Skip to content

ci(deps): bump the github-actions group across 1 directory with 5 updates#20

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/github-actions-69838c719c
Open

ci(deps): bump the github-actions group across 1 directory with 5 updates#20
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/github-actions-69838c719c

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 12, 2026

Copy link
Copy Markdown
Contributor

Bumps the github-actions group with 5 updates in the / directory:

Package From To
github/codeql-action/init 3.36.2 3.37.0
github/codeql-action/analyze 3.36.2 3.37.0
sigstore/cosign-installer 3.7.0 3.10.1
github/codeql-action/upload-sarif 3.36.2 3.37.0
qltysh/qlty-action/coverage 2.2.1 2.3.0

Updates github/codeql-action/init from 3.36.2 to 3.37.0

Release notes

Sourced from github/codeql-action/init's releases.

v3.37.0

  • Update default CodeQL bundle version to 2.26.0. #3995
  • In addition to the existing input format, the config-file input for the codeql-action/init step will soon support a new [owner/]repo[@ref][:path] format. All components except the repository name are optional. If omitted, owner defaults to the same owner as the repository the analysis is running for, ref to main, and path to .github/codeql-action.yaml. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. #3973

v3.36.3

No user facing changes.

Commits
  • 02c5e83 Merge pull request #3998 from github/backport-v3.37.0-99df26d4f
  • af1b30e Rebuild
  • 530c909 Update version and changelog for v3.37.0
  • 0507814 Merge remote-tracking branch 'origin/releases/v4' into backport-v3.37.0-99df2...
  • 157d34d Revert "Rebuild"
  • b8c8426 Revert "Update version and changelog for v3.36.3"
  • 99df26d Merge pull request #3996 from github/update-v4.37.0-c7c896d71
  • 31c2707 Add changenote for #3973
  • 72df218 Update changelog for v4.37.0
  • c7c896d Merge pull request #3995 from github/update-bundle/codeql-bundle-v2.26.0
  • Additional commits viewable in compare view

Updates github/codeql-action/analyze from 3.36.2 to 3.37.0

Release notes

Sourced from github/codeql-action/analyze's releases.

v3.37.0

  • Update default CodeQL bundle version to 2.26.0. #3995
  • In addition to the existing input format, the config-file input for the codeql-action/init step will soon support a new [owner/]repo[@ref][:path] format. All components except the repository name are optional. If omitted, owner defaults to the same owner as the repository the analysis is running for, ref to main, and path to .github/codeql-action.yaml. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. #3973

v3.36.3

No user facing changes.

Commits
  • 02c5e83 Merge pull request #3998 from github/backport-v3.37.0-99df26d4f
  • af1b30e Rebuild
  • 530c909 Update version and changelog for v3.37.0
  • 0507814 Merge remote-tracking branch 'origin/releases/v4' into backport-v3.37.0-99df2...
  • 157d34d Revert "Rebuild"
  • b8c8426 Revert "Update version and changelog for v3.36.3"
  • 99df26d Merge pull request #3996 from github/update-v4.37.0-c7c896d71
  • 31c2707 Add changenote for #3973
  • 72df218 Update changelog for v4.37.0
  • c7c896d Merge pull request #3995 from github/update-bundle/codeql-bundle-v2.26.0
  • Additional commits viewable in compare view

Updates sigstore/cosign-installer from 3.7.0 to 3.10.1

Release notes

Sourced from sigstore/cosign-installer's releases.

v3.10.1

What's Changed?

Note: cosign-installer v3.x cannot be used to install Cosign v3.x. You must upgrade to cosign-installer v4 in order to use Cosign v3.

Note: This is planned to be the final release of Cosign v2, though we will cut new releases for any critical security or bug fixes. We recommend transitioning to Cosign v3.

  • Bump default Cosign to v2.6.1 (#203)

v3.10.0

What's Changed

Full Changelog: sigstore/cosign-installer@v3.9.2...v3.10.0

v3.9.2

What's Changed

Full Changelog: sigstore/cosign-installer@v3.9.1...v3.9.2

v3.9.1

What's Changed

Full Changelog: sigstore/cosign-installer@v3.9.0...v3.9.1

v3.9.0

What's Changed

Full Changelog: sigstore/cosign-installer@v3...v3.9.0

v3.8.2

What's Changed

Full Changelog: sigstore/cosign-installer@v3...v3.8.2

v3.8.1

What's Changed

... (truncated)

Commits

Updates github/codeql-action/upload-sarif from 3.36.2 to 3.37.0

Release notes

Sourced from github/codeql-action/upload-sarif's releases.

v3.37.0

  • Update default CodeQL bundle version to 2.26.0. #3995
  • In addition to the existing input format, the config-file input for the codeql-action/init step will soon support a new [owner/]repo[@ref][:path] format. All components except the repository name are optional. If omitted, owner defaults to the same owner as the repository the analysis is running for, ref to main, and path to .github/codeql-action.yaml. Support for this format ships in this version of the CodeQL Action, but will only be enabled over the coming weeks. #3973

v3.36.3

No user facing changes.

Commits
  • 02c5e83 Merge pull request #3998 from github/backport-v3.37.0-99df26d4f
  • af1b30e Rebuild
  • 530c909 Update version and changelog for v3.37.0
  • 0507814 Merge remote-tracking branch 'origin/releases/v4' into backport-v3.37.0-99df2...
  • 157d34d Revert "Rebuild"
  • b8c8426 Revert "Update version and changelog for v3.36.3"
  • 99df26d Merge pull request #3996 from github/update-v4.37.0-c7c896d71
  • 31c2707 Add changenote for #3973
  • 72df218 Update changelog for v4.37.0
  • c7c896d Merge pull request #3995 from github/update-bundle/codeql-bundle-v2.26.0
  • Additional commits viewable in compare view

Updates qltysh/qlty-action/coverage from 2.2.1 to 2.3.0

Release notes

Sourced from qltysh/qlty-action/coverage's releases.

v2.3.0

New

  • Add a selected input to the coverage action for marking an upload as covering a selected subset of the test suite, which contributes to diff coverage only and is excluded from total coverage (#200)

v2.2.3

  • Internal release process improvements (no user-facing changes) (#196)

v2.2.2

Fixed

  • Security updates to bundled dependencies (#190, #191)
Changelog

Sourced from qltysh/qlty-action/coverage's changelog.

Changelog

v2.3.0 (2026-07-09)

New

  • Add a selected input to the coverage action for marking an upload as covering a selected subset of the test suite, which contributes to diff coverage only and is excluded from total coverage (#200)

v2.2.3 (2026-07-07)

  • Internal release process improvements (no user-facing changes) (#196)

v2.2.2 (2026-07-07)

Fixed

  • Security updates to bundled dependencies (#190, #191)

v2.2.1 (2026-06-02)

  • Bump action runtime to node24

v2.2.0 (2025-08-11)

  • Testing release process (no changes)

v2.1.0 (2025-08-08)

New

  • support "dry-run" option for command complete

Improved

  • Use log level "error" instead of "warning" when a catastrophic error occurs but "skip-errors" is true

Fixed

  • Ignore "validate" option when command is "complete" (otherwise errors with invalid option)

v2.0.0 (2025-08-05)

This release mirrors the breaking change we introduced in the qlty CLI proper: we now validate coverage data by default instead of uploading coverage data to qlty that qlty cannot use. Now you must opt out of this behavior whereas previously opt in.

What This Means for You:

  • If coverage reporting is working as expected, you'll experience no impact. If you're uploading valid reports and seeing directory and file-level coverage metrics in Qlty, you don't need to do anything. (If your reports include mismatched paths, you'll see specific path errors listed within your CI output)
  • Potential CI Build Failures: Once this change is implemented, if your current CI/CD pipeline uploads a report with mismatched paths, your builds will begin to fail when executing qlty coverage publish.
  • Quick Fix for Build Failures: If your builds start failing and you need to get them passing immediately, you can temporarily add validate: false to the GitHub Action configuration. This will disable validation and allow your CI build to pass (though your coverage data will remain broken until you've uploaded a valid report).

... (truncated)

Commits
  • 08a0a86 Prepare release v2.3.0 (#201)
  • 8b0d5e5 Add selected input to the coverage action (#200)
  • dafbc1e Prepare release v2.2.3 (#197)
  • bb4c677 Announce releases to #feed-deploys (#196)
  • c9fe6ae Group security dependency fixes into one changelog item (#195)
  • b413a89 Release v2.2.2 (#194)
  • bbb11a9 Automate changelog drafting in the release process (#193)
  • 3baf1fc Fix Dependabot alerts in .qlty/configs: js-yaml, ajv, @​eslint/plugin-kit (#192)
  • 9341197 Fix @​opentelemetry/core Dependabot alerts: @​sentry/node 9 -> 10 (#191)
  • 1d3373b Fix undici Dependabot alerts via root override to ^6.27.0 (#190)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…ates

Bumps the github-actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github/codeql-action/init](https://github.com/github/codeql-action) | `3.36.2` | `3.37.0` |
| [github/codeql-action/analyze](https://github.com/github/codeql-action) | `3.36.2` | `3.37.0` |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `3.7.0` | `3.10.1` |
| [github/codeql-action/upload-sarif](https://github.com/github/codeql-action) | `3.36.2` | `3.37.0` |
| [qltysh/qlty-action/coverage](https://github.com/qltysh/qlty-action) | `2.2.1` | `2.3.0` |



Updates `github/codeql-action/init` from 3.36.2 to 3.37.0
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@dd903d2...02c5e83)

Updates `github/codeql-action/analyze` from 3.36.2 to 3.37.0
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@dd903d2...02c5e83)

Updates `sigstore/cosign-installer` from 3.7.0 to 3.10.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@dc72c7d...7e8b541)

Updates `github/codeql-action/upload-sarif` from 3.36.2 to 3.37.0
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@dd903d2...02c5e83)

Updates `qltysh/qlty-action/coverage` from 2.2.1 to 2.3.0
- [Release notes](https://github.com/qltysh/qlty-action/releases)
- [Changelog](https://github.com/qltysh/qlty-action/blob/main/CHANGELOG.md)
- [Commits](qltysh/qlty-action@fd52dc8...08a0a86)

---
updated-dependencies:
- dependency-name: github/codeql-action/init
  dependency-version: 3.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: github/codeql-action/analyze
  dependency-version: 3.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: sigstore/cosign-installer
  dependency-version: 3.10.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: github/codeql-action/upload-sarif
  dependency-version: 3.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: qltysh/qlty-action/coverage
  dependency-version: 2.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added ci CI/CD dependencies Dependency updates labels Jul 12, 2026
@dependabot
dependabot Bot requested a review from CardSorting as a code owner July 12, 2026 13:25
@dependabot dependabot Bot added dependencies Dependency updates ci CI/CD labels Jul 12, 2026
@github-actions

Copy link
Copy Markdown

Thanks for your first pull request to LUMI!

Please read CONTRIBUTING.md and ensure:

  • PR title uses Conventional Commits (feat:, fix:, docs:, …) — Dependabot PRs are exempt
  • CI is green (Tests, E2E, CodeQL)
  • Governed-execution changes preserve projection invariants (see PR template)

@github-actions github-actions Bot removed the dependencies Dependency updates label Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants