ci: bump the ci-actions group with 3 updates

[dependabot]

Bumps the ci-actions group with 3 updates: luckyPipewrench/pipelock, github/codeql-action and actions/dependency-review-action.

Updates luckyPipewrench/pipelock from 9b38f69593b24964042dfeb1f13d7088832bf817 to cef4f47eb99ffe00e20fa7d1423bff1a44742dbe

Changelog

Sourced from luckyPipewrench/pipelock's changelog.

Changelog

All notable changes to Pipelock will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[2.4.0] - 2026-05-06

Highlights

The headline feature is learn-and-lock: a policy compiler and activation workflow that watches an agent's real traffic, infers a per-agent behavioral envelope, replays the candidate in shadow against captured traffic, records operator-ratified signed contracts in a content-addressed active manifest chained to a verifiable observation root, and enforces the promoted contract live on every URL-bearing transport plus the MCP tool-call surface. Live enforcement covers forward proxy (absolute-URI and CONNECT), reverse proxy and redirect-refresh chains, intercept proxy, /fetch, WebSocket handshake, MCP HTTP listener and stdio-to-HTTP bridge, and the mcp_tool_call rule kind on every MCP transport mode. Contract verdicts compose under a shared scanner-floor invariant: scanner block always wins over contract allow on every gated path. Contract lifecycle events, shadow evidence, and runtime proxy_decision receipts ship in the new EvidenceReceipt v2 envelope alongside the existing ActionReceipt v1; the Go reference verifies v2 receipts today, and a companion pipelock-verify-python 0.2.0 update is prepared separately for v1 chains plus individual EvidenceReceipt v2 envelopes. Federation plumbing makes inbound mediator envelopes verifiable across organisations: replay-protected verification of envelopes signed by other Pipelock instances, SPIFFE actor identity (with IP-literal trust-domain rejection), and an RFC 9421 well-known signing-key directory. Redaction grows a Gemini parser and a provider plugin shape so third-party LLM providers drop in without code changes. The X-Pipelock-Block-Reason header lets an agent see WHY a request was blocked on every HTTP-capable path (forward / intercept / fetch / reverse / MCP HTTP / WebSocket close-frame), with the same fixed reason vocabulary on the JSON-RPC error metadata for MCP-internal blocks where there is no HTTP response surface. Operators get a wedge-detection watchdog that returns 503 on subsystem stalls, soak observability counters for the capture pipeline and inbound envelope verification, and capture-pipeline race fixes that stamp every record with the active session and policy hash. Plus a tech-debt cleanup that closes the remaining v2.3.0-era TD board (metrics split, reverse-proxy reload hygiene, receipt parity).

New Features

• Learn-and-lock policy compiler. A new four-phase pipeline turns observed agent behaviour into a signed, per-agent behavioural contract. Phase 1 observe records flight-recorder evidence with a 5-dimension observation schema and a write-only observation log per session. Phase 2 compile infers normalised rule shapes (Wilson-lower-bound confidence with conditional-on-opportunity denominators, frequency-weighted entropy path normalisation, per-host cardinality cap with explicit tail-coverage gating) and emits a signed candidate contract plus an operator review markdown. Phase 3 shadow replays captured observations against the candidate without blocking, emitting would_have_blocked and shadow_delta evidence plus replay fidelity gates so non-replayable surfaces stay flagged. Phase 4 activates via two-phase commit: pipelock learn ratify (operator-signed ratification per rule), pipelock learn promote (signed promote-intent then atomic active-manifest swap with monotonic generation + prior_manifest_hash CAS), pipelock learn forget (per-rule withdrawal). Operator workflow includes a content-addressed history under ~/.pipelock/contracts/ with append-only .activation_journal.jsonl, signed monotonic active-manifest, immutable per-manifest blobs, and tombstone markers (no overwrites, no symlinks). New signing key purposes: contract-compile-signing (warm), contract-activation-signing (cold/operator), with deployment-level roster-root and break-glass recovery-root. Configurable per-agent in the learn config block; default-off. (#442, #444, #447, #452, #454, #455, #456, #457, #458, #459, #460, #461, #463)
• Live policy enforcement on promoted contracts. Once a contract is promoted, the active manifest is consumed at request time across every URL-bearing transport plus the MCP tool-call surface. A shared decisionGate helper wires the contract evaluator alongside the existing scanner verdict on each gated path; the runtime evaluator applies kill-switch first, then scanner verdict, then contract verdict, then mode gating, in a single decision sequence. Transports covered: forward proxy (absolute-URI and CONNECT tunneling), reverse proxy and redirect-refresh chains (the redirected leg is re-evaluated against the redirected URL, not the original, so an allowed origin cannot be used as a redirect bridge to an unapproved destination), intercept proxy, /fetch endpoint, WebSocket /ws handshake, MCP HTTP listener (pipelock mcp proxy --listen --upstream), MCP stdio-to-HTTP bridge (pipelock mcp proxy --upstream), and MCP stdio subprocess wrap (pipelock mcp proxy -- COMMAND). MCP tools/call decisions evaluate the new mcp_tool_call rule kind through runtime.EvaluateMCP; denied tool calls return a structured JSON-RPC error with block-reason metadata and never reach the upstream. CONNECT gates evaluate against host:port only by design (CONNECT cannot see paths). Mode gating preserves capture-mode silence (no block, no shadow record), shadow-mode would-have-blocked telemetry (allow + record), and live-mode enforcement (block). The active manifest store reloads on filesystem change via fsnotify with a 100ms debounce and a 2s maximum-debounce cap, fail-closed on initial reload, and the loader recovers a missed promote via the accepted-history chain walk so a crash between promote-intent and promote-committed cannot strand the runtime on a stale manifest. (#482, #483, #485, #486, #487, #488, #489, #490)
• mcp_tool_call rule kind and runtime evaluator. A new schema rule kind matches MCP tool-call requests by tool name and argument shape, with runtime.EvaluateMCP applying the kind on every MCP transport mode. Argument matchers compare type-erased values defensively: nil-on-either-side comparisons short-circuit before stringification so a nil matcher cannot match a request value of literal string "<nil>", closing a display-vs-reality bypass class. The compile pipeline emitting mcp_tool_call rules is sequenced for a follow-up; v2.4 ships the schema and runtime so an operator-authored contract can already gate tool calls. (#485)
• Contract block-reason vocabulary and proxy_decision receipt builder. New canonical block-reason codes (contract_default_deny, contract_rule_deny, mcp_tool_blocked, etc.) extend the existing X-Pipelock-Block-Reason vocabulary so contract-driven blocks emit a structured response header alongside scanner blocks. The runtime.BuildProxyDecisionReceipt builder produces the proxy_decision payload kind for the EvidenceReceipt v2 envelope; v2.4 wires receipt emission across the live-lock arc, with the v1-to-v2 cutover for non-contract decisions sequenced as a follow-up sweep so the existing audit pipeline keeps working unchanged for non-contract-aware deployments. (#484)
• EvidenceReceipt v2 envelope. A new signed receipt envelope covers contract lifecycle, shadow evidence, and runtime contract-aware proxy decisions. The proxy_decision payload kind is built by runtime.BuildProxyDecisionReceipt (#484) and emitted from the live-lock arc; the lifecycle and shadow kinds emit from the activation CLI and replay surfaces. Distinguished from the legacy ActionReceipt v1 by a top-level record_type field; v1 verifiers reject v2 with explicit unsupported version 2 (expected 1) so the existing verifier ecosystem is undisturbed. Payload kinds: proxy_decision, contract_ratified, contract_promote_intent, contract_promote_committed, contract_rollback_authorized, contract_rollback_committed, contract_demoted, contract_expired, contract_drift, shadow_delta, opportunity_missing, key_rotation, contract_redaction_request. RFC 8785 JCS canonicalisation over typed structures (not raw YAML/JSON bytes) with strict unknown-field rejection recursively in every signed object. (#442)
• Inbound mediation envelope verification + replay cache. New mediation_envelope.verify_inbound config block, trust-list of pinned Ed25519 public keys (versioned pipelock-ed25519-public-v1 or raw 64-character hex, each with optional SPIFFE trust_domains restriction), and a nonce-keyed in-process replay cache so envelopes signed by other Pipelock mediators are accepted, verified, and protected against replay. Transport coverage tested across forward / intercept / reverse. When enabled the proxy requires the Pipelock-Mediation header on every body-bearing inbound request: missing or invalid signatures reject with 403 / inbound_verify_failed. Trust-list entries with empty trust_domains accept any actor under that key in v2.4 (migration default); v2.5 will require an explicit pin. (#465)
• SPIFFE actor format on the mediation envelope. Envelope actor field accepts SPIFFE IDs (spiffe://trust-domain/workload) for cross-org interoperability. Schema migration with permissive default: outbound envelopes write SPIFFE format, inbound accepts both unstructured and SPIFFE in v2.4. v2.5 will flip inbound to default-strict (require SPIFFE). (#465)
• /.well-known/http-message-signatures-directory per RFC 9421. Pipelock serves a directory of its current mediation-envelope public verification keys at the standard well-known path so verifiers can fetch key material without out-of-band SHA pinning. The prepared pipelock-verify-python 0.2.0 example switches its key-pinning recipe from a hardcoded SHA to a directory fetch once that verifier release is published. (#465)
• Generic SSE per-event injection detection scaffolding. New internal/mcp/sse_generic.go scanner runs the per-event DLP and injection passes on any text/event-stream response (OpenAI chat completions, Anthropic messages, Kilo Gateway, generic LLM SSE). The cross-event split limitation called out in the v2.3.0 CHANGELOG remains a documented gap in v2.4: a secret split across two consecutive events is still NOT detected for non-A2A streams. A2A's rolling-tail scanner continues to cover that case for A2A protocol traffic. Generalising cross-event detection to any SSE stream is tracked as a follow-up.
• Redaction Gemini parser + provider plugin shape. v1 ships Anthropic + OpenAI body parsers. v1.1 adds Gemini and generalises the parser registration so third-party providers drop in without forking the redact package. New internal/redact/providers.go::DefaultProviderSpecs() registers anthropic, openai, and gemini with shared JSON walker; internal/proxy/redaction_runtime.go wires the registry through forward / intercept / reverse / WebSocket transports. Custom providers ride the same shape. (#462)
• X-Pipelock-Block-Reason response header. Every HTTP-capable block path emits a structured response header naming the rule class that fired (dlp_match, ssrf_private_ip, tool_policy_deny, airlock_active, kill_switch_active, etc.), the severity, and an optional retry hint. Transports with an HTTP response surface — forward, intercept, fetch, reverse, MCP HTTP, and WebSocket close-frame payload — set the header. MCP-internal blocks (stdio JSON-RPC, tool_poisoning, tool_chain_blocked) carry the same fixed reason vocabulary on the JSON-RPC error metadata where no HTTP header surface exists; this is enforced by a static production-path matrix gate so the vocabulary cannot drift from shipped behavior. Lets an agent back off intelligently without parsing the block-body text. (#467, #469, #475)
• pipelock mcp proxy --header flag with strict header hardening. Pass arbitrary request headers on the upstream-MCP connection (forwarded to every tool call). Header names must be RFC 7230 tokens; values are validated before trimming and reject ASCII control bytes, DEL, CRLF, and Unicode whitespace. Transport-managed and connection-critical headers are blocked case-insensitively: Content-Type, Accept, Mcp-Session-Id, Content-Length, Transfer-Encoding, and Host. The CLI flag-parser and the HTTP transport-level guard both enforce the rejection so an attacker-controlled extra header can't shadow Pipelock's session correlation or smuggle a request via header injection. Pairs with the new --exempt-domain wildcard parity (matching every other domain check). (#466, #475)
• MCP HTTP listener SSE upstream parity. pipelock mcp proxy --listen --upstream now routes text/event-stream upstream responses through SSEReader so JSON-RPC messages stream to the listener client without waiting for upstream EOF. Closes a regression where SSE-streaming MCP servers (mcp-server-stripe, mcp-server-lakera, etc.) sat silent until the upstream finished or timed out. (#472)
• Wedge-detection watchdog. health_watchdog defaults enabled; subsystem heartbeats from the proxy hot path, MCP listeners, and the rules-engine reload watcher feed a single watchdog. /health returns 503 with the wedged subsystem name when any heartbeat goes stale, so an external healthcheck or the cluster liveness probe surfaces a wedge automatically. New health_watchdog.expose_subsystems: true adds a per-subsystem map to the health payload for operator dashboards (omitted by default to keep the response opaque to unauthenticated callers). (#473)
• Capture pipeline + race fixes for the learn-and-lock recorder. Capture records now stamp SessionID at every observer call site, preserve caller-side effective_action / config_hash / profile, capture after suppression for forward and reverse parity, add a per-MCP ConfigHashFn so reload-time hash drift is bound to the captured envelope, and fix the canonical-policy-hash race where two reloads could interleave and leave a record stamped with neither hash. Unsafe or overlength session IDs are hashed on disk and session_id_original preserves the raw logical key for offline compile/shadow fidelity (omitted on path-safe keys to avoid leaking client IPs into every record). New validateCaptureSessionDir rejects sibling-session directories whose first JSONL entry attributes traffic to a different agent, preventing poisoned-capture name discovery. End-to-end regression test landed alongside the fix. (#474)
• SPIFFE actor IP-literal rejection, block-reason pairing helpers, tombstone scope. SPIFFE trust domains now reject IPv4 and IPv6 literals at envelope verification AND at config validation so a partner cannot impersonate a domain via a numeric host. blockreason.NewForReason and blockreason.MustNewForReason constructors look up the canonical severity / retry pair from the v1 spec so call sites cannot accidentally emit a mismatched (dlp_match + info + policy) triple. Tombstone records are scoped explicitly as evidence markers, not activation-time enforcement. Conformance fixtures included. (#470)
• Soak observability counters and transport parity. New pipelock_capture_dropped_total, pipelock_capture_session_id_sanitized_total{reason}, pipelock_envelope_verify_total{result}, pipelock_learn_capture_records_total, and pipelock_learn_capture_dropped_total counters let operators watch the capture pipeline and inbound envelope verification at runtime. New TLS-intercept transport capture metadata test and a static production-path block-reason matrix prove every canonical reason has at least one production emit site (or is documented as an intentional exemption). The unified captureSessionKeyMaxLen constant collapses three duplicate definitions into one. (#475)
• Synthetic replay regression harness. A deterministic fixture corpus + golden-snapshot test suite for the learn-and-lock pipeline. Compiles a hand-curated multi-session capture corpus, replays it against a frozen candidate config, and byte-compares the contract YAML, compile manifest, replay diff, review markdown, and the rendered corpus JSONL against checked-in goldens. Wires make test-replay-harness and a dedicated CI step ahead of the broader test job so byte-level drift in compile / inference / signing logic fails fast. Refresh procedure documented in the test file. (#468)
• Live-lock decision matrix harness. A capture-domain test harness that exercises the runtime gate composition end-to-end: kill switch first, then scanner verdict, then contract verdict, then mode gating, across every URL-bearing transport (forward, intercept, reverse, fetch, WebSocket) and the MCP tool-call surface. Closes the verification gap where transport-level gate composition was tested per-transport but never as a unified matrix. (#491)

Internal Refactors (tech-debt sprint)

• TD-6: internal/metrics per-feature bundle split. The 1,171-LOC internal/metrics/metrics.go is split into typed bundles: ProxyMetrics, ScannerMetrics, TLSMetrics, etc. Maintainability index up; no semantic change. Fresh canonical-hash golden fixtures pin the metrics-shape contract. (#441)
• TD-7/8/9: reverse-proxy reload hygiene + receipt parity. Combined PR closes three drift sources: Close() on the reverse-proxy scanner during reload (drains in-flight scan goroutines), toolBaseline rebuild on the detect_drift: false → true rising edge (previously stale state survived the toggle), and reverse-proxy receipt parity for SSE / compressed / oversize blocks (previously a fetch-path-only happy path). (#443)

Fixed

• MCP zombie-reaper drains adopted-descendant subprocesses during long-lived wraps. SIGCHLD-driven goroutine on Linux walks /proc, finds zombies whose PPID == pipelock, and reaps them PID-specifically so stdio MCP wraps that orphan grandchildren no longer accumulate <defunct> entries. Linux-only; non-Linux is a no-op stub. (#449)
• Sentry scrubber adapted to sentry-go 0.46. Compatibility shim for upstream BeforeSend signature change. (#453)
• Python verifier fixture pinned, with CI policy gate. testdata/python_verifier_fixture/ now ships a pinned requirements.txt with hashes plus a CI policy gate that fails any unpinned addition. The reference verifier is a security boundary; pinning prevents transitive supply-chain drift. (#448)
• Capture pipeline classifies learn observations for tech-debt metrics. Soak observability counters now distinguish learn-mode capture records from production decisions, so the debt-metric counters reflect real production traffic rather than inflated learn-mode evidence. (#480)

Deprecated / Removed

• (none in this release)

... (truncated)

Commits

• See full diff in compare view

Updates github/codeql-action from 4.35.3 to 4.35.4

Release notes

Sourced from github/codeql-action's releases.

v4.35.4

• Update default CodeQL bundle version to 2.25.4. #3881

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.35.4 - 07 May 2026

• Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

4.34.1 - 20 Mar 2026

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
• Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

... (truncated)

Commits

• 68bde55 Merge pull request #3885 from github/update-v4.35.4-803d9e8c3
• 9739ad2 Update changelog for v4.35.4
• 803d9e8 Merge pull request #3883 from github/mbg/test/macro-wrapper
• 0fd9c7d Merge pull request #3882 from github/dependabot/github_actions/dot-github/wor...
• 922d6fb Use makeMacro instead of test.macro
• df77e87 Update test macro snippet
• 6e3f985 Add wrapper for test.macro
• e7a347d Merge pull request #3881 from github/update-bundle/codeql-bundle-v2.25.4
• 17eabb2 Rebuild
• aaef09c Bump ruby/setup-ruby
• Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.9.0 to 5.0.0

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in actions/dependency-review-action#1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in actions/dependency-review-action#1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in actions/dependency-review-action#1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in actions/dependency-review-action#1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in actions/dependency-review-action#1076
• Resolve security findings by @​AshelyTC in actions/dependency-review-action#1094
• v5.0.0 release branch by @​ahpook in actions/dependency-review-action#1098

New Contributors

• @​scottschreckengaust made their first contribution in actions/dependency-review-action#1084
• @​mongolyy made their first contribution in actions/dependency-review-action#1091
• @​Marukome0743 made their first contribution in actions/dependency-review-action#1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Commits

• a1d282b Merge pull request #1098 from actions/ahpook/v5-release
• eb6c199 update examples to show @​v5
• 3943c2c v5.0.0 release branch
• 454943c Merge pull request #1094 from actions/ashelytc/security-findings
• 6d92a12 revert @​typescript-eslint/parser update
• a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
• b6b7079 update @​typescript-eslint/parser to 8.40.0
• 821a21d update more dependencies
• 05aaaae run npm audit fix
• 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: ci. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.