chore(ci): bump the ci-deps group across 1 directory with 8 updates

[dependabot]

Bumps the ci-deps group with 8 updates in the / directory:

Package	From	To
step-security/harden-runner	2.13.1	2.13.3
actions/setup-java	5.0.0	5.1.0
actions/cache	4.2.4	4.3.0
actions/dependency-review-action	4.7.3	4.8.2
cachix/install-nix-action	31.6.1	31.8.4
softprops/action-gh-release	2.3.3	2.5.0
EmbarkStudios/cargo-deny-action	2.0.13	2.0.14
ossf/scorecard-action	2.4.2	2.4.3

Updates step-security/harden-runner from 2.13.1 to 2.13.3

Release notes

Sourced from step-security/harden-runner's releases.

v2.13.3

What's Changed

• Fixed an issue where process events were not uploaded in certain edge cases.

Full Changelog: step-security/harden-runner@v2.13.2...v2.13.3

v2.13.2

What's Changed

• Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
• Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.

Full Changelog: step-security/harden-runner@v2.13.1...v2.13.2

Commits

• df199fb Merge pull request #620 from step-security/rc-29
• 03d096a update agent
• 4090107 fix: update agent
• 95d9a5d Merge pull request #606 from step-security/rc-28
• 87e429d Update limitations.md
• ef891c3 feat: add support for custom vm image
• 1fa8c8a update agent
• 92c522a Merge pull request #593 from step-security/ak-readme-updates
• 4719ad5 README updates
• 4fde639 Merge pull request #591 from eromosele-stepsecurity/Upd
• Additional commits viewable in compare view

Updates actions/setup-java from 5.0.0 to 5.1.0

Release notes

Sourced from actions/setup-java's releases.

v5.1.0

What's Changed

New Features

• Add support for .sdkmanrc file in java-version-file parameter by @​guicamest in actions/setup-java#736
• Add support for Microsoft OpenJDK 25 builds by @​the-mod in actions/setup-java#927

Bug Fixes & Improvements

• Update Regex to Support All ASDF Versions for the supported distributions in tool-versions File by @​aparnajyothi-y in actions/setup-java#767
• Enhance error logging for network failures to include endpoint/IP details, add retry mechanism and update workflows to use macos-15-intel by @​priya-kinthali in actions/setup-java#946
• Update SapMachine URLs by @​RealCLanger in actions/setup-java#955
• Add GitHub Token Support for GraalVM and Refactor Code by @​mahabaleshwars in actions/setup-java#849

Documentation changes

• Update documentation to use checkout and Java v5 by @​lmvysakh in actions/setup-java#903
• Clarify JAVA_HOME and PATH setup in README by @​chiranjib-swain in actions/setup-java#841

Dependency updates

• Upgrade prettier from 2.8.8 to 3.6.2 and document breaking changes in v5 by @​dependabot in actions/setup-java#873
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot in actions/setup-java#912

New Contributors

• @​lmvysakh made their first contribution in actions/setup-java#903
• @​chiranjib-swain made their first contribution in actions/setup-java#841
• @​the-mod made their first contribution in actions/setup-java#927
• @​priya-kinthali made their first contribution in actions/setup-java#946
• @​guicamest made their first contribution in actions/setup-java#736

Full Changelog: actions/setup-java@v5...v5.1.0

Commits

• f2beeb2 Bump actions/publish-action from 0.3.0 to 0.4.0 (#912)
• 4e7e684 feat: Add support for .sdkmanrc file in java-version-file parameter (#736)
• 46c56d6 Add GitHub Token Support for GraalVM and Refactor Code (#849)
• 66b9457 Update SapMachine URLs (#955)
• 6ba5449 Enhance error logging for network failures to include endpoint/IP details, ad...
• de5a937 adds microsoft openjdk25 builds (#927)
• ead9eaa Update Regex to Support All ASDF Versions for the supported distributions in ...
• 8c57fa3 Clarify JAVA_HOME and PATH setup in README (#841)
• a7ab372 Bump prettier from 2.8.8 to 3.6.2 (#873)
• d0351b4 Update documentation to use checkout and Java v5 (#903)
• See full diff in compare view

Updates actions/cache from 4.2.4 to 4.3.0

Release notes

Sourced from actions/cache's releases.

v4.3.0

What's Changed

• Add note on runner versions by @​GhadimiR in actions/cache#1642
• Prepare v4.3.0 release by @​Link- in actions/cache#1655

New Contributors

• @​GhadimiR made their first contribution in actions/cache#1642

Full Changelog: actions/cache@v4...v4.3.0

Changelog

Sourced from actions/cache's changelog.

Releases

4.3.0

• Bump @actions/cache to v4.1.0

4.2.4

• Bump @actions/cache to v4.0.5

4.2.3

• Bump @actions/cache to v4.0.3 (obfuscates SAS token in debug logs for cache entries)

4.2.2

• Bump @actions/cache to v4.0.2

4.2.1

• Bump @actions/cache to v4.0.1

4.2.0

TLDR; The cache backend service has been rewritten from the ground up for improved performance and reliability. actions/cache now integrates with the new cache service (v2) APIs.

The new service will gradually roll out as of February 1st, 2025. The legacy service will also be sunset on the same date. Changes in these release are fully backward compatible.

We are deprecating some versions of this action. We recommend upgrading to version v4 or v3 as soon as possible before February 1st, 2025. (Upgrade instructions below).

If you are using pinned SHAs, please use the SHAs of versions v4.2.0 or v3.4.0

If you do not upgrade, all workflow runs using any of the deprecated actions/cache will fail.

Upgrading to the recommended versions will not break your workflows.

4.1.2

• Add GitHub Enterprise Cloud instances hostname filters to inform API endpoint choices - #1474
• Security fix: Bump braces from 3.0.2 to 3.0.3 - #1475

4.1.1

• Restore original behavior of cache-hit output - #1467

4.1.0

• Ensure cache-hit output is set when a cache is missed - #1404
• Deprecate save-always input - #1452

... (truncated)

Commits

• 0057852 Merge pull request #1655 from actions/Link-/prepare-4.3.0
• 4f5ea67 Update licensed cache
• 9fcad95 Upgrade actions/cache to 4.1.0 and prepare 4.3.0 release
• 638ed79 Merge pull request #1642 from actions/GhadimiR-patch-1
• 3862dcc Add note on runner versions
• See full diff in compare view

Updates actions/dependency-review-action from 4.7.3 to 4.8.2

Release notes

Sourced from actions/dependency-review-action's releases.

v4.8.2

Minor fixes:

• Fix PURL parsing for scoped packages (#1008 from @​danielhardej)
• Fix for large summaries (#1007 from @​gitulisca)
• README includes a working example for allow-dependencies-licenses (#1009 from @​danielhardej)

Dependency Review Action v4.8.1

What's Changed

• (bug) Fix spamming link test in deprecation warning (again) by @​ahpook in actions/dependency-review-action#1000
• Bump version for 4.8.1 release by @​ahpook in actions/dependency-review-action#1001

Full Changelog: actions/dependency-review-action@v4...v4.8.1

v4.8.0

What's Changed

• Make Ruby Code Scannable by @​ljones140 in actions/dependency-review-action#978
• Batch some contributions for release by @​brrygrdn in actions/dependency-review-action#986
  • Make license lists collapsable by @​jasperkamerling
  • feat: add large summary handling with artifact upload by @​MattMencel

New Contributors

• @​ljones140 made their first contribution in actions/dependency-review-action#978
• @​jasperkamerling made their first contribution in actions/dependency-review-action#986
• @​MattMencel made their first contribution in actions/dependency-review-action#986

Full Changelog: actions/dependency-review-action@v4...v4.8.0

Commits

• 3c4e3dc Merge pull request #1016 from actions/dra-release
• 02930b2 Update CONTRIBUTING to reflect new guidelines
• 49ffd9f Update CONTRIBUTING to reflect the need to build
• 70cb25e 4.8.2 release
• ebabd31 Merge pull request #1008 from danielhardej/danielhardej-patch-20251023
• 19f9360 Update package-lock.json
• 5fd2f98 Bump @​types/jest to version 29.5.14
• 28647f4 Fix PURL parsing by removing encodeURI
• f620fd1 Merge pull request #1013 from actions/dangoor/token-fix
• 9b42b7e Remove bad token reference
• Additional commits viewable in compare view

