ci: bump the gh-actions group across 1 directory with 7 updates

[dependabot]

Bumps the gh-actions group with 7 updates in the / directory:

Package	From	To
Quantco/ui-actions	1.0.19	1.0.20
actions/upload-artifact	7.0.0	7.0.1
softprops/action-gh-release	2.6.1	3.0.0
marocchino/sticky-pull-request-comment	3.0.2	3.0.4
release-drafter/release-drafter	6.2.0	7.3.1
prefix-dev/setup-pixi	0.9.4	0.9.6
github/codeql-action	4.32.4	4.36.0

Updates Quantco/ui-actions from 1.0.19 to 1.0.20

Commits

• 5bfb8ce Add support for node 24 (#19)
• 2d42bd0 Merge pull request #18 from Quantco/pinact-pin-actions
• e4f3c0c chore: Pin GitHub Actions dependencies with pinact
• See full diff in compare view

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

• Update the readme with direct upload details by @​danwkennedy in actions/upload-artifact#795
• Readme: bump all the example versions to v7 by @​danwkennedy in actions/upload-artifact#796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in actions/upload-artifact#797

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits

• 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
• 634250c Include changes in typespec/ts-http-runtime 0.3.5
• e454baa Readme: bump all the example versions to v7 (#796)
• 74fad66 Update the readme with direct upload details (#795)
• See full diff in compare view

Updates softprops/action-gh-release from 2.6.1 to 3.0.0

Release notes

Sourced from softprops/action-gh-release's releases.

v3.0.0

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24. Use v3 on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on v2.6.2.

What's Changed

Other Changes 🔄

• Move the action runtime and bundle target to Node 24
• Update @types/node to the Node 24 line and allow future Dependabot updates
• Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

v2.6.2

What's Changed

Other Changes 🔄

• chore(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in softprops/action-gh-release#775
• chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 by @​dependabot[bot] in softprops/action-gh-release#777
• chore(deps): bump vite from 8.0.0 to 8.0.5 by @​dependabot[bot] in softprops/action-gh-release#781

Full Changelog: softprops/action-gh-release@v2...v2.6.2

Changelog

Sourced from softprops/action-gh-release's changelog.

3.0.0

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24. Use v3 on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on v2.6.2.

What's Changed

Other Changes 🔄

• Move the action runtime and bundle target to Node 24
• Update @types/node to the Node 24 line and allow future Dependabot updates
• Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

2.6.2

What's Changed

Other Changes 🔄

• chore(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in softprops/action-gh-release#775
• chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 by @​dependabot[bot] in softprops/action-gh-release#777
• chore(deps): bump vite from 8.0.0 to 8.0.5 by @​dependabot[bot] in softprops/action-gh-release#781

2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: preserve discussion category on publish by @​chenrui333 in softprops/action-gh-release#765

2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

... (truncated)

Commits

• b430933 release: cut v3.0.0 for Node 24 upgrade (#670)
• c2e35e0 chore(deps): bump the npm group across 1 directory with 7 updates (#783)
• 3bb1273 release 2.6.2
• c34030f chore: bump node to 24.14.1
• 8975bd0 chore(deps): bump vite from 8.0.0 to 8.0.5 (#781)
• f71937f chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 (#777)
• 3f0d239 chore(deps): bump picomatch from 4.0.3 to 4.0.4 (#775)
• See full diff in compare view

Updates marocchino/sticky-pull-request-comment from 3.0.2 to 3.0.4

Release notes

Sourced from marocchino/sticky-pull-request-comment's releases.

v3.0.4

What's Changed

• build(deps-dev): Bump vite from 8.0.3 to 8.0.5 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1679
• build(deps-dev): Bump vitest from 4.1.2 to 4.1.3 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1680
• build(deps-dev): Bump @​types/node from 25.5.2 to 25.6.0 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1684
• build(deps): Bump @​actions/github from 9.0.0 to 9.1.0 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1683
• build(deps-dev): Bump vitest from 4.1.3 to 4.1.4 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1682
• build(deps-dev): Bump @​biomejs/biome from 2.4.10 to 2.4.11 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1681

Full Changelog: marocchino/sticky-pull-request-comment@v3.0.3...v3.0.4

v3.0.3

What's Changed

• Move validateExclusiveModes before getBody for fail-fast validation by @​Copilot in marocchino/sticky-pull-request-comment#1663
• Add number_force that overrides pull_request number by @​rossjrw in marocchino/sticky-pull-request-comment#1652
• build(deps-dev): Bump @​biomejs/biome from 2.4.6 to 2.4.7 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1666
• build(deps): Bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1673
• build(deps-dev): Bump vitest from 4.1.0 to 4.1.2 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1674
• build(deps-dev): Bump rollup from 4.59.0 to 4.60.1 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1676
• build(deps-dev): Bump @​types/node from 25.5.0 to 25.5.2 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1677
• build(deps-dev): Bump @​biomejs/biome from 2.4.7 to 2.4.10 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1675
• build(deps): Bump brace-expansion by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1678
• build(deps-dev): Bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1670

New Contributors

• @​rossjrw made their first contribution in marocchino/sticky-pull-request-comment#1652

Full Changelog: marocchino/sticky-pull-request-comment@v3.0.2...v3.0.3

Commits

• 0ea0beb 📦️ Build
• df6c1bd build(deps-dev): Bump @​biomejs/biome from 2.4.10 to 2.4.11 (#1681)
• 3ad213f build(deps-dev): Bump vitest from 4.1.3 to 4.1.4 (#1682)
• 58072e5 build(deps): Bump @​actions/github from 9.0.0 to 9.1.0 (#1683)
• 313a938 build(deps-dev): Bump @​types/node from 25.5.2 to 25.6.0 (#1684)
• 159c677 build(deps-dev): Bump vitest from 4.1.2 to 4.1.3 (#1680)
• b37c1a1 build(deps-dev): Bump vite from 8.0.3 to 8.0.5 (#1679)
• d4d6b09 📦️ Build
• 3868baa build(deps-dev): Bump typescript from 5.9.3 to 6.0.2 (#1670)
• 26f73b0 build(deps): Bump brace-expansion (#1678)
• Additional commits viewable in compare view

Updates release-drafter/release-drafter from 6.2.0 to 7.3.1

Release notes

Sourced from release-drafter/release-drafter's releases.

v7.3.1

What's Changed

Bug Fixes

• fix: output name and tag_name in dry-run mode (#1625) @​cchanche

Maintenance

• chore(deps): update graphql-codegen to 7.0.0 (#1619) @renovate[bot]
• chore(deps): update dependency nock to 14.0.15 (#1609) @renovate[bot]
• chore(deps): update graphql-codegen (#1615) @renovate[bot]
• chore(deps): update dependency typescript to 6.0.3 (#1610) @renovate[bot]
• ci(deps): update actions/download-artifact action to v8.0.1 (#1620) @renovate[bot]
• chore(deps): update dependency @​types/node to 24.12.3 (#1608) @renovate[bot]
• chore(deps): update vitest to 4.1.5 (#1612) @renovate[bot]
• chore(deps): update dependency @​biomejs/biome to 2.4.15 (#1607) @renovate[bot]
• chore(deps): update dependency vite to 8.0.11 (#1611) @renovate[bot]
• ci(deps): pin dependencies (#1606) @renovate[bot]

Dependency Updates

• chore(deps): update node.js to v24.15.0 (#1616) @renovate[bot]
• chore(deps): update vite to v8.0.13 and vitest to v4.1.6 (#1624) @​cchanche
• fix(deps): update dependency semver to 7.8.0 (#1622) @renovate[bot]
• chore(deps): update npm tool constraint to 11.14.1 (#1617) @renovate[bot]
• fix(deps): update dependency zod to 4.4.3 (#1618) @renovate[bot]
• fix(deps): update actions (#1613) @renovate[bot]
• chore(deps): update dependency @​biomejs/biome to 2.4.15 (#1607) @renovate[bot]
• fix(deps): update dependency yaml to 2.8.4 (#1614) @renovate[bot]

Full Changelog: release-drafter/release-drafter@v7.3.0...v7.3.1

v7.3.0

What's Changed

New

• feat: recover recently merged PRs missed by associated PRs lag (#1604) @​jetersen
• feat: switch release discovery to ref comparison and explicit missing-baseline warnings (#1570) @​jetersen

Bug Fixes

• fix: restore prerelease-identifier on first run when no prior releases exist (#1602) @​jrbeilke
• fix: prevent using commitish like refs/pull (#1598) @​cchanche

... (truncated)

Commits

• 693d20e chore: release v7.3.1
• 8339e41 docs: update contributing docs for release process
• 62d8da4 fix: output name and tag_name in dry-run mode (#1625)
• 2c6d395 chore(deps): update node.js to v24.15.0 (#1616)
• 3b62240 chore(deps): update vite to v8.0.13 and vitest to v4.1.6 (#1624)
• 446e151 fix(deps): adapt to graphql-codegen 7 type changes
• 4cd06dc chore(deps): update graphql-codegen to 7.0.0
• 8045768 fix(deps): update dependency semver to 7.8.0
• 1cf836b ci(release): use local action for publish step
• 485c120 chore(deps): update npm tool constraint to 11.14.1
• Additional commits viewable in compare view

Updates prefix-dev/setup-pixi from 0.9.4 to 0.9.6

Release notes

Sourced from prefix-dev/setup-pixi's releases.

v0.9.6

What's Changed

✨ New features

• feat: Add persist-credentials option by @​AndreasAlbertQC in prefix-dev/setup-pixi#266

⬆️ Dependency updates

• chore(deps): bump the gh-actions group with 4 updates by @​dependabot[bot] in prefix-dev/setup-pixi#261
• chore(deps): bump the gh-actions group with 5 updates by @​dependabot[bot] in prefix-dev/setup-pixi#263
• chore(deps): bump the nodejs group with 6 updates by @​dependabot[bot] in prefix-dev/setup-pixi#264

🤷🏻 Other changes

• add octo-sts by @​pavelzw in prefix-dev/setup-pixi#262

New Contributors

• @​AndreasAlbertQC made their first contribution in prefix-dev/setup-pixi#266

Full Changelog: prefix-dev/setup-pixi@v0.9.5...v0.9.6

v0.9.5

What's Changed

📝 Documentation

• Fix broken authentication documentation link by @​Copilot in prefix-dev/setup-pixi#252

⬆️ Dependency updates

• chore(deps): bump the gh-actions group across 1 directory with 3 updates by @​dependabot[bot] in prefix-dev/setup-pixi#253
• chore(deps): bump the nodejs group with 7 updates by @​dependabot[bot] in prefix-dev/setup-pixi#250
• chore(deps): bump Quantco/ui-actions from 1.0.18 to 1.0.19 in the gh-actions group by @​dependabot[bot] in prefix-dev/setup-pixi#256
• chore(deps): bump the nodejs group with 10 dependencies by @​dependabot[bot] in prefix-dev/setup-pixi#257
• chore(deps): bump dependencies by @​dependabot[bot] in prefix-dev/setup-pixi#259

🤷🏻 Other changes

• docs: Mention cooldown in dependabot config by @​pavelzw in prefix-dev/setup-pixi#247

New Contributors

• @​Copilot made their first contribution in prefix-dev/setup-pixi#252

Full Changelog: prefix-dev/setup-pixi@v0.9.4...v0.9.5

Commits

• 5185adf feat: Add persist-credentials option (#266)
• 92596c3 chore(deps): bump the nodejs group with 6 updates (#264)
• 68a459a chore(deps): bump the gh-actions group with 5 updates (#263)
• 8ce6348 add octo-sts (#262)
• b92f010 Reference latest Pixi version in README (#260)
• 46d4c99 chore(deps): bump the gh-actions group with 4 updates (#261)
• 1b2de7f chore(deps): bump dependencies (#259)
• 6ef6983 chore(deps): bump the nodejs group with 10 dependencies (#257)
• e6477eb chore(deps): bump Quantco/ui-actions from 1.0.18 to 1.0.19 in the gh-actions ...
• 33be5ba chore(deps): bump the nodejs group with 7 updates (#250)
• Additional commits viewable in compare view

Updates github/codeql-action from 4.32.4 to 4.36.0

Release notes

Sourced from github/codeql-action's releases.

v4.36.0

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
• Add support for SHA-256 Git object IDs. #3893
• Update default CodeQL bundle version to 2.25.5. #3926

v4.35.5

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

v4.35.4

• Update default CodeQL bundle version to 2.25.4. #3881

v4.35.3

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

v4.35.2

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

v4.35.1

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

v4.35.0

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

v4.34.1

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

v4.34.0

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
• Update default CodeQL bundle version to 2.25.0. #3585

v4.33.0

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.36.1 - 02 Jun 2026

No user facing changes.

4.36.0 - 22 May 2026

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
• Add support for SHA-256 Git object IDs. #3893
• Update default CodeQL bundle version to 2.25.5. #3926

4.35.5 - 15 May 2026

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

• Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

... (truncated)

Commits

• 7211b7c Merge pull request #3927 from github/update-v4.36.0-ebc2d9e2b
• 7740f2f Update changelog for v4.36.0
• ebc2d9e Merge pull request #3926 from github/update-bundle/codeql-bundle-v2.25.5
• d1f74b7 Add changelog note
• 2dc40ce Update default bundle to codeql-bundle-v2.25.5
• 8449852 Merge pull request #3910 from github/henrymercer/repo-size-diff-check
• 72ac23c Update excluded required check list
• c5297a2 Merge pull request #3919 from github/henrymercer/workflow-concurrency
• 8ffeae7 CI: Automatically cancel non-generated workflows
• f3f52bf Revert getErrorMessage import
• Additional commits viewable in compare view