Skip to content

chore(deps): bump the github-actions group across 1 directory with 8 updates#2971

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/github-actions-03fa985380
Open

chore(deps): bump the github-actions group across 1 directory with 8 updates#2971
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/github-actions-03fa985380

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Apr 2, 2026
edited
Loading

Bumps the github-actions group with 8 updates in the / directory:

Package From To
actions/create-github-app-token 1.12.0 3.0.0
actions/cache 4.3.0 5.0.4
anthropics/claude-code-action 1.0.39 1.0.85
actions/upload-artifact 4.6.2 7.0.0
dorny/paths-filter 2.11.1 4.0.1
inkeep/pr-commenter-action 10 11
speakeasy-api/sdk-generation-action 15.58.9 15.60.0
peter-evans/create-pull-request 7.0.8 8.1.0

Updates actions/create-github-app-token from 1.12.0 to 3.0.0

Release notes

Sourced from actions/create-github-app-token's releases.

v3.0.0

3.0.0 (2026-03-14)

Bug Fixes

BREAKING CHANGES

  • Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
  • Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

  • deps: bump @​actions/core from 1.11.1 to 3.0.0 (#337) (b044133)
  • deps: bump minimatch from 9.0.5 to 9.0.9 (#335) (5cbc656)
  • deps: bump the production-dependencies group with 4 updates (#336) (6bda5bc)
  • deps: bump undici from 7.16.0 to 7.18.2 (#323) (b4f638f)

v3.0.0-beta.5

3.0.0-beta.5 (2026-03-13)

  • fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (d53a1cd)

BREAKING CHANGES

  • Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.

v3.0.0-beta.4

3.0.0-beta.4 (2026-03-13)

Bug Fixes

  • deps: bump @​octokit/auth-app from 7.2.1 to 8.0.1 (#257) (bef1eaf)
  • deps: bump @​octokit/request from 9.2.3 to 10.0.2 (#256) (5d7307b)
  • deps: bump glob from 10.4.5 to 10.5.0 (#305) (5480f43)
  • deps: bump p-retry from 6.2.1 to 7.1.0 (#294) (dce3be8)

... (truncated)

Commits
  • f8d387b build(release): 3.0.0 [skip ci]
  • d2129bd style: remove extra blank line in release workflow
  • 77b94ef build: refresh generated artifacts
  • 3ab4c66 chore: move undici to devDependencies
  • 739cf66 docs: update README action versions
  • db40289 build(deps): bump actions versions in test.yml
  • 496a7ac test: migrate from AVA to Node.js native test runner (#346)
  • 3870dc3 Rename end-to-end proxy job in test workflow
  • 4451bcb fix!: require NODE_USE_ENV_PROXY for proxy support (#342)
  • dce0ab0 fix: remove custom proxy handling (#143)
  • Additional commits viewable in compare view

Updates actions/cache from 4.3.0 to 5.0.4

Release notes

Sourced from actions/cache's releases.

v5.0.4

What's Changed

New Contributors

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

What's Changed

Full Changelog: actions/cache@v5...v5.0.3

v.5.0.2

v5.0.2

What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

v5.0.1

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

v5.0.1

What's Changed

v5.0.0

What's Changed

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

  • Bump @actions/cache to v5.0.3 #1692

5.0.1

  • Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

Updates anthropics/claude-code-action from 1.0.39 to 1.0.85

Release notes

Sourced from anthropics/claude-code-action's releases.

v1.0.85

What's Changed

Full Changelog: anthropics/claude-code-action@v1...v1.0.85

v1.0.84

What's Changed

Full Changelog: anthropics/claude-code-action@v1...v1.0.84

v1.0.83

What's Changed

Full Changelog: anthropics/claude-code-action@v1...v1.0.83

v1.0.82

Full Changelog: anthropics/claude-code-action@v1...v1.0.82

v1.0.81

Full Changelog: anthropics/claude-code-action@v1...v1.0.81

v1.0.80

Full Changelog: anthropics/claude-code-action@v1...v1.0.80

v1.0.79

Full Changelog: anthropics/claude-code-action@v1...v1.0.79

v1.0.78

Full Changelog: anthropics/claude-code-action@v1...v1.0.78

v1.0.77

Subprocess environment scrubbing for untrusted-input workflows

Workflows that configure allowed_non_write_users now automatically get CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1, which makes Claude Code (v2.1.79+) strip Anthropic and cloud provider credentials from the environment of subprocesses it spawns (Bash tool, hooks, MCP stdio servers). The parent Claude process keeps these vars for its own API calls — only child subprocess environments are scrubbed.

Why: Workflows that process untrusted input (issue triage, PR review from non-write users) are exposed to prompt injection. A malicious issue body could trick Claude into running a Bash command that reads $ANTHROPIC_API_KEY via shell expansion and leaks it through an observable side channel. Scrubbing the subprocess environment removes the read primitive entirely.

What's scrubbed: Anthropic auth tokens, cloud provider credentials, GitHub Actions OIDC and runtime tokens, OTEL auth headers.

What's kept: GITHUB_TOKEN / GH_TOKEN — so wrapper scripts can still call the GitHub API.

Opt out: Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: "0" at the job or step level if your workflow legitimately needs a subprocess to inherit these credentials.

No action required for most users — if you've configured allowed_non_write_users, scrubbing is now on automatically. If your workflow breaks because a subprocess expected inherited credentials, re-inject them explicitly (e.g., via MCP server env: config) or use the opt-out.

... (truncated)

Commits
  • 58dbe8e chore: bump Claude Code to 2.1.90 and Agent SDK to 0.2.90
  • c281e17 fix: fall back to repo default_branch instead of hardcoded "main" (#1143)
  • 408a40e Pin Claude Code to 2.1.87 (#1142)
  • bee87b3 chore: bump Claude Code to 2.1.89 and Agent SDK to 0.2.89
  • 32156b1 Add subprocess isolation setup and git credential helper (#1132)
  • 7225f04 chore: bump Claude Code to 2.1.88 and Agent SDK to 0.2.88
  • 88c168b chore: bump Claude Code to 2.1.87 and Agent SDK to 0.2.87
  • e7b588b chore: bump Claude Code to 2.1.86 and Agent SDK to 0.2.86
  • 094bd24 chore: bump Claude Code to 2.1.85 and Agent SDK to 0.2.85
  • 3ac52d0 chore: bump Claude Code to 2.1.84 and Agent SDK to 0.2.84
  • Additional commits viewable in compare view

Updates actions/upload-artifact from 4.6.2 to 7.0.0

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

... (truncated)

Commits
  • bbbca2d Support direct file uploads (#764)
  • 589182c Upgrade the module to ESM and bump dependencies (#762)
  • 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
  • 02a8460 Add proxy integration test
  • b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
  • e516bc8 docs: correct description of Node.js 24 support in README
  • ddc45ed docs: update README to correct action name for Node.js 24 support
  • 615b319 chore: release v6.0.0 for Node.js 24 support
  • 017748b Merge pull request #744 from actions/fix-storage-blob
  • 38d4c79 chore: rebuild dist
  • Additional commits viewable in compare view

Updates dorny/paths-filter from 2.11.1 to 4.0.1

Release notes

Sourced from dorny/paths-filter's releases.

v4.0.1

What's Changed

New Contributors

Full Changelog: dorny/paths-filter@v4.0.0...v4.0.1

v4.0.0

What's Changed

New Contributors

Full Changelog: dorny/paths-filter@v3.0.3...v4.0.0

v3.0.3

What's Changed

New Contributors

Full Changelog: dorny/paths-filter@v3...v3.0.3

v3.0.2

What's Changed

New Contributors

Full Changelog: dorny/paths-filter@v3...v3.0.2

v3.0.1

What's Changed

New Contributors

Full Changelog: dorny/paths-filter@v3...v3.0.1

v3.0.0

What's Changed

... (truncated)

Changelog

Sourced from dorny/paths-filter's changelog.

Changelog

v4.0.0

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.1

v2.11.0

v2.10.2

v2.10.1

v2.10.0

v2.9.3

v2.9.2

v2.9.1

v2.9.0

... (truncated)

Commits
  • fbd0ab8 feat: add merge_group event support
  • efb1da7 feat: add dist/ freshness check to PR workflow
  • d8f7b06 Merge pull request #302 from dorny/issue-299
  • addbc14 Update README for v4
  • 9d7afb8 Update CHANGELOG for v4.0.0
  • 782470c Merge branch 'releases/v3'
  • d1c1ffe Update CHANGELOG for v3.0.3
  • ce10459 Merge pull request #294 from saschabratton/master
  • 5f40380 feat: update action runtime to node24
  • 668c092 Merge pull request #279 from wardpeet/patch-1
  • Additional commits viewable in compare view

Updates inkeep/pr-commenter-action from 10 to 11

Commits

Updates speakeasy-api/sdk-generation-action from 15.58.9 to 15.60.0

Release notes

Sourced from speakeasy-api/sdk-generation-action's releases.

v15.60.0

What's Changed

Full Changelog: speakeasy-api/sdk-generation-action@v15.59.2...v15.60.0

v15.59.2

What's Changed

Full Changelog: speakeasy-api/sdk-generation-action@v15.59.1...v15.59.2

v15.59.1

What's Changed

Full Changelog: speakeasy-api/sdk-generation-action@v15.59.0...v15.59.1

Commits

Updates peter-evans/create-pull-request from 7.0.8 to 8.1.0

Release notes

Sourced from peter-evans/create-pull-request's releases.

Create Pull Request v8.1.0

What's Changed

New Contributors

Full Changelog: peter-evans/create-pull-request@v8.0.0...v8.1.0

Create Pull Request v8.0.0

What's new in v8

What's Changed

New Contributors

Full Changelog: peter-evans/create-pull-request@v7.0.11...v8.0.0

Create Pull Request v7.0.11

What's Changed

Full Changelog: peter-evans/create-pull-request@v7.0.10...v7.0.11

Create Pull Request v7.0.10

⚙️ Fixes an issue where updating a pull request failed when targeting a forked repository with the same owner as its parent.

What's Changed

New Contributors

Full Changelog: peter-evans/create-pull-request@v7.0.9...v7.0.10

... (truncated)

Commits

@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 2, 2026
@vercel
Copy link
Copy Markdown

vercel bot commented Apr 2, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
agents-api Ready Ready Preview, Comment Apr 4, 2026 1:31am
agents-docs Ready Ready Preview, Comment Apr 4, 2026 1:31am
agents-manage-ui Ready Ready Preview, Comment Apr 4, 2026 1:31am

Request Review

@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Apr 2, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: ba45c30

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@dependabot dependabot bot force-pushed the dependabot/github_actions/github-actions-03fa985380 branch from d0a27c8 to 3306cf5 Compare April 2, 2026 18:51
@dependabot dependabot bot force-pushed the dependabot/github_actions/github-actions-03fa985380 branch from 3306cf5 to 77467b6 Compare April 3, 2026 18:47
@dependabot
chore(deps): bump the github-actions group across 1 directory with 8 …
ba45c30 
…updates

Bumps the github-actions group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `1.12.0` | `3.0.0` |
| [actions/cache](https://github.com/actions/cache) | `4.3.0` | `5.0.4` |
| [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) | `1.0.39` | `1.0.85` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.0` |
| [dorny/paths-filter](https://github.com/dorny/paths-filter) | `2.11.1` | `4.0.1` |
| [inkeep/pr-commenter-action](https://github.com/inkeep/pr-commenter-action) | `10` | `11` |
| [speakeasy-api/sdk-generation-action](https://github.com/speakeasy-api/sdk-generation-action) | `15.58.9` | `15.60.0` |
| [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | `7.0.8` | `8.1.0` |



Updates `actions/create-github-app-token` from 1.12.0 to 3.0.0
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](actions/create-github-app-token@d72941d...f8d387b)

Updates `actions/cache` from 4.3.0 to 5.0.4
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@0057852...6682284)

Updates `anthropics/claude-code-action` from 1.0.39 to 1.0.85
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@v1.0.39...58dbe8e)

Updates `actions/upload-artifact` from 4.6.2 to 7.0.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@ea165f8...bbbca2d)

Updates `dorny/paths-filter` from 2.11.1 to 4.0.1
- [Release notes](https://github.com/dorny/paths-filter/releases)
- [Changelog](https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md)
- [Commits](dorny/paths-filter@4512585...fbd0ab8)

Updates `inkeep/pr-commenter-action` from 10 to 11
- [Release notes](https://github.com/inkeep/pr-commenter-action/releases)
- [Commits](inkeep/pr-commenter-action@84ccc7c...bac2033)

Updates `speakeasy-api/sdk-generation-action` from 15.58.9 to 15.60.0
- [Release notes](https://github.com/speakeasy-api/sdk-generation-action/releases)
- [Commits](speakeasy-api/sdk-generation-action@b823adc...fe37b33)

Updates `peter-evans/create-pull-request` from 7.0.8 to 8.1.0
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](peter-evans/create-pull-request@271a8d0...c0f553f)

---
updated-dependencies:
- dependency-name: actions/create-github-app-token
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/cache
  dependency-version: 5.0.4
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.85
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: dorny/paths-filter
  dependency-version: 4.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: inkeep/pr-commenter-action
  dependency-version: '11'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: speakeasy-api/sdk-generation-action
  dependency-version: 15.60.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: peter-evans/create-pull-request
  dependency-version: 8.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/github_actions/github-actions-03fa985380 branch from 77467b6 to ba45c30 Compare April 4, 2026 01:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants