ci(deps)(deps): bump the github-actions group across 1 directory with 8 updates

[dependabot]

Bumps the github-actions group with 8 updates in the / directory:

Package	From	To
actions/checkout	4	6
actions/github-script	7	9
step-security/harden-runner	2.13.0	2.19.3
actions/cache	4	5
actions/upload-artifact	4	7
dependabot/fetch-metadata	2.4.0	3.1.0
lewagon/wait-on-check-action	1.4.0	1.7.0
actions/create-github-app-token	2	3

Updates actions/checkout from 4 to 6

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

... (truncated)

Commits

• de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
• 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• 08c6903 Prepare v5.0.0 release (#2238)
• Additional commits viewable in compare view

Updates actions/github-script from 7 to 9

Release notes

Sourced from actions/github-script's releases.

v9.0.0

New features:

• getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
• Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

• require('@actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
• getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
• If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

• Add ACTIONS_ORCHESTRATION_ID to user-agent string by @​Copilot in actions/github-script#695
• ci: use deployment: false for integration test environments by @​salmanmkc in actions/github-script#712
• feat!: add getOctokit to script context, upgrade @​actions/github v9, @​octokit/core v7, and related packages by @​salmanmkc in actions/github-script#700

New Contributors

• @​Copilot made their first contribution in actions/github-script#695

Full Changelog: actions/github-script@v8.0.0...v9.0.0

v8.0.0

What's Changed

• Update Node.js version support to 24.x by @​salmanmkc in actions/github-script#637
• README for updating actions/github-script from v7 to v8 by @​sneha-krip in actions/github-script#653

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

New Contributors

• @​salmanmkc made their first contribution in actions/github-script#637
• @​sneha-krip made their first contribution in actions/github-script#653

Full Changelog: actions/github-script@v7.1.0...v8.0.0

v7.1.0

What's Changed

• Upgrade husky to v9 by @​benelan in actions/github-script#482
• Add workflow file for publishing releases to immutable action package by @​Jcambass in actions/github-script#485
• Upgrade IA Publish by @​Jcambass in actions/github-script#486
• Fix workflow status badges by @​joshmgross in actions/github-script#497
• Update usage of actions/upload-artifact by @​joshmgross in actions/github-script#512
• Clear up package name confusion by @​joshmgross in actions/github-script#514
• Update dependencies with npm audit fix by @​joshmgross in actions/github-script#515
• Specify that the used script is JavaScript by @​timotk in actions/github-script#478
• chore: Add Dependabot for NPM and Actions by @​nschonni in actions/github-script#472

... (truncated)

Commits

• 3a2844b Merge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...
• ca10bbd fix: use @​octokit/core/types import for v7 compatibility
• 86e48e2 merge: incorporate main branch changes
• c108472 chore: rebuild dist for v9 upgrade and getOctokit factory
• afff112 Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...
• ff8117e ci: fix user-agent test to handle orchestration ID
• 81c6b78 ci: use deployment: false to suppress deployment noise from integration tests
• 3953caf docs: update README examples from @​v8 to @​v9, add getOctokit docs and v9 brea...
• c17d55b ci: add getOctokit integration test job
• a047196 test: add getOctokit integration tests via callAsyncFunction
• Additional commits viewable in compare view

Updates step-security/harden-runner from 2.13.0 to 2.19.3

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.3

What's Changed

• Default to audit mode when api-key missing with use-policy-store by @​varunsh-coder in step-security/harden-runner#665

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

What's Changed

• Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

• fix: detect ubuntu-slim runners early and bail out by @​devantler in step-security/harden-runner#657

What the fix changes

• Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

• Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
• Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

• @​devantler made their first contribution in step-security/harden-runner#657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

• Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
• System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

... (truncated)

Commits

• ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit
• ec41b78 Default to audit mode when api-key missing with use-policy-store
• 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
• 1dee3df Update agent to v1.8.5
• a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
• 6e92856 build dist and trim ubuntu-slim message
• 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
• 8d3c67d Release v2.19.0 (#661)
• 6c3c2f2 Feature/deploy on self hosted vm (#658)
• 376d25a fix: detect ubuntu-slim runners early and bail out
• Additional commits viewable in compare view

Updates actions/cache from 4 to 5

Release notes

Sourced from actions/cache's releases.

v5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

---

What's Changed

• Upgrade to use node24 by @​salmanmkc in actions/cache#1630
• Prepare v5.0.0 release by @​salmanmkc in actions/cache#1684

Full Changelog: actions/cache@v4.3.0...v5.0.0

v4.3.0

What's Changed

• Add note on runner versions by @​GhadimiR in actions/cache#1642
• Prepare v4.3.0 release by @​Link- in actions/cache#1655

New Contributors

• @​GhadimiR made their first contribution in actions/cache#1642

Full Changelog: actions/cache@v4...v4.3.0

v4.2.4

What's Changed

• Update README.md by @​nebuk89 in actions/cache#1620
• Upgrade @actions/cache to 4.0.5 and move @protobuf-ts/plugin to dev depdencies by @​Link- in actions/cache#1634
• Prepare release 4.2.4 by @​Link- in actions/cache#1636

New Contributors

• @​nebuk89 made their first contribution in actions/cache#1620

Full Changelog: actions/cache@v4...v4.2.4

v4.2.3

What's Changed

• Update to use @​actions/cache 4.0.3 package & prepare for new release by @​salmanmkc in actions/cache#1577 (SAS tokens for cache entries are now masked in debug logs)

New Contributors

• @​salmanmkc made their first contribution in actions/cache#1577

Full Changelog: actions/cache@v4.2.2...v4.2.3

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

• 27d5ce7 Merge pull request #1747 from actions/yacaovsnc/update-dependency
• f280785 licensed changes
• 619aeb1 npm run build generated dist files
• bcf16c2 Update ts-http-runtime to 0.3.5
• 6682284 Merge pull request #1738 from actions/prepare-v5.0.4
• e340396 Update RELEASES
• 8a67110 Add licenses
• 1865903 Update dependencies & patch security vulnerabilities
• 5656298 Merge pull request #1722 from RyPeck/patch-1
• 4e380d1 Fix cache key in examples.md for bun.lock
• Additional commits viewable in compare view

Updates actions/upload-artifact from 4 to 7

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in actions/upload-artifact#754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in actions/upload-artifact#762
• Support direct file uploads by @​danwkennedy in actions/upload-artifact#764

New Contributors

• @​Link- made their first contribution in actions/upload-artifact#754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Upload Artifact Node 24 support by @​salmanmkc in actions/upload-artifact#719
• fix: update @​actions/artifact for Node.js 24 punycode deprecation by @​salmanmkc in actions/upload-artifact#744
• prepare release v6.0.0 for Node.js 24 support by @​salmanmkc in actions/upload-artifact#745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README.md by @​GhadimiR in actions/upload-artifact#681
• Update README.md by @​nebuk89 in actions/upload-artifact#712
• Readme: spell out the first use of GHES by @​danwkennedy in actions/upload-artifact#727
• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in actions/upload-artifact#725
• Bump @actions/artifact to v4.0.0
• Prepare v5.0.0 by @​danwkennedy in actions/upload-artifact#734

... (truncated)

Commits

• 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
• 634250c Include changes in typespec/ts-http-runtime 0.3.5
• e454baa Readme: bump all the example versions to v7 (#796)
• 74fad66 Update the readme with direct upload details (#795)
• bbbca2d Support direct file uploads (#764)
• 589182c Upgrade the module to ESM and bump dependencies (#762)
• 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
• 02a8460 Add proxy integration test
• b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
• e516bc8 docs: correct description of Node.js 24 support in README
• Additional commits viewable in compare view

Updates dependabot/fetch-metadata from 2.4.0 to 3.1.0

Release notes

Sourced from dependabot/fetch-metadata's releases.

v3.1.0

What's Changed

• Add permissions to all workflows by @​truggeri in dependabot/fetch-metadata#687
• build(deps-dev): bump globals from 16.0.0 to 17.4.0 by @​dependabot[bot] in dependabot/fetch-metadata#690
• build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 by @​dependabot[bot] in dependabot/fetch-metadata#693
• build(deps-dev): bump @​hono/node-server from 1.19.10 to 1.19.13 by @​dependabot[bot] in dependabot/fetch-metadata#694
• build(deps-dev): bump hono from 4.12.7 to 4.12.12 by @​dependabot[bot] in dependabot/fetch-metadata#695
• Dynamically update the tracking tag in action by @​truggeri in dependabot/fetch-metadata#696
• fix: handle duplicate dependency names in parseMetadataLinks by @​devantler in dependabot/fetch-metadata#700
• fix: remove $ anchor from updateFragment regex to handle pip directory suffixes by @​devantler in dependabot/fetch-metadata#698
• Updates to README for permissions clarification by @​truggeri in dependabot/fetch-metadata#697
• fix: resolve update-type null for Python, Composer, and Terraform PRs by @​vitorsdcs in dependabot/fetch-metadata#704
• build(deps-dev): bump globals from 17.4.0 to 17.5.0 by @​dependabot[bot] in dependabot/fetch-metadata#703
• build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1 by @​dependabot[bot] in dependabot/fetch-metadata#701
• build(deps): bump @​actions/github from 9.0.0 to 9.1.0 in the dependencies group across 1 directory by @​dependabot[bot] in dependabot/fetch-metadata#702
• build(deps-dev): bump hono from 4.12.12 to 4.12.14 by @​dependabot[bot] in dependabot/fetch-metadata#705
• v3.1.0 by @​fetch-metadata-action-automation[bot] in dependabot/fetch-metadata#692

New Contributors

• @​devantler made their first contribution in dependabot/fetch-metadata#700
• @​vitorsdcs made their first contribution in dependabot/fetch-metadata#704

Full Changelog: dependabot/fetch-metadata@v3...v3.1.0

v3.0.0

The breaking change is requiring Node.js version v24 as the Actions runtime.

What's Changed

• feat: Parse versions from metadata links by @​ppkarwasz in dependabot/fetch-metadata#632
• Upgrade actions core and actions github packages by @​truggeri in dependabot/fetch-metadata#649
• docs: Add notes for using alert-lookup with App Token by @​sue445 in dependabot/fetch-metadata#656
• feat!: update Node.js version to v24 by @​sturman in dependabot/fetch-metadata#671
• Switch build tooling from ncc to esbuild by @​truggeri in dependabot/fetch-metadata#676
• Add --legal-comments=none to esbuild build commands by @​jeffwidman in dependabot/fetch-metadata#679
• Bump tsconfig target from es2022 to es2024 by @​jeffwidman in dependabot/fetch-metadata#680
• Remove vestigial outDir from tsconfig.json by @​jeffwidman in dependabot/fetch-metadata#681
• Switch tsconfig module resolution to bundler by @​jeffwidman in dependabot/fetch-metadata#682
• Remove skipLibCheck from tsconfig.json by @​jeffwidman in dependabot/fetch-metadata#683
• Add typecheck step to CI by @​jeffwidman in dependabot/fetch-metadata#685
• Enable noImplicitAny in tsconfig.json by @​jeffwidman in dependabot/fetch-metadata#684
• Upgrade @​actions/core to ^3.0.0 by @​truggeri in dependabot/fetch-metadata#677
• Upgrade @​actions/github to ^9.0.0 and @​octokit/request-error to ^7.1.0 by @​truggeri in dependabot/fetch-metadata#678
• Bump qs from 6.14.0 to 6.14.1 by @​dependabot[bot] in dependabot/fetch-metadata#651
• Bump hono from 4.11.1 to 4.11.4 by @​dependabot[bot] in dependabot/fetch-metadata#652
• Bump hono from 4.11.4 to 4.11.7 by @​dependabot[bot] in dependabot/fetch-metadata#653
• Bump hono from 4.11.7 to 4.12.0 by @​dependabot[bot] in dependabot/fetch-metadata#657
• Bump qs from 6.14.1 to 6.14.2 by @​dependabot[bot] in dependabot/fetch-metadata#655
• Bump @​modelcontextprotocol/sdk from 1.25.1 to 1.26.0 by @​dependabot[bot] in dependabot/fetch-metadata#654
• Bump @​hono/node-server from 1.19.9 to 1.19.10 by @​dependabot[bot] in dependabot/fetch-metadata#665
• Bump hono from 4.12.2 to 4.12.5 by @​dependabot[bot] in dependabot/fetch-metadata#664

... (truncated)

Commits

• 25dd0e3 v3.1.0 (#692)
• e073f50 Merge pull request #705 from dependabot/dependabot/npm_and_yarn/hono-4.12.14
• 0670e16 build(deps-dev): bump hono from 4.12.12 to 4.12.14
• 7a7fe10 Merge pull request #702 from dependabot/dependabot/npm_and_yarn/dependencies-...
• 5168191 Updating dist build
• 23882e1 build(deps): bump @​actions/github in the dependencies group
• 1072469 Merge pull request #701 from dependabot/dependabot/github_actions/actions/cre...
• 43f8a00 build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1
• b4d904a Merge pull request #703 from dependabot/dependabot/npm_and_yarn/globals-17.5.0
• c8046bb build(deps-dev): bump globals from 17.4.0 to 17.5.0
• Additional commits viewable in compare view

Updates lewagon/wait-on-check-action from 1.4.0 to 1.7.0

Release notes

Sourced from lewagon/wait-on-check-action's releases.

v1.7.0

Fixed

• Fix the failure exit codes (#147)

v1.6.1

Added

• Pin the ruby/setup-ruby version (#143)

v1.6.0

Added

• Add checks-discovery-timeout option (#139)

v1.5.0

Added

• Add fail-on-no-checks option (#133)

Fixed

• Bump rexml to 3.4.2 (#128)

v1.4.1

Fixed

• Linux ARM64 support

Changelog

Sourced from lewagon/wait-on-check-action's changelog.

v1.7.0 - 2026-04-14

Fixed

• Fix the failure exit codes

v1.6.1 - 2026-04-06

Added

• Pin the ruby/setup-ruby version

v1.6.0 - 2026-03-29

Added

• Add checks-discovery-timeout option

v1.5.0 - 2026-01-25

Added

• Add fail-on-no-checks option

Fixed

• Bump rexml to 3.4.2

v1.4.1 - 2025-09-21

Fixed

• Linux ARM64 support

Commits

• 9312864 Bump version: 1.6.1 → 1.7.0
• 51f09d0 Add v1.7.0 changelog notes (#148)
• be22c84 fix: exit with non-zero status when check conclusions are disallowed (#147)
• 78dd4dd Bump version: 1.6.0 → 1.6.1
• 0b3a86b Add v1.6.1 changelog notes (#144)
• b6990d0 Pin ruby/setup-ruby to the v1.299.0 sha (#143)
• a08fbe2 Bump version: 1.5.0 → 1.6.0
• 9499267 Add v1.6.0 changelog notes (#141)
• fa9c37b Add checks-discovery-timeout documentation (#140)
• e183d72 fix/wait for check discovery (#139)
• Additional commits viewable in compare view

Updates actions/create-github-app-token from 2 to 3

Release notes

Sourced from actions/create-github-app-token's releases.

v3.0.0

3.0.0 (2026-03-14)

• feat!: node 24 support (#275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#1...

  Description has been truncated

[dependabot]

Labels

The following labels could not be found: ci, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
interviewoptimiser	Ready	Preview, Comment	May 18, 2026 3:38am

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e3a6c842-063d-43e6-9a08-ad7248e8508e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch dependabot-github_actions-github-actions-6e6d623b97

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 7 files

[github-actions]

🗄️ Database Migration Check

✅ Migration dry-run successful

Migration Files Found: 13

• 0000_oval_post.sql
• 0001_chubby_wild_pack.sql
• 0002_rich_the_hand.sql
• 0003_sticky_caretaker.sql
• 0004_purple_charles_xavier.sql

...and 8 more

These migrations will be applied automatically when merged to main.

⚠️ Important: Ensure migrations are backwards compatible and test thoroughly in staging first.

[github-actions]

🔒 Security Audit Summary

Security vulnerabilities were detected in the dependency update.

Scan Results

Scanner	Status
Bun Security Check	✅ Passed
Snyk	✅ Passed
OSV Scanner	❌ Failed

Recommended Actions

1. Review the security reports in the workflow artifacts
2. Run bun update locally to get latest patches
3. Check OSV Scanner results for known vulnerabilities
4. Consider using dependency overrides for false positives

For more details, check the workflow run.

[github-actions]

⚖️ License Compliance Alert

Potential license compatibility issues detected.

Issues Found

• Incompatible or unknown licenses detected
• Review the license report in workflow artifacts

Allowed Licenses

MIT, Apache-2.0, BSD-3-Clause, BSD-2-Clause, ISC, 
CC0-1.0, 0BSD, Unlicense, Python-2.0, BlueOak-1.0.0

All other licenses are automatically blocked.

Please review dependencies with incompatible licenses before merging.

[github-actions]

🤖 Dependabot Validation Results

The following checks failed:
⚠️ Security Audit

This PR cannot be auto-merged until all checks pass.

[github-actions]

🔍 Manual Review Required

This Dependabot PR requires manual review and approval.

Reason: version-update:semver-major update for direct:production dependency

Update Details

• Dependency: actions/cache, actions/checkout, actions/create-github-app-token, actions/github-script, actions/upload-artifact, dependabot/fetch-metadata, lewagon/wait-on-check-action, step-security/harden-runner
• Type: direct:production
• Update: version-update:semver-major
• Version: →
• CVSS Score: 0 (High severity)

⚠️ Major Version Update

Please review:

• Breaking changes in the changelog
• Migration guide if available
• Impact on existing code
• Update related dependencies if needed

Next Steps

1. Review the changes and changelog
2. Test locally if needed
3. Approve and merge manually when ready

[github-actions]

🗄️ Database Migration Check

✅ Migration dry-run successful

Migration Files Found: 13

• 0000_oval_post.sql
• 0001_chubby_wild_pack.sql
• 0002_rich_the_hand.sql
• 0003_sticky_caretaker.sql
• 0004_purple_charles_xavier.sql

...and 8 more

These migrations will be applied automatically when merged to main.

⚠️ Important: Ensure migrations are backwards compatible and test thoroughly in staging first.

[github-actions]

🔒 Security Audit Summary

Security vulnerabilities were detected in the dependency update.

Scan Results

Scanner	Status
Bun Security Check	✅ Passed
Snyk	✅ Passed
OSV Scanner	❌ Failed

Recommended Actions

1. Review the security reports in the workflow artifacts
2. Run bun update locally to get latest patches
3. Check OSV Scanner results for known vulnerabilities
4. Consider using dependency overrides for false positives

For more details, check the workflow run.

[github-actions]

⚖️ License Compliance Alert

Potential license compatibility issues detected.

Issues Found

• Incompatible or unknown licenses detected
• Review the license report in workflow artifacts

Allowed Licenses

MIT, Apache-2.0, BSD-3-Clause, BSD-2-Clause, ISC, 
CC0-1.0, 0BSD, Unlicense, Python-2.0, BlueOak-1.0.0

All other licenses are automatically blocked.

Please review dependencies with incompatible licenses before merging.

[github-actions]

🤖 Dependabot Validation Results

The following checks failed:
⚠️ Security Audit

This PR cannot be auto-merged until all checks pass.

[github-actions]

🔍 Manual Review Required

This Dependabot PR requires manual review and approval.

Reason: version-update:semver-major update for direct:production dependency

Update Details

• Dependency: actions/cache, actions/checkout, actions/create-github-app-token, actions/github-script, actions/upload-artifact, dependabot/fetch-metadata, lewagon/wait-on-check-action, step-security/harden-runner
• Type: direct:production
• Update: version-update:semver-major
• Version: →
• CVSS Score: 0 (High severity)

⚠️ Major Version Update

Please review:

• Breaking changes in the changelog
• Migration guide if available
• Impact on existing code
• Update related dependencies if needed

Next Steps

1. Review the changes and changelog
2. Test locally if needed
3. Approve and merge manually when ready