Bump the all-actions group with 9 updates

[dependabot]

Bumps the all-actions group with 9 updates:

Package	From	To
actions/setup-node	6.3.0	6.4.0
actions/setup-python	5.6.0	6.2.0
actions/cache	4.3.0	5.0.5
actions/upload-artifact	6.0.0	7.0.1
advanced-security/reusable-workflows/.github/workflows/codeql-ql.yml	a0e88ede84d03cd069b01d18540db7fc86c52cf8	c803ebcd54d7d848a28a895c465a9df0ecb9c320
advanced-security/codeql-development-mcp-server	2.25.0	2.25.6
actions/download-artifact	7.0.0	8.0.1
softprops/action-gh-release	2.5.0	3.0.0
peter-evans/create-pull-request	8.1.0	8.1.1

Updates actions/setup-node from 6.3.0 to 6.4.0

Release notes

Sourced from actions/setup-node's releases.

v6.4.0

What's Changed

Dependency updates:

• Upgrade @​actions dependencies by @​Copilot in actions/setup-node#1525
• Update Node.js versions in versions.yml and bump package to v6.4.0 by @​priya-kinthali in actions/setup-node#1533

New Contributors

• @​Copilot made their first contribution in actions/setup-node#1525

Full Changelog: actions/setup-node@v6...v6.4.0

Commits

• 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
• ab72c7e Upgrade @​actions dependencies (#1525)
• See full diff in compare view

Updates actions/setup-python from 5.6.0 to 6.2.0

Release notes

Sourced from actions/setup-python's releases.

v6.2.0

What's Changed

Dependency Upgrades

• Upgrade dependencies to Node 24 compatible versions by @​salmanmkc in actions/setup-python#1259
• Upgrade urllib3 from 2.5.0 to 2.6.3 in /__tests__/data by @​dependabot in actions/setup-python#1253 and actions/setup-python#1264

Full Changelog: actions/setup-python@v6...v6.2.0

v6.1.0

What's Changed

Enhancements:

• Add support for pip-install input by @​gowridurgad in actions/setup-python#1201
• Add graalpy early-access and windows builds by @​timfel in actions/setup-python#880

Dependency and Documentation updates:

• Enhanced wording and updated example usage for allow-prereleases by @​yarikoptic in actions/setup-python#979
• Upgrade urllib3 from 1.26.19 to 2.5.0 and document breaking changes in v6 by @​dependabot in actions/setup-python#1139
• Upgrade typescript from 5.4.2 to 5.9.3 and Documentation update by @​dependabot in actions/setup-python#1094
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pip-install input by @​dependabot in actions/setup-python#1199
• Upgrade requests from 2.32.2 to 2.32.4 by @​dependabot in actions/setup-python#1130
• Upgrade prettier from 3.5.3 to 3.6.2 by @​dependabot in actions/setup-python#1234
• Upgrade @​types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel by @​dependabot in actions/setup-python#1235

New Contributors

• @​yarikoptic made their first contribution in actions/setup-python#979

Full Changelog: actions/setup-python@v6...v6.1.0

v6.0.0

What's Changed

Breaking Changes

• Upgrade to node 24 by @​salmanmkc in actions/setup-python#1164

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

• Add support for pip-version by @​priyagupta108 in actions/setup-python#1129
• Enhance reading from .python-version by @​krystof-k in actions/setup-python#787
• Add version parsing from Pipfile by @​aradkdj in actions/setup-python#1067

Bug fixes:

• Clarify pythonLocation behaviour for PyPy and GraalPy in environment variables by @​aparnajyothi-y in actions/setup-python#1183
• Change missing cache directory error to warning by @​aparnajyothi-y in actions/setup-python#1182
• Add Architecture-Specific PATH Management for Python with --user Flag on Windows by @​aparnajyothi-y in actions/setup-python#1122
• Include python version in PyPy python-version output by @​cdce8p in actions/setup-python#1110
• Update docs: clarification on pip authentication with setup-python by @​priya-kinthali in actions/setup-python#1156

Dependency updates:

• Upgrade idna from 2.9 to 3.7 in /tests/data by @​dependabot[bot] in actions/setup-python#843
• Upgrade form-data to fix critical vulnerabilities #182 & #183 by @​aparnajyothi-y in actions/setup-python#1163
• Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download by @​aparnajyothi-y in actions/setup-python#1165
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in actions/setup-python#1181
• Upgrade @​actions/tool-cache from 2.0.1 to 2.0.2 by @​dependabot[bot] in actions/setup-python#1095

