Bump the "dependencies" group with 2 updates across multiple ecosystems #255

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/dependencies-23cf221d1c
@dependabot dependabot bot commented on behalf of github Mar 3, 2026

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Bumps the dependencies group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| @eslint/eslintrc | 3.3.3 | 3.3.4 |
| @eslint/js | 9.39.2 | 9.39.3 |
| @typescript-eslint/eslint-plugin | 8.56.0 | 8.56.1 |
| eslint | 9.39.2 | 9.39.3 |
| typescript-eslint | 8.56.0 | 8.56.1 |

Updates @eslint/eslintrc from 3.3.3 to 3.3.4

Release notes

Sourced from @​eslint/eslintrc's releases.

eslintrc: v3.3.4

3.3.4 (2026-02-22)

Bug Fixes

  • update ajv to 6.14.0 to address security vulnerabilities (#221) (9139140)
  • update minimatch to 3.1.3 to address security vulnerabilities (#224) (30339d0)
Changelog

Sourced from @​eslint/eslintrc's changelog.

3.3.4 (2026-02-22)

Bug Fixes

  • update ajv to 6.14.0 to address security vulnerabilities (#221) (9139140)
  • update minimatch to 3.1.3 to address security vulnerabilities (#224) (30339d0)
Commits
  • 4c45e24 chore: release 3.3.4 🚀 (#223)
  • 30339d0 fix: update minimatch to 3.1.3 to address security vulnerabilities (#224)
  • 9139140 fix: update ajv to 6.14.0 to address security vulnerabilities (#221)
  • 245ada5 docs: Update README sponsors
  • 78b1a0e docs: Update README sponsors
  • df32fff docs: Update README sponsors
  • a62f7f5 docs: Update README sponsors
  • 84a32c5 docs: Update README sponsors
  • 7ab5635 docs: Update README sponsors
  • 5e8a153 docs: Update README sponsors
  • Additional commits viewable in compare view

Updates @eslint/js from 9.39.2 to 9.39.3

Release notes

Sourced from @​eslint/js's releases.

v9.39.3

Bug Fixes

  • 791bf8d fix: restore TypeScript 4.0 compatibility in types (#20504) (sethamus)

Chores

  • 8594a43 chore: upgrade @​eslint/js@​9.39.3 (#20529) (Milos Djermanovic)
  • 9ceef92 chore: package.json update for @​eslint/js release (Jenkins)
  • af498c6 chore: ignore /docs/v9.x in link checker (#20453) (Milos Djermanovic)
Commits

Updates @typescript-eslint/eslint-plugin from 8.56.0 to 8.56.1

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.56.1

8.56.1 (2026-02-23)

What's Changed

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.56.1 (2026-02-23)

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits
  • 96a04a9 chore(release): publish 8.56.1
  • 958f390 chore(eslint-plugin): add default excludes to vitest (#12067)
  • ffb46ea docs(eslint-plugin): [method-signature-style] clarify autofix impact on type ...
  • See full diff in compare view

Updates eslint from 9.39.2 to 9.39.3

Release notes

Sourced from eslint's releases.

v9.39.3

Bug Fixes

  • 791bf8d fix: restore TypeScript 4.0 compatibility in types (#20504) (sethamus)

Chores

  • 8594a43 chore: upgrade @​eslint/js@​9.39.3 (#20529) (Milos Djermanovic)
  • 9ceef92 chore: package.json update for @​eslint/js release (Jenkins)
  • af498c6 chore: ignore /docs/v9.x in link checker (#20453) (Milos Djermanovic)
Commits

Updates typescript-eslint from 8.56.0 to 8.56.1

Release notes

Sourced from typescript-eslint's releases.

v8.56.1

8.56.1 (2026-02-23)

What's Changed

You can read about our versioning strategy and releases on our website.

Changelog

Sourced from typescript-eslint's changelog.

8.56.1 (2026-02-23)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

Commits

Bumps the dependencies group with 17 updates:

| Package | From | To |
| --- | --- | --- |
| actions/upload-artifact | 6.0.0 | 7.0.0 |
| actions/download-artifact | 7.0.0 | 8.0.0 |
| actions/setup-go | 6.2.0 | 6.3.0 |
| anchore/sbom-action | 0.22.2 | 0.23.0 |
| actions/attest-sbom | 3.0.0 | 4.0.0 |
| actions/attest-build-provenance | 3.2.0 | 4.1.0 |
| jdfalk/release-go-action | e87e6e57bf1c7089e74c94f789b580d3c5737729 | 7b73a664a71c92c7cc44453a33a5dcfb898751ef |
| jdfalk/ghcommon/.github/workflows/reusable-advanced-cache.yml | f297c40be781eb288aa902fd87c372c6d72ee911 | 1a96daebeba7b0f61037be5bc381e3b6794e26b5 |
| jdfalk/ghcommon/.github/workflows/reusable-protobuf.yml | f297c40be781eb288aa902fd87c372c6d72ee911 | 1a96daebeba7b0f61037be5bc381e3b6794e26b5 |
| jdfalk/ghcommon/.github/workflows/release-protobuf.yml | 07c1dbb1c2e2c8ed1b3e1637fd27cba1197f6769 | 1a96daebeba7b0f61037be5bc381e3b6794e26b5 |
| jdfalk/ghcommon/.github/workflows/release-go.yml | 07c1dbb1c2e2c8ed1b3e1637fd27cba1197f6769 | 1a96daebeba7b0f61037be5bc381e3b6794e26b5 |
| jdfalk/ghcommon/.github/workflows/release-python.yml | 07c1dbb1c2e2c8ed1b3e1637fd27cba1197f6769 | 1a96daebeba7b0f61037be5bc381e3b6794e26b5 |
| jdfalk/ghcommon/.github/workflows/release-rust.yml | 07c1dbb1c2e2c8ed1b3e1637fd27cba1197f6769 | 1a96daebeba7b0f61037be5bc381e3b6794e26b5 |
| jdfalk/ghcommon/.github/workflows/release-frontend.yml | 07c1dbb1c2e2c8ed1b3e1637fd27cba1197f6769 | 1a96daebeba7b0f61037be5bc381e3b6794e26b5 |
| jdfalk/ghcommon/.github/workflows/release-docker.yml | 07c1dbb1c2e2c8ed1b3e1637fd27cba1197f6769 | 1a96daebeba7b0f61037be5bc381e3b6794e26b5 |
| github/codeql-action | 4.32.3 | 4.32.5 |
| actions/dependency-review-action | 4.8.2 | 4.8.3 |

Updates actions/upload-artifact from 6.0.0 to 7.0.0

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

Commits

Updates actions/download-artifact from 7.0.0 to 8.0.0

Release notes

Sourced from actions/download-artifact's releases.

v8.0.0

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

Commits
  • 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
  • f258da9 Add change docs
  • ccc058e Fix linting issues
  • bd7976b Add a setting to specify what to do on hash mismatch and default it to error
  • ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
  • 15999bf Add note about package bumps
  • 974686e Bump the version to v8 and add release notes
  • fbe48b1 Update test names to make it clearer what they do
  • 96bf374 One more test fix
  • b8c4819 Fix skip decompress test
  • Additional commits viewable in compare view

Updates actions/setup-go from 6.2.0 to 6.3.0

Release notes

Sourced from actions/setup-go's releases.

v6.3.0

What's Changed

Full Changelog: actions/setup-go@v6...v6.3.0

Commits

Updates anchore/sbom-action from 0.22.2 to 0.23.0

Release notes

Sourced from anchore/sbom-action's releases.

v0.23.0

Commits
  • 17ae174 chore(deps/test): move to es modules, node:test, single dist file (#595)
  • 6d473d3 chore(deps): update Syft to v1.42.1 (#599)
  • 60619e7 fix tests and bump fast-xml-parser (#598)
  • e2bd58a chore(deps-dev): bump the dev-dependencies group with 3 updates (#592)
  • d032d7d ci(syft auto update): npm ci, not npm install (#597)
  • 2d09430 fix(dev): switch to esbuild (#590)
  • 74c5ce9 chore(deps): update Syft to v1.42.0 (#589)
  • 77fae5a chore(deps-dev): bump the dev-dependencies group with 4 updates (#583)
  • debc3ee chore(deps): bump npm-check-updates in the non-major group (#584)
  • fff8762 chore(deps): bump zizmorcore/zizmor-action from 0.4.1 to 0.5.0 (#588)
  • See full diff in compare view

Updates actions/attest-sbom from 3.0.0 to 4.0.0

Release notes

Sourced from actions/attest-sbom's releases.

v4.0.0

[!WARNING] As of version 4.0.0 this action is being deprecated in favor of actions/attest. actions/attest-sbom will continue to function as a wrapper on top of actions/attest for some period of time, but applications should make plans to migrate.

All of the existing action inputs are compatible with the actions/attest interface.

What's Changed

Full Changelog: actions/attest-sbom@v3...v4.0.0

Commits
  • 07e74fc perpare v4 release (#253)
  • b74e951 Bump the actions-minor group with 2 updates (#247)
  • 7d9b9d6 Bump the npm-development group across 1 directory with 4 updates (#245)
  • 35d5f43 Bump @​actions/core from 2.0.1 to 2.0.2 in the npm-production group (#243)
  • 876bb5f Bump the actions-minor group across 1 directory with 3 updates (#246)
  • 6cf30ca Bump the npm-development group with 2 updates (#241)
  • e395115 Bump the actions-minor group with 2 updates (#239)
  • afc801d Bump the npm-development group with 3 updates (#240)
  • 6ec0860 Bump @​actions/core from 1.11.1 to 2.0.1 (#237)
  • 532af8a Bump github/codeql-action in the actions-minor group (#233)
  • Additional commits viewable in compare view

Updates actions/attest-build-provenance from 3.2.0 to 4.1.0

Release notes

Sourced from actions/attest-build-provenance's releases.

v4.1.0

[!NOTE] As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

Full Changelog: actions/attest-build-provenance@v4.0.0...v4.1.0

v4.0.0

[!NOTE] As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

Full Changelog: actions/attest-build-provenance@v3.2.0...v4.0.0

Commits
  • a2bbfa2 bump actions/attest from 4.0.0 to 4.1.0 (#838)
  • 0856891 update RELEASE.md docs (#836)
  • e4d4f7c prepare v4 release (#835)
  • 02a49bd Bump github/codeql-action in the actions-minor group (#824)
  • 7c757df Bump the npm-development group with 2 updates (#825)
  • c44148e Bump github/codeql-action in the actions-minor group (#818)
  • 3234352 Bump @​types/node from 25.0.10 to 25.2.0 in the npm-development group (#819)
  • 18db129 Bump tar from 7.5.6 to 7.5.7 (#816)
  • 90fadfa Bump @​actions/core from 2.0.1 to 2.0.2 in the npm-production group (#799)
  • 57db8ba Bump the npm-development group across 1 directory with 3 updates (#808)
  • Additional commits viewable in compare view

Updates jdfalk/release-go-action from e87e6e57bf1c7089e74c94f789b580d3c5737729 to 7b73a664a71c92c7cc44453a33a5dcfb898751ef

Changelog

Sourced from jdfalk/release-go-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Added

  • Dockerized execution path controlled by use-docker/docker-image
  • Automated GHCR publish workflow with digest pinning and tag bump
  • README updated with docker usage and input tables

Changed

Fixed

Security

[1.0.0] - 2026-01-02

Added

  • Initial implementation of action functionality
  • Core workflow integration
  • Documentation and usage examples

Format: [version] - YYYY-MM-DD

Commits
  • 7b73a66 chore(sync): sync files from jft-github-actions template
  • See full diff in compare view

Updates jdfalk/ghcommon/.github/workflows/reusable-advanced-cache.yml from f297c40 to 1a96dae

Changelog

Sourced from jdfalk/ghcommon/.github/workflows/reusable-advanced-cache.yml's changelog.

Changelog

[Unreleased]

Completed

January 10, 2026 - Docker Rollout Across Action Repositories

  • Completed Docker support for 11/18 action repositories representing all actions where Docker adds clear value
  • Dockerized actions: detect-languages-action, load-config-action, get-frontend-config-action, package-assets-action, ci-generate-matrices-action, auto-module-tagging-action, generate-version-action, release-docker-action, release-frontend-action, release-go-action, release-protobuf-action
  • Each dockerized action includes:
    • Dockerfile with pinned base image by digest
    • .dockerignore for build optimization
    • publish-docker.yml workflow for GHCR publishing with auto-versioning
    • use-docker/docker-image inputs with docker/host execution branching
    • Updated README, CHANGELOG, TODO with Docker usage instructions
  • Intentionally skipped Docker for 7 actions:
    • Release orchestrators (release-python-action, release-rust-action): Require GitHub Actions ecosystem (setup-python, setup-rust) and external service publishing
    • Embedded Python actions (ci-workflow-helpers-action, pr-auto-label-action, docs-generator-action, security-summary-action, release-strategy-action): Use shell: python with code embedded in action.yml; Docker support would require significant refactoring for marginal benefit

In Progress

(No active Docker rollout work - 11/18 suitable actions completed)

Security

January 2, 2026 - Action Security Hardening

  • Pinned all external GitHub Actions to full-length commit SHAs across 9 action repositories
  • Updated action format to owner/action@FULL_SHA # vX.Y.Z for security + dependabot compatibility
  • Audited and fetched latest versions for 15 external action dependencies:
    • GitHub official actions: checkout v6.0.1, setup-go v5.6.0, setup-node v6.1.0, setup-python v6.1.0, upload-artifact v6.0.0
    • Third-party actions: yamllint v3.1.1, gh-release v2.5.0, rust-toolchain v1.15.2, goreleaser v6.4.0, buf-setup v1.50.0
    • Docker actions: login v3.6.0, setup-buildx v3.12.0, setup-qemu v3.7.0, build-push v6.18.0, metadata v5.10.0
  • Updated 9 repos with pinned hashes: get-frontend-config-action,

... (truncated)

Commits
  • 1a96dae fix: update self-referencing pins for release-go fetch-depth fix
  • 07c1dbb fix: use full git history in release-go for goreleaser changelog
  • 9425960 fix: update self-referencing pins to include pre-build-script
  • 52b5801 feat: add pre-build-script input to release workflows
  • 6df7dc1 fix: update self-referencing workflow pins to include system-packages
  • 593b4f3 feat: add system-packages input to release workflows
  • e94202b feat: add system-packages input to reusable CI workflow
  • 01f85f9 fix(ci): update release-go-action pin and fix E2E quoting
  • 2188a0e deps(deps): bump the dependencies group with 11 updates
  • See full diff in compare view

Updates jdfalk/ghcommon/.github/workflows/reusable-protobuf.yml from f297c40 to 1a96dae

Changelog

Sourced from jdfalk/ghcommon/.github/workflows/reusable-protobuf.yml's changelog.

Commits
  • 1a96dae fix: update self-referencing pins for release-go fetch-depth fix
  • 07c1dbb fix: use full git history in release-go for goreleaser changelog
  • 9425960 fix: update self-referencing pins to include pre-build-script
  • 52b5801 feat: add pre-build-script input to release workflows
  • 6df7dc1 fix: update self-referencing workflow pins to include system-packages
  • 593b4f3 feat: add system-packages input to release workflows
  • e94202b feat: add system-packages input to reusable CI workflow
  • 01f85f9 fix(ci): update release-go-action pin and fix E2E quoting
  • 2188a0e deps(deps): bump the dependencies group with 11 updates
  • See full diff in compare view

Updates jdfalk/ghcommon/.github/workflows/release-protobuf.yml from 07c1dbb to 1a96dae

Changelog

Sourced from jdfalk/ghcommon/.github/workflows/release-protobuf.yml's changelog.

Commits
  • 1a96dae fix: update self-referencing pins for release-go fetch-depth fix
  • See full diff in compare view

Updates jdfalk/ghcommon/.github/workflows/release-go.yml from 07c1dbb to 1a96dae

Changelog

Sourced from jdfalk/ghcommon/.github/workflows/release-go.yml's changelog.

Commits
  • 1a96dae fix: update self-referencing pins for release-go fetch-depth fix
  • See full diff in compare view

Updates jdfalk/ghcommon/.github/workflows/release-python.yml from 07c1dbb to 1a96dae

Changelog

Sourced from jdfalk/ghcommon/.github/workflows/release-python.yml's changelog.

Commits
  • 1a96dae fix: update self-referencing pins for release-go fetch-depth fix
  • See full diff in compare view

Updates jdfalk/ghcommon/.github/workflows/release-rust.yml from 07c1dbb to 1a96dae

Changelog

Sourced from jdfalk/ghcommon/.github/workflows/release-rust.yml's changelog.

Commits
  • 1a96dae fix: update self-referencing pins for release-go fetch-depth fix
  • See full diff in compare view

Updates jdfalk/ghcommon/.github/workflows/release-frontend.yml from 07c1dbb to 1a96dae

Changelog

Sourced from jdfalk/ghcommon/.github/workflows/release-frontend.yml's changelog.

Description has been truncated

Bumps the dependencies group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [@eslint/eslintrc](https://github.com/eslint/eslintrc) | `3.3.3` | `3.3.4` |
| [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) | `9.39.2` | `9.39.3` |
| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) | `8.56.0` | `8.56.1` |
| [eslint](https://github.com/eslint/eslint) | `9.39.2` | `9.39.3` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.56.0` | `8.56.1` |


Updates `@eslint/eslintrc` from 3.3.3 to 3.3.4
- [Release notes](https://github.com/eslint/eslintrc/releases)
- [Changelog](https://github.com/eslint/eslintrc/blob/main/CHANGELOG.md)
- [Commits](eslint/eslintrc@eslintrc-v3.3.3...eslintrc-v3.3.4)

Updates `@eslint/js` from 9.39.2 to 9.39.3
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/commits/v9.39.3/packages/js)

Updates `@typescript-eslint/eslint-plugin` from 8.56.0 to 8.56.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.56.1/packages/eslint-plugin)

Updates `eslint` from 9.39.2 to 9.39.3
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v9.39.2...v9.39.3)

Updates `typescript-eslint` from 8.56.0 to 8.56.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.56.1/packages/typescript-eslint)

deps(deps): bump the dependencies group with 17 updates

Bumps the dependencies group with 17 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `6.0.0` | `7.0.0` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `7.0.0` | `8.0.0` |
| [actions/setup-go](https://github.com/actions/setup-go) | `6.2.0` | `6.3.0` |
| [anchore/sbom-action](https://github.com/anchore/sbom-action) | `0.22.2` | `0.23.0` |
| [actions/attest-sbom](https://github.com/actions/attest-sbom) | `3.0.0` | `4.0.0` |
| [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `3.2.0` | `4.1.0` |
| [jdfalk/release-go-action](https://github.com/jdfalk/release-go-action) | `e87e6e57bf1c7089e74c94f789b580d3c5737729` | `7b73a664a71c92c7cc44453a33a5dcfb898751ef` |
| [jdfalk/ghcommon/.github/workflows/reusable-advanced-cache.yml](https://github.com/jdfalk/ghcommon) | `f297c40be781eb288aa902fd87c372c6d72ee911` | `1a96daebeba7b0f61037be5bc381e3b6794e26b5` |
| [jdfalk/ghcommon/.github/workflows/reusable-protobuf.yml](https://github.com/jdfalk/ghcommon) | `f297c40be781eb288aa902fd87c372c6d72ee911` | `1a96daebeba7b0f61037be5bc381e3b6794e26b5` |
| [jdfalk/ghcommon/.github/workflows/release-protobuf.yml](https://github.com/jdfalk/ghcommon) | `07c1dbb1c2e2c8ed1b3e1637fd27cba1197f6769` | `1a96daebeba7b0f61037be5bc381e3b6794e26b5` |
| [jdfalk/ghcommon/.github/workflows/release-go.yml](https://github.com/jdfalk/ghcommon) | `07c1dbb1c2e2c8ed1b3e1637fd27cba1197f6769` | `1a96daebeba7b0f61037be5bc381e3b6794e26b5` |
| [jdfalk/ghcommon/.github/workflows/release-python.yml](https://github.com/jdfalk/ghcommon) | `07c1dbb1c2e2c8ed1b3e1637fd27cba1197f6769` | `1a96daebeba7b0f61037be5bc381e3b6794e26b5` |
| [jdfalk/ghcommon/.github/workflows/release-rust.yml](https://github.com/jdfalk/ghcommon) | `07c1dbb1c2e2c8ed1b3e1637fd27cba1197f6769` | `1a96daebeba7b0f61037be5bc381e3b6794e26b5` |
| [jdfalk/ghcommon/.github/workflows/release-frontend.yml](https://github.com/jdfalk/ghcommon) | `07c1dbb1c2e2c8ed1b3e1637fd27cba1197f6769` | `1a96daebeba7b0f61037be5bc381e3b6794e26b5` |
| [jdfalk/ghcommon/.github/workflows/release-docker.yml](https://github.com/jdfalk/ghcommon) | `07c1dbb1c2e2c8ed1b3e1637fd27cba1197f6769` | `1a96daebeba7b0f61037be5bc381e3b6794e26b5` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.32.3` | `4.32.5` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.8.2` | `4.8.3` |


Updates `actions/upload-artifact` from 6.0.0 to 7.0.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@b7c566a...bbbca2d)

Updates `actions/download-artifact` from 7.0.0 to 8.0.0
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@37930b1...70fc10c)

Updates `actions/setup-go` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@7a3fe6c...4b73464)

Updates `anchore/sbom-action` from 0.22.2 to 0.23.0
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@28d7154...17ae174)

Updates `actions/attest-sbom` from 3.0.0 to 4.0.0
- [Release notes](https://github.com/actions/attest-sbom/releases)
- [Changelog](https://github.com/actions/attest-sbom/blob/main/RELEASE.md)
- [Commits](actions/attest-sbom@4651f80...07e74fc)

Updates `actions/attest-build-provenance` from 3.2.0 to 4.1.0
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@96278af...a2bbfa2)

Updates `jdfalk/release-go-action` from e87e6e57bf1c7089e74c94f789b580d3c5737729 to 7b73a664a71c92c7cc44453a33a5dcfb898751ef
- [Release notes](https://github.com/jdfalk/release-go-action/releases)
- [Changelog](https://github.com/jdfalk/release-go-action/blob/main/CHANGELOG.md)
- [Commits](jdfalk/release-go-action@e87e6e5...7b73a66)

Updates `jdfalk/ghcommon/.github/workflows/reusable-advanced-cache.yml` from f297c40 to 1a96dae
- [Release notes](https://github.com/jdfalk/ghcommon/releases)
- [Changelog](https://github.com/jdfalk/ghcommon/blob/main/CHANGELOG.md)
- [Commits](f297c40...1a96dae)

Updates `jdfalk/ghcommon/.github/workflows/reusable-protobuf.yml` from f297c40 to 1a96dae
- [Release notes](https://github.com/jdfalk/ghcommon/releases)
- [Changelog](https://github.com/jdfalk/ghcommon/blob/main/CHANGELOG.md)
- [Commits](f297c40...1a96dae)

Updates `jdfalk/ghcommon/.github/workflows/release-protobuf.yml` from 07c1dbb to 1a96dae
- [Release notes](https://github.com/jdfalk/ghcommon/releases)
- [Changelog](https://github.com/jdfalk/ghcommon/blob/main/CHANGELOG.md)
- [Commits](07c1dbb...1a96dae)

Updates `jdfalk/ghcommon/.github/workflows/release-go.yml` from 07c1dbb to 1a96dae
- [Release notes](https://github.com/jdfalk/ghcommon/releases)
- [Changelog](https://github.com/jdfalk/ghcommon/blob/main/CHANGELOG.md)
- [Commits](07c1dbb...1a96dae)

Updates `jdfalk/ghcommon/.github/workflows/release-python.yml` from 07c1dbb to 1a96dae
- [Release notes](https://github.com/jdfalk/ghcommon/releases)
- [Changelog](https://github.com/jdfalk/ghcommon/blob/main/CHANGELOG.md)
- [Commits](07c1dbb...1a96dae)

Updates `jdfalk/ghcommon/.github/workflows/release-rust.yml` from 07c1dbb to 1a96dae
- [Release notes](https://github.com/jdfalk/ghcommon/releases)
- [Changelog](https://github.com/jdfalk/ghcommon/blob/main/CHANGELOG.md)
- [Commits](07c1dbb...1a96dae)

Updates `jdfalk/ghcommon/.github/workflows/release-frontend.yml` from 07c1dbb to 1a96dae
- [Release notes](https://github.com/jdfalk/ghcommon/releases)
- [Changelog](https://github.com/jdfalk/ghcommon/blob/main/CHANGELOG.md)
- [Commits](07c1dbb...1a96dae)

Updates `jdfalk/ghcommon/.github/workflows/release-docker.yml` from 07c1dbb to 1a96dae
- [Release notes](https://github.com/jdfalk/ghcommon/releases)
- [Changelog](https://github.com/jdfalk/ghcommon/blob/main/CHANGELOG.md)
- [Commits](07c1dbb...1a96dae)

Updates `github/codeql-action` from 4.32.3 to 4.32.5
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@9e907b5...c793b71)

Updates `actions/dependency-review-action` from 4.8.2 to 4.8.3
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@3c4e3dc...05fe457)

---
updated-dependencies:
- dependency-name: "@eslint/eslintrc"
  dependency-version: 3.3.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: "@eslint/js"
  dependency-version: 9.39.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.56.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: eslint
  dependency-version: 9.39.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: typescript-eslint
  dependency-version: 8.56.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: actions/download-artifact
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: actions/setup-go
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: anchore/sbom-action
  dependency-version: 0.23.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: actions/attest-sbom
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: actions/attest-build-provenance
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: jdfalk/release-go-action
  dependency-version: 7b73a664a71c92c7cc44453a33a5dcfb898751ef
  dependency-type: direct:production
  dependency-group: dependencies
- dependency-name: jdfalk/ghcommon/.github/workflows/reusable-advanced-cache.yml
  dependency-version: 1a96dae
  dependency-type: direct:production
  dependency-group: dependencies
- dependency-name: jdfalk/ghcommon/.github/workflows/reusable-protobuf.yml
  dependency-version: 1a96dae
  dependency-type: direct:production
  dependency-group: dependencies
- dependency-name: jdfalk/ghcommon/.github/workflows/release-protobuf.yml
  dependency-version: 1a96dae
  dependency-type: direct:production
  dependency-group: dependencies
- dependency-name: jdfalk/ghcommon/.github/workflows/release-go.yml
  dependency-version: 1a96dae
  dependency-type: direct:production
  dependency-group: dependencies
- dependency-name: jdfalk/ghcommon/.github/workflows/release-python.yml
  dependency-version: 1a96dae
  dependency-type: direct:production
  dependency-group: dependencies
- dependency-name: jdfalk/ghcommon/.github/workflows/release-rust.yml
  dependency-version: 1a96dae
  dependency-type: direct:production
  dependency-group: dependencies
- dependency-name: jdfalk/ghcommon/.github/workflows/release-frontend.yml
  dependency-version: 1a96dae
  dependency-type: direct:production
  dependency-group: dependencies
- dependency-name: jdfalk/ghcommon/.github/workflows/release-docker.yml
  dependency-version: 1a96dae
  dependency-type: direct:production
  dependency-group: dependencies
- dependency-name: github/codeql-action
  dependency-version: 4.32.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: actions/dependency-review-action
  dependency-version: 4.8.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from jdfalk as a code owner March 3, 2026 15:33

dependabot bot commented on behalf of github Mar 3, 2026

Labels

The following labels could not be found: tech:nodejs. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions github-actions bot added github-actions GitHub Actions related work automation Automation scripts and tools type:testing Testing related work type:maintenance Maintenance and housekeeping module:config Configuration management tech:javascript JavaScript programming language workflow:automation Automation and tooling workflow:github-actions GitHub Actions workflows workflow:ci-cd Continuous integration and deployment workflow:deployment Deployment and release management size/L labels Mar 3, 2026

jdfalk commented Mar 11, 2026

@dependabot rebase
