
chore(deps): Update GitHub Actions#44

Open
williaby wants to merge 1 commit into
mainfrom
renovate/github-actions

Conversation

@williaby
Contributor

@williaby williaby commented May 28, 2026

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Package                               Type    Update  Change              OpenSSF
ByronWilliamsCPA/.github (changelog)  action  digest  e8fc83c40ff5b5      OpenSSF Scorecard
actions/checkout                      action  minor   v4.2.2 → v4.3.1     OpenSSF Scorecard
github/codeql-action                  action  minor   v3.35.3 → v3.36.0   OpenSSF Scorecard
step-security/harden-runner           action  patch   v2.19.1 → v2.19.4   OpenSSF Scorecard

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes


Release Notes

actions/checkout (actions/checkout)

v4.3.1

Compare Source

v4.3.0

Compare Source

github/codeql-action (github/codeql-action)

v3.36.0

Compare Source

  • Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
  • Add support for SHA-256 Git object IDs. #3893
  • Update default CodeQL bundle version to 2.25.5. #3926

v3.35.5

Compare Source

  • We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
  • For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
  • If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
  • Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

v3.35.4

Compare Source

step-security/harden-runner (step-security/harden-runner)

v2.19.4

Compare Source

What's Changed
  • Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

Compare Source

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

Compare Source

What's Changed
  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "after 10pm every weekday,before 5am every weekday,every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Copilot AI review requested due to automatic review settings May 28, 2026 04:41
@coderabbitai

coderabbitai Bot commented May 28, 2026

Warning

Review limit reached

@williaby, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 6 minutes and 31 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: c08bf5c0-695f-4915-8756-d16a127df83a

📥 Commits

Reviewing files that changed from the base of the PR and between c0eb24a and 6eab07b.

📒 Files selected for processing (16)
  • .github/workflows/codecov.yml
  • .github/workflows/codeql.yml
  • .github/workflows/coverage.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/docs.yml
  • .github/workflows/fips-compatibility.yml
  • .github/workflows/mutation-testing.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/python-compatibility.yml
  • .github/workflows/qlty.yml
  • .github/workflows/reuse.yml
  • .github/workflows/sbom.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/security-analysis.yml
  • .github/workflows/slsa-provenance.yml
  • .github/workflows/sonarcloud.yml

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov

codecov Bot commented May 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!


Copilot AI left a comment


Pull request overview

Updates pinned versions/digests for GitHub Actions and org-level reusable workflows used across this repo’s CI/security automation.

Changes:

  • Bump ByronWilliamsCPA/.github reusable workflow references to a newer pinned digest across multiple workflows.
  • Update actions/checkout to v4.3.1 (pinned by commit SHA).
  • Update github/codeql-action to v3.36.0 and step-security/harden-runner to v2.19.4 (both pinned by commit SHA).

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 1 comment.

File                                          Description
.github/workflows/sonarcloud.yml              Pins SonarCloud reusable workflow to updated .github digest.
.github/workflows/slsa-provenance.yml         Updates harden-runner SHA and pins SLSA reusable workflow to updated .github digest.
.github/workflows/security-analysis.yml       Pins security analysis reusable workflow to updated .github digest.
.github/workflows/scorecard.yml               Pins scorecard reusable workflow to updated .github digest.
.github/workflows/sbom.yml                    Pins SBOM reusable workflow to updated .github digest.
.github/workflows/reuse.yml                   Pins REUSE reusable workflow to updated .github digest.
.github/workflows/qlty.yml                    Pins Qlty coverage reusable workflow to updated .github digest.
.github/workflows/python-compatibility.yml    Pins compatibility reusable workflow to updated .github digest.
.github/workflows/pr-validation.yml           Pins supplemental checks reusable workflow and updates harden-runner SHA.
.github/workflows/mutation-testing.yml        Pins mutation testing reusable workflow to updated .github digest.
.github/workflows/docs.yml                    Pins docs reusable workflow to updated .github digest.
.github/workflows/dependency-review.yml       Updates actions/checkout to v4.3.1 (pinned SHA).
.github/workflows/coverage.yml                Pins Qlty coverage reusable workflow to updated .github digest.
.github/workflows/codeql.yml                  Updates harden-runner SHA and bumps CodeQL action to v3.36.0 (pinned SHA).
.github/workflows/codecov.yml                 Pins codecov reusable workflow to updated .github digest.
.github/workflows/fips-compatibility.yml      Pins FIPS reusable workflow to updated .github digest.

Comment on lines 59 to 61
- name: Initialize CodeQL
uses: github/codeql-action/init@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3.35.3
uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.36.0
with:
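Review bot: before merging, confirm that 03e4368ac7daa2bd82b3e85262f3bf87ee112f57 is the commit the v3.36.0 tag of github/codeql-action actually points to, because the "# v3.36.0" comment is the only human-readable part of this pin and a comment that disagrees with the SHA would not fail any CI check. Note also that this is a minor bump whose release notes above list a "Breaking change" (minimum CodeQL bundle version raised to 2.19.4), which contradicts the PR summary's "patch update ... with no API changes"; the CodeQL bundle used by codeql.yml should be checked against that minimum and the summary corrected.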
@williaby williaby force-pushed the renovate/github-actions branch 2 times, most recently from 3cbc91f to d7a5905 Compare May 28, 2026 20:12
@williaby williaby force-pushed the renovate/github-actions branch from d7a5905 to 6eab07b Compare May 30, 2026 23:13
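The Copilot overview above relies on every action and reusable workflow being pinned by full commit SHA with a version comment that Renovate keeps in sync. As an added example (not code from this repository, Renovate or Copilot), assuming Python 3.9 or later, this checker scans workflow files and flags any `uses:` reference that is a tag, branch or short digest rather than a full SHA, or a SHA pin without the `# vX.Y.Z` comment; the sample workflow it ships with is constructed except for the CodeQL line taken from the diff above.

```python
import re
import sys
from dataclasses import dataclass

# A `uses:` reference: owner/repo[/path]@ref, optionally followed by a "# vX.Y.Z" comment.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*?))?\s*$"
)
# Only full object IDs pin: 40-hex SHA-1 or 64-hex SHA-256 (assumed form). Tags, branches and short digests do not.
FULL_SHA_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")
VERSION_RE = re.compile(r"^v?\d+(?:\.\d+)*$")

@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    problem: str

def check_workflow(text: str) -> list[Finding]:
    """Flag every `uses:` line that is not a full-SHA pin carrying a version comment."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            continue  # not an action/workflow reference (e.g. a local ./action with no @ref)
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(line_no, action, ref, "not a full commit SHA (tag, branch or short digest)"))
        elif comment is None or not VERSION_RE.match(comment.split()[0]):
            findings.append(Finding(line_no, action, ref, "SHA pin without a '# vX.Y.Z' comment"))
    return findings

# Constructed sample (not the repo's real workflow): the PR's CodeQL line, a tag pin, a SHA pin (placeholder hex) with no comment.
SAMPLE_WORKFLOW = """\
jobs:
  analyze:
    steps:
      - name: Initialize CodeQL
        uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.36.0
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":  # usage: python check_pins.py .github/workflows/*.yml (no args: sample)
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("sample", SAMPLE_WORKFLOW)]
    for name, text in sources:
        for f in check_workflow(text):
            print(f"{name}:{f.line_no}: {f.action}@{f.ref}: {f.problem}")
```

Run against the sample it reports the checkout tag pin and the setup-python pin without a comment; the CodeQL line from this PR passes.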
