Skip to content

chore(deps): update github-actions#479

Open
renovate[bot] wants to merge 2 commits into
mainfrom
renovate/github-actions
Open

chore(deps): update github-actions#479
renovate[bot] wants to merge 2 commits into
mainfrom
renovate/github-actions

Conversation

@renovate

@renovate renovate Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change Pending
actions/cache action patch v5.0.4v5.0.5 v5.1.0
actions/checkout action patch v6.0.2v6.0.3
crowdin/github-action action patch v2.16.2v2.16.3
github/codeql-action action patch v4.36.0v4.36.2 v4.36.3
projectdiscovery/nuclei-action action patch v3.1.0v3.1.1
qltysh/qlty-action action patch v2.2.0v2.2.1
zizmorcore/zizmor-action action patch v0.5.6v0.5.7

Release Notes

actions/cache (actions/cache)

v5.0.5

Compare Source

What's Changed

Full Changelog: actions/cache@v5...v5.0.5

actions/checkout (actions/checkout)

v6.0.3

Compare Source

crowdin/github-action (crowdin/github-action)

v2.16.3

Compare Source

What's Changed

Full Changelog: crowdin/github-action@v2.16.2...v2.16.3

github/codeql-action (github/codeql-action)

v4.36.2

Compare Source

  • Cache CodeQL CLI version information across Actions steps. #​3943
  • Reduce requests while waiting for analysis processing by using exponential backoff when polling SARIF processing status. #​3937
  • Update default CodeQL bundle version to 2.25.6. #​3948

v4.36.1

Compare Source

No user facing changes.

projectdiscovery/nuclei-action (projectdiscovery/nuclei-action)

v3.1.1

Compare Source

qltysh/qlty-action (qltysh/qlty-action)

v2.2.1

Compare Source

  • Bump action runtime to node24
zizmorcore/zizmor-action (zizmorcore/zizmor-action)

v0.5.7

Compare Source

1.26.1 is now available via the action
1.26.1 is now the default version of zizmor used by the action


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "before 6am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

🔒 Security

  • Bumped pinned GitHub Actions across workflow files:
    • actions/cache v5.0.4v5.0.5
    • actions/checkout v6.0.2v6.0.3
    • crowdin/github-action v2.16.2v2.16.3
    • github/codeql-action v4.36.0v4.36.2
    • projectdiscovery/nuclei-action v3.1.0v3.1.1
    • qltysh/qlty-action v2.2.0v2.2.1
    • zizmorcore/zizmor-action v0.5.6v0.5.7

🔧 Changed

  • Updated workflow pins in CI, E2E, i18n, release, security, and quality mutation jobs.
  • Aligned .github/tests/crowdin-workflow.test.ts with the new immutable Crowdin action pin.
  • Aligned .github/tests/github-action-pins.ts with the new cached actions/cache and actions/checkout SHAs.

🐛 Fixed

  • Kept workflow self-tests in sync with Renovate-driven action pin updates.

  • Verify the updated pinned SHAs still match the intended immutable releases in all workflows.

  • Confirm no additional workflow files still reference the old action versions.

  • Ensure the CodeQL/Crowdin/Nuclei/Zizmor updates do not require any follow-up config changes.

@renovate renovate Bot requested a review from scttbnsn as a code owner July 6, 2026 00:01
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jul 6, 2026
@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
drydock-website Ready Ready Preview, Comment Jul 6, 2026 2:57pm
drydockdemo-website Ready Ready Preview, Comment Jul 6, 2026 2:57pm

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: ef4456bd-21b6-4f8b-b954-1b99cf6685c3

📥 Commits

Reviewing files that changed from the base of the PR and between 1badc49 and aeefc98.

📒 Files selected for processing (9)
  • .github/tests/crowdin-workflow.test.ts
  • .github/tests/github-action-pins.ts
  • .github/workflows/ci-verify.yml
  • .github/workflows/e2e-playwright.yml
  • .github/workflows/i18n-crowdin.yml
  • .github/workflows/quality-mutation-monthly.yml
  • .github/workflows/release-cut.yml
  • .github/workflows/security-grype.yml
  • .github/workflows/security-scorecard.yml

📝 Walkthrough

Walkthrough

Changes

Updates pinned GitHub Actions commit SHAs across CI/CD workflow files: actions/checkout (v6.0.2→v6.0.3), actions/cache (v5.0.4→v5.0.5), github/codeql-action (v4.36.0→v4.36.2), crowdin/github-action (v2.16.2→v2.16.3), zizmorcore/zizmor-action (v0.5.6→v0.5.7), qltysh/qlty-action/install (v2.2.0→v2.2.1), and projectdiscovery/nuclei-action (v3.1.0→v3.1.1). Corresponding test fixtures in crowdin-workflow.test.ts and github-action-pins.ts are updated with new expected pin values.

Related PRs: none identified.

Suggested labels: dependencies, ci, github-actions

Suggested reviewers: none identified.

No source code logic reviewed here—just SHA bumps. Verify each new SHA actually resolves to the claimed tag before merge; a mismatched SHA-to-tag comment is a silent supply-chain risk, not a typo.

git ls-remote --tags https://github.com/actions/checkout v6.0.3

Confirm output SHA matches the pinned hash in every file before approving.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/github-actions

Comment @coderabbitai help to get the list of available commands.

@renovate

renovate Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

scttbnsn added a commit that referenced this pull request Jul 6, 2026
Ports renovate/github-actions c1c407f + our follow-up test-alignment
fix aeefc98.
scttbnsn added a commit that referenced this pull request Jul 6, 2026
Ports renovate/playwright 68af428 + our follow-up fix 6776c65
bumping PLAYWRIGHT_IMAGE to v1.61.1-noble with its verified digest.
Reconciled with #479's action-SHA bump on the same workflow file so
both changes hold.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant