ci: bump the github-actions group across 1 directory with 7 updates

[dependabot]

Bumps the github-actions group with 7 updates in the / directory:

Package	From	To
github/codeql-action	3.28.11	3.28.18
python-semantic-release/python-semantic-release	9.21.0	10.0.2
astral-sh/setup-uv	5.3.1	6.1.0
actions/download-artifact	4.1.9	4.3.0
softprops/action-gh-release	2.2.1	2.2.2
docker/build-push-action	6.15.0	6.18.0
ossf/scorecard-action	2.4.1	2.4.2

Updates github/codeql-action from 3.28.11 to 3.28.18

Release notes

Sourced from github/codeql-action's releases.

v3.28.18

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.18 - 16 May 2025

• Update default CodeQL bundle version to 2.21.3. #2893
• Skip validating SARIF produced by CodeQL for improved performance. #2894
• The number of threads and amount of RAM used by CodeQL can now be set via the CODEQL_THREADS and CODEQL_RAM runner environment variables. If set, these environment variables override the threads and ram inputs respectively. #2891

See the full CHANGELOG.md for more information.

v3.28.17

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.17 - 02 May 2025

• Update default CodeQL bundle version to 2.21.2. #2872

See the full CHANGELOG.md for more information.

v3.28.16

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.16 - 23 Apr 2025

• Update default CodeQL bundle version to 2.21.1. #2863

See the full CHANGELOG.md for more information.

v3.28.15

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.15 - 07 Apr 2025

• Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #2842

See the full CHANGELOG.md for more information.

v3.28.14

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

• The CodeQL Action no longer includes its own copy of the extractor for the actions language, which is currently in public preview. The actions extractor has been included in the CodeQL CLI since v2.20.6. If your workflow has enabled the actions language and you have pinned your tools: property to a specific version of the CodeQL CLI earlier than v2.20.6, you will need to update to at least CodeQL v2.20.6 or disable actions analysis.

3.28.18 - 16 May 2025

• Update default CodeQL bundle version to 2.21.3. #2893
• Skip validating SARIF produced by CodeQL for improved performance. #2894
• The number of threads and amount of RAM used by CodeQL can now be set via the CODEQL_THREADS and CODEQL_RAM runner environment variables. If set, these environment variables override the threads and ram inputs respectively. #2891

3.28.17 - 02 May 2025

• Update default CodeQL bundle version to 2.21.2. #2872

3.28.16 - 23 Apr 2025

• Update default CodeQL bundle version to 2.21.1. #2863

3.28.15 - 07 Apr 2025

• Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #2842

3.28.14 - 07 Apr 2025

• Update default CodeQL bundle version to 2.21.0. #2838

3.28.13 - 24 Mar 2025

No user facing changes.

3.28.12 - 19 Mar 2025

• Dependency caching should now cache more dependencies for Java build-mode: none extractions. This should speed up workflows and avoid inconsistent alerts in some cases.
• Update default CodeQL bundle version to 2.20.7. #2810

3.28.11 - 07 Mar 2025

• Update default CodeQL bundle version to 2.20.6. #2793

3.28.10 - 21 Feb 2025

• Update default CodeQL bundle version to 2.20.5. #2772
• Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #2768

... (truncated)

Commits

• ff0a06e Merge pull request #2896 from github/update-v3.28.18-b86edfc27
• a41e084 Update changelog for v3.28.18
• b86edfc Merge pull request #2893 from github/update-bundle/codeql-bundle-v2.21.3
• e93b900 Merge branch 'main' into update-bundle/codeql-bundle-v2.21.3
• 510dfa3 Merge pull request #2894 from github/henrymercer/skip-validating-codeql-sarif
• 492d783 Merge branch 'main' into henrymercer/skip-validating-codeql-sarif
• 83bdf3b Merge pull request #2859 from github/update-supported-enterprise-server-versions
• cffc916 Merge pull request #2891 from austinpray-mixpanel/patch-1
• 4420887 Add deprecation warning for CodeQL 2.16.5 and earlier
• 4e178c5 Update supported versions table in README
• Additional commits viewable in compare view

Updates python-semantic-release/python-semantic-release from 9.21.0 to 10.0.2

Release notes

Sourced from python-semantic-release/python-semantic-release's releases.

v10.0.2 (2025-05-26)

This release is published under the MIT License.

🪲 Bug Fixes

• github-actions: Add filesystem UID/GID fixer after action workspace modification (PR#1262, 93e23c8)

---

Detailed Changes: v10.0.1...v10.0.2

---

Installable artifacts are available from:

• PyPi Registry

• GitHub Release Assets

v10.0.1 (2025-05-25)

This release is published under the MIT License.

🪲 Bug Fixes

• github-actions: Bump the github-actions dependency to v10.0.0 (PR#1255, 2803676)

✅ Resolved Issues

• #1257: bug: github action v10.0.0 is still running PSR v9.21.1

---

Detailed Changes: v10.0.0...v10.0.1

---

Installable artifacts are available from:

• PyPi Registry

• GitHub Release Assets

v10.0.0 (2025-05-25)

This release is published under the MIT License.

✨ Features

... (truncated)

Changelog

Sourced from python-semantic-release/python-semantic-release's changelog.

.. _changelog:

========= CHANGELOG

.. _changelog-v10.0.2:

v10.0.2 (2025-05-26)

🪲 Bug Fixes

• github-actions: Add filesystem UID/GID fixer after action workspace modification (PR#1262, 93e23c8)

.. _93e23c8: python-semantic-release/python-semantic-release@93e23c8 .. _PR#1262: python-semantic-release/python-semantic-release#1262

.. _changelog-v10.0.1:

v10.0.1 (2025-05-25)

🪲 Bug Fixes

• github-actions: Bump the github-actions dependency to v10.0.0 (PR#1255, 2803676)

.. _2803676: python-semantic-release/python-semantic-release@2803676 .. _PR#1255: python-semantic-release/python-semantic-release#1255

.. _changelog-v10.0.0:

v10.0.0 (2025-05-25)

✨ Features

• cmd-version: Enable version_variables version stamp of vars with double-equals (PR#1244, 080e4bc)

• parser-conventional: Set parser to evaluate all squashed commits by default (6fcdc99_)

• parser-conventional: Set parser to ignore merge commits by default (59bf084_)

... (truncated)

Commits

• 1a32400 10.0.2
• 93e23c8 fix(github-actions): add filesystem UID/GID fixer after action workspace modi...
• 109b8bd ci(deps): bump python-semantic-release/publish-action@v10.0.0 to v10.0.1
• ffb2976 ci(deps): bump python-semantic-release@v10.0.0 action to v10.0.1
• 917a2c7 10.0.1
• f928991 ci(release): add filesystem check post psr action to detect error
• 74f7260 ci(deps): force python-semantic-release action to have v10.0.0
• 3b7b821 Revert "10.0.1"
• b15f3cb 10.0.1
• d099c20 test(fixtures): always run e2e tests in very verbose mode for test failure de...
• Additional commits viewable in compare view

Updates astral-sh/setup-uv from 5.3.1 to 6.1.0

Release notes

Sourced from astral-sh/setup-uv's releases.

v6.1.0 🌈

Changes

This release adds the input server-url which defaults to https://github.com. You can set this to a custom url to control where this action downloads the uv release from. This is useful for users of gitea and comparable solutions.

@​sebadevo pointed out that we don't invalidate the cache when the prune-cache input is changed. This leads to unnessecarily big caches. The input is now used to compute the cache key, properly invalidating the cache when it is changed.

[!NOTE]
For most users this release will invalidate the cache once. You will see the known warning no-github-actions-cache-found-for-key This is expected and will only appear once.

🐛 Bug fixes

• Purge cache in cache key @​eifinger (#423)

🚀 Enhancements

• feat: support custom github url @​Zoupers (#414)

🧰 Maintenance

• chore: update known versions for 0.7.7 @github-actions[bot] (#422)
• chore: update known versions for 0.7.6 @github-actions[bot] (#415)
• chore: update known versions for 0.7.5 @github-actions[bot] (#412)
• chore: update known versions for 0.7.4 @github-actions[bot] (#410)
• chore: update known versions for 0.7.3 @github-actions[bot] (#405)
• Fix path to known-checksums.ts @​eifinger (#404)
• Fix update-known-versions workflow argument @​eifinger (#401)
• Fix update-known-versions workflow @​eifinger (#400)
• Create version-manifest.json on uv release @​eifinger (#399)
• Run infrastructure workflows on arm runners @​eifinger (#396)
• chore: update known checksums for 0.7.2 @github-actions[bot] (#395)
• chore: update known checksums for 0.7.0 @github-actions[bot] (#390)

📚 Documentation

• Add section to README explaining if packages are installed by setup-uv @​pirate (#398)

⬆️ Dependency updates

• Bump dependencies @​eifinger (#424)
• Bump typescript from 5.8.2 to 5.8.3 @dependabot[bot] (#393)

v6.0.1 🌈 Fix default cache dependency glob

Changes

The new default in v6 used illegal patterns and therefore didn't match requirements files. This is now fixed.

🐛 Bug fixes

... (truncated)

Commits

• f0ec1fc Bump dependencies (#424)
• e3d2ea5 Purge cache in cache key (#423)
• b3d7ca7 chore: update known versions for 0.7.7 (#422)
• 0e0f4bf feat: support custom github url (#414)
• 71bb882 chore: update known versions for 0.7.6 (#415)
• 1417e89 chore: update known versions for 0.7.5 (#412)
• 1761eea chore: update known versions for 0.7.4 (#410)
• 9864bc9 chore: update known versions for 0.7.3 (#405)
• 0e9cccb Fix path to known-checksums.ts (#404)
• b6f9e9c Bump typescript from 5.8.2 to 5.8.3 (#393)
• Additional commits viewable in compare view

Updates actions/download-artifact from 4.1.9 to 4.3.0

Release notes

Sourced from actions/download-artifact's releases.

v4.3.0

What's Changed

• feat: implement new artifact-ids input by @​GrantBirki in actions/download-artifact#401
• Fix workflow example for downloading by artifact ID by @​joshmgross in actions/download-artifact#402
• Prep for v4.3.0 release by @​robherley in actions/download-artifact#404

New Contributors

• @​GrantBirki made their first contribution in actions/download-artifact#401

Full Changelog: actions/download-artifact@v4.2.1...v4.3.0

v4.2.1

What's Changed

• Add unit tests by @​GhadimiR in actions/download-artifact#392
• Fix bug introduced in 4.2.0 by @​GhadimiR in actions/download-artifact#391

Full Changelog: actions/download-artifact@v4.2.0...v4.2.1

v4.2.0

What's Changed

• Update README.md by @​lkfortuna in actions/download-artifact#384
• Bump artifact version, do digest check by @​GhadimiR in actions/download-artifact#383

New Contributors

• @​lkfortuna made their first contribution in actions/download-artifact#384
• @​GhadimiR made their first contribution in actions/download-artifact#383

Full Changelog: actions/download-artifact@v4.1.9...v4.2.0

Commits

• d3f86a1 Merge pull request #404 from actions/robherley/v4.3.0
• fc02353 prep for v4.3.0 release
• 7745437 Merge pull request #402 from actions/joshmgross/download-by-id-example
• 84fc7a0 Remove path filters from Check dist workflow
• 67f2bc3 Fix workflow example for downloading by artifact ID
• 8ea3c2c Merge pull request #401 from actions/download-by-id
• d219c63 add supporting unit tests for artifact downloads with ids
• 54124fb revert getArtifact() changes - for now we have to list and filter by artifa...
• b83057b bundle
• 171183c use the same artifactClient.getArtifact structure as seen above in `isSingl...
• Additional commits viewable in compare view

Updates softprops/action-gh-release from 2.2.1 to 2.2.2

Release notes

Sourced from softprops/action-gh-release's releases.

v2.2.2

What's Changed

Bug fixes 🐛

• fix: updating release draft status from true to false by @​galargh in softprops/action-gh-release#316

Other Changes 🔄

• chore: simplify ref_type test by @​steinybot in softprops/action-gh-release#598
• fix(docs): clarify the default for tag_name by @​muzimuzhi in softprops/action-gh-release#599
• test(release): add unit tests when searching for a release by @​rwaskiewicz in softprops/action-gh-release#603
• dependency updates

New Contributors

• @​steinybot made their first contribution in softprops/action-gh-release#598
• @​muzimuzhi made their first contribution in softprops/action-gh-release#599
• @​galargh made their first contribution in softprops/action-gh-release#316
• @​rwaskiewicz made their first contribution in softprops/action-gh-release#603

Full Changelog: softprops/action-gh-release@v2...v2.2.2

Changelog

Sourced from softprops/action-gh-release's changelog.

2.2.2

What's Changed

Bug fixes 🐛

• fix: updating release draft status from true to false by @​galargh in softprops/action-gh-release#316

Other Changes 🔄

• chore: simplify ref_type test by @​steinybot in softprops/action-gh-release#598
• fix(docs): clarify the default for tag_name by @​muzimuzhi in softprops/action-gh-release#599
• test(release): add unit tests when searching for a release by @​rwaskiewicz in softprops/action-gh-release#603
• dependency updates

2.2.1

What's Changed

Bug fixes 🐛

• fix: big file uploads by @​xen0n in softprops/action-gh-release#562

Other Changes 🔄

• chore(deps): bump @​types/node from 22.10.1 to 22.10.2 by @​dependabot in softprops/action-gh-release#559
• chore(deps): bump @​types/node from 22.10.2 to 22.10.5 by @​dependabot in softprops/action-gh-release#569
• chore: update error and warning messages for not matching files in files field by @​ytimocin in softprops/action-gh-release#568

2.2.0

What's Changed

Exciting New Features 🎉

• feat: read the release assets asynchronously by @​xen0n in softprops/action-gh-release#552

Bug fixes 🐛

• fix(docs): clarify the default for tag_name by @​alexeagle in softprops/action-gh-release#544

Other Changes 🔄

• chore(deps): bump typescript from 5.6.3 to 5.7.2 by @​dependabot in softprops/action-gh-release#548
• chore(deps): bump @​types/node from 22.9.0 to 22.9.4 by @​dependabot in softprops/action-gh-release#547
• chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 by @​dependabot in softprops/action-gh-release#545
• chore(deps): bump @​vercel/ncc from 0.38.2 to 0.38.3 by @​dependabot in softprops/action-gh-release#543
• chore(deps): bump prettier from 3.3.3 to 3.4.1 by @​dependabot in softprops/action-gh-release#550
• chore(deps): bump @​types/node from 22.9.4 to 22.10.1 by @​dependabot in softprops/action-gh-release#551
• chore(deps): bump prettier from 3.4.1 to 3.4.2 by @​dependabot in softprops/action-gh-release#554

... (truncated)

Commits

• da05d55 release 2.2.2
• 6b18c2f test(release): add unit tests when searching for a release (#603)
• e2b105c chore(deps): bump actions/setup-node in the github-actions group (#607)
• e707470 chore(deps): bump the npm group with 4 updates (#608)
• 36833a1 fix: updating release draft status (#316)
• 8bb7207 chore(deps): bump actions/setup-node in the github-actions group (#597)
• 93bb5ff fix(docs): clarify the default for tag_name (#599)
• 581b12c chore: simplify ref_type test (#598)
• b540ad2 chore(deps): bump @​octokit/request (#605)
• ac224e9 chore(deps): bump the npm group across 1 directory with 5 updates (#604)
• Additional commits viewable in compare view

Updates docker/build-push-action from 6.15.0 to 6.18.0

Release notes

Sourced from docker/build-push-action's releases.

v6.18.0

• Bump @​docker/actions-toolkit from 0.61.0 to 0.62.1 in docker/build-push-action#1381

[!NOTE] Build summary is now supported with Docker Build Cloud.

Full Changelog: docker/build-push-action@v6.17.0...v6.18.0

v6.17.0

• Bump @​docker/actions-toolkit from 0.59.0 to 0.61.0 by @​crazy-max in docker/build-push-action#1364

[!NOTE] Build record is now exported using the buildx history export command instead of the legacy export-build tool.

Full Changelog: docker/build-push-action@v6.16.0...v6.17.0

v6.16.0

• Handle no default attestations env var by @​crazy-max in docker/build-push-action#1343
• Only print secret keys in build summary output by @​crazy-max in docker/build-push-action#1353
• Bump @​docker/actions-toolkit from 0.56.0 to 0.59.0 in docker/build-push-action#1352

Full Changelog: docker/build-push-action@v6.15.0...v6.16.0

Commits

• 2634353 Merge pull request #1381 from docker/dependabot/npm_and_yarn/docker/actions-t...
• c0432d2 chore: update generated content
• 0bb1f27 set builder driver and endpoint attributes for dbc summary support
• 5f9dbf9 chore(deps): Bump @​docker/actions-toolkit from 0.61.0 to 0.62.1
• 0788c44 Merge pull request #1375 from crazy-max/remove-gcr
• aa179ca e2e: remove GCR
• 1dc7386 Merge pull request #1364 from crazy-max/history-export-cmd
• 9c9803f chore: update generated content
• db1f6c4 DOCKER_BUILD_EXPORT_LEGACY env var to opt-in for legacy export
• 721e8c7 Bump @​docker/actions-toolkit from 0.59.0 to 0.61.0
• Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.1 to 2.4.2

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.2

What's Changed

This update bumps the Scorecard version to the v5.2.1 release. For a complete list of changes, please refer to the Scorecard v5.2.0 and v5.2.1 release notes.

Full Changelog: ossf/scorecard-action@v2.4.1...v2.4.2

Commits

• 05b42c6 🌱 bump docker to ghcr v2.4.2 (#1548)
• b225da6 Bump github.com/ossf/scorecard/v5 from v5.2.0 to v5.2.1 (#1550)
• 9399f6f 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
• e1daa8c 🌱 Bump the github-actions group across 1 directory with 5 updates (#...
• 9fe6511 🌱 Bump golang.org/x/net from 0.39.0 to 0.40.0 (#1542)
• 25b9cd9 🌱 Bump github.com/ossf/scorecard/v5 from v5.1.1 to v5.2.0 (#1547)
• 18cc9b8 🌱 Bump golang.org/x/net from 0.38.0 to 0.39.0 (#1536)
• db78142 🌱 Bump the github-actions group with 2 updates (#1538)
• de386ed 🌱 Bump golang from 1.24.1 to 1.24.2 in the docker-images group (#1534)
• 5b7cedb 🌱 Bump github.com/sigstore/cosign/v2 from 2.4.3 to 2.5.0 (#1537)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.