited
Loading

@llvm/pr-subscribers-libcxx

@llvm/pr-subscribers-github-workflow

Author: Mend Renovate (renovate-bot)

Changes

This PR contains the following updates:

Package Type Update Change Pending
actions/attest-build-provenance action major v1.0.0 -> v3.0.0
actions/checkout action major v4.1.1 -> v5.0.0
actions/github-script action major v7.0.1 -> v8.0.0
actions/github-script action major v6.4.1 -> v8.0.0
actions/labeler action major v4.3.0 -> v6.0.1
actions/setup-node action major v4.2.0 -> v5.0.0
actions/setup-python action major v5.4.0 -> v6.0.0
github/codeql-action action major v2.20.6 -> v3.30.4 v3.30.5
macos github-runner major 14 -> 15
node uses-with major 18 -> 22
tj-actions/changed-files action major v46.0.5 -> v47.0.0
windows github-runner major 2022 -> 2025

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

<details>
<summary>actions/attest-build-provenance (actions/attest-build-provenance)</summary>

v3.0.0

Compare Source

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: <actions/attest-build-provenance@v2.4.0...v3.0.0>

v2.4.0

Compare Source

What's Changed

Full Changelog: <actions/attest-build-provenance@v2.3.0...v2.4.0>

v2.3.0

Compare Source

What's Changed

Full Changelog: <actions/attest-build-provenance@v2.2.3...v2.3.0>

v2.2.3

Compare Source

What's Changed

Full Changelog: <actions/attest-build-provenance@v2.2.2...v2.2.3>

v2.2.2

Compare Source

What's Changed

Full Changelog: <actions/attest-build-provenance@v2.2.1...v2.2.2>

v2.2.1

Compare Source

What's Changed

Full Changelog: <actions/attest-build-provenance@v2.2.0...v2.2.1>

v2.2.0

Compare Source

What's Changed
  • Bump actions/attest from v2.1.0 to v2.2.0 by @&#8203;bdehamer in #&#8203;449
    • Includes support for now subject-checksums input parameter

Full Changelog: <actions/attest-build-provenance@v2.1.0...v2.2.0>

v2.1.0

Compare Source

What's Changed

Full Changelog: <actions/attest-build-provenance@v2.0.1...v2.1.0>

v2.0.1

Compare Source

What's Changed

Full Changelog: <actions/attest-build-provenance@v2.0.0...v2.0.1>

v2.0.0

Compare Source

The attest-build-provenance action now supports attesting multiple subjects simultaneously. When identifying multiple subjects with the subject-path input a single attestation is created with references to each of the supplied subjects, rather than generating separate attestations for each artifact. This reduces the number of attestations that you need to create and manage.

What's Changed

Full Changelog: <actions/attest-build-provenance@v1.4.4...v2.0.0>

v1.4.4

Compare Source

What's Changed

Full Changelog: <actions/attest-build-provenance@v1.4.3...v1.4.4>

v1.4.3

Compare Source

What's Changed

Full Changelog: <actions/attest-build-provenance@v1.4.2...v1.4.3>

v1.4.2

Compare Source

What's Changed

Full Changelog: <actions/attest-build-provenance@v1.4.1...v1.4.2>

v1.4.1

Compare Source

What's Changed

Full Changelog: <actions/attest-build-provenance@v1.4.0...v1.4.1>

v1.4.0

Compare Source

What's Changed

Full Changelog: <actions/attest-build-provenance@v1.3.3...v1.4.0>

v1.3.3

Compare Source

What's Changed
  • Bump actions/attest from 1.3.2 to 1.3.3 by @&#8203;bdehamer in #&#8203;152
    • Bugfix for properly handling glob exclusion patterns in subject-path input

Full Changelog: <actions/attest-build-provenance@v1.3.2...v1.3.3>

v1.3.2

Compare Source

What's Changed

Full Changelog: <actions/attest-build-provenance@v1.3.1...v1.3.2>

v1.3.1

Compare Source

What's Changed
  • Bump actions/attest from 1.3.0 to 1.3.1 by @&#8203;bdehamer in #&#8203;117
    • Bugfix when detecting support for the referrers API with OCI registries

Full Changelog: <actions/attest-build-provenance@v1.3.0...v1.3.1>

v1.3.0

Compare Source

What's Changed
  • Bump actions/attest-build-provenance/predicate from 1.0.0 to 1.1.0 by @&#8203;bdehamer in #&#8203;116
  • Bump actions/attest from 1.2.0 to 1.3.0 by @&#8203;bdehamer in #&#8203;116
    • Dynamic construction of GitHub API URLs based on GITHUB_SERVER_URL
    • Improved handling of Rekor 409 responses
    • Bugfix - detection of registries with support for the OCI referrers API

Full Changelog: <actions/attest-build-provenance@v1.2.0...v1.3.0>

v1.2.0

Compare Source

What's Changed
  • Bump actions/attest from 1.1.2 to 1.2.0 by @&#8203;bdehamer in #&#8203;101
    • Batch processing w/ exponential backoff
    • Bugfix when pushing attestation to OCI registry

Full Changelog: <actions/attest-build-provenance@v1.1.2...v1.2.0>

v1.1.2

Compare Source

What's Changed
  • Bump actions/attest from 1.1.1 to 1.1.2 by @&#8203;bdehamer in #&#8203;79
    • Downcase subject name for OCI images
    • Fix accept header when retrieving image manifest
    • Support variants of the Docker Hub registry name

Full Changelog: <actions/attest-build-provenance@v1.1.1...v1.1.2>

v1.1.1

Compare Source

What's Changed

Full Changelog: <actions/attest-build-provenance@v1.1.0...v1.1.1>

v1.1.0

Compare Source

What's Changed
  • Bump actions/attest to v1.1.0 by @&#8203;bdehamer in #&#8203;65
    • adds list support for subjectPath input
    • limit attestation subject count
    • ensure subject globs match only files

Full Changelog: <actions/attest-build-provenance@v1.0.0...v1.1.0>

</details>

<details>
<summary>actions/checkout (actions/checkout)</summary>

v5.0.0

Compare Source

What's Changed
⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.0

Compare Source

What's Changed
New Contributors

Full Changelog: actions/checkout@v4...v4.3.0

v4.2.2

Compare Source

v4.2.1

Compare Source

v4.2.0

Compare Source

v4.1.7

Compare Source

v4.1.6

Compare Source

v4.1.5

Compare Source

v4.1.4

Compare Source

v4.1.3

Compare Source

v4.1.2

Compare Source

</details>

<details>
<summary>actions/github-script (actions/github-script)</summary>

v8.0.0

Compare Source

v7.1.0

Compare Source

What's Changed

New Contributors

Full Changelog: <actions/github-script@v7...v7.1.0>

</details>

<details>
<summary>actions/labeler (actions/labeler)</summary>

v6.0.1

Compare Source

What's Changed

New Contributors

Full Changelog: <actions/labeler@v6.0.0...v6.0.1>

v6.0.0

Compare Source

What's Changed

Breaking Changes
Dependency Upgrades
Documentation changes

New Contributors

Full Changelog: <actions/labeler@v5...v6.0.0>

v5.0.0

Compare Source

What's Changed

This release contains the following breaking changes:

  1. The ability to apply labels based on the names of base and/or head branches was added (#&#8203;186 and #&#8203;54). The match object for changed files was expanded with new combinations in order to make it more intuitive and flexible (#&#8203;423 and #&#8203;101). As a result, the configuration file structure was significantly redesigned and is not compatible with the structure of the previous version. Please read the action documentation to find out how to adapt your configuration files for use with the new action version.

  2. The bug related to the sync-labels input was fixed (#&#8203;112). Now the input value is read correctly.

  3. By default, dot input is set to true. Now, paths starting with a dot (e.g. .github) are matched by default.

  4. Version 5 of this action updated the runtime to Node.js 20. All scripts are now run with Node.js 20 instead of Node.js 16 and are affected by any breaking changes between Node.js 16 and 20.

For more information, please read the action documentation.

New Contributors

Full Changelog: <actions/labeler@v4...v5.0.0>

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

v5.0.0

Compare Source

What's Changed
Breaking Changes

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@<!-- -->v5
- uses: actions/setup-node@<!-- -->v5
  with:
    package-manager-cache: false

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades
New Contributors

Full Changelog: <actions/setup-node@v4...v5.0.0>

v4.4.0

Compare Source

What's Changed
Bug fixes:
Enhancement:
Dependency update:
New Contributors

Full Changelog: <actions/setup-node@v4...v4.4.0>

v4.3.0

Compare Source

What's Changed

Dependency updates

New Contributors

Full Changelog: <actions/setup-node@v4...v4.3.0>

</details>

<details>
<summary>actions/setup-python (actions/setup-python)</summary>

v6.0.0

Compare Source

What's Changed
Breaking Changes

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:
Bug fixes:
Dependency updates:
New Contributors

</details>

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 12:59 AM, only on Monday ( * 0 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • <!-- rebase-check -->If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMzEuOSIsInVwZGF0ZWRJblZlciI6IjQxLjEzMS45IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Full diff: https://github.com/llvm/llvm-project/pull/161108.diff

18 Files Affected:

  • (modified) .github/workflows/build-ci-container-windows.yml (+2-2)
  • (modified) .github/workflows/check-ci.yml (+1-1)
  • (modified) .github/workflows/docs.yml (+2-2)
  • (modified) .github/workflows/issue-write.yml (+1-1)
  • (modified) .github/workflows/libclang-python-tests.yml (+1-1)
  • (modified) .github/workflows/libcxx-build-and-test.yaml (+1-1)
  • (modified) .github/workflows/llvm-bugs.yml (+3-3)
  • (modified) .github/workflows/new-prs.yml (+1-1)
  • (modified) .github/workflows/pr-code-format.yml (+2-2)
  • (modified) .github/workflows/pr-code-lint.yml (+3-3)
  • (modified) .github/workflows/premerge.yaml (+1-1)
  • (modified) .github/workflows/release-asset-audit.yml (+1-1)
  • (modified) .github/workflows/release-binaries.yml (+1-1)
  • (modified) .github/workflows/release-documentation.yml (+1-1)
  • (modified) .github/workflows/release-doxygen.yml (+1-1)
  • (modified) .github/workflows/release-sources.yml (+1-1)
  • (modified) .github/workflows/scorecard.yml (+1-1)
  • (modified) .github/workflows/unprivileged-download-artifact/action.yml (+1-1)
diff --git a/.github/workflows/build-ci-container-windows.yml b/.github/workflows/build-ci-container-windows.yml
index 167e7cf06b3b2..b10633a8b9e32 100644
--- a/.github/workflows/build-ci-container-windows.yml
+++ b/.github/workflows/build-ci-container-windows.yml
@@ -18,7 +18,7 @@ on:
 jobs:
   build-ci-container-windows:
     if: github.repository_owner == 'llvm'
-    runs-on: windows-2022
+    runs-on: windows-2025
     outputs:
       container-name: ${{ steps.vars.outputs.container-name }}
       container-name-tag: ${{ steps.vars.outputs.container-name-tag }}
@@ -56,7 +56,7 @@ jobs:
       - build-ci-container-windows
     permissions:
       packages: write
-    runs-on: windows-2022
+    runs-on: windows-2025
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
diff --git a/.github/workflows/check-ci.yml b/.github/workflows/check-ci.yml
index 7e8c15696e344..c0f84285be188 100644
--- a/.github/workflows/check-ci.yml
+++ b/.github/workflows/check-ci.yml
@@ -26,7 +26,7 @@ jobs:
         with:
           sparse-checkout: .ci
       - name: Setup Python
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: 3.13
           cache: 'pip'
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 8cdd39c164cca..e383b7304d8fe 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -60,7 +60,7 @@ jobs:
           fetch-depth: 2
       - name: Get subprojects that have doc changes
         id: docs-changed-subprojects
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
           skip_initial_fetch: true
           base_sha: 'HEAD~1'
@@ -95,7 +95,7 @@ jobs:
             workflow:
               - '.github/workflows/docs.yml'
       - name: Setup Python env
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: '3.11'
           cache: 'pip'
diff --git a/.github/workflows/issue-write.yml b/.github/workflows/issue-write.yml
index db9389b6afe53..8a083f9143ec6 100644
--- a/.github/workflows/issue-write.yml
+++ b/.github/workflows/issue-write.yml
@@ -40,7 +40,7 @@ jobs:
 
       - name: 'Comment on PR'
         if: steps.download-artifact.outputs.artifact-id != ''
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
diff --git a/.github/workflows/libclang-python-tests.yml b/.github/workflows/libclang-python-tests.yml
index e168928325561..06c3cbe5fa9b6 100644
--- a/.github/workflows/libclang-python-tests.yml
+++ b/.github/workflows/libclang-python-tests.yml
@@ -34,7 +34,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Setup Python
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Setup ccache
diff --git a/.github/workflows/libcxx-build-and-test.yaml b/.github/workflows/libcxx-build-and-test.yaml
index 2e6ff7f91b6fc..26b1913a9ba23 100644
--- a/.github/workflows/libcxx-build-and-test.yaml
+++ b/.github/workflows/libcxx-build-and-test.yaml
@@ -236,7 +236,7 @@ jobs:
             **/crash_diagnostics/*
 
   windows:
-    runs-on: windows-2022
+    runs-on: windows-2025
     needs: [ stage2 ]
     strategy:
       fail-fast: false
diff --git a/.github/workflows/llvm-bugs.yml b/.github/workflows/llvm-bugs.yml
index 5470662c97628..174757f689585 100644
--- a/.github/workflows/llvm-bugs.yml
+++ b/.github/workflows/llvm-bugs.yml
@@ -14,13 +14,13 @@ jobs:
     runs-on: ubuntu-24.04
     if: github.repository == 'llvm/llvm-project'
     steps:
-      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 18
+          node-version: 22
           check-latest: true
       - run: npm install mailgun.js form-data
       - name: Send notification
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           MAILGUN_API_KEY: ${{ secrets.LLVM_BUGS_KEY }}
         with:
diff --git a/.github/workflows/new-prs.yml b/.github/workflows/new-prs.yml
index e1f2e754c1a3d..dc8cd100f3e68 100644
--- a/.github/workflows/new-prs.yml
+++ b/.github/workflows/new-prs.yml
@@ -67,7 +67,7 @@ jobs:
       github.event.pull_request.draft == false &&
       github.event.pull_request.commits < 10
     steps:
-      - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with:
           configuration-path: .github/new-prs-labeler.yml
           # workaround for https://github.com/actions/labeler/issues/112
diff --git a/.github/workflows/pr-code-format.yml b/.github/workflows/pr-code-format.yml
index 61c8680cd72a1..98de1062ebb2d 100644
--- a/.github/workflows/pr-code-format.yml
+++ b/.github/workflows/pr-code-format.yml
@@ -25,7 +25,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
           separator: ","
           skip_initial_fetch: true
@@ -48,7 +48,7 @@ jobs:
           clangformat: 21.1.0
 
       - name: Setup Python env
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: '3.11'
           cache: 'pip'
diff --git a/.github/workflows/pr-code-lint.yml b/.github/workflows/pr-code-lint.yml
index daefc9baacce7..7979b4864823e 100644
--- a/.github/workflows/pr-code-lint.yml
+++ b/.github/workflows/pr-code-lint.yml
@@ -27,13 +27,13 @@ jobs:
       cancel-in-progress: true
     steps:
       - name: Fetch LLVM sources
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 2
       
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
           separator: ","
           skip_initial_fetch: true
@@ -56,7 +56,7 @@ jobs:
           clang-tidy: 21.1.0
       
       - name: Setup Python env
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: '3.12'
 
diff --git a/.github/workflows/premerge.yaml b/.github/workflows/premerge.yaml
index 63ab4a8356971..385e534807960 100644
--- a/.github/workflows/premerge.yaml
+++ b/.github/workflows/premerge.yaml
@@ -139,7 +139,7 @@ jobs:
 
   premerge-check-macos:
     name: MacOS Premerge Checks
-    runs-on: macos-14
+    runs-on: macos-15
     if: >-
       github.repository_owner == 'llvm' &&
       (startswith(github.ref_name, 'release/') ||
diff --git a/.github/workflows/release-asset-audit.yml b/.github/workflows/release-asset-audit.yml
index 6546540a1b547..b658167d1db36 100644
--- a/.github/workflows/release-asset-audit.yml
+++ b/.github/workflows/release-asset-audit.yml
@@ -38,7 +38,7 @@ jobs:
         if: >-
           github.event_name != 'pull_request' &&
           failure()
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}
           script: |
diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
index 8f422a0147748..4690200939fd6 100644
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-binaries.yml
@@ -301,7 +301,7 @@ jobs:
 
     - name: Attest Build Provenance
       id: provenance
-      uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
       with:
         subject-path: ${{ needs.prepare.outputs.release-binary-filename }}
 
diff --git a/.github/workflows/release-documentation.yml b/.github/workflows/release-documentation.yml
index 712ff1831170e..2f7cdb7a3e636 100644
--- a/.github/workflows/release-documentation.yml
+++ b/.github/workflows/release-documentation.yml
@@ -37,7 +37,7 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup Python env
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           cache: 'pip'
           cache-dependency-path: './llvm/docs/requirements.txt'
diff --git a/.github/workflows/release-doxygen.yml b/.github/workflows/release-doxygen.yml
index 17c677413f744..c31319e47833d 100644
--- a/.github/workflows/release-doxygen.yml
+++ b/.github/workflows/release-doxygen.yml
@@ -43,7 +43,7 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup Python env
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           cache: 'pip'
           cache-dependency-path: './llvm/docs/requirements.txt'
diff --git a/.github/workflows/release-sources.yml b/.github/workflows/release-sources.yml
index 14cc4c4e9b94f..ad9c5a93e56be 100644
--- a/.github/workflows/release-sources.yml
+++ b/.github/workflows/release-sources.yml
@@ -92,7 +92,7 @@ jobs:
       - name: Attest Build Provenance
         if: github.event_name != 'pull_request'
         id: provenance
-        uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
         with:
           subject-path: "*.xz"
       - if: github.event_name != 'pull_request'
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 40db5504294ef..305d09980d245 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -57,6 +57,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@80f993039571a6de66594ecaa432875a6942e8e0 # v2.20.6
+        uses: github/codeql-action/upload-sarif@303c0aef88fc2fe5ff6d63d3b1596bfd83dfa1f9 # v3.30.4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/unprivileged-download-artifact/action.yml b/.github/workflows/unprivileged-download-artifact/action.yml
index 9d8fb59a67c0e..72815b26bcf41 100644
--- a/.github/workflows/unprivileged-download-artifact/action.yml
+++ b/.github/workflows/unprivileged-download-artifact/action.yml
@@ -27,7 +27,7 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v7.0.1
+    - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       id: artifact-url
       with:
         script: |

boomanaiden154
boomanaiden154 reviewed Sep 29, 2025
View reviewed changes
Copy link
Contributor

@boomanaiden154 boomanaiden154 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably want to avoid windows/mac updates given we're often explicitly using old versions and those updates usually manually need intervention anyways. Some of these changes should also probably be pieced out, but the vast majority are probably good.

@renovate-bot renovate-bot force-pushed the renovate/major-github-update-gha-dependencies branch 3 times, most recently from 275faa7 to 327d174 Compare October 5, 2025 16:52
@renovate-bot renovate-bot changed the title Update [Github] Update GHA Dependencies (major) chore(deps): update [github] update gha dependencies (major) Oct 6, 2025
@renovate-bot renovate-bot changed the title chore(deps): update [github] update gha dependencies (major) Update [Github] Update GHA Dependencies (major) Oct 6, 2025
@renovate-bot renovate-bot force-pushed the renovate/major-github-update-gha-dependencies branch from 327d174 to 2b66c41 Compare October 7, 2025 11:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@boomanaiden154 boomanaiden154 boomanaiden154 left review comments

Assignees

@boomanaiden154 boomanaiden154

Labels
github:workflow libc++ libc++ C++ Standard Library. Not GNU libstdc++. Not libc++abi.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@renovate-bot @llvmbot @boomanaiden154