Skip to content

chore(deps): bump the github-actions group across 1 directory with 6 updates#284

Merged
WilliamBerryiii merged 1 commit into
mainfrom
dependabot/github_actions/github-actions-378a7c5d5e
Mar 17, 2026
Merged

chore(deps): bump the github-actions group across 1 directory with 6 updates#284
WilliamBerryiii merged 1 commit into
mainfrom
dependabot/github_actions/github-actions-378a7c5d5e

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Mar 17, 2026
edited
Loading

Bumps the github-actions group with 6 updates in the / directory:

Package From To
github/codeql-action 4.32.6 4.33.0
actions/download-artifact 8.0.0 8.0.1
actions/upload-pages-artifact 3.0.1 4.0.0
actions/create-github-app-token 2.2.1 3.0.0
astral-sh/setup-uv 7.4.0 7.6.0
terraform-linters/setup-tflint 6.2.1 6.2.2

Updates github/codeql-action from 4.32.6 to 4.33.0

Release notes

Sourced from github/codeql-action's releases.

v4.33.0

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

    To opt out of this change:

    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.33.0 - 16 Mar 2026

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

    To opt out of this change:

    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

  • Update default CodeQL bundle version to 2.24.3. #3548

4.32.5 - 02 Mar 2026

  • Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
  • Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
  • The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
  • Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
  • Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
  • Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
  • The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

4.32.4 - 20 Feb 2026

  • Update default CodeQL bundle version to 2.24.2. #3493
  • Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
  • When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
  • Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
  • Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

4.32.3 - 13 Feb 2026

  • Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

4.32.2 - 05 Feb 2026

... (truncated)

Commits
  • b1bff81 Merge pull request #3574 from github/update-v4.32.7-7dd76e6bf
  • e682234 Add changelog entry for #3570
  • 95be291 Bump minor version
  • 59bcb60 Update changelog for v4.32.7
  • 7dd76e6 Merge pull request #3572 from github/mbg/pr-checks/eslint
  • e3200e3 Merge pull request #3563 from github/mbg/private-registry/oidc
  • 4c356c7 Merge pull request #3570 from github/mbg/repo-props/warn-on-unexpected-props
  • b4937c1 Only emit one message with accumulated property names
  • 136b8ab Remove cache-dependency-path options as well
  • a5aba59 Remove package-lock.json that's no longer needed
  • Additional commits viewable in compare view

Updates actions/download-artifact from 8.0.0 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

Full Changelog: actions/download-artifact@v8...v8.0.1

Commits

Updates actions/upload-pages-artifact from 3.0.1 to 4.0.0

Release notes

Sourced from actions/upload-pages-artifact's releases.

v4.0.0

What's Changed

Full Changelog: actions/upload-pages-artifact@v3.0.1...v4.0.0

Commits
  • 7b1f4a7 Merge pull request #127 from heavymachinery/pin-sha
  • 4cc19c7 Pin actions/upload-artifact to SHA
  • 2d163be Merge pull request #107 from KittyChiu/main
  • c704843 fix: linted README
  • 9605915 Merge pull request #106 from KittyChiu/kittychiu/update-readme-1
  • e59cdfe Update README.md
  • a2d6704 doc: updated usage section in readme
  • 984864e Merge pull request #105 from actions/Jcambass-patch-1
  • 45dc788 Add workflow file for publishing releases to immutable action package
  • efaad07 Merge pull request #102 from actions/hidden-files
  • Additional commits viewable in compare view

Updates actions/create-github-app-token from 2.2.1 to 3.0.0

Release notes

Sourced from actions/create-github-app-token's releases.

v3.0.0

3.0.0 (2026-03-14)

Bug Fixes

BREAKING CHANGES

  • Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
  • Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

  • deps: bump @​actions/core from 1.11.1 to 3.0.0 (#337) (b044133)
  • deps: bump minimatch from 9.0.5 to 9.0.9 (#335) (5cbc656)
  • deps: bump the production-dependencies group with 4 updates (#336) (6bda5bc)
  • deps: bump undici from 7.16.0 to 7.18.2 (#323) (b4f638f)

v3.0.0-beta.5

3.0.0-beta.5 (2026-03-13)

  • fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (d53a1cd)

BREAKING CHANGES

  • Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.

v3.0.0-beta.4

3.0.0-beta.4 (2026-03-13)

Bug Fixes

  • deps: bump @​octokit/auth-app from 7.2.1 to 8.0.1 (#257) (bef1eaf)
  • deps: bump @​octokit/request from 9.2.3 to 10.0.2 (#256) (5d7307b)
  • deps: bump glob from 10.4.5 to 10.5.0 (#305) (5480f43)
  • deps: bump p-retry from 6.2.1 to 7.1.0 (#294) (dce3be8)

... (truncated)

Commits
  • f8d387b build(release): 3.0.0 [skip ci]
  • d2129bd style: remove extra blank line in release workflow
  • 77b94ef build: refresh generated artifacts
  • 3ab4c66 chore: move undici to devDependencies
  • 739cf66 docs: update README action versions
  • db40289 build(deps): bump actions versions in test.yml
  • 496a7ac test: migrate from AVA to Node.js native test runner (#346)
  • 3870dc3 Rename end-to-end proxy job in test workflow
  • 4451bcb fix!: require NODE_USE_ENV_PROXY for proxy support (#342)
  • dce0ab0 fix: remove custom proxy handling (#143)
  • Additional commits viewable in compare view

Updates astral-sh/setup-uv from 7.4.0 to 7.6.0

Release notes

Sourced from astral-sh/setup-uv's releases.

v7.6.0 🌈 Fetch uv from Astral's mirror by default

Changes

We now default to download uv from releases.astral.sh. This means by default we don't hit the GitHub API at all and shouldn't see any rate limits and timeouts any more.

🚀 Enhancements

🧰 Maintenance

⬆️ Dependency updates

v7.5.0 🌈 Use astral-sh/versions as version provider

No more rate-limits

This release addresses a long-standing source of timeouts and rate-limit failures in setup-uv.

Previously, the action resolved version identifiers like 0.5.x by iterating over available uv releases via the GitHub API to find the best match. In contrast, latest and exact versions such as 0.5.0 skipped version resolution entirely and downloaded uv directly.

The manifest-file input was an earlier attempt to improve this. It allows providing an url to a file that lists available versions, checksums, and even custom download URLs. The action also shipped with such a manifest. However, because that bundled file could become outdated whenever new uv releases were published, the action still had to fall back to the GitHub API in many cases.

This release solves the problem by sourcing version data from Astral’s versions repository via the raw content endpoint:

https://raw.githubusercontent.com/astral-sh/versions/refs/heads/main/v1/uv.ndjson

By using the raw endpoint instead of the GitHub API, version resolution no longer depends on API authentication and is much less likely to run into rate limits or timeouts.

[!TIP] The next section is only interesting for users of the manifest-file input

The manifest-file input lets you override that source with your own URL, for example to test custom uv builds or alternate download locations.

The manifest file must be in NDJSON format, where each line is a JSON object representing a version and its artifacts. For example:

{"version":"0.10.7","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}
{"version":"0.10.6","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}

... (truncated)

Commits
  • 37802ad Fetch uv from Astral's mirror by default (#809)
  • 9f00d18 chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 (#808)
  • fd8f376 Switch to ESM for source and test, use CommonJS for dist (#806)
  • f9070de Bump deps (#805)
  • cadb67b chore: update known checksums for 0.10.10 (#804)
  • e06108d Use astral-sh/versions as primary version provider (#802)
  • 0f6ec07 docs: replace copilot instructions with AGENTS.md (#794)
  • 821e5c9 docs: add cross-client dependabot rollup skill (#793)
  • See full diff in compare view

Updates terraform-linters/setup-tflint from 6.2.1 to 6.2.2

Release notes

Sourced from terraform-linters/setup-tflint's releases.

v6.2.2

What's Changed

Dependencies

... (truncated)

Commits
  • b480b8f build(deps): Bump the actions group across 1 directory with 3 updates (#411)
  • d4e7bc7 build(deps-dev): Bump eslint-plugin-jsdoc from 61.5.0 to 62.8.0 (#409)
  • 29adf10 build(deps-dev): Bump globals from 16.4.0 to 17.4.0 (#408)
  • 5199340 build(deps): bump @​actions/glob from 0.5.0 to 0.6.1 (#410)
  • 6978713 build(deps-dev): Bump @​babel/eslint-parser from 7.28.5 to 7.28.6 (#406)
  • 4f44956 build(deps-dev): Bump jest from 30.2.0 to 30.3.0 (#407)
  • 84b5812 build(deps-dev): Bump eslint-plugin-jest from 29.2.1 to 29.15.0 (#405)
  • fb123f3 build(deps-dev): Bump @​eslint/eslintrc from 3.3.3 to 3.3.5 (#404)
  • da37435 build(deps): Bump actions/setup-node from 6.2.0 to 6.3.0 (#402)
  • 382cd91 ci: group @actions/* Dependabot updates (#401)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Mar 17, 2026

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Dependency version updates label Mar 17, 2026
@dependabot dependabot Bot requested a review from a team as a code owner March 17, 2026 02:09
@dependabot dependabot Bot added the dependencies Dependency version updates label Mar 17, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Mar 17, 2026
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/upload-pages-artifact 7b1f4a764d45c48632c6b24a0339c27f5614fb0b 🟢 5.3
Details
CheckScoreReason
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
Code-Review🟢 8Found 8/9 approved changesets -- score normalized to 8
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Pinned-Dependencies🟢 4dependency not pinned by hash detected -- score normalized to 4
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
actions/github/codeql-action/upload-sarif b1bff81932f5cdfc8695c7752dcee935dcd061c8 UnknownUnknown
actions/astral-sh/setup-uv 37802adc94f370d6bfd71619e3f0bf239e1f3b78 UnknownUnknown

Scanned Files

  • .github/workflows/deploy-docs.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/validate-config-schema.yml

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Mar 17, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 9.79%. Comparing base (1d2d3dc) to head (ce39258).

Additional details and impacted files 
@@          Coverage Diff          @@
##            main    #284   +/-   ##
=====================================
  Coverage   9.79%   9.79%           
=====================================
  Files         29      29           
  Lines       3881    3881           
  Branches     497     497           
=====================================
  Hits         380     380           
  Misses      3491    3491           
  Partials      10      10
Flag Coverage Δ *Carryforward flag
pester 79.87% <ø> (ø)
pytest 6.89% <ø> (ø) Carriedforward from 1d2d3dc

*This pull request uses carry forward flags. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-378a7c5d5e branch 5 times, most recently from 80cedef to 8aabe69 Compare March 17, 2026 04:01
@dependabot
chore(deps): bump the github-actions group across 1 directory with 6 …
ce39258 
…updates

Bumps the github-actions group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.32.6` | `4.33.0` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `8.0.0` | `8.0.1` |
| [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) | `3.0.1` | `4.0.0` |
| [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `2.2.1` | `3.0.0` |
| [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `7.4.0` | `7.6.0` |
| [terraform-linters/setup-tflint](https://github.com/terraform-linters/setup-tflint) | `6.2.1` | `6.2.2` |



Updates `github/codeql-action` from 4.32.6 to 4.33.0
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@0d579ff...b1bff81)

Updates `actions/download-artifact` from 8.0.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@70fc10c...3e5f45b)

Updates `actions/upload-pages-artifact` from 3.0.1 to 4.0.0
- [Release notes](https://github.com/actions/upload-pages-artifact/releases)
- [Commits](actions/upload-pages-artifact@56afc60...7b1f4a7)

Updates `actions/create-github-app-token` from 2.2.1 to 3.0.0
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](actions/create-github-app-token@29824e6...f8d387b)

Updates `astral-sh/setup-uv` from 7.4.0 to 7.6.0
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@6ee6290...37802ad)

Updates `terraform-linters/setup-tflint` from 6.2.1 to 6.2.2
- [Release notes](https://github.com/terraform-linters/setup-tflint/releases)
- [Commits](terraform-linters/setup-tflint@4cb9fee...b480b8f)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/upload-pages-artifact
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/create-github-app-token
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: astral-sh/setup-uv
  dependency-version: 7.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: terraform-linters/setup-tflint
  dependency-version: 6.2.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-378a7c5d5e branch from 8aabe69 to ce39258 Compare March 17, 2026 04:05
@WilliamBerryiii WilliamBerryiii merged commit c40eff6 into main Mar 17, 2026
24 checks passed
@WilliamBerryiii WilliamBerryiii deleted the dependabot/github_actions/github-actions-378a7c5d5e branch March 17, 2026 04:09
@physical-ai-toolchain-release physical-ai-toolchain-release Bot mentioned this pull request Mar 17, 2026
Merged
WilliamBerryiii pushed a commit that referenced this pull request Mar 26, 2026
@physical-ai-toolchain-release @github-actions
chore(main): release 0.5.0 (#173)
fedf854 
🤖 I have created a release *beep* *boop*
---


##
[0.5.0](v0.4.0...v0.5.0)
(2026-03-26)


### ✨ Features

* add dataviewer web application for dataset analysis and annotation
([#375](#375))
([c44d7bb](c44d7bb))
* add return type annotations to cli_args functions
([#476](#476))
([35523ee](35523ee))
* add YAML config schema with pydantic validation for ROS 2 recording
([#376](#376))
([1fa5243](1fa5243))
* **agents:** Copilot agents and skills for dataviewer and OSMO training
workflows.
([#444](#444))
([8b72daf](8b72daf))
* **build:** add automated ms.date freshness checking
([#448](#448))
([f92ddbc](f92ddbc))
* **build:** add CLA section, Dependabot security prefix, and OWASP ZAP
DAST scan
([#241](#241))
([083a8af](083a8af))
* **build:** add coverage.py configuration to pyproject.toml
([#428](#428))
([eac7426](eac7426))
* **build:** add Go CI pipeline with golangci-lint and go test
([#351](#351))
([b27e4fb](b27e4fb))
* **build:** add OpenSSF Scorecard workflow and badge
([#431](#431))
([98a62e7](98a62e7))
* **build:** add release artifact signing and SBOM attestation
([#480](#480))
([b226e96](b226e96))
* **build:** add TFLint reusable GitHub Actions workflow
([#229](#229))
([34d5575](34d5575))
* **build:** split Go CI into separate lint and test pipelines
([#354](#354))
([2dec155](2dec155))
* **dataviewer:** add authentication middleware and CSRF protection for
mutation endpoints
([#432](#432))
([77c8a01](77c8a01))
* **docs:** create training documentation hub with guides and migration
([#380](#380))
([0fdccc5](0fdccc5))
* **docs:** port Docusaurus documentation site with full build
validation
([#182](#182))
([29dd640](29dd640))
* fix and deploy dataviewer
([#498](#498))
([c922d49](c922d49))
* **inference:** add AzureML and local LeRobot inference workflows
([#438](#438))
([f7d786a](f7d786a))
* **inference:** add MLflow trajectory plots and multi-source support to
OSMO inference workflow
([#421](#421))
([8637458](8637458))
* **infra:** add blob storage lifecycle policies and folder structure
([#179](#179))
([101a6e8](101a6e8))
* **infrastructure:** add optional observability and compute feature
flags
([#437](#437))
([9eba0da](9eba0da))
* **infrastructure:** add private Linux Isaac Sim VM deployment option
([#348](#348))
([3748c2d](3748c2d))
* **infrastructure:** add terraform-docs auto-generation pipeline
([#358](#358))
([6565caa](6565caa))
* **infrastructure:** harden Isaac Sim VM deployment with encryption and
spot options
([#355](#355))
([6ebc1f2](6ebc1f2))
* **repo:** migrate to domain-driven architecture
([#270](#270))
([a339e70](a339e70))
* **scripts:** add --config-preview and deployment summary to submission
scripts
([#499](#499))
([4069806](4069806))
* **scripts:** add Copilot attribution footer validation to frontmatter
linting
([#378](#378))
([4d595f2](4d595f2))
* **src:** add dataviewer web application with storage adapter layer
([#404](#404))
([8a9fb70](8a9fb70))


### 🐛 Bug Fixes

* **build:** add GHSA to cspell custom dictionary
([#315](#315))
([67db81a](67db81a))
* **build:** correct codecov report_type input for terraform test
uploads
([#324](#324))
([d90d66d](d90d66d))
* **build:** expand CODEOWNERS coverage to critical paths
([#505](#505))
([bafade1](bafade1))
* **build:** pin Docker base image and pip dependencies with Dependabot
coverage
([#497](#497))
([d3d7ea4](d3d7ea4))
* **build:** pin pydantic version and use uv in config schema validation
workflow
([#493](#493))
([28d823f](28d823f))
* **build:** pin uv installer to versioned URL
([#495](#495))
([8d8541b](8d8541b))
* **build:** remediate GHSA vulnerabilities flagged by OSSF Scorecard
([#271](#271))
([49b6e58](49b6e58))
* **build:** remove README frontmatter, add FrontmatterExcludePaths,
enforce Pester 5
([#443](#443))
([641d0f3](641d0f3))
* **build:** resolve CI failures for release 0.5.0 PR
([#174](#174))
([62c9900](62c9900))
* **build:** resolve codecov PR comment suppression
([#523](#523))
([5603bd7](5603bd7))
* **build:** use npm ci for deterministic frontend dependency install
([#491](#491))
([ee8b5d3](ee8b5d3)),
closes
[#490](#490)
* **ci:** add `wait_for_ci` to Codecov configuration
([#183](#183))
([370cf44](370cf44))
* **CI:** Issue 116 clean up dataviewer tests
([#184](#184))
([f466c23](f466c23))
* **ci:** pin pydantic to ==2.12.5 across all references
([#230](#230))
([9d841d5](9d841d5))
* **dataviewer:** add HTTP Range support for blob video streaming
([#165](#165))
([8adde50](8adde50))
* **dataviewer:** remediate CodeQL alerts and align ruff config
([#419](#419))
([eb6fac9](eb6fac9))
* **dataviewer:** remediate path traversal and input validation
vulnerabilities
([#413](#413))
([0a1d2ca](0a1d2ca))
* **docs:** remove trailingSlash: false for GitHub Pages compatibility
([#228](#228))
([a78cb97](a78cb97))
* **gpu:** add GPU Operator validation dependencies to GRID driver
installer
([#441](#441))
([eec42da](eec42da))
* **infrastructure:** add zone-redundant config to VPN gateway public IP
([#352](#352))
([2d734f4](2d734f4))
* **infrastructure:** improve stdout handling for helm commands in GPU…
([#311](#311))
([153f467](153f467))
* **infrastructure:** resolve remaining TFLint violations in SIL module
and example configs
([#298](#298))
([c0ce3e5](c0ce3e5))
* **infrastructure:** resolve TFLint violations in root and automation
modules
([#287](#287))
([b6a4604](b6a4604)),
closes
[#203](#203)
* **infrastructure:** update deprecated bgp vng variable name
([#307](#307))
([f530734](f530734))
* **scripts:** pin uv version in OSMO workflow templates
([#500](#500))
([7edf13a](7edf13a))
* **scripts:** replace lambda with def in lerobot_handler to satisfy R…
([#176](#176))
([baf9e58](baf9e58))
* **scripts:** support OSMO control-plane deploys with in-cluster Redis
([#317](#317))
([d4b70de](d4b70de))
* **scripts:** update compute target name derivation logic
([#319](#319))
([bb20431](bb20431))
* **settings:** update devcontainer name to match project context
([#177](#177))
([745321e](745321e))
* **terraform:** create PostgreSQL Key Vault secret via ARM control
plane
([#304](#304))
([5d73b81](5d73b81))
* **terraform:** gate observability with feature flags
([#303](#303))
([ea5e056](ea5e056))
* **terraform:** switch VPN gateway defaults to AZ SKUs
([#309](#309))
([74989c5](74989c5))
* **training:** correct learning rate mapping and pin LeRobot version
([#439](#439))
([5cf9943](5cf9943))
* **workflows:** enable SARIF upload for dependency-pinning scans
([#502](#502))
([124cad6](124cad6)),
closes
[#501](#501)
* **workflows:** remove redundant top-level permissions from
codeql-analysis
([#489](#489))
([1490fda](1490fda))
* **workflows:** use bash shell for uv.lock regeneration and add SARIF
to dictionary
([#225](#225))
([e6fa6ea](e6fa6ea))


