chore(deps): bump the github-actions group across 1 directory with 7 updates

[dependabot]

Bumps the github-actions group with 7 updates in the / directory:

Package	From	To
actions/checkout	4.3.1	6.0.2
actions/setup-go	5.5.0	6.2.0
step-security/harden-runner	2.11.1	2.14.2
goreleaser/goreleaser-action	6.4.0	7.0.0
actions/labeler	5.0.0	6.0.1
ossf/scorecard-action	2.4.1	2.4.3
anothrNick/github-tag-action	1.67.0	1.75.0

Updates actions/checkout from 4.3.1 to 6.0.2

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

• Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set by @​TingluoHuang in actions/checkout#2355
• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

• Update all references from v5 and v4 to v6 by @​ericsciple in actions/checkout#2314
• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327
• Clarify v6 README by @​ericsciple in actions/checkout#2328

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

... (truncated)

Commits

• de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
• 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• 08c6903 Prepare v5.0.0 release (#2238)
• Additional commits viewable in compare view

Updates actions/setup-go from 5.5.0 to 6.2.0

Release notes

Sourced from actions/setup-go's releases.

v6.2.0

What's Changed

Enhancements

• Example for restore-only cache in documentation by @​aparnajyothi-y in actions/setup-go#696
• Update Node.js version in action.yml by @​ccoVeille in actions/setup-go#691
• Documentation update of actions/checkout by @​deining in actions/setup-go#683

Dependency updates

• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot in actions/setup-go#682
• Upgrade @​actions/cache to v5 by @​salmanmkc in actions/setup-go#695
• Upgrade actions/checkout from 5 to 6 by @​dependabot in actions/setup-go#686
• Upgrade qs from 6.14.0 to 6.14.1 by @​dependabot in actions/setup-go#703

New Contributors

• @​ccoVeille made their first contribution in actions/setup-go#691
• @​deining made their first contribution in actions/setup-go#683

Full Changelog: actions/setup-go@v6...v6.2.0

v6.1.0

What's Changed

Enhancements

• Fall back to downloading from go.dev/dl instead of storage.googleapis.com/golang by @​nicholasngai in actions/setup-go#665
• Add support for .tool-versions file and update workflow by @​priya-kinthali in actions/setup-go#673
• Add comprehensive breaking changes documentation for v6 by @​mahabaleshwars in actions/setup-go#674

Dependency updates

• Upgrade eslint-config-prettier from 10.0.1 to 10.1.8 and document breaking changes in v6 by @​dependabot in actions/setup-go#617
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot in actions/setup-go#641
• Upgrade semver and @​types/semver by @​dependabot in actions/setup-go#652

New Contributors

• @​nicholasngai made their first contribution in actions/setup-go#665
• @​priya-kinthali made their first contribution in actions/setup-go#673
• @​mahabaleshwars made their first contribution in actions/setup-go#674

Full Changelog: actions/setup-go@v6...v6.1.0

v6.0.0

What's Changed

Breaking Changes

• Improve toolchain handling to ensure more reliable and consistent toolchain selection and management by @​matthewhughes934 in actions/setup-go#460
• Upgrade Nodejs runtime from node20 to node 24 by @​salmanmkc in actions/setup-go#624

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

... (truncated)

Commits

• 7a3fe6c Bump qs from 6.14.0 to 6.14.1 (#703)
• b9adafd Bump actions/checkout from 5 to 6 (#686)
• d73f6bc README.md: correct to actions/checkout@v6 (#683)
• ae252ee Bump @​actions/cache to v5 (#695)
• bf7446a Bump js-yaml from 3.14.1 to 3.14.2 (#682)
• 02aadfe Fix Node.js version in action.yml (#691)
• 4aaadf4 Example for restore-only cache in documentation (#696)
• 4dc6199 Bump semver and @​types/semver (#652)
• f3787be Add comprehensive breaking changes documentation for v6 (#674)
• 3a0c2c8 Bump actions/publish-action from 0.3.0 to 0.4.0 (#641)
• Additional commits viewable in compare view

Updates step-security/harden-runner from 2.11.1 to 2.14.2

Release notes

Sourced from step-security/harden-runner's releases.

v2.14.2

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

v2.14.1

What's Changed

1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

v2.14.0

What's Changed

• Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
• Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.

Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0

v2.13.3

What's Changed

• Fixed an issue where process events were not uploaded in certain edge cases.

