chore(deps): bump the actions-deps group across 1 directory with 11 updates

[dependabot]

Bumps the actions-deps group with 11 updates in the / directory:

Package	From	To
step-security/harden-runner	2.15.0	2.19.0
actions/create-github-app-token	2.2.1	3.1.1
pnpm/action-setup	4.2.0	6.0.4
actions/setup-node	6.2.0	6.4.0
codecov/codecov-action	5.5.2	6.0.0
docker/setup-qemu-action	3.7.0	4.0.0
docker/setup-buildx-action	3.12.0	4.0.0
aws-actions/amazon-ecr-login	2.0.1	2.1.4
docker/build-push-action	6.19.2	7.1.0
actions/upload-artifact	7.0.0	7.0.1
github/codeql-action	4.32.4	4.35.3

Updates step-security/harden-runner from 2.15.0 to 2.19.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

• Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
• System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

v2.17.0

What's Changed

Policy Store Support

Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode.

Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0

v2.16.1

What's Changed

Enterprise tier: Added support for direct IP addresses in the allow list Community tier: Migrated Harden Runner telemetry to a new endpoint

Full Changelog: step-security/harden-runner@v2.16.0...v2.16.1

v2.16.0

What's Changed

• Updated action.yml to use node24
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

v2.15.1

What's Changed

• Fixes step-security/harden-runner#642 bug due to which post step was failing on Windows ARM runners
• Updates npm packages

... (truncated)

Commits

• 8d3c67d Release v2.19.0 (#661)
• 6c3c2f2 Feature/deploy on self hosted vm (#658)
• f808768 Feature/policy store (#656)
• fe10465 v2.16.1 (#654)
• fa2e9d6 Release v2.16.0 (#646)
• 58077d3 Release v2.15.1 (#641)
• See full diff in compare view

Updates actions/create-github-app-token from 2.2.1 to 3.1.1

Release notes

Sourced from actions/create-github-app-token's releases.

v3.1.1

3.1.1 (2026-04-11)

Bug Fixes

• improve error message when app identifier is empty (#362) (07e2b76), closes #249

v3.1.0

3.1.0 (2026-04-11)

Bug Fixes

• deps: bump p-retry from 7.1.1 to 8.0.0 (#357) (3bbe07d)

Features

• add client-id input and deprecate app-id (#353) (e6bd4e6)
• update permission inputs (#358) (076e948)

v3.0.0

3.0.0 (2026-03-14)

• feat!: node 24 support (#275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#143) (dce0ab0)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
• Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

• deps: bump @​actions/core from 1.11.1 to 3.0.0 (#337) (b044133)
• deps: bump minimatch from 9.0.5 to 9.0.9 (#335) (5cbc656)
• deps: bump the production-dependencies group with 4 updates (#336) (6bda5bc)
• deps: bump undici from 7.16.0 to 7.18.2 (#323) (b4f638f)

... (truncated)

Commits

• 1b10c78 build(release): 3.1.1 [skip ci]
• 07e2b76 fix: improve error message when app identifier is empty (#362)
• ea01216 ci: remove publish-immutable-action workflow (#361)
• 7bd0371 build(release): 3.1.0 [skip ci]
• e6bd4e6 feat: add client-id input and deprecate app-id (#353)
• 076e948 feat: update permission inputs (#358)
• 3bbe07d fix(deps): bump p-retry from 7.1.1 to 8.0.0 (#357)
• 28a99e3 build(deps-dev): bump c8 from 10.1.3 to 11.0.0
• 4df5060 build(deps-dev): bump open-cli from 8.0.0 to 9.0.0
• 4843c53 build(deps-dev): bump the development-dependencies group with 3 updates
• Additional commits viewable in compare view

Updates pnpm/action-setup from 4.2.0 to 6.0.4

Release notes

Sourced from pnpm/action-setup's releases.

v6.0.4

What's Changed

• fix: use npm co-located with the action node binary by @​benquarmby in pnpm/action-setup#239

New Contributors

• @​benquarmby made their first contribution in pnpm/action-setup#239

Full Changelog: pnpm/action-setup@v6.0.3...v6.0.4

v6.0.3

Updated pnpm to v11.0.0-rc.5

Full Changelog: pnpm/action-setup@v6.0.2...v6.0.3

v6.0.2

What's Changed

• fix: pnpm self-update binary shadowed by bootstrap on PATH by @​oniani1 in pnpm/action-setup#230

New Contributors

• @​oniani1 made their first contribution in pnpm/action-setup#230

Full Changelog: pnpm/action-setup@v6.0.1...v6.0.2

v6.0.1

Update pnpm to v11.0.0-rc.2. pnpm-lock.yaml will not be saved with two documents unless the packageManager is set via devEngines.packageManager. Related issue: pnpm/action-setup#228

v6.0.0

Added support for pnpm v11.

v5.0.0

Updated the action to use Node.js 24.

v4.4.0

Updated the action to use Node.js 24.

v4.3.0

What's Changed

• docs: fix the run_install example in the Readme by @​dreyks in pnpm/action-setup#175
• chore: remove unused @types/node-fetch dependency by @​silverwind in pnpm/action-setup#186
• Clarify that package_json_file is relative to GITHUB_WORKSPACE by @​chris-martin in pnpm/action-setup#184
• feat: store caching by @​jrmajor in pnpm/action-setup#188
• refactor: remove star imports by @​KSXGitHub in pnpm/action-setup#196
• fix(ci): exclude macos by @​KSXGitHub in pnpm/action-setup#197

New Contributors

• @​dreyks made their first contribution in pnpm/action-setup#175
• @​silverwind made their first contribution in pnpm/action-setup#186
• @​chris-martin made their first contribution in pnpm/action-setup#184
• @​jrmajor made their first contribution in pnpm/action-setup#188

... (truncated)

Commits

• 26f6d4f fix: use npm co-located with the action node binary (#239)
• 903f9c1 fix: update pnpm to 11.0.0-rc.5
• bdf0af2 test: add strict version-match jobs to reproduce #225 / #227
• 71c9247 fix: pnpm self-update binary shadowed by bootstrap on PATH (#230)
• 078e9d4 fix: update pnpm to 11.0.0-rc.2
• 08c4be7 docs(README): update action-setup version
• 5798914 chore: update .gitignore
• ddffd66 fix: remove accidentally committed file
• b43f991 fix: update pnpm to 11.0.0-rc.0
• 3852509 README.md: bring versions up-to-date (#222)
• Additional commits viewable in compare view

Updates actions/setup-node from 6.2.0 to 6.4.0

Release notes

Sourced from actions/setup-node's releases.

v6.4.0

What's Changed

Dependency updates:

• Upgrade @​actions dependencies by @​Copilot in actions/setup-node#1525
• Update Node.js versions in versions.yml and bump package to v6.4.0 by @​priya-kinthali in actions/setup-node#1533

New Contributors

• @​Copilot made their first contribution in actions/setup-node#1525

Full Changelog: actions/setup-node@v6...v6.4.0

v6.3.0

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in actions/setup-node#1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in actions/setup-node#1491
• Replace uuid with crypto.randomUUID() by @​trivikr in actions/setup-node#1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in actions/setup-node#1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in actions/setup-node#1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in actions/setup-node#1495

New Contributors

• @​susnux made their first contribution in actions/setup-node#1283

Full Changelog: actions/setup-node@v6...v6.3.0

Commits

• 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
• ab72c7e Upgrade @​actions dependencies (#1525)
• 53b8394 Bump minimatch from 3.1.2 to 3.1.5 (#1498)
• 54045ab Scope test lockfiles by package manager and update cache tests (#1495)
• c882bff Replace uuid with crypto.randomUUID() (#1378)
• 774c1d6 feat(node-version-file): support parsing devEngines field (#1283)
• efcb663 fix: remove hardcoded bearer (#1467)
• d02c89d Fix npm audit issues (#1491)
• See full diff in compare view

Updates codecov/codecov-action from 5.5.2 to 6.0.0

Release notes

Sourced from codecov/codecov-action's releases.

v6.0.0

⚠️ This version introduces support for node24 which make cause breaking changes for systems that do not currently support node24. ⚠️

What's Changed

• Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0"" by @​thomasrockhu-codecov in codecov/codecov-action#1929
• Th/6.0.0 by @​thomasrockhu-codecov in codecov/codecov-action#1928

Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0

v5.5.4

This is a mirror of v5.5.2. v6 will be released which requires node24

What's Changed

• Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" by @​thomasrockhu-codecov in codecov/codecov-action#1926
• chore(release): 5.5.4 by @​thomasrockhu-codecov in codecov/codecov-action#1927

Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4

v5.5.3

What's Changed

• build(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @​dependabot[bot] in codecov/codecov-action#1874
• chore(release): bump to 5.5.3 by @​thomasrockhu-codecov in codecov/codecov-action#1922

Full Changelog: codecov/codecov-action@v5.5.2...v5.5.3

Changelog

Sourced from codecov/codecov-action's changelog.

v5.5.2

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in codecov/codecov-action#1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in codecov/codecov-action#1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in codecov/codecov-action#1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in codecov/codecov-action#1872
• docs: fix typo in README by @​datalater in codecov/codecov-action#1866
• Document a codecov-cli version reference example by @​webknjaz in codecov/codecov-action#1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in codecov/codecov-action#1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in codecov/codecov-action#1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

What's Changed

• feat: upgrade wrapper to 0.2.4 by @​jviall in codecov/codecov-action#1864
• Pin actions/github-script by Git SHA by @​martincostello in codecov/codecov-action#1859
• fix: check reqs exist by @​joseph-sentry in codecov/codecov-action#1835
• fix: Typo in README by @​spalmurray in codecov/codecov-action#1838
• docs: Refine OIDC docs by @​spalmurray in codecov/codecov-action#1837
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @​app/dependabot in codecov/codecov-action#1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

v5.4.3

What's Changed

• build(deps): bump github/codeql-action from 3.28.13 to 3.28.17 by @​app/dependabot in codecov/codecov-action#1822
• fix: OIDC on forks by @​joseph-sentry in codecov/codecov-action#1823

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3

v5.4.2

... (truncated)

Commits

• 57e3a13 Th/6.0.0 (#1928)
• f67d33d Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0""...
• 75cd116 chore(release): 5.5.4 (#1927)
• 87d39f4 Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" (#1926)
• 1af5884 chore(release): bump to 5.5.3 (#1922)
• c143300 build(deps): bump actions/github-script from 7.0.1 to 8.0.0 (#1874)
• See full diff in compare view

Updates docker/setup-qemu-action from 3.7.0 to 4.0.0

Release notes

Sourced from docker/setup-qemu-action's releases.

v4.0.0

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in docker/setup-qemu-action#245
• Switch to ESM and update config/test wiring by @​crazy-max in docker/setup-qemu-action#241
• Bump @​actions/core from 1.11.1 to 3.0.0 in docker/setup-qemu-action#244
• Bump @​docker/actions-toolkit from 0.67.0 to 0.77.0 in docker/setup-qemu-action#243
• Bump @​isaacs/brace-expansion from 5.0.0 to 5.0.1 in docker/setup-qemu-action#240
• Bump js-yaml from 3.14.1 to 3.14.2 in docker/setup-qemu-action#231
• Bump lodash from 4.17.21 to 4.17.23 in docker/setup-qemu-action#238

Full Changelog: docker/setup-qemu-action@v3.7.0...v4.0.0

Commits

• ce36039 Merge pull request #245 from crazy-max/node24
• 6386344 node 24 as default runtime
• 1ea3db7 Merge pull request #243 from docker/dependabot/npm_and_yarn/docker/actions-to...
• b56a002 chore: update generated content
• c43f02d build(deps): bump @​docker/actions-toolkit from 0.67.0 to 0.77.0
• ce10c58 Merge pull request #244 from docker/dependabot/npm_and_yarn/actions/core-3.0.0
• 429fc9d chore: update generated content
• 060e5f8 build(deps): bump @​actions/core from 1.11.1 to 3.0.0
• 44be13e Merge pull request #231 from docker/dependabot/npm_and_yarn/js-yaml-3.14.2
• 1897438 chore: update generated content
• Additional commits viewable in compare view

