chore(deps): update github actions

[ov-renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Pending
actions/create-github-app-token	action	minor	v3.1.1 → v3.2.0
actions/dependency-review-action	action	major	v4.9.0 → v5.0.0
actions/download-artifact	action	major	v5.0.0 → v8.0.1
actions/upload-artifact	action	major	v4.6.2 → v7.0.1
github/codeql-action	action	minor	v4.35.4 → v4.36.0
github/codeql-action	action	minor	v4.35.2 → v4.36.0
open-edge-platform/geti-ci	action	patch	bandit/v0.1.0 → zizmor/v0.1.2
open-edge-platform/geti-ci	action	patch	zizmor/v0.1.1 → zizmor/v0.1.2
renovatebot/github-action	action	patch	v46.1.13 → v46.1.14
renovatebot/renovate		minor	43.179.1 → 43.195.6	43.207.4 (+33)
trufflesecurity/trufflehog	action	patch	v3.95.2 → v3.95.3

---

Release Notes

actions/create-github-app-token (actions/create-github-app-token)

v3.2.0

Compare Source

Features

• add support for enterprise-level GitHub Apps (#​263) (952a2a7)
• support full repository names in repositories input (#​372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#​364) (43e5c34)
• validate private-key input (#​376) (f24bbd8)

actions/dependency-review-action (actions/dependency-review-action)

v5.0.0: 5.0.0

Compare Source

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in #​1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in #​1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in #​1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in #​1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in #​1076
• Resolve security findings by @​AshelyTC in #​1094
• v5.0.0 release branch by @​ahpook in #​1098

New Contributors

• @​scottschreckengaust made their first contribution in #​1084
• @​mongolyy made their first contribution in #​1091
• @​Marukome0743 made their first contribution in #​1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in #​471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in #​472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

[!IMPORTANT]
actions/download-artifact@​v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT]
Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

v8

Compare Source

v7.0.0

Compare Source

v7 - What's new

[!IMPORTANT]
actions/download-artifact@​v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in #​440
• Download Artifact Node24 support by @​salmanmkc in #​415
• fix: update @​actions/artifact to fix Node.js 24 punycode deprecation by @​salmanmkc in #​451
• prepare release v7.0.0 for Node.js 24 support by @​salmanmkc in #​452

New Contributors

• @​patrikpolyak made their first contribution in #​440
• @​salmanmkc made their first contribution in #​415

Full Changelog: actions/download-artifact@v6.0.0...v7.0.0

v7

Compare Source

v6.0.0

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README for download-artifact v5 changes by @​yacaovsnc in #​417
• Update README with artifact extraction details by @​yacaovsnc in #​424
• Readme: spell out the first use of GHES by @​danwkennedy in #​431
• Bump @actions/artifact to v4.0.0
• Prepare v6.0.0 by @​danwkennedy in #​438

New Contributors

• @​danwkennedy made their first contribution in #​431

Full Changelog: actions/download-artifact@v5...v6.0.0

v6

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

v6.0.0

Compare Source

v6 - What's new

[!IMPORTANT]
actions/upload-artifact@​v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Upload Artifact Node 24 support by @​salmanmkc in #​719
• fix: update @​actions/artifact for Node.js 24 punycode deprecation by @​salmanmkc in #​744
• prepare release v6.0.0 for Node.js 24 support by @​salmanmkc in #​745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v6

Compare Source

v5.0.0

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README.md by @​GhadimiR in #​681
• Update README.md by @​nebuk89 in #​712
• Readme: spell out the first use of GHES by @​danwkennedy in #​727
• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in #​725
• Bump @actions/artifact to v4.0.0
• Prepare v5.0.0 by @​danwkennedy in #​734

New Contributors

• @​GhadimiR made their first contribution in #​681
• @​nebuk89 made their first contribution in #​712
• @​danwkennedy made their first contribution in #​727
• @​patrikpolyak made their first contribution in #​725

Full Changelog: actions/upload-artifact@v4...v5.0.0

v5

Compare Source

github/codeql-action (github/codeql-action)

v4.36.0

Compare Source

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #​3894
• Add support for SHA-256 Git object IDs. #​3893
• Update default CodeQL bundle version to 2.25.5. #​3926

v4.35.5

Compare Source

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #​3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #​3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #​3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #​3880

open-edge-platform/geti-ci (open-edge-platform/geti-ci)

vzizmor/v0.1.2

Compare Source

vzizmor/v0.1.1

Compare Source

vbandit/v0.1.1

Compare Source

renovatebot/github-action (renovatebot/github-action)

v46.1.14

Compare Source

Documentation

• Revise Fine-grained Personal Access Tokens section (#​1030) (fef7882)
• set RENOVATE_PLATFORM_COMMIT to enabled (#​1029) (9d07dfa)
• update references to renovatebot/github-action to v46.1.13 (9a41b99)

Miscellaneous Chores

• cleanup (8abcd0e)
• deps: update commitlint monorepo to v20.5.3 (a4e124d)
• deps: update dependency globals to v17.6.0 (d5ca6d4)
• deps: update dependency typescript-eslint to v8.59.1 (1dd2319)
• enable pnpm minimumReleaseAge (00a8327)

Build System

• deps: lock file maintenance (f6821a2)

Continuous Integration

• deps: update ghcr.io/renovatebot/renovate docker tag to v43.160.7 (1189f69)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.162.0 (43d0a48)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.163.0 (61a1654)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.163.1 (4226876)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.163.2 (b3318e0)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.163.4 (09fe3e9)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.164.0 (5736585)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.164.1 (8b164cc)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.164.2 (44728cc)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.165.0 (bde1da1)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.166.0 (#​1031) (4b957d1)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.166.2 (499cfeb)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.166.3 (fe8a943)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.167.0 (f8ca6db)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.168.4 (2e15d66)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.168.5 (a87ee3d)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.168.6 (683e7dd)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.169.0 (f6166e7)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.169.4 (f1f81f9)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.170.0 (5473f54)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.170.12 (b47aa13)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.170.13 (7e8834d)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.170.14 (9b5f9e6)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.170.15 (98631e8)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.170.16 (ab997a9)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.170.17 (24a51e0)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.170.18 (f82d2cd)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.170.19 (3d684f2)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.170.20 (d7afc6b)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.170.3 (306f0c9)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.170.8 (f0eea19)
• deps: update ghcr.io/renovatebot/renovate docker tag to v43.170.9 (f3af74e)

renovatebot/renovate (renovatebot/renovate)

v43.195.6

Compare Source

Miscellaneous Chores

• deps: update dependency protobufjs@​8.0.1 to v8.4.0 (main) (#​43588) (1f04d59)

Build System

• deps: update dependency protobufjs to v8.4.0 (main) (#​43587) (8bb8f83)

v43.195.5

Compare Source

Miscellaneous Chores

• deps: update dependency oxlint-tsgolint to v0.23.0 (main) (#​43585) (1be6bbb)

Build System

• deps: update dependency @​renovatebot/pgp to v1.3.12 (main) (#​43586) (98762c4)

v43.195.4

Compare Source

Build System

• deps: update dependency lru-cache to v11.4.0 (main) (#​43584) (8660ed3)

v43.195.3

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.51.3 (main) (#​43583) (9ac8eed)

Documentation

• update references to renovate/renovate (main) (#​43579) (a579edb)
• update references to renovate/renovate to v43.195.2 (main) (#​43582) (ae90795)

Miscellaneous Chores

• deps: lock file maintenance (main) (#​43580) (5c98111)
• deps: update ghcr.io/containerbase/devcontainer docker tag to v14.10.18 (main) (#​43581) (8474da1)

v43.195.2

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.51.2 (main) (#​43578) (3f15d2d)

Documentation

• update references to otel/opentelemetry-collector-contrib to v0.152.1 (main) (#​43576) (59face3)
• update references to python to 6928095 (main) (#​43575) (588e536)

Miscellaneous Chores

• deps: update containerbase/internal-tools action to v4.6.34 (main) (#​43557) (c076e06)
• deps: update containerbase/internal-tools action to v4.6.35 (main) (#​43577) (395df6a)
• deps: update ghcr.io/containerbase/devcontainer docker tag to v14.10.17 (main) (#​43574) (012ca22)

v43.195.1

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.51.1 (main) (#​43568) (76cd112)

Miscellaneous Chores

• deps: update dependency @​containerbase/istanbul-reports-html to v2.0.5 (main) (#​43564) (2343f77)
• deps: update dependency lint-staged to v17.0.5 (main) (#​43561) (97031dc)
• deps: update dessant/label-actions action to v5.0.3 (main) (#​43555) (8c8b5e4)
• deps: update ghcr.io/containerbase/devcontainer docker tag to v14.10.16 (main) (#​43567) (bd6388b)

v43.195.0

Compare Source

Features

• datasource/github-runners: stabilize arm64 (#​43538) (8986a79)

Miscellaneous Chores

• deps: update dependency @​smithy/util-stream to v4.6.3 (main) (#​43547) (e31a377)

Tests

• test config.cts with actual TypeScript syntax (#​43526) (2160f82)

v43.194.0

Compare Source

Features

• datasource/github-runners: add windows-11-arm label (#​43539) (a0c9453)

v43.193.0

Compare Source

Features

• pip-compile: support --constraint alias and --overrides for uv (#​43485) (934c01d)

Documentation

• prioritise admonitions in config option listings (#​43532) (59d4006)

Miscellaneous Chores

• deps: update github/codeql-action action to v4.36.0 (main) (#​43541) (ba8c1f7)

v43.192.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.51.0 (main) (#​43525) (cb2faa8)

v43.191.3

Compare Source

Documentation

• development: pnpm rebuild re2 (#​43509) (cbc655a)

Miscellaneous Chores

• tools/mkdocs: support live reload when modifying docs (#​43516) (0190e1c), closes #​40757

Code Refactoring

• cache: support package cache result predicate (#​43519) (6c6a6b7)

Build System

• deps: update dependency node to v24.16.0 (main) (#​43518) (1009eee)

v43.191.2

Compare Source

Miscellaneous Chores

• deps: update dependency vite to v8.0.13 (main) (#​43512) (3f4610b)
• deps: update dessant/lock-threads action to v6.0.1 (main) (#​43514) (46c5702)

Build System

• deps: update dependency jsonata to v2.2.0 (main) (#​43517) (4620116)

v43.191.1

Compare Source

Bug Fixes

• datasource/rust-version: skip blank lines in manifests.txt (#​43499) (6ad2cfc)

v43.191.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.50.0 (main) (#​43507) (0e804c3)

Miscellaneous Chores

• deps: update dependency @​smithy/util-stream to v4.6.2 (main) (#​43501) (2d6635f)
• deps: update dependency pdm to v2.27.0 (main) (#​43506) (a24b9a1)
• renovate: group Zizmor Docker image + Action together (#​43490) (c2607cd), closes #​43361

v43.190.1

Compare Source

Miscellaneous Chores

• deps: update dependency protobufjs@​8.0.1 to v8.3.0 (main) (#​43496) (a1b59a4)

Build System

• deps: update dependency protobufjs to v8.3.0 (main) (#​43495) (67a8025)

v43.190.0

Compare Source

Features

• helmfile: Support release templates (#​42968) (eaf3c81)

v43.189.0

Compare Source

Features

• self-hosted: make user-agent templatable (#​43376) (2d0bd99)

Bug Fixes

• config/validation: validate cacheTtlOverride keys are valid namespaces (#​43478) (321965a)

Miscellaneous Chores

• deps: update ghcr.io/zizmorcore/zizmor docker tag to v1.25.2 (main) (#​43361) (4929140)

v43.188.1

Compare Source

Performance Improvements

• workers/repository: log reconfigure branch cache at TRACE (#​43487) (219f4e9)

v43.188.0

Compare Source

Features

• rust-toolchain: Add rust-toolchain manager (#​38554) (40251b2)

v43.187.0

Compare Source

Features

• monorepo: add vuejs/language-tools to monorepo presets (#​43484) (bc2e194)

v43.186.8

Compare Source

Build System

• deps: update opentelemetry-js-contrib monorepo (main) (#​43479) (818b019)

v43.186.7

Compare Source

Miscellaneous Chores

• deps: update dependency protobufjs@​8.0.1 to v8.2.1 (main) (#​43476) (ccce0f6)

Build System

• deps: update dependency protobufjs to v8.2.1 (main) (#​43475) (245f3db)

v43.186.6

Compare Source

Build System

• deps: update opentelemetry-js monorepo to v0.218.0 (main) (#​43473) (a7bba97)

v43.186.5

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.49.3 (main) (#​43471) (c6304b7)

v43.186.4

Compare Source

Bug Fixes

• Support / as tag joiner (#​43460) (4b37e7f)

v43.186.3

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.49.2 (main) (#​43469) (535ee81)

v43.186.2

Compare Source

Bug Fixes

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.49.1 (main) (#​43468) (4baca60)

Build System

• deps: update dependency re2 to v1.24.1 (main) (#​43465) (de168b7)

v43.186.1

Compare Source

Build System

• deps: update dependency @​opentelemetry/semantic-conventions to v1.41.1 (main) (#​43458) (1113910)

v43.186.0

Compare Source

Features

• mise: add lock file support (#​42591) (a2b9694), closes #​42099

Bug Fixes

• config/validation: skip validation for templated presets (#​43453) (b720cad)

Documentation

• presets: Define presets as reusable bits of JSON (#​43455) (dd08a07)

Code Refactoring

• prefer templates rather than + in test files (#​43441) (0793274)
• remove string concetation for production code (#​43442) (73b90e9)

Continuous Integration

• enforce templates instead of + string concatenation (#​43440) (f5acd42)

v43.185.1

Compare Source

Bug Fixes

• datasource/github-tags: use GitHub Release published_at for releaseTimestamp (#​43451) (5fa2c6a), closes #​43445

Documentation

• manager/mise: note when short tool name is no longer supported (#​43421) (638c884)

Miscellaneous Chores

• deps: update dependency @​types/node to v24.12.4 (main) (#​43448) (b42bb1d)

Build System

• deps: update dependency jsonata to v2.1.1 (main) (#​43452) (cd264f7)

v43.185.0

Compare Source

Features

• deps: update ghcr.io/renovatebot/base-image docker tag to v13.49.0 (main) (#​43446) (6882582)

Miscellaneous Chores

• deps: update codecov/codecov-action action to v6.0.1 (main) (#​43443) (e590ee8)
• deps: update dependency @​smithy/util-stream to v4.6.1 (main) (#​43444) (cb49689)

[v43.184.0](https://redirect.github.com/renovatebot/renovat

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • On day 1 and 15 of the month (* * 1,15 * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.