Skip to content

deps: Bump the github-actions group across 1 directory with 4 updates#134

Closed
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/github_actions/github-actions-f56e83b4ad
Closed

deps: Bump the github-actions group across 1 directory with 4 updates#134
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/github_actions/github-actions-f56e83b4ad

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 25, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps the github-actions group with 4 updates in the / directory: mindsers/changelog-reader-action, docker/login-action, sigstore/cosign-installer and actions/cache.

Updates mindsers/changelog-reader-action from 2.2.3 to 2.4.0

Release notes

Sourced from mindsers/changelog-reader-action's releases.

v2.4.0

Added

  • New changes_file output: a path to a temporary file containing the matched entry's text, for tools that consume release notes as a file (goreleaser, gh release create --notes-file, etc.). Resolves #68.
  • New version_scheme input (semver default, or pep440) enabling extraction and validation of Python PEP 440 version identifiers like 0.1.0a1. Resolves #38.

Security

  • Harden the reference-link parsing regex against catastrophic backtracking (CodeQL js/redos). The previous pattern had a . character in two overlapping character classes; a hostile CHANGELOG line could in principle trigger exponential matching time. The fix tightens the label character class without changing the regex's accepted inputs.

v2.3.0

Changed

  • Use Node 24 as the action runtime.
  • Refactor the internal entry, validation, and pipeline modules for type safety and easier maintenance. No change in observable behavior for action consumers.
  • Modernize the bundled runtime dependencies: @actions/core 1.x → 2.x and the YAML parser 1.x → 2.x. The action's input/output contract is unchanged.

Fixed

  • Declare semver as a runtime dependency instead of a dev dependency.
  • Stop dumping the full CHANGELOG content to debug logs when parsing entries and links.
  • Detect the Unreleased heading case-insensitively when picking the most recent released entry.
  • Warn (instead of silently degrading) when validation_level or validation_depth inputs are invalid; fall back to safe defaults.
  • Warn (instead of silently using an empty config) when an explicit config_file does not exist.
  • Validate the shape of YAML/JSON config files; warn on per-field type mismatches and reject non-object roots.
  • Recognize bare ## Unreleased headings in addition to the bracketed ## [Unreleased] form.
Changelog

Sourced from mindsers/changelog-reader-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

[2.4.0] - 2026-05-20

Added

  • New changes_file output: a path to a temporary file containing the matched entry's text, for tools that consume release notes as a file (goreleaser, gh release create --notes-file, etc.). Resolves #68.
  • New version_scheme input (semver default, or pep440) enabling extraction and validation of Python PEP 440 version identifiers like 0.1.0a1. Resolves #38.

Security

  • Harden the reference-link parsing regex against catastrophic backtracking (CodeQL js/redos). The previous pattern had a . character in two overlapping character classes; a hostile CHANGELOG line could in principle trigger exponential matching time. The fix tightens the label character class without changing the regex's accepted inputs.

[2.3.0] - 2026-05-19

Changed

  • Use Node 24 as the action runtime.
  • Refactor the internal entry, validation, and pipeline modules for type safety and easier maintenance. No change in observable behavior for action consumers.
  • Modernize the bundled runtime dependencies: @actions/core 1.x → 2.x and the YAML parser 1.x → 2.x. The action's input/output contract is unchanged.

Fixed

  • Declare semver as a runtime dependency instead of a dev dependency.
  • Stop dumping the full CHANGELOG content to debug logs when parsing entries and links.
  • Detect the Unreleased heading case-insensitively when picking the most recent released entry.
  • Warn (instead of silently degrading) when validation_level or validation_depth inputs are invalid; fall back to safe defaults.
  • Warn (instead of silently using an empty config) when an explicit config_file does not exist.
  • Validate the shape of YAML/JSON config files; warn on per-field type mismatches and reject non-object roots.
  • Recognize bare ## Unreleased headings in addition to the bracketed ## [Unreleased] form.

[2.2.3] - 2024-03-10

Fixed

  • Upgrade dependencies to solve deprecation issues.
  • Use node v20
  • Remove useless empty line between links in the body of a version

[2.2.2] - 2022-11-23

Fixed

... (truncated)

Commits
  • 1faaf50 chore(release): v2.4.0
  • 5f62f39 feat: support PEP 440 versions via a version_scheme input (#123)
  • c8614b9 feat: add changes_file output (#68) (#122)
  • 6a1d138 fix: harden link-parsing regex against catastrophic backtracking (#121)
  • 695e5c9 chore(ci): use the action itself to extract release notes (#120)
  • 4b39e79 chore(release): v2.3.0
  • 5169600 fix: tighten input and config validation for v2.3.0 (#119)
  • a5d2d13 chore(deps): upgrade toolchain to current (Node 24, @​actions/core 2, yaml 2, ...
  • 5358d0b unify link handling, type rule results, extract pure pipeline (#117)
  • 347fff2 Phase 4: SECURITY.md, code of conduct, issue/PR templates, commitlint (#115)
  • Additional commits viewable in compare view

Updates docker/login-action from 4.0.0 to 4.2.0

Release notes

Sourced from docker/login-action's releases.

v4.2.0

Full Changelog: docker/login-action@v4.1.0...v4.2.0

v4.1.0

Full Changelog: docker/login-action@v4.0.0...v4.1.0

Commits
  • 650006c Merge pull request #960 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
  • 99df1a3 chore: update generated content
  • 3ab375f build(deps): bump the aws-sdk-dependencies group across 1 directory with 2 up...
  • 39d8580 Merge pull request #970 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 4eefcd3 chore: update generated content
  • 56d092c build(deps): bump @​docker/actions-toolkit from 0.86.0 to 0.90.0
  • e2e31ca Merge pull request #976 from docker/dependabot/npm_and_yarn/actions/core-3.0.1
  • 0bced94 chore: update generated content
  • 3e75a0f build(deps): bump @​actions/core from 3.0.0 to 3.0.1
  • 365bebd Merge pull request #984 from docker/dependabot/github_actions/aws-actions/con...
  • Additional commits viewable in compare view

Updates sigstore/cosign-installer from 4.1.1 to 4.1.2

Release notes

Sourced from sigstore/cosign-installer's releases.

v4.1.2

What's Changed

Commits

Updates actions/cache from 5.0.4 to 5.0.5

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

Full Changelog: actions/cache@v5...v5.0.5

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

  • Bump @actions/cache to v5.0.3 #1692

5.0.1

  • Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
deps: Bump the github-actions group across 1 directory with 4 updates
7337a38 
Bumps the github-actions group with 4 updates in the / directory: [mindsers/changelog-reader-action](https://github.com/mindsers/changelog-reader-action), [docker/login-action](https://github.com/docker/login-action), [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [actions/cache](https://github.com/actions/cache).


Updates `mindsers/changelog-reader-action` from 2.2.3 to 2.4.0
- [Release notes](https://github.com/mindsers/changelog-reader-action/releases)
- [Changelog](https://github.com/mindsers/changelog-reader-action/blob/master/CHANGELOG.md)
- [Commits](mindsers/changelog-reader-action@32aa5b4...1faaf50)

Updates `docker/login-action` from 4.0.0 to 4.2.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@b45d80f...650006c)

Updates `sigstore/cosign-installer` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@cad07c2...6f9f177)

Updates `actions/cache` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@6682284...27d5ce7)

---
updated-dependencies:
- dependency-name: mindsers/changelog-reader-action
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: docker/login-action
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 25, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 25, 2026 18:30
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 25, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 2, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 2, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/github-actions-f56e83b4ad branch June 2, 2026 12:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants