Update github actions (main) (minor)#1678
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests.
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
c3be1fd to
62cce1e
Compare
4271c4b to
fff92d6
Compare
7ae3ed9 to
aef2fbc
Compare
ea06a28 to
3283487
Compare
f28193b to
9761507
Compare
3ed2d4c to
0490e29
Compare
a049374 to
21e7a37
Compare
Review — commentStandard Renovate dependency update bumping 5 GitHub Actions across 6 workflow files (all minor versions). The version bumps are internally consistent — every occurrence of each action uses the same new SHA, and no stale references remain in the repository. Findings⚠
|
| Dimension | Result |
|---|---|
| Correctness | ✅ No findings — SHAs consistent, no stale references |
| Security | ⚠ 1 medium (pre-existing tag-only pin) |
| Intent & coherence | ✅ Mechanical change, authorization implicit |
| Style & conventions | ✅ Changes follow existing patterns |
| Documentation currency | ✅ No docs impact |
| Cross-repo contracts | ✅ N/A — no exported interfaces modified |
Previous run
Review — Approve
PR: #1678 — Update github actions (main) (minor)
Author: renovate[bot]
Base: main
Summary
Routine Renovate bot PR bumping five GitHub Actions to newer minor versions across six workflow files. All changes are version pin updates only — no workflow logic, permissions, or structural changes.
Changes Reviewed
| Action | From | To | Files |
|---|---|---|---|
step-security/harden-runner |
v2.15.0 | v2.20.0 | codeql.yml, pre-merge-ci.yaml, push-bundles.yaml, release.yaml (×3), scorecards.yml |
github/codeql-action (init/autobuild/analyze/upload-sarif) |
v4.32.4 | v4.36.3 | codeql.yml (×3), scorecards.yml |
actions/setup-go |
v6.2.0 | v6.5.0 | pre-merge-ci.yaml, push-bundles.yaml |
conforma/pr-size-label-action |
v1.0.0 | v1.2.0 | label-pr-size.yaml |
softprops/action-gh-release |
v2.5.0 | v2.6.2 | release.yaml |
Correctness
- All updated actions use consistent commit SHA pins across every usage site within the same workflow and across workflows. Verified:
step-security/harden-runner→bf7454d...used in all 6 occurrences ✓github/codeql-action/*→54f647b...used in all 4 occurrences ✓actions/setup-go→924ae3a...used in both occurrences ✓
- All are minor semver bumps — backward compatible by convention.
- No changes to workflow triggers, permissions, job structure, or step logic.
Security
- Commit SHA pinning is maintained for all third-party actions (supply chain best practice) ✓
step-security/harden-runner(a security hardening action) is being updated, which is positive for security posture.conforma/pr-size-label-actionuses a mutable tag reference (@v1.2.0) rather than SHA pin — this is a pre-existing pattern not introduced by this PR. Lower risk since it's an organization-internal action.- No new permissions requested. No secret exposure changes.
Intent & Coherence
- Standard automated dependency maintenance via Renovate bot.
- Appropriately scoped to a single concern (GitHub Actions version bumps).
- Consistent with project's existing pinning and update practices.
No Findings
No issues identified. This is a clean, well-structured dependency update PR.
Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.Protected files in this PR:
.github/workflows/codeql.yml.github/workflows/label-pr-size.yaml.github/workflows/pre-merge-ci.yaml.github/workflows/push-bundles.yaml.github/workflows/release.yaml.github/workflows/scorecards.yml
Previous run (2)
Review
Findings
High
- [protected-path]
.github/workflows/— All 6 files modified in this PR are under the.github/protected path (codeql.yml, label-pr-size.yaml, pre-merge-ci.yaml, push-bundles.yaml, release.yaml, scorecards.yml). The PR has no linked issue justifying changes to governance/infrastructure files. Human approval is always required for protected-path changes.
Remediation: Link this PR to an issue or provide explicit authorization for modifying CI workflow files.
Medium
- [Supply Chain / Action Pinning]
.github/workflows/label-pr-size.yaml:32—conforma/pr-size-label-actionis referenced by mutable tag (v1.2.0) instead of a pinned commit SHA. This action runs onpull_request_targetwithpull-requests:writeandissues:writepermissions. A mutable tag can be force-pushed to point at arbitrary code, allowing a supply-chain compromise to obtain write access to PRs and issues. All other third-party actions in this repository are properly SHA-pinned.
Remediation: Pinconforma/pr-size-label-actionto the full commit SHA corresponding to v1.2.0, e.g.:uses: conforma/pr-size-label-action@<full-sha> # v1.2.0
Labels: PR updates GitHub Actions workflow files with minor version bumps.
Previous run (3)
Review
Findings
High
- [protected-path]
.github/workflows/— All 6 changed files are under the.github/protected path (.github/workflows/codeql.yml,.github/workflows/label-pr-size.yaml,.github/workflows/pre-merge-ci.yaml,.github/workflows/push-bundles.yaml,.github/workflows/release.yaml,.github/workflows/scorecards.yml). The PR has no linked issue providing authorization for modifying governance/infrastructure files. Human approval is required for protected-path changes.
Remediation: Link an authorizing issue to the PR, or obtain explicit human maintainer approval for these CI workflow changes.
Medium
- [Supply Chain / Action Pinning]
.github/workflows/label-pr-size.yaml:32— Theconforma/pr-size-label-actionis pinned to a mutable tag (v1.2.0) rather than to an immutable SHA hash. All other third-party actions in this repository use SHA pinning with version comments (e.g.,@<sha> # v2.19.4). A mutable tag can be force-pushed to point at a malicious commit, which is particularly concerning here because this workflow uses thepull_request_targettrigger withpull-requests: writeandissues: writepermissions.
Remediation: Pinconforma/pr-size-label-actionto its full commit SHA corresponding to v1.2.0, with a version comment.
Info
- [authorization] — No linked issue provided. Authorization inferred from mechanical nature of change: dependency version bumps only (minor version increments by renovate[bot]).
Previous run (4)
Review
Findings
High
- [protected-path]
.github/workflows/— All 6 modified files are under.github/, a protected path. This PR has no linked issue providing justification for modifying governance/infrastructure files. Human approval is required for protected-path changes.- Affected files:
.github/workflows/codeql.yml,.github/workflows/label-pr-size.yaml,.github/workflows/pre-merge-ci.yaml,.github/workflows/push-bundles.yaml,.github/workflows/release.yaml,.github/workflows/scorecards.yml
Remediation: Link a tracking issue that authorizes these CI workflow changes, or obtain explicit human maintainer approval.
- Affected files:
Info
-
[sub-agent-failure]
N/A— The intent-coherence sub-agent did not return findings: model claude-sonnet-4-5@20250929 unavailable on deployment. Authorization was not verified, but the change is a mechanical Renovate bot version bump. -
[sub-agent-failure]
N/A— The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 unavailable on deployment. Style review was skipped, but the diff is a mechanical version bump with no style surface area.
Previous run (5)
Review
Findings
High
- [protected-path]
.github/workflows/— All 6 files in this PR are under.github/, a protected path requiring human approval. The PR has no linked issue providing justification for modifying governance/infrastructure files. Affected files:codeql.yml,label-pr-size.yaml,pre-merge-ci.yaml,push-bundles.yaml,release.yaml,scorecards.yml. Human approval is required for all protected-path changes regardless of the mechanical nature of the update.
Low
- [supply-chain integrity]
.github/workflows/label-pr-size.yaml:32—conforma/pr-size-label-actionis pinned to a mutable tag (v1.2.0) rather than a full commit SHA. This action runs onpull_request_targetwith write permissions topull-requestsandissues. The tag was updated in this PR without switching to SHA pinning, unlike all other action updates in this diff which use SHA pinning.
Remediation: Pinconforma/pr-size-label-actionto a full commit SHA with a version comment, consistent with the pinning practice used for all other actions in this repository.
Info
- [sub-agent-failure] — The style-conventions sub-agent did not return findings due to model unavailability. For this mechanical version bump PR, the early exit criteria would apply (no style findings expected).
- [sub-agent-failure] — The intent-coherence sub-agent did not return findings due to model unavailability. For this mechanical Renovate bot PR, scope authorization is implicit from the mechanical nature of the change.
Previous run (6)
Review
Findings
High
- [protected-path]
.github/workflows/— All 6 changed files are under the.github/protected path, which requires human approval for changes regardless of content. This PR has no linked issue providing authorization for modifying governance/infrastructure files. Affected files:codeql.yml,label-pr-size.yaml,pre-merge-ci.yaml,push-bundles.yaml,release.yaml,scorecards.yml.
Medium
- [supply-chain]
.github/workflows/label-pr-size.yaml:32— The actionconforma/pr-size-label-action@v1.2.0is pinned to a mutable version tag instead of an immutable SHA commit hash. Every other action in this repository uses SHA pinning (e.g.,step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4). This is a pre-existing inconsistency, but this PR had an opportunity to fix it. The risk is elevated because this workflow uses thepull_request_targettrigger withpull-requests: writeandissues: writepermissions, meaning a compromised tag could execute with write access to the repository.
Remediation: Pin to the full commit SHA of the v1.2.0 release with a version comment, e.g.,uses: conforma/pr-size-label-action@<full-sha> # v1.2.0.
Info
- [sub-agent-failure] N/A — The style-conventions sub-agent could not be dispatched due to model availability. Style consistency was not evaluated in this review.
21e7a37 to
6342600
Compare
|
🤖 Finished Review · ✅ Success · Started 6:08 PM UTC · Completed 6:16 PM UTC |
6342600 to
be289ea
Compare
|
🤖 Finished Review · ✅ Success · Started 8:51 PM UTC · Completed 8:57 PM UTC |
be289ea to
a96a37f
Compare
|
🤖 Finished Review · ✅ Success · Started 5:56 AM UTC · Completed 6:04 AM UTC |
a96a37f to
cfee7cb
Compare
|
🤖 Finished Review · ✅ Success · Started 3:52 PM UTC · Completed 3:59 PM UTC |
cfee7cb to
8a2536f
Compare
|
🤖 Finished Review · ✅ Success · Started 5:34 PM UTC · Completed 5:37 PM UTC |
Superseded by updated review
8a2536f to
890d1a4
Compare
|
🤖 Finished Review · ✅ Success · Started 1:35 PM UTC · Completed 1:42 PM UTC |
| steps: | ||
| - name: Label PR by size | ||
| uses: conforma/pr-size-label-action@v1.0.0 | ||
| uses: conforma/pr-size-label-action@v1.2.0 |
There was a problem hiding this comment.
[medium] supply-chain
conforma/pr-size-label-action is pinned by mutable tag (@v1.2.0) rather than by immutable commit SHA. This is a pre-existing pattern (was @v1.0.0), not introduced by this PR, but perpetuated here. This action runs under a pull_request_target trigger with pull-requests: write and issues: write permissions, making tag-only pinning a supply-chain risk.
Suggested fix: Pin to the full commit SHA corresponding to v1.2.0, e.g.: uses: conforma/pr-size-label-action@ # v1.2.0
This PR contains the following updates:
v6.2.0→v6.5.0v1.0.0→v1.2.0v4.32.4→v4.37.0v2.5.0→v2.6.2v2.15.0→v2.20.0Release Notes
actions/setup-go (actions/setup-go)
v6.5.0Compare Source
v6.4.0Compare Source
What's Changed
Enhancement
Dependency update
Documentation update
New Contributors
Full Changelog: actions/setup-go@v6...v6.4.0
v6.3.0Compare Source
What's Changed
Full Changelog: actions/setup-go@v6...v6.3.0
conforma/pr-size-label-action (conforma/pr-size-label-action)
v1.2.0Compare Source
What's Changed
Full Changelog: conforma/pr-size-label-action@v1...v1.2.0
v1.1.0Compare Source
Highlights
@actions/corev2 — updated from v1package.jsonsrc/main.jsentrypoint,src/index.jsexportsrun()for testabilitysize:prefix (with trailing space) to avoid collisions.nvmrcandenginesfield addedWhat's Changed
What's Changed
New Contributors
Full Changelog: conforma/pr-size-label-action@v1.0.0...v1.1.0
github/codeql-action (github/codeql-action)
v4.37.0Compare Source
config-fileinput for thecodeql-action/initstep will soon support a new[owner/]repo[@​ref][:path]format. All components except the repository name are optional. If omitted,ownerdefaults to the same owner as the repository the analysis is running for,reftomain, andpathto.github/codeql-action.yaml. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. #3973v4.36.3Compare Source
No user facing changes.
v4.36.2Compare Source
v4.36.1Compare Source
No user facing changes.
v4.36.0Compare Source
v4.35.5Compare Source
analysis-kindsinput, onlycode-scanningwill be enabled. Theanalysis-kindsinput is experimental, for GitHub-internal use only, and may change without notice at any time. #3892v4.35.4Compare Source
v4.35.3Compare Source
GETrequests instead ofHEADfor better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853v4.35.2Compare Source
CODEQL_ACTION_CLEANUP_TRAP_CACHESenvironment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing thetrap-caching: falseinput to theinitAction. #3795v4.35.1Compare Source
v4.35.0Compare Source
v4.34.1Compare Source
v4.34.0Compare Source
none. We expect this rollout to be complete by the end of April 2026. #3584v4.33.0Compare Source
Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562
To opt out of this change:
github-codeql-file-coverage-on-prsand the type "True/false", then set this property totruein the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set theCODEQL_ACTION_FILE_COVERAGE_ON_PRSenvironment variable totruein your workflow.CODEQL_ACTION_FILE_COVERAGE_ON_PRSenvironment variable totruein your workflow.CODEQL_ACTION_FILE_COVERAGE_ON_PRSenvironment variable totruein your workflow.Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557
The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as
github-codeql-disable-overlaythat was previously only available on GitHub.com. #3559Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563
Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564
A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570
v4.32.6Compare Source
v4.32.5Compare Source
github-codeql-disable-overlaycustom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the namegithub-codeql-disable-overlayand the type "True/false" in the organization's settings. Then in the repository's settings, set this property totrueto disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507start-proxyaction to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512softprops/action-gh-release (softprops/action-gh-release)
v2.6.2Compare Source
What's Changed
Other Changes 🔄
Full Changelog: softprops/action-gh-release@v2...v2.6.2
v2.6.1Compare Source
2.6.1is a patch release focused on restoring linked discussion thread creation whendiscussion_category_nameis set. It fixes#764, where the draft-first publish flowstopped carrying the discussion category through the final publish step.
If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.
What's Changed
Bug fixes 🐛
v2.6.0Compare Source
2.6.0is a minor release centered onprevious_tagsupport forgenerate_release_notes,which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a
working_directorydocs sync,a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.
If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.
What's Changed
Exciting New Features 🎉
Bug fixes 🐛
Other Changes 🔄
v2.5.3Compare Source
2.5.3is a patch release focused on the remaining path-handling and release-selection bugs uncovered after2.5.2.It fixes
#639,#571,#280,#614,#311,#403, and#368.It also adds documentation clarifications for
#541,#645,#542,#393, and#411,where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.
If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.
What's Changed
Bug fixes 🐛
Other Changes 🔄
preserve_order, and special-character asset filename behaviorFull Changelog: softprops/action-gh-release@v2...v2.5.3
v2.5.2Compare Source
2.5.2is a patch release focused on the remaining release-creation and prerelease regressions in the2.5.xbug-fix cycle.It fixes
#705, fixes#708, fixes#740, fixes#741, and fixes#722.Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels,
same-filename concurrent uploads, and blocked-tag cleanup behavior.
If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.
What's Changed
Bug fixes 🐛
New Contributors
Full Changelog: softprops/action-gh-release@v2...v2.5.2
v2.5.1Compare Source
2.5.1is a patch release focused on regressions introduced in2.5.0and on release lookup reliability.It fixes
#713, addresses#703, and fixes#724. Regression testing shows thatcurrent
masterno longer reproduces the finalize-race behavior reported in#704and#709.What's Changed
Bug fixes 🐛
Other Changes 🔄
New Contributors
Full Changelog: softprops/action-gh-release@v2...v2.5.1
step-security/harden-runner (step-security/harden-runner)
v2.20.0Compare Source
What's Changed
Full Changelog: step-security/harden-runner@v2.19.4...v2.20.0
v2.19.4Compare Source
What's Changed
Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4
v2.19.3Compare Source
What's Changed
Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3
v2.19.2Compare Source
What's Changed
Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2
v2.19.1Compare Source
What's Changed
What the fix changes
ubuntu-slimrunners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.What the fix does not do
ubuntu-slimwill not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).For StepSecurity enterprise customers
If your security posture requires that workflows are always monitored, you can block the use of
ubuntu-slimvia workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.New Contributors
Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1
v2.19.0Compare Source
What's Changed
New Runner Support
Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.
Automated Incident Response for Supply Chain Attacks
Bug Fixes
Windows and macOS: stability and reliability fixes
Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0
v2.18.0Compare Source
What's Changed
Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.
Deploy on Self-Hosted VM: Added
deploy-on-self-hosted-vminput that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0
v2.17.0Compare Source
What's Changed
Policy Store Support
Added
use-policy-storeandapi-keyinputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existingpolicyinput which requiresid-token: writepermission. If no policy is found in the store, the action defaults to audit mode.Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0
v2.16.1Compare Source
What's Changed
Enterprise tier: Added support for direct IP addresses in the allow list
Community tier: Migrated Harden Runner telemetry to a new endpoint
Full Changelog: step-security/harden-runner@v2.16.0...v2.16.1
v2.16.0Compare Source
What's Changed
Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0
v2.15.1Compare Source
What's Changed
Full Changelog: step-security/harden-runner@v2.15.0...v2.15.1
Configuration
📅 Schedule: (UTC)
* 0-3 * * *)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.