2 changes: 1 addition & 1 deletion .github/workflows/CopilotPRReviewRunner.yaml
@@ -95,7 +95,7 @@ jobs:
persist-credentials: true

- name: Setup Node.js
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v6.4.0
🟡 Medium Severity — Security (Iteration 1)

setup-node SHA changed but version unchanged

The SHA for actions/setup-node changed from 60edb5dd... to 48b55a01... while the version comment remains # v6.4.0. A tag that maps to a different commit than before can indicate a force-pushed or mutable tag, which is a supply-chain risk worth verifying.

Recommendation:

  • Confirm via the actions/setup-node release history that the new SHA 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e is the authoritative commit for v6.4.0, or update the comment to reflect the actual release version it corresponds to.
Suggested change
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v6.4.0
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 (verify SHA maps to this tag)


uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24

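Review bot: the pinned SHA for actions/setup-node moves from 60edb5dd... to 48b55a01... while the trailing comment still reads `# v6.4.0`; in every other hunk of this PR the version comment moves together with the SHA, so this one stands out. Before merging, confirm on the actions/setup-node releases page which tag 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e actually belongs to and correct the comment if it is a newer release. If v6.4.0 really was re-pointed to a different commit, that is precisely the case SHA pinning exists to surface, and the diff between the two commits should be looked at before the new pin is accepted.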
2 changes: 1 addition & 1 deletion .github/workflows/PowerShell.yaml
@@ -22,7 +22,7 @@ jobs:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
steps:
- name: Harden Runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
uses: step-security/harden-runner@9ca718d3bf646d6534007c269a635b3e54cadf99 # v2.19.2
with:
egress-policy: audit

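Review bot: the harden-runner bump from v2.19.1 to v2.19.2 is consistent (SHA and version comment move together) and matches the other six harden-runner hunks in this PR, so nothing about the change itself needs attention; the point worth raising is that this step, like the others, still runs with `egress-policy: audit`, which records outbound connections but blocks none, so the hardening here is observability rather than enforcement. Once the audit output for these workflows shows a stable set of endpoints, a follow-up could switch to `egress-policy: block` with an explicit `allowed-endpoints` list.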
2 changes: 1 addition & 1 deletion .github/workflows/RerunUnstableFailures.yaml
@@ -28,7 +28,7 @@ jobs:

- name: Create GitHub App Token
id: app-token
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
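Review bot: v3.1.1 to v3.2.0 is a minor rather than a patch bump of actions/create-github-app-token, so the release notes for v3.2.0 should be checked for behavioural changes before merging; the identical bump appears in four more hunks (SubmitStabilityJobs, UpdateALGoProjects, UpdateBCArtifactVersion, UpdatePackageVersions) and one verification covers them all. In the visible step the token is minted from `vars.APP_ID` and `secrets.PRIVATE_KEY` with no permission narrowing; if the app installation carries broad permissions, scoping the generated token to what the job needs (the action accepts per-permission inputs) would limit what a compromised later step could do with it.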
2 changes: 1 addition & 1 deletion .github/workflows/SubmitStabilityJobs.yaml
@@ -32,7 +32,7 @@ jobs:
branch: ${{ fromJson(needs.GetBranches.outputs.officialBranches) }}
fail-fast: false
steps:
- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
- uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
id: app-token
with:
app-id: ${{ vars.APP_ID }}
4 changes: 2 additions & 2 deletions .github/workflows/UpdateALGoProjects.yaml
@@ -20,7 +20,7 @@ jobs:
updateBranches: ${{ steps.getOfficialBranches.outputs.branchesJson }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
uses: step-security/harden-runner@9ca718d3bf646d6534007c269a635b3e54cadf99 # v2.19.2
with:
egress-policy: audit

@@ -48,7 +48,7 @@ jobs:
with:
ref: ${{ matrix.branch }}

- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
- uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
id: app-token
with:
app-id: ${{ vars.APP_ID }}
4 changes: 2 additions & 2 deletions .github/workflows/UpdateBCArtifactVersion.yaml
@@ -20,7 +20,7 @@ jobs:
updateBranches: ${{ steps.getOfficialBranches.outputs.branchesJson }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
uses: step-security/harden-runner@9ca718d3bf646d6534007c269a635b3e54cadf99 # v2.19.2
with:
egress-policy: audit

@@ -48,7 +48,7 @@ jobs:
with:
ref: ${{ matrix.branch }}

- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
- uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
id: app-token
with:
app-id: ${{ vars.APP_ID }}
4 changes: 2 additions & 2 deletions .github/workflows/UpdatePackageVersions.yaml
@@ -20,7 +20,7 @@ jobs:
updateBranches: ${{ steps.getOfficialBranches.outputs.branchesJson }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
uses: step-security/harden-runner@9ca718d3bf646d6534007c269a635b3e54cadf99 # v2.19.2
with:
egress-policy: audit

@@ -48,7 +48,7 @@ jobs:
with:
ref: ${{ matrix.branch }}

- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
- uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
id: app-token
with:
app-id: ${{ vars.APP_ID }}
4 changes: 2 additions & 2 deletions .github/workflows/WorkitemValidation.yaml
@@ -20,7 +20,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
uses: step-security/harden-runner@9ca718d3bf646d6534007c269a635b3e54cadf99 # v2.19.2
with:
egress-policy: audit

@@ -40,7 +40,7 @@ jobs:
needs: GitHubIssueValidation
steps:
- name: Harden Runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
uses: step-security/harden-runner@9ca718d3bf646d6534007c269a635b3e54cadf99 # v2.19.2
with:
egress-policy: audit

2 changes: 1 addition & 1 deletion .github/workflows/scorecard-analysis.yml
@@ -18,7 +18,7 @@ jobs:

steps:
- name: Harden Runner
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
uses: step-security/harden-runner@9ca718d3bf646d6534007c269a635b3e54cadf99 # v2.19.2
with:
egress-policy: audit
