
Bump the actions group across 1 directory with 6 updates #868

Merged: bschwedler merged 2 commits into main from dependabot/github_actions/actions-27f4cf3c22, May 27, 2026

@dependabot dependabot Bot commented on behalf of github May 13, 2026

Bumps the actions group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| slackapi/slack-github-action | 3.0.1 | 3.0.3 |
| peter-evans/create-pull-request | 6.1.0 | 8.1.1 |
| zizmorcore/zizmor-action | 0.5.2 | 0.5.6 |
| actions/create-github-app-token | 3.1.1 | 3.2.0 |
| actions/add-to-project | 1.0.2 | 2.0.0 |
| aws-actions/configure-aws-credentials | 6.1.0 | 6.1.2 |

Updates slackapi/slack-github-action from 3.0.1 to 3.0.3

Release notes

Sourced from slackapi/slack-github-action's releases.

Slack GitHub Action v3.0.3

Patch Changes

  • 66834e4: feat: add instrumentation to address error rates

Slack GitHub Action v3.0.2

Patch Changes

  • 79529d7: fix: resolve url.parse deprecation warning for webhook techniques

Changelog

Sourced from slackapi/slack-github-action's changelog.

slack-github-action

3.0.3

Patch Changes

  • 66834e4: feat: add instrumentation to address error rates

3.0.2

Patch Changes

  • 79529d7: fix: resolve url.parse deprecation warning for webhook techniques

Commits
  • 45a88b9 chore: release
  • 1c0bcf0 chore: release (#606)
  • 66834e4 feat: add instrumentation to address error rates (#600)
  • 0fe0f90 build(deps): bump @​actions/github from 9.0.0 to 9.1.1 (#605)
  • c5e7059 build(deps): bump @​slack/web-api from 7.15.0 to 7.15.1 (#604)
  • 0325526 build(deps-dev): bump @​biomejs/biome from 2.4.10 to 2.4.13 (#601)
  • 900cd3e build(deps-dev): bump @​types/node from 24.12.0 to 24.12.2 (#603)
  • 53fdcff build(deps): bump @​actions/core from 3.0.0 to 3.0.1 (#602)
  • 26856cc build(deps): bump slackapi/slack-github-action from 3.0.1 to 3.0.2 (#596)
  • feba1e2 ci: skip publish step if no release is needed (#599)
  • Additional commits viewable in compare view

Updates peter-evans/create-pull-request from 6.1.0 to 8.1.1

Release notes

Sourced from peter-evans/create-pull-request's releases.

Create Pull Request v8.1.1

What's Changed

Full Changelog: peter-evans/create-pull-request@v8.1.0...v8.1.1

Create Pull Request v8.1.0

What's Changed

New Contributors

Full Changelog: peter-evans/create-pull-request@v8.0.0...v8.1.0

Create Pull Request v8.0.0

What's new in v8

What's Changed

New Contributors

Full Changelog: peter-evans/create-pull-request@v7.0.11...v8.0.0

Create Pull Request v7.0.11

What's Changed

... (truncated)

Commits
  • 5f6978f fix: retry post-creation API calls on 422 eventual consistency errors (#4356)
  • d32e88d build(deps-dev): bump the npm group with 3 updates (#4349)
  • 8170bcc build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 (#4344)
  • 0041819 build(deps): bump picomatch (#4339)
  • b993918 build(deps-dev): bump flatted from 3.3.1 to 3.4.2 (#4334)
  • 36d7c84 build(deps-dev): bump undici from 6.23.0 to 6.24.0 (#4328)
  • a45d1fb build(deps): bump @​tootallnate/once and jest-environment-jsdom (#4323)
  • 3499eb6 build(deps): bump the github-actions group with 2 updates (#4316)
  • 3f3b473 build(deps): bump minimatch (#4311)
  • 6699836 build(deps-dev): bump the npm group with 2 updates (#4305)
  • Additional commits viewable in compare view

Updates zizmorcore/zizmor-action from 0.5.2 to 0.5.6

Release notes

Sourced from zizmorcore/zizmor-action's releases.

v0.5.6

  • 1.25.2 is now available via the action
  • 1.25.2 is now the default version of zizmor used by the action

v0.5.5

This is a no-op release.

v0.5.4

  • 1.25.0 is now available via the action
  • 1.25.0 is now the default version of zizmor used by the action

v0.5.3

What's Changed

  • 1.24.0 and 1.24.1 are now available via the action
  • 1.24.1 is now the default version of zizmor used by the action

Full Changelog: zizmorcore/zizmor-action@v0.5.2...v0.5.3

Commits

Updates actions/create-github-app-token from 3.1.1 to 3.2.0

Release notes

Sourced from actions/create-github-app-token's releases.

v3.2.0

3.2.0 (2026-05-12)

Features

  • add support for enterprise-level GitHub Apps (#263) (952a2a7)
  • support full repository names in repositories input (#372) (85eb8dd)

Bug Fixes

  • deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#364) (43e5c34)
  • validate private-key input (#376) (f24bbd8)

Changelog

Sourced from actions/create-github-app-token's changelog.

Changelog

3.2.0 (2026-05-12)

Features

  • add support for enterprise-level GitHub Apps (#263) (952a2a7)
  • support full repository names in repositories input (#372) (85eb8dd)

Bug Fixes

  • deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#364) (43e5c34)
  • validate private-key input (#376) (f24bbd8)

Commits
  • bcd2ba4 chore(main): release 3.2.0 (#370)
  • f24bbd8 fix: validate private-key input (#376)
  • 363531b docs: capitalize Git as a proper noun in README (#374)
  • fd28011 docs: update procedure to configure Git (#287)
  • 85eb8dd feat: support full repository names in repositories input (#372)
  • c9aabb8 build(deps-dev): bump yaml from 2.8.3 to 2.8.4 in the development-dependencie...
  • e02e816 build(deps-dev): bump undici from 7.24.6 to 8.2.0 (#366)
  • 8d835bf build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 in the development-depend...
  • 952a2a7 feat: add support for enterprise-level GitHub Apps (#263)
  • 43e5c34 fix(deps): bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependenc...
  • Additional commits viewable in compare view

Updates actions/add-to-project from 1.0.2 to 2.0.0

Release notes

Sourced from actions/add-to-project's releases.

v2

What's Changed

... (truncated)

Commits
  • 5afcf98 Merge pull request #712 from salmanmkc/node24
  • ffed68f Merge main and update action runtime to Node 24
  • 27022a1 Merge pull request #777 from actions/dependabot/npm_and_yarn/types/node-25.5.0
  • cc89d2e Merge pull request #778 from actions/dependabot/npm_and_yarn/globals-17.4.0
  • ef8e6ff Merge pull request #779 from actions/dependabot/npm_and_yarn/eslint-plugin-je...
  • eb406b3 Merge pull request #780 from actions/dependabot/npm_and_yarn/handlebars-4.7.9
  • bb8d4d7 Bump handlebars from 4.7.8 to 4.7.9
  • a6fcf8b Bump eslint-plugin-jest from 29.12.1 to 29.15.1
  • b35f5d3 Bump globals from 17.0.0 to 17.4.0
  • 036fea0 Bump @​types/node from 25.0.3 to 25.5.0
  • Additional commits viewable in compare view

Updates aws-actions/configure-aws-credentials from 6.1.0 to 6.1.2

Release notes

Sourced from aws-actions/configure-aws-credentials's releases.

v6.1.2

6.1.2 (2026-05-26)

Bug Fixes

v6.1.1

What's Changed

Full Changelog: aws-actions/configure-aws-credentials@v6...v6.1.1

Changelog

Sourced from aws-actions/configure-aws-credentials's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

6.1.2 (2026-05-26)

Features

Bug Fixes

  • additional filesystem checks (#1799) (c39f282)
  • skip credential check on output-env-credentials: false (#1778) (58e7c47)

6.1.1 (2026-05-05)

Miscellaneous Chores

  • various dependency updates

6.1.0 (2026-04-06)

Features

6.0.0 (2026-02-04)

⚠ BREAKING CHANGES

Features

Bug Fixes

... (truncated)

Commits
  • acca2b1 chore(main): release 6.1.2 (#1761)
  • c329d24 chore: Update dist
  • c39f282 fix: additional filesystem checks (#1799)
  • 8188bee chore(deps-dev): bump @​types/node from 25.6.0 to 25.9.1 (#1795)
  • 477988d chore(deps-dev): bump @​smithy/property-provider from 4.2.14 to 4.3.4 (#1798)
  • 9a5ab5b chore: Update dist
  • baa1fdf chore(deps): bump @​aws-sdk/client-sts from 3.1038.0 to 3.1053.0 (#1793)
  • 4be0a3c chore(deps-dev): bump generate-license-file from 4.1.1 to 4.2.1 (#1794)
  • f85f964 chore: Update dist
  • 6fddd0c chore(deps-dev): bump @​aws-sdk/credential-provider-env (#1791)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 13, 2026
@dependabot dependabot Bot requested review from a team as code owners May 13, 2026 04:45
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions-27f4cf3c22 branch from 7ed2c49 to 4c5e155 Compare May 20, 2026 09:20
Comment thread .github/workflows/issues.yml Fixed
Comment thread .github/workflows/product-release.yml Fixed
Bumps the actions group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) | `3.0.1` | `3.0.3` |
| [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | `6.1.0` | `8.1.1` |
| [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) | `0.5.2` | `0.5.6` |
| [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `3.1.1` | `3.2.0` |
| [actions/add-to-project](https://github.com/actions/add-to-project) | `1.0.2` | `2.0.0` |
| [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) | `6.1.0` | `6.1.2` |



Updates `slackapi/slack-github-action` from 3.0.1 to 3.0.3
- [Release notes](https://github.com/slackapi/slack-github-action/releases)
- [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md)
- [Commits](slackapi/slack-github-action@af78098...45a88b9)

Updates `peter-evans/create-pull-request` from 6.1.0 to 8.1.1
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](peter-evans/create-pull-request@v6.1.0...5f6978f)

Updates `zizmorcore/zizmor-action` from 0.5.2 to 0.5.6
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](zizmorcore/zizmor-action@71321a2...5f14fd0)

Updates `actions/create-github-app-token` from 3.1.1 to 3.2.0
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Changelog](https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md)
- [Commits](actions/create-github-app-token@1b10c78...bcd2ba4)

Updates `actions/add-to-project` from 1.0.2 to 2.0.0
- [Release notes](https://github.com/actions/add-to-project/releases)
- [Commits](actions/add-to-project@244f685...5afcf98)

Updates `aws-actions/configure-aws-credentials` from 6.1.0 to 6.1.2
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases)
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md)
- [Commits](aws-actions/configure-aws-credentials@ec61189...acca2b1)

---
updated-dependencies:
- dependency-name: actions/add-to-project
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/create-github-app-token
  dependency-version: 3.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: aws-actions/configure-aws-credentials
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: peter-evans/create-pull-request
  dependency-version: 8.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: slackapi/slack-github-action
  dependency-version: 3.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions-27f4cf3c22 branch from 4c5e155 to d34ecae Compare May 27, 2026 14:18
`actions/create-github-app-token` was being called without
`permission-*` inputs, so the installation token inherited every
permission granted to the Posit Platform app. zizmor's github-app
audit flagged both call sites as "dangerous use of GitHub App
tokens: app token inherits blanket installation permissions".

- issues.yml: limit to `organization-projects: write` — the only
  permission `actions/add-to-project` needs against the target
  org-level project (it reads the issue/PR node_id from the
  webhook payload, not the API).
- product-release.yml: limit to `contents: write` (for the push
  by `peter-evans/create-pull-request`) and `pull-requests:
  write` (to open the PR). The workflow does not touch workflow
  files, so `workflows: write` is not needed.
@bschwedler bschwedler merged commit 3c53a8f into main May 27, 2026
8 checks passed
@bschwedler bschwedler deleted the dependabot/github_actions/actions-27f4cf3c22 branch May 27, 2026 14:53
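
The second commit message above describes what zizmor's github-app audit flagged: an `actions/create-github-app-token` step with no `permission-*` inputs. A simplified, line-based version of that check follows as an added example; it is not zizmor's implementation or code from this repository, and the sample workflow, `vars.APP_ID`, `secrets.APP_PRIVATE_KEY` and the function name are constructed for illustration.

```python
import re

# Constructed sample workflow (not taken from the repository in this PR).
SAMPLE_WORKFLOW = """\
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Unscoped token
        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - name: Scoped token
        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          permission-organization-projects: write
"""

USES_RE = re.compile(r"uses:\s*['\"]?actions/create-github-app-token@")
PERMISSION_RE = re.compile(r"permission-[a-z-]+\s*:")


def find_unscoped_app_tokens(workflow_text):
    """Return line numbers of create-github-app-token steps with no permission-* input."""
    steps = []   # one dict per YAML list item seen
    step = None  # the list item currently being read
    for lineno, raw in enumerate(workflow_text.splitlines(), start=1):
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        is_item = text.startswith("- ")
        # A dedent or a sibling list item ends the current step.
        if step and (indent < step["indent"] or (is_item and indent == step["indent"])):
            step = None
        if step is None and is_item:
            step = {"indent": indent, "uses_line": None, "scoped": False}
            steps.append(step)
        if step:
            body = text[2:].lstrip() if is_item else text
            if USES_RE.match(body):
                step["uses_line"] = lineno
            elif PERMISSION_RE.match(body):
                step["scoped"] = True
    return [s["uses_line"] for s in steps if s["uses_line"] and not s["scoped"]]
```

The scan is an indentation heuristic, not a YAML parser, and it counts any `permission-*` key inside the step as scoping; it shows what the audit looks for rather than replacing zizmor.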