Skip to content

ci: bump the github-actions group with 4 updates#464

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/github-actions-e4f46d90e6
Open

ci: bump the github-actions group with 4 updates#464
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/github-actions-e4f46d90e6

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 4, 2026
edited by cubic-dev-ai Bot
Loading

Bumps the github-actions group with 4 updates: dependabot/fetch-metadata, goreleaser/goreleaser-action, aquasecurity/trivy-action and ruby/setup-ruby.

Updates dependabot/fetch-metadata from 3.0.0 to 3.1.0

Release notes

Sourced from dependabot/fetch-metadata's releases.

v3.1.0

What's Changed

New Contributors

Full Changelog: dependabot/fetch-metadata@v3...v3.1.0

Commits
  • 25dd0e3 v3.1.0 (#692)
  • e073f50 Merge pull request #705 from dependabot/dependabot/npm_and_yarn/hono-4.12.14
  • 0670e16 build(deps-dev): bump hono from 4.12.12 to 4.12.14
  • 7a7fe10 Merge pull request #702 from dependabot/dependabot/npm_and_yarn/dependencies-...
  • 5168191 Updating dist build
  • 23882e1 build(deps): bump @​actions/github in the dependencies group
  • 1072469 Merge pull request #701 from dependabot/dependabot/github_actions/actions/cre...
  • 43f8a00 build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1
  • b4d904a Merge pull request #703 from dependabot/dependabot/npm_and_yarn/globals-17.5.0
  • c8046bb build(deps-dev): bump globals from 17.4.0 to 17.5.0
  • Additional commits viewable in compare view

Updates goreleaser/goreleaser-action from 7.0.0 to 7.1.0

Release notes

Sourced from goreleaser/goreleaser-action's releases.

v7.1.0

What's Changed

New Contributors

Full Changelog: goreleaser/goreleaser-action@v7...v7.1.0

Commits
  • e24998b ci: drop pre-cosign-v3 goreleaser versions from tests (#554)
  • be2e8a3 docs: document cosign verification in README (#553)
  • 5e53f8e ci: add release-major-tag workflow (#552)
  • 4068afa build: drop docker-bake in favor of plain npm (#551)
  • 213ec80 docs: add CONTRIBUTING with pre-commit workflow
  • 4b462d3 feat: verify release checksum and cosign signature (#550)
  • 01cbe07 docs: Upgrade import GPG action version (#547)
  • 2a473d7 ci(deps): bump the actions group with 5 updates (#546)
  • fdcf0b9 clean: leftover files from node 22(?)
  • 9881cc5 fix: use new static URL
  • Additional commits viewable in compare view

Updates aquasecurity/trivy-action from 0.35.0 to 0.36.0

Release notes

Sourced from aquasecurity/trivy-action's releases.

v0.36.0

What's Changed

New Contributors

Full Changelog: aquasecurity/trivy-action@v0.35.0...v0.36.0

Commits
  • ed142fd chore: update action version to v0.36.0 in examples (#563)
  • dea62cf chore(deps): Update trivy to v0.70.0 (#559)
  • 128d9a8 chore: use GitHub Actions as git commit author in bump-trivy workflow (#561)
  • 876cf04 Upgrade Trivy action version from 0.33.1 to 0.35.0 fixes #549 (#548)
  • dada784 Fix typo in GOOGLE_APPLICATION_CREDENTIALS env var name (#547)
  • 4a2deec fix: use portable shebang in entrypoint.sh (#545)
  • 1994662 chore(deps): bump the actions group with 5 updates (#558)
  • 6b36659 chore: add zizmor config (#557)
  • 316aa5a ci: add dependabot config (#556)
  • 264c9c5 test: use pinned digests for trivy-db, trivy-java-db and trivy-checks (#555)
  • Additional commits viewable in compare view

Updates ruby/setup-ruby from 1.302.0 to 1.305.0

Release notes

Sourced from ruby/setup-ruby's releases.

v1.305.0

What's Changed

Full Changelog: ruby/setup-ruby@v1.304.0...v1.305.0

v1.304.0

What's Changed

Full Changelog: ruby/setup-ruby@v1.303.0...v1.304.0

v1.303.0

What's Changed

Full Changelog: ruby/setup-ruby@v1.302.0...v1.303.0

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Summary by cubic

Bump pinned GitHub Actions in CI to newer minor versions for better security, reliability, and release verification. Updates cover Dependabot metadata, GoReleaser, Trivy scanning, and Ruby setup across workflows.

  • Dependencies
    • dependabot/fetch-metadata 3.0.0 → 3.1.0: permissions clarifications and metadata parsing fixes.
    • goreleaser/goreleaser-action 7.0.0 → 7.1.0: adds checksum and cosign signature verification.
    • aquasecurity/trivy-action 0.35.0 → 0.36.0: updates Trivy to v0.70.0 and improves portability.
    • ruby/setup-ruby 1.302.0 → 1.305.0: adds Ruby 4.0.3/JRuby 10.1.0.0 and updates Windows releases.

Written for commit 5637806. Summary will update on new commits.

@dependabot
ci: bump the github-actions group with 4 updates
5637806 
Bumps the github-actions group with 4 updates: [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata), [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action), [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) and [ruby/setup-ruby](https://github.com/ruby/setup-ruby).


Updates `dependabot/fetch-metadata` from 3.0.0 to 3.1.0
- [Release notes](https://github.com/dependabot/fetch-metadata/releases)
- [Commits](dependabot/fetch-metadata@ffa630c...25dd0e3)

Updates `goreleaser/goreleaser-action` from 7.0.0 to 7.1.0
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@ec59f47...e24998b)

Updates `aquasecurity/trivy-action` from 0.35.0 to 0.36.0
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@57a97c7...ed142fd)

Updates `ruby/setup-ruby` from 1.302.0 to 1.305.0
- [Release notes](https://github.com/ruby/setup-ruby/releases)
- [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb)
- [Commits](ruby/setup-ruby@7372622...0cb964f)

---
updated-dependencies:
- dependency-name: dependabot/fetch-metadata
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: goreleaser/goreleaser-action
  dependency-version: 7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: ruby/setup-ruby
  dependency-version: 1.305.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 4, 2026
Copilot AI review requested due to automatic review settings May 4, 2026 13:44
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 4, 2026
@dependabot dependabot Bot review requested due to automatic review settings May 4, 2026 13:44
@dependabot dependabot Bot added the github_actions Pull requests that update GitHub Actions code label May 4, 2026
@github-actions github-actions Bot added the ci CI/CD workflows label May 4, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 4, 2026

Sensitive Change Detection (shadow mode)

This PR modifies control-plane files:

  • .github/workflows/dependabot-auto-merge.yml
  • .github/workflows/release.yml
  • .github/workflows/security.yml
  • .github/workflows/test.yml

Shadow mode — this check is informational only. When activated, changes to these paths will require approval from a maintainer.

@github-actions github-actions Bot added the enhancement New feature or request label May 4, 2026
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 4 files

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

Assignees

No one assigned

Labels

ci CI/CD workflows dependencies Pull requests that update a dependency file enhancement New feature or request github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants