Bump the actions group across 1 directory with 6 updates #454

dependabot · 2025-09-15T13:23:07Z

Bumps the actions group with 6 updates in the / directory:

Package	From	To
step-security/harden-runner	`2.13.0`	`2.13.1`
actions/github-script	`7.0.1`	`8.0.0`
actions/setup-python	`5.6.0`	`6.0.0`
mamba-org/setup-micromamba	`2.0.5`	`2.0.6`
softprops/action-gh-release	`2.3.2`	`2.3.3`
pypa/gh-action-pypi-publish	`1.12.4`	`1.13.0`

Updates step-security/harden-runner from 2.13.0 to 2.13.1

Release notes

Sourced from step-security/harden-runner's releases.

v2.13.1

What's Changed

Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.

Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.

Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.

Full Changelog: step-security/harden-runner@v2.13.0...v2.13.1

Commits

f4a75cf Merge pull request #588 from step-security/rc-26
95503d0 ci: remove code-review workflow
4b250a0 ci: add job to confirm dist is as expected
5b0ab6a update dependencies
d11f2c1 fix bug where status code was not being preserved
b3fc98e improve error handling for policy store sceanrio
92fc5d4 update error message
b61b0a4 policy store improvements
e3d3f2b use GitHub release instead of packages
646ac01 update agent
Additional commits viewable in compare view

Updates actions/github-script from 7.0.1 to 8.0.0

Release notes

Sourced from actions/github-script's releases.

v8.0.0

What's Changed

Update Node.js version support to 24.x by @salmanmkc in actions/github-script#637

README for updating actions/github-script from v7 to v8 by @sneha-krip in actions/github-script#653

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

New Contributors

@salmanmkc made their first contribution in actions/github-script#637

@sneha-krip made their first contribution in actions/github-script#653

Full Changelog: actions/github-script@v7.1.0...v8.0.0

v7.1.0

What's Changed

Upgrade husky to v9 by @benelan in actions/github-script#482

Add workflow file for publishing releases to immutable action package by @Jcambass in actions/github-script#485

Upgrade IA Publish by @Jcambass in actions/github-script#486

Fix workflow status badges by @joshmgross in actions/github-script#497

Update usage of actions/upload-artifact by @joshmgross in actions/github-script#512

Clear up package name confusion by @joshmgross in actions/github-script#514

Update dependencies with npm audit fix by @joshmgross in actions/github-script#515

Specify that the used script is JavaScript by @timotk in actions/github-script#478

chore: Add Dependabot for NPM and Actions by @nschonni in actions/github-script#472

Define permissions in workflows and update actions by @joshmgross in actions/github-script#531

chore: Add Dependabot for .github/actions/install-dependencies by @nschonni in actions/github-script#532

chore: Remove .vscode settings by @nschonni in actions/github-script#533

ci: Use github/setup-licensed by @nschonni in actions/github-script#473

make octokit instance available as octokit on top of github, to make it easier to seamlessly copy examples from GitHub rest api or octokit documentations by @iamstarkov in actions/github-script#508

Remove octokit README updates for v7 by @joshmgross in actions/github-script#557

docs: add "exec" usage examples by @neilime in actions/github-script#546

Bump ruby/setup-ruby from 1.213.0 to 1.222.0 by @dependabot[bot] in actions/github-script#563

Bump ruby/setup-ruby from 1.222.0 to 1.229.0 by @dependabot[bot] in actions/github-script#575

Clearly document passing inputs to the script by @joshmgross in actions/github-script#603

Update README.md by @nebuk89 in actions/github-script#610

New Contributors

@benelan made their first contribution in actions/github-script#482

@Jcambass made their first contribution in actions/github-script#485

@timotk made their first contribution in actions/github-script#478

@iamstarkov made their first contribution in actions/github-script#508

@neilime made their first contribution in actions/github-script#546

@nebuk89 made their first contribution in actions/github-script#610

Full Changelog: actions/github-script@v7...v7.1.0

Commits

ed59741 Merge pull request #653 from actions/sneha-krip/readme-for-v8
2dc352e Bold minimum Actions Runner version in README
01e118c Update README for Node 24 runtime requirements
8b222ac Apply suggestion from @salmanmkc
adc0eea README for updating actions/github-script from v7 to v8
20fe497 Merge pull request #637 from actions/node24
e7b7f22 update licenses
2c81ba0 Update Node.js version support to 24.x
f28e40c Merge pull request #610 from actions/nebuk89-patch-1
1ae9958 Update README.md
Additional commits viewable in compare view

Updates actions/setup-python from 5.6.0 to 6.0.0

Release notes

Sourced from actions/setup-python's releases.

v6.0.0

What's Changed

Breaking Changes

Upgrade to node 24 by @salmanmkc in actions/setup-python#1164

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

Add support for pip-version by @priyagupta108 in actions/setup-python#1129

Enhance reading from .python-version by @krystof-k in actions/setup-python#787

Add version parsing from Pipfile by @aradkdj in actions/setup-python#1067

Bug fixes:

Clarify pythonLocation behaviour for PyPy and GraalPy in environment variables by @aparnajyothi-y in actions/setup-python#1183

Change missing cache directory error to warning by @aparnajyothi-y in actions/setup-python#1182

Add Architecture-Specific PATH Management for Python with --user Flag on Windows by @aparnajyothi-y in actions/setup-python#1122

Include python version in PyPy python-version output by @cdce8p in actions/setup-python#1110

Update docs: clarification on pip authentication with setup-python by @priya-kinthali in actions/setup-python#1156

Dependency updates:

Upgrade idna from 2.9 to 3.7 in /tests/data by @dependabot[bot] in actions/setup-python#843

Upgrade form-data to fix critical vulnerabilities #182 & #183 by @aparnajyothi-y in actions/setup-python#1163

Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download by @aparnajyothi-y in actions/setup-python#1165

Upgrade actions/checkout from 4 to 5 by @dependabot[bot] in actions/setup-python#1181

Upgrade @actions/tool-cache from 2.0.1 to 2.0.2 by @dependabot[bot] in actions/setup-python#1095

New Contributors

@krystof-k made their first contribution in actions/setup-python#787

@cdce8p made their first contribution in actions/setup-python#1110

@aradkdj made their first contribution in actions/setup-python#1067

Full Changelog: actions/setup-python@v5...v6.0.0

Commits

e797f83 Upgrade to node 24 (#1164)
3d1e2d2 Revert "Enhance cache-dependency-path handling to support files outside the w...
65b0712 Clarify pythonLocation behavior for PyPy and GraalPy in environment variables...
5b668cf Bump actions/checkout from 4 to 5 (#1181)
f62a0e2 Change missing cache directory error to warning (#1182)
9322b3c Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIn...
fbeb884 Bump form-data to fix critical vulnerabilities #182 & #183 (#1163)
03bb615 Bump idna from 2.9 to 3.7 in /tests/data (#843)
36da51d Add version parsing from Pipfile (#1067)
3c6f142 update documentation (#1156)
Additional commits viewable in compare view

Updates mamba-org/setup-micromamba from 2.0.5 to 2.0.6

Release notes

Sourced from mamba-org/setup-micromamba's releases.

v2.0.6

What's Changed

New features

v2.0.6 by @jjerphan in mamba-org/setup-micromamba#283

Dependency updates

Bump the node group with 9 updates by @dependabot[bot] in mamba-org/setup-micromamba#276

Bump softprops/action-gh-release from 2.2.2 to 2.3.2 in the actions group by @dependabot[bot] in mamba-org/setup-micromamba#277

Update dependencies and rebuild dist by @jjerphan in mamba-org/setup-micromamba#278

Bump actions/checkout from 4 to 5 in the actions group by @dependabot[bot] in mamba-org/setup-micromamba#281

Bump the node group across 1 directory with 10 updates by @dependabot[bot] in mamba-org/setup-micromamba#282

Full Changelog: mamba-org/setup-micromamba@v2.0.5...v2.0.6

Commits

7f29b8b v2.0.6 (#283)
629f8b3 Bump the node group across 1 directory with 10 updates (#282)
e407f0d Bump actions/checkout from 4 to 5 in the actions group (#281)
75eb614 Update dependencies and rebuild dist (#278)
feb7656 Bump softprops/action-gh-release from 2.2.2 to 2.3.2 in the actions group (#277)
9c8284c Bump the node group with 9 updates (#276)
See full diff in compare view

Updates softprops/action-gh-release from 2.3.2 to 2.3.3

Release notes

Sourced from softprops/action-gh-release's releases.

v2.3.3

What's Changed

Exciting New Features 🎉

feat: add input option overwrite_files by @asfernandes in softprops/action-gh-release#343

Other Changes 🔄

dependency updates

New Contributors

@asfernandes made their first contribution in softprops/action-gh-release#343

Full Changelog: softprops/action-gh-release@v2...v2.3.3

Changelog

Sourced from softprops/action-gh-release's changelog.

2.3.3

What's Changed

Exciting New Features 🎉

feat: add input option overwrite_files by @asfernandes in softprops/action-gh-release#343

Other Changes 🔄

dependency updates

2.3.2

fix: revert fs readableWebStream change

2.3.1

Bug fixes 🐛

fix: fix file closing issue by @WailGree in softprops/action-gh-release#629

2.3.0

Migrate from jest to vitest

Replace mime with mime-types

Bump to use node 24

Dependency updates

2.2.2

What's Changed

Bug fixes 🐛

fix: updating release draft status from true to false by @galargh in softprops/action-gh-release#316

Other Changes 🔄

chore: simplify ref_type test by @steinybot in softprops/action-gh-release#598

fix(docs): clarify the default for tag_name by @muzimuzhi in softprops/action-gh-release#599

test(release): add unit tests when searching for a release by @rwaskiewicz in softprops/action-gh-release#603

dependency updates

2.2.1

What's Changed

Bug fixes 🐛

... (truncated)

Commits

6cbd405 release 2.3.3
fbadcc9 update to use actions/checkout@v5
4a84006 chore(deps): bump @types/node from 20.19.10 to 20.19.11 in the npm group (#648)
7191749 chore(deps): bump actions/checkout in the github-actions group (#649)
126b1e7 chore(deps): bump @types/node from 20.19.9 to 20.19.10 in the npm group (#647)
f82d31e chore(deps): bump the npm group with 3 updates (#643)
f2352b9 chore(deps): bump @types/node from 20.19.2 to 20.19.7 in the npm group (#640)
f0b3259 chore(deps): bump the npm group across 1 directory with 4 updates (#638)
f37a2f9 chore(deps): bump the npm group with 2 updates (#635)
db56014 chore(deps): bump brace-expansion from 2.0.1 to 2.0.2 (#634)
Additional commits viewable in compare view

Updates pypa/gh-action-pypi-publish from 1.12.4 to 1.13.0

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.13.0

[!important] 🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @woodruffw💰. We've also integrated Zizmor to catch similar issues in the future and you should too.

✨ New Stuff

@woodruffw💰 updated the README to no longer mention the attestations feature being experimental in #347: it's been rather stable for a year already 🎉 He also added more diagnostic output which includes printing out the GitHub Environment claim via #371 and warning about the unsupported reusable workflows configurations #306, when using Trusted Publishing.

[!tip] The official support for reusable workflows is currently blocked on changes to PyPI. To get updates about progress on the action side, you may want to subscribe to #166. At PyCon US 2025 Sprints, @facutuesca💰, @miketheman💰, @woodruffw💰 and I💰 spent several hours IRL brainstorming how to fix this and migrate projects that happen to rely on an obscure corner case with reusable workflows that temporarily allows them to function by accident. The result of that discussion is posted @ pypi/warehouse#11096. Note that this is a volunteer-led effort and there is no ETA. If you need this soon, make your employer sponsor the PSF and maybe they'll be able to hire somebody for this work on Warehouse.

In addition to that, @konstin💰 sent #378 to pin actions/setup-python to a SHA hash. This makes pypi-publish compatible with new GitHub policies that allow organizations to mandate hash-pinning actions used in workflows.

🛠️ Internal Dependencies

@webknjaz💰 made a bunch of updates to the action runtime which includes bumping it to Python 3.13 in #331 and updating the dependency tree across the board. pip-with-requires-python is no longer being installed (#332). Some related bumps were contributed by @woodruffw💰 (#359) and @kurtmckee💰 sent a contributor-facing PR, bumping the linting configuration via #335.

💪 New Contributors

@kurtmckee made their first contribution in #335

@konstin made their first contribution in #378

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.4...v1.13.0

🧔‍♂️ Release Manager: @webknjaz 🇺🇦

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

Commits

ed0c539 📦📌 Bump the pinned dependency tree
77db1b7 Merge branch PR #306, GHSA-vxmw-7h4f-hqxh fix and PR #378 into unstable/v1
280b3a1 Alias typing as t in imports
e380240 Use object in place of typing.Any in annotations
e50bff6 Deduplicate claim ref lookup
decbc9a Hint people to subscribe to #166 for notifications
8208ad3 Ask not to report bugs with reusable workflow
ff0fef5 🧪 Scope WPS202 suppression to specific files
1293b8c Use yamllint disable line length lint
ed01280 Linter (different rule)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the actions group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.13.0` | `2.13.1` | | [actions/github-script](https://github.com/actions/github-script) | `7.0.1` | `8.0.0` | | [actions/setup-python](https://github.com/actions/setup-python) | `5.6.0` | `6.0.0` | | [mamba-org/setup-micromamba](https://github.com/mamba-org/setup-micromamba) | `2.0.5` | `2.0.6` | | [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `2.3.2` | `2.3.3` | | [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) | `1.12.4` | `1.13.0` | Updates `step-security/harden-runner` from 2.13.0 to 2.13.1 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@ec9f2d5...f4a75cf) Updates `actions/github-script` from 7.0.1 to 8.0.0 - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@60a0d83...ed59741) Updates `actions/setup-python` from 5.6.0 to 6.0.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@a26af69...e797f83) Updates `mamba-org/setup-micromamba` from 2.0.5 to 2.0.6 - [Release notes](https://github.com/mamba-org/setup-micromamba/releases) - [Commits](mamba-org/setup-micromamba@b09ef9b...7f29b8b) Updates `softprops/action-gh-release` from 2.3.2 to 2.3.3 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](softprops/action-gh-release@72f2c25...6cbd405) Updates `pypa/gh-action-pypi-publish` from 1.12.4 to 1.13.0 - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](pypa/gh-action-pypi-publish@76f52bc...ed0c539) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.13.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: actions/github-script dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/setup-python dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: mamba-org/setup-micromamba dependency-version: 2.0.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: softprops/action-gh-release dependency-version: 2.3.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: pypa/gh-action-pypi-publish dependency-version: 1.13.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>

coveralls · 2025-09-15T13:33:19Z

Pull Request Test Coverage Report for Build 17734581488

Details

0 of 0 changed or added relevant lines in 0 files are covered.
No unchanged relevant lines lost coverage.
Overall first build on dependabot/github_actions/actions-c7b624ec4b at 86.432%

Totals
Change from base Build 16940463822:	86.4%
Covered Lines:	3096
Relevant Lines:	3582

💛 - Coveralls

dependabot · 2025-09-29T12:54:07Z

Looks like these dependencies are updatable in another way, so this is no longer needed.

dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Sep 15, 2025

dependabot bot closed this Sep 29, 2025

dependabot bot deleted the dependabot/github_actions/actions-c7b624ec4b branch September 29, 2025 12:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump the actions group across 1 directory with 6 updates #454

Bump the actions group across 1 directory with 6 updates #454

Uh oh!

dependabot bot commented on behalf of github Sep 15, 2025 •

edited

Loading

Uh oh!

coveralls commented Sep 15, 2025

Uh oh!

dependabot bot commented on behalf of github Sep 29, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Bump the actions group across 1 directory with 6 updates #454

Bump the actions group across 1 directory with 6 updates #454

Uh oh!

Conversation

dependabot bot commented on behalf of github Sep 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v2.13.1

What's Changed

v8.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

New Contributors

v7.1.0

What's Changed

New Contributors

v6.0.0

What's Changed

Breaking Changes

Enhancements:

Bug fixes:

Dependency updates:

New Contributors

v2.0.6

What's Changed

New features

Dependency updates

v2.3.3

What's Changed

Exciting New Features 🎉

Other Changes 🔄

New Contributors

2.3.3

What's Changed

Exciting New Features 🎉

Other Changes 🔄

2.3.2

2.3.1

Bug fixes 🐛

2.3.0

2.2.2

What's Changed

Bug fixes 🐛

Other Changes 🔄

2.2.1

What's Changed

Bug fixes 🐛

v1.13.0

✨ New Stuff

🛠️ Internal Dependencies

💪 New Contributors

Uh oh!

coveralls commented Sep 15, 2025

Pull Request Test Coverage Report for Build 17734581488

Details

💛 - Coveralls

Uh oh!

dependabot bot commented on behalf of github Sep 29, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

dependabot bot commented on behalf of github Sep 15, 2025 •

edited

Loading