Skip to content

chore(deps): bump the github-actions group with 4 updates#153

Merged
github-actions[bot] merged 1 commit intomainfrom
dependabot/github_actions/github-actions-f86eb7f71e
Mar 9, 2026
Merged

chore(deps): bump the github-actions group with 4 updates#153
github-actions[bot] merged 1 commit intomainfrom
dependabot/github_actions/github-actions-f86eb7f71e

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 9, 2026

Bumps the github-actions group with 4 updates: github/gh-aw, aquasecurity/trivy-action, actions/setup-node and taiki-e/install-action.

Updates github/gh-aw from 0.51.6 to 0.56.2

Release notes

Sourced from github/gh-aw's releases.

v0.56.2

🌟 Release Highlights

This release focuses on reliability improvements across protected-file handling, setup CLI pinning, and cross-repo workflows — along with an upgrade to GitHub MCP server v0.32.0 and a new strict allowlist feature for protected-file protection.

✨ What's New

  • allowed-files strict allowlist for protected-file PR safe outputs (#20051) — You can now configure an explicit allowlist of files that are permitted in protected-file PRs. Any file outside the allowlist is blocked, giving teams tighter control over what agents can modify in sensitive branches.

🐛 Bug Fixes & Improvements

  • Protected-file fallback-to-issue now works when workflows permission is absent (#20106) — When an agent patch touches .github/workflows/ files and the GitHub App lacks workflows permission, gh-aw now correctly creates a fallback review issue rather than silently failing.
  • Default branch no longer hardcoded to main (#20099) — create_pull_request and related operations now query the repository's actual default branch, fixing failures in repos using master, develop, or any non-main default.
  • add-wizard correctly syncs working tree after PR merge (#20094) — Switching to the default branch after merging a wizard-created PR ensures workflow files are visible immediately, eliminating "workflow file not found" errors.
  • setup-cli action now respects pinned version input (#20081) — The action verifies the installed version matches the requested version after gh extension install, falling back to a manual binary download if there's a mismatch.
  • Safe output handler gracefully handles custom safe output job types (#20114) — Unknown job types no longer surface as unhandled errors; they are now logged and skipped cleanly.

⚡ Performance

  • Compiled regex patterns moved to package-level variables (#20073, #20079) — regexp.MustCompile calls across pkg/cli, pkg/workflow, and the expression-validation hot path are now initialized once at startup rather than on every invocation, reducing allocation pressure in high-frequency compilation paths.

🔧 Dependencies & Infrastructure

  • GitHub MCP server upgraded to v0.32.0 (#20100) — Picks up the latest GitHub MCP tooling improvements and bug fixes.

📚 Documentation

  • New Cost Management reference page (#20078) — Added guidance on understanding and controlling the compute costs associated with running agentic workflows.

🌍 Community Contributions

A huge thank you to the community members who reported issues that were resolved in this release:

For complete details, see CHANGELOG.

Generated by Release

What's Changed

... (truncated)

Commits
  • f1073c5 refactor: simplify generateCustomJobToolDefinition and extractDispatchWorkflo...
  • 984fc7a Fix safe output handler to gracefully ignore custom safe output job types (#2...
  • 5ab3d52 Add allowed-files strict allowlist for protected-file protection on PR safe...
  • 63f1ea4 Upgrade GitHub MCP server to v0.32.0, recompile workflows (#20100)
  • b554e94 Update MCP gateway GitHub guard terminology (#20096)
  • 32c7af7 fix: create protected-file review issue when push fails due to workflows perm...
  • 59d071d fix: switch to default branch before pulling after add-wizard PR merge (#20094)
  • e43b634 chore: remove 9 unreachable dead functions (#20101)
  • cc0d007 fix: query repo default branch instead of hardcoding 'main' (#20098) (#20099)
  • 482aa92 Fix setup-cli action ignoring pinned version input (#20081)
  • Additional commits viewable in compare view

Updates aquasecurity/trivy-action from 0.34.2 to 0.35.0

Release notes

Sourced from aquasecurity/trivy-action's releases.

v0.35.0

What's Changed

Full Changelog: aquasecurity/trivy-action@0.34.2...0.35.0

Commits

Updates actions/setup-node from 6.2.0 to 6.3.0

Release notes

Sourced from actions/setup-node's releases.

v6.3.0

What's Changed

Enhancements:

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

Bug fixes:

New Contributors

Full Changelog: actions/setup-node@v6...v6.3.0

Commits

Updates taiki-e/install-action from 2.68.16 to 2.68.25

Release notes

Sourced from taiki-e/install-action's releases.

2.68.25

  • Update zizmor@latest to 1.23.1.

  • Update tombi@latest to 0.9.4.

  • Update cargo-semver-checks@latest to 0.47.0.

2.68.24

  • Avoid triggering zizmor ref-confusion when using this action in form of uses: taiki-e/install-action@v2 or uses: taiki-e/install-action@<tool_name>.

2.68.23

  • Update zizmor@latest to 1.23.0.

  • Update tombi@latest to 0.9.3.

  • Update mise@latest to 2026.3.5.

2.68.22

  • Update release-plz@latest to 0.3.157.

  • Update cargo-binstall@latest to 1.17.7.

  • Update mise@latest to 2026.3.4.

2.68.21

  • Update tombi@latest to 0.9.2.

  • Update uv@latest to 0.10.9.

  • Update rclone@latest to 1.73.2.

  • Update cargo-sort@latest to 2.1.1.

2.68.20

  • Update tombi@latest to 0.9.1.

  • Update cargo-neat@latest to 0.3.2.

2.68.19

  • Update mise@latest to 2026.3.3.

  • Update cargo-auditable@latest to 0.7.4.

  • Update cargo-sort@latest to 2.1.0.

2.68.18

  • Update uv@latest to 0.10.8.

  • Update grcov@latest to 0.10.7.

... (truncated)

Changelog

Sourced from taiki-e/install-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

This project adheres to Semantic Versioning.

[Unreleased]

[2.68.25] - 2026-03-08

  • Update zizmor@latest to 1.23.1.

  • Update tombi@latest to 0.9.4.

  • Update cargo-semver-checks@latest to 0.47.0.

[2.68.24] - 2026-03-08

  • Avoid triggering zizmor ref-confusion when using this action in form of uses: taiki-e/install-action@v2 or uses: taiki-e/install-action@<tool_name>.

[2.68.23] - 2026-03-08

  • Update zizmor@latest to 1.23.0.

  • Update tombi@latest to 0.9.3.

  • Update mise@latest to 2026.3.5.

[2.68.22] - 2026-03-07

  • Update release-plz@latest to 0.3.157.

  • Update cargo-binstall@latest to 1.17.7.

  • Update mise@latest to 2026.3.4.

[2.68.21] - 2026-03-07

  • Update tombi@latest to 0.9.2.

  • Update uv@latest to 0.10.9.

  • Update rclone@latest to 1.73.2.

  • Update cargo-sort@latest to 2.1.1.

... (truncated)

Commits
  • a37010d Release 2.68.25
  • ffc2b1c Update zizmor@latest to 1.23.1
  • 8f3b52a Update tombi@latest to 0.9.4
  • df9c07a Update cargo-semver-checks@latest to 0.47.0
  • 3c19ebd zizmor: Enable ref-confusion
  • b18b9d9 Release 2.68.24
  • 5ccf629 codegen: Avoid allocation in workspace_root()
  • 93ea0b3 Avoid triggering zizmor ref-confusion
  • 7c8485f Update script and CI config
  • fc2a2b3 Release 2.68.23
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump the github-actions group with 4 updates
48983c4 
Bumps the github-actions group with 4 updates: [github/gh-aw](https://github.com/github/gh-aw), [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action), [actions/setup-node](https://github.com/actions/setup-node) and [taiki-e/install-action](https://github.com/taiki-e/install-action).


Updates `github/gh-aw` from 0.51.6 to 0.56.2
- [Release notes](https://github.com/github/gh-aw/releases)
- [Changelog](https://github.com/github/gh-aw/blob/main/CHANGELOG.md)
- [Commits](github/gh-aw@33cd6c7...f1073c5)

Updates `aquasecurity/trivy-action` from 0.34.2 to 0.35.0
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@97e0b38...57a97c7)

Updates `actions/setup-node` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@6044e13...53b8394)

Updates `taiki-e/install-action` from 2.68.16 to 2.68.25
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](taiki-e/install-action@d6e286f...a37010d)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.56.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: taiki-e/install-action
  dependency-version: 2.68.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Mar 9, 2026

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot requested a review from zircote as a code owner March 9, 2026 15:28
@github-actions github-actions bot merged commit 9f4b93a into main Mar 9, 2026
13 of 32 checks passed
@github-actions
Copy link
Contributor

github-actions bot commented Mar 9, 2026

Benchmark Results

No benchmarks configured. Add benchmarks to benches/ directory.

Full results available in CI artifacts.

@dependabot dependabot bot deleted the dependabot/github_actions/github-actions-f86eb7f71e branch March 9, 2026 15:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zircote zircote Awaiting requested review from zircote zircote is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants