chore(deps)(deps): bump the github-actions-all group across 1 directory with 16 updates

[dependabot]

Bumps the github-actions-all group with 16 updates in the / directory:

Package	From	To
actions/checkout	4	6
dataaxiom/ghcr-cleanup-action	1.0.16	1.2.2
actions/create-github-app-token	3.1.1	3.2.0
actions/setup-dotnet	4	5
docker/setup-buildx-action	4.0.0	4.1.0
docker/login-action	4.1.0	4.2.0
docker/build-push-action	7.1.0	7.2.0
codecov/codecov-action	6.0.0	7.0.0
dependabot/fetch-metadata	3.0.0	3.1.0
actions/dependency-review-action	4.9.0	5.0.0
docker/metadata-action	6.0.0	6.1.0
aquasecurity/trivy-action	0.35.0	0.36.0
github/codeql-action	4.35.2	4.36.2
anchore/sbom-action	0.23.1	0.24.0
sigstore/cosign-installer	4.1.1	4.1.2
gitleaks/gitleaks-action	2.3.9	3.0.0

Updates actions/checkout from 4 to 6

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043

... (truncated)

Commits

• df4cb1c Update changelog for v6.0.3 (#2446)
• 1cce339 Fix checkout init for SHA-256 repositories (#2439)
• 900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
• 0c366fd Update changelog (#2357)
• de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
• 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• Additional commits viewable in compare view

Updates dataaxiom/ghcr-cleanup-action from 1.0.16 to 1.2.2

Release notes

Sourced from dataaxiom/ghcr-cleanup-action's releases.

v1.2.2

• feature: skip-regex-checks input bypasses regex length/ReDoS guards for intentionally large patterns (fix #128)

v1.2.1

• fix: tolerate every 404 on package version delete (was: fail on the second) (fix #121)
• fix: eliminate spurious "wasn't found" warnings from cosign signature dual-cascade race
• fix: per-image log buffer flushes audit trail even when a cascade errors mid-flight

v1.2.0

• feature: cross-run manifest cache; warm runs only fetch newly-published manifests (hit rate logged)
• perf: parallel API throughout — package pagination, manifest fetches, untag PUTs, child/referrer deletes
• perf: batched untagging — one reload per batch instead of one per tag
• perf: push token reuse across untag PUTs + 429/secondary rate-limit retries on registry auth
• fix: repository input is now informational; cleanup uses owner + package directly (supports unlinked / cross-account packages)
• log volume cap at 1000 lines per group (info); per-image log output buffered to avoid interleaving under concurrent deletes
• package version upgrades

v1.1.0

• fix: preserve OCI 1.1 subject-bearing referrers (cosign sigstore-bundles, attestations) during cleanup — were silently deleted as untagged #71
• fix: keep-n-tagged now gates untag operations; a matched tag is not stripped from an image that keep-n-tagged would protect (#99, #101)
• fix: shared multi-arch platform digests no longer cascade-deleted when one of multiple parent indexes is removed (#91)
• fix: delete-partial-images excludes fully ghost images #112
• fix: Octokit error output visible at all log levels (was suppressed when log-level was error or warn)
• fix: expand-packages rejects fine-grained PATs upfront with a clear message
• fix: setFailed message no longer overwritten by an empty Error in early-failure paths
• feat: ReDoS guard on user-supplied regex (delete-tags, exclude-tags, package) when use-regex: true
• feat: code refactor/split, removal of anys where possible using typed classes
• chore(deps): Node.js 24
• docs: README rewrite + Limitations section (5,000-download undeletable policy, nested-manifest non-support)

Commits

• d52806a Merge pull request #129 from rohanmars/main
• 7f28f9d feat: add skip-regex-checks input to opt out of regex safety guards
• f092b48 Merge pull request #122 from rohanmars/main
• fa3daf5 ci: hoist fork-PR approval gate to a single job (was per matrix entry)
• c1ba289 fix: synchronously claim digests before delete to prevent concurrent duplicat...
• f5e37e7 fix: tolerate all 404s on package version delete; always flush per-tree log b...
• 374e202 Merge pull request #120 from rohanmars/code-review
• e1e6176 perf: cap per-listing log volume at 1000 lines (truncate at INFO)
• 6516895 fix: drop the post-reload untag-ops invariant assertion (3.1.5 retraction)
• 5a020af feat: buffer deleteImage logs per top-level tree, flush atomically
• Additional commits viewable in compare view

Updates actions/create-github-app-token from 3.1.1 to 3.2.0

Release notes

Sourced from actions/create-github-app-token's releases.

v3.2.0

3.2.0 (2026-05-12)

Features

• add support for enterprise-level GitHub Apps (#263) (952a2a7)
• support full repository names in repositories input (#372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#364) (43e5c34)
• validate private-key input (#376) (f24bbd8)

Changelog

Sourced from actions/create-github-app-token's changelog.

Changelog

3.2.0 (2026-05-12)

Features

• add support for enterprise-level GitHub Apps (#263) (952a2a7)
• support full repository names in repositories input (#372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#364) (43e5c34)
• validate private-key input (#376) (f24bbd8)

Commits

• bcd2ba4 chore(main): release 3.2.0 (#370)
• f24bbd8 fix: validate private-key input (#376)
• 363531b docs: capitalize Git as a proper noun in README (#374)
• fd28011 docs: update procedure to configure Git (#287)
• 85eb8dd feat: support full repository names in repositories input (#372)
• c9aabb8 build(deps-dev): bump yaml from 2.8.3 to 2.8.4 in the development-dependencie...
• e02e816 build(deps-dev): bump undici from 7.24.6 to 8.2.0 (#366)
• 8d835bf build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 in the development-depend...
• 952a2a7 feat: add support for enterprise-level GitHub Apps (#263)
• 43e5c34 fix(deps): bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependenc...
• Additional commits viewable in compare view

Updates actions/setup-dotnet from 4 to 5

Release notes

Sourced from actions/setup-dotnet's releases.

v5.0.0

What's Changed

Breaking Changes

• Upgrade to Node.js 24 and modernize async usage by @​salmanmkc in actions/setup-dotnet#654

Make sure your runner is updated to this version or newer to use this release. v2.327.1 Release Notes

Dependency Updates

• Upgrade @​action/cache from 4.0.2 to 4.0.3 by @​aparnajyothi-y in actions/setup-dotnet#622
• Upgrade husky from 8.0.3 to 9.1.7 by @​dependabot[bot] in actions/setup-dotnet#591
• Upgrade @​actions/glob from 0.4.0 to 0.5.0 by @​dependabot[bot] in actions/setup-dotnet#594
• Upgrade eslint-config-prettier from 9.1.0 to 10.1.5 by @​dependabot[bot] in actions/setup-dotnet#639
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in actions/setup-dotnet#641
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in actions/setup-dotnet#652
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in actions/setup-dotnet#662

Bug Fixes

• Remove Support for older .NET Versions and Update installers scripts by @​gowridurgad in actions/setup-dotnet#647

New Contributors

• @​gowridurgad made their first contribution in actions/setup-dotnet#647
• @​salmanmkc made their first contribution in actions/setup-dotnet#654

Full Changelog: actions/setup-dotnet@v4...v5.0.0

v4.3.1

What's Changed

• v4 - Remove azureedge.net fallback logic and update install scripts by @​zaataylor in actions/setup-dotnet#572 As outlined in Critical .NET Install Links Are Changing, remove the storage account fallback logic added for v4 in actions/setup-dotnet#566 and update the install scripts accordingly. Related issue: dotnet/install-scripts#559
• upgrade @​actions/cache to 4.0.2 by @​HarithaVattikuti in actions/setup-dotnet#615

Full Changelog: actions/setup-dotnet@v4...v4.3.1

v4.3.0

What's Changed

• README update - add permissions section by @​benwells in actions/setup-dotnet#587
• Configure Dependabot settings by @​HarithaVattikuti in actions/setup-dotnet#585
• Upgrade cache from 3.2.4 to 4.0.0 by @​aparnajyothi-y in actions/setup-dotnet#586
• Upgrade actions/publish-immutable-action from 0.0.3 to 0.0.4 by @​dependabot in actions/setup-dotnet#590
• Upgrade @​actions/http-client from 2.2.1 to 2.2.3 by @​dependabot in actions/setup-dotnet#592
• Upgrade undici from 5.28.4 to 5.28.5 by @​dependabot in actions/setup-dotnet#596

New Contributors

• @​benwells made their first contribution in actions/setup-dotnet#587
• @​aparnajyothi-y made their first contribution in actions/setup-dotnet#586

... (truncated)

Commits

• 9a946fd Add rollForward note in README, improve proxy health check in e2e tests and b...
• 98af08b Support global.json's rollForward latest* variants (#538)
• 8404272 Update install scripts to v2026.05.19 (#736)
• f1970f5 Don't download releases-index.json to resolve major version (#560)
• af9211b Add dotnet-version: latest support with dotnet-channel input (#730)
• df991ae chore: bump @actions/* and fast-xml-parser dependencies (#728)
• a66eefa CI: remove manual PowerShell install from test-proxy job (e2e-tests.yml) (#703)
• c2fa09f Bump minimatch from 3.1.2 to 3.1.5 (#705)
• 02574b1 Add support for optional architecture input for cross-architecture .NET insta...
• 16c7b3c Bump fast-xml-parser from 4.4.1 to 5.3.6 (#671)
• Additional commits viewable in compare view

Updates docker/setup-buildx-action from 4.0.0 to 4.1.0

Release notes

Sourced from docker/setup-buildx-action's releases.

v4.1.0

• Bump @​docker/actions-toolkit from 0.79.0 to 0.90.0 in docker/setup-buildx-action#489
• Bump brace-expansion from 1.1.12 to 5.0.6 in docker/setup-buildx-action#547 docker/setup-buildx-action#508
• Bump fast-xml-builder from 1.0.0 to 1.2.0 in docker/setup-buildx-action#540
• Bump fast-xml-parser from 5.4.2 to 5.8.0 in docker/setup-buildx-action#496
• Bump flatted from 3.3.3 to 3.4.2 in docker/setup-buildx-action#499
• Bump glob from 10.3.12 to 13.0.6 in docker/setup-buildx-action#495
• Bump handlebars from 4.7.8 to 4.7.9 in docker/setup-buildx-action#504
• Bump lodash from 4.17.23 to 4.18.1 in docker/setup-buildx-action#523
• Bump picomatch from 4.0.3 to 4.0.4 in docker/setup-buildx-action#503
• Bump postcss from 8.5.6 to 8.5.10 in docker/setup-buildx-action#537
• Bump tar from 6.2.1 to 7.5.15 in docker/setup-buildx-action#545
• Bump undici from 6.23.0 to 6.25.0 in docker/setup-buildx-action#492
• Bump vite from 7.3.1 to 7.3.2 in docker/setup-buildx-action#520

Full Changelog: docker/setup-buildx-action@v4.0.0...v4.1.0

Commits

• d7f5e7f Merge pull request #489 from docker/dependabot/npm_and_yarn/docker/actions-to...
• 92bc5c9 chore: update generated content
• da11e35 build(deps): bump @​docker/actions-toolkit from 0.79.0 to 0.90.0
• f021e16 Merge pull request #492 from docker/dependabot/npm_and_yarn/undici-6.24.1
• b5af94f chore: update generated content
• 16ad977 build(deps): bump undici from 6.23.0 to 6.25.0
• d7a12d7 Merge pull request #495 from docker/dependabot/npm_and_yarn/glob-10.5.0
• 28ff27d build(deps): bump glob from 10.3.12 to 13.0.6
• daf436b Merge pull request #496 from docker/dependabot/npm_and_yarn/fast-xml-parser-5...
• 9725348 chore: update generated content
• Additional commits viewable in compare view

Updates docker/login-action from 4.1.0 to 4.2.0

Release notes

Sourced from docker/login-action's releases.

v4.2.0

• Bump @​actions/core from 3.0.0 to 3.0.1 in docker/login-action#976
• Bump @​aws-sdk/client-ecr and @​aws-sdk/client-ecr-public to 3.1050.0 in docker/login-action#960
• Bump @​docker/actions-toolkit from 0.86.0 to 0.90.0 in docker/login-action#970
• Bump brace-expansion from 2.0.1 to 5.0.6 in docker/login-action#993
• Bump fast-xml-builder from 1.1.4 to 1.2.0 in docker/login-action#985
• Bump fast-xml-parser from 5.3.6 to 5.8.0 in docker/login-action#963
• Bump http-proxy-agent and https-proxy-agent to 9.0.0 in docker/login-action#961
• Bump postcss from 8.5.6 to 8.5.10 in docker/login-action#979
• Bump tar from 6.2.1 to 7.5.15 in docker/login-action#991
• Bump vite from 7.3.1 to 7.3.3 in docker/login-action#986

Full Changelog: docker/login-action@v4.1.0...v4.2.0

Commits

• 650006c Merge pull request #960 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
• 99df1a3 chore: update generated content
• 3ab375f build(deps): bump the aws-sdk-dependencies group across 1 directory with 2 up...
• 39d8580 Merge pull request #970 from docker/dependabot/npm_and_yarn/docker/actions-to...
• 4eefcd3 chore: update generated content
• 56d092c build(deps): bump @​docker/actions-toolkit from 0.86.0 to 0.90.0
• e2e31ca Merge pull request #976 from docker/dependabot/npm_and_yarn/actions/core-3.0.1
• 0bced94 chore: update generated content
• 3e75a0f build(deps): bump @​actions/core from 3.0.0 to 3.0.1
• 365bebd Merge pull request #984 from docker/dependabot/github_actions/aws-actions/con...
• Additional commits viewable in compare view

Updates docker/build-push-action from 7.1.0 to 7.2.0

Release notes

Sourced from docker/build-push-action's releases.

v7.2.0

• Bump @​actions/core from 3.0.0 to 3.0.1 in docker/build-push-action#1525
• Bump @​docker/actions-toolkit from 0.87.0 to 0.90.0 in docker/build-push-action#1517
• Bump brace-expansion from 2.0.2 to 5.0.6 in docker/build-push-action#1534
• Bump fast-xml-builder from 1.1.4 to 1.2.0 in docker/build-push-action#1529
• Bump fast-xml-parser from 5.5.7 to 5.8.0 in docker/build-push-action#1521
• Bump postcss from 8.5.6 to 8.5.10 in docker/build-push-action#1526
• Bump tar from 6.2.1 to 7.5.15 in docker/build-push-action#1533

Full Changelog: docker/build-push-action@v7.1.0...v7.2.0

Commits

• f9f3042 Merge pull request #1517 from docker/dependabot/npm_and_yarn/docker/actions-t...
• 812d5fd chore: update generated content
• b6f6693 chore(deps): Bump @​docker/actions-toolkit from 0.87.0 to 0.90.0
• c1c626e Merge pull request #1525 from docker/dependabot/npm_and_yarn/actions/core-3.0.1
• 51bb284 chore: update generated content
• 5f7884d chore(deps): Bump @​actions/core from 3.0.0 to 3.0.1
• e01deff Merge pull request #1521 from docker/dependabot/npm_and_yarn/fast-xml-parser-...
• 3804d49 chore: update generated content
• 71e8947 chore(deps): Bump fast-xml-parser from 5.5.7 to 5.8.0
• 4925ad2 Merge pull request #1526 from docker/dependabot/npm_and_yarn/postcss-8.5.10
• Additional commits viewable in compare view

Updates codecov/codecov-action from 6.0.0 to 7.0.0

Release notes

Sourced from codecov/codecov-action's releases.

v7.0.0

⚠️ Due to migration issues with keybase, we are unable to update our keys under the codecovsecurity account. We have deleted the account and are using codecovsecops with the original gpg key

What's Changed

• ci: remove Enforce License Compliance workflow by @​thomasrockhu-codecov in codecov/codecov-action#1950
• chore(release): 7.0.0 by @​thomasrockhu-codecov in codecov/codecov-action#1957

Full Changelog: codecov/codecov-action@v6.0.1...v7.0.0

v6.0.2

This is a copy of the v7.0.0 release to make updates easier

What's Changed

• ci: remove Enforce License Compliance workflow by @​thomasrockhu-codecov in codecov/codecov-action#1950
• chore(release): 7.0.0 by @​thomasrockhu-codecov in codecov/codecov-action#1957

Full Changelog: codecov/codecov-action@v6.0.1...v6.0.2

v6.0.1

What's Changed

• fix: prevent template injection in run: steps (VULN-1652) by @​thomasrockhu-codecov in codecov/codecov-action#1947
• chore(release): 6.0.1 by @​thomasrockhu-codecov in codecov/codecov-action#1949

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

Changelog

Sourced from codecov/codecov-action's changelog.

v5.5.2

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in codecov/codecov-action#1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in codecov/codecov-action#1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in codecov/codecov-action#1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in codecov/codecov-action#1872
• docs: fix typo in README by @​datalater in codecov/codecov-action#1866
• Document a codecov-cli version reference example by @​webknjaz in codecov/codecov-action#1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in codecov/codecov-action#1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in codecov/codecov-action#1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

What's Changed

• feat: upgrade wrapper to 0.2.4 by @​jviall in codecov/codecov-action#1864
• Pin actions/github-script by Git SHA by @​martincostello in codecov/codecov-action#1859
• fix: check reqs exist by @​joseph-sentry in codecov/codecov-action#1835
• fix: Typo in README by @​spalmurray in codecov/codecov-action#1838
• docs: Refine OIDC docs by @​spalmurray in codecov/codecov-action#1837
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @​app/dependabot in codecov/codecov-action#1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

v5.4.3

What's Changed

• build(deps): bump github/codeql-action from 3.28.13 to 3.28.17 by @​app/dependabot in codecov/codecov-action#1822
• fix: OIDC on forks by @​joseph-sentry in codecov/codecov-action#1823

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3

v5.4.2

... (truncated)

Commits

• fb8b358 chore(release): 7.0.0 (#1957)
• ca0a928 ci: remove Enforce License Compliance workflow (#1950)
• e79a696 chore(release): 6.0.1 (#1949)
• 51e6422 fix: prevent template injection in run: steps (VULN-1652) (#1947)
• See full diff in compare view

Updates dependabot/fetch-metadata from 3.0.0 to 3.1.0

Release notes

Sourced from dependabot/fetch-metadata's releases.

v3.1.0

What's Changed

• Add permissions to all workflows by @​truggeri in dependabot/fetch-metadata#687
• build(deps-dev): bump globals from 16.0.0 to 17.4.0 by @​dependabot[bot] in dependabot/fetch-metadata#690
• build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 by @​dependabot[bot] in dependabot/fetch-metadata#693
• build(deps-dev): bump @​hono/node-server from 1.19.10 to 1.19.13 by @​dependabot[bot] in dependabot/fetch-metadata#694
• build(deps-dev): bump hono from 4.12.7 to 4.12.12 by @​dependabot[bot] in dependabot/fetch-metadata#695
• Dynamically update the tracking tag in action by @​truggeri in dependabot/fetch-metadata#696
• fix: handle duplicate dependency names in parseMetadataLinks by @​devantler in dependabot/fetch-metadata#700
• fix: remove $ anchor from updateFragment regex to handle pip directory suffixes by @​devantler in dependabot/fetch-metadata#698
• Updates to README for permissions clarification by @​truggeri in dependabot/fetch-metadata#697
• fix: resolve update-type null for Python, Composer, and Terraform PRs by @​vitorsdcs in dependabot/fetch-metadata#704
• build(deps-dev): bump globals from 17.4.0 to 17.5.0 by @​dependabot[bot] in dependabot/fetch-metadata#703
• build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1 by @​dependabot[bot] in dependabot/fetch-metadata#701
• build(deps): bump @​actions/github from 9.0.0 to 9.1.0 in the dependencies group across 1 directory by @​dependabot[bot] in dependabot/fetch-metadata#702
• build(deps-dev): bump hono from 4.12.12 to 4.12.14 by @​dependabot[bot] in dependabot/fetch-metadata#705
• v3.1.0 by @​fetch-metadata-action-automation[bot] in dependabot/fetch-metadata#692

New Contributors

• @​devantler made their first contribution in dependabot/fetch-metadata#700
• @​vitorsdcs made their first contribution in dependabot/fetch-metadata#704

Full Changelog: dependabot/fetch-metadata@v3...v3.1.0

Commits

• 25dd0e3 v3.1.0 (#692)
• e073f50 Merge pull request #705 from dependabot/dependabot/npm_and_yarn/hono-4.12.14
• 0670e16 build(deps-dev): bump hono from 4.12.12 to 4.12.14
• 7a7fe10 Merge pull request #702 from dependabot/dependabot/npm_and_yarn/dependencies-...
• 5168191 Updating dist build
• 23882e1 build(deps): bump @​actions/github in the dependencies group
• 1072469 Merge pull request #701 from dependabot/dependabot/github_actions/actions/cre...
• 43f8a00 build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1
• b4d904a Merge pull request #703 from dependabot/dependabot/npm_and_yarn/globals-17.5.0
• c8046bb build(deps-dev): bump globals from 17.4.0 to 17.5.0
• Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.9.0 to 5.0.0

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in actions/dependency-review-action#1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in actions/dependency-review-action#1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in actions/dependency-review-action#1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in actions/dependency-review-action#1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in actions/dependency-review-action#1076
• Resolve security findings by @​AshelyTC in actions/dependency-review-action#1094
• v5.0.0 release branch by @​ahpook in actions/dependency-review-action#1098

New Contributors

• @​scottschreckengaust made their first contribution in actions/dependency-review-action#1084
• @​mongolyy made their first contribution in actions/dependency-review-action#1091
• @​Marukome0743 made their first contribution in actions/dependency-review-action#1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Commits

• a1d282b Merge pull request #1098 from actions/ahpook/v5-release
• eb6c199 update examples to show @​v5
• 3943c2c v5.0.0 release branch
• 454943c Merge pull request #1094 from actions/ashelytc/security-findings
• 6d92a12 revert @​typescript-eslint/parser update
• a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
• b6b7079 update @​typescript-eslint/parser to 8.40.0
• 821a21d update more dependencies
• 05aaaae run npm audit fix
• 55d3e75 Merge pull request

[dependabot]

Labels

The following labels could not be found: github-actions, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 3 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 20fda56.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/reusable-build-sign-sbom.yml

Package	Version	License	Issue Type
aquasecurity/trivy-action	ed142fd0673e97e23eac54620cfb913e5ce36c25	Null	Unknown License

.github/workflows/security-gap-scans.yml

Package	Version	License	Issue Type
aquasecurity/trivy-action	ed142fd0673e97e23eac54620cfb913e5ce36c25	Null	Unknown License
gitleaks/gitleaks-action	e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e	Null	Unknown License

Denied Licenses:

GPL-2.0, GPL-3.0

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/actions/checkout	df4cb1c069e1874edd31b4311f1884172cec0e10	🟢 5.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/checkout	df4cb1c069e1874edd31b4311f1884172cec0e10	🟢 5.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-dotnet	9a946fdbd5fb07b82b2f5a4466058b876ab72bb2	🟢 5.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 8 SAST tool is not run on all commits -- score normalized to 8
actions/anchore/sbom-action	e22c389904149dbc22b58101806040fa8d37a610	🟢 7.3	Details Check Score Reason Maintained 🟢 10 29 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 9 binaries present in source code Code-Review ⚠️ 1 Found 2/11 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 8 SAST tool is not run on all commits -- score normalized to 8 Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches
actions/aquasecurity/trivy-action	ed142fd0673e97e23eac54620cfb913e5ce36c25	🟢 6.7	Details Check Score Reason Code-Review 🟢 9 Found 15/16 approved changesets -- score normalized to 9 Maintained 🟢 10 14 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 7 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/docker/build-push-action	f9f3042f7e2789586610d6e8b85c8f03e5195baf	🟢 8.6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 SAST 🟢 10 SAST tool is run on all commits
actions/docker/login-action	650006c6eb7dba73a995cc03b0b2d7f5ca915bee	🟢 8.5	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 9 security policy file detected Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 10 SAST tool is run on all commits
actions/docker/metadata-action	80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9	🟢 8.6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 SAST 🟢 10 SAST tool is run on all commits
actions/docker/setup-buildx-action	d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5	🟢 8.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found License 🟢 10 license file detected Packaging 🟢 10 packaging workflow detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 SAST 🟢 10 SAST tool is run on all commits
actions/github/codeql-action/upload-sarif	8aad20d150bbac5944a9f9d289da16a4b0d87c1e	Unknown	Unknown
actions/sigstore/cosign-installer	6f9f17788090df1f26f669e9d70d6ae9567deba6	🟢 7.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 8 8 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 8 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 10 all dependencies are pinned Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/actions/checkout	df4cb1c069e1874edd31b4311f1884172cec0e10	🟢 5.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/aquasecurity/trivy-action	ed142fd0673e97e23eac54620cfb913e5ce36c25	🟢 6.7	Details Check Score Reason Code-Review 🟢 9 Found 15/16 approved changesets -- score normalized to 9 Maintained 🟢 10 14 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 7 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/github/codeql-action/upload-sarif	8aad20d150bbac5944a9f9d289da16a4b0d87c1e	Unknown	Unknown
actions/gitleaks/gitleaks-action	e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e	🟢 5.4	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Code-Review 🟢 4 Found 8/19 approved changesets -- score normalized to 4 Maintained 🟢 3 4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 10 all dependencies are pinned License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• .github/workflows/docker-publish-auth.yaml
• .github/workflows/reusable-build-sign-sbom.yml
• .github/workflows/security-gap-scans.yml

[github-actions]

Package	Line Rate	Branch Rate	Complexity	Health
Basket.Api	31%	17%	38	✔
Basket.Application	100%	88%	102	✔
Basket.Domain	100%	100%	27	✔
Basket.Infrastructure	0%	0%	191	❌
Billing.Api	39%	50%	21	✔
Billing.Application	100%	100%	92	✔
Billing.Domain	100%	100%	39	✔
Billing.Infrastructure	0%	0%	30	❌
Catalog.Api	45%	43%	176	✔
Catalog.Application	96%	89%	625	✔
Catalog.Domain	100%	100%	574	✔
Catalog.Infrastructure	89%	54%	328	✔
Customer.Api	70%	75%	168	✔
Customer.Application	97%	84%	624	✔
Customer.Domain	96%	90%	269	✔
Customer.Infrastructure	28%	19%	557	➖
Device.Api	71%	49%	93	✔
Device.Application	95%	77%	944	✔
Device.Domain	99%	95%	241	✔
Device.Infrastructure	72%	38%	328	✔
Image.Generator.Api	31%	46%	25	✔
Image.Generator.Application	51%	29%	2555	✔
Location.Api	61%	64%	134	✔
Location.Application	53%	33%	420	✔
Location.Infrastructure	56%	56%	469	✔
Order.Api	23%	14%	16	➖
Order.Application	96%	82%	102	✔
Order.Domain	100%	100%	18	✔
Order.Infrastructure	0%	0%	179	❌
Product.Api	0%	0%	25	❌
Product.Application	21%	10%	94	➖
Product.Domain	95%	100%	56	✔
Product.Infrastructure	23%	14%	148	➖
SharedKernel.Core	29%	11%	635	➖
SharedKernel.Events	66%	100%	415	✔
SharedKernel.Grpc.Contracts	67%	100%	152	✔
SharedKernel.Infrastructure	28%	24%	1299	➖
SharedKernel.Persistence	55%	40%	995	✔
Statistic.Api	0%	0%	18	❌
Statistic.Application	100%	100%	3	✔
Statistic.Domain	83%	100%	96	✔
Statistic.Infrastructure	69%	62%	129	✔
Teck.Cloud.Migrations.PostgreSQL	36%	28%	59	✔
Teck.Cloud.ServiceDefaults	0%	0%	9	❌
Web.Admin.Gateway	10%	11%	111	❌
Web.Public.Gateway	39%	34%	305	✔
Summary	53% (14914 / 28163)	39% (2652 / 6721)	13934	✔