build(deps): bump the github-actions group across 1 directory with 4 updates

[dependabot]

Bumps the github-actions group with 4 updates in the / directory: step-security/harden-runner, actions/checkout, oxsecurity/megalinter and actions/cache.

Updates step-security/harden-runner from 2.14.0 to 2.15.1

Release notes

Sourced from step-security/harden-runner's releases.

v2.15.1

What's Changed

• Fixes step-security/harden-runner#642 bug due to which post step was failing on Windows ARM runners
• Updates npm packages

Full Changelog: step-security/harden-runner@v2.15.0...v2.15.1

v2.15.0

What's Changed

Windows and macOS runner support

We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.

Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.

Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0

v2.14.2

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

v2.14.1

What's Changed

1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

Commits

• 58077d3 Release v2.15.1 (#641)
• a90bcbc Update readme (#637)
• f0a59d8 Release v2.15.0 (#639)
• 5ef0c07 Merge pull request #635 from step-security/rc-34
• eb43c7b update agent
• e3f713f Merge pull request #631 from step-security/rc-31
• 423acdd chore: fix npm audit vulnerabilities
• 0ddb86c update agent
• See full diff in compare view

Updates actions/checkout from 6.0.1 to 6.0.2

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

• Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set by @​TingluoHuang in actions/checkout#2355
• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

Full Changelog: actions/checkout@v6.0.1...v6.0.2

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

... (truncated)

Commits

• de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
• 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
• See full diff in compare view

Updates oxsecurity/megalinter from 9.2.0 to 9.4.0

Release notes

Sourced from oxsecurity/megalinter's releases.

v9.4.0

What's Changed

• Core

  • Improve files browsing performances (2 PRs)
  • Optimize parallel linter processing and improve grouping logic
  • Improve performance of listing .gitignored files by sending excluded directories to git ls-files
  • If there are more than 500 .gitignored files, advise to add more excluded directories using variable ADDITIONAL_EXCLUDED_DIRECTORIES, to improve performances
  • Reduce redundant config lookups, environment copies, and dict rebuilds across config, linter, and utils modules
  • Cache subprocess environment per linter run and excluded directories per request
  • Optimize parallel linter result update from O(n²) to O(n)
  • Add support in the build of Docker images for linux/arm64 in compatible linters

• New linters

  • Add PYTHON_NBQA_MYPY for type-checking Jupyter notebooks using nbqa + mypy

• Disabled linters

  • LUA_SELENE: Kampfkarren/selene#662

• Linters enhancements

  • Use the official checkmake image by @​bdovaz
  • Spectral: Add sarif support to spectral by @​bdovaz
  • Spectral: Change cli_lint_mode to list_of_files to improve performances

• Fixes

  • Add support for SSH remote origins when building custom flavors (fixes: #6511)
  • Fix issue with plugins ignored when FLAVOR_SUGGESTIONS=false
  • Fix wrong tagging apply_fixes=True when linter has no fix options configured
  • Python mypy: Remove .ipynb from file extensions (mypy doesn't support notebooks directly) - fixes #6904
  • Fix operator precedence bug in pre_post_factory pre/post command logic
  • Fix file handle leak in GitleaksLinter
  • Fix variable name bug in utils.get_git_context_info
  • Minor fixes in logger, SqlFluffLinter, PowershellLinter, TrivyLinter

• Reporters

  • Add a link inviting to star MegaLinter
  • Display in the console reporter the working directory from which the commands are executed by @​bdovaz
  • Update WebHook reporter so it can send more events for a better integration with UI
  • When truncating long comments in markdown reports, keep the end of the text instead of the beginning (which usually contains less useful information)
  • In case GitHub Api returns 500, do not make the whole MegaLinter fail, display a warning instead
  • Azure Reporter: Use Azure DevOps Services REST API instead of unmaintained python wrapper lib

• Flavors

  • Custom flavor builder:
    • Add support for SSH remotes
    • Allow selection of platforms to build the custom flavor on (ex: linux/amd64, linux/arm64) and build compatible linters on these platforms
    • Build & release custom flavor builder image for linux/arm64

• Doc

  • JSON Schema: Add default values for file extensions and file names variables + improve descriptions

... (truncated)

Changelog

Sourced from oxsecurity/megalinter's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased] (beta, main branch content)

Note: Can be used with oxsecurity/megalinter@beta in your GitHub Action mega-linter.yml file, or with oxsecurity/megalinter:beta docker image

• Core

• New linters

• Disabled linters

• Deprecated linters

• Removed linters

• Media

• Linters enhancements

• Fixes

• Reporters

• Flavors

• Doc

• CI

• mega-linter-runner

• Linter versions upgrades (N)

  • isort from 8.0.0 to 8.0.1 on 2026-02-28
  • rumdl from 0.1.32 to 0.1.33 on 2026-03-04
  • trivy-sbom from 0.69.1 to 0.69.2 on 2026-03-04
  • trivy from 0.69.1 to 0.69.2 on 2026-03-04
  • cfn-lint from 1.45.0 to 1.46.0 on 2026-03-09
  • rumdl from 0.1.33 to 0.1.42 on 2026-03-09
  • black from 26.1.0 to 26.3.0 on 2026-03-09
  • grype from 0.109.0 to 0.109.1 on 2026-03-09
  • syft from 1.42.1 to 1.42.2 on 2026-03-09
  • clippy from 0.1.93 to 0.1.94 on 2026-03-09
  • npm-groovy-lint from 16.2.0 to 17.0.0 on 2026-03-10
  • dotnet-format from 9.0.114 to 10.0.103 on 2026-03-10
  • htmlhint from 1.9.1 to 1.9.2 on 2026-03-10

... (truncated)

Commits

• 8fbdead Release MegaLinter v9.4.0
• 9f605c4 Fix custom flavor builder workflow (#7306)
• b7dcb60 Update changelog to prepare release (#7304)
• 3077b04 chore(deps): update dependency regex to v2026.2.28 (#7303)
• edba876 [automation] Auto-update linters version, help and documentation (#7299)
• 07fb84d chore(deps): update dependency python-gitlab to v8.1.0 (#7302)
• 4d42e33 chore(deps): update dependency fastapi to v0.134.0 (#7301)
• 649726c chore(deps): update dependency rumdl to v0.1.32 (#7300)
• 768b5a3 chore(deps): update dependency virtualenv to v21.1.0 (#7298)
• 7e73a76 chore(deps): update dependency eslint-plugin-jsonc to v3 (#7260)
• Additional commits viewable in compare view

Updates actions/cache from 5.0.1 to 5.0.3

Release notes

Sourced from actions/cache's releases.

v5.0.3

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v.5.0.2

v5.0.2

What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

4.3.0

• Bump @actions/cache to v4.1.0

... (truncated)

Commits

• cdf6c1f Merge pull request #1695 from actions/Link-/prepare-5.0.3
• a1bee22 Add review for the @​actions/http-client license
• 4695763 Add licensed output
• dc73bb9 Upgrade dependencies and address security warnings
• 345d5c2 Add 5.0.3 builds
• 8b402f5 Merge pull request #1692 from GhadimiR/main
• 304ab5a license for httpclient
• 609fc19 Update licensed record for cache
• b22231e Build
• 93150cd Add PR link to releases
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

✅⚠️MegaLinter analysis: Success with warnings

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	8		0	0	0.11s
✅ DOCKERFILE	hadolint	1		0	0	0.13s
✅ JSON	prettier	6	1	0	0	0.65s
✅ JSON	v8r	6		0	0	3.75s
⚠️ MARKDOWN	markdownlint	9	1	11	0	1.29s
✅ MARKDOWN	markdown-table-formatter	9	1	0	0	0.5s
⚠️ REPOSITORY	checkov	yes		no	1	23.95s
✅ REPOSITORY	git_diff	yes		no	no	0.19s
✅ REPOSITORY	grype	yes		no	no	39.48s
✅ REPOSITORY	secretlint	yes		no	no	2.64s
✅ REPOSITORY	syft	yes		no	no	4.5s
✅ REPOSITORY	trivy	yes		no	no	10.48s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.64s
✅ REPOSITORY	trufflehog	yes		no	no	5.2s
⚠️ SPELL	lychee	43		10	0	1.9s
✅ YAML	prettier	12	0	0	0	1.04s
✅ YAML	v8r	12		0	0	7.26s
✅ YAML	yamllint	12		0	0	0.78s

Detailed Issues

⚠️ REPOSITORY / checkov - 1 warning

warning: Ensure that a user for the container has been created
   ┌─ Dockerfile.flex:1:1
   │  
 1 │ ╭ FROM ghcr.io/philips-software/amp-devcontainer-cpp:v6.0.2@sha256:36afaaa5ba4bc4e9bb471012db9733c26a210e315ddb33600f73bb9532b02a25 AS builder
 2 │ │ 
 3 │ │ HEALTHCHECK NONE
 4 │ │ 
   · │
29 │ │ ENTRYPOINT ["/flex/postmaster.flex"]
30 │ │ CMD ["--help"]
   │ ╰──────────────^
   │  
   = Ensure that a user for the container has been created
   = Ensure that a user for the container has been created

warning: 1 warnings emitted

⚠️ SPELL / lychee - 10 errors

[403] https://share.philips.com/sites/SWCoE/Lists/List%20of%20Business%20Categories/AllItems.aspx | Network error: Forbidden
[403] https://share.philips.com/sites/SWCoE/Lists/List%20of%20Business%20Categories/DispForm.aspx?ID=52 | Network error: Forbidden
[404] https://github.com/philips-internal/amp-postmaster/releases/latest | Network error: Not Found
[404] https://github.com/philips-internal/amp-postmaster/security | Network error: Not Found
[ERROR] https://confluence.atlas.philips.com/display/GITHUB/Contribution+Models | Network error: error sending request for url (https://confluence.atlas.philips.com/display/GITHUB/Contribution+Models) Maybe a certificate error?
[404] https://philips-software.github.io/amp-embedded-infra-lib/embedded_infrastructure_library/7.0.0/Echo.html | Network error: Not Found
[404] https://github.com/philips-internal/amp-postmaster/workflows/Continuous%20Integration/badge.svg | Network error: Not Found
[404] https://github.com/philips-internal/amp-postmaster/actions | Network error: Not Found
[404] https://github.com/philips-internal/amp-postmaster/actions/workflows/linting-formatting.yml/badge.svg | Network error: Not Found
[404] https://github.com/philips-internal/amp-postmaster/actions/workflows/linting-formatting.yml | Network error: Not Found
📝 Summary
---------------------
🔍 Total...........94
✅ Successful......84
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors..........10

Errors in README.md
[404] https://github.com/philips-internal/amp-postmaster/actions/workflows/linting-formatting.yml/badge.svg | Network error: Not Found
[404] https://github.com/philips-internal/amp-postmaster/actions/workflows/linting-formatting.yml | Network error: Not Found
[404] https://github.com/philips-internal/amp-postmaster/actions | Network error: Not Found
[404] https://philips-software.github.io/amp-embedded-infra-lib/embedded_infrastructure_library/7.0.0/Echo.html | Network error: Not Found
[404] https://github.com/philips-internal/amp-postmaster/workflows/Continuous%20Integration/badge.svg | Network error: Not Found

Errors in CONTRIBUTING.md
[ERROR] https://confluence.atlas.philips.com/display/GITHUB/Contribution+Models | Network error: error sending request for url (https://confluence.atlas.philips.com/display/GITHUB/Contribution+Models) Maybe a certificate error?

Errors in .github/philips-repo.yaml
[403] https://share.philips.com/sites/SWCoE/Lists/List%20of%20Business%20Categories/DispForm.aspx?ID=52 | Network error: Forbidden
[403] https://share.philips.com/sites/SWCoE/Lists/List%20of%20Business%20Categories/AllItems.aspx | Network error: Forbidden

Errors in .github/SECURITY.md
[404] https://github.com/philips-internal/amp-postmaster/security | Network error: Not Found
[404] https://github.com/philips-internal/amp-postmaster/releases/latest | Network error: Not Found

⚠️ MARKDOWN / markdownlint - 11 errors

CHANGELOG.md:28 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:40 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:47 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Features"]
CHANGELOG.md:52 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:59 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
CHANGELOG.md:66 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Features"]
CHANGELOG.md:73 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Features"]
CHANGELOG.md:80 error MD024/no-duplicate-heading Multiple headings with the same content [Context: "Bug Fixes"]
LICENSE.md:1 error MD041/first-line-heading/first-line-h1 First line in a file should be a top-level heading [Context: "The MIT License (MIT) Copyrigh..."]
LICENSE.md:3:401 error MD013/line-length Line length [Expected: 400; Actual: 432]
LICENSE.md:7:401 error MD013/line-length Line length [Expected: 400; Actual: 460]

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository