chore(deps): bump the github-actions group across 1 directory with 7 updates by dependabot[bot] · Pull Request #370 · microsoft/physical-ai-toolchain

dependabot · 2026-03-30T03:32:23Z

Bumps the github-actions group with 7 updates in the / directory:

Package	From	To
github/codeql-action	`4.34.1`	`4.35.1`
astral-sh/setup-uv	`7.6.0`	`8.0.0`
codecov/codecov-action	`5.5.3`	`6.0.0`
dependabot/fetch-metadata	`2.5.0`	`3.0.0`
actions/configure-pages	`5.0.0`	`6.0.0`
actions/deploy-pages	`4.0.5`	`5.0.0`
actions/setup-go	`5.6.0`	`6.4.0`

Updates github/codeql-action from 4.34.1 to 4.35.1

Release notes

Sourced from github/codeql-action's releases.

v4.35.1

Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

v4.35.0

Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767

Update default CodeQL bundle version to 2.25.1. #3773

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.35.1 - 27 Mar 2026

Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767

Update default CodeQL bundle version to 2.25.1. #3773

4.34.1 - 20 Mar 2026

Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569

We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584

Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

To opt out of this change:

Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

Update default CodeQL bundle version to 2.24.3. #3548

4.32.5 - 02 Mar 2026

Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507

Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487

The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515

... (truncated)

Commits

c10b806 Merge pull request #3782 from github/update-v4.35.1-d6d1743b8
c5ffd06 Update changelog for v4.35.1
d6d1743 Merge pull request #3781 from github/henrymercer/update-git-minimum-version
65d2efa Add changelog note
2437b20 Update minimum git version for overlay to 2.36.0
ea5f719 Merge pull request #3775 from github/dependabot/npm_and_yarn/node-forge-1.4.0
45ceeea Merge pull request #3777 from github/mergeback/v4.35.0-to-main-b8bb9f28
24448c9 Rebuild
7c51060 Update changelog and version after v4.35.0
b8bb9f2 Merge pull request #3776 from github/update-v4.35.0-0078ad667
Additional commits viewable in compare view

Updates astral-sh/setup-uv from 7.6.0 to 8.0.0

Release notes

Sourced from astral-sh/setup-uv's releases.

v8.0.0 🌈 Immutable releases and secure tags

This is the first immutable release of setup-uv 🥳

All future releases are also immutable, if you want to know more about what this means checkout the docs.

This release also has two breaking changes

New format for manifest-file

The previously deprecated way of defining a custom version manifest to control which uv versions are available and where to download them from got removed. The functionality is still there but you have to use the new format.

No more major and minor tags

To increase security even more we will stop publishing minor tags. You won't be able to use @v8 or @v8.0 any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.

[!TIP] Use the immutable tag as a version astral-sh/setup-uv@v8.0.0 Or even better the githash astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57

🚨 Breaking changes

Remove update-major-minor-tags workflow @eifinger (#826)

Remove deprecrated custom manifest @eifinger (#813)

🧰 Maintenance

Shortcircuit latest version from manifest @eifinger (#828)

Simplify inputs.ts @eifinger (#827)

Bump release-drafter to v7.1.1 @eifinger (#825)

Refactor inputs @eifinger (#823)

Replace inline compile args with tsconfig @eifinger (#824)

chore: update known checksums for 0.11.2 @github-actions[bot] (#821)

chore: update known checksums for 0.11.1 @github-actions[bot] (#817)

chore: update known checksums for 0.11.0 @github-actions[bot] (#815)

Fix latest-version workflow check @eifinger (#812)

chore: update known checksums for 0.10.11/0.10.12 @github-actions[bot] (#811)

Commits

cec2083 Shortcircuit latest version from manifest (#828)
4dd8ab4 Simplify inputs.ts (#827)
7fdbe7c Remove update-major-minor-tags workflow (#826)
485abd0 Bump release-drafter to v7.1.1 (#825)
f82eb19 Refactor inputs (#823)
868d1f7 Replace inline compile args with tsconfig (#824)
447e6d0 chore: update known checksums for 0.11.2 (#821)
5c62c59 chore: update known checksums for 0.11.1 (#817)
e1a7373 chore: update known checksums for 0.11.0 (#815)
8970931 Remove deprecrated custom manifest (#813)
Additional commits viewable in compare view

Updates codecov/codecov-action from 5.5.3 to 6.0.0

Release notes

Sourced from codecov/codecov-action's releases.

v6.0.0

⚠️ This version introduces support for node24 which make cause breaking changes for systems that do not currently support node24. ⚠️

What's Changed

Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0"" by @thomasrockhu-codecov in codecov/codecov-action#1929

Th/6.0.0 by @thomasrockhu-codecov in codecov/codecov-action#1928

Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0

v5.5.4

This is a mirror of v5.5.2. v6 will be released which requires node24

What's Changed

Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" by @thomasrockhu-codecov in codecov/codecov-action#1926

chore(release): 5.5.4 by @thomasrockhu-codecov in codecov/codecov-action#1927

Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4

Changelog

Sourced from codecov/codecov-action's changelog.

v5.5.2

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

What's Changed

fix: overwrite pr number on fork by @thomasrockhu-codecov in codecov/codecov-action#1871

build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @app/dependabot in codecov/codecov-action#1868

build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @app/dependabot in codecov/codecov-action#1867

fix: update to use local app/ dir by @thomasrockhu-codecov in codecov/codecov-action#1872

docs: fix typo in README by @datalater in codecov/codecov-action#1866

Document a codecov-cli version reference example by @webknjaz in codecov/codecov-action#1774

build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @app/dependabot in codecov/codecov-action#1861

build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @app/dependabot in codecov/codecov-action#1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

What's Changed

feat: upgrade wrapper to 0.2.4 by @jviall in codecov/codecov-action#1864

Pin actions/github-script by Git SHA by @martincostello in codecov/codecov-action#1859

fix: check reqs exist by @joseph-sentry in codecov/codecov-action#1835

fix: Typo in README by @spalmurray in codecov/codecov-action#1838

docs: Refine OIDC docs by @spalmurray in codecov/codecov-action#1837

build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @app/dependabot in codecov/codecov-action#1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

v5.4.3

What's Changed

build(deps): bump github/codeql-action from 3.28.13 to 3.28.17 by @app/dependabot in codecov/codecov-action#1822

fix: OIDC on forks by @joseph-sentry in codecov/codecov-action#1823

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3

v5.4.2

... (truncated)

Commits

57e3a13 Th/6.0.0 (#1928)
f67d33d Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0""...
75cd116 chore(release): 5.5.4 (#1927)
87d39f4 Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" (#1926)
See full diff in compare view

Updates dependabot/fetch-metadata from 2.5.0 to 3.0.0

Release notes

Sourced from dependabot/fetch-metadata's releases.

v3.0.0

The breaking change is requiring Node.js version v24 as the Actions runtime.

What's Changed

feat: Parse versions from metadata links by @ppkarwasz in dependabot/fetch-metadata#632

Upgrade actions core and actions github packages by @truggeri in dependabot/fetch-metadata#649

docs: Add notes for using alert-lookup with App Token by @sue445 in dependabot/fetch-metadata#656

feat!: update Node.js version to v24 by @sturman in dependabot/fetch-metadata#671

Switch build tooling from ncc to esbuild by @truggeri in dependabot/fetch-metadata#676

Add --legal-comments=none to esbuild build commands by @jeffwidman in dependabot/fetch-metadata#679

Bump tsconfig target from es2022 to es2024 by @jeffwidman in dependabot/fetch-metadata#680

Remove vestigial outDir from tsconfig.json by @jeffwidman in dependabot/fetch-metadata#681

Switch tsconfig module resolution to bundler by @jeffwidman in dependabot/fetch-metadata#682

Remove skipLibCheck from tsconfig.json by @jeffwidman in dependabot/fetch-metadata#683

Add typecheck step to CI by @jeffwidman in dependabot/fetch-metadata#685

Enable noImplicitAny in tsconfig.json by @jeffwidman in dependabot/fetch-metadata#684

Upgrade @actions/core to ^3.0.0 by @truggeri in dependabot/fetch-metadata#677

Upgrade @actions/github to ^9.0.0 and @octokit/request-error to ^7.1.0 by @truggeri in dependabot/fetch-metadata#678

Bump qs from 6.14.0 to 6.14.1 by @dependabot[bot] in dependabot/fetch-metadata#651

Bump hono from 4.11.1 to 4.11.4 by @dependabot[bot] in dependabot/fetch-metadata#652

Bump hono from 4.11.4 to 4.11.7 by @dependabot[bot] in dependabot/fetch-metadata#653

Bump hono from 4.11.7 to 4.12.0 by @dependabot[bot] in dependabot/fetch-metadata#657

Bump qs from 6.14.1 to 6.14.2 by @dependabot[bot] in dependabot/fetch-metadata#655

Bump @modelcontextprotocol/sdk from 1.25.1 to 1.26.0 by @dependabot[bot] in dependabot/fetch-metadata#654

Bump @hono/node-server from 1.19.9 to 1.19.10 by @dependabot[bot] in dependabot/fetch-metadata#665

Bump hono from 4.12.2 to 4.12.5 by @dependabot[bot] in dependabot/fetch-metadata#664

Bump minimatch from 3.1.2 to 3.1.5 by @dependabot[bot] in dependabot/fetch-metadata#667

Bump hono from 4.12.5 to 4.12.7 by @dependabot[bot] in dependabot/fetch-metadata#668

Bump actions/create-github-app-token from 2.2.1 to 3.0.0 by @dependabot[bot] in dependabot/fetch-metadata#669

Bump flatted from 3.3.3 to 3.4.2 by @dependabot[bot] in dependabot/fetch-metadata#670

build(deps-dev): bump picomatch from 2.3.1 to 2.3.2 by @dependabot[bot] in dependabot/fetch-metadata#674

New Contributors

@ppkarwasz made their first contribution in dependabot/fetch-metadata#632

@truggeri made their first contribution in dependabot/fetch-metadata#649

@sue445 made their first contribution in dependabot/fetch-metadata#656

@sturman made their first contribution in dependabot/fetch-metadata#671

Full Changelog: dependabot/fetch-metadata@v2...v3.0.0

Commits

ffa630c v3.0.0 (#686)
ec8fff2 Merge pull request #674 from dependabot/dependabot/npm_and_yarn/picomatch-2.3.2
caf48bd build(deps-dev): bump picomatch from 2.3.1 to 2.3.2
13d8274 Upgrade @actions/github to ^9.0.0 and @octokit/request-error to ^7.1.0 (#678)
b603099 Upgrade @actions/core from ^1.11.1 to ^3.0.0 (#677)
c5dc5b1 Enable noImplicitAny in tsconfig.json (#684)
a183f3c Add typecheck step to CI (#685)
5e17564 Remove skipLibCheck from tsconfig.json (#683)
bb56eeb Switch tsconfig module resolution to bundler (#682)
3632e3d Remove vestigial outDir from tsconfig.json (#681)
Additional commits viewable in compare view

Updates actions/configure-pages from 5.0.0 to 6.0.0

Release notes

Sourced from actions/configure-pages's releases.

v6.0.0

Changelog

upgrade to node 24 @salmanmkc (#186)

Upgrade IA Publish @Jcambass (#165)

Add workflow file for publishing releases to immutable action package @Jcambass (#163)

pin draft release version @YiMysty (#162)

Bump espree from 9.6.1 to 10.1.0 @dependabot (#160)

Bump eslint-config-prettier from 8.8.0 to 9.1.0 @dependabot (#143)

Be more friendly to Dependabot @yoannchaudet (#158)

Bump eslint-plugin-github from 4.10.2 to 5.0.1 @dependabot (#154)

Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group @dependabot (#156)

Bump undici from 5.28.3 to 5.28.4 @dependabot (#145)

See details of all code changes since previous release.

Commits

45bfe01 Merge pull request #186 from salmanmkc/node24
d8770c2 Update Node version from 20 to 24 in action.yml
cb8a1a3 upgrade to node 24
d560657 Merge pull request #165 from actions/Jcambass-patch-1
35e0ac4 Upgrade IA Publish
1dfbcbf Merge pull request #163 from actions/Jcambass-patch-1
2f4f988 Add workflow file for publishing releases to immutable action package
0d7570c Merge pull request #162 from actions/pin-draft-release-verssion
3ea1966 pin draft release version
aabcbc4 Merge pull request #160 from actions/dependabot/npm_and_yarn/espree-10.1.0
Additional commits viewable in compare view

Updates actions/deploy-pages from 4.0.5 to 5.0.0

Release notes

Sourced from actions/deploy-pages's releases.

v5.0.0

Changelog

Update Node.js version to 24.x @salmanmkc (#404)

Add workflow file for publishing releases to immutable action package @Jcambass (#374)

Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group across 1 directory @dependabot (#360)

Make the rebuild dist workflow work nicer with Dependabot @yoannchaudet (#361)

Bump the non-breaking-changes group across 1 directory with 3 updates @dependabot (#358)

Delete repeated sentence @garethsb (#359)

Update README.md @tsusdere (#348)

Bump the non-breaking-changes group with 4 updates @dependabot (#341)

Remove error message for file permissions @TooManyBees (#340)

See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

Commits

cd2ce8f Merge pull request #404 from salmanmkc/node24
bbe2a95 Update Node.js version to 24.x
854d7aa Merge pull request #374 from actions/Jcambass-patch-1
306bb81 Add workflow file for publishing releases to immutable action package
b742728 Merge pull request #360 from actions/dependabot/npm_and_yarn/npm_and_yarn-513...
7273294 Bump braces in the npm_and_yarn group across 1 directory
963791f Merge pull request #361 from actions/dependabot-friendly
51bb29d Make the rebuild dist workflow safer for Dependabot
89f3d10 Merge pull request #358 from actions/dependabot/npm_and_yarn/non-breaking-cha...
bce7355 Merge branch 'main' into dependabot/npm_and_yarn/non-breaking-changes-99c12deb21
Additional commits viewable in compare view

Updates actions/setup-go from 5.6.0 to 6.4.0

Release notes

Sourced from actions/setup-go's releases.

v6.4.0

What's Changed

Enhancement

Add go-download-base-url input for custom Go distributions by @gdams in actions/setup-go#721

Dependency update

Upgrade minimatch from 3.1.2 to 3.1.5 by @dependabot in actions/setup-go#727

Documentation update

Rearrange README.md, add advanced-usage.md by @priyagupta108 in actions/setup-go#724

Fix Microsoft build of Go link by @gdams in actions/setup-go#734

New Contributors

@gdams made their first contribution in actions/setup-go#721

Full Changelog: actions/setup-go@v6...v6.4.0

v6.3.0

What's Changed

Update default Go module caching to use go.mod by @priyagupta108 in actions/setup-go#705

Fix golang download url to go.dev by @178inaba in actions/setup-go#469

Full Changelog: actions/setup-go@v6...v6.3.0

v6.2.0

What's Changed

Enhancements

Example for restore-only cache in documentation by @aparnajyothi-y in actions/setup-go#696

Update Node.js version in action.yml by @ccoVeille in actions/setup-go#691

Documentation update of actions/checkout by @deining in actions/setup-go#683

Dependency updates

Upgrade js-yaml from 3.14.1 to 3.14.2 by @dependabot in actions/setup-go#682

Upgrade @actions/cache to v5 by @salmanmkc in actions/setup-go#695

Upgrade actions/checkout from 5 to 6 by @dependabot in actions/setup-go#686

Upgrade qs from 6.14.0 to 6.14.1 by @dependabot in actions/setup-go#703

New Contributors

@ccoVeille made their first contribution in actions/setup-go#691

@deining made their first contribution in actions/setup-go#683

Full Changelog: actions/setup-go@v6...v6.2.0

v6.1.0

What's Changed

Enhancements

Fall back to downloading from go.dev/dl instead of storage.googleapis.com/golang by @nicholasngai in actions/setup-go#665

Add support for .tool-versions file and update workflow by @priya-kinthali in actions/setup-go#673

Add comprehensive breaking changes documentation for v6 by @mahabaleshwars in actions/setup-go#674

... (truncated)

Commits

4a36011 docs: fix Microsoft build of Go link (#734)
8f19afc feat: add go-download-base-url input for custom Go distributions (#721)
27fdb26 Bump minimatch from 3.1.2 to 3.1.5 (#727)
def8c39 Rearrange README.md, add advanced-usage.md (#724)
4b73464 Fix golang download url to go.dev (#469)
a5f9b05 Update default Go module caching to use go.mod (#705)
7a3fe6c Bump qs from 6.14.0 to 6.14.1 (#703)
b9adafd Bump actions/checkout from 5 to 6 (#686)
d73f6bc README.md: correct to actions/checkout@v6 (#683)
ae252ee Bump @actions/cache to v5 (#695)
Additional commits viewable in compare view

github-actions · 2026-03-30T03:32:41Z

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 300ca68.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package

Version

Score

Details

actions/dependabot/fetch-metadata

ffa630c65fa7e0ecfa0625b5ceda64399aea1b36

🟢 6.9

Details

Check	Score	Reason
Maintained	🟢 10	24 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
Binary-Artifacts	🟢 10	no binaries found in the repo
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	🟢 3	dependency not pinned by hash detected -- score normalized to 3
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 5	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
SAST	🟢 9	SAST tool is not run on all commits -- score normalized to 9

actions/actions/setup-go

4a3601121dd01d1626a1e23e37211e3254c1c06c

🟢 6.1

Details

Check	Score	Reason
Maintained	🟢 10	12 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Security-Policy	🟢 9	security policy file detected
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	🟢 9	SAST tool is not run on all commits -- score normalized to 9

actions/codecov/codecov-action

57e3a136b779b570ffcdbf80b3bdc90e7fab3de2

🟢 7.2

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 5	6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Binary-Artifacts	🟢 10	no binaries found in the repo
Dependency-Update-Tool	🟢 10	update tool detected
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 2	dependency not pinned by hash detected -- score normalized to 2
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Vulnerabilities	🟢 10	0 existing vulnerabilities detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
License	🟢 10	license file detected
Security-Policy	🟢 10	security policy file detected
Fuzzing	⚠️ 0	project is not fuzzed
SAST	🟢 9	SAST tool detected but not run on all commits
CI-Tests	🟢 9	29 out of 30 merged PRs checked by a CI test -- score normalized to 9
Contributors	🟢 10	project has 13 contributing companies or organizations

actions/github/codeql-action/upload-sarif

c10b8064de6f491fea524254123dbe5e09572f13

Unknown

actions/astral-sh/setup-uv

cec208311dfd045dd5311c1add060b2062131d57

Unknown

Scanned Files

.github/workflows/dependabot-security-prefix.yml
.github/workflows/go-tests.yml
.github/workflows/scorecard.yml
.github/workflows/validate-config-schema.yml

codecov-commenter · 2026-03-30T03:33:35Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.58%. Comparing base (aeae624) to head (ecdf952).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #370   +/-   ##
=======================================
  Coverage   43.58%   43.58%           
=======================================
  Files         242      242           
  Lines       14840    14840           
  Branches     1903     1855   -48     
=======================================
  Hits         6468     6468           
  Misses       8082     8082           
  Partials      290      290

Flag	Coverage Δ	*Carryforward flag
pester	`79.87% <ø> (ø)`
pytest	`6.89% <ø> (ø)`	Carriedforward from aeae624
pytest-dataviewer	`61.98% <ø> (ø)`
vitest	`50.72% <ø> (ø)`

*This pull request uses carry forward flags. Click here to find out more.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

katriendg · 2026-03-31T05:53:09Z

@dependabot rebase

Bumps the github-actions group with 7 updates: | Package | From | To | | --- | --- | --- | | [github/codeql-action](https://github.com/github/codeql-action) | `4.34.1` | `4.35.1` | | [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `7.6.0` | `8.0.0` | | [codecov/codecov-action](https://github.com/codecov/codecov-action) | `5.5.3` | `6.0.0` | | [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) | `2.5.0` | `3.0.0` | | [actions/configure-pages](https://github.com/actions/configure-pages) | `5.0.0` | `6.0.0` | | [actions/deploy-pages](https://github.com/actions/deploy-pages) | `4.0.5` | `5.0.0` | | [actions/setup-go](https://github.com/actions/setup-go) | `5.6.0` | `6.4.0` | Updates `github/codeql-action` from 4.34.1 to 4.35.1 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@3869755...c10b806) Updates `astral-sh/setup-uv` from 7.6.0 to 8.0.0 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@37802ad...cec2083) Updates `codecov/codecov-action` from 5.5.3 to 6.0.0 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@1af5884...57e3a13) Updates `dependabot/fetch-metadata` from 2.5.0 to 3.0.0 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@21025c7...ffa630c) Updates `actions/configure-pages` from 5.0.0 to 6.0.0 - [Release notes](https://github.com/actions/configure-pages/releases) - [Commits](actions/configure-pages@983d773...45bfe01) Updates `actions/deploy-pages` from 4.0.5 to 5.0.0 - [Release notes](https://github.com/actions/deploy-pages/releases) - [Commits](actions/deploy-pages@d6db901...cd2ce8f) Updates `actions/setup-go` from 5.6.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@40f1582...4a36011) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: astral-sh/setup-uv dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: codecov/codecov-action dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: dependabot/fetch-metadata dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/configure-pages dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/deploy-pages dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/setup-go dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>

🤖 I have created a release *beep* *boop* --- ## [0.6.0](v0.5.0...v0.6.0) (2026-04-08) ### ✨ Features * **build:** add terraform-docs generation pipeline ([#378](#378)) ([78e90d0](78e90d0)) * **infrastructure:** enable optional AML diagnostic logs ([#400](#400)) ([58dd8db](58dd8db)) * **scripts:** consolidate scripts library paths and enhance dataviewer ([#383](#383)) ([176d9c9](176d9c9)) ### 🐛 Bug Fixes * **build:** remediate CVEs, enforce equality pinning, repair Dependabot config ([#391](#391)) ([0c29148](0c29148)) * **infrastructure:** add Storage File Data Privileged Contributor role for ML identity ([#380](#380)) ([378f7ed](378f7ed)) * **infrastructure:** replace hardcoded NAT Gateway availability zones with variable ([#356](#356)) ([a1397bd](a1397bd)) * **infrastructure:** resolve TFLint violations and enable hard-fail ([#376](#376)) ([dfb55cd](dfb55cd)) * **scripts:** add dot-source guard to Invoke-MsDateFreshnessCheck.ps1 ([#397](#397)) ([f6f22c3](f6f22c3)) * **training:** validate AzureML and OSMO RL submissions end to end ([#372](#372)) ([49904d3](49904d3)) ### 📚 Documentation * **infrastructure:** add terraform-docs tooling and improve developer experience ([#365](#365)) ([a0fb03a](a0fb03a)) * **reference:** centralize workflow template docs and convert workflow READMEs to pointer index ([#379](#379)) ([68097e4](68097e4)) ### 🔧 Miscellaneous * **deps-dev:** bump the npm_and_yarn group across 1 directory with 2 updates ([#374](#374)) ([d848c8b](d848c8b)) * **deps-dev:** bump vite from 6.4.1 to 6.4.2 in /data-management/viewer/frontend in the npm_and_yarn group across 1 directory ([#395](#395)) ([6ec7f19](6ec7f19)) * **deps:** bump the github-actions group across 1 directory with 7 updates ([#370](#370)) ([4d1b951](4d1b951)) * **deps:** bump the uv group across 2 directories with 1 update ([#373](#373)) ([ba66ed9](ba66ed9)) ### 🔒 Security * **deps-dev:** bump brace-expansion from 1.1.12 to 1.1.13 in /docs/docusaurus in the npm_and_yarn group across 1 directory ([#389](#389)) ([27129d9](27129d9)) * **deps-dev:** bump the npm_and_yarn group across 2 directories with 2 updates ([#363](#363)) ([aeae624](aeae624)) * **deps-dev:** bump the python-dependencies group with 5 updates ([#403](#403)) ([bb85560](bb85560)) * **deps:** bump cryptography from 46.0.5 to 46.0.6 in /training/rl ([#367](#367)) ([a82dd68](a82dd68)) * **deps:** bump the inference-dependencies group in /evaluation with 2 updates ([#401](#401)) ([c88d253](c88d253)) * **deps:** bump the pip group across 4 directories with 2 updates ([#411](#411)) ([1230fe0](1230fe0)) * **deps:** bump the training-dependencies group across 1 directory with 67 updates ([#375](#375)) ([8e05172](8e05172)) * **deps:** bump the uv group across 2 directories with 1 update ([#382](#382)) ([b6c7aea](b6c7aea)) * **deps:** update marshmallow requirement from <4.3.0,>=3.5 to >=3.5,<4.4.0 in /evaluation in the inference-dependencies group ([#393](#393)) ([599c7eb](599c7eb)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: physical-ai-toolchain-release[bot] <267194360+physical-ai-toolchain-release[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

dependabot Bot added dependencies Dependency version updates github-actions labels Mar 30, 2026

dependabot Bot requested a review from a team as a code owner March 30, 2026 03:32

dependabot Bot added dependencies Dependency version updates github-actions labels Mar 30, 2026

github-actions Bot changed the title ~~chore(deps): bump the github-actions group with 7 updates~~ security(deps): bump the github-actions group with 7 updates Mar 30, 2026

katriendg approved these changes Mar 30, 2026

View reviewed changes

dependabot Bot changed the title ~~security(deps): bump the github-actions group with 7 updates~~ chore(deps): bump the github-actions group across 1 directory with 7 updates Mar 31, 2026

dependabot Bot force-pushed the dependabot/github_actions/github-actions-d34d1c203b branch from ecdf952 to 300ca68 Compare March 31, 2026 05:59

katriendg merged commit 4d1b951 into main Mar 31, 2026
29 checks passed

katriendg deleted the dependabot/github_actions/github-actions-d34d1c203b branch March 31, 2026 07:10

physical-ai-toolchain-release Bot mentioned this pull request Mar 31, 2026

chore(main): release 0.6.0 #364

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the github-actions group across 1 directory with 7 updates#370

chore(deps): bump the github-actions group across 1 directory with 7 updates#370
katriendg merged 1 commit into
mainfrom
dependabot/github_actions/github-actions-d34d1c203b

dependabot Bot commented on behalf of github Mar 30, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Mar 30, 2026 •

edited

Loading

Uh oh!

codecov-commenter commented Mar 30, 2026 •

edited

Loading

Uh oh!

katriendg commented Mar 31, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

dependabot Bot commented on behalf of github Mar 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v4.35.1

v4.35.0

CodeQL Action Changelog

[UNRELEASED]

4.35.1 - 27 Mar 2026

4.35.0 - 27 Mar 2026

4.34.1 - 20 Mar 2026

4.34.0 - 20 Mar 2026

4.33.0 - 16 Mar 2026

4.32.6 - 05 Mar 2026

4.32.5 - 02 Mar 2026

v8.0.0 🌈 Immutable releases and secure tags

This is the first immutable release of setup-uv 🥳

New format for manifest-file

No more major and minor tags

🚨 Breaking changes

🧰 Maintenance

v6.0.0

⚠️ This version introduces support for node24 which make cause breaking changes for systems that do not currently support node24. ⚠️

What's Changed

v5.5.4

What's Changed

v5.5.2

What's Changed

v5.5.1

What's Changed

v5.5.0

What's Changed

v5.4.3

What's Changed

v5.4.2

v3.0.0

What's Changed

New Contributors

v6.0.0

Changelog

v5.0.0

Changelog

v6.4.0

What's Changed

Enhancement

Dependency update

Documentation update

New Contributors

v6.3.0

What's Changed

v6.2.0

What's Changed

Enhancements

Dependency updates

New Contributors

v6.1.0

What's Changed

Enhancements

Uh oh!

github-actions Bot commented Mar 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Dependency Review

Snapshot Warnings

OpenSSF Scorecard

Scanned Files

Uh oh!

codecov-commenter commented Mar 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

katriendg commented Mar 31, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

dependabot Bot commented on behalf of github Mar 30, 2026 •

edited

Loading

This is the first immutable release of `setup-uv` 🥳

New format for `manifest-file`

github-actions Bot commented Mar 30, 2026 •

edited

Loading

codecov-commenter commented Mar 30, 2026 •

edited

Loading