chore(deps): bump the github-actions group across 1 directory with 12 updates

[dependabot]

Bumps the github-actions group with 12 updates in the / directory:

Package	From	To
step-security/harden-runner	2.15.0	2.16.0
actions/upload-artifact	6.0.0	7.0.0
docker/setup-qemu-action	3.7.0	4.0.0
actions/download-artifact	7.0.0	8.0.1
actions/attest-build-provenance	3.2.0	4.1.0
actions/setup-dotnet	5.1.0	5.2.0
anthropics/claude-code-action	1.0.60	1.0.73
github/codeql-action	4.32.4	4.33.0
actions/dependency-review-action	4.8.3	4.9.0
actions/create-github-app-token	2.2.1	3.0.0
danielpalme/ReportGenerator-GitHub-Action	5.5.1	5.5.4
marocchino/sticky-pull-request-comment	2.9.4	3.0.2

Updates step-security/harden-runner from 2.15.0 to 2.16.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.16.0

What's Changed

• Updated action.yml to use node24
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

v2.15.1

What's Changed

• Fixes step-security/harden-runner#642 bug due to which post step was failing on Windows ARM runners
• Updates npm packages

Full Changelog: step-security/harden-runner@v2.15.0...v2.15.1

Commits

• fa2e9d6 Release v2.16.0 (#646)
• 58077d3 Release v2.15.1 (#641)
• See full diff in compare view

Updates actions/upload-artifact from 6.0.0 to 7.0.0

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in actions/upload-artifact#754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in actions/upload-artifact#762
• Support direct file uploads by @​danwkennedy in actions/upload-artifact#764

New Contributors

• @​Link- made their first contribution in actions/upload-artifact#754

Full Changelog: actions/upload-artifact@v6...v7.0.0

Commits

• bbbca2d Support direct file uploads (#764)
• 589182c Upgrade the module to ESM and bump dependencies (#762)
• 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
• 02a8460 Add proxy integration test
• See full diff in compare view

Updates docker/setup-qemu-action from 3.7.0 to 4.0.0

Release notes

Sourced from docker/setup-qemu-action's releases.

v4.0.0

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in docker/setup-qemu-action#245
• Switch to ESM and update config/test wiring by @​crazy-max in docker/setup-qemu-action#241
• Bump @​actions/core from 1.11.1 to 3.0.0 in docker/setup-qemu-action#244
• Bump @​docker/actions-toolkit from 0.67.0 to 0.77.0 in docker/setup-qemu-action#243
• Bump @​isaacs/brace-expansion from 5.0.0 to 5.0.1 in docker/setup-qemu-action#240
• Bump js-yaml from 3.14.1 to 3.14.2 in docker/setup-qemu-action#231
• Bump lodash from 4.17.21 to 4.17.23 in docker/setup-qemu-action#238

Full Changelog: docker/setup-qemu-action@v3.7.0...v4.0.0

Commits

• ce36039 Merge pull request #245 from crazy-max/node24
• 6386344 node 24 as default runtime
• 1ea3db7 Merge pull request #243 from docker/dependabot/npm_and_yarn/docker/actions-to...
• b56a002 chore: update generated content
• c43f02d build(deps): bump @​docker/actions-toolkit from 0.67.0 to 0.77.0
• ce10c58 Merge pull request #244 from docker/dependabot/npm_and_yarn/actions/core-3.0.0
• 429fc9d chore: update generated content
• 060e5f8 build(deps): bump @​actions/core from 1.11.1 to 3.0.0
• 44be13e Merge pull request #231 from docker/dependabot/npm_and_yarn/js-yaml-3.14.2
• 1897438 chore: update generated content
• Additional commits viewable in compare view

Updates actions/download-artifact from 7.0.0 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in actions/download-artifact#471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in actions/download-artifact#472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in actions/download-artifact#460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in actions/download-artifact#461

Full Changelog: actions/download-artifact@v7...v8.0.0

Commits

• 3e5f45b Add regression tests for CJK characters (#471)
• e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
• 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
• f258da9 Add change docs
• ccc058e Fix linting issues
• bd7976b Add a setting to specify what to do on hash mismatch and default it to error
• ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
• 15999bf Add note about package bumps
• 974686e Bump the version to v8 and add release notes
• fbe48b1 Update test names to make it clearer what they do
• Additional commits viewable in compare view

Updates actions/attest-build-provenance from 3.2.0 to 4.1.0

Release notes

Sourced from actions/attest-build-provenance's releases.

v4.1.0

[!NOTE] As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Update RELEASE.md docs by @​bdehamer in actions/attest-build-provenance#836
• Bump actions/attest from 4.0.0 to 4.1.0 by @​bdehamer in actions/attest-build-provenance#838
  • Bump @actions/attest from 3.0.0 to 3.1.0 by @​bdehamer in actions/attest#362
  • Bump @actions/attest from 3.1.0 to 3.2.0 by @​bdehamer in actions/attest#365
  • Add new subject-version input for inclusion in storage record by @​bdehamer in actions/attest#364
  • Add storage record content to README by @​bdehamer in actions/attest#366

Full Changelog: actions/attest-build-provenance@v4.0.0...v4.1.0

v4.0.0

[!NOTE] As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Prepare v4 release by @​bdehamer in actions/attest-build-provenance#835

Full Changelog: actions/attest-build-provenance@v3.2.0...v4.0.0

Commits

• a2bbfa2 bump actions/attest from 4.0.0 to 4.1.0 (#838)
• 0856891 update RELEASE.md docs (#836)
• e4d4f7c prepare v4 release (#835)
• 02a49bd Bump github/codeql-action in the actions-minor group (#824)
• 7c757df Bump the npm-development group with 2 updates (#825)
• c44148e Bump github/codeql-action in the actions-minor group (#818)
• 3234352 Bump @​types/node from 25.0.10 to 25.2.0 in the npm-development group (#819)
• 18db129 Bump tar from 7.5.6 to 7.5.7 (#816)
• 90fadfa Bump @​actions/core from 2.0.1 to 2.0.2 in the npm-production group (#799)
• 57db8ba Bump the npm-development group across 1 directory with 3 updates (#808)
• Additional commits viewable in compare view

Updates actions/setup-dotnet from 5.1.0 to 5.2.0

Release notes

Sourced from actions/setup-dotnet's releases.

v5.2.0

What's changed

Enhancements

• Add support for workloads input by @​gowridurgad in actions/setup-dotnet#693
• Add support for optional architecture input for cross-architecture .NET installs by @​priya-kinthali in actions/setup-dotnet#700

Dependency Updates

• Upgrade fast-xml-parser from 4.4.1 to 5.3.6 by @​dependabot in actions/setup-dotnet#671
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in actions/setup-dotnet#705

Full Changelog: actions/setup-dotnet@v5...v5.2.0

Commits

• c2fa09f Bump minimatch from 3.1.2 to 3.1.5 (#705)
• 02574b1 Add support for optional architecture input for cross-architecture .NET insta...
• 16c7b3c Bump fast-xml-parser from 4.4.1 to 5.3.6 (#671)
• 131b410 Add support for workloads input (#693)
• See full diff in compare view

Updates anthropics/claude-code-action from 1.0.60 to 1.0.73

Release notes

Sourced from anthropics/claude-code-action's releases.

v1.0.73

Full Changelog: anthropics/claude-code-action@v1...v1.0.73

v1.0.72

What's Changed

• Harden tag mode tool permissions against prompt injection by @​km-anthropic in anthropics/claude-code-action#1002

Full Changelog: anthropics/claude-code-action@v1...v1.0.72

v1.0.71

What's Changed

• docs: warn that allowed_bots can expose the action to external triggers by @​an-dustin in anthropics/claude-code-action#1039
• feat(inline-comment): add confirmed param + probe-pattern safety net by @​km-anthropic in anthropics/claude-code-action#1048

New Contributors

• @​an-dustin made their first contribution in anthropics/claude-code-action#1039

Full Changelog: anthropics/claude-code-action@v1...v1.0.71

v1.0.70

Full Changelog: anthropics/claude-code-action@v1...v1.0.70

v1.0.69

Full Changelog: anthropics/claude-code-action@v1...v1.0.69

v1.0.68

Full Changelog: anthropics/claude-code-action@v1...v1.0.68

v1.0.67

What's Changed

• Improve gh.sh wrapper: stricter validation and better error messages by @​OctavianGuzu in anthropics/claude-code-action#996

Full Changelog: anthropics/claude-code-action@v1...v1.0.67

v1.0.66

What's Changed

• Only expose permission_denials count in sanitized output by @​ddworken in anthropics/claude-code-action#993

Full Changelog: anthropics/claude-code-action@v1...v1.0.66

v1.0.65

What's Changed

• Change the default display_report option to false to restrict exposed data by @​ddworken in anthropics/claude-code-action#992

Full Changelog: anthropics/claude-code-action@v1...v1.0.65

... (truncated)

Commits

• 1b422b3 chore: bump Claude Code to 2.1.78 and Agent SDK to 0.2.77
• 4c044bb chore: bump Claude Code to 2.1.77 and Agent SDK to 0.2.77
• cd77b50 chore: bump Claude Code to 2.1.76 and Agent SDK to 0.2.76
• 0e80d3c chore: bump Claude Code to 2.1.75 and Agent SDK to 0.2.75
• f956510 Harden tag mode tool permissions against prompt injection (#1002)
• 5d0cc74 feat(inline-comment): add confirmed param + probe-pattern safety net (#1048)
• 567be3d chore: bump Claude Code to 2.1.73 and Agent SDK to 0.2.73
• eb99fb3 chore: bump Claude Code to 2.1.72 and Agent SDK to 0.2.72
• 33fbb80 docs: warn that allowed_bots can expose the action to external triggers (#1039)
• 3428ca8 chore: bump Claude Code to 2.1.71 and Agent SDK to 0.2.71
• Additional commits viewable in compare view

Updates github/codeql-action from 4.32.4 to 4.33.0

Release notes

Sourced from github/codeql-action's releases.

v4.33.0

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

v4.32.6

• Update default CodeQL bundle version to 2.24.3. #3548

v4.32.5

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
• Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
• The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
• Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
• Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
• Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
• The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.33.0 - 16 Mar 2026

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

• Update default CodeQL bundle version to 2.24.3. #3548

4.32.5 - 02 Mar 2026

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
• Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
• The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
• Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
• Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
• Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
• The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

4.32.4 - 20 Feb 2026

• Update default CodeQL bundle version to 2.24.2. #3493
• Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
• When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
• Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
• Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

4.32.3 - 13 Feb 2026

• Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

4.32.2 - 05 Feb 2026

... (truncated)

Commits

• b1bff81 Merge pull request #3574 from github/update-v4.32.7-7dd76e6bf
• e682234 Add changelog entry for #3570
• 95be291 Bump minor version
• 59bcb60 Update changelog for v4.32.7
• 7dd76e6 Merge pull request #3572 from github/mbg/pr-checks/eslint
• e3200e3 Merge pull request #3563 from github/mbg/private-registry/oidc
• 4c356c7 Merge pull request #3570 from github/mbg/repo-props/warn-on-unexpected-props
• b4937c1 Only emit one message with accumulated property names
• 136b8ab Remove cache-dependency-path options as well
• a5aba59 Remove package-lock.json that's no longer needed
• Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.8.3 to 4.9.0

Release notes

Sourced from actions/dependency-review-action's releases.

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

• There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
• Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
• There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

• Compare normalized purls to account for encoding quirks by @​juxtin in actions/dependency-review-action#1056
• Make purl comparisons case insensitive by @​juxtin in actions/dependency-review-action#1057
• Feat: Add Patched Version to Vulnerabilities summary by @​felickz in actions/dependency-review-action#1045
• fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @​jantiebot in actions/dependency-review-action#1060
• Bump actions/stale from 10.1.0 to 10.2.0 by @​dependabot[bot] in actions/dependency-review-action#1058
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in actions/dependency-review-action#1021
• Updates for release 4.9.0 by @​ahpook in actions/dependency-review-action#1064

New Contributors

• @​jantiebot made their first contribution in actions/dependency-review-action#1060

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

Commits

• 2031cfc Merge pull request #1064 from actions/ahpook/release-4.9.0
• d02fa39 Updates for release 4.9.0
• 4038a34 Merge pull request #1021 from actions/dependabot/github_actions/actions/check...
• a632b83 Merge pull request #1058 from actions/dependabot/github_actions/actions/stale...
• 57a3d46 Merge pull request #1060 from jantiebot/main
• 5ecdc4b Merge pull request #1045 from forks-felickz/main
• e8c2f9a fix: remove inferrable type annotation to pass eslint
• 0e129e1 Prettier - Refactor summary table rendering for improved readability
• aa60746 Add 'show-patched-versions' option to configuration and update summary handling
• e404798 Merge upstream actions/dependency-review-action main
• Additional commits viewable in compare view

Updates actions/create-github-app-token from 2.2.1 to 3.0.0

Release notes

Sourced from actions/create-github-app-token's releases.

v3.0.0

3.0.0 (2026-03-14)

• feat!: node 24 support (#275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#143) (dce0ab0)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
• Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

• deps: bump @​actions/core from 1.11.1 to 3.0.0 (#337) (b044133)
• deps: bump minimatch from 9.0.5 to 9.0.9 (#335) (5cbc656)
• deps: bump the production-dependencies group with 4 updates (#336) (6bda5bc)
• deps: bump undici from 7.16.0 to 7.18.2 (#323) (b4f638f)

v3.0.0-beta.5

3.0.0-beta.5 (2026-03-13)

• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (d53a1cd)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.

v3.0.0-beta.4

3.0.0-beta.4 (2026-03-13)

Bug Fixes

• deps: bump @​octokit/auth-app from 7.2.1 to 8.0.1 (#257) (bef1eaf)
• deps: bump @​octokit/request from 9.2.3 to 10.0.2 (#256) (5d7307b)
• deps: bump glob from 10.4.5 to 10.5.0 (#305) (5480f43)
• deps: bump p-retry from 6.2.1 to 7.1.0 (#294) (dce3be8)

... (truncated)

Commits

• f8d387b build(release): 3.0.0 [skip ci]
• d2129bd style: remove extra blank line in release workflow
• 77b94ef build: refresh generated artifacts
• 3ab4c66 chore: move undici to devDependencies
• 739cf66 docs: update README action versions
• db40289 build(deps): bump actions versions in test.yml
• 496a7ac test: migrate from AVA to Node.js native test runner (#346)
• 3...

  Description has been truncated

[github-actions]

Test Results: Windows

    2 files      2 suites   16s ⏱️
4 052 tests 4 033 ✅ 19 💤 0 ❌
4 054 runs  4 035 ✅ 19 💤 0 ❌

Results for commit 537dcfd.

[github-actions]

Test Results: Ubuntu

    2 files      2 suites   47s ⏱️
4 044 tests 4 025 ✅ 19 💤 0 ❌
4 046 runs  4 027 ✅ 19 💤 0 ❌

Results for commit 537dcfd.

[github-actions]

Package	Line Rate	Branch Rate	Complexity	Health
Yubico.Core	52%	41%	1519	➖
Yubico.YubiKey	50%	46%	7178	➖
Summary	50% (12810 / 25442)	45% (3069 / 6852)	8697	➖

Minimum allowed line rate is 40%

[github-actions]

Test Results: MacOS

    4 files      4 suites   32s ⏱️
4 026 tests 4 026 ✅ 0 💤 0 ❌
4 028 runs  4 028 ✅ 0 💤 0 ❌

Results for commit 537dcfd.

[DennisDyallo]

@claude review and fix any minor or breaking changes that may have been introduced by this PR

[claude]

Claude finished @DennisDyallo's task in 2m 44s —— View job

---

PR Review: GitHub Actions Dependency Updates

Tasks:

• Gather context and understand request
• Read all 14 changed workflow files
• Identify breaking changes in major version bumps
• Review impact of each upgrade and post findings

---

Summary

All CI checks passed (4,033+ tests across Windows, Ubuntu, and macOS with 0 failures), confirming no functional regressions. The PR is generally safe to merge. Below is a breakdown of the major version bumps and any notes worth considering.

---

Major Version Bump Analysis

✅ actions/upload-artifact v6 → v7

Usage: All workflows (build, test, nativeshims artifacts)

The new archive: false parameter for direct unzipped uploads is optional and not used in any current workflow. ESM upgrade is transparent to callers. No breaking changes.

---

✅ actions/download-artifact v7 → v8

Usage: test.yml, build.yml, build-nativeshims.yml, upload-docs.yml

Two notable v8 changes:

1. Hash mismatches now error by default (previously a warning). This is a security improvement. Since CI passed, no latent hash mismatches existed.
2. Non-zipped files won't be auto-unzipped — only relevant if upload-artifact uses archive: false, which none of these workflows do.

No breaking changes for current usage.

---

✅ actions/attest-build-provenance v3 → v4

Usage: build.yml:172, build-nativeshims.yml:474

v4 is now a wrapper on actions/attest. All existing inputs still work. Release notes note that new implementations should prefer actions/attest directly, but this is informational only.

No breaking changes for existing usage.

---

✅ actions/setup-dotnet v5.1.0 → v5.2.0

Usage: build.yml, build-pull-requests.yml, codeql-analysis.yml, verify-code-style.yml

Adds optional workloads and architecture inputs. Minor version, no breaking changes.

---

✅ anthropics/claude-code-action v1.0.60 → v1.0.73

Usage: claude.yml:45

Security hardening (prompt injection protections in v1.0.72, v1.0.71), updated Claude Code/Agent SDK versions. No API breaking changes.

---

✅ actions/dependency-review-action v4.8.3 → v4.9.0

Usage: dependency-review.yml:27

Adds optional show_patched_versions feature. No breaking changes.

---

✅ danielpalme/ReportGenerator-GitHub-Action v5.5.1 → v5.5.4

Usage: test.yml:90

Patch version bump, bug fixes only.

---

✅ marocchino/sticky-pull-request-comment v2.9.4 → v3.0.2

Usage: test.yml:142 with recreate: true and path: code-coverage-results.md

Major version bump. The parameters used (recreate, path) are basic and present in v3. CI passed with these parameters, confirming compatibility.

---

✅ step-security/harden-runner v2.15.0 → v2.16.0

Usage: All workflows

Security fixes for two medium-severity vulnerabilities in the Community Tier:

• DNS-over-HTTPS egress bypass (GHSA-46g3-37rh-v698)
• DNS-over-TCP egress bypass (GHSA-g699-3x6g-wm3g)

This is a welcome security patch. No breaking changes.

---

⚠️ Items to Be Aware Of

Node 24 Runtime Requirement

Three upgrades now require Actions Runner v2.327.1 or later:

• docker/setup-qemu-action v4 (build-nativeshims.yml:325)
• actions/create-github-app-token v3 (deploy-docs.yml:49,107)

GitHub-hosted runners are up to date. Action required only if using self-hosted runners — ensure they are updated to v2.327.1+.

actions/create-github-app-token v2 → v3 — Proxy Handling Change

Usage: deploy-docs.yml:49,107

Custom proxy handling has been removed. If HTTP_PROXY or HTTPS_PROXY environment variables are set on the runner, you must now also set NODE_USE_ENV_PROXY=1 on the step. This is not an issue on standard GitHub-hosted runners.

github/codeql-action v4.32.4 → v4.33.0 — Upcoming Behavior Change

Usage: codeql-analysis.yml:77,90

Starting April 2026, CodeQL will skip file coverage collection on PRs by default. This is to improve performance and won't affect the analysis results themselves. You may see a warning in logs soon. To opt out, set CODEQL_ACTION_FILE_COVERAGE_ON_PRS=true in the workflow environment, or create the github-codeql-file-coverage-on-prs repository property. No action needed unless file coverage on PRs is required.

---

Conclusion

This PR is safe to merge. All tests pass and no functional breaking changes were introduced. The items flagged above are informational:

• Self-hosted runner users should verify runner version ≥ v2.327.1
• The proxy change in create-github-app-token v3 is not relevant for GitHub-hosted runners
• The CodeQL file coverage change in April 2026 may require action at that time

Note: I cannot directly modify .github/workflows/ files (GitHub App permissions restriction), so no automated fixes were applied. All findings are informational and no code changes are required.