Updates cachix/install-nix-action from 31.6.1 to 31.8.4

Release notes

Sourced from cachix/install-nix-action's releases.

v31.8.4

What's Changed

• nix: 2.32.3 -> 2.32.4 by @​github-actions[bot] in cachix/install-nix-action#261

Full Changelog: cachix/install-nix-action@v31.8.3...v31.8.4

v31.8.3

What's Changed

• nix: 2.32.2 -> 2.32.3 by @​github-actions[bot] in cachix/install-nix-action#260

Full Changelog: cachix/install-nix-action@v31.8.2...v31.8.3

v31.8.2

What's Changed

• nix: 2.32.1 -> 2.32.2 by @​github-actions[bot] in cachix/install-nix-action#259

Full Changelog: cachix/install-nix-action@v31.8.1...v31.8.2

v31.8.1

What's Changed

• nix: 2.32.0 -> 2.32.1 by @​github-actions[bot] in cachix/install-nix-action#258

Full Changelog: cachix/install-nix-action@v31...v31.8.1

v31.8.0

What's Changed

• nix: 2.31.2 -> 2.32.0 by @​github-actions[bot] in cachix/install-nix-action#257 Release notes: https://discourse.nixos.org/t/nix-2-32-0-released/70528

Full Changelog: cachix/install-nix-action@v31.7.0...v31.8.0

v31.7.0

What's Changed

• feat: set up the environment based on the installer shell scripts by @​sandydoo in cachix/install-nix-action#251

  Configures the following environment variables:

  • NIX_PROFILES
  • NIX_SSL_CERT_FILE (if not set)

  Adds the bin directory from the user's profile to $PATH.

Full Changelog: cachix/install-nix-action@v31.6.2...v31.7.0

v31.6.2

What's Changed

... (truncated)

Commits

• 0b0e072 Merge pull request #261 from cachix/create-pull-request/patch
• 16d2e32 nix: 2.32.3 -> 2.32.4
• 7ec16f2 Merge pull request #260 from cachix/create-pull-request/patch
• 5afc2ac nix: 2.32.2 -> 2.32.3
• 456688f Merge pull request #259 from cachix/create-pull-request/patch
• 0cacfe0 nix: 2.32.1 -> 2.32.2
• fd24c48 Merge pull request #258 from cachix/create-pull-request/patch
• a55fd2d nix: 2.32.0 -> 2.32.1
• 7ab6e7f Merge pull request #257 from cachix/create-pull-request/patch
• a851831 nix: 2.31.2 -> 2.32.0
• Additional commits viewable in compare view

Updates softprops/action-gh-release from 2.3.3 to 2.5.0

Release notes

Sourced from softprops/action-gh-release's releases.

v2.5.0

What's Changed

Exciting New Features 🎉

• feat: mark release as draft until all artifacts are uploaded by @​dumbmoron in softprops/action-gh-release#692

Other Changes 🔄

• chore(deps): bump the npm group across 1 directory with 5 updates by @​dependabot[bot] in softprops/action-gh-release#697
• chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 in the github-actions group by @​dependabot[bot] in softprops/action-gh-release#689

New Contributors

• @​dumbmoron made their first contribution in softprops/action-gh-release#692

Full Changelog: softprops/action-gh-release@v2.4.2...v2.5.0

v2.4.2

What's Changed

Exciting New Features 🎉

• feat: Ensure generated release notes cannot be over 125000 characters by @​BeryJu in softprops/action-gh-release#684

Other Changes 🔄

• dependency updates

New Contributors

• @​BeryJu made their first contribution in softprops/action-gh-release#684

Full Changelog: softprops/action-gh-release@v2.4.1...v2.4.2

v2.4.1

What's Changed

Other Changes 🔄

• fix(util): support brace expansion globs containing commas in parseInputFiles by @​Copilot in softprops/action-gh-release#672
• fix: gracefully fallback to body when body_path cannot be read by @​Copilot in softprops/action-gh-release#671

Full Changelog: softprops/action-gh-release@v2...v2.4.1

v2.4.0

What's Changed

Exciting New Features 🎉

• feat(action): respect working_directory for files globs by @​stephenway in softprops/action-gh-release#667

Other Changes 🔄

• chore(deps): bump the npm group with 2 updates by @​dependabot[bot] in softprops/action-gh-release#668

... (truncated)

Changelog

Sourced from softprops/action-gh-release's changelog.

2.5.0

What's Changed

Exciting New Features 🎉

• feat: mark release as draft until all artifacts are uploaded by @​dumbmoron in softprops/action-gh-release#692

Other Changes 🔄

• dependency updates

2.4.2

What's Changed

Exciting New Features 🎉

• feat: Ensure generated release notes cannot be over 125000 characters by @​BeryJu in softprops/action-gh-release#684

Other Changes 🔄

• dependency updates

2.4.1

What's Changed

Other Changes 🔄

• fix(util): support brace expansion globs containing commas in parseInputFiles by @​Copilot in softprops/action-gh-release#672
• fix: gracefully fallback to body when body_path cannot be read by @​Copilot in softprops/action-gh-release#671

2.4.0

What's Changed

Exciting New Features 🎉

• feat(action): respect working_directory for files globs by @​stephenway in softprops/action-gh-release#667

2.3.4

What's Changed

Bug fixes 🐛

• fix(action): handle 422 already_exists race condition by @​stephenway in softprops/action-gh-release#665

Other Changes 🔄

... (truncated)

Commits

• a06a81a release 2.5.0
• 7da8983 feat: mark release as draft until all artifacts are uploaded (#692)
• 8797328 chore(deps): bump actions/checkout in the github-actions group (#689)
• 1bfc62a chore(deps): bump the npm group across 1 directory with 5 updates (#697)
• 5be0e66 release 2.4.2
• af658b4 feat: Ensure generated release notes cannot be over 125000 characters (#684)
• 237aacc chore: bump node to 24.11.0
• 00362be chore(deps): bump the npm group with 5 updates (#687)
• 0adea5a chore(deps): bump the npm group with 3 updates (#686)
• aa05f9d chore(deps): bump actions/setup-node from 5.0.0 to 6.0.0 in the github-action...
• Additional commits viewable in compare view

Updates EmbarkStudios/cargo-deny-action from 2.0.13 to 2.0.14

Commits

• 76cd80e Bump to 0.18.6
• See full diff in compare view

Updates ossf/scorecard-action from 2.4.2 to 2.4.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.3

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

• docs: clarify GITHUB_TOKEN permissions needed for private repos by @​pankajtaneja5 in ossf/scorecard-action#1574
• 📖 Fix recommended command to test the image in development by @​deivid-rodriguez in ossf/scorecard-action#1583

Other

• add missing top-level token permissions to workflows by @​timothyklee in ossf/scorecard-action#1566
• setup codeowners for requesting reviews by @​spencerschrock in ossf/scorecard-action#1576
• 🌱 Improve printing options by @​deivid-rodriguez in ossf/scorecard-action#1584

New Contributors

• @​timothyklee made their first contribution in ossf/scorecard-action#1566
• @​pankajtaneja5 made their first contribution in ossf/scorecard-action#1574
• @​deivid-rodriguez made their first contribution in ossf/scorecard-action#1584

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

Commits

• 4eaacf0 bump docker to ghcr v2.4.3 (#1587)
• 42e3a01 🌱 Bump the github-actions group with 3 updates (#1585)
• 88c07ac 🌱 Bump github.com/sigstore/cosign/v2 from 2.5.2 to 2.6.0 (#1579)
• 6c690f2 Bump github.com/ossf/scorecard/v5 from v5.2.1 to v5.3.0 (#1586)
• 92083b5 📖 Fix recommended command to test the image in development (#1583)
• 7975ea6 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
• 0d1a743 🌱 Bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#1575)
• 46e6e0c 🌱 Bump the github-actions group with 2 updates (#1580)
• c3f1350 🌱 Improve printing options (#1584)
• 43e475b 🌱 Bump golang.org/x/net from 0.42.0 to 0.44.0 (#1578)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are no longer updatable, so this is no longer needed.