Updates docker/setup-buildx-action from 3.12.0 to 4.0.0

Release notes

Sourced from docker/setup-buildx-action's releases.

v4.0.0

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in docker/setup-buildx-action#483
• Remove deprecated inputs/outputs by @​crazy-max in docker/setup-buildx-action#464
• Switch to ESM and update config/test wiring by @​crazy-max in docker/setup-buildx-action#481
• Bump @​actions/core from 1.11.1 to 3.0.0 in docker/setup-buildx-action#475
• Bump @​docker/actions-toolkit from 0.63.0 to 0.79.0 in docker/setup-buildx-action#482 docker/setup-buildx-action#485
• Bump js-yaml from 4.1.0 to 4.1.1 in docker/setup-buildx-action#452
• Bump lodash from 4.17.21 to 4.17.23 in docker/setup-buildx-action#472
• Bump minimatch from 3.1.2 to 3.1.5 in docker/setup-buildx-action#480

Full Changelog: docker/setup-buildx-action@v3.12.0...v4.0.0

Commits

• 4d04d5d Merge pull request #485 from docker/dependabot/npm_and_yarn/docker/actions-to...
• cd74e05 chore: update generated content
• eee38ec build(deps): bump @​docker/actions-toolkit from 0.77.0 to 0.79.0
• 7a83f65 Merge pull request #484 from docker/dependabot/github_actions/docker/setup-qe...
• a5aa967 Merge pull request #464 from crazy-max/rm-deprecated
• e73d53f build(deps): bump docker/setup-qemu-action from 3 to 4
• 28a438e Merge pull request #483 from crazy-max/node24
• 034e9d3 chore: update generated content
• b4664d8 remove deprecated inputs/outputs
• a8257de node 24 as default runtime
• Additional commits viewable in compare view

Updates aws-actions/amazon-ecr-login from 2.0.1 to 2.1.4

Release notes

Sourced from aws-actions/amazon-ecr-login's releases.

v2.1.4

See the changelog for details about the changes included in this release.

v2.1.3

See the changelog for details about the changes included in this release.

v2.1.2

See the changelog for details about the changes included in this release.

v2.1.1

See the changelog for details about the changes included in this release.

v2.1.0

See the changelog for details about the changes included in this release.

v2.0.2

See the changelog for details about the changes included in this release.

Changelog

Sourced from aws-actions/amazon-ecr-login's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.1.4 (2026-04-22)

2.1.3 (2026-04-15)

2.1.2 (2026-04-01)

2.1.1 (2026-03-24)

Bug Fixes

• prefer explicit env var credentials over Pod Identity (#953) (ecbbdc7)

2.1.0 (2026-03-19)

Features

• Add EKS Pod Identity support to Amazon ECR login action (#624, #735) (#740) (dcb4c27)

2.0.2 (2026-03-13)

Bug Fixes

• Upgrade import syntax to ES Modules (#889) (0edf37c)

2.0.1 (2023-10-02)

2.0.0 (2023-10-02)

⚠ BREAKING CHANGES

• The default value of the 'mask-password' input has been updated from false to true.

• Treat maskPassword as false only if explicitly set to false

• Add new-v2-release to README

Features

• release v2 (#520) (d71acaf)

1.7.0 (2023-08-09)

... (truncated)

Commits

• 19d944d chore(release): 2.1.4
• a874b96 chore: Update dist (#1027)
• 6e423b0 chore: Update dist (#1022)
• c5fe167 chore(deps): bump @​aws-sdk/client-ecr-public from 3.1026.0 to 3.1034.0 (#1016)
• fd03857 chore(deps-dev): bump eslint from 10.2.0 to 10.2.1 (#1018)
• 2fefd9c chore(deps): bump @​aws-sdk/client-ecr from 3.1030.0 to 3.1034.0 (#1017)
• 007b62c chore(deps): bump @​aws-sdk/credential-providers (#1014)
• 12d2459 chore(deps): bump @​actions/core from 3.0.0 to 3.0.1 (#1015)
• 376925c chore(release): 2.1.3
• b6d79a7 chore: Update dist (#1012)
• Additional commits viewable in compare view

Updates docker/build-push-action from 6.19.2 to 7.1.0

Release notes

Sourced from docker/build-push-action's releases.

v7.1.0

• Git context query format support by @​crazy-max in docker/build-push-action#1505
• Bump @​docker/actions-toolkit from 0.79.0 to 0.87.0 by @​crazy-max in docker/build-push-action#1505
• Bump brace-expansion from 1.1.12 to 1.1.13 in docker/build-push-action#1500
• Bump fast-xml-parser from 5.4.2 to 5.5.7 in docker/build-push-action#1489
• Bump flatted from 3.3.3 to 3.4.2 in docker/build-push-action#1491
• Bump glob from 10.3.12 to 10.5.0 in docker/build-push-action#1490
• Bump handlebars from 4.7.8 to 4.7.9 in docker/build-push-action#1497
• Bump lodash from 4.17.23 to 4.18.1 in docker/build-push-action#1510
• Bump picomatch from 4.0.3 to 4.0.4 in docker/build-push-action#1496
• Bump undici from 6.23.0 to 6.24.1 in docker/build-push-action#1486
• Bump vite from 7.3.1 to 7.3.2 in docker/build-push-action#1509

Full Changelog: docker/build-push-action@v7.0.0...v7.1.0

v7.0.0

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in docker/build-push-action#1470
• Remove deprecated DOCKER_BUILD_NO_SUMMARY and DOCKER_BUILD_EXPORT_RETENTION_DAYS envs by @​crazy-max in docker/build-push-action#1473
• Remove legacy export-build tool support for build summary by @​crazy-max in docker/build-push-action#1474
• Switch to ESM and update config/test wiring by @​crazy-max in docker/build-push-action#1466
• Bump @​actions/core from 1.11.1 to 3.0.0 in docker/build-push-action#1454
• Bump @​docker/actions-toolkit from 0.62.1 to 0.79.0 in docker/build-push-action#1453 docker/build-push-action#1472 docker/build-push-action#1479
• Bump minimatch from 3.1.2 to 3.1.5 in docker/build-push-action#1463

Full Changelog: docker/build-push-action@v6.19.2...v7.0.0

Commits

• bcafcac Merge pull request #1509 from docker/dependabot/npm_and_yarn/vite-7.3.2
• 18e62f1 Merge pull request #1510 from docker/dependabot/npm_and_yarn/lodash-4.18.1
• 46580d2 chore: update generated content
• 3f80b25 chore(deps): Bump lodash from 4.17.23 to 4.18.1
• efeec95 Merge pull request #1505 from crazy-max/refactor-git-context
• ddf04b0 Merge pull request #1511 from docker/dependabot/github_actions/crazy-max-dot-...
• db08d97 chore(deps): Bump the crazy-max-dot-github group with 2 updates
• ef1fb96 Merge pull request #1508 from docker/dependabot/github_actions/docker/login-a...
• 2d8f2a1 chore: update generated content
• 919ac7b fix test since secrets are not written to temp path anymore
• Additional commits viewable in compare view

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

• Update the readme with direct upload details by @​danwkennedy in actions/upload-artifact#795
• Readme: bump all the example versions to v7 by @​danwkennedy in actions/upload-artifact#796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in actions/upload-artifact#797

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits

• 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
• 634250c Include changes in typespec/ts-http-runtime 0.3.5
• e454baa Readme: bump all the example versions to v7 (#796)
• 74fad66 Update the readme with direct upload details (#795)
• See full diff in compare view

Updates github/codeql-action from 4.32.4 to 4.35.3

Release notes

Sourced from github/codeql-action's releases.

v4.35.3

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

v4.35.2

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the val...

  Description has been truncated