chore(deps): update all non-major dependencies
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| GoogleCloudPlatform/functions-framework-conformance | action | patch | v1.8.6 -> v1.8.7 |
| actions/checkout | action | minor | v4.2.2 -> v4.3.1 |
| actions/dependency-review-action | action | minor | v4.7.1 -> v4.8.2 |
| github/codeql-action | action | minor | v3.29.0 -> v3.31.8 |
| go | uses-with | minor | 1.24 -> 1.25 |
| ossf/scorecard-action | action | patch | v2.4.2 -> v2.4.3 |
| step-security/harden-runner | action | minor | v2.12.1 -> v2.14.0 |
Release Notes
GoogleCloudPlatform/functions-framework-conformance (GoogleCloudPlatform/functions-framework-conformance)
v1.8.7
What's Changed
- build(deps): bump github.com/go-git/go-git/v5 from 5.8.1 to 5.11.0 by @dependabot[bot] in #133
- build(deps): bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 by @dependabot[bot] in #134
- build(deps): bump @actions/core from 1.2.6 to 1.9.1 in /action by @dependabot[bot] in #116
- build(deps-dev): bump word-wrap from 1.2.3 to 1.2.4 in /action by @dependabot[bot] in #127
- build(deps): bump github.com/containerd/containerd from 1.7.2 to 1.7.11 by @dependabot[bot] in #132
- build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0 by @dependabot[bot] in #139
- build(deps): bump github.com/opencontainers/runc from 1.1.7 to 1.1.14 by @dependabot[bot] in #145
- build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 by @dependabot[bot] in #146
- build(deps): bump golang.org/x/net from 0.19.0 to 0.33.0 by @dependabot[bot] in #148
- build(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to 5.13.0 by @dependabot[bot] in #149
- chore: Configure Renovate by @renovate-bot in #142
- fix(deps): update module github.com/cloudevents/sdk-go/v2 to v2.15.2 [security] by @renovate-bot in #150
- chore(deps): update dependency @types/node to v14.18.63 by @renovate-bot in #151
- chore: Update go.mod to use 1.21.13 by @akerekes in #153
- chore(deps): update actions/cache action to v4 by @renovate-bot in #158
- chore(deps): update actions/upload-artifact action to v4 by @renovate-bot in #162
- fix: Update buildpack-integration-test.yml by @akerekes in #165
- fix: update builer image url by @akerekes in #177
New Contributors
- @renovate-bot made their first contribution in #142
- @akerekes made their first contribution in #153
Full Changelog: https://github.com/GoogleCloudPlatform/functions-framework-conformance/compare/v1.8.6...v1.8.7
actions/checkout (actions/checkout)
v4.3.1
What's Changed
- Port v6 cleanup to v4 by @ericsciple in #2305
Full Changelog: https://github.com/actions/checkout/compare/v4...v4.3.1
v4.3.0
What's Changed
- docs: update README.md by @motss in #1971
- Add internal repos for checking out multiple repositories by @mouismail in #1977
- Documentation update - add recommended permissions to Readme by @benwells in #2043
- Adjust positioning of user email note and permissions heading by @joshmgross in #2044
- Update README.md by @nebuk89 in #2194
- Update CODEOWNERS for actions by @TingluoHuang in #2224
- Update package dependencies by @salmanmkc in #2236
- Prepare release v4.3.0 by @salmanmkc in #2237
New Contributors
- @motss made their first contribution in #1971
- @mouismail made their first contribution in #1977
- @benwells made their first contribution in #2043
- @nebuk89 made their first contribution in #2194
- @salmanmkc made their first contribution in #2236
Full Changelog: https://github.com/actions/checkout/compare/v4...v4.3.0
actions/dependency-review-action (actions/dependency-review-action)
v4.8.2
Minor fixes:
- Fix PURL parsing for scoped packages (#1008 from @danielhardej)
- Fix for large summaries (#1007 from @gitulisca)
- README includes a working example for allow-dependencies-licenses (#1009 from @danielhardej)
v4.8.1: Dependency Review Action v4.8.1
What's Changed
- (bug) Fix spamming link test in deprecation warning (again) by @ahpook in #1000
- Bump version for 4.8.1 release by @ahpook in #1001
Full Changelog: https://github.com/actions/dependency-review-action/compare/v4...v4.8.1
v4.8.0
What's Changed
- Make Ruby Code Scannable by @ljones140 in #978
- Batch some contributions for release by @brrygrdn in #986
- Make license lists collapsable by @jasperkamerling
- feat: add large summary handling with artifact upload by @MattMencel
New Contributors
- @ljones140 made their first contribution in #978
- @jasperkamerling made their first contribution in #986
- @MattMencel made their first contribution in #986
Full Changelog: https://github.com/actions/dependency-review-action/compare/v4...v4.8.0
v4.7.4
v4.7.3: 4.7.3
What's Changed
- Add explicit permissions to workflow files by @AshelyTC in #966
- Claire153/fix spamming mentioned issue by @claire153 in #974
Full Changelog: https://github.com/actions/dependency-review-action/compare/v4...v4.7.3
v4.7.2: 4.7.2
What's Changed
- Add Missing Languages to CodeQL Advanced Configuration by @KyFaSt in #945
- Deprecate deny lists by @claire153 in #958
- Address discrepancy between docs and reality by @ahpook in #960
New Contributors
- @KyFaSt made their first contribution in #945
- @claire153 made their first contribution in #958
- @ahpook made their first contribution in #960
Full Changelog: https://github.com/actions/dependency-review-action/compare/v4...v4.7.2
github/codeql-action (github/codeql-action)
v3.31.8
v3.31.7
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.31.7 - 05 Dec 2025
- Update default CodeQL bundle version to 2.23.7. #3343
See the full CHANGELOG.md for more information.
v3.31.6
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.31.6 - 01 Dec 2025
No user facing changes.
See the full CHANGELOG.md for more information.
v3.31.5
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.31.5 - 24 Nov 2025
- Update default CodeQL bundle version to 2.23.6. #3321
See the full CHANGELOG.md for more information.
v3.31.4
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.31.4 - 18 Nov 2025
No user facing changes.
See the full CHANGELOG.md for more information.
v3.31.3
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.31.3 - 13 Nov 2025
- CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see Upcoming deprecation of CodeQL Action v3.
- Update default CodeQL bundle version to 2.23.5. #3288
See the full CHANGELOG.md for more information.
v3.31.2
v3.31.1
v3.31.0
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.31.0 - 24 Oct 2025
- Bump minimum CodeQL bundle version to 2.17.6. #3223
- When SARIF files are uploaded by the `analyze` or `upload-sarif` actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the `upload-sarif` action. For `analyze`, this may affect Advanced Setup for CodeQL users who specify a value other than `always` for the `upload` input. #3222
See the full CHANGELOG.md for more information.
v3.30.9
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.30.9 - 17 Oct 2025
- Update default CodeQL bundle version to 2.23.3. #3205
- Experimental: A new `setup-codeql` action has been added which is similar to `init`, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #3204
See the full CHANGELOG.md for more information.
v3.30.8
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.30.8 - 10 Oct 2025
No user facing changes.
See the full CHANGELOG.md for more information.
v3.30.7
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.30.7 - 06 Oct 2025
No user facing changes.
See the full CHANGELOG.md for more information.
v3.30.6
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.30.6 - 02 Oct 2025
- Update default CodeQL bundle version to 2.23.2. #3168
See the full CHANGELOG.md for more information.
v3.30.5
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.30.5 - 26 Sep 2025
- We fixed a bug that was introduced in `3.30.4` with `upload-sarif` which resulted in files without a `.sarif` extension not getting uploaded. #3160
See the full CHANGELOG.md for more information.
v3.30.4
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.30.4 - 25 Sep 2025
- We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the `codeql-action/init` step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the `codeql-action/init` step. #3099 and #3100
- We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. #3107
- You can now run the latest CodeQL nightly bundle by passing `tools: nightly` to the `init` action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. #3130
- Update default CodeQL bundle version to 2.23.1. #3118
See the full CHANGELOG.md for more information.
v3.30.3
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.30.3 - 10 Sep 2025
No user facing changes.
See the full CHANGELOG.md for more information.
v3.30.2
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.30.2 - 09 Sep 2025
- Fixed a bug which could cause language autodetection to fail. #3084
- Experimental: The `quality-queries` input that was added in `3.29.2` as part of an internal experiment is now deprecated and will be removed in an upcoming version of the CodeQL Action. It has been superseded by a new `analysis-kinds` input, which is part of the same internal experiment. Do not use this in production as it is subject to change at any time. #3064
See the full CHANGELOG.md for more information.
v3.30.1
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.30.1 - 05 Sep 2025
- Update default CodeQL bundle version to 2.23.0. #3077
See the full CHANGELOG.md for more information.
v3.30.0
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.30.0 - 01 Sep 2025
- Reduce the size of the CodeQL Action, speeding up workflows by approximately 4 seconds. #3054
See the full CHANGELOG.md for more information.
v3.29.11
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.29.11 - 21 Aug 2025
- Update default CodeQL bundle version to 2.22.4. #3044
See the full CHANGELOG.md for more information.
v3.29.10
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.29.10 - 18 Aug 2025
No user facing changes.
See the full CHANGELOG.md for more information.
v3.29.9
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.29.9 - 12 Aug 2025
No user facing changes.
See the full CHANGELOG.md for more information.
v3.29.8
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.29.8 - 08 Aug 2025
- Fix an issue where the Action would autodetect unsupported languages such as HTML. #3015
See the full CHANGELOG.md for more information.
v3.29.7
This is a re-release of v3.29.5 to mitigate an issue that was discovered with v3.29.6.
v3.29.6
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.29.6 - 07 Aug 2025
- The `cleanup-level` input to the `analyze` Action is now deprecated. The CodeQL Action has written a limited amount of intermediate results to the database since version 2.2.5, and now automatically manages cleanup. #2999
- Update default CodeQL bundle version to 2.22.3. #3000
See the full CHANGELOG.md for more information.
v3.29.5
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.29.5 - 29 Jul 2025
- Update default CodeQL bundle version to 2.22.2. #2986
See the full CHANGELOG.md for more information.
v3.29.4
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.29.4 - 23 Jul 2025
No user facing changes.
See the full CHANGELOG.md for more information.
v3.29.3
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.29.3 - 21 Jul 2025
No user facing changes.
See the full CHANGELOG.md for more information.
v3.29.2
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.29.2 - 30 Jun 2025
- Experimental: When the `quality-queries` input for the `init` action is provided with an argument, separate `.quality.sarif` files are produced and uploaded for each language with the results of the specified queries. Do not use this in production as it is part of an internal experiment and subject to change at any time. #2935
See the full CHANGELOG.md for more information.
v3.29.1
CodeQL Action Changelog
See the releases page for the relevant changes to the CodeQL CLI and language packs.
3.29.1 - 27 Jun 2025
- Fix bug in PR analysis where user-provided `include` query filter fails to exclude non-included queries. #2938
- Update default CodeQL bundle version to 2.22.1. #2950
See the full CHANGELOG.md for more information.
actions/go-versions (go)
v1.25.5: 1.25.5
Go 1.25.5
v1.25.4: 1.25.4
Go 1.25.4
v1.25.3: 1.25.3
Go 1.25.3
v1.25.2: 1.25.2
Go 1.25.2
v1.25.1: 1.25.1
Go 1.25.1
v1.25.0: 1.25.0
Go 1.25.0
ossf/scorecard-action (ossf/scorecard-action)
v2.4.3
What's Changed
This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.
Documentation
- docs: clarify `GITHUB_TOKEN` permissions needed for private repos by @pankajtaneja5 in #1574
- :book: Fix recommended command to test the image in development by @deivid-rodriguez in #1583
Other
- add missing top-level token permissions to workflows by @timothyklee in #1566
- setup codeowners for requesting reviews by @spencerschrock in #1576
- :seedling: Improve printing options by @deivid-rodriguez in #1584
New Contributors
- @timothyklee made their first contribution in #1566
- @pankajtaneja5 made their first contribution in #1574
- @deivid-rodriguez made their first contribution in #1584
Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.4.2...v2.4.3
step-security/harden-runner (step-security/harden-runner)
v2.14.0
What's Changed
- Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
- Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.
Full Changelog: https://github.com/step-security/harden-runner/compare/v2.13.3...v2.14.0
v2.13.3
What's Changed
- Fixed an issue where process events were not uploaded in certain edge cases.
Full Changelog: https://github.com/step-security/harden-runner/compare/v2.13.2...v2.13.3
v2.13.2
What's Changed
- Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
- Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.
Full Changelog: https://github.com/step-security/harden-runner/compare/v2.13.1...v2.13.2
v2.13.1
What's Changed
- Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.
- Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.
- Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.
Full Changelog: https://github.com/step-security/harden-runner/compare/v2.13.0...v2.13.1
v2.13.0
What's Changed
- Improved job markdown summary
- Https monitoring for all domains (included with the enterprise tier)
Full Changelog: https://github.com/step-security/harden-runner/compare/v2...v2.13.0
v2.12.2
What's Changed
Added HTTPS Monitoring for additional destinations - *.githubusercontent.com
Bug fixes:
- Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
- Increased policy map size for block mode
Full Changelog: https://github.com/step-security/harden-runner/compare/v2...v2.12.2
Configuration
📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.