Skip to content

Bump the actions group across 1 directory with 8 updates#119

Merged
robzolkos merged 2 commits into
mainfrom
dependabot/github_actions/actions-5728d73948
Jul 10, 2026
Merged

Bump the actions group across 1 directory with 8 updates#119
robzolkos merged 2 commits into
mainfrom
dependabot/github_actions/actions-5728d73948

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 9, 2026

Copy link
Copy Markdown
Contributor

Bumps the actions group with 8 updates in the / directory:

Package From To
actions/checkout 6.0.3 7.0.0
softprops/action-gh-release 3.0.0 3.0.1
actions/setup-go 6.4.0 6.5.0
actions/setup-java 5.2.0 5.4.0
ruby/setup-ruby 1.312.0 1.314.0
rubygems/configure-rubygems-credentials 2.0.0 2.1.0
golangci/golangci-lint-action 9.2.1 9.3.0
zizmorcore/zizmor-action 0.5.6 0.5.7

Updates actions/checkout from 6.0.3 to 7.0.0

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Updates softprops/action-gh-release from 3.0.0 to 3.0.1

Release notes

Sourced from softprops/action-gh-release's releases.

v3.0.1

3.0.1

  • maintenance release with updated dependencies
Changelog

Sourced from softprops/action-gh-release's changelog.

3.0.1

  • maintenance release with updated dependencies

3.0.0

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24. Use v3 on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on v2.6.2.

What's Changed

Other Changes 🔄

  • Move the action runtime and bundle target to Node 24
  • Update @types/node to the Node 24 line and allow future Dependabot updates
  • Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

2.6.2

What's Changed

Other Changes 🔄

2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

... (truncated)

Commits
  • 718ea10 release 3.0.1
  • f1a938b chore(deps): bump esbuild from 0.28.0 to 0.28.1 (#802)
  • 0066ead chore(deps): bump vite from 8.0.14 to 8.0.16 (#806)
  • dc643ca chore(deps): bump the npm group with 3 updates (#805)
  • 85ee99b chore(deps): bump actions/checkout in the github-actions group (#804)
  • 9ed3cf9 chore(deps): bump the npm group with 2 updates (#800)
  • 3efcac8 chore(deps): bump the npm group with 3 updates (#798)
  • 05d6b91 chore(deps): bump brace-expansion from 5.0.5 to 5.0.6 (#797)
  • 403a524 chore(deps): bump @​types/node from 24.12.2 to 24.12.3 in the npm group (#796)
  • 437e073 chore(deps): bump the npm group with 4 updates (#792)
  • Additional commits viewable in compare view

Updates actions/setup-go from 6.4.0 to 6.5.0

Release notes

Sourced from actions/setup-go's releases.

v6.5.0

What's Changed

Dependency update

New Contributors

Full Changelog: actions/setup-go@v6...v6.5.0

Commits

Updates actions/setup-java from 5.2.0 to 5.4.0

Release notes

Sourced from actions/setup-java's releases.

v5.4.0

What's Changed

New Contributors

Full Changelog: actions/setup-java@v5...v5.4.0

v5.3.0

What's Changed

... (truncated)

Commits
  • 1bcf9fb dist: Address Copilot review suggestions from PR #1042 (GraalVM Community) (#...
  • fa2c650 docs: note jdkfile approach for Early Access / unreleased JDK builds (#1058)
  • 1d56e31 dist: Add GraalVM Community distribution support (#1042)
  • 1d25252 chore: Harden workflows: least-privilege permissions + zizmor integration (#1...
  • 668c1ea docs: add post-install keytool import for the JDK cacerts trust store (#1051)
  • a9a46fb docs: document self-signed certificate / internal CA handling for GitHub Ente...
  • 5431e71 docs: add JavaFX Maven project configuration instructions (#1044)
  • 4baa9b4 docs: replace non-existent HelloWorldApp references with java --version (#1043)
  • eab4b08 Bump @​types/node from 25.9.3 to 26.0.0 (#1031)
  • bf0c0e6 Bump actions/checkout from 6 to 7 (#1032)
  • Additional commits viewable in compare view

Updates ruby/setup-ruby from 1.312.0 to 1.314.0

Release notes

Sourced from ruby/setup-ruby's releases.

v1.314.0

What's Changed

Full Changelog: ruby/setup-ruby@v1.313.0...v1.314.0

v1.313.0

What's Changed

Full Changelog: ruby/setup-ruby@v1.312.0...v1.313.0

Commits
  • 9eb537c Add support for ubuntu-26.04 and ubuntu-26.04-arm
  • e1a3b10 Improve versions-strings-for-builder.rb
  • 0df5288 Remove gem install sassc on Windows JRuby
  • 89f9052 Add jruby-10.0.6.0
  • See full diff in compare view

Updates rubygems/configure-rubygems-credentials from 2.0.0 to 2.1.0

Release notes

Sourced from rubygems/configure-rubygems-credentials's releases.

v2.1.0

This release switches the action runtime from Node 20 to Node 24. The node24 declaration in action.yml removes the deprecation warning that every consumer — most visibly through rubygems/release-gem — has seen since GitHub announced the Node 20 deprecation, and gets ahead of runners switching JavaScript actions to Node 24 by default on June 16, 2026.

Note for self-hosted runners: the node24 runtime requires actions/runner 2.327.1 or later. GitHub-hosted runners are unaffected.

The pending major dependency updates are included as well: zod 4, @​actions/core 3, and @​actions/http-client 4. The actions toolkit majors ship only ES module builds now, so the build pipeline emits ES modules internally, while the bundled dist/index.js the runner executes remains CommonJS. The action's inputs, outputs, and behavior are unchanged.

Thanks to @​dduugg for first proposing the runtime switch in #413.

What's Changed

Full Changelog: rubygems/configure-rubygems-credentials@v2.0.0...v2.1.0

Commits
  • dc5a8d8 Merge pull request #421 from rubygems/claude/dreamy-albattani-d69d88
  • d6f98c9 Bump @​actions/http-client from 3.0.2 to 4.0.1
  • 96335c2 Bump @​actions/core from 2.0.3 to 3.0.1
  • 8e3b799 Emit ES modules and run Jest in ESM mode
  • 2df41ce Bump zod from 3.23.8 to 4.4.3
  • 1d21f26 Align @​types/node with the Node 24 runtime
  • 4adc9f5 Raise the TypeScript target to es2024
  • 0ce8f7b Build and test with Node 24 in CI
  • ae2cae9 Declare node24 as the action runtime
  • 2af1e88 Merge pull request #417 from rubygems/dependabot/github_actions/actions/check...
  • Additional commits viewable in compare view

Updates golangci/golangci-lint-action from 9.2.1 to 9.3.0

Release notes

Sourced from golangci/golangci-lint-action's releases.

v9.3.0

What's Changed

Changes

Dependencies

Full Changelog: golangci/golangci-lint-action@v9.2.1...v9.3.0

Commits
  • ba0d7d2 chore: prepare release v9.3.0
  • efd0857 feat: add no-run-logs-group as experimental option (#1403)
  • ed485de build(deps): bump undici from 6.24.0 to 6.27.0
  • 8872e8d build(deps-dev): bump js-yaml from 4.1.1 to 4.2.0 (#1400)
  • b163415 build(deps): bump tmp from 0.2.6 to 0.2.7 (#1399)
  • e52a9f8 build(deps): bump github/codeql-action from 4.35.5 to 4.36.0 in the github-ac...
  • 8182aa3 build(deps): bump tmp from 0.2.5 to 0.2.6 (#1397)
  • 5403a41 build(deps): bump github/codeql-action from 4.35.4 to 4.35.5 in the github-ac...
  • See full diff in compare view

Updates zizmorcore/zizmor-action from 0.5.6 to 0.5.7

Release notes

Sourced from zizmorcore/zizmor-action's releases.

v0.5.7

1.26.1 is now available via the action 1.26.1 is now the default version of zizmor used by the action

Commits
  • 192e21d Sync zizmor versions (#127)
  • 2720f26 Update README.md with new actions/checkout version (#126)
  • 40b41b8 chore(deps): bump the github-actions group with 2 updates (#123)
  • a687b25 chore(deps): bump github/codeql-action from 4.35.5 to 4.36.0 in the github-ac...
  • 64a6900 add note to explain that the default value for online-checks is different t...
  • 14050ab chore(deps): bump the github-actions group with 2 updates (#118)
  • ee9b419 chore(deps): bump github/codeql-action in the github-actions group (#116)
  • fddf2b4 Bump pins in README (#115)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Summary by cubic

Update CI workflows to the latest GitHub Actions, highlighted by actions/checkout@v7 and Node 24–compatible actions. This removes Node 20 deprecation warnings, adds security hardening, and brings small fixes across languages.

  • Dependencies

    • Core: actions/checkout 7.0.0
    • Language setup: actions/setup-go 6.5.0, actions/setup-java 5.4.0, ruby/setup-ruby 1.314.0
    • Release/credentials: softprops/action-gh-release 3.0.1, rubygems/configure-rubygems-credentials 2.1.0
    • Lint/security: golangci/golangci-lint-action 9.3.0, zizmorcore/zizmor-action 0.5.7
  • Migration

    • Self-hosted runners using rubygems/configure-rubygems-credentials: ensure actions/runner is 2.327.1+ for the Node 24 runtime.
    • actions/checkout@v7 blocks checking out fork PRs in pull_request_target and workflow_run; verify workflows don’t rely on that behavior.

Written for commit 578638f. Summary will update on new commits.

Review in cubic

Bumps the actions group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.3` | `7.0.0` |
| [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `3.0.0` | `3.0.1` |
| [actions/setup-go](https://github.com/actions/setup-go) | `6.4.0` | `6.5.0` |
| [actions/setup-java](https://github.com/actions/setup-java) | `5.2.0` | `5.4.0` |
| [ruby/setup-ruby](https://github.com/ruby/setup-ruby) | `1.312.0` | `1.314.0` |
| [rubygems/configure-rubygems-credentials](https://github.com/rubygems/configure-rubygems-credentials) | `2.0.0` | `2.1.0` |
| [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) | `9.2.1` | `9.3.0` |
| [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) | `0.5.6` | `0.5.7` |



Updates `actions/checkout` from 6.0.3 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@df4cb1c...9c091bb)

Updates `softprops/action-gh-release` from 3.0.0 to 3.0.1
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@b430933...718ea10)

Updates `actions/setup-go` from 6.4.0 to 6.5.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4a36011...924ae3a)

Updates `actions/setup-java` from 5.2.0 to 5.4.0
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](actions/setup-java@be666c2...1bcf9fb)

Updates `ruby/setup-ruby` from 1.312.0 to 1.314.0
- [Release notes](https://github.com/ruby/setup-ruby/releases)
- [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb)
- [Commits](ruby/setup-ruby@12fd324...9eb537c)

Updates `rubygems/configure-rubygems-credentials` from 2.0.0 to 2.1.0
- [Release notes](https://github.com/rubygems/configure-rubygems-credentials/releases)
- [Commits](rubygems/configure-rubygems-credentials@762a4b7...dc5a8d8)

Updates `golangci/golangci-lint-action` from 9.2.1 to 9.3.0
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@82606bf...ba0d7d2)

Updates `zizmorcore/zizmor-action` from 0.5.6 to 0.5.7
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](zizmorcore/zizmor-action@5f14fd0...192e21d)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: softprops/action-gh-release
  dependency-version: 3.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/setup-go
  dependency-version: 6.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/setup-java
  dependency-version: 5.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: ruby/setup-ruby
  dependency-version: 1.314.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: rubygems/configure-rubygems-credentials
  dependency-version: 2.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: golangci/golangci-lint-action
  dependency-version: 9.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 9, 2026
Copilot AI review requested due to automatic review settings July 9, 2026 09:27
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 9, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

# Conflicts:
#	.github/workflows/test.yml
Copilot AI review requested due to automatic review settings July 10, 2026 03:57

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 6 comments.


- name: Set up Ruby
uses: ruby/setup-ruby@12fd324f1d0b43274fdc8130f6980590a667c455 # v1.312.0 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation
uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.312.0 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation

- name: Set up Ruby
uses: ruby/setup-ruby@12fd324f1d0b43274fdc8130f6980590a667c455 # v1.312.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache
uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.312.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache

- name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.4.0 # zizmor: ignore[cache-poisoning] -- cached deps are for testing, not release artifact generation
contents: write
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # zizmor: ignore[artipacked] -- credentials needed for git push
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6.0.3 # zizmor: ignore[artipacked] -- credentials needed for git push
actions: write
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 # zizmor: ignore[artipacked] -- credentials needed for git push
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6.0.3 # zizmor: ignore[artipacked] -- credentials needed for git push

- name: Create GitHub Release
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 # zizmor: ignore[superfluous-actions] -- consider removal
uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.0 # zizmor: ignore[superfluous-actions] -- consider removal
@robzolkos robzolkos merged commit 4adb596 into main Jul 10, 2026
41 checks passed
@robzolkos robzolkos deleted the dependabot/github_actions/actions-5728d73948 branch July 10, 2026 04:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants