chore(deps): bump the github-actions group across 1 directory with 7 updates

[dependabot]

Bumps the github-actions group with 7 updates in the / directory:

Package	From	To
actions/checkout	4.1.7	4.2.2
docker/metadata-action	5.5.1	5.7.0
docker/setup-buildx-action	3.6.1	3.11.1
docker/login-action	3.3.0	3.4.0
docker/build-push-action	6.7.0	6.18.0
oxsecurity/megalinter	8.7.0	8.8.0
marocchino/sticky-pull-request-comment	2.9.2	2.9.3

Updates actions/checkout from 4.1.7 to 4.2.2

Release notes

Sourced from actions/checkout's releases.

v4.2.2

What's Changed

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

Full Changelog: actions/checkout@v4.2.1...v4.2.2

v4.2.1

What's Changed

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

New Contributors

• @​Jcambass made their first contribution in actions/checkout#1919

Full Changelog: actions/checkout@v4.2.0...v4.2.1

v4.2.0

What's Changed

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependabot updates in actions/checkout#1777 & actions/checkout#1872

New Contributors

• @​yasonk made their first contribution in actions/checkout#1869
• @​lucacome made their first contribution in actions/checkout#1180

Full Changelog: actions/checkout@v4.1.7...v4.2.0

Changelog

Sourced from actions/checkout's changelog.

Changelog

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

v4.1.5

• Update NPM dependencies by @​cory-miller in actions/checkout#1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in actions/checkout#1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in actions/checkout#1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in actions/checkout#1695
• README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com by @​cory-miller in actions/checkout#1707

v4.1.4

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in actions/checkout#1692
• Add dependabot config by @​cory-miller in actions/checkout#1688
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in actions/checkout#1693
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in actions/checkout#1643

v4.1.3

• Check git version before attempting to disable sparse-checkout by @​jww3 in actions/checkout#1656
• Add SSH user parameter by @​cory-miller in actions/checkout#1685
• Update actions/checkout version in update-main-version.yml by @​jww3 in actions/checkout#1650

v4.1.2

• Fix: Disable sparse checkout whenever sparse-checkout option is not present @​dscho in actions/checkout#1598

v4.1.1

• Correct link to GitHub Docs by @​peterbe in actions/checkout#1511
• Link to release page from what's new section by @​cory-miller in actions/checkout#1514

v4.1.0

• Add support for partial checkout filters

... (truncated)

Commits

• 11bd719 Prepare 4.2.2 Release (#1953)
• e3d2460 Expand unit test coverage (#1946)
• 163217d url-helper.ts now leverages well-known environment variables. (#1941)
• eef6144 Prepare 4.2.1 release (#1925)
• 6b42224 Add workflow file for publishing releases to immutable action package (#1919)
• de5a000 Check out other refs/* by commit if provided, fall back to ref (#1924)
• d632683 Prepare 4.2.0 release (#1878)
• 6d193bf Bump braces from 3.0.2 to 3.0.3 (#1777)
• db0cee9 Bump the minor-npm-dependencies group across 1 directory with 4 updates (#1872)
• b684943 Add Ref and Commit outputs (#1180)
• Additional commits viewable in compare view

Updates docker/metadata-action from 5.5.1 to 5.7.0

Release notes

Sourced from docker/metadata-action's releases.

v5.7.0

• Global expressions support for labels and annotations by @​crazy-max in docker/metadata-action#489
• Support disabling outputs as environment variables by @​omus in docker/metadata-action#497
• Bump @​docker/actions-toolkit from 0.44.0 to 0.56.0 in docker/metadata-action#507 docker/metadata-action#509
• Bump csv-parse from 5.5.6 to 5.6.0 in docker/metadata-action#482
• Bump moment-timezone from 0.5.46 to 0.5.47 in docker/metadata-action#501
• Bump semver from 7.6.3 to 7.7.1 in docker/metadata-action#504

Full Changelog: docker/metadata-action@v5.6.1...v5.7.0

v5.6.1

• Fix GitHub API request fallback for commit date by @​crazy-max in docker/metadata-action#478
• Revert to default commit SHA length of 7 by @​crazy-max in docker/metadata-action#480

Full Changelog: docker/metadata-action@v5.6.0...v5.6.1

v5.6.0

• Add commit_date global expression by @​trim21 in docker/metadata-action#471 docker/metadata-action#475
• Increase short commit sha length to 12 for uniqueness by @​crazy-max in docker/metadata-action#467
• Bump @​actions/core from 1.10.1 to 1.11.1 docker/metadata-action#460
• Bump @​docker/actions-toolkit from 0.16.1 to 0.44.0 docker/metadata-action#391 docker/metadata-action#399 docker/metadata-action#413 docker/metadata-action#441
• Bump braces from 3.0.2 to 3.0.3 docker/metadata-action#424
• Bump cross-spawn from 7.0.3 to 7.0.5 docker/metadata-action#474
• Bump csv-parse from 5.5.5 to 5.5.6 docker/metadata-action#412
• Bump moment-timezone from 0.5.44 to 0.5.46 docker/metadata-action#383 docker/metadata-action#470 docker/metadata-action#459
• Bump path-to-regexp from 6.2.2 to 6.3.0 docker/metadata-action#454
• Bump semver from 7.6.0 to 7.6.3 docker/metadata-action#400 docker/metadata-action#411 docker/metadata-action#440
• Bump undici from 5.26.3 to 5.28.4 docker/metadata-action#386 docker/metadata-action#402

Full Changelog: docker/metadata-action@v5.5.1...v5.6.0

Commits

• 902fa8e Merge pull request #504 from docker/dependabot/npm_and_yarn/semver-7.7.1
• c30b9c2 chore: update generated content
• 0698804 chore(deps): Bump semver from 7.6.3 to 7.7.1
• bb3eeca Merge pull request #501 from docker/dependabot/npm_and_yarn/moment-timezone-0...
• 94a839c chore: update generated content
• ecd51a0 Merge pull request #509 from docker/dependabot/npm_and_yarn/docker/actions-to...
• a85b1db chore(deps): Bump @​docker/actions-toolkit from 0.55.0 to 0.56.0
• 5a76a0e chore(deps): Bump moment-timezone from 0.5.46 to 0.5.47
• 1cc4a98 Merge pull request #482 from docker/dependabot/npm_and_yarn/csv-parse-5.6.0
• d84de1e chore: update generated content
• Additional commits viewable in compare view

Updates docker/setup-buildx-action from 3.6.1 to 3.11.1

Release notes

Sourced from docker/setup-buildx-action's releases.

v3.11.1

• Fix keep-state not being respected by @​crazy-max in docker/setup-buildx-action#429

Full Changelog: docker/setup-buildx-action@v3.11.0...v3.11.1

v3.11.0

• Keep BuildKit state support by @​crazy-max in docker/setup-buildx-action#427
• Remove aliases created when installing by default by @​hashhar in docker/setup-buildx-action#139
• Bump @​docker/actions-toolkit from 0.56.0 to 0.62.1 in docker/setup-buildx-action#422 docker/setup-buildx-action#425

Full Changelog: docker/setup-buildx-action@v3.10.0...v3.11.0

v3.10.0

• Bump @​docker/actions-toolkit from 0.54.0 to 0.56.0 in docker/setup-buildx-action#408

Full Changelog: docker/setup-buildx-action@v3.9.0...v3.10.0

v3.9.0

• Bump @​docker/actions-toolkit from 0.48.0 to 0.54.0 in docker/setup-buildx-action#402 docker/setup-buildx-action#404

Full Changelog: docker/setup-buildx-action@v3.8.0...v3.9.0

v3.8.0

• Make cloud prefix optional to download buildx if driver is cloud by @​crazy-max in docker/setup-buildx-action#390
• Bump @​actions/core from 1.10.1 to 1.11.1 in docker/setup-buildx-action#370
• Bump @​docker/actions-toolkit from 0.39.0 to 0.48.0 in docker/setup-buildx-action#389
• Bump cross-spawn from 7.0.3 to 7.0.6 in docker/setup-buildx-action#382

Full Changelog: docker/setup-buildx-action@v3.7.1...v3.8.0

v3.7.1

• Switch back to uuid package by @​crazy-max in docker/setup-buildx-action#369

Full Changelog: docker/setup-buildx-action@v3.7.0...v3.7.1

v3.7.0

• Always set buildkitd-flags if opt-in by @​crazy-max in docker/setup-buildx-action#363
• Remove uuid package and switch to crypto by @​crazy-max in docker/setup-buildx-action#366
• Bump @​docker/actions-toolkit from 0.35.0 to 0.39.0 in docker/setup-buildx-action#362
• Bump path-to-regexp from 6.2.2 to 6.3.0 in docker/setup-buildx-action#354

Full Changelog: docker/setup-buildx-action@v3.6.1...v3.7.0

Commits

• e468171 Merge pull request #429 from crazy-max/fix-keep-state
• a3e7502 chore: update generated content
• b145473 fix keep-state not being respected
• 18ce135 Merge pull request #425 from docker/dependabot/npm_and_yarn/docker/actions-to...
• 0e198e9 chore: update generated content
• 05f3f3a build(deps): bump @​docker/actions-toolkit from 0.61.0 to 0.62.1
• 6229134 Merge pull request #427 from crazy-max/keep-state
• c6f6a07 chore: update generated content
• 6c5e29d skip builder creation if one already exists with the same name
• 548b297 ci: keep-state check
• Additional commits viewable in compare view

Updates docker/login-action from 3.3.0 to 3.4.0

Release notes

Sourced from docker/login-action's releases.

v3.4.0

• Bump @​actions/core from 1.10.1 to 1.11.1 in docker/login-action#791
• Bump @​aws-sdk/client-ecr to 3.766.0 in docker/login-action#789 docker/login-action#856
• Bump @​aws-sdk/client-ecr-public to 3.758.0 in docker/login-action#789 docker/login-action#856
• Bump @​docker/actions-toolkit from 0.35.0 to 0.57.0 in docker/login-action#801 docker/login-action#806 docker/login-action#858
• Bump cross-spawn from 7.0.3 to 7.0.6 in docker/login-action#814
• Bump https-proxy-agent from 7.0.5 to 7.0.6 in docker/login-action#823
• Bump path-to-regexp from 6.2.2 to 6.3.0 in docker/login-action#777

Full Changelog: docker/login-action@v3.3.0...v3.4.0

Commits

• 74a5d14 Merge pull request #856 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
• 2f4f00e chore: update generated content
• 67c1845 build(deps): bump the aws-sdk-dependencies group across 1 directory with 2 up...
• 3d4cc89 Merge pull request #844 from graysonpike/master
• 6cc823a Merge pull request #823 from docker/dependabot/npm_and_yarn/proxy-agent-depen...
• d94e792 chore: update generated content
• 033db0d Merge pull request #812 from docker/dependabot/github_actions/codecov/codecov...
• 09c2ae9 build(deps): bump https-proxy-agent
• ba56f00 ci: update deprecated input for codecov-action
• 75bf9a7 Merge pull request #858 from docker/dependabot/npm_and_yarn/docker/actions-to...
• Additional commits viewable in compare view

Updates docker/build-push-action from 6.7.0 to 6.18.0

Release notes

Sourced from docker/build-push-action's releases.

v6.18.0

• Bump @​docker/actions-toolkit from 0.61.0 to 0.62.1 in docker/build-push-action#1381

[!NOTE] Build summary is now supported with Docker Build Cloud.

Full Changelog: docker/build-push-action@v6.17.0...v6.18.0

v6.17.0

• Bump @​docker/actions-toolkit from 0.59.0 to 0.61.0 by @​crazy-max in docker/build-push-action#1364

[!NOTE] Build record is now exported using the buildx history export command instead of the legacy export-build tool.

Full Changelog: docker/build-push-action@v6.16.0...v6.17.0

v6.16.0

• Handle no default attestations env var by @​crazy-max in docker/build-push-action#1343
• Only print secret keys in build summary output by @​crazy-max in docker/build-push-action#1353
• Bump @​docker/actions-toolkit from 0.56.0 to 0.59.0 in docker/build-push-action#1352

Full Changelog: docker/build-push-action@v6.15.0...v6.16.0

v6.15.0

• Bump @​docker/actions-toolkit from 0.55.0 to 0.56.0 in docker/build-push-action#1330

Full Changelog: docker/build-push-action@v6.14.0...v6.15.0

v6.14.0

• Bump @​docker/actions-toolkit from 0.53.0 to 0.55.0 in docker/build-push-action#1324

Full Changelog: docker/build-push-action@v6.13.0...v6.14.0

v6.13.0

• Bump @​docker/actions-toolkit from 0.51.0 to 0.53.0 in docker/build-push-action#1308

Full Changelog: docker/build-push-action@v6.12.0...v6.13.0

v6.12.0

• Bump @​docker/actions-toolkit from 0.49.0 to 0.51.0 in docker/build-push-action#1300

Full Changelog: docker/build-push-action@v6.11.0...v6.12.0

v6.11.0

• Handlebar defaultContext support for build-contexts input by @​crazy-max in docker/build-push-action#1283
• Bump @​docker/actions-toolkit from 0.46.0 to 0.49.0 in docker/build-push-action#1281

Full Changelog: docker/build-push-action@v6.10.0...v6.11.0

v6.10.0

... (truncated)

Commits

• 2634353 Merge pull request #1381 from docker/dependabot/npm_and_yarn/docker/actions-t...
• c0432d2 chore: update generated content
• 0bb1f27 set builder driver and endpoint attributes for dbc summary support
• 5f9dbf9 chore(deps): Bump @​docker/actions-toolkit from 0.61.0 to 0.62.1
• 0788c44 Merge pull request #1375 from crazy-max/remove-gcr
• aa179ca e2e: remove GCR
• 1dc7386 Merge pull request #1364 from crazy-max/history-export-cmd
• 9c9803f chore: update generated content
• db1f6c4 DOCKER_BUILD_EXPORT_LEGACY env var to opt-in for legacy export
• 721e8c7 Bump @​docker/actions-toolkit from 0.59.0 to 0.61.0
• Additional commits viewable in compare view

Updates oxsecurity/megalinter from 8.7.0 to 8.8.0

Release notes

Sourced from oxsecurity/megalinter's releases.

v8.8.0

What's Changed

• Core

  • Retrieve SARIF errors and warnings correctly, by @​bdovaz in oxsecurity/megalinter#4837

• Linters enhancements

  • More config file name checks for ansible-lint activation, by @​nvuillam in oxsecurity/megalinter#5590

• Fixes

  • Fix crash when the markdown table summary is empty, by @​nvuillam in oxsecurity/megalinter#5363
  • Downgrade click to make rstcheck work again, by @​nvuillam in oxsecurity/megalinter#5387

• Doc

  • Display hash as plain text in markdown, by @​johndutchover in oxsecurity/megalinter#5420

• Flavors

  • Add Gherkin descriptor in java flavor, by @​nvuillam in oxsecurity/megalinter#5592

• CI

  • Fix rust setup & disable codecov-cli, by @​nvuillam in oxsecurity/megalinter#5579

• Linter versions upgrades (50)

  • ansible-lint from 25.4.0 to 25.5.0
  • bicep_linter from 0.35.1 to 0.36.1
  • cfn-lint from 1.34.2 to 1.36.0
  • checkstyle from 10.23.1 to 10.25.0
  • clippy from 0.1.86 to 0.1.87
  • clj-kondo from 2025.04.07 to 2025.06.05
  • csharpier from 1.0.1 to 1.0.2
  • cspell from 8.19.4 to 9.1.1
  • dartanalyzer from 3.7.3 to 3.8.1
  • devskim from 1.0.56 to 1.0.59
  • dotnet-format from 9.0.105 to 9.0.106
  • editorconfig-checker from 3.2.1 to 3.3.0
  • gitleaks from 8.25.1 to 8.27.2
  • golangci-lint from 2.1.5 to 2.1.6
  • grype from 0.91.2 to 0.94.0
  • htmlhint from 1.1.4 to 1.5.1
  • kics from 2.1.7 to 2.1.10
  • ktlint from 1.5.0 to 1.6.0
  • kubeconform from 0.6.7 to 0.7.0
  • lightning-flow-scanner from 3.8.0 to 3.23.0
  • ls-lint from 2.3.0 to 2.3.1
  • markdownlint from 0.44.0 to 0.45.0
  • mypy from 1.15.0 to 1.16.0
  • npm-groovy-lint from 15.1.0 to 15.2.0
  • phpcs from 3.12.2 to 3.13.1
  • phpstan from 2.1.14 to 2.1.17
  • pmd from 7.13.0 to 7.14.0

... (truncated)

Changelog

Sourced from oxsecurity/megalinter's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased] (beta, main branch content)

Note: Can be used with oxsecurity/megalinter@beta in your GitHub Action mega-linter.yml file, or with oxsecurity/megalinter:beta docker image

• Core

• New linters

• Disabled linters

• Media

• Linters enhancements

• Fixes

• Reporters

• Doc

  • Update documentation in all megalinter descriptor files to improve accuracy and consistency
  • Fix incorrect information in linters documentation and descriptors
  • Remove dead links

• Flavors

• CI

• mega-linter-runner

• Linter versions upgrades (N)

  • mypy from 1.16.0 to 1.16.1 on 2025-06-16
  • trufflehog from 3.89.1 to 3.89.2 on 2025-06-16
  • bandit from 1.8.3 to 1.8.5 on 2025-06-17
  • rubocop from 1.76.1 to 1.76.2 on 2025-06-17
  • lightning-flow-scanner from 3.23.0 to 3.24.0 on 2025-06-17

[v8.8.0] - 2024-06-15

• Core

  • Retrieve SARIF errors and warnings correctly, by @​bdovaz in oxsecurity/megalinter#4837

• Linters enhancements

  • More config file name checks for ansible-lint activation, by @​nvuillam in oxsecurity/megalinter#5590

... (truncated)

Commits

• e08c2b0 Release MegaLinter v8.8.0
• 40a1f8c [automation] Auto-update linters version, help and documentation (#5597)
• 4af6d6a chore(deps): update dependency sfdx-hardis to v5.40.0 (#5596)
• c5a3ea5 chore(deps): update alpine/terragrunt docker tag to v1.12.2 (#5595)
• 8d73938 [automation] Auto-update linters version, help and documentation (#5594)
• 75264cf chore(deps): update secretlint monorepo to v10.1.0 (minor) (#5593)
• 2fbcf66 [automation] Auto-update linters version, help and documentation (#5591)
• cdb1ab0 Add Gherkin descriptor in java flavor (#5592)
• e1363a4 chore(deps): update dependency rq to v2.4.0 (#5588)
• 2f235d4 chore(deps): update secretlint monorepo to v10 (major) (#5589)
• Additional commits viewable in compare view

Updates marocchino/sticky-pull-request-comment from 2.9.2 to 2.9.3

Release notes

Sourced from marocchino/sticky-pull-request-comment's releases.

v2.9.3

What's Changed

• Update deps (including security issues)
• Test with vitest instead of jest
• Use biome

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.2...v2.9.3

Commits

• d2ad0de 📦️ Build
• c6b90f9 Merge pull request #1553 from marocchino/dependabot/npm_and_yarn/brace-expans...
• 20665dd Merge pull request #1550 from marocchino/dependabot/npm_and_yarn/types/node-2...
• 8a03a65 build(deps): Bump brace-expansion from 1.1.11 to 1.1.12
• 8d4420a build(deps-dev): Bump @​types/node from 22.15.30 to 24.0.3
• 14ca6a4 📦️ Build
• 283f17c 🔧 Update biome setting
• 0607099 Merge pull request #1552 from marocchino/dependabot/npm_and_yarn/vitest-3.2.4
• 9bff39e Merge pull request #1551 from marocchino/dependabot/npm_and_yarn/biomejs/biom...
• f02e40f build(deps-dev): Bump vitest from 3.2.2 to 3.2.4
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

🦙 MegaLinter status: ⚠️ WARNING

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	5		0	0	0.26s
✅ DOCKERFILE	hadolint	1		0	0	0.31s
✅ JSON	prettier	6	1	0	0	0.62s
✅ JSON	v8r	6		0	0	3.91s
⚠️ MARKDOWN	markdownlint	8	1	3	0	0.76s
⚠️ MARKDOWN	markdown-link-check	8		7	0	3.37s
✅ MARKDOWN	markdown-table-formatter	8	1	0	0	0.46s
⚠️ REPOSITORY	checkov	yes		no	1	14.36s
✅ REPOSITORY	git_diff	yes		no	no	0.09s
✅ REPOSITORY	grype	yes		no	no	22.1s
✅ REPOSITORY	secretlint	yes		no	no	1.27s
✅ REPOSITORY	syft	yes		no	no	1.15s
✅ REPOSITORY	trivy	yes		no	no	5.46s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.19s
✅ REPOSITORY	trufflehog	yes		no	no	2.21s
⚠️ SPELL	lychee	38		10	0	1.29s
✅ YAML	prettier	9	0	0	0	0.66s
✅ YAML	v8r	9		0	0	4.99s
✅ YAML	yamllint	9		0	0	0.37s

See detailed report in MegaLinter reports