Full Changelog: step-security/harden-runner@v2.13.2...v2.13.3

v2.13.2

What's Changed

• Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
• Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.

Full Changelog: step-security/harden-runner@v2.13.1...v2.13.2

v2.13.1

What's Changed

• Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.

• Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.

• Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.

Full Changelog: step-security/harden-runner@v2.13.0...v2.13.1

... (truncated)

Commits

• 5ef0c07 Merge pull request #635 from step-security/rc-34
• eb43c7b update agent
• e3f713f Merge pull request #631 from step-security/rc-31
• 423acdd chore: fix npm audit vulnerabilities
• 0ddb86c update agent
• 20cf305 Merge pull request #622 from step-security/feature/custom-property-skip
• c51e8ee feat: skip agent install and post step on subsequent runs for GitHub-hosted r...
• e152b90 feat: skip harden-runner based on repository custom property
• ee1faec feat: replace skip-harden-runner with skip-on-custom-property input
• 1dc7c17 feat: add skip-harden-runner input to conditionally skip execution
• Additional commits viewable in compare view

Updates goreleaser/goreleaser-action from 6.4.0 to 7.0.0

Release notes

Sourced from goreleaser/goreleaser-action's releases.

v7.0.0

What's Changed

• feat!: node 24, update deps, rm yarn, ESM by @​caarlos0 in goreleaser/goreleaser-action#533
• sec: pin github action versions by @​caarlos0 in goreleaser/goreleaser-action#514
• docs: Upgrade checkout GitHub Action in README.md by @​dunglas in goreleaser/goreleaser-action#507
• chore(deps): bump actions/checkout from 4 to 5 by @​dependabot[bot] in goreleaser/goreleaser-action#504
• ci(deps): bump the actions group with 2 updates by @​dependabot[bot] in goreleaser/goreleaser-action#517
• ci(deps): bump the actions group with 2 updates by @​dependabot[bot] in goreleaser/goreleaser-action#523
• ci(deps): bump docker/bake-action from 6.9.0 to 6.10.0 in the actions group by @​dependabot[bot] in goreleaser/goreleaser-action#526
• ci(deps): bump the actions group across 1 directory with 4 updates by @​dependabot[bot] in goreleaser/goreleaser-action#532
• ci(deps): bump actions/checkout from 6.0.1 to 6.0.2 in the actions group by @​dependabot[bot] in goreleaser/goreleaser-action#534
• chore(deps): bump the npm group across 1 directory with 4 updates by @​dependabot[bot] in goreleaser/goreleaser-action#536
• chore(deps): bump @​actions/http-client from 3.0.2 to 4.0.0 in the npm group by @​dependabot[bot] in goreleaser/goreleaser-action#537
• ci(deps): bump docker/setup-buildx-action from 3.10.0 to 3.12.0 in the actions group by @​dependabot[bot] in goreleaser/goreleaser-action#538
• chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group by @​dependabot[bot] in goreleaser/goreleaser-action#539

Full Changelog: goreleaser/goreleaser-action@v6...v7.0.0

Commits

• ec59f47 fix: yargs usage
• 752dede fix: gitignore
• 1881ae0 ci: update dependabot settings
• fdc5e66 chore: gitignore provenance.json
• 51b5b35 chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group (#539)
• 4247c53 ci(deps): bump docker/setup-buildx-action in the actions group (#538)
• c169bfd chore(deps): bump @​actions/http-client from 3.0.2 to 4.0.0 in the npm group (...
• 902ab4a chore(deps): bump the npm group across 1 directory with 4 updates (#536)
• c59a691 chore: gitignore
• 56cc8b2 ci: add job to automate dependabot pre-checkin/vendor
• Additional commits viewable in compare view

Updates actions/labeler from 5.0.0 to 6.0.1

Release notes

Sourced from actions/labeler's releases.

v6.0.1

What's Changed

• Upgrade publish-action from 0.2.2 to 0.4.0 by @​aparnajyothi-y in actions/labeler#901

New Contributors

• @​aparnajyothi-y made their first contribution in actions/labeler#901

Full Changelog: actions/labeler@v6.0.0...v6.0.1

v6.0.0

What's Changed

• Add workflow file for publishing releases to immutable action package by @​jcambass in actions/labeler#802

Breaking Changes

• Upgrade Node.js version to 24 in action and dependencies @​salmanmkc in actions/labeler#891 Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. Release Notes

Dependency Upgrades

• Upgrade eslint-config-prettier from 9.0.0 to 9.1.0 by @​dependabot[bot] in actions/labeler#711
• Upgrade eslint from 8.52.0 to 8.55.0 by @​dependabot[bot] in actions/labeler#720
• Upgrade @​types/jest from 29.5.6 to 29.5.11 by @​dependabot[bot] in actions/labeler#719
• Upgrade @​types/js-yaml from 4.0.8 to 4.0.9 by @​dependabot[bot] in actions/labeler#718
• Upgrade @​typescript-eslint/parser from 6.9.0 to 6.14.0 by @​dependabot[bot] in actions/labeler#717
• Upgrade prettier from 3.0.3 to 3.1.1 by @​dependabot[bot] in actions/labeler#726
• Upgrade eslint from 8.55.0 to 8.56.0 by @​dependabot[bot] in actions/labeler#725
• Upgrade @​typescript-eslint/parser from 6.14.0 to 6.19.0 by @​dependabot[bot] in actions/labeler#745
• Upgrade eslint-plugin-jest from 27.4.3 to 27.6.3 by @​dependabot[bot] in actions/labeler#744
• Upgrade @​typescript-eslint/eslint-plugin from 6.9.0 to 6.20.0 by @​dependabot[bot] in actions/labeler#750
• Upgrade prettier from 3.1.1 to 3.2.5 by @​dependabot[bot] in actions/labeler#752
• Upgrade undici from 5.26.5 to 5.28.3 by @​dependabot[bot] in actions/labeler#757
• Upgrade braces from 3.0.2 to 3.0.3 by @​dependabot[bot] in actions/labeler#789
• Upgrade minimatch from 9.0.3 to 10.0.1 by @​dependabot[bot] in actions/labeler#805
• Upgrade @​actions/core from 1.10.1 to 1.11.1 by @​dependabot[bot] in actions/labeler#811
• Upgrade typescript from 5.4.3 to 5.7.2 by @​dependabot[bot] in actions/labeler#819
• Upgrade @​typescript-eslint/parser from 7.3.1 to 8.17.0 by @​dependabot[bot] in actions/labeler#824
• Upgrade prettier from 3.2.5 to 3.4.2 by @​dependabot[bot] in actions/labeler#825
• Upgrade @​types/jest from 29.5.12 to 29.5.14 by @​dependabot[bot] in actions/labeler#827
• Upgrade eslint-plugin-jest from 27.9.0 to 28.9.0 by @​dependabot[bot] in actions/labeler#832
• Upgrade ts-jest from 29.1.2 to 29.2.5 by @​dependabot[bot] in actions/labeler#831
• Upgrade @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot[bot] in actions/labeler#830
• Upgrade typescript from 5.7.2 to 5.7.3 by @​dependabot[bot] in actions/labeler#835
• Upgrade eslint-plugin-jest from 28.9.0 to 28.11.0 by @​dependabot[bot] in actions/labeler#839
• Upgrade undici from 5.28.4 to 5.28.5 by @​dependabot[bot] in actions/labeler#842
• Upgrade @​octokit/request-error from 5.0.1 to 5.1.1 by @​dependabot[bot] in actions/labeler#846

Documentation changes

• Add note regarding pull_request_target to README.md by @​silverwind in actions/labeler#669
• Update readme with additional examples and important note about pull_request_target event by @​IvanZosimov in actions/labeler#721
• Document update - permission section by @​harithavattikuti in actions/labeler#840

... (truncated)

Commits

• 634933e publish-action upgrade to 0.4.0 from 0.2.2 (#901)
• f1a63e8 Update Node.js version to 24 in action and dependencies (#891)
• b0a1180 Bump @​octokit/request-error from 5.0.1 to 5.1.1 (#846)
• 110d441 Update README.md (#871)
• bee50fe Bump undici from 5.28.4 to 5.28.5 (#842)
• 6463cdb Bump eslint-plugin-jest from 28.9.0 to 28.11.0 (#839)
• c209686 Bump typescript from 5.7.2 to 5.7.3 (#835)
• 5184940 Bump @​vercel/ncc from 0.38.1 to 0.38.3 (#830)
• 3629d55 Document update - permission section (#840)
• d24f7f3 Bump ts-jest from 29.1.2 to 29.2.5 (#831)
• Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.1 to 2.4.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.3

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

• docs: clarify GITHUB_TOKEN permissions needed for private repos by @​pankajtaneja5 in ossf/scorecard-action#1574
• 📖 Fix recommended command to test the image in development by @​deivid-rodriguez in ossf/scorecard-action#1583

Other

• add missing top-level token permissions to workflows by @​timothyklee in ossf/scorecard-action#1566
• setup codeowners for requesting reviews by @​spencerschrock in ossf/scorecard-action#1576
• 🌱 Improve printing options by @​deivid-rodriguez in ossf/scorecard-action#1584

New Contributors

• @​timothyklee made their first contribution in ossf/scorecard-action#1566
• @​pankajtaneja5 made their first contribution in ossf/scorecard-action#1574
• @​deivid-rodriguez made their first contribution in ossf/scorecard-action#1584

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

v2.4.2

What's Changed

This update bumps the Scorecard version to the v5.2.1 release. For a complete list of changes, please refer to the Scorecard v5.2.0 and v5.2.1 release notes.

Full Changelog: ossf/scorecard-action@v2.4.1...v2.4.2

Commits

• 4eaacf0 bump docker to ghcr v2.4.3 (#1587)
• 42e3a01 🌱 Bump the github-actions group with 3 updates (#1585)
• 88c07ac 🌱 Bump github.com/sigstore/cosign/v2 from 2.5.2 to 2.6.0 (#1579)
• 6c690f2 Bump github.com/ossf/scorecard/v5 from v5.2.1 to v5.3.0 (#1586)
• 92083b5 📖 Fix recommended command to test the image in development (#1583)
• 7975ea6 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
• 0d1a743 🌱 Bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#1575)
• 46e6e0c 🌱 Bump the github-actions group with 2 updates (#1580)
• c3f1350 🌱 Improve printing options (#1584)
• 43e475b 🌱 Bump golang.org/x/net from 0.42.0 to 0.44.0 (#1578)
• Additional commits viewable in compare view

Updates anothrNick/github-tag-action from 1.67.0 to 1.75.0

Release notes

Sourced from anothrNick/github-tag-action's releases.

1.75.0

What's Changed

• Support Escapable Characters in Prefix With BATs Testing by @​TheYorkshireDev in anothrNick/github-tag-action#347

New Contributors

• @​TheYorkshireDev made their first contribution in anothrNick/github-tag-action#347

Full Changelog: anothrNick/github-tag-action@1...1.75.0

1.74.0

What's Changed

• Bugfix for duplicate prefix on first prerelease tag by @​rorybartie in anothrNick/github-tag-action#338

New Contributors

• @​rorybartie made their first contribution in anothrNick/github-tag-action#338

Full Changelog: anothrNick/github-tag-action@1...1.74.0

1.73.0

What's Changed

• Add git-lfs to installed packages in Dockerfile by @​mikaellindemann in anothrNick/github-tag-action#329

New Contributors

• @​mikaellindemann made their first contribution in anothrNick/github-tag-action#329

Full Changelog: anothrNick/github-tag-action@1...1.73.0

1.72.0

What's Changed

• Added TAG_PREFIX so more descriptive tags can be used by @​timothyclarke in anothrNick/github-tag-action#326

New Contributors

• @​timothyclarke made their first contribution in anothrNick/github-tag-action#326

Full Changelog: anothrNick/github-tag-action@1...1.72.0

1.71.0

What's Changed

• Add tag message override by @​omerap12 in anothrNick/github-tag-action#323

New Contributors

• @​omerap12 made their first contribution in anothrNick/github-tag-action#323

Full Changelog: anothrNick/github-tag-action@1...1.71.0

1.70.0

What's Changed

• Add old_tag Output to the README by @​gabriel-stackhouse in anothrNick/github-tag-action#314
• Fix Auto Releases by @​gabriel-stackhouse in anothrNick/github-tag-action#317

... (truncated)

Commits

• 4ed4496 Merge pull request #347 from TheYorkshireDev/bugfix/support-forward-slash
• 6353aab Merge pull request #338 from rorybartie/bugfix/duplicate-prefix-on-prerelease
• 32cc67b Fix for forward slash
• 5436078 Add Tests for / prefix
• 6b38e5f Add Tests for 'v' prefix
• 0b6e07c Add BATs Support with Tests for Defaults
• 0fda9f9 Add .gitIgnore
• c659e4c Remove second addition of prefix to tag
• e528bc2 Merge pull request #329 from mikaellindemann/feature/support-lfs
• da70c4e Merge pull request #326 from timothyclarke/Issue_320/prefix
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions