Skip to content

chore(deps): bump the github-actions group with 4 updates#186

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/github-actions-9b4728fefb
Closed

chore(deps): bump the github-actions group with 4 updates#186
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/github-actions-9b4728fefb

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 16, 2026
edited
Loading

Bumps the github-actions group with 4 updates: github/gh-aw, softprops/action-gh-release, taiki-e/install-action and sigstore/cosign-installer.

Updates github/gh-aw from 0.56.2 to 0.58.3

Release notes

Sourced from github/gh-aw's releases.

v0.58.3

🌟 Release Highlights

This release focuses on security hardening, GHES compatibility, and developer experience improvements — with better MCP write protection, a new Copilot pre-flight diagnostic for enterprise environments, and a noticeably improved run details summary.

✨ What's New

  • MCP Write-Sink Guard Policy — All non-GitHub MCP servers configured via the gateway now enforce a write-sink guard policy, preventing unintended writes through third-party MCP tools. This improves the security posture of workflows using custom MCP integrations. (#21005)

  • Copilot Pre-flight Diagnostic for GHES — A new pre-flight check helps diagnose Copilot configuration issues in GitHub Enterprise Server environments before a workflow run fails, saving time when debugging enterprise setups. (#20975)

  • Action Pins Mode with gh-aw-actions v0 — The action-tag step now uses action pins mode, enabling stable and auditable action references via gh-aw-actions at the v0 tag. (#20991)

  • Enhanced Run Details Step Summary — Workflow run summaries now render as structured bullet points, display the gh-aw version, and include full aw_info output for easier post-run inspection. (#20989)

⚡ Performance

  • Faster Workflow Name ExtractionextractWorkflowNameFromFile no longer performs an unnecessary full YAML parse, reducing overhead when processing large workflow collections. (#21012)

🐛 Bug Fixes & Improvements

  • GHES Host Leakage Prevention — The "Install GitHub Copilot CLI" step now explicitly emits GH_HOST: github.com, preventing GHES host values from leaking into the Copilot CLI installation context. (#20992)
  • Workflow Call Artifact Downloads Fixed — Artifact prefix handling in the conclusion job and script step downloads now works correctly in workflow_call contexts. (#21011)
  • TypeScript Type Error Fixed — Resolved a type error in json_object_to_markdown.cjs that could cause runtime failures in certain output scenarios. (#21010)
  • Go Firewall Rule for Shared Workflows — The shared/go-make.md shared workflow now includes go in its firewall allowed set, enabling Go toolchain downloads during builds. (#21014)

📚 Documentation

  • Accessibility: Live Search Results — The docs site search now announces results to screen readers via aria-live, improving accessibility for keyboard and assistive technology users. (#21019)

For complete details, see CHANGELOG.

Generated by Release

What's Changed

... (truncated)

Commits
  • 08a903b docs: add aria-live enhancement for search results accessibility (#issue) (#2...
  • 1cb4a5a Remove copilot-preflight script and associated step generation (#21016)
  • 47ab8dd fix: use artifact prefix in conclusion job and script step downloads for work...
  • c87077e perf: optimize extractWorkflowNameFromFile by eliminating unnecessary YAML ...
  • 1a426d0 Add go firewall allowed set to shared/go-make.md (#21014)
  • 50e4991 feat: add write-sink guard policy to all non-GitHub MCP servers configured by...
  • 4e2b550 docs: condense intro and remove duplicate cross-repo notes in central-repo-op...
  • 1333b4a docs: add action-tag feature flag to github-agentic-workflows.md (#21001)
  • 5a8a60a fix: emit GH_HOST: github.com on Install GitHub Copilot CLI step to prevent G...
  • 4173449 feat: update action-tag to use action pins mode (gh-aw-actions) with v0 (#20991)
  • Additional commits viewable in compare view

Updates softprops/action-gh-release from 2.5.0 to 2.6.1

Release notes

Sourced from softprops/action-gh-release's releases.

v2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

v2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉

Bug fixes 🐛

Other Changes 🔄

v2.5.3

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2. It fixes [#639](https://github.com/softprops/action-gh-release/issues/639), [#571](https://github.com/softprops/action-gh-release/issues/571), [#280](https://github.com/softprops/action-gh-release/issues/280), [#614](https://github.com/softprops/action-gh-release/issues/614), [#311](https://github.com/softprops/action-gh-release/issues/311), [#403](https://github.com/softprops/action-gh-release/issues/403), and [#368](https://github.com/softprops/action-gh-release/issues/368). It also adds documentation clarifications for [#541](https://github.com/softprops/action-gh-release/issues/541), [#645](https://github.com/softprops/action-gh-release/issues/645), [#542](https://github.com/softprops/action-gh-release/issues/542), [#393](https://github.com/softprops/action-gh-release/issues/393), and [#411](https://github.com/softprops/action-gh-release/issues/411), where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

... (truncated)

Changelog

Sourced from softprops/action-gh-release's changelog.

2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉

Bug fixes 🐛

Other Changes 🔄

2.5.3

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2. It fixes [#639](https://github.com/softprops/action-gh-release/issues/639), [#571](https://github.com/softprops/action-gh-release/issues/571), [#280](https://github.com/softprops/action-gh-release/issues/280), [#614](https://github.com/softprops/action-gh-release/issues/614), [#311](https://github.com/softprops/action-gh-release/issues/311), [#403](https://github.com/softprops/action-gh-release/issues/403), and [#368](https://github.com/softprops/action-gh-release/issues/368). It also adds documentation clarifications for [#541](https://github.com/softprops/action-gh-release/issues/541), [#645](https://github.com/softprops/action-gh-release/issues/645), [#542](https://github.com/softprops/action-gh-release/issues/542), [#393](https://github.com/softprops/action-gh-release/issues/393), and [#411](https://github.com/softprops/action-gh-release/issues/411), where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

... (truncated)

Commits

Updates taiki-e/install-action from 2.68.25 to 2.68.34

Release notes

Sourced from taiki-e/install-action's releases.

2.68.34

  • Update prek@latest to 0.3.6.

  • Update vacuum@latest to 0.25.2.

2.68.33

  • Update dprint@latest to 0.53.0.

2.68.32

  • Update tombi@latest to 0.9.6.

  • Update martin@latest to 1.4.0.

2.68.31

  • Update cargo-shear@latest to 1.11.2.

2.68.30

  • Update just@latest to 1.47.0.

  • Update tombi@latest to 0.9.5.

2.68.29

  • Update cargo-shear@latest to 1.11.1.

2.68.28

  • Update cargo-shear@latest to 1.11.0.

  • Update vacuum@latest to 0.25.1.

  • Update uv@latest to 0.10.10.

  • Update mise@latest to 2026.3.9.

2.68.27

  • Update cargo-cyclonedx@latest to 0.5.8.

  • Update mise@latest to 2026.3.8.

2.68.26

  • Update vacuum@latest to 0.25.0.

  • Update syft@latest to 1.42.2.

  • Update shfmt@latest to 3.13.0.

  • Update prek@latest to 0.3.5.

  • Update mise@latest to 2026.3.7.

  • Update cargo-shear@latest to 1.10.0.

... (truncated)

Changelog

Sourced from taiki-e/install-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

This project adheres to Semantic Versioning.

[Unreleased]

[2.68.34] - 2026-03-16

  • Update prek@latest to 0.3.6.

  • Update vacuum@latest to 0.25.2.

[2.68.33] - 2026-03-16

  • Update dprint@latest to 0.53.0.

[2.68.32] - 2026-03-15

  • Update tombi@latest to 0.9.6.

  • Update martin@latest to 1.4.0.

[2.68.31] - 2026-03-15

  • Update cargo-shear@latest to 1.11.2.

[2.68.30] - 2026-03-15

  • Update just@latest to 1.47.0.

  • Update tombi@latest to 0.9.5.

[2.68.29] - 2026-03-14

  • Update cargo-shear@latest to 1.11.1.

[2.68.28] - 2026-03-14

  • Update cargo-shear@latest to 1.11.0.

  • Update vacuum@latest to 0.25.1.

  • Update uv@latest to 0.10.10.

... (truncated)

Commits

Updates sigstore/cosign-installer from 4.0.0 to 4.1.0

Release notes

Sourced from sigstore/cosign-installer's releases.

v4.1.0

What's Changed

We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing with: cosign-release and strongly discourage using cosign-release unless you have a specific reason to use an older version of Cosign.

Full Changelog: sigstore/cosign-installer@v4.0.0...v4.1.0

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump the github-actions group with 4 updates
9acf0a2 
Bumps the github-actions group with 4 updates: [github/gh-aw](https://github.com/github/gh-aw), [softprops/action-gh-release](https://github.com/softprops/action-gh-release), [taiki-e/install-action](https://github.com/taiki-e/install-action) and [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).


Updates `github/gh-aw` from 0.56.2 to 0.58.3
- [Release notes](https://github.com/github/gh-aw/releases)
- [Commits](github/gh-aw@v0.56.2...v0.58.3)

Updates `softprops/action-gh-release` from 2.5.0 to 2.6.1
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@a06a81a...153bb8e)

Updates `taiki-e/install-action` from 2.68.25 to 2.68.34
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](taiki-e/install-action@a37010d...de6bbd1)

Updates `sigstore/cosign-installer` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@faadad0...ba7bc0a)

---
updated-dependencies:
- dependency-name: github/gh-aw
  dependency-version: 0.58.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: softprops/action-gh-release
  dependency-version: 2.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: taiki-e/install-action
  dependency-version: 2.68.34
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Mar 16, 2026

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot requested a review from zircote as a code owner March 16, 2026 14:36
@zircote zircote closed this Mar 19, 2026
@zircote zircote reopened this Mar 19, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Mar 19, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@zircote
Copy link
Copy Markdown
Owner

zircote commented Mar 19, 2026

@dependabot rebase

1 similar comment
@zircote
Copy link
Copy Markdown
Owner

zircote commented Mar 19, 2026

@dependabot rebase

@zircote zircote enabled auto-merge (squash) March 19, 2026 02:58
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Mar 19, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Mar 19, 2026
auto-merge was automatically disabled March 19, 2026 02:59

Pull request was closed

@dependabot dependabot bot deleted the dependabot/github_actions/github-actions-9b4728fefb branch March 19, 2026 02:59
@codecov
Copy link
Copy Markdown

codecov bot commented Mar 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.93%. Comparing base (68d824b) to head (9acf0a2).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #186   +/-   ##
=======================================
  Coverage   94.93%   94.93%           
=======================================
  Files          25       25           
  Lines       10183    10183           
=======================================
  Hits         9667     9667           
  Misses        516      516

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zircote zircote zircote approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@zircote