ci: bump the actions-updates group with 3 updates by dependabot[bot] · Pull Request #219 · tis24dev/proxsave

dependabot · 2026-05-25T03:34:21Z

Bumps the actions-updates group with 3 updates: codecov/codecov-action, goreleaser/goreleaser-action and github/codeql-action.

Updates codecov/codecov-action from 6.0.0 to 6.0.1

Release notes

Sourced from codecov/codecov-action's releases.

v6.0.1

What's Changed

fix: prevent template injection in run: steps (VULN-1652) by @thomasrockhu-codecov in codecov/codecov-action#1947

chore(release): 6.0.1 by @thomasrockhu-codecov in codecov/codecov-action#1949

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

Changelog

Sourced from codecov/codecov-action's changelog.

v5.5.2

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

What's Changed

fix: overwrite pr number on fork by @thomasrockhu-codecov in codecov/codecov-action#1871

build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @app/dependabot in codecov/codecov-action#1868

build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @app/dependabot in codecov/codecov-action#1867

fix: update to use local app/ dir by @thomasrockhu-codecov in codecov/codecov-action#1872

docs: fix typo in README by @datalater in codecov/codecov-action#1866

Document a codecov-cli version reference example by @webknjaz in codecov/codecov-action#1774

build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @app/dependabot in codecov/codecov-action#1861

build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @app/dependabot in codecov/codecov-action#1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

What's Changed

feat: upgrade wrapper to 0.2.4 by @jviall in codecov/codecov-action#1864

Pin actions/github-script by Git SHA by @martincostello in codecov/codecov-action#1859

fix: check reqs exist by @joseph-sentry in codecov/codecov-action#1835

fix: Typo in README by @spalmurray in codecov/codecov-action#1838

docs: Refine OIDC docs by @spalmurray in codecov/codecov-action#1837

build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @app/dependabot in codecov/codecov-action#1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

v5.4.3

What's Changed

build(deps): bump github/codeql-action from 3.28.13 to 3.28.17 by @app/dependabot in codecov/codecov-action#1822

fix: OIDC on forks by @joseph-sentry in codecov/codecov-action#1823

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3

v5.4.2

... (truncated)

Commits

e79a696 chore(release): 6.0.1 (#1949)
51e6422 fix: prevent template injection in run: steps (VULN-1652) (#1947)
See full diff in compare view

Updates goreleaser/goreleaser-action from 7.2.1 to 7.2.2

Release notes

Sourced from goreleaser/goreleaser-action's releases.

v7.2.2

What's Changed

ci(deps): bump the actions group with 3 updates by @dependabot[bot] in goreleaser/goreleaser-action#560

fix: nightly resolution to select newest published release by @Copilot in goreleaser/goreleaser-action#562

New Contributors

@Copilot made their first contribution in goreleaser/goreleaser-action#562

Full Changelog: goreleaser/goreleaser-action@v7...v7.2.2

Commits

5daf1e9 fix: nightly resolution to select newest published release (#562)
5cc7ebb ci: update actions
702f5f9 ci(deps): bump the actions group with 3 updates (#560)
See full diff in compare view

Updates github/codeql-action from 4.35.5 to 4.36.0

Release notes

Sourced from github/codeql-action's releases.

v4.36.0

Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894

Add support for SHA-256 Git object IDs. #3893

Update default CodeQL bundle version to 2.25.5. #3926

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.36.0 - 22 May 2026

Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894

Add support for SHA-256 Git object IDs. #3893

Update default CodeQL bundle version to 2.25.5. #3926

4.35.5 - 15 May 2026

We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899

For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791

If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892

Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837

Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850

Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853

Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852

Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795

The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789

Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794

Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807

Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767

Update default CodeQL bundle version to 2.25.1. #3773

... (truncated)

Commits

7211b7c Merge pull request #3927 from github/update-v4.36.0-ebc2d9e2b
7740f2f Update changelog for v4.36.0
ebc2d9e Merge pull request #3926 from github/update-bundle/codeql-bundle-v2.25.5
d1f74b7 Add changelog note
2dc40ce Update default bundle to codeql-bundle-v2.25.5
8449852 Merge pull request #3910 from github/henrymercer/repo-size-diff-check
72ac23c Update excluded required check list
c5297a2 Merge pull request #3919 from github/henrymercer/workflow-concurrency
8ffeae7 CI: Automatically cancel non-generated workflows
f3f52bf Revert getErrorMessage import
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Greptile Summary

This is an automated Dependabot PR updating three GitHub Actions used across CI workflows. All action references remain SHA-pinned, which is the correct security posture.

codecov/codecov-action bumped from v6.0.0 → v6.0.1: patches a template injection vulnerability (VULN-1652) in run: steps — a welcome security fix.
goreleaser/goreleaser-action bumped from v7.2.1 → v7.2.2: minor patch for nightly release resolution; no breaking changes.
github/codeql-action bumped from 4.35.5 → 4.36.0: adds SHA-256 Git object ID support and updates the default CodeQL bundle to v2.25.5; breaking change bumps minimum required bundle to 2.19.4, which GitHub-hosted runners satisfy automatically.

Confidence Score: 5/5

Safe to merge — all three updates are routine patch/minor bumps with SHA-pinned references and no changes to workflow logic.

All changes are Dependabot-generated SHA-pin updates. The codecov bump specifically closes a template injection security hole, making the merge beneficial. The codeql-action minor bump raises the minimum required bundle version, but GitHub-hosted runners already meet that requirement. No workflow logic, permissions, or secrets handling was modified.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/codecov.yml	Bumps codecov/codecov-action SHA from v6.0.0 to v6.0.1, which patches a template injection security vulnerability (VULN-1652).
.github/workflows/release.yml	Bumps goreleaser/goreleaser-action SHA from v7.2.1 to v7.2.2, a minor patch fixing nightly release resolution.
.github/workflows/security-ultimate.yml	Bumps github/codeql-action from 4.35.5 to 4.36.0 across all three action calls (upload-sarif, init, analyze); the new version raises the minimum required CodeQL bundle to 2.19.4.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Dependabot PR #219] --> B[codecov.yml]
    A --> C[release.yml]
    A --> D[security-ultimate.yml]

    B --> B1["codecov/codecov-action\nv6.0.0 → v6.0.1\n🔒 fixes VULN-1652 template injection"]
    C --> C1["goreleaser/goreleaser-action\nv7.2.1 → v7.2.2\npatch: nightly resolution fix"]
    D --> D1["github/codeql-action/upload-sarif\n4.35.5 → 4.36.0"]
    D --> D2["github/codeql-action/init\n4.35.5 → 4.36.0"]
    D --> D3["github/codeql-action/analyze\n4.35.5 → 4.36.0"]

    D1 & D2 & D3 --> E["Min CodeQL bundle: 2.19.4\nDefault bundle: v2.25.5\n✅ met by GitHub-hosted runners"]

_{Reviews (1): Last reviewed commit: "ci: bump the actions-updates group with ..." | Re-trigger Greptile}

Bumps the actions-updates group with 3 updates: [codecov/codecov-action](https://github.com/codecov/codecov-action), [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) and [github/codeql-action](https://github.com/github/codeql-action). Updates `codecov/codecov-action` from 6.0.0 to 6.0.1 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@57e3a13...e79a696) Updates `goreleaser/goreleaser-action` from 7.2.1 to 7.2.2 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@1a80836...5daf1e9) Updates `github/codeql-action` from 4.35.5 to 4.36.0 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@9e0d7b8...7211b7c) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-updates - dependency-name: goreleaser/goreleaser-action dependency-version: 7.2.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-updates - dependency-name: github/codeql-action dependency-version: 4.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-updates ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-05-25T03:34:34Z

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/github/codeql-action/analyze	7211b7c8077ea37d8641b6271f6a365a22a5fbfa	Unknown	Unknown
actions/github/codeql-action/init	7211b7c8077ea37d8641b6271f6a365a22a5fbfa	Unknown	Unknown
actions/github/codeql-action/upload-sarif	7211b7c8077ea37d8641b6271f6a365a22a5fbfa	Unknown	Unknown

Scanned Files

.github/workflows/security-ultimate.yml

codecov · 2026-05-25T03:36:53Z

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

* Bump x/crypto to v0.52.0 Fix GO-2026-5018 by updating golang.org/x/crypto and related checksums. * ci: download modules before govulncheck Ensure module checksums are fetched before vulnerability scanning. * Preserve legacy manifest parse causes Return both JSON and legacy parse errors from LoadManifest and cover the missing-archive metadata path in tests. * Align remote legacy manifest parsing Parse legacy targets and version fields in inspectRcloneMetadataManifest to match local manifest handling. * Propagate legacy scanner failures Return scanner errors from parseLegacyMetadata and fail fast when legacy metadata scanning is truncated. * Expand test coverage Add broader coverage for safeexec and staged/orchestrated restore flows. * Fix staged apply tests to use injectable root checks. Use accessControlApplyGeteuid and mountGuardGeteuid in maybeApply paths so CI tests can exercise error branches without real root, matching hooks used elsewhere in orchestrator. * test: expand PVE collector coverage * fix(backup): isolate PXAR per-datastore errors in parallel step Stop runPBSPXARStep from canceling sibling datastores on the first failure. Add isParentContextError and handlePBSPXARStepError so parent cancel/deadline propagates while datastore errors remain best-effort. Stabilizes race CI. * test: expand system collector probe and collection coverage Add branch and integration tests for systemctl, sensors, dmidecode, and related system collection paths in collector_system_test.go. * ci: bump the actions-updates group with 3 updates (#219) Bumps the actions-updates group with 3 updates: [codecov/codecov-action](https://github.com/codecov/codecov-action), [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) and [github/codeql-action](https://github.com/github/codeql-action). Updates `codecov/codecov-action` from 6.0.0 to 6.0.1 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@57e3a13...e79a696) Updates `goreleaser/goreleaser-action` from 7.2.1 to 7.2.2 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@1a80836...5daf1e9) Updates `github/codeql-action` from 4.35.5 to 4.36.0 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@9e0d7b8...7211b7c) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-updates - dependency-name: goreleaser/goreleaser-action dependency-version: 7.2.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-updates - dependency-name: github/codeql-action dependency-version: 4.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(backup): preserve JSON parse cause in LoadManifest error message json.Unmarshal was called with :=, shadowing the outer err variable. The combined error message reported JSON (<nil>) instead of the actual parse failure. Rename to unmarshalErr to capture and propagate it. Harden tests to assert both JSON and legacy causes in combined errors. * test(orchestrator): use unique per-run storage IDs in PVE mount guard tests Replace fixed /mnt/pve/<name> storage IDs (activate-ok, proxsave-offline, mkdir-fail, etc.) with unique per-run IDs using a proxsave-it-<hash>-<label> prefix. Add safety helpers that refuse RemoveAll/Remove on paths not owned by the test (no proxsave-it- prefix), preventing accidental collision with real PVE storage IDs on privileged hosts. Also add requireWritablePveMountRoot with a real write/remove probe and TestPveMountIntegrationTestPathSafety to guard the path-ownership logic. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

dependabot Bot added dependencies github-actions labels May 25, 2026

tis24dev merged commit 2a42192 into dev May 26, 2026
4 of 5 checks passed

dependabot Bot deleted the dependabot/github_actions/dev/actions-updates-d1f1034c07 branch May 26, 2026 14:07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ci: bump the actions-updates group with 3 updates#219

ci: bump the actions-updates group with 3 updates#219
tis24dev merged 1 commit into
devfrom
dependabot/github_actions/dev/actions-updates-d1f1034c07

dependabot Bot commented on behalf of github May 25, 2026 •

edited by greptile-apps Bot

Loading

Uh oh!

github-actions Bot commented May 25, 2026

Uh oh!

codecov Bot commented May 25, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

dependabot Bot commented on behalf of github May 25, 2026 • edited by greptile-apps Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v6.0.1

What's Changed

v5.5.2

What's Changed

v5.5.1

What's Changed

v5.5.0

What's Changed

v5.4.3

What's Changed

v5.4.2

v7.2.2

What's Changed

New Contributors

v4.36.0

CodeQL Action Changelog

[UNRELEASED]

4.36.0 - 22 May 2026

4.35.5 - 15 May 2026

4.35.4 - 07 May 2026

4.35.3 - 01 May 2026

4.35.2 - 15 Apr 2026

4.35.1 - 27 Mar 2026

4.35.0 - 27 Mar 2026

Greptile Summary

Confidence Score: 5/5

Important Files Changed

Flowchart

Uh oh!

github-actions Bot commented May 25, 2026

Dependency Review

OpenSSF Scorecard

Scanned Files

Uh oh!

codecov Bot commented May 25, 2026

Codecov Report

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github May 25, 2026 •

edited by greptile-apps Bot

Loading