### 📚 Documentation

* add chunking and compression configuration guide for Jetson edge
recording
([#408](#408))
([787a322](787a322))
* add OpenSSF Best Practices badge to README
([#282](#282))
([01ea384](01ea384))
* add threat model cross-reference to SECURITY.md
([#235](#235))
([88a461e](88a461e))
* add vulnerability remediation timeline to SECURITY.md
([#233](#233))
([5ead3ee](5ead3ee))
* **contributing:** remove version-specific planning language from
ownership tip
([#407](#407))
([3191f9b](3191f9b))
* **deploy:** replace deploy/ READMEs with pointer files
([#379](#379))
([b3c3abb](b3c3abb))
* **docs:** add bug report response timeline for OSSF report_responses
criterion
([#485](#485))
([9b26212](9b26212))
* **docs:** add component update process for OpenSSF Silver badge
([#446](#446))
([6adc8a2](6adc8a2))
* **docs:** Add data collection and training recipes
([#343](#343))
([9c34f86](9c34f86))
* **docs:** add deprecation policy for external interfaces
([#445](#445))
([229d5db](229d5db))
* **docs:** add structure for recipes in repo
([#322](#322))
([098757b](098757b))
* **docs:** add YAML frontmatter to SUPPORT.md
([#478](#478))
([d94c15d](d94c15d)),
closes
[#347](#347)
* **docs:** clarify issue assignment requirement before starting work
([#299](#299))
([1534462](1534462))
* **docs:** create inference and training docs hubs
([#402](#402))
([7a20a2e](7a20a2e))
* **docs:** create reference hub and migrate script documentation
([#503](#503))
([03a31c6](03a31c6))
* **docs:** create training and inference documentation hubs
([#403](#403))
([7be003b](7be003b))
* **operations:** create operations hub and troubleshooting guide
([#525](#525))
([31c7aaa](31c7aaa))
* **reference:** add copilot artifacts documentation hub
([#170](#170))
([9a45ca4](9a45ca4))
* simplify root README and update prerequisites
([#440](#440))
([c0c7710](c0c7710))


### ♻️ Code Refactoring

* **build:** align Python dependency workflows with uv
([#447](#447))
([3102e03](3102e03))
* **docs:** rename Docusaurus site to Physical AI Toolchain
([#224](#224))
([cfdf47a](cfdf47a))
* **infrastructure:** rename boolean variables to `should_` prefix and
add missing core variables
([#292](#292))
([4496593](4496593))
* **python:** move runtime deps to workflow pyproject manifests
([#405](#405))
([6c5fbeb](6c5fbeb))


### 📦 Build System

* **build:** add Codecov upload to pytest workflow
([#434](#434))
([0110c17](0110c17))
* **deps-dev:** bump the npm_and_yarn group across 2 directories with 1
update
([#325](#325))
([59cf9e6](59cf9e6))
* **workflows:** enable coverage parameters and fix Pester test
infrastructure
([#435](#435))
([528bbde](528bbde))


### 🔧 Miscellaneous

* add gomod to cspell general-technical wordlist
([#362](#362))
([1f93f47](1f93f47))
* **build:** add codecov.yml for unified coverage reporting
([#430](#430))
([b0faf70](b0faf70))
* **build:** add Go toolchain devcontainer feature and Dependabot gomod
([#337](#337))
([8a36620](8a36620))
* **deps:** bump cryptography from 45.0.7 to 46.0.5 in /src/training
([#506](#506))
([a06434e](a06434e))
* **deps:** bump minimatch in /src/dataviewer/frontend
([#416](#416))
([38a7607](38a7607))
* **deps:** bump pyasn1 from 0.6.2 to 0.6.3 in /training/rl
([#296](#296))
([7b42cf5](7b42cf5))
* **deps:** bump rollup in /src/dataviewer/frontend
([#417](#417))
([6302ce4](6302ce4))
* **deps:** bump the common-dependencies group in /src/common with 3
updates
([#507](#507))
([db05074](db05074))
* **deps:** bump the github-actions group across 1 directory with 6
updates
([#284](#284))
([c40eff6](c40eff6))
* **deps:** bump the github-actions group across 1 directory with 6
updates
([#433](#433))
([2d9dd4f](2d9dd4f))
* **deps:** bump the github-actions group across 1 directory with 6
updates
([#510](#510))
([c334a64](c334a64))
* **deps:** bump the github-actions group with 2 updates
([#163](#163))
([f25713e](f25713e))
* **deps:** bump the inference-dependencies group in /evaluation with 3
updates
([#279](#279))
([1d2d3dc](1d2d3dc))
* **deps:** bump the inference-dependencies group in /src/inference with
5 updates
([#508](#508))
([2852ffb](2852ffb))
* **deps:** bump the lerobot-inference-dependencies group in
/workflows/azureml with 4 updates
([#511](#511))
([b7c5773](b7c5773))
* **deps:** bump the npm_and_yarn group across 2 directories with 1
update
([#223](#223))
([6a261ab](6a261ab))
* **deps:** bump the training-dependencies group
([#429](#429))
([66e43f4](66e43f4))
* **deps:** bump tornado from 6.5.4 to 6.5.5 in the uv group across 1
directory
([#172](#172))
([d6caf29](d6caf29))
* **docs:** correct ms.date tooling and refresh stale documentation
([#349](#349))
([ccaa1e8](ccaa1e8))
* **infrastructure:** add Go module and golangci-lint config for e2e
tests
([#347](#347))
([e0e6bbf](e0e6bbf))
* **infrastructure:** add root .terraform-docs.yml configuration
([#312](#312))
([bb73bbb](bb73bbb))
* migrate references from Azure-Samples to
microsoft/physical-ai-toolchain
([f58f0ef](f58f0ef))
* **workflows:** update Dependabot, CodeQL, CODEOWNERS, and cspell for
dataviewer coverage
([#231](#231))
([6d8c2e8](6d8c2e8))


### 🔒 Security

* **deps:** bump mlflow from 3.5.0 to 3.8.0rc0 in /training/rl
([#297](#297))
([e9929df](e9929df))
* **deps:** bump the github-actions group across 1 directory with 4
updates
([#344](#344))
([6826929](6826929))
* **deps:** bump the inference-dependencies group in /evaluation with 2
updates
([#339](#339))
([6804630](6804630))
* **deps:** bump the npm_and_yarn group across 3 directories with 1
update
([#361](#361))
([6760857](6760857))
* **deps:** bump the training-dependencies group across 1 directory with
54 updates
([#286](#286))
([d9ae04f](d9ae04f))
* **deps:** bump the uv group across 3 directories with 1 update
([#360](#360))
([dfbda06](dfbda06))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: physical-ai-toolchain-release[bot] <267194360+physical-ai-toolchain-release[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Bill Berry <wbery@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@WilliamBerryiii WilliamBerryiii WilliamBerryiii approved these changes

Assignees

No one assigned

Labels

dependencies Dependency version updates

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@codecov-commenter @WilliamBerryiii