chore(deps): bump the actions group with 16 updates

[dependabot]

Bumps the actions group with 16 updates:

Package	From	To
actions/checkout	4.1.1	6.0.2
haskell-actions/setup	2.7.5	2.11.0
actions/cache	4.3.0	5.0.5
actions/configure-pages	5.0.0	6.0.0
actions/upload-pages-artifact	3.0.1	5.0.0
actions/deploy-pages	4.0.5	5.0.0
denoland/setup-deno	1.0.0	2.0.4
cachix/install-nix-action	24	31
peaceiris/actions-gh-pages	3.9.3	4.1.0
slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml	1.9.0	2.1.0
aquasecurity/trivy-action	0.35.0	0.36.0
codecov/codecov-action	3.1.6	6.0.1
actions/github-script	8.0.0	9.0.0
peter-evans/repository-dispatch	3.0.0	4.0.1
webfactory/ssh-agent	0.9.0	0.10.0
trufflesecurity/trufflehog	3.93.8	3.95.3

Updates actions/checkout from 4.1.1 to 6.0.2

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

• Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set by @​TingluoHuang in actions/checkout#2355
• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

• Update all references from v5 and v4 to v6 by @​ericsciple in actions/checkout#2314
• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327
• Clarify v6 README by @​ericsciple in actions/checkout#2328

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

... (truncated)

Commits

• de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
• 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• 08c6903 Prepare v5.0.0 release (#2238)
• Additional commits viewable in compare view

Updates haskell-actions/setup from 2.7.5 to 2.11.0

Release notes

Sourced from haskell-actions/setup's releases.

v2.11.0

GHC: try ghcup first, choco only as fallback

What's Changed

• Add GHC 9.12.4 and Stack 3.9.3 by @​andreasabel in haskell-actions/setup#142
• Bump softprops/action-gh-release from 2 to 3 by @​dependabot[bot] in haskell-actions/setup#143
• GHC: try ghcup first, choco only as fallback by @​andreasabel in haskell-actions/setup#144

Full Changelog: haskell-actions/setup@v2.10.3...v2.11.0

v2.10.4

Add GHC 9.12.4 and Stack 3.9.3

What's Changed

• Add GHC 9.12.4 and Stack 3.9.3 by @​andreasabel in haskell-actions/setup#142

Full Changelog: haskell-actions/setup@v2.10.3...v2.10.4

v2.10.3

Add Stack 3.9.1

What's Changed

• Add Stack 3.9.1 by @​andreasabel in haskell-actions/setup#138

Full Changelog: haskell-actions/setup@v2.10.2...v2.10.3

v2.10.2

Remove GHCup vanilla channel from defaults

What's Changed

• Remove GHCup vanilla channel from defaults by @​andreasabel in haskell-actions/setup#137

Full Changelog: haskell-actions/setup@v2.10.1...v2.10.2

... (truncated)

Commits

• cd0d9bd GHC: try ghcup first, choco only as fallback
• 4568e64 Bump softprops/action-gh-release from 2 to 3
• de26526 Add GHC 9.12.4 and Stack 3.9.3
• f9150cb Add Stack 3.9.1
• dc63c94 Remove GHCup vanilla channel from defaults
• 7786314 await addGhcupReleaseChannel
• 5757174 Move all ghcup-add-channel commands into same group
• ca45ec3 Remove broken GHC 9.12.3
• eb29c23 Use GHCup vanilla and prereleases channels by default
• 243ff44 Add GHCs 9.14.1 and 9.12.3 and Cabal 3.16.1.0
• Additional commits viewable in compare view

Updates actions/cache from 4.3.0 to 5.0.5

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in actions/cache#1747

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

What's Changed

• Add release instructions and update maintainer docs by @​Link- in actions/cache#1696
• Potential fix for code scanning alert no. 52: Workflow does not contain permissions by @​Link- in actions/cache#1697
• Fix workflow permissions and cleanup workflow names / formatting by @​Link- in actions/cache#1699
• docs: Update examples to use the latest version by @​XZTDean in actions/cache#1690
• Fix proxy integration tests by @​Link- in actions/cache#1701
• Fix cache key in examples.md for bun.lock by @​RyPeck in actions/cache#1722
• Update dependencies & patch security vulnerabilities by @​Link- in actions/cache#1738

New Contributors

• @​XZTDean made their first contribution in actions/cache#1690
• @​RyPeck made their first contribution in actions/cache#1722

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v.5.0.2

v5.0.2

What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

v5.0.1

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

---

v5.0.1

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

• 27d5ce7 Merge pull request #1747 from actions/yacaovsnc/update-dependency
• f280785 licensed changes
• 619aeb1 npm run build generated dist files
• bcf16c2 Update ts-http-runtime to 0.3.5
• 6682284 Merge pull request #1738 from actions/prepare-v5.0.4
• e340396 Update RELEASES
• 8a67110 Add licenses
• 1865903 Update dependencies & patch security vulnerabilities
• 5656298 Merge pull request #1722 from RyPeck/patch-1
• 4e380d1 Fix cache key in examples.md for bun.lock
• Additional commits viewable in compare view

Updates actions/configure-pages from 5.0.0 to 6.0.0

Release notes

Sourced from actions/configure-pages's releases.

v6.0.0

Changelog

• upgrade to node 24 @​salmanmkc (#186)
• Upgrade IA Publish @​Jcambass (#165)
• Add workflow file for publishing releases to immutable action package @​Jcambass (#163)
• pin draft release version @​YiMysty (#162)
• Bump espree from 9.6.1 to 10.1.0 @​dependabot (#160)
• Bump eslint-config-prettier from 8.8.0 to 9.1.0 @​dependabot (#143)
• Be more friendly to Dependabot @​yoannchaudet (#158)
• Bump eslint-plugin-github from 4.10.2 to 5.0.1 @​dependabot (#154)
• Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group @​dependabot (#156)
• Bump undici from 5.28.3 to 5.28.4 @​dependabot (#145)

See details of all code changes since previous release.

Commits

• 45bfe01 Merge pull request #186 from salmanmkc/node24
• d8770c2 Update Node version from 20 to 24 in action.yml
• cb8a1a3 upgrade to node 24
• d560657 Merge pull request #165 from actions/Jcambass-patch-1
• 35e0ac4 Upgrade IA Publish
• 1dfbcbf Merge pull request #163 from actions/Jcambass-patch-1
• 2f4f988 Add workflow file for publishing releases to immutable action package
• 0d7570c Merge pull request #162 from actions/pin-draft-release-verssion
• 3ea1966 pin draft release version
• aabcbc4 Merge pull request #160 from actions/dependabot/npm_and_yarn/espree-10.1.0
• Additional commits viewable in compare view

Updates actions/upload-pages-artifact from 3.0.1 to 5.0.0

Release notes

Sourced from actions/upload-pages-artifact's releases.

v5.0.0

Changelog

• Update upload-artifact action to version 7 @​Tom-van-Woudenberg (#139)
• feat: add include-hidden-files input @​jonchurch (#137)

See details of all code changes since previous release.

v4.0.0

What's Changed

• Potentially breaking change: hidden files (specifically dotfiles) will not be included in the artifact by @​tsusdere in actions/upload-pages-artifact#102 If you need to include dotfiles in your artifact: instead of using this action, create your own artifact according to these requirements https://github.com/actions/upload-pages-artifact?tab=readme-ov-file#artifact-validation
• Pin actions/upload-artifact to SHA by @​heavymachinery in actions/upload-pages-artifact#127

Full Changelog: actions/upload-pages-artifact@v3.0.1...v4.0.0

Commits

• fc324d3 Merge pull request #139 from Tom-van-Woudenberg/patch-1
• fe9d4b7 Merge branch 'main' into patch-1
• 0ca1617 Merge pull request #137 from jonchurch/include-hidden-files
• 57f0e84 Update action.yml
• 4a90348 v7 --> hash
• 56f665a Update upload-artifact action to version 7
• f7615f5 Add include-hidden-files input
• 7b1f4a7 Merge pull request #127 from heavymachinery/pin-sha
• 4cc19c7 Pin actions/upload-artifact to SHA
• 2d163be Merge pull request #107 from KittyChiu/main
• Additional commits viewable in compare view

Updates actions/deploy-pages from 4.0.5 to 5.0.0

Release notes

Sourced from actions/deploy-pages's releases.

v5.0.0

Changelog

• Update Node.js version to 24.x @​salmanmkc (#404)
• Add workflow file for publishing releases to immutable action package @​Jcambass (#374)
• Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group across 1 directory @​dependabot (#360)
• Make the rebuild dist workflow work nicer with Dependabot @​yoannchaudet (#361)
• Bump the non-breaking-changes group across 1 directory with 3 updates @​dependabot (#358)
• Delete repeated sentence @​garethsb (#359)
• Update README.md @​tsusdere (#348)
• Bump the non-breaking-changes group with 4 updates @​dependabot (#341)
• Remove error message for file permissions @​TooManyBees (#340)

---

See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

Commits

• cd2ce8f Merge pull request #404 from salmanmkc/node24
• bbe2a95 Update Node.js version to 24.x
• 854d7aa Merge pull request #374 from actions/Jcambass-patch-1
• 306bb81 Add workflow file for publishing releases to immutable action package
• b742728 Merge pull request #360 from actions/dependabot/npm_and_yarn/npm_and_yarn-513...
• 7273294 Bump braces in the npm_and_yarn group across 1 directory
• 963791f Merge pull request #361 from actions/dependabot-friendly
• 51bb29d Make the rebuild dist workflow safer for Dependabot
• 89f3d10 Merge pull request #358 from actions/dependabot/npm_and_yarn/non-breaking-cha...
• bce7355 Merge branch 'main' into dependabot/npm_and_yarn/non-breaking-changes-99c12deb21
• Additional commits viewable in compare view

Updates denoland/setup-deno from 1.0.0 to 2.0.4

Release notes

Sourced from denoland/setup-deno's releases.

v2.0.4

Full Changelog: denoland/setup-deno@v2.0.3...v2.0.4

v2.0.3

Full Changelog: denoland/setup-deno@v2.0.2...v2.0.3

v2.0.2

What's Changed

• feat: add problem matchers for deno lint by @​r7kamura in denoland/setup-deno#62
• refactor: use GitHub downloads for stable version download by @​crowlKats in denoland/setup-deno#91

Full Changelog: denoland/setup-deno@v2.0.1...v2.0.2

v2.0.1

What's Changed

• fix: update README and tests by @​crowlKats in denoland/setup-deno#85

Full Changelog: denoland/setup-deno@v2.0.0...v2.0.1

v2.0.0

What's Changed

• feat: v2 by @​lucacasonato in denoland/setup-deno#82

Full Changelog: denoland/setup-deno@v1.5.1...v2.0.0

v1.5.2

What's Changed

• refactor: use GitHub downloads for stable version download by @​crowlKats in denoland/setup-deno#91

Full Changelog: denoland/setup-deno@v1.5.1...v1.5.2

v1.5.1

What's Changed

• fix: use npm install by @​lucacasonato in denoland/setup-deno#77

Full Changelog: denoland/setup-deno@v1.5.0...v1.5.1

v1.5.0

What's Changed

• feat: allow specifying binary name by @​crowlKats in denoland/setup-deno#71
• feat: support installing rc versions by @​crowlKats in denoland/setup-deno#72
• chore: migrate code to ESM by @​lucacasonato in denoland/setup-deno#73

Full Changelog: denoland/setup-deno@v1.4.1...v1.5.0

1.4.1

... (truncated)

Commits

• 667a34c 2.0.3
• 3f17b4e feat: upgrade Node.js runtime from node20 to node24 (#123)
• 06fd750 docs: fix identifier for latest stable release (#115)
• 587bed9 docs: condense Deno version information in one section (#100)
• 2af9d57 docs: add lts as possible release-channel output (#99)
• 0c3e771 Update actions/checkout (#106)
• e95548e 2.0.3 (#102)
• 8273ddd fix: switch back to package.json as it's necessary for GH actions (#101)
• 609c005 feat: include a hash of deno.lock files in the cache key automatically (#98)
• aa0fea1 feat: add built-in caching via inputs (#89)
• Additional commits viewable in compare view

Updates cachix/install-nix-action from 24 to 31

Release notes

Sourced from cachix/install-nix-action's releases.

v31

Starting with v31, this action will use semantic versioning for releases. Major tags, like v31, will be bumped to point to the latest minor/patch release. This is in line with how most GitHub actions manage releases.

What's Changed

• nix: 2.26.3 -> 2.28.2 by @​Mic92 in cachix/install-nix-action#232

• nix: 2.24.9 -> 2.25.2 by @​Mic92 in cachix/install-nix-action#218

• ci: fix latest installer tests by @​sandydoo in cachix/install-nix-action#220

• ci: add ubuntu-24.04-arm to matrix by @​msgilligan in cachix/install-nix-action#221

• nix: 2.25.2 -> 2.26.2 by @​Mic92 in cachix/install-nix-action#226

• nix: 2.26.2 -> 2.26.3 by @​sandydoo in cachix/install-nix-action#228

• feat: Pin actions to hashes by @​l0b0 in cachix/install-nix-action#201

• chore(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @​dependabot in cachix/install-nix-action#234

• docs: document how to provide AWS credentials to the nix-daemon by @​sandydoo in cachix/install-nix-action#235

• nix: 2.28.2 -> 2.28.3 by @​Mic92 in cachix/install-nix-action#236

• nix: 2.28.3 -> 2.29.0 by @​Mic92 in cachix/install-nix-action#239 Release notes: https://nix.dev/manual/nix/latest/release-notes/rl-2.29

• Automate nix updates in CI by @​Mic92 in cachix/install-nix-action#241

• nix: 2.29.0 -> 2.29.1 by @​github-actions in cachix/install-nix-action#243 [SECURITY] https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017

• nix: 2.29.1 -> 2.30.0 by @​github-actions in cachix/install-nix-action#244 Release notes: https://nix.dev/manual/nix/2.30/release-notes/rl-2.30.html

• nix: 2.30.0 -> 2.30.1 by @​xokdvium in cachix/install-nix-action#245 [SECURITY] Builds with Nix 2.30.0 on macOS were executed with elevated privileges (root), instead of the build users. GHSA-qc7j-jgf3-qmhg

• docs: add example for nix develop by @​jennydaman in cachix/install-nix-action#248

• nix: 2.30.2 -> 2.31.0 by @​github-actions[bot] in cachix/install-nix-action#250 Release notes: https://discourse.nixos.org/t/nix-2-31-0-released/68465

• nix: 2.31.0 -> 2.31.1 by @​github-actions[bot] in cachix/install-nix-action#253

• nix: 2.31.1 -> 2.31.2 by @​github-actions[bot] in cachix/install-nix-action#256

• feat: set up the environment based on the installer shell scripts by @​sandydoo in cachix/install-nix-action#251 Adds the bin directory from the user's profile to $PATH. Configures the following environment variables:

  • NIX_PROFILES
  • NIX_SSL_CERT_FILE (if not set)

• nix: 2.31.2 -> 2.32.0 by @​github-actions[bot] in cachix/install-nix-action#257 Release notes: https://discourse.nixos.org/t/nix-2-32-0-released/70528

• nix: 2.32.0 -> 2.32.1 by @​github-actions[bot] in cachix/install-nix-action#258

• nix: 2.32.1 -> 2.32.2 by @​github-actions[bot] in cachix/install-nix-action#259

• nix: 2.32.2 -> 2.32.3 by @​github-actions[bot] in cachix/install-nix-action#260

• nix: 2.32.3 -> 2.32.4 by @​github-actions[bot] in cachix/install-nix-action#261

• nix: 2.32.4 -> 2.33.0 by @​github-actions[bot] in cachix/install-nix-action#264

• nix: 2.33.0 -> 2.33.3 by @​github-actions[bot] in cachix/install-nix-action#266

• nix: 2.33.3 -> 2.34.0 by @​github-actions[bot] in cachix/install-nix-action#267 Release notes: https://discourse.nixos.org/t/nix-2-34-0-released/75818 Rolled back due to reports of issues with cachix-action

• nix: 2.34.0 -> 2.34.1 by @​github-actions[bot] in cachix/install-nix-action#269 Fixes a bug introduced in 2.34.0 that made the Nix daemon fail to load authentication keys configured by cachix-action.

• nix: 2.34.1 -> 2.34.2 by @​github-actions[bot] in cachix/install-nix-action#270

• nix: 2.34.2 -> 2.34.4 by @​github-actions[bot] in cachix/install-nix-action#271

... (truncated)

Changelog

Sourced from cachix/install-nix-action's changelog.

Release

As of v31, releases of this action follow Semantic Versioning.

Publishing a new release

Publish the release

Draft a new release on GitHub:

• In Choose a tag, create a new tag, like v31.2.1, following semver.
• Click Generate release notes.
• Set as the latest release should be selected automatically.
• Publish release

Update the major tag

The major tag, like v31, allows downstream users to opt-in to automatic non-breaking updates.

This process follows GitHub's own guidelines: https://github.com/actions/toolkit/blob/main/docs/action-versioning.md

Fetch the latest tags

git pull --tags --force

Move the tag

git tag -fa v31

git push origin v31 --force

Update the release notes for the major tag

Find the release on GitHub: https://github.com/cachix/install-nix-action/releases

Edit the release and click Generate release notes. Edit the formatting and publish.

Commits

• 8aa0397 Merge pull request #275 from cachix/create-pull-request/patch
• 21d0b78 nix: 2.34.6 -> 2.34.7
• ab73962 Merge pull request #274 from cachix/create-pull-request/patch
• 41e4d4a nix: 2.34.5 -> 2.34.6
• 6165592 Merge pull request #273 from cachix/create-pull-request/patch
• b9f700d nix: 2.34.4 -> 2.34.5
• 96951a3 Merge pull request #271 from cachix/create-pull-request/patch
• 6281169 nix: 2.34.2 -> 2.34.4
• 51f3067 Revert "ci: use 25.11 for channel tests"
• 15118c1 ci: use 25.11 for channel tests
• Additional commits viewable in compare view

Updates peaceiris/actions-gh-pages from 3.9.3 to 4.1.0

Release notes

Sourced from peaceiris/actions-gh-pages's releases.

actions-github-pages v4.1.0

See CHANGELOG.md for more details.

What's Changed

• Actions examples: update to modern versions of actions by @​clintonsteiner in peaceiris/actions-gh-pages#1117
• chore: update Node runtime and dependencies by @​peaceiris in peaceiris/actions-gh-pages#1147
• ci: harden GitHub Actions workflows by @​peaceiris in peaceiris/actions-gh-pages#1156

New Contributors

• @​clintonsteiner made their first contribution in peaceiris/actions-gh-pages#1117

Full Changelog: peaceiris/actions-gh-pages@v4.0.0...v4.1.0

actions-github-pages v4.0.0

See CHANGELOG.md for more details.

Changelog

Sourced from peaceiris/actions-gh-pages's changelog.Description has been truncated

[github-actions]

🔍 Hypatia Security Scan

Findings: 36 issues detected

Severity	Count
🔴 Critical	1
🟠 High	22
🟡 Medium	13

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Workflow executes remote script directly (curl/wget piped to shell). Download, verify checksum/signature, then execute.",
    "type": "download_then_run",
    "file": "mirror.yml",
    "action": "verify_download_integrity",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "codeql.yml lists `language: javascript-typescript` but the repo has no source files in any CodeQL-scannable language. The analyze job will exit 'no source files' on every run. Switch the matrix to `actions` (which scans workflow files — every repo has those).",
    "type": "codeql_language_matrix_mismatch",
    "file": "codeql.yml",
    "action": "switch_codeql_matrix_to_actions",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/preference-injector/preference-injector/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 243,
    "reason": "Secret found: Generic API key",
    "type": "secret_detected",
    "file": "/home/runner/work/preference-injector/preference-injector/docs/API.md",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  },
  {
    "reason": "Js.Dict deprecated -- use Dict (26 occurrences)",
    "type": "deprecated_api",
    "file": "/home/runner/work/preference-injector/preference-injector/src/rescript/crdt/GCounter.res",
    "action": "module_replace",
    "rule_module": "migration_rules",
    "severity": "high"
  },
  {
    "reason": "Js.Json deprecated -- use JSON (14 occurrences)",
    "type": "deprecated_api",
    "file": "/home/runner/work/preference-injector/preference-injector/src/rescript/crdt/GCounter.res",
    "action": "module_replace",
    "rule_module": "migration_rules",
    "severity": "medium"
  },
  {
    "reason": "Js.Dict deprecated -- use Dict (23 occurrences)",
    "type": "deprecated_api",
    "file": "/home/runner/work/preference-injector/preference-injector/src/rescript/crdt/LWWMap.res",
    "action": "module_replace",
    "rule_module": "migration_rules",
    "severity": "high"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence