chore: bump the all group across 1 directory with 16 updates #1162

dependabot · 2025-08-18T06:15:04Z

Bumps the all group with 16 updates in the / directory:

Package	From	To
step-security/harden-runner	`2.10.4`	`2.13.0`
actions/checkout	`4.2.2`	`5.0.0`
github/codeql-action	`3.28.9`	`3.29.9`
actions/setup-node	`4.2.0`	`4.4.0`
actions/cache	`4.2.0`	`4.2.4`
actions/setup-go	`5.3.0`	`5.5.0`
docker/setup-buildx-action	`3.9.0`	`3.11.1`
crazy-max/ghaction-github-runtime	`3.0.0`	`3.1.0`
actions/upload-artifact	`4.6.0`	`4.6.2`
actions/download-artifact	`4.1.8`	`5.0.0`
peter-evans/create-pull-request	`7.0.6`	`7.0.8`
docker/login-action	`3.3.0`	`3.5.0`
aquasecurity/trivy-action	`0.29.0`	`0.32.0`
ossf/scorecard-action	`2.4.0`	`2.4.2`
golangci/golangci-lint-action	`6.3.1`	`8.0.0`
codecov/codecov-action	`5.3.1`	`5.4.3`

Updates step-security/harden-runner from 2.10.4 to 2.13.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.13.0

What's Changed

Improved job markdown summary

Https monitoring for all domains (included with the enterprise tier)

Full Changelog: step-security/harden-runner@v2...v2.13.0

v2.12.2

What's Changed

Added HTTPS Monitoring for additional destinations - *.githubusercontent.com Bug fixes:

Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode

Increased policy map size for block mode

Full Changelog: step-security/harden-runner@v2...v2.12.2

v2.12.1

What's Changed

Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.

Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.

Full Changelog: step-security/harden-runner@v2...v2.12.1

v2.12.0

What's Changed

A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.

New detections have been added based on insights from the tj-actions and reviewdog actions incidents.

Full Changelog: step-security/harden-runner@v2...v2.12.0

v2.11.1

What's Changed

cache: add support for GitHub Actions cache v2 by @h0x0er in step-security/harden-runner#529

Full Changelog: step-security/harden-runner@v2...v2.11.1

v2.11.0

What's Changed

Release v2.11.0 in #498 Harden-Runner Enterprise tier now supports the use of eBPF for DNS resolution and network call monitoring

Full Changelog: step-security/harden-runner@v2...v2.11.0

Commits

ec9f2d5 Merge pull request #565 from step-security/rc-24
04bcbc3 update agent
7c7a56f feat: get job summary from API
6c439dc Merge pull request #562 from step-security/rc-22
bf56886 update agent
5436dac update agent
88d305a update agent
b976878 update agent
875cc92 Update agent
002fdce Merge pull request #544 from step-security/rc-21
Additional commits viewable in compare view

Updates actions/checkout from 4.2.2 to 5.0.0

Release notes

Sourced from actions/checkout's releases.

v5.0.0

What's Changed

Update actions checkout to use node 24 by @salmanmkc in actions/checkout#2226

Prepare v5.0.0 release by @salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.0

What's Changed

docs: update README.md by @motss in actions/checkout#1971

Add internal repos for checking out multiple repositories by @mouismail in actions/checkout#1977

Documentation update - add recommended permissions to Readme by @benwells in actions/checkout#2043

Adjust positioning of user email note and permissions heading by @joshmgross in actions/checkout#2044

Update README.md by @nebuk89 in actions/checkout#2194

Update CODEOWNERS for actions by @TingluoHuang in actions/checkout#2224

Update package dependencies by @salmanmkc in actions/checkout#2236

Prepare release v4.3.0 by @salmanmkc in actions/checkout#2237

New Contributors

@motss made their first contribution in actions/checkout#1971

@mouismail made their first contribution in actions/checkout#1977

@benwells made their first contribution in actions/checkout#2043

@nebuk89 made their first contribution in actions/checkout#2194

@salmanmkc made their first contribution in actions/checkout#2236

Full Changelog: actions/checkout@v4...v4.3.0

Changelog

Sourced from actions/checkout's changelog.

Changelog

V5.0.0

Update actions checkout to use node 24 by @salmanmkc in actions/checkout#2226

V4.3.0

docs: update README.md by @motss in actions/checkout#1971

Add internal repos for checking out multiple repositories by @mouismail in actions/checkout#1977

Documentation update - add recommended permissions to Readme by @benwells in actions/checkout#2043

Adjust positioning of user email note and permissions heading by @joshmgross in actions/checkout#2044

Update README.md by @nebuk89 in actions/checkout#2194

Update CODEOWNERS for actions by @TingluoHuang in actions/checkout#2224

Update package dependencies by @salmanmkc in actions/checkout#2236

v4.2.2

url-helper.ts now leverages well-known environment variables by @jww3 in actions/checkout#1941

Expand unit test coverage for isGhes by @jww3 in actions/checkout#1946

v4.2.1

Check out other refs/* by commit if provided, fall back to ref by @orhantoy in actions/checkout#1924

v4.2.0

Add Ref and Commit outputs by @lucacome in actions/checkout#1180

Dependency updates by @dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

Bump the minor-npm-dependencies group across 1 directory with 4 updates by @dependabot in actions/checkout#1739

Bump actions/checkout from 3 to 4 by @dependabot in actions/checkout#1697

Check out other refs/* by commit by @orhantoy in actions/checkout#1774

Pin actions/checkout's own workflows to a known, good, stable version. by @jww3 in actions/checkout#1776

v4.1.6

Check platform to set archive extension appropriately by @cory-miller in actions/checkout#1732

v4.1.5

Update NPM dependencies by @cory-miller in actions/checkout#1703

Bump github/codeql-action from 2 to 3 by @dependabot in actions/checkout#1694

Bump actions/setup-node from 1 to 4 by @dependabot in actions/checkout#1696

Bump actions/upload-artifact from 2 to 4 by @dependabot in actions/checkout#1695

README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com by @cory-miller in actions/checkout#1707

v4.1.4

Disable extensions.worktreeConfig when disabling sparse-checkout by @jww3 in actions/checkout#1692

Add dependabot config by @cory-miller in actions/checkout#1688

Bump the minor-actions-dependencies group with 2 updates by @dependabot in actions/checkout#1693

Bump word-wrap from 1.2.3 to 1.2.5 by @dependabot in actions/checkout#1643

v4.1.3

... (truncated)

Commits

08c6903 Prepare v5.0.0 release (#2238)
9f26565 Update actions checkout to use node 24 (#2226)
08eba0b Prepare release v4.3.0 (#2237)
631c7dc Update package dependencies (#2236)
8edcb1b Update CODEOWNERS for actions (#2224)
09d2aca Update README.md (#2194)
85e6279 Adjust positioning of user email note and permissions heading (#2044)
009b9ae Documentation update - add recommended permissions to Readme (#2043)
cbb7224 Update README.md (#1977)
3b9b8c8 docs: update README.md (#1971)
See full diff in compare view

Updates github/codeql-action from 3.28.9 to 3.29.9

Release notes

Sourced from github/codeql-action's releases.

v3.29.9

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.9 - 12 Aug 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.29.8

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.8 - 08 Aug 2025

Fix an issue where the Action would autodetect unsupported languages such as HTML. #3015

See the full CHANGELOG.md for more information.

v3.29.7

This is a re-release of v3.29.5 to mitigate an issue that was discovered with v3.29.6.

v3.29.6

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.6 - 07 Aug 2025

The cleanup-level input to the analyze Action is now deprecated. The CodeQL Action has written a limited amount of intermediate results to the database since version 2.2.5, and now automatically manages cleanup. #2999

Update default CodeQL bundle version to 2.22.3. #3000

See the full CHANGELOG.md for more information.

v3.29.5

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.5 - 29 Jul 2025

Update default CodeQL bundle version to 2.22.2. #2986

See the full CHANGELOG.md for more information.

v3.29.4

CodeQL Action Changelog

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

3.29.9 - 12 Aug 2025

No user facing changes.

3.29.8 - 08 Aug 2025

Fix an issue where the Action would autodetect unsupported languages such as HTML. #3015

3.29.7 - 07 Aug 2025

This release rolls back 3.29.6 to address issues with language autodetection. It is identical to 3.29.5.

3.29.6 - 07 Aug 2025

The cleanup-level input to the analyze Action is now deprecated. The CodeQL Action has written a limited amount of intermediate results to the database since version 2.2.5, and now automatically manages cleanup. #2999

Update default CodeQL bundle version to 2.22.3. #3000

3.29.5 - 29 Jul 2025

Update default CodeQL bundle version to 2.22.2. #2986

3.29.4 - 23 Jul 2025

No user facing changes.

3.29.3 - 21 Jul 2025

No user facing changes.

3.29.2 - 30 Jun 2025

Experimental: When the quality-queries input for the init action is provided with an argument, separate .quality.sarif files are produced and uploaded for each language with the results of the specified queries. Do not use this in production as it is part of an internal experiment and subject to change at any time. #2935

3.29.1 - 27 Jun 2025

Fix bug in PR analysis where user-provided include query filter fails to exclude non-included queries. #2938

Update default CodeQL bundle version to 2.22.1. #2950

3.29.0 - 11 Jun 2025

Update default CodeQL bundle version to 2.22.0. #2925

Bump minimum CodeQL bundle version to 2.16.6. #2912

... (truncated)

Commits

df55935 Merge pull request #3026 from github/update-v3.29.9-cc722e476
53f255b Update changelog for v3.29.9
cc722e4 Merge pull request #3023 from github/redsun82/rust-test
a4cd8fd Merge pull request #3024 from github/dependabot/npm_and_yarn/npm-3a4f9bf414
542b274 Update checked-in dependencies
1a376ca Bump the npm group with 6 updates
9f966bb Merge branch 'main' into redsun82/rust-test
c6dcdfa Merge pull request #2993 from github/cklin/overlay-pack-check
821d3bd Merge branch 'main' into cklin/overlay-pack-check
bf1dd69 Move comments up in rust.yml
Additional commits viewable in compare view

Updates actions/setup-node from 4.2.0 to 4.4.0

Release notes

Sourced from actions/setup-node's releases.

v4.4.0

What's Changed

Bug fixes:

Make eslint-compact matcher compatible with Stylelint by @FloEdelmann in actions/setup-node#98

Add support for indented eslint output by @fregante in actions/setup-node#1245

Enhancement:

Support private mirrors by @marco-ippolito in actions/setup-node#1240

Dependency update:

Upgrade @action/cache from 4.0.2 to 4.0.3 by @aparnajyothi-y in actions/setup-node#1262

New Contributors

@FloEdelmann made their first contribution in actions/setup-node#98

@fregante made their first contribution in actions/setup-node#1245

@marco-ippolito made their first contribution in actions/setup-node#1240

Full Changelog: actions/setup-node@v4...v4.4.0

v4.3.0

What's Changed

Dependency updates

Upgrade @actions/glob from 0.4.0 to 0.5.0 by @dependabot in actions/setup-node#1200

Upgrade @action/cache from 4.0.0 to 4.0.2 by @gowridurgad in actions/setup-node#1251

Upgrade @vercel/ncc from 0.38.1 to 0.38.3 by @dependabot in actions/setup-node#1203

Upgrade @actions/tool-cache from 2.0.1 to 2.0.2 by @dependabot in actions/setup-node#1220

New Contributors

@gowridurgad made their first contribution in actions/setup-node#1251

Full Changelog: actions/setup-node@v4...v4.3.0

Commits

49933ea Bump @action/cache from 4.0.2 to 4.0.3 (#1262)
e3ce749 feat: support private mirrors (#1240)
40337cb Add support for indented eslint output (#1245)
1ccdddc Make eslint-compact matcher compatible with Stylelint (#98)
cdca736 Bump @actions/tool-cache from 2.0.1 to 2.0.2 (#1220)
22c0e74 Bump @vercel/ncc from 0.38.1 to 0.38.3 (#1203)
a7c2d94 actions/cache upgrade (#1251)
8026329 Bump @actions/glob from 0.4.0 to 0.5.0 (#1200)
See full diff in compare view

Updates actions/cache from 4.2.0 to 4.2.4

Release notes

Sourced from actions/cache's releases.

v4.2.4

What's Changed

Update README.md by @nebuk89 in actions/cache#1620

Upgrade @actions/cache to 4.0.5 and move @protobuf-ts/plugin to dev depdencies by @Link- in actions/cache#1634

Prepare release 4.2.4 by @Link- in actions/cache#1636

New Contributors

@nebuk89 made their first contribution in actions/cache#1620

Full Changelog: actions/cache@v4...v4.2.4

v4.2.3

What's Changed

Update to use @actions/cache 4.0.3 package & prepare for new release by @salmanmkc in actions/cache#1577 (SAS tokens for cache entries are now masked in debug logs)

New Contributors

@salmanmkc made their first contribution in actions/cache#1577

Full Changelog: actions/cache@v4.2.2...v4.2.3

v4.2.2

What's Changed

[!IMPORTANT] As a reminder, there were important backend changes to release v4.2.0, see those release notes and the announcement for more details.

Bump @actions/cache to v4.0.2 by @robherley in actions/cache#1560

Full Changelog: actions/cache@v4.2.1...v4.2.2

v4.2.1

What's Changed

[!IMPORTANT] As a reminder, there were important backend changes to release v4.2.0, see those release notes and the announcement for more details.

docs: GitHub is spelled incorrectly in caching-strategies.md by @janco-absa in actions/cache#1526

docs: Make the "always save prime numbers" example more clear by @Tobbe in actions/cache#1525

Update force deletion docs due a recent deprecation by @sebbalex in actions/cache#1500

Bump @actions/cache to v4.0.1 by @robherley in actions/cache#1554

New Contributors

@janco-absa made their first contribution in actions/cache#1526

@Tobbe made their first contribution in actions/cache#1525

@sebbalex made their first contribution in actions/cache#1500

Full Changelog: actions/cache@v4.2.0...v4.2.1

Changelog

Sourced from actions/cache's changelog.

Releases

4.2.4

Bump @actions/cache to v4.0.5

4.2.3

Bump @actions/cache to v4.0.3 (obfuscates SAS token in debug logs for cache entries)

4.2.2

Bump @actions/cache to v4.0.2

4.2.1

Bump @actions/cache to v4.0.1

4.2.0

TLDR; The cache backend service has been rewritten from the ground up for improved performance and reliability. actions/cache now integrates with the new cache service (v2) APIs.

The new service will gradually roll out as of February 1st, 2025. The legacy service will also be sunset on the same date. Changes in these release are fully backward compatible.

We are deprecating some versions of this action. We recommend upgrading to version v4 or v3 as soon as possible before February 1st, 2025. (Upgrade instructions below).

If you are using pinned SHAs, please use the SHAs of versions v4.2.0 or v3.4.0

If you do not upgrade, all workflow runs using any of the deprecated actions/cache will fail.

Upgrading to the recommended versions will not break your workflows.

4.1.2

Add GitHub Enterprise Cloud instances hostname filters to inform API endpoint choices - #1474

Security fix: Bump braces from 3.0.2 to 3.0.3 - #1475

4.1.1

Restore original behavior of cache-hit output - #1467

4.1.0

Ensure cache-hit output is set when a cache is missed - #1404

Deprecate save-always input - #1452

4.0.2

Fixed restore fail-on-cache-miss not working.

... (truncated)

Commits

0400d5f Merge pull request #1636 from actions/Link-/release-4.2.4
374a27f Prepare release 4.2.4
358a730 Merge pull request #1634 from actions/Link-/optimise-deps
2ee706e Fix with another approach
94f7b5d Fix bundle exec
c36116c Fix the workflow to use licensed from source
320fe7d Update the licensed workflow to use the latest version
d81cc47 Add licensed output
de24398 Add licensed output
e7b6a9c @protobuf-ts/plugin to dev dependencies
Additional commits viewable in compare view

Updates actions/setup-go from 5.3.0 to 5.5.0

Release notes

Sourced from actions/setup-go's releases.

v5.5.0

What's Changed

Bug fixes:

Update self-hosted environment validation by @priyagupta108 in actions/setup-go#556

Add manifest validation and improve error handling by @priyagupta108 in actions/setup-go#586

Update template link by @jsoref in actions/setup-go#527

Dependency updates:

Upgrade @action/cache from 4.0.2 to 4.0.3 by @aparnajyothi-y in actions/setup-go#574

Upgrade @actions/glob from 0.4.0 to 0.5.0 by @dependabot in actions/setup-go#573

Upgrade ts-jest from 29.1.2 to 29.3.2 by @dependabot in actions/setup-go#582

Upgrade eslint-plugin-jest from 27.9.0 to 28.11.0 by @dependabot in actions/setup-go#537

New Contributors

@jsoref made their first contribution in actions/setup-go#527

Full Changelog: actions/setup-go@v5...v5.5.0

v5.4.0

What's Changed

Dependency updates :

Upgrade semver from 7.6.0 to 7.6.3 by @dependabot in actions/setup-go#535

Upgrade eslint-config-prettier from 8.10.0 to 10.0.1 by @dependabot in actions/setup-go#536

Upgrade @action/cache from 4.0.0 to 4.0.2 by @aparnajyothi-y in actions/setup-go#568

Upgrade undici from 5.28.4 to 5.28.5 by @dependabot in actions/setup-go#541

New Contributors

@aparnajyothi-y made their first contribution in actions/setup-go#568

Full Changelog: actions/setup-go@v5...v5.4.0

Commits

d35c59a chore: update discussions url (#527)
29694d7 Add manifest validation and improve error handling (#586)
78535dd Bump eslint-plugin-jest from 27.9.0 to 28.11.0 (#537)
bb65d88 Bump ts-jest from 29.1.2 to 29.3.2 (#582)
7f17e83 Bump @actions/glob from 0.4.0 to 0.5.0 (#573)
dca8468 Update self-hosted environment validation and bump undici version (#556)
691cc35 upgrade actions/cache to 4.0.3 (#574)
0aaccfd Bump undici from 5.28.4 to 5.28.5 (#541)
c4c1141 upgrade actions/cache to 4.0.2 (#568)
5a083d0 Bump eslint-config-prettier from 8.10.0 to 10.0.1 (#536)
Additional commits viewable in compare view

Updates docker/setup-buildx-action from 3.9.0 to 3.11.1

Release notes

Sourced from docker/setup-buildx-action's releases.

v3.11.1

Fix keep-state not being respected by @crazy-max in docker/setup-buildx-action#429

Full Changelog: docker/setup-buildx-action@v3.11.0...v3.11.1

v3.11.0

Keep BuildKit state support by @crazy-max in docker/setup-buildx-action#427

Remove aliases created when installing by default by @hashhar in docker/setup-buildx-action#139

Bump @docker/actions-toolkit from 0.56.0 to 0.62.1 in docker/setup-buildx-action#422 docker/setup-buildx-action#425

Full Changelog: docker/setup-buildx-action@v3.10.0...v3.11.0

v3.10.0

Bump @docker/actions-toolkit from 0.54.0 to 0.56.0 in docker/setup-buildx-action#408

Full Changelog: docker/setup-buildx-action@v3.9.0...v3.10.0

Commits

e468171 Merge pull request #429 from crazy-max/fix-keep-state
a3e7502 chore: update generated content
b145473 fix keep-state not being respected
18ce135 Merge pull request #425 from docker/dependabot/npm_and_yarn/docker/actions-to...
0e198e9 chore: update generated content
05f3f3a build(deps): bump @docker/actions-toolkit from 0.61.0 to 0.62.1
6229134 Merge pull request #427 from crazy-max/keep-state
c6f6a07 chore: update generated content
6c5e29d skip builder creation if one already exists with the same name
548b297 ci: keep-state check
Additional commits viewable in compare view

Updates crazy-max/ghaction-github-runtime from 3.0.0 to 3.1.0

Release notes

Sourced from crazy-max/ghaction-github-runtime's releases.

v3.1.0

Bump @actions/core from 1.10.0 to 1.11.1 in crazy-max/ghaction-github-runtime#58

Bump braces from 3.0.2 to 3.0.3 in crazy-max/ghaction-github-runtime#54

Bump cross-spawn from 7.0.3 to 7.0.6 in crazy-max/ghaction-github-runtime#59

Bump ip from 2.0.0 to 2.0.1 in crazy-max/ghaction-github-runtime#50

Bump micromatch from 4.0.5 to 4.0.8 in crazy-max/ghaction-github-runtime#55

Bump tar from 6.1.14 to 6.2.1 in crazy-max/ghaction-github-runtime#51

Full Changelog: crazy-max/ghaction-github-runtime@v3.0.0...v3.1.0

Commits

3cb05d8 Merge pull request #58 from crazy-max/dependabot/npm_and_yarn/actions/core-1....
ef7a149 chore: update generated content
5bfe170 Merge pull request #55 from crazy-max/dependabot/npm_and_yarn/micromatch-4.0.8
58529df Merge pull request #59 from crazy-max/dependabot/npm_and_yarn/cross-spawn-7.0.6
ac1af5a Merge pull request #60 from crazy-max/gha-perms
8ae9a9b ci: set contents read as default workflow permissions
22db7e4 new year
24046ff Bump cross-spawn from 7.0.3 to 7.0.6
c068fc9 Bump @actions/core from 1.10.0 to 1.11.1
0d73af4 Bump micromatch from 4.0.5 to 4.0.8
Additional commits viewable in compare view

Updates actions/upload-artifact from 4.6.0 to 4.6.2

Release notes

Sourced from actions/upload-artifact's releases.

v4.6.2

What's Changed

Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @salmanmkc in actions/upload-artifact#685

New Contributors

@salmanmkc made their first contribution in actions/upload-artifact#685

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

What's Changed

Update to use artifact 2.2.2 package by @yacaovsnc in actions/upload-artifact#673

Full Changelog: actions/upload-artifact@v4...v4.6.1

Commits

ea165f8 Merge pull request #685 from salmanmkc/salmanmkc/3-new-upload-artifacts-release
0839620 Prepare for new release of actions/upload-artifact with new toolkit cache ver...
4cec3d8 Merge pull request #673 from actions/yacaovsnc/artifact_2.2.2
e9fad96 license cache update for artifact
b26fd06 Update to use artifact 2.2.2 package
See full diff in compare view

Updates actions/download-artifact from 4.1.8 to 5.0.0

Release notes

Sourced from actions/download-artifact's releases.

v5.0.0

What's Changed

Update README.md by @nebuk89 in actions/download-artifact#407

BREAKING fix: inconsistent path behavior for single artifact downloads by ID by @GrantBirki in actions/download-artifact#416

v5.0.0

🚨 Breaking Change

This release fixes an inconsistency in path behavior for single artifact downloads by ID. If you're downloading single artifacts by ID, the output path may change.

What Changed

Previously, single artifact downloads behaved differently depending on how you specified the artifact:

By name: name: my-artifact → extracted to path/ (direct)

By ID: artifact-ids: 12345 → extracted to path/my-artifact/ (nested)

Now both methods are consistent:

By name: name: my-artifact → extracted to path/ (unchanged)

By ID: artifact-ids: 12345 → extracted to path/ (fixed - now direct)

Migration Guide

✅ No Action Needed If:

You download artifacts by name

You download multiple artifacts by ID

You already use merge-multiple: true as a workaround

⚠️ Action Required If:

You download single artifacts by ID and your workflows expect the nested directory structure.

Before v5 (nested structure):
- uses: actions/download-artifact@v4
  with:
    artifact-ids: 12345
    path: dist
# Files were in: dist/my-artifact/
Where my-artifact is the name of the artifact you previously uploaded

To maintain old behavior (if needed):
</tr></table> 

... (truncated)

Commits

634f93c Merge pull request #416 from actions/single-artifact-id-download-path
b19ff43 refactor: resolve download path correctly in artifact download tests (mainly ...
e262cbe bundle dist
bff23f9 update docs
fff8c14 fix download path logic when downloading a single art...
Description has been truncated

Bumps the all group with 16 updates in the / directory: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.10.4` | `2.13.0` | | [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `5.0.0` | | [github/codeql-action](https://github.com/github/codeql-action) | `3.28.9` | `3.29.9` | | [actions/setup-node](https://github.com/actions/setup-node) | `4.2.0` | `4.4.0` | | [actions/cache](https://github.com/actions/cache) | `4.2.0` | `4.2.4` | | [actions/setup-go](https://github.com/actions/setup-go) | `5.3.0` | `5.5.0` | | [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3.9.0` | `3.11.1` | | [crazy-max/ghaction-github-runtime](https://github.com/crazy-max/ghaction-github-runtime) | `3.0.0` | `3.1.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.0` | `4.6.2` | | [actions/download-artifact](https://github.com/actions/download-artifact) | `4.1.8` | `5.0.0` | | [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | `7.0.6` | `7.0.8` | | [docker/login-action](https://github.com/docker/login-action) | `3.3.0` | `3.5.0` | | [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) | `0.29.0` | `0.32.0` | | [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.4.0` | `2.4.2` | | [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) | `6.3.1` | `8.0.0` | | [codecov/codecov-action](https://github.com/codecov/codecov-action) | `5.3.1` | `5.4.3` | Updates `step-security/harden-runner` from 2.10.4 to 2.13.0 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@cb605e5...ec9f2d5) Updates `actions/checkout` from 4.2.2 to 5.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@11bd719...08c6903) Updates `github/codeql-action` from 3.28.9 to 3.29.9 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@9e8d078...df55935) Updates `actions/setup-node` from 4.2.0 to 4.4.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@1d0ff46...49933ea) Updates `actions/cache` from 4.2.0 to 4.2.4 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@1bd1e32...0400d5f) Updates `actions/setup-go` from 5.3.0 to 5.5.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@f111f33...d35c59a) Updates `docker/setup-buildx-action` from 3.9.0 to 3.11.1 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@f7ce87c...e468171) Updates `crazy-max/ghaction-github-runtime` from 3.0.0 to 3.1.0 - [Release notes](https://github.com/crazy-max/ghaction-github-runtime/releases) - [Commits](crazy-max/ghaction-github-runtime@b3a9207...3cb05d8) Updates `actions/upload-artifact` from 4.6.0 to 4.6.2 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@65c4c4a...ea165f8) Updates `actions/download-artifact` from 4.1.8 to 5.0.0 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@fa0a91b...634f93c) Updates `peter-evans/create-pull-request` from 7.0.6 to 7.0.8 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@67ccf78...271a8d0) Updates `docker/login-action` from 3.3.0 to 3.5.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@9780b0c...184bdaa) Updates `aquasecurity/trivy-action` from 0.29.0 to 0.32.0 - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](aquasecurity/trivy-action@18f2510...dc5a429) Updates `ossf/scorecard-action` from 2.4.0 to 2.4.2 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@62b2cac...05b42c6) Updates `golangci/golangci-lint-action` from 6.3.1 to 8.0.0 - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@2e78893...4afd733) Updates `codecov/codecov-action` from 5.3.1 to 5.4.3 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@13ce06b...18283e0) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.13.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all - dependency-name: github/codeql-action dependency-version: 3.29.9 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: actions/setup-node dependency-version: 4.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: actions/cache dependency-version: 4.2.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: actions/setup-go dependency-version: 5.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: docker/setup-buildx-action dependency-version: 3.11.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: crazy-max/ghaction-github-runtime dependency-version: 3.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: actions/upload-artifact dependency-version: 4.6.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: actions/download-artifact dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all - dependency-name: peter-evans/create-pull-request dependency-version: 7.0.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: docker/login-action dependency-version: 3.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: aquasecurity/trivy-action dependency-version: 0.32.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all - dependency-name: ossf/scorecard-action dependency-version: 2.4.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all - dependency-name: golangci/golangci-lint-action dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all - dependency-name: codecov/codecov-action dependency-version: 5.4.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Aug 18, 2025

dependabot bot requested review from ashnamehrotra, pmengelbert and sozercan as code owners August 18, 2025 06:15

dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Aug 18, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore: bump the all group across 1 directory with 16 updates #1162

chore: bump the all group across 1 directory with 16 updates #1162

Uh oh!

dependabot bot commented on behalf of github Aug 18, 2025 •

edited

Loading

Uh oh!

Uh oh!

chore: bump the all group across 1 directory with 16 updates #1162

Are you sure you want to change the base?

chore: bump the all group across 1 directory with 16 updates #1162

Uh oh!

Conversation

dependabot bot commented on behalf of github Aug 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v2.13.0

What's Changed

v2.12.2

What's Changed

v2.12.1

What's Changed

v2.12.0

What's Changed

v2.11.1

What's Changed

v2.11.0

What's Changed

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v4.3.0

What's Changed

New Contributors

Changelog

V5.0.0

V4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v3.29.9

CodeQL Action Changelog

3.29.9 - 12 Aug 2025

v3.29.8

CodeQL Action Changelog

3.29.8 - 08 Aug 2025

v3.29.7

v3.29.6

CodeQL Action Changelog

3.29.6 - 07 Aug 2025

v3.29.5

CodeQL Action Changelog

3.29.5 - 29 Jul 2025

v3.29.4

CodeQL Action Changelog

CodeQL Action Changelog

[UNRELEASED]

3.29.9 - 12 Aug 2025

3.29.8 - 08 Aug 2025

3.29.7 - 07 Aug 2025

3.29.6 - 07 Aug 2025

3.29.5 - 29 Jul 2025

3.29.4 - 23 Jul 2025

3.29.3 - 21 Jul 2025

3.29.2 - 30 Jun 2025

3.29.1 - 27 Jun 2025

3.29.0 - 11 Jun 2025

v4.4.0

What's Changed

Bug fixes:

Enhancement:

Dependency update:

New Contributors

v4.3.0

What's Changed

Dependency updates

New Contributors

v4.2.4

What's Changed

New Contributors

v4.2.3

What's Changed

New Contributors

v4.2.2

dependabot bot commented on behalf of github Aug 18, 2025 •

edited

Loading