... (truncated)

Commits

• a309ff8 Bump urllib3 from 2.6.0 to 2.6.3 in /tests/data (#1264)
• bfe8cc5 Upgrade @​actions dependencies to Node 24 compatible versions (#1259)
• 4f41a90 Bump urllib3 from 2.5.0 to 2.6.0 in /tests/data (#1253)
• 83679a8 Bump @​types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel ...
• bfc4944 Bump prettier from 3.5.3 to 3.6.2 (#1234)
• 97aeb3e Bump requests from 2.32.2 to 2.32.4 in /tests/data (#1130)
• 443da59 Bump actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pi...
• cfd55ca graalpy: add graalpy early-access and windows builds (#880)
• bba65e5 Bump typescript from 5.4.2 to 5.9.3 and update docs/advanced-usage.md (#1094)
• 18566f8 Improve wording and "fix example" (remove 3.13) on testing against pre-releas...
• Additional commits viewable in compare view

Updates actions/cache from 4.3.0 to 5.0.5

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in actions/cache#1747

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

What's Changed

• Add release instructions and update maintainer docs by @​Link- in actions/cache#1696
• Potential fix for code scanning alert no. 52: Workflow does not contain permissions by @​Link- in actions/cache#1697
• Fix workflow permissions and cleanup workflow names / formatting by @​Link- in actions/cache#1699
• docs: Update examples to use the latest version by @​XZTDean in actions/cache#1690
• Fix proxy integration tests by @​Link- in actions/cache#1701
• Fix cache key in examples.md for bun.lock by @​RyPeck in actions/cache#1722
• Update dependencies & patch security vulnerabilities by @​Link- in actions/cache#1738

New Contributors

• @​XZTDean made their first contribution in actions/cache#1690
• @​RyPeck made their first contribution in actions/cache#1722

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v.5.0.2

v5.0.2

What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

v5.0.1

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

---

v5.0.1

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

6.0.0

• Updated @actions/cache to ^6.0.1, @actions/core to ^3.0.1, @actions/exec to ^3.0.0, @actions/io to ^3.0.2
• Migrated to ESM module system
• Upgraded Jest to v30 and test infrastructure to be ESM compatible

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

... (truncated)

Commits

• 27d5ce7 Merge pull request #1747 from actions/yacaovsnc/update-dependency
• f280785 licensed changes
• 619aeb1 npm run build generated dist files
• bcf16c2 Update ts-http-runtime to 0.3.5
• 6682284 Merge pull request #1738 from actions/prepare-v5.0.4
• e340396 Update RELEASES
• 8a67110 Add licenses
• 1865903 Update dependencies & patch security vulnerabilities
• 5656298 Merge pull request #1722 from RyPeck/patch-1
• 4e380d1 Fix cache key in examples.md for bun.lock
• Additional commits viewable in compare view

Updates actions/upload-artifact from 6.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

• Update the readme with direct upload details by @​danwkennedy in actions/upload-artifact#795
• Readme: bump all the example versions to v7 by @​danwkennedy in actions/upload-artifact#796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in actions/upload-artifact#797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in actions/upload-artifact#754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in actions/upload-artifact#762
• Support direct file uploads by @​danwkennedy in actions/upload-artifact#764

New Contributors

• @​Link- made their first contribution in actions/upload-artifact#754

Full Changelog: actions/upload-artifact@v6...v7.0.0

Commits

• 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
• 634250c Include changes in typespec/ts-http-runtime 0.3.5
• e454baa Readme: bump all the example versions to v7 (#796)
• 74fad66 Update the readme with direct upload details (#795)
• bbbca2d Support direct file uploads (#764)
• 589182c Upgrade the module to ESM and bump dependencies (#762)
• 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
• 02a8460 Add proxy integration test
• See full diff in compare view

Updates advanced-security/reusable-workflows/.github/workflows/codeql-ql.yml from a0e88ede84d03cd069b01d18540db7fc86c52cf8 to c803ebcd54d7d848a28a895c465a9df0ecb9c320

Commits

• c803ebc chore(security): add cooldown input and deterministic installs (#91)
• 4ef4f3d deps: bump the production-dependencies group with 10 updates (#93)
• 479412f Bump version from 0.3.3 to 0.3.4 - testing version bumps downstream (no changes)
• fc65a06 fix: improve self-release logging and bump to v0.3.3
• a035952 fix: include prereleases when resolving bump base version (#92)
• 1bbf2c8 deps: bump the production-dependencies group with 5 updates (#90)
• 1993dd6 Bump version from 0.3.1 to 0.3.2
• a913739 fix: resolve security review findings (#89)
• 7953983 chore: sync .release.yml to v0.3.1
• 811381e chore: remove utility-reset-tag workflow
• Additional commits viewable in compare view

Updates advanced-security/codeql-development-mcp-server from 2.25.0 to 2.25.6

Release notes

Sourced from advanced-security/codeql-development-mcp-server's releases.

v2.25.6

What's Changed

• Build(deps): bump actions/checkout from 6.0.2 to 6.0.3 by @​dependabot[bot] in advanced-security/codeql-development-mcp-server#289
• Upgrade CodeQL CLI dependency to v2.25.6 by @​github-actions[bot] in advanced-security/codeql-development-mcp-server#290

Full Changelog: advanced-security/codeql-development-mcp-server@v2.25.5...v2.25.6

v2.25.5

What's Changed

• Build(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 by @​dependabot[bot] in advanced-security/codeql-development-mcp-server#278
• Harden release workflows against cache poisoning by @​data-douser in advanced-security/codeql-development-mcp-server#279
• VS Code extension: ship portable, built-in custom agents (codeql-query-developer, codeql-workshop-author) by @​Copilot in advanced-security/codeql-development-mcp-server#281
• Upgrade CodeQL CLI dependency to v2.25.5 by @​github-actions[bot] in advanced-security/codeql-development-mcp-server#283
• Upgrade NodeJS dependencies for v2.25.5 release prep by @​data-douser in advanced-security/codeql-development-mcp-server#285

Full Changelog: advanced-security/codeql-development-mcp-server@v2.25.4...v2.25.5

v2.25.4

What's Changed

• MaD QL : Improve ql-mcp support for CodeQL Models-as-Data Extensions by @​data-douser in advanced-security/codeql-development-mcp-server#271
• Update on.{pull_request,push}.paths triggers for .github/workflows/build-*.yml by @​data-douser in advanced-security/codeql-development-mcp-server#274
• Upgrade CodeQL CLI dependency to v2.25.4 by @​github-actions[bot] in advanced-security/codeql-development-mcp-server#272
• Build(deps): bump hono from 4.12.14 to 4.12.18 by @​dependabot[bot] in advanced-security/codeql-development-mcp-server#273
• [UPDATE PRIMITIVE] Auto-infer codeql_query_run format from @​kind to enable result caching by @​Copilot in advanced-security/codeql-development-mcp-server#275
• Build(deps): bump fast-uri from 3.1.0 to 3.1.2 by @​dependabot[bot] in advanced-security/codeql-development-mcp-server#277
• Prep for pending v2.25.4 release of codeql-development-mcp-server by @​Copilot in advanced-security/codeql-development-mcp-server#276

Full Changelog: advanced-security/codeql-development-mcp-server@v2.25.3...v2.25.4

v2.25.3

What's Changed

• Build(deps): bump actions/cache from 5.0.4 to 5.0.5 by @​dependabot[bot] in advanced-security/codeql-development-mcp-server#256
• Build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 by @​dependabot[bot] in advanced-security/codeql-development-mcp-server#255
• Build(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 by @​dependabot[bot] in advanced-security/codeql-development-mcp-server#253
• Build(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0 by @​dependabot[bot] in advanced-security/codeql-development-mcp-server#254
• Build(deps): bump the all-npm-dependencies group across 4 directories with 5 updates by @​dependabot[bot] in advanced-security/codeql-development-mcp-server#257
• Supply chain hardening for npm and actions by @​data-douser in advanced-security/codeql-development-mcp-server#258
• Build(deps-dev): bump the all-npm-dependencies group across 4 directories with 3 updates by @​dependabot[bot] in advanced-security/codeql-development-mcp-server#259
• Merge next into main for "next" release prep by @​data-douser in advanced-security/codeql-development-mcp-server#260
• Build(deps): bump actions/setup-node from 6.3.0 to 6.4.0 by @​dependabot[bot] in advanced-security/codeql-development-mcp-server#264
• Build(deps): bump actions/setup-go from 5.6.0 to 6.4.0 by @​dependabot[bot] in advanced-security/codeql-development-mcp-server#265
• Fix invalid JSON Schema for query_results_cache_retrieve by @​Copilot in advanced-security/codeql-development-mcp-server#263
• Upgrade CodeQL CLI dependency to v2.25.3 by @​github-actions[bot] in advanced-security/codeql-development-mcp-server#269

Full Changelog: advanced-security/codeql-development-mcp-server@v2.25.2...v2.25.3

... (truncated)

Commits

• b3a4b77 Upgrade CodeQL CLI dependency to v2.25.6 (#290)
• 39511a6 Build(deps): bump actions/checkout from 6.0.2 to 6.0.3 (#289)
• 9dc1522 Upgrade NodeJS dependencies for v2.25.5 release prep (#285)
• d53a392 Upgrade CodeQL CLI dependency to v2.25.5 (#283)
• c54b7f0 VS Code extension: ship portable, built-in custom agents (codeql-query-develo...
• 3fe5254 Harden release workflows against cache poisoning (#279)
• c504306 Build(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 (#278)
• 03c4f76 Prep for pending v2.25.4 release of codeql-development-mcp-server (#276)
• 8a1072b Build(deps): bump fast-uri from 3.1.0 to 3.1.2 (#277)
• eb7e2a6 [UPDATE PRIMITIVE] Auto-infer codeql_query_run format from @​kind to enable re...
• Additional commits viewable in compare view

Updates actions/download-artifact from 7.0.0 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in actions/download-artifact#471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in actions/download-artifact#472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in actions/download-artifact#460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in actions/download-artifact#461

Full Changelog: actions/download-artifact@v7...v8.0.0

Commits

• 3e5f45b Add regression tests for CJK characters (#471)
• e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
• 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
• f258da9 Add change docs
• ccc058e Fix linting issues
• bd7976b Add a setting to specify what to do on hash mismatch and default it to error
• ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
• 15999bf Add note about package bumps
• 974686e Bump the version to v8 and add release notes
• fbe48b1 Update test names to make it clearer what they do
• Additional commits viewable in compare view

Updates softprops/action-gh-release from 2.5.0 to 3.0.0

Release notes

Sourced from softprops/action-gh-release's releases.

v3.0.0

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24. Use v3 on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on v2.6.2.

What's Changed

Other Changes 🔄

• Move the action runtime and bundle target to Node 24
• Update @types/node to the Node 24 line and allow future Dependabot updates
• Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

v2.6.2

What's Changed

Other Changes 🔄

• chore(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in softprops/action-gh-release#775
• chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 by @​dependabot[bot] in softprops/action-gh-release#777
• chore(deps): bump vite from 8.0.0 to 8.0.5 by @​dependabot[bot] in softprops/action-gh-release#781

Full Changelog: softprops/action-gh-release@v2...v2.6.2

v2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: preserve discussion category on publish by @​chenrui333 in softprops/action-gh-release#765

v2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

... (truncated)

Changelog

Sourced from softprops/action-gh-release's changelog.

3.0.1

• maintenance release with updated dependencies

3.0.0

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24. Use v3 on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on v2.6.2.

What's Changed

Other Changes 🔄

• Move the action runtime and bundle target to Node 24
• Update @types/node to the Node 24 line and allow future Dependabot updates
• Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

2.6.2

What's Changed

Other Changes 🔄

• chore(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in softprops/action-gh-release#775
• chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 by @​dependabot[bot] in softprops/action-gh-release#777
• chore(deps): bump vite from 8.0.0 to 8.0.5 by @​dependabot[bot] in softprops/action-gh-release#781

2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: preserve discussion category on publish by @​chenrui333 in softprops/action-gh-release#765

2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

... (truncated)

Commits

• b430933 release: cut v3.0.0 for Node 24 upgrade (#670)
• c2e35e0 chore(deps): bump the npm group across 1 directory with 7 updates (#783)
• 3bb1273 release 2.6.2
• c34030f chore: bump node to 24.14.1
• 8975bd0 chore(deps): bump vite from 8.0.0 to 8.0.5 (#781)
• f71937f chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 (#777)
• 3f0d239 chore(deps): bump picomatch from 4.0.3 to 4.0.4 (#775)
• 153bb8e release 2.6.1
• 569deb8 fix: preserve discussion category when publishing releases (#765)
• 26e8ad2 release 2.6.0
• Additional commits viewable in compare view

Updates peter-evans/create-pull-request from 8.1.0 to 8.1.1

Release notes

Sourced from peter-evans/create-pull-request's releases.

Create Pull Request v8.1.1

What's Changed

• build(deps-dev): bump the npm group with 2 updates by @​dependabot[bot] in peter-evans/create-pull-request#4305
• build(deps): bump minimatch by @​dependabot[bot] in peter-evans/create-pull-request#4311
• build(deps): bump the github-actions group with 2 updates by @​dependabot[bot] in peter-evans/create-pull-request#4316
• build(deps): bump @​tootallnate/once and jest-environment-jsdom by @​dependabot[bot] in peter-evans/create-pull-request#4323
• build(deps-dev): bump undici from 6.23.0 to 6.24.0 by @​dependabot[bot] in peter-evans/create-pull-request#4328
• build(deps-dev): bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in peter-evans/create-pull-request#4334
• build(deps): bump picomatch by @​dependabot[bot] in peter-evans/create-pull-request#4339
• build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 by @​dependabot[bot] in peter-evans/create-pull-request#4344
• build(deps-dev): bump the npm group with 3 updates by @​dependabot[bot] in peter-evans/create-pull-request#4349
• fix: retry post-creation API calls on 422 eventual consistency errors by @​peter-evans in peter-evans/create-pull-request#4356

Full Changelog: peter-evans/create-pull-request@v8.1.0...v8.1.1

Commits

• 5f6978f fix: retry post-creation API calls on 422 eventual consistency errors (#4356)
• d32e88d build(deps-dev): bump the npm group with 3 updates (#4349)
• 8170bcc build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 (#4344)
• 0041819 build(deps): bump picomatch (#4339)
• b993918 build(deps-dev): bump flatted from 3.3.1 to 3.4.2 (#4334)
• 36d7c84 build(deps-dev): bump undici from 6.23.0 to 6.24.0 (#4328)
• a45d1fb build(deps): bump @​tootallnate/once and jest-environment-jsdom (#4323)
• 3499eb6 build(deps): bump the github-actions group with 2 updates (#4316)
• 3f3b473 build(deps): bump minimatch (#4311)
• 6699836 build(deps-dev): bump the npm group with 2 updates (#4305)
• See full diff in compare view

Dependabot will resolve any conflicts with this...

Description has been truncated

[Copilot]

Pull request overview

This PR updates pinned GitHub Actions (and one reusable workflow reference) across the repository’s workflows, aligning them with the latest Dependabot “all-actions” group updates while keeping the repo’s commit-SHA pinning strategy.

Changes:

• Bumps actions/setup-node (v6.x) and peter-evans/create-pull-request in the CodeQL update automation workflow.
• Upgrades artifact and release actions used by the release and test workflows (upload-artifact, download-artifact, softprops/action-gh-release).
• Updates security/scanning workflows to newer setup-python, cache, and reusable workflow SHAs.

Show a summary per file

File	Description
.github/workflows/update-codeql.yml	Updates pinned setup-node and create-pull-request used to create automated CodeQL upgrade PRs.
.github/workflows/release.yml	Updates pinned download-artifact and action-gh-release used to publish releases.
.github/workflows/release-tag.yml	Updates pinned setup-node used during tag/release preparation steps.
.github/workflows/release-codeql.yml	Updates pinned upload-artifact used to publish/bundle and upload pack artifacts.
.github/workflows/ql-unit-tests-windows.yml	Updates pinned setup-node, upload-artifact, and download-artifact used in Windows CI.
.github/workflows/ql-unit-tests-linux.yml	Updates pinned setup-node, upload-artifact, and download-artifact used in Linux CI.
.github/workflows/copilot-setup-steps.yml	Updates pinned setup-node and CodeQL environment setup action used by Copilot setup steps.
.github/workflows/codeql-ql.yml	Updates the pinned reusable workflow SHA used for CodeQL QL runs.
.github/workflows/code_scanning.yml	Updates pinned setup-python, cache, and upload-artifact used during CodeQL scanning and SARIF diff upload.
.github/workflows/cds-extractor-dist-bundle.yml	Updates pinned setup-node used for CDS extractor bundle validation.

Copilot's findings

• Files reviewed: 10/10 changed files
• Comments generated: 0

[data-douser]

LGTM