chore(deps): update github actions

[agntcy-automation]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Pending
actions/cache	action	patch	v5.0.4 → v5.0.5
actions/checkout	action	minor	v4.1.7 → v4.3.1
actions/checkout	action	minor	v4 → v4.3.1
actions/create-github-app-token	action	minor	v3.0.0 → v3.1.1
actions/dependency-review-action	action	minor	v4.5.0 → v4.9.0
github/codeql-action	action	patch	v4.35.1 → v4.35.2
step-security/harden-runner	action	minor	v2.11.0 → v2.18.0	v2.19.0
super-linter/super-linter	action	minor	v7.2.1 → v7.4.0
webiny/action-conventional-commits	action	patch	v1.3.0 → v1.3.1

---

Release Notes

actions/cache (actions/cache)

v5.0.5

Compare Source

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in #​1747

Full Changelog: actions/cache@v5...v5.0.5

actions/checkout (actions/checkout)

v4.3.1

Compare Source

• Port v6 cleanup to v4 by @​ericsciple in #​2305

v4.3.0

Compare Source

• docs: update README.md by @​motss in #​1971
• Add internal repos for checking out multiple repositories by @​mouismail in #​1977
• Documentation update - add recommended permissions to Readme by @​benwells in #​2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in #​2044
• Update README.md by @​nebuk89 in #​2194
• Update CODEOWNERS for actions by @​TingluoHuang in #​2224
• Update package dependencies by @​salmanmkc in #​2236

v4.2.2

Compare Source

• url-helper.ts now leverages well-known environment variables by @​jww3 in #​1941
• Expand unit test coverage for isGhes by @​jww3 in #​1946

v4.2.1

Compare Source

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in #​1924

v4.2.0

Compare Source

• Add Ref and Commit outputs by @​lucacome in #​1180
• Dependency updates by @​dependabot- #​1777, #​1872

actions/create-github-app-token (actions/create-github-app-token)

v3.1.1

Compare Source

Bug Fixes

• improve error message when app identifier is empty (#​362) (07e2b76), closes #​249

v3.1.0

Compare Source

Bug Fixes

• deps: bump p-retry from 7.1.1 to 8.0.0 (#​357) (3bbe07d)

Features

• add client-id input and deprecate app-id (#​353) (e6bd4e6)
• update permission inputs (#​358) (076e948)

actions/dependency-review-action (actions/dependency-review-action)

v4.9.0: Dependency Review Action 4.9.0

Compare Source

This feature release contains a couple of notable changes:

• There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
• Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
• There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

• Compare normalized purls to account for encoding quirks by @​juxtin in #​1056
• Make purl comparisons case insensitive by @​juxtin in #​1057
• Feat: Add Patched Version to Vulnerabilities summary by @​felickz in #​1045
• fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @​jantiebot in #​1060
• Bump actions/stale from 10.1.0 to 10.2.0 by @​dependabot[bot] in #​1058
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in #​1021
• Updates for release 4.9.0 by @​ahpook in #​1064

New Contributors

• @​jantiebot made their first contribution in #​1060

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

v4.8.3: 4.8.3

Compare Source

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and upload them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

• GitHub Actions can't push to our protected main by @​dangoor in #​1017
• Bump actions/stale from 9.1.0 to 10.1.0 by @​dependabot[bot] in #​995
• Bump github/codeql-action from 3 to 4 by @​dependabot[bot] in #​1003
• Bump actions/setup-node from 4 to 6 by @​dependabot[bot] in #​1005
• Upgrade glob to address a vulnerability by @​brrygrdn in #​1024
• Bump js-yaml by @​dependabot[bot] in #​1020
• Addressing vulnerabilities by @​Ahmed3lmallah in #​1036
• Bump fast-xml-parser from 5.3.3 to 5.3.5 by @​dependabot[bot] in #​1050
• Bump fast-xml-parser from 5.3.5 to 5.3.6 by @​dependabot[bot] in #​1053
• Properly truncate long summaries and catch errors by @​juxtin in #​1052
• Bump spdx-expression-parse from 3.0.1 to 4.0.0 in the spdx-licenses group across 1 directory by @​dependabot[bot] in #​931
• Changes for Release 4.8.3 by @​ahpook in #​1054

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3

v4.8.2

Compare Source

Minor fixes:

• Fix PURL parsing for scoped packages (#​1008 from @​danielhardej)
• Fix for large summaries (#​1007 from @​gitulisca)
• README includes a working example for allow-dependencies-licenses (#​1009 from @​danielhardej)

v4.8.1: Dependency Review Action v4.8.1

Compare Source

What's Changed

• (bug) Fix spamming link test in deprecation warning (again) by @​ahpook in #​1000
• Bump version for 4.8.1 release by @​ahpook in #​1001

Full Changelog: actions/dependency-review-action@v4...v4.8.1

v4.8.0

Compare Source

What's Changed

• Make Ruby Code Scannable by @​ljones140 in #​978
• Batch some contributions for release by @​brrygrdn in #​986
  • Make license lists collapsable by @​jasperkamerling
  • feat: add large summary handling with artifact upload by @​MattMencel

New Contributors

• @​ljones140 made their first contribution in #​978
• @​jasperkamerling made their first contribution in #​986
• @​MattMencel made their first contribution in #​986

Full Changelog: actions/dependency-review-action@v4...v4.8.0

v4.7.4

Compare Source

v4.7.3: 4.7.3

Compare Source

What's Changed

• Add explicit permissions to workflow files by @​AshelyTC in #​966
• Claire153/fix spamming mentioned issue by @​claire153 in #​974

Full Changelog: actions/dependency-review-action@v4...v4.7.3

v4.7.2: 4.7.2

Compare Source

What's Changed

• Add Missing Languages to CodeQL Advanced Configuration by @​KyFaSt in #​945
• Deprecate deny lists by @​claire153 in #​958
• Address discrepancy between docs and reality by @​ahpook in #​960

New Contributors

• @​KyFaSt made their first contribution in #​945
• @​claire153 made their first contribution in #​958
• @​ahpook made their first contribution in #​960

Full Changelog: actions/dependency-review-action@v4...v4.7.2

v4.7.1

Compare Source

• Packages added to allow-dependencies-licenses will be allowed even if the package in question has no license information #​889
• License expressions (e.g. Ruby OR GPL-2.0) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifier (e.g. Ruby)

v4.7.0

Compare Source

• Handle complex license expressions (e.g. MIT AND GPL-2.0) in allow lists (fixes #​809 and probably others)
• Replace OTHER in package licenses with LicenseRef-clearlydefined-OTHER so that parsing passes

v4.6.0

Compare Source

What's Changed

• Updating multiple dependency versions by @​Ahmed3lmallah in #​870
• Grouping minor and patch dependabot updates to lessen the number of PRs by @​Ahmed3lmallah in #​876
• Bump actions/stale from 9.0.0 to 9.1.0 by @​dependabot in #​878
• Bump undici from 5.28.4 to 5.28.5 by @​dependabot in #​877
• DR Action should link to the proxima stamp when appropriate in error messages by @​AshelyTC in #​891
• Allow deny package removal by @​ellenfieldn in #​888
• Fix typos by @​omahs in #​893
• Bump esbuild from 0.19.5 to 0.25.0 by @​dependabot in #​900
• Bump octokit and related dependencies by @​RomanIakovlev in #​904
• Bump @​babel/helpers from 7.23.2 to 7.26.10 by @​dependabot in #​905
• Bump @​octokit/plugin-paginate-rest from 9.1.5 to 9.2.2 by @​dependabot in #​899
• Update transitive dependency spdx-license-ids by @​ailox in #​855
• To not print OpenSSF Scorecard section if no dependencies scanned by @​fabasoad in #​884
• Improve usage of this action in dependency-review.yml by @​fabasoad in #​883
• Clarify comment-summary-in-pr behaviour by @​Pantelis-Santorinios in #​902
• Prepare 4.6.0 Release candidate by @​brrygrdn in #​910

New Contributors

• @​AshelyTC made their first contribution in #​891
• @​ellenfieldn made their first contribution in #​888
• @​omahs made their first contribution in #​893
• @​RomanIakovlev made their first contribution in #​904
• @​ailox made their first contribution in #​855
• @​fabasoad made their first contribution in #​884
• @​Pantelis-Santorinios made their first contribution in #​902
• @​brrygrdn made their first contribution in #​910

Full Changelog: actions/dependency-review-action@v4.5.0...v4.6.0

github/codeql-action (github/codeql-action)

v4.35.2

Compare Source

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #​3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #​3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #​3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #​3807
• Update default CodeQL bundle version to 2.25.2. #​3823

step-security/harden-runner (step-security/harden-runner)

v2.18.0

Compare Source

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

v2.17.0

Compare Source

What's Changed

Policy Store Support

Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode.

Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0

v2.16.1

Compare Source

What's Changed

Enterprise tier: Added support for direct IP addresses in the allow list
Community tier: Migrated Harden Runner telemetry to a new endpoint

Full Changelog: step-security/harden-runner@v2.16.0...v2.16.1

v2.16.0

Compare Source

What's Changed

• Updated action.yml to use node24
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

v2.15.1

Compare Source

What's Changed

• Fixes #​642 bug due to which post step was failing on Windows ARM runners
• Updates npm packages

Full Changelog: step-security/harden-runner@v2.15.0...v2.15.1

v2.15.0

Compare Source

What's Changed

Windows and macOS runner support

We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.

Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.

Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0

v2.14.2

Compare Source

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

v2.14.1

Compare Source

What's Changed

1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

v2.14.0

Compare Source

What's Changed

• Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
• Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.

Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0

v2.13.3

Compare Source

What's Changed

• Fixed an issue where process events were not uploaded in certain edge cases.

Full Changelog: step-security/harden-runner@v2.13.2...v2.13.3

v2.13.2

Compare Source

What's Changed

• Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
• Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.

Full Changelog: step-security/harden-runner@v2.13.1...v2.13.2

v2.13.1

Compare Source

What's Changed

• Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.

• Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.

• Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.

Full Changelog: step-security/harden-runner@v2.13.0...v2.13.1

v2.13.0

Compare Source

What's Changed

• Improved job markdown summary
• Https monitoring for all domains (included with the enterprise tier)

Full Changelog: step-security/harden-runner@v2...v2.13.0

v2.12.2

Compare Source

What's Changed

Added HTTPS Monitoring for additional destinations - *.githubusercontent.com
Bug fixes:

• Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
• Increased policy map size for block mode

Full Changelog: step-security/harden-runner@v2...v2.12.2

v2.12.1

Compare Source

What's Changed

• Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
• Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.

Full Changelog: step-security/harden-runner@v2...v2.12.1

v2.12.0

Compare Source

What's Changed

1. A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.

2. New detections have been added based on insights from the tj-actions and reviewdog actions incidents.

Full Changelog: step-security/harden-runner@v2...v2.12.0

v2.11.1

Compare Source

What's Changed

• cache: add support for GitHub Actions cache v2 by @​h0x0er in #​529

Full Changelog: step-security/harden-runner@v2...v2.11.1

super-linter/super-linter (super-linter/super-linter)

v7.4.0

Compare Source

🚀 Features

• add env var for npm-groovy-lint failon level (#​6530) (418c922)
• check in-progress commit msg with commitlint (#​6757) (57345c5), closes #​6411
• disable xmllint verbose output if debuging (#​6747) (e6c42ca), closes #​6653
• do not hide php composer output (#​6637) (1c62141)
• pass optional arguments to gitleaks (#​6756) (109384b), closes #​6601
• set github_before_sha on pull requests (#​6687) (d7f5222)
• support eslint flat config files (#​6619) (d349d57)
• support ktlint format fix (#​6748) (5cb5915), closes #​6618
• warn the user on conflicting tools (#​6759) (b4aaae9)

🐛 Bugfixes

• check if commit count is defined before using (#​6733) (d007229)
• check return code and misc test improvements (#​6697) (7f46ec3)
• configure nbqa tools (#​6761) (e31adf9), closes #​6736
• consider git dirs safe (#​6675) (101d5a6)
• do not use a pager on git log (#​6765) (f5bae0c)
• emit prettier verbose output when debugging (#​6636) (4e1eb5f)
• export github_before_sha (#​6714) (6401906)
• fix default values for prettier fix vars (#​6769) (4230ecc), closes #​6768
• more robust error checking and test fixes (#​6693) (1c70566)
• skip symbolic links when passing files to prettier (#​6620) (417a58a)
• update editorconfig-checker config file name (#​6730) (72f02f0)

⬆️ Dependency updates

• bundler: bump the rubocop group in /dependencies with 10 updates (#​6661) (2757a99)
• bundler: bump the rubocop group in /dependencies with 4 updates (#​6782) (17cf935)
• docker: bump python in the docker-base-images group (#​6723) (960298b)
• docker: bump the docker group across 1 directory with 17 updates (#​6776) (8b602a4)
• java: bump com.google.googlejavaformat:google-java-format (#​6780) (aa3f3f8)
• java: bump com.puppycrawl.tools:checkstyle (#​6639) (59f2b6b)
• npm: bump @​babel/eslint-parser in /dependencies (#​6762) (fd53895)
• npm: bump @​babel/runtime-corejs3 (#​6651) (8fbf79e)
• npm: bump @​stoplight/spectral-cli in /dependencies (#​6742) (56355b5)
• npm: bump asl-validator from 3.13.0 to 3.14.0 in /dependencies (#​6631) (30aa4b3)
• npm: bump asl-validator from 3.14.0 to 3.15.0 in /dependencies (#​6777) (660f7dc)
• npm: bump next (#​6676) (f171ee5)
• npm: bump next (#​6708) (43faf95)
• npm: bump next (#​6729) (536538a)
• npm: bump npm-groovy-lint from 15.1.0 to 15.2.0 in /dependencies (#​6779) (c19a3da)
• npm: bump prettier from 3.5.2 to 3.5.3 in /dependencies (#​6629) (6864c8c)
• npm: bump renovate from 39.179.1 to 40.3.4 in /dependencies (#​6763) (5e7e921)
• npm: bump renovate from 40.10.4 to 40.11.8 in /dependencies (#​6778) (25d4ced)
• npm: bump textlint (#​6658) (1a148c6)
• npm: bump the commitlint group across 1 directory with 2 updates (#​6640) (52c90a9)
• npm: bump the npm_and_yarn group across 1 directory with 2 updates (#​6735) (0970742)
• npm: bump the stylelint group across 1 directory with 2 updates (#​6717) (edf5fa5)
• npm: bump the stylelint group across 1 directory with 3 updates (#​6775) (f8df7f6)
• python: bump the pip group across 1 directory with 10 updates (#​6727) (e9188d1)
• python: bump the pip group across 1 directory with 3 updates (#​6781) (e154957)

🧰 Maintenance

• cache multi-stage build (#​6678) (945b682)
• cache the base image stage (#​6689) (920b5da)
• dedicated ruby install stage (#​6760) (d8d8307)
• deps: bump the go_modules group across 2 directories with 1 update (#​6652) (df21f1f)
• deps: bump the go_modules group across 2 directories with 1 update (#​6725) (f363113)
• dev-docker: bump node in /dev-dependencies (#​6718) (28777a1)
• dev-npm: bump the npm_and_yarn group across 1 directory with 4 updates (#​6745) (a125e97)
• free disk space (#​6732) (befeed0)
• github-actions: bump actions/download-artifact (#​6741) (cb670ef)
• github-actions: bump the dev-ci-tools group across 1 directory with 4 updates (#​6683) (135f511)
• login to container registry (#​6686) (2e48f55)
• reduce container image size (#​5630) (1139f5c)
• retry when cloning chktex (#​6774) (433401e)
• update dependencies (#​6758) (e926803)
• update deps and fix devcontainer mounts (#​6677) (f555b63)
• update gitlab documentation (#​6617) (8a9bf8f)
• update go modules test to use deps (#​6670) (8eeba78)
• update readme (#​6746) (13b6e8e), closes #​6713
• use python venv instead of virtualenv (#​6669) (b7dd3fc)

v7.3.0

Compare Source

🚀 Features

• add nbqa linter for jupyter notebooks (#​6240) (469f30e)
• composer install with any php linters (#​6599) (9f7f83b), closes #​6336 #​6598 #​6597
• enable scss linting by default (#​6408) (ff470a9)
• golangci-lint: add possibility to specify custom config file (#​6558) (4a4ab1e)
• update eslint configuration (#​6590) (d0b304a)

🐛 Bugfixes

• handle push tag events on merge commits (#​6204) (36971e1), closes #​6193

⬆️ Dependency updates

• bundler: bump the rubocop group across 1 directory with 4 updates (#​6567) (e6340f4)
• bundler: bump the rubocop group in /dependencies with 2 updates (#​6602) (d85ded7)
• docker: bump the docker group across 1 directory with 16 updates (#​6591) (1da80af)
• java: bump com.google.googlejavaformat:google-java-format (#​6442) (a819ff6)
• java: bump the java-gradle group acr