ci(deps): bump the actions group across 1 directory with 12 updates

[dependabot]

Bumps the actions group with 12 updates in the / directory:

Package	From	To
actions/checkout	6.0.2	6.0.3
actions/upload-artifact	7.0.0	7.0.1
golangci/golangci-lint-action	9.2.0	9.2.1
aquasecurity/trivy-action	0.35.0	0.36.0
actions/cache	5.0.4	5.0.5
marocchino/sticky-pull-request-comment	3.0.3	3.0.4
actions/github-script	8.0.0	9.0.0
codecov/codecov-action	6.0.0	6.0.1
actions/setup-node	6.3.0	6.4.0
goreleaser/goreleaser-action	7.0.0	7.2.2
aquasecurity/setup-trivy	0.2.6	0.3.1
github/codeql-action	4.35.1	4.36.1

Updates actions/checkout from 6.0.2 to 6.0.3

Release notes

Sourced from actions/checkout's releases.

v6.0.3

What's Changed

• Update changelog by @​ericsciple in actions/checkout#2357
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414
• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• Update changelog for v6.0.3 by @​yaananth in actions/checkout#2446

New Contributors

• @​yaananth made their first contribution in actions/checkout#2414

Full Changelog: actions/checkout@v6...v6.0.3

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.3

• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774

... (truncated)

Commits

• df4cb1c Update changelog for v6.0.3 (#2446)
• 1cce339 Fix checkout init for SHA-256 repositories (#2439)
• 900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
• 0c366fd Update changelog (#2357)
• See full diff in compare view

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

• Update the readme with direct upload details by @​danwkennedy in actions/upload-artifact#795
• Readme: bump all the example versions to v7 by @​danwkennedy in actions/upload-artifact#796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in actions/upload-artifact#797

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits

• 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
• 634250c Include changes in typespec/ts-http-runtime 0.3.5
• e454baa Readme: bump all the example versions to v7 (#796)
• 74fad66 Update the readme with direct upload details (#795)
• See full diff in compare view

Updates golangci/golangci-lint-action from 9.2.0 to 9.2.1

Release notes

Sourced from golangci/golangci-lint-action's releases.

v9.2.1

What's Changed

IMPORTANT: this is the first immutable release.

Changes

• chore: improve workflows by @​ldez in golangci/golangci-lint-action#1394

Dependencies

• build(deps-dev): bump the dev-dependencies group with 3 updates by @​dependabot[bot] in golangci/golangci-lint-action#1325
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1326
• build(deps): bump the dependencies group with 4 updates by @​dependabot[bot] in golangci/golangci-lint-action#1327
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1328
• build(deps): bump @​types/node from 25.0.2 to 25.0.3 in the dependencies group by @​dependabot[bot] in golangci/golangci-lint-action#1329
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1330
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1332
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1333
• build(deps): bump the dependencies group with 6 updates by @​dependabot[bot] in golangci/golangci-lint-action#1334
• build(deps-dev): bump the dev-dependencies group with 4 updates by @​dependabot[bot] in golangci/golangci-lint-action#1335
• build(deps): bump the dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1336
• build(deps-dev): bump the dev-dependencies group with 3 updates by @​dependabot[bot] in golangci/golangci-lint-action#1337
• build(deps): bump @​types/node from 25.0.9 to 25.0.10 in the dependencies group by @​dependabot[bot] in golangci/golangci-lint-action#1338
• build(deps): bump fast-xml-parser from 5.3.3 to 5.3.4 by @​dependabot[bot] in golangci/golangci-lint-action#1339
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot[bot] in golangci/golangci-lint-action#1340
• build(deps-dev): bump the dev-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in golangci/golangci-lint-action#1344
• build(deps): bump fast-xml-parser from 5.3.4 to 5.3.6 by @​dependabot[bot] in golangci/golangci-lint-action#1346
• build(deps): bump minimatch by @​dependabot[bot] in golangci/golangci-lint-action#1348
• build(deps): bump minimatch from 3.1.3 to 3.1.5 by @​dependabot[bot] in golangci/golangci-lint-action#1350
• build(deps): bump fast-xml-parser from 5.3.6 to 5.4.1 by @​dependabot[bot] in golangci/golangci-lint-action#1351
• build(deps): bump fast-xml-parser from 5.4.1 to 5.5.6 by @​dependabot[bot] in golangci/golangci-lint-action#1357
• build(deps): bump fast-xml-parser from 5.5.6 to 5.5.7 by @​dependabot[bot] in golangci/golangci-lint-action#1358
• build(deps-dev): bump flatted from 3.3.3 to 3.4.2 by @​dependabot[bot] in golangci/golangci-lint-action#1359
• build(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in golangci/golangci-lint-action#1364
• build(deps): bump yaml from 2.8.2 to 2.8.3 by @​dependabot[bot] in golangci/golangci-lint-action#1365
• build(deps): bump brace-expansion by @​dependabot[bot] in golangci/golangci-lint-action#1370
• build(deps-dev): bump the dev-dependencies group across 1 directory with 7 updates by @​ldez in golangci/golangci-lint-action#1374
• build(deps): bump github/codeql-action from 4 to 4.35.2 by @​dependabot[bot] in golangci/golangci-lint-action#1384
• build(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 by @​dependabot[bot] in golangci/golangci-lint-action#1386
• build(deps): bump github/codeql-action from 4.35.2 to 4.35.3 by @​dependabot[bot] in golangci/golangci-lint-action#1389
• build(deps): bump github/codeql-action from 4.35.3 to 4.35.4 by @​dependabot[bot] in golangci/golangci-lint-action#1391

Full Changelog: golangci/golangci-lint-action@v9.2.0...v9.2.1

Commits

• 82606bf chore: prepare release v9.2.1
• 97c8387 chore: improve workflows (#1394)
• 28d0a19 build(deps): bump the dependencies group across 1 directory with 2 updates
• 633fbc7 build(deps): bump github/codeql-action from 4.35.3 to 4.35.4 (#1391)
• 59f43e2 build(deps): bump github/codeql-action from 4.35.2 to 4.35.3 (#1389)
• 9eb174e build(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 (#1386)
• 4f52504 build(deps): bump github/codeql-action from 4 to 4.35.2 (#1384)
• 6f87dfd docs: update examples
• c9500d7 chore: improve workflows
• 03b1faa chore: improve issue templates
• Additional commits viewable in compare view

Updates aquasecurity/trivy-action from 0.35.0 to 0.36.0

Release notes

Sourced from aquasecurity/trivy-action's releases.

v0.36.0

What's Changed

• chore(ci): update bump-trivy workflow by @​DmitriyLewen in aquasecurity/trivy-action#546
• ci: use action.yaml as single source of truth for Trivy version by @​nikpivkin in aquasecurity/trivy-action#552
• ci: replace peter-evans/create-pull-request with gh CLI by @​nikpivkin in aquasecurity/trivy-action#550
• test: use pinned digests for trivy-db, trivy-java-db and trivy-checks by @​nikpivkin in aquasecurity/trivy-action#555
• ci: add dependabot config by @​nikpivkin in aquasecurity/trivy-action#556
• chore: add zizmor config by @​nikpivkin in aquasecurity/trivy-action#557
• chore(deps): bump the actions group with 5 updates by @​dependabot[bot] in aquasecurity/trivy-action#558
• fix: use portable shebang in entrypoint.sh by @​Hayao0819 in aquasecurity/trivy-action#545
• Fix typo in GOOGLE_APPLICATION_CREDENTIALS env var name by @​patrik-csak in aquasecurity/trivy-action#547
• Upgrade Trivy action version from 0.33.1 to 0.35.0 fixes #549 by @​Aditya09-cse in aquasecurity/trivy-action#548
• chore: use GitHub Actions as git commit author in bump-trivy workflow by @​nikpivkin in aquasecurity/trivy-action#561
• chore(deps): Update trivy to v0.70.0 by @​Argon-DevOps-Mgt in aquasecurity/trivy-action#559
• chore: update action version to v0.36.0 in examples by @​nikpivkin in aquasecurity/trivy-action#563

New Contributors

• @​dependabot[bot] made their first contribution in aquasecurity/trivy-action#558
• @​Hayao0819 made their first contribution in aquasecurity/trivy-action#545
• @​patrik-csak made their first contribution in aquasecurity/trivy-action#547
• @​Aditya09-cse made their first contribution in aquasecurity/trivy-action#548
• @​Argon-DevOps-Mgt made their first contribution in aquasecurity/trivy-action#559

Full Changelog: aquasecurity/trivy-action@v0.35.0...v0.36.0

Commits

• ed142fd chore: update action version to v0.36.0 in examples (#563)
• dea62cf chore(deps): Update trivy to v0.70.0 (#559)
• 128d9a8 chore: use GitHub Actions as git commit author in bump-trivy workflow (#561)
• 876cf04 Upgrade Trivy action version from 0.33.1 to 0.35.0 fixes #549 (#548)
• dada784 Fix typo in GOOGLE_APPLICATION_CREDENTIALS env var name (#547)
• 4a2deec fix: use portable shebang in entrypoint.sh (#545)
• 1994662 chore(deps): bump the actions group with 5 updates (#558)
• 6b36659 chore: add zizmor config (#557)
• 316aa5a ci: add dependabot config (#556)
• 264c9c5 test: use pinned digests for trivy-db, trivy-java-db and trivy-checks (#555)
• Additional commits viewable in compare view

Updates actions/cache from 5.0.4 to 5.0.5

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in actions/cache#1747

Full Changelog: actions/cache@v5...v5.0.5

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

• 27d5ce7 Merge pull request #1747 from actions/yacaovsnc/update-dependency
• f280785 licensed changes
• 619aeb1 npm run build generated dist files
• bcf16c2 Update ts-http-runtime to 0.3.5
• See full diff in compare view

Updates marocchino/sticky-pull-request-comment from 3.0.3 to 3.0.4

Release notes

Sourced from marocchino/sticky-pull-request-comment's releases.

v3.0.4

What's Changed

• build(deps-dev): Bump vite from 8.0.3 to 8.0.5 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1679
• build(deps-dev): Bump vitest from 4.1.2 to 4.1.3 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1680
• build(deps-dev): Bump @​types/node from 25.5.2 to 25.6.0 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1684
• build(deps): Bump @​actions/github from 9.0.0 to 9.1.0 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1683
• build(deps-dev): Bump vitest from 4.1.3 to 4.1.4 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1682
• build(deps-dev): Bump @​biomejs/biome from 2.4.10 to 2.4.11 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1681

Full Changelog: marocchino/sticky-pull-request-comment@v3.0.3...v3.0.4

Commits

• 0ea0beb 📦️ Build
• df6c1bd build(deps-dev): Bump @​biomejs/biome from 2.4.10 to 2.4.11 (#1681)
• 3ad213f build(deps-dev): Bump vitest from 4.1.3 to 4.1.4 (#1682)
• 58072e5 build(deps): Bump @​actions/github from 9.0.0 to 9.1.0 (#1683)
• 313a938 build(deps-dev): Bump @​types/node from 25.5.2 to 25.6.0 (#1684)
• 159c677 build(deps-dev): Bump vitest from 4.1.2 to 4.1.3 (#1680)
• b37c1a1 build(deps-dev): Bump vite from 8.0.3 to 8.0.5 (#1679)
• See full diff in compare view

Updates actions/github-script from 8.0.0 to 9.0.0

Release notes

Sourced from actions/github-script's releases.

v9.0.0

New features:

• getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
• Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

• require('@actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
• getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
• If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

• Add ACTIONS_ORCHESTRATION_ID to user-agent string by @​Copilot in actions/github-script#695
• ci: use deployment: false for integration test environments by @​salmanmkc in actions/github-script#712
• feat!: add getOctokit to script context, upgrade @​actions/github v9, @​octokit/core v7, and related packages by @​salmanmkc in actions/github-script#700

New Contributors

• @​Copilot made their first contribution in actions/github-script#695

Full Changelog: actions/github-script@v8.0.0...v9.0.0

Commits

• 3a2844b Merge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...
• ca10bbd fix: use @​octokit/core/types import for v7 compatibility
• 86e48e2 merge: incorporate main branch changes
• c108472 chore: rebuild dist for v9 upgrade and getOctokit factory
• afff112 Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...
• ff8117e ci: fix user-agent test to handle orchestration ID
• 81c6b78 ci: use deployment: false to suppress deployment noise from integration tests
• 3953caf docs: update README examples from @​v8 to @​v9, add getOctokit docs and v9 brea...
• c17d55b ci: add getOctokit integration test job
• a047196 test: add getOctokit integration tests via callAsyncFunction
• Additional commits viewable in compare view

Updates codecov/codecov-action from 6.0.0 to 6.0.1

Release notes

Sourced from codecov/codecov-action's releases.

v6.0.1

What's Changed

• fix: prevent template injection in run: steps (VULN-1652) by @​thomasrockhu-codecov in codecov/codecov-action#1947
• chore(release): 6.0.1 by @​thomasrockhu-codecov in codecov/codecov-action#1949

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

Changelog

Sourced from codecov/codecov-action's changelog.

v5.5.2

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in codecov/codecov-action#1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in codecov/codecov-action#1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in codecov/codecov-action#1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in codecov/codecov-action#1872
• docs: fix typo in README by @​datalater in codecov/codecov-action#1866
• Document a codecov-cli version reference example by @​webknjaz in codecov/codecov-action#1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in codecov/codecov-action#1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in codecov/codecov-action#1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

What's Changed

• feat: upgrade wrapper to 0.2.4 by @​jviall in codecov/codecov-action#1864
• Pin actions/github-script by Git SHA by @​martincostello in codecov/codecov-action#1859
• fix: check reqs exist by @​joseph-sentry in codecov/codecov-action#1835
• fix: Typo in README by @​spalmurray in codecov/codecov-action#1838
• docs: Refine OIDC docs by @​spalmurray in codecov/codecov-action#1837
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @​app/dependabot in codecov/codecov-action#1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

v5.4.3

What's Changed

• build(deps): bump github/codeql-action from 3.28.13 to 3.28.17 by @​app/dependabot in codecov/codecov-action#1822
• fix: OIDC on forks by @​joseph-sentry in codecov/codecov-action#1823

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3

v5.4.2

... (truncated)

Commits

• e79a696 chore(release): 6.0.1 (#1949)
• 51e6422 fix: prevent template injection in run: steps (VULN-1652) (#1947)
• See full diff in compare view

Updates actions/setup-node from 6.3.0 to 6.4.0

Release notes

Sourced from actions/setup-node's releases.

v6.4.0

What's Changed

Dependency updates:

• Upgrade @​actions dependencies by @​Copilot in actions/setup-node#1525
• Update Node.js versions in versions.yml and bump package to v6.4.0 by @​priya-kinthali in actions/setup-node#1533

New Contributors

• @​Copilot made their first contribution in actions/setup-node#1525

Full Changelog: actions/setup-node@v6...v6.4.0

Commits

• 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
• ab72c7e Upgrade @​actions dependencies (#1525)
• See full diff in compare view

Updates goreleaser/goreleaser-action from 7.0.0 to 7.2.2

Release notes

Sourced from goreleaser/goreleaser-action's releases.

v7.2.2

What's Changed

• ci(deps): bump the actions group with 3 updates by @​dependabot[bot] in goreleaser/goreleaser-action#560
• fix: nightly resolution to select newest published release by @​Copilot in goreleaser/goreleaser-action#562

New Contributors

• @​Copilot made their first contribution in goreleaser/goreleaser-action#562

Full Changelog: goreleaser/goreleaser-action@v7...v7.2.2

v7.2.1

This fully removes the usage of the old nightly moving tag.

Full Changelog: goreleaser/goreleaser-action@v7.2.0...v7.2.1

v7.2.0

What's Changed

• test: cover install across release eras by @​caarlos0 in goreleaser/goreleaser-action#555
• feat: add version-file input by @​caarlos0 in goreleaser/goreleaser-action#556
• feat: resolve nightly to latest vX.Y.Z--nightly release by @​caarlos0 in goreleaser/goreleaser-action#558

Full Changelog: goreleaser/goreleaser-action@v7...v7.2.0

v7.1.0

What's Changed

• feat: verify release checksum and cosign signature by @​caarlos0 in goreleaser/goreleaser-action#550
• docs: document cosign verification in README by @​caarlos0 in goreleaser/goreleaser-action#553
• docs: Upgrade import GPG action version by @​flecno in goreleaser/goreleaser-action#547
• ci: drop docker-bake in favor of plain npm by @​caarlos0 in goreleaser/goreleaser-action#551
• ci: add release-major-tag workflow by @​caarlos0 in goreleaser/goreleaser-action#552
• ci: drop pre-cosign-v3 goreleaser versions from tests by @​caarlos0 in goreleaser/goreleaser-action#554
• ci(deps): bump the actions group with 2 updates by @​dependabot[bot] in goreleaser/goreleaser-action#543
• ci(deps): bump the actions group with 5 updates by @​dependabot[bot] in goreleaser/goreleaser-action#546
• chore(deps): bump undici from 6.23.0 to 6.24.1 by @​dependabot[bot] in goreleaser/goreleaser-action#545

New Contributors

• @​flecno made their first contribution in goreleaser/goreleaser-action#547

Full Changelog: goreleaser/goreleaser-action@v7...v7.1.0

Commits

• 5daf1e9 fix: nightly resolution to select newest published release (#562)
• 5cc7ebb ci: update actions
• 702f5f9 ci(deps): bump the actions group with 3 updates (#560)
• 1a80836 ci(nightly): pass GITHUB_TOKEN to nightly integration job
• a71152e refactor: drop legacy 'nightly' tag fallback
• 4c6ab56 feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release (#558)
• 4f96abf feat: add version-file input (#556)
• 15fa2a9 test: cover install across release eras (#555)
• e24998b ci: drop pre-cosign-v3 goreleaser versions from tests (#554)
• be2e8a3 docs: document cosign verification in README (#553)
• Additional commits viewable in compare view

Updates aquasecurity/setup-trivy from 0.2.6 to 0.3.1

Release notes

Sourced from aquasecurity/setup-trivy's releases.

v0.3.1

v0.3.1

🐛 Bug fix

Fixes a regression in v0.3.0 that made the action fail to load in every workflow, even when path was not set:

Unrecognized named-value: 'runner'. Located at position 1 within expression: runner.temp

A literal ${{ runner.temp }} had been left in an input description inside action.yaml. GitHub evaluates every ${{ }} expression in the file — including input descriptions, where the runner context is unavailable — so the action could not be loaded at all. The expression has been removed from the description and from the validation error message. See #37 (#38).

If you are on v0.3.0, upgrade to v0.3.1.

✅ Tests

Added a CI workflow that runs the action on ubuntu / windows / macOS (default, cached, and custom-path installs) and verifies that an invalid pathDescription has been truncated

[github-actions]

🟢 Change Impact Analysis

Metric	Value
Risk Level	LOW 🟢
Files Changed	13
Symbols Changed	13
Directly Affected	0
Transitively Affected	0

Blast Radius: 0 modules, 0 files, 0 unique callers

📝 Changed Symbols (13)

Symbol	File	Type	Confidence
.github/workflows/build-matrix.yml	.github/workflows/build-matrix.yml	modified	30%
.github/workflows/ci.yml	.github/workflows/ci.yml	modified	30%
.github/workflows/ckb.yml	.github/workflows/ckb.yml	modified	30%
.github/workflows/cov.yml	.github/workflows/cov.yml	modified	30%
.github/workflows/nfr.yml	.github/workflows/nfr.yml	modified	30%
.github/workflows/release.yml	.github/workflows/release.yml	modified	30%
.github/workflows/security-dependencies.yml	.github/workflows/security-dependencies.yml	modified	30%
.github/workflows/security-detect.yml	.github/workflows/security-detect.yml	modified	30%
.github/workflows/security-gate.yml	.github/workflows/security-gate.yml	modified	30%
.github/workflows/security-sast-common.yml	.github/workflows/security-sast-common.yml	modified	30%
.github/workflows/security-sast-go.yml	.github/workflows/security-sast-go.yml	modified	30%
.github/workflows/security-sast-python.yml	.github/workflows/security-sast-python.yml	modified	30%
.github/workflows/security-secrets.yml	.github/workflows/security-secrets.yml	modified	30%

Recommendations

• ℹ️ coverage: 13 symbols have low mapping confidence. Index may be stale.
  • Action: Run 'ckb index' to refresh the SCIP index

---

_{Generated by CKB}

[github-actions]

CKB Analysis

🎯 13 changed → 0 affected · 🔥 13 hotspots · 📚 197 stale

Risk factors: Medium-sized PR with 13 files • Touches 13 hotspot(s)

👥 Suggested: @lisa.welsch1985@gmail.com (77%), @talantyyr@gmail.com (77%)

Metric	Value
Impact Analysis	13 symbols → 0 affected	🟢
Doc Coverage	6.598984771573605%	⚠️
Complexity	0 violations	✅
Coupling	0 gaps	✅
Blast Radius	0 modules, 0 files	✅
Index	indexed (0s)	🆕

🎯 Change Impact Analysis · 🟢 LOW · 13 changed → 0 affected

Metric	Value
Symbols Changed	13
Directly Affected	0
Transitively Affected	0
Modules in Blast Radius	0
Files in Blast Radius	0

Symbols changed in this PR:

• .github/workflows/build-matrix.yml [modified] (30%) — .github/workflows/build-matrix.yml
• .github/workflows/ci.yml [modified] (30%) — .github/workflows/ci.yml
• .github/workflows/ckb.yml [modified] (30%) — .github/workflows/ckb.yml
• .github/workflows/cov.yml [modified] (30%) — .github/workflows/cov.yml
• .github/workflows/nfr.yml [modified] (30%) — .github/workflows/nfr.yml
• .github/workflows/release.yml [modified] (30%) — .github/workflows/release.yml
• .github/workflows/security-dependencies.yml [modified] (30%) — .github/workflows/security-dependencies.yml
• .github/workflows/security-detect.yml [modified] (30%) — .github/workflows/security-detect.yml
• .github/workflows/security-gate.yml [modified] (30%) — .github/workflows/security-gate.yml
• .github/workflows/security-sast-common.yml [modified] (30%) — .github/workflows/security-sast-common.yml
• … and 3 more

Recommendations:

• ℹ️ 13 symbols have low mapping confidence. Index may be stale.
  • Action: Run 'ckb index' to refresh the SCIP index

🔥 Hotspots · 13 volatile files

File	Churn Score
.github/workflows/build-matrix.yml	2.01
.github/workflows/ci.yml	3.91
.github/workflows/ckb.yml	3.80
.github/workflows/cov.yml	2.43
.github/workflows/nfr.yml	3.20
.github/workflows/release.yml	2.43
.github/workflows/security-dependencies.yml	2.74
.github/workflows/security-detect.yml	1.37

📦 Modules · 1 at risk

	Module	Files
🔴	.github/workflows	13

💡 Quick wins · 10 suggestions

• 🟡 Add tests → internal/webhooks/webhooks_test.go
• 🟡 Add tests → internal/daemon/daemon_test.go
• 🟡 Add tests → internal/mcp/tool_impls_test.go
• 🟡 Add tests → internal/paths/paths_test.go
• 🟡 Add tests → internal/query/navigation_extended_test.go
• 🟢 Assign backup owner → internal/webhooks/webhooks_test.go
• 🟢 Assign backup owner → internal/daemon/daemon_test.go
• 🟢 Assign backup owner → internal/mcp/tool_impls_test.go

📚 Stale docs · 197 broken references

• docs/CONTRIBUTING.md:108 → errors.New
• docs/CONTRIBUTING.md:108 → errors.SYMBOL_NOT_FOUND
• docs/CONTRIBUTING.md:111 → errors.Wrap
• docs/backlog/index-refresh-improvements.md:36 → watcher.Add
• docs/backlog/index-refresh-improvements.md:36 → filepath.Join
• docs/backlog/index-refresh-improvements.md:97 → time.Second
• docs/featureplans/change-impact-analysis-checklist.md:208 → coverage.out
• docs/featureplans/change-impact-analysis-checklist.md:214 → lcov.info
• docs/featureplans/change-impact-analysis-checklist.md:309 → coverage.out
• docs/featureplans/change-impact-analysis.md:448 → scip.SCIPIndex
• docs/featureplans/change-impact-analysis.md:478 → context.Context
• docs/featureplans/change-impact-analysis.md:669 → coverage.out
• docs/features/a2a/overview.md:41 → index.initialized
• docs/features/a2a/overview.md:42 → index.fresh
• docs/features/a2a/overview.md:43 → index.commitsBehind

---

_{Generated by CKB · Run details}

[github-actions]

CKB Review: ✅ PASS — 90/100

13 files (+108 changes) · 1 modules

Changes 13 files across 1 modules. No blocking issues found.

Check	Status	Detail
blast-radius	ℹ️ INFO	No symbols with callers in changes
hotspots	ℹ️ INFO	13 hotspot file(s) touched (top 10 shown)
dead-code	✅ PASS	No dead code in changed files
breaking	✅ PASS	No breaking API changes
format-consistency	✅ PASS	No format consistency issues
bug-patterns	✅ PASS	No bug patterns detected
coupling	✅ PASS	No missing co-change files
risk	✅ PASS	Risk score: 0.45 (medium)
complexity	✅ PASS	No significant complexity increase
health	✅ PASS	No significant health changes
secrets	✅ PASS	No secrets detected
unwired	✅ PASS	All exported symbols are reachable from entrypoints
comment-drift	✅ PASS	No comment/code drift detected
test-gaps	✅ PASS	All changed functions have tests
tests	✅ PASS	0 test(s) cover the changes
layers	⚪ SKIP	Cartographer not compiled in this build
arch-health	⚪ SKIP	Cartographer not compiled in this build

Change Breakdown

Category	Files	Review Priority
config	13	🟢 Quick check

Code Health

Estimated review: ~39min (moderate)

Reviewers: lisa.welsch1985 (77%) · talantyyr (77%)