new release (v3.3.0) by taarikashenafi · Pull Request #243 · github/accessibility-scanner

taarikashenafi · 2026-06-29T18:34:46Z

Cuts a new minor release to ship features and fixes accumulated in main since v3.2.0. This is a minor bump — all changes are additive and backwards-compatible (no inputs/outputs removed or reformatted).

What's new

group_by input — consolidate findings into issues by finding (default), rule, or rule+url
dry_run input — preview what would be filed/closed/reopened without mutating issues or writing the cache
file_best_practice_issues / file_experimental_issues inputs — toggle filing of non-WCAG findings
Finding categorization — Axe violations tagged wcag / best-practice / experimental, surfaced in issue bodies and labels
wontfix label support — closed issues labeled wontfix are no longer reopened on re-runs

Fixes

Reflow-scan messaging reworded and updated to reference WCAG 2.2
Issue acceptance criteria updated from WCAG 2.1 → 2.2
actions/checkout@v6 → v7 across workflows and gh-cache/*
Dependency bumps (@types/node, eslint, typescript-eslint, vitest, playwright, etc.)

Testing

✅ Scorecard manual test against @main passed — run #83, 3-site matrix (storybook, admin, thehub), exercising auth_context + auth-to-github
✅ Automated Test workflow green on main
⚠️ Sandbox-only checks (self-hosted runners, first-run/no-cache, Copilot assignment) were not run due to repo access limitations
⚠️ New inputs (dry_run, group_by, file_*, wontfix) are covered by unit tests but were not exercised in a live sandbox run

closes github/accessibility#10808

Bumps the github-actions group with 1 update in the / directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.307.0 to 1.308.0 - [Release notes](https://github.com/ruby/setup-ruby/releases) - [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb) - [Commits](ruby/setup-ruby@6aaa311...97ecb7b) --- updated-dependencies: - dependency-name: ruby/setup-ruby dependency-version: 1.308.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>

…ies with 3 updates Bumps the npm-minor-and-patch group with 3 updates in the / directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [eslint](https://github.com/eslint/eslint) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint). Bumps the npm-minor-and-patch group with 1 update in the /.github/actions/auth directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node). Bumps the npm-minor-and-patch group with 1 update in the /.github/actions/file directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node). Bumps the npm-minor-and-patch group with 1 update in the /.github/actions/find directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node). Bumps the npm-minor-and-patch group with 1 update in the /.github/actions/fix directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node). Updates `@types/node` from 25.7.0 to 25.9.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `eslint` from 10.3.0 to 10.4.0 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](eslint/eslint@v10.3.0...v10.4.0) Updates `typescript-eslint` from 8.59.3 to 8.59.4 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.4/packages/typescript-eslint) Updates `@types/node` from 25.7.0 to 25.9.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `@types/node` from 25.7.0 to 25.9.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `@types/node` from 25.7.0 to 25.9.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `@types/node` from 25.7.0 to 25.9.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-version: 25.9.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor-and-patch - dependency-name: eslint dependency-version: 10.4.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor-and-patch - dependency-name: typescript-eslint dependency-version: 8.59.4 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-minor-and-patch - dependency-name: "@types/node" dependency-version: 25.9.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor-and-patch - dependency-name: "@types/node" dependency-version: 25.9.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor-and-patch - dependency-name: "@types/node" dependency-version: 25.9.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor-and-patch - dependency-name: "@types/node" dependency-version: 25.9.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm-minor-and-patch ... Signed-off-by: dependabot[bot] <support@github.com>

…ub-actions group across 1 directory (#218) Bumps the github-actions group with 1 update in the / directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.307.0 to 1.308.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ruby/setup-ruby/releases">ruby/setup-ruby's releases</a>.</em></p> <blockquote> <h2>v1.308.0</h2> <h2>What's Changed</h2> <ul> <li>Update CRuby releases on Windows by <a href="https://github.com/ruby-builder-bot"><code>@ruby-builder-bot</code></a> in <a href="https://redirect.github.com/ruby/setup-ruby/pull/912">ruby/setup-ruby#912</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ruby/setup-ruby/compare/v1.307.0...v1.308.0">https://github.com/ruby/setup-ruby/compare/v1.307.0...v1.308.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ruby/setup-ruby/commit/97ecb7b512899eb71ab1bf2310a624c6f1589ac6"><code>97ecb7b</code></a> Update CRuby releases on Windows</li> <li>See full diff in <a href="https://github.com/ruby/setup-ruby/compare/6aaa311d81eba98ae12eaffbcb63296ace0efcde...97ecb7b512899eb71ab1bf2310a624c6f1589ac6">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ruby/setup-ruby&package-manager=github_actions&previous-version=1.307.0&new-version=1.308.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details>

…ies with 3 updates (#219) Bumps the npm-minor-and-patch group with 3 updates in the / directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node), [eslint](https://github.com/eslint/eslint) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint). Bumps the npm-minor-and-patch group with 1 update in the /.github/actions/auth directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node). Bumps the npm-minor-and-patch group with 1 update in the /.github/actions/file directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node). Bumps the npm-minor-and-patch group with 1 update in the /.github/actions/find directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node). Bumps the npm-minor-and-patch group with 1 update in the /.github/actions/fix directory: [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node). Updates `@types/node` from 25.7.0 to 25.9.0 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> Updates `eslint` from 10.3.0 to 10.4.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/eslint/eslint/releases">eslint's releases</a>.</em></p> <blockquote> <h2>v10.4.0</h2> <h2>Features</h2> <ul> <li><a href="https://github.com/eslint/eslint/commit/1a45ec596af1dd5f880e6874cb8f24dafb6a7ecf"><code>1a45ec5</code></a> feat: check sequence expressions in <code>for-direction</code> (<a href="https://redirect.github.com/eslint/eslint/issues/20701">#20701</a>) (kuldeep kumar)</li> <li><a href="https://github.com/eslint/eslint/commit/450040bd89b989b3531824c6be45feb5fe3d936b"><code>450040b</code></a> feat: add <code>includeIgnoreFile()</code> to <code>eslint/config</code> (<a href="https://redirect.github.com/eslint/eslint/issues/20735">#20735</a>) (Kirk Waiblinger)</li> </ul> <h2>Bug Fixes</h2> <ul> <li><a href="https://github.com/eslint/eslint/commit/544c0c3da589166ad8e5d634f35d3d06701c57be"><code>544c0c3</code></a> fix: escape code path DOT labels in debug output (<a href="https://redirect.github.com/eslint/eslint/issues/20866">#20866</a>) (Pixel998)</li> <li><a href="https://github.com/eslint/eslint/commit/6799431203f2579632d0870f98ba132067f4040c"><code>6799431</code></a> fix: update dependency <code>@eslint/config-helpers</code> to ^0.6.0 (<a href="https://redirect.github.com/eslint/eslint/issues/20850">#20850</a>) (renovate[bot])</li> <li><a href="https://github.com/eslint/eslint/commit/f078fef5005dceb14fc162aab7c7200e027688dd"><code>f078fef</code></a> fix: handle non-array deprecated rule replacements (<a href="https://redirect.github.com/eslint/eslint/issues/20825">#20825</a>) (xbinaryx)</li> </ul> <h2>Documentation</h2> <ul> <li><a href="https://github.com/eslint/eslint/commit/7e52a7151fb92eec0e0f67fe4e5ddbd1ccce796f"><code>7e52a71</code></a> docs: add mention of <code>@eslint-react/eslint-plugin</code> (<a href="https://redirect.github.com/eslint/eslint/issues/20869">#20869</a>) (Pavel)</li> <li><a href="https://github.com/eslint/eslint/commit/db3468ba746407d7f286f18f7ea9db6df0e3bc08"><code>db3468b</code></a> docs: tweak wording around ambiguous CJS-vs-ESM config (<a href="https://redirect.github.com/eslint/eslint/issues/20865">#20865</a>) (Kirk Waiblinger)</li> <li><a href="https://github.com/eslint/eslint/commit/90846643ec6e97d447ae0d831fabe6d17b0a998a"><code>9084664</code></a> docs: Update README (GitHub Actions Bot)</li> <li><a href="https://github.com/eslint/eslint/commit/9cc73875046e3c4b8313644cbb1e99e26b36bd3f"><code>9cc7387</code></a> docs: Update README (GitHub Actions Bot)</li> <li><a href="https://github.com/eslint/eslint/commit/3d7b5484407403817aa9071a394d336d8ea96eb5"><code>3d7b548</code></a> docs: Update README (GitHub Actions Bot)</li> <li><a href="https://github.com/eslint/eslint/commit/191ec3c0a3f94ce0f110df761f0b2b8949011ccb"><code>191ec3c</code></a> docs: Update README (GitHub Actions Bot)</li> </ul> <h2>Chores</h2> <ul> <li><a href="https://github.com/eslint/eslint/commit/6616856f28fa514a30f87b5539fc100d739a94bf"><code>6616856</code></a> chore: upgrade knip to v6 (<a href="https://redirect.github.com/eslint/eslint/issues/20875">#20875</a>) (Pixel998)</li> <li><a href="https://github.com/eslint/eslint/commit/d13b084a3ad02f926e9addaa35fc383759ea5554"><code>d13b084</code></a> ci: ensure auto-created PRs run CI (<a href="https://redirect.github.com/eslint/eslint/issues/20860">#20860</a>) (lumir)</li> <li><a href="https://github.com/eslint/eslint/commit/e71c7af86dce9acc1d18cb12d2184309f6841594"><code>e71c7af</code></a> ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (<a href="https://redirect.github.com/eslint/eslint/issues/20862">#20862</a>) (dependabot[bot])</li> <li><a href="https://github.com/eslint/eslint/commit/d84393dea170f54191fd20c8268b52c81c0ccd99"><code>d84393d</code></a> test: add unit tests for SuppressionsService.applySuppressions() (<a href="https://redirect.github.com/eslint/eslint/issues/20863">#20863</a>) (kuldeep kumar)</li> <li><a href="https://github.com/eslint/eslint/commit/24db8cb8e6f07fba667121777a15b1785486be94"><code>24db8cb</code></a> test: add tests for SuppressionsService.save() (<a href="https://redirect.github.com/eslint/eslint/issues/20802">#20802</a>) (kuldeep kumar)</li> <li><a href="https://github.com/eslint/eslint/commit/2ef0549cac4a9537e4c3a26b9f3edd4c99476bf6"><code>2ef0549</code></a> chore: update ecosystem plugins (<a href="https://redirect.github.com/eslint/eslint/issues/20857">#20857</a>) (github-actions[bot])</li> <li><a href="https://github.com/eslint/eslint/commit/a4297918d264d229a06cd96051ef9b91c7b86732"><code>a429791</code></a> ci: remove <code>eslint-webpack-plugin</code> types integration test (<a href="https://redirect.github.com/eslint/eslint/issues/20668">#20668</a>) (Milos Djermanovic)</li> <li><a href="https://github.com/eslint/eslint/commit/9e37386aa7f2ce220b2ef74a6afbac5f6b3527c5"><code>9e37386</code></a> chore: replace <code>recast</code> with range approach in code-sample-minimizer (<a href="https://redirect.github.com/eslint/eslint/issues/20682">#20682</a>) (Copilot)</li> <li><a href="https://github.com/eslint/eslint/commit/0dd1f9ffc9a07704d46e2a4c8d4ccc0d0908b0c0"><code>0dd1f9f</code></a> test: disable warning for <code>vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER</code> (<a href="https://redirect.github.com/eslint/eslint/issues/20845">#20845</a>) (Francesco Trotta)</li> <li><a href="https://github.com/eslint/eslint/commit/9da3c7bc92d9579f8db19ecb56e718538d09db2b"><code>9da3c7b</code></a> refactor: remove deprecated <code>meta.language</code> and migrate <code>meta.dialects</code> (<a href="https://redirect.github.com/eslint/eslint/issues/20716">#20716</a>) (Pixel998)</li> <li><a href="https://github.com/eslint/eslint/commit/2099ed12a0a74c3d7f0808514362af2499b4fe2b"><code>2099ed1</code></a> refactor: add <code>meta.defaultOptions</code> to more rules, enable linting (<a href="https://redirect.github.com/eslint/eslint/issues/20800">#20800</a>) (xbinaryx)</li> <li><a href="https://github.com/eslint/eslint/commit/f1dfbc9ca57196de7092e1888cc99427bd6fe06e"><code>f1dfbc9</code></a> chore: update ecosystem plugins (<a href="https://redirect.github.com/eslint/eslint/issues/20836">#20836</a>) (github-actions[bot])</li> <li><a href="https://github.com/eslint/eslint/commit/c75941390c14728806cd4baef4f6072f6de78318"><code>c759413</code></a> ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 (<a href="https://redirect.github.com/eslint/eslint/issues/20843">#20843</a>) (dependabot[bot])</li> <li><a href="https://github.com/eslint/eslint/commit/5b817d6fdc9ae2c35b528dc662b2eca8f40f64aa"><code>5b817d6</code></a> test: add unit tests for lib/shared/ast-utils (<a href="https://redirect.github.com/eslint/eslint/issues/20838">#20838</a>) (kuldeep kumar)</li> <li><a href="https://github.com/eslint/eslint/commit/1c13ae3934c198c494e5958fa3a68b33244ff06a"><code>1c13ae3</code></a> test: add unit tests for lib/shared/severity (<a href="https://redirect.github.com/eslint/eslint/issues/20835">#20835</a>) (kuldeep kumar)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/eslint/eslint/commit/452c4010c07dc2e36fe6ec6a8c48298878e86887"><code>452c401</code></a> 10.4.0</li> <li><a href="https://github.com/eslint/eslint/commit/b6417e8b55c9525070d6e168b485ce6ff21688ed"><code>b6417e8</code></a> Build: changelog update for 10.4.0</li> <li><a href="https://github.com/eslint/eslint/commit/6616856f28fa514a30f87b5539fc100d739a94bf"><code>6616856</code></a> chore: upgrade knip to v6 (<a href="https://redirect.github.com/eslint/eslint/issues/20875">#20875</a>)</li> <li><a href="https://github.com/eslint/eslint/commit/d13b084a3ad02f926e9addaa35fc383759ea5554"><code>d13b084</code></a> ci: ensure auto-created PRs run CI (<a href="https://redirect.github.com/eslint/eslint/issues/20860">#20860</a>)</li> <li><a href="https://github.com/eslint/eslint/commit/7e52a7151fb92eec0e0f67fe4e5ddbd1ccce796f"><code>7e52a71</code></a> docs: add mention of <code>@eslint-react/eslint-plugin</code> (<a href="https://redirect.github.com/eslint/eslint/issues/20869">#20869</a>)</li> <li><a href="https://github.com/eslint/eslint/commit/e71c7af86dce9acc1d18cb12d2184309f6841594"><code>e71c7af</code></a> ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (<a href="https://redirect.github.com/eslint/eslint/issues/20862">#20862</a>)</li> <li><a href="https://github.com/eslint/eslint/commit/544c0c3da589166ad8e5d634f35d3d06701c57be"><code>544c0c3</code></a> fix: escape code path DOT labels in debug output (<a href="https://redirect.github.com/eslint/eslint/issues/20866">#20866</a>)</li> <li><a href="https://github.com/eslint/eslint/commit/db3468ba746407d7f286f18f7ea9db6df0e3bc08"><code>db3468b</code></a> docs: tweak wording around ambiguous CJS-vs-ESM config (<a href="https://redirect.github.com/eslint/eslint/issues/20865">#20865</a>)</li> <li><a href="https://github.com/eslint/eslint/commit/d84393dea170f54191fd20c8268b52c81c0ccd99"><code>d84393d</code></a> test: add unit tests for SuppressionsService.applySuppressions() (<a href="https://redirect.github.com/eslint/eslint/issues/20863">#20863</a>)</li> <li><a href="https://github.com/eslint/eslint/commit/90846643ec6e97d447ae0d831fabe6d17b0a998a"><code>9084664</code></a> docs: Update README</li> <li>Additional commits viewable in <a href="https://github.com/eslint/eslint/compare/v10.3.0...v10.4.0">compare view</a></li> </ul> </details> <br /> Updates `typescript-eslint` from 8.59.3 to 8.59.4 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/typescript-eslint/typescript-eslint/releases">typescript-eslint's releases</a>.</em></p> <blockquote> <h2>v8.59.4</h2> <h2>8.59.4 (2026-05-18)</h2> <h3>🩹 Fixes</h3> <ul> <li><strong>eslint-plugin:</strong> [no-floating-promises] stack overflow when using recursive types (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12294">#12294</a>)</li> <li><strong>project-service:</strong> throw error cause in <code>getParsedConfigFileFromTSServer</code> (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12321">#12321</a>)</li> <li><strong>typescript-eslint:</strong> export Compatible* types from typescript-eslint to resolve pnpm TS error (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12340">#12340</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Evyatar Daud <a href="https://github.com/StyleShit"><code>@StyleShit</code></a></li> <li>Kirk Waiblinger <a href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li> <li>lumir</li> </ul> <p>See <a href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.4">GitHub Releases</a> for more information.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md">typescript-eslint's changelog</a>.</em></p> <blockquote> <h2>8.59.4 (2026-05-18)</h2> <h3>🩹 Fixes</h3> <ul> <li><strong>typescript-eslint:</strong> export Compatible* types from typescript-eslint to resolve pnpm TS error (<a href="https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12340">#12340</a>)</li> </ul> <h3>❤️ Thank You</h3> <ul> <li>Kirk Waiblinger <a href="https://github.com/kirkwaiblinger"><code>@kirkwaiblinger</code></a></li> </ul> <p>See <a href="https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.4">GitHub Releases</a> for more information.</p> <p>You can read about our <a href="https://typescript-eslint.io/users/versioning">versioning strategy</a> and <a href="https://typescript-eslint.io/users/releases">releases</a> on our website.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/typescript-eslint/typescript-eslint/commit/ca6ca1431b6d18235297a7e29feb5d98f012dff2"><code>ca6ca14</code></a> chore(release): publish 8.59.4</li> <li><a href="https://github.com/typescript-eslint/typescript-eslint/commit/4b927c607755b2648d5854b9e928c1dbb2b8e088"><code>4b927c6</code></a> fix(typescript-eslint): export Compatible* types from typescript-eslint to re...</li> <li>See full diff in <a href="https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.4/packages/typescript-eslint">compare view</a></li> </ul> </details> <br /> Updates `@types/node` from 25.7.0 to 25.9.0 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> Updates `@types/node` from 25.7.0 to 25.9.0 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> Updates `@types/node` from 25.7.0 to 25.9.0 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> Updates `@types/node` from 25.7.0 to 25.9.0 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details>

Bumps the github-actions group with 1 update in the / directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.308.0 to 1.310.0 - [Release notes](https://github.com/ruby/setup-ruby/releases) - [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb) - [Commits](ruby/setup-ruby@97ecb7b...afeafc3) --- updated-dependencies: - dependency-name: ruby/setup-ruby dependency-version: 1.310.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>

…ub-actions group across 1 directory (#220) Bumps the github-actions group with 1 update in the / directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.308.0 to 1.310.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ruby/setup-ruby/releases">ruby/setup-ruby's releases</a>.</em></p> <blockquote> <h2>v1.310.0</h2> <h2>What's Changed</h2> <ul> <li>Add ruby-4.0.5 by <a href="https://github.com/ruby-builder-bot"><code>@ruby-builder-bot</code></a> in <a href="https://redirect.github.com/ruby/setup-ruby/pull/918">ruby/setup-ruby#918</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ruby/setup-ruby/compare/v1.309.0...v1.310.0">https://github.com/ruby/setup-ruby/compare/v1.309.0...v1.310.0</a></p> <h2>v1.309.0</h2> <h2>What's Changed</h2> <ul> <li>Update CRuby releases on Windows by <a href="https://github.com/ruby-builder-bot"><code>@ruby-builder-bot</code></a> in <a href="https://redirect.github.com/ruby/setup-ruby/pull/917">ruby/setup-ruby#917</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ruby/setup-ruby/compare/v1.308.0...v1.309.0">https://github.com/ruby/setup-ruby/compare/v1.308.0...v1.309.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ruby/setup-ruby/commit/afeafc3d1ab54a631816aba4c914a0081c12ff2f"><code>afeafc3</code></a> Add ruby-4.0.5</li> <li><a href="https://github.com/ruby/setup-ruby/commit/28c65f7bd3231513f1560eb7d7ec44501e65d10b"><code>28c65f7</code></a> Update CRuby releases on Windows</li> <li>See full diff in <a href="https://github.com/ruby/setup-ruby/compare/97ecb7b512899eb71ab1bf2310a624c6f1589ac6...afeafc3d1ab54a631816aba4c914a0081c12ff2f">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ruby/setup-ruby&package-manager=github_actions&previous-version=1.308.0&new-version=1.310.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details>

Bumps the bundler-minor-and-patch group in /sites/site-with-errors with 1 update: [puma](https://github.com/puma/puma). Updates `puma` from 8.0.1 to 8.0.2 - [Release notes](https://github.com/puma/puma/releases) - [Changelog](https://github.com/puma/puma/blob/main/History.md) - [Commits](puma/puma@v8.0.1...v8.0.2) --- updated-dependencies: - dependency-name: puma dependency-version: 8.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: bundler-minor-and-patch ... Signed-off-by: dependabot[bot] <support@github.com>

… in the bundler-minor-and-patch group (#221) Bumps the bundler-minor-and-patch group in /sites/site-with-errors with 1 update: [puma](https://github.com/puma/puma). Updates `puma` from 8.0.1 to 8.0.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/puma/puma/releases">puma's releases</a>.</em></p> <blockquote> <h2>v8.0.2</h2> <ul> <li>Bugfixes <ul> <li>Anchor PROXY protocol v1 regex to string start and enforce max line length to prevent injection via crafted request bodies (<a href="https://redirect.github.com/puma/puma/issues/3944">#3944</a>)</li> <li>Parse PROXY protocol header only on the first request per connection to prevent spoofing on keep-alive connections (<a href="https://redirect.github.com/puma/puma/issues/3944">#3944</a>)</li> </ul> </li> </ul> <h2>Security advisories</h2> <ul> <li><a href="https://github.com/puma/puma/security/advisories/GHSA-qpgp-93vx-g8v8">CVE-2026-47736 / GHSA-qpgp-93vx-g8v8</a>: Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion</li> <li><a href="https://github.com/puma/puma/security/advisories/GHSA-2vqw-3mp8-cgmx">CVE-2026-47737 / GHSA-2vqw-3mp8-cgmx</a>: Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/puma/puma/blob/main/History.md">puma's changelog</a>.</em></p> <blockquote> <h2>8.0.2 / 2026-05-27</h2> <ul> <li>Bugfixes <ul> <li>Anchor PROXY protocol v1 regex to string start and enforce max line length to prevent injection via crafted request bodies (<a href="https://redirect.github.com/puma/puma/issues/3944">#3944</a>)</li> <li>Parse PROXY protocol header only on the first request per connection to prevent spoofing on keep-alive connections (<a href="https://redirect.github.com/puma/puma/issues/3944">#3944</a>)</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/puma/puma/commit/8085b75e79e3f7f1a96e5b488d74a71f62edd24d"><code>8085b75</code></a> Release v8.0.2 (<a href="https://redirect.github.com/puma/puma/issues/3945">#3945</a>)</li> <li><a href="https://github.com/puma/puma/commit/439c6136d9c2275721b7864db3ee78af7c80889f"><code>439c613</code></a> 8.0.2 backport (<a href="https://redirect.github.com/puma/puma/issues/3944">#3944</a>)</li> <li>See full diff in <a href="https://github.com/puma/puma/compare/v8.0.1...v8.0.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=puma&package-manager=bundler&previous-version=8.0.1&new-version=8.0.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details>

Bumps the github-actions group with 1 update in the / directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.310.0 to 1.311.0 - [Release notes](https://github.com/ruby/setup-ruby/releases) - [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb) - [Commits](ruby/setup-ruby@afeafc3...a99ac84) --- updated-dependencies: - dependency-name: ruby/setup-ruby dependency-version: 1.311.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>

…ub-actions group across 1 directory (#225) Bumps the github-actions group with 1 update in the / directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.310.0 to 1.311.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ruby/setup-ruby/releases">ruby/setup-ruby's releases</a>.</em></p> <blockquote> <h2>v1.311.0</h2> <h2>What's Changed</h2> <ul> <li>Add jruby-9.4.15.0 by <a href="https://github.com/ruby-builder-bot"><code>@ruby-builder-bot</code></a> in <a href="https://redirect.github.com/ruby/setup-ruby/pull/920">ruby/setup-ruby#920</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ruby/setup-ruby/compare/v1.310.0...v1.311.0">https://github.com/ruby/setup-ruby/compare/v1.310.0...v1.311.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ruby/setup-ruby/commit/a99ac844649df2596b52b4db087cfa0881b172af"><code>a99ac84</code></a> Add jruby-9.4.15.0</li> <li>See full diff in <a href="https://github.com/ruby/setup-ruby/compare/afeafc3d1ab54a631816aba4c914a0081c12ff2f...a99ac844649df2596b52b4db087cfa0881b172af">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ruby/setup-ruby&package-manager=github_actions&previous-version=1.310.0&new-version=1.311.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details>

Bumps the github-actions group with 1 update in the / directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.311.0 to 1.313.0 - [Release notes](https://github.com/ruby/setup-ruby/releases) - [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb) - [Commits](ruby/setup-ruby@a99ac84...89f9052) --- updated-dependencies: - dependency-name: ruby/setup-ruby dependency-version: 1.313.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 8.0.12 to 8.0.16. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v8.0.16/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 8.0.16 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

…ub-actions group across 1 directory (#227) Bumps the github-actions group with 1 update in the / directory: [ruby/setup-ruby](https://github.com/ruby/setup-ruby). Updates `ruby/setup-ruby` from 1.311.0 to 1.313.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ruby/setup-ruby/releases">ruby/setup-ruby's releases</a>.</em></p> <blockquote> <h2>v1.313.0</h2> <h2>What's Changed</h2> <ul> <li>Add jruby-10.0.6.0 by <a href="https://github.com/ruby-builder-bot"><code>@ruby-builder-bot</code></a> in <a href="https://redirect.github.com/ruby/setup-ruby/pull/921">ruby/setup-ruby#921</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ruby/setup-ruby/compare/v1.312.0...v1.313.0">https://github.com/ruby/setup-ruby/compare/v1.312.0...v1.313.0</a></p> <h2>v1.312.0</h2> <h2>What's Changed</h2> <ul> <li>Use BUNDLE_LOCKFILE when detecting the lockfile by <a href="https://github.com/Thomascountz"><code>@Thomascountz</code></a> in <a href="https://redirect.github.com/ruby/setup-ruby/pull/919">ruby/setup-ruby#919</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Thomascountz"><code>@Thomascountz</code></a> made their first contribution in <a href="https://redirect.github.com/ruby/setup-ruby/pull/919">ruby/setup-ruby#919</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ruby/setup-ruby/compare/v1.311.0...v1.312.0">https://github.com/ruby/setup-ruby/compare/v1.311.0...v1.312.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ruby/setup-ruby/commit/89f90524b88a01fe6e0b732220432cc6142926af"><code>89f9052</code></a> Add jruby-10.0.6.0</li> <li><a href="https://github.com/ruby/setup-ruby/commit/12fd324f1d0b43274fdc8130f6980590a667c455"><code>12fd324</code></a> Use BUNDLE_LOCKFILE when detecting the lockfile</li> <li>See full diff in <a href="https://github.com/ruby/setup-ruby/compare/a99ac844649df2596b52b4db087cfa0881b172af...89f90524b88a01fe6e0b732220432cc6142926af">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ruby/setup-ruby&package-manager=github_actions&previous-version=1.311.0&new-version=1.313.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details>

Co-authored-by: Joyce Zhu <joycezhu@github.com>

…rate preview

Co-authored-by: Joyce Zhu <joycezhu@github.com>

Closes #230 Updates the reflow-scan plugin text to improve clarity: - Removes mention of 256 height from comment - Updates `problemShort` to better describe the issue - Updates `problemUrl` to reference WCAG 2.2 instead of 2.1 - Updates `solutionShort` to use more descriptive guidance - Updates `solutionLong` with clearer violation explanation - Updates test strings to match new copy

Tracking issue with context: github/accessibility#10757 Based on feedback from `@joseinthearena`: with many open scanner issues there was no way to preview what a scan would do without actually filing, closing, or reopening issues — and no way to do so without mutating the `gh-cache` branch. This adds a `dry_run` input that runs a normal scan and **logs the issues that would be filed**, while making no changes: no issues are opened, closed, or reopened, no Copilot assignment, and the cache is not written. Because dry runs don't update the cache, the next real run behaves exactly as if the dry run never happened. ## Changes - **`action.yml` (root)** — New `dry_run` input (default `false`); forwarded to the `file` step; skips the `Fix`, `Save screenshots`, `Copy results to cache path`, and `Save cached results` steps when `dry_run` is `true` - **`.github/actions/file/action.yml`** — New `dry_run` input declared - **`file/src/index.ts`** — When `dry_run` is set, each filing is classified via the existing `isNewFiling` / `isRepeatedFiling` / `isResolvedFiling` guards and the intended action is logged (early `continue`, so no Octokit calls are made); grouped/tracking-issue creation is skipped; a summary count is logged; `filings_file` is still written so the output contract is unchanged - **`README.md`** — `dry_run` input documented in the inputs table and getting-started example - **`FAQ.md`** — New entry explaining how to preview a scan and noting that dry runs don't write the cache ### Test Updates - Added `file/tests/dryRun.test.ts` — asserts no issues are opened/closed/reopened in dry run, the correct `[dry run] Would …` lines and summary are logged, and `filings_file` is still written; includes a regression guard that mutations still occur when `dry_run` is `false` ## Usage ```yaml - uses: github/accessibility-scanner@v3 with: urls: | https://example.com repository: owner/repo token: ${{ secrets.GH_TOKEN }} cache_key: cached_results.json dry_run: true # Scan and log what would be filed without creating/closing issues or writing the cache ``` When `dry_run` is not provided, the scanner behaves exactly as before. ## Notes - Design decision: cache *restore* is kept (read-only) so dry-run logs can accurately distinguish "would open (new)" from "would reopen (existing)"; only the cache *save* is skipped. - The `file`-action logic is covered by the new tests. The `action.yml` step gating was verified by inspection but not run end-to-end — flagging for confirmation in CI. - Per the tracking issue's second acceptance criterion, this will need a new minor release (and the `v3` tag re-pointed) cut by a maintainer.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Joyce Zhu <joycezhu@github.com>

…th, naming, docs

Co-authored-by: Joyce Zhu <joycezhu@github.com>

Closes github/accessibility#10756. Closing a scanner-filed issue without merging a fix used to cause it to reopen on the next run. Adding the `wontfix` label now keeps it closed

Co-authored-by: Joyce Zhu <joycezhu@github.com>

…est-practice # Conflicts: # .github/actions/file/src/index.ts

…print

…into group-by-option # Conflicts: # .github/actions/file/src/index.ts

Closes #34 (which closes github/accessibility#10749) ## Problem Every finding was filed as if it were a hard WCAG failure, with no way to differentiate definitive violations and best-practice or experimental checks. There was also no way to stop filing the non-WCAG ones. ## Changes - Classify each Axe finding as `wcag`, `best-practice`, or `experimental` - Surface non-WCAG findings in the filed issue: a "**Note:** …not a hard WCAG failure" line in the body and a `best-practice`/`experimental`label. - Add two action inputs, `file_best_practice_issues` and`file_experimental_issues` (default `true`), to skip filing those categories

…into group-by-option # Conflicts: # .github/actions/file/action.yml # .github/actions/file/src/generateIssueBody.ts # .github/actions/file/tests/generateIssueBody.test.ts # README.md # action.yml

…print # Conflicts: # .github/actions/file/src/generateIssueBody.ts # .github/actions/file/src/types.d.ts # .github/actions/file/tests/generateIssueBody.test.ts # .github/actions/find/src/types.d.ts # .github/actions/find/tests/findForUrl.test.ts

Tracking issue with context: github/accessibility#10753 Based on feedback from `@joseinthearena`: with many open scanner issues across a handful of rules (e.g. color-contrast ×11, heading-order ×6) there was no way to consolidate. The `gh-cache` branch maps each finding's fingerprint → issue URL 1:1, so re-routing N findings to a single "umbrella" issue meant editing `gh-cache` JSON by hand — brittle, and a typo silently breaks dedup. This adds a `group_by` input that controls how findings are consolidated into issues: `finding` (default, current behavior — one issue per violation), `rule` (one issue per rule), or `rule+url` (one issue per rule per scanned URL). When grouping, each duplicate occurrence is appended to the single issue as a checklist item rather than spawning a new issue. Because the default is `finding`, existing workflows behave exactly as before. ## Changes - **`action.yml` (root)** — New `group_by` input (default `finding`); forwarded to the `file` step - **`.github/actions/file/action.yml`** — New `group_by` input declared (default `finding`) - **`file/src/types.d.ts`** — New `GroupBy` type (`'finding' | 'rule' | 'rule+url'`) - **`file/src/updateFilingsWithNewFindings.ts`** — The 1:1 dedup behavior lived entirely in `getFindingKey`; it's now group-aware, computing a coarser key for `rule` / `rule+url` so multiple findings collapse into a single filing carrying multiple findings (a shape the pipeline already supported). New findings in the same group are also de-duplicated into one new filing - **`file/src/index.ts`** — Reads and validates `group_by` (fails fast via `setFailed` on an invalid value), threads it into `updateFilingsWithNewFindings`, and passes each filing's full findings array to the open/reopen helpers - **`file/src/generateIssueBody.ts` / `openIssue.ts` / `reopenIssue.ts`** — When a filing groups multiple findings, each occurrence is rendered as a checklist item under an **Occurrences** section, and the issue title reflects the occurrence count; single-finding output is unchanged - **`README.md`** — `group_by` input documented in the inputs table and getting-started example - **`.github/actions/file/README.md`** — `group_by` input documented ### Test Updates - Added `file/tests/updateFilingsWithNewFindings.test.ts` — asserts `finding` yields one filing per violation (default), `rule` collapses all occurrences of a rule into a single filing, `rule+url` yields one filing per rule per URL, new occurrences attach to an existing cached filing instead of opening a new issue, and distinct rules stay separate - Updated `file/tests/openIssue.test.ts`, `generateIssueBody.test.ts`, and `reopenIssue.test.ts` for the findings-array signature and the **Occurrences** checklist rendering - Updated `file/tests/dryRun.test.ts` to cover grouped dry-run behavior and invalid-`group_by` handling ## Usage ```yaml - uses: github/accessibility-scanner@v3 with: urls: | https://example.com repository: owner/repo token: ${{ secrets.GH_TOKEN }} cache_key: cached_results.json group_by: rule # 'finding' (default, one issue per violation), 'rule' (one per rule), or 'rule+url' (one per rule per scanned URL) ``` When `group_by` is not provided, the scanner behaves exactly as before (one issue per finding). ## Notes - kept the existing `open_grouped_issues` option as-is instead of removing it. It's similar but not the same (it still files every issue and adds a separate tracking issue, while `group_by` files one combined issue). Removing it would be a breaking change, so I left it for a follow-up — happy to go either way. - For a grouped issue, the title shows the occurrence count, e.g. `… (3 occurrences)`, since the findings can span multiple URLs.

…print # Conflicts: # .github/actions/file/src/updateFilingsWithNewFindings.ts # .github/actions/file/tests/generateIssueBody.test.ts # .github/actions/file/tests/updateFilingsWithNewFindings.test.ts

github-advanced-security · 2026-06-29T18:34:48Z

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Copilot

Pull request overview

Cuts a new minor release (v3.3.0) of the accessibility scanner action by introducing new filing controls (grouping, dry-run previews, and category toggles), improving how findings are described/categorized, and updating docs/workflows/dependencies to match.

Changes:

Added new inputs/behavior for filing: group_by, dry_run, file_best_practice_issues, file_experimental_issues, plus wontfix label support to prevent reopening intentionally-closed issues.
Added Axe finding categorization (wcag / best-practice / experimental) and enhanced issue body/title generation to support grouped occurrences.
Updated documentation, tests/fixtures, reflow-scan messaging (WCAG 2.2), workflows, and dependency versions.

Show a summary per file

File	Description
tests/site-with-errors.test.ts	Updates expectations for new finding `category` field and revised reflow-scan messaging/title.
sites/site-with-errors/Gemfile.lock	Bumps Ruby dependencies for the example error site fixture.
README.md	Documents new action inputs and adds `wontfix` behavior guidance.
package.json	Updates root dev dependencies (Node types, ESLint, typescript-eslint).
package-lock.json	Locks updated root dependency graph.
FAQ.md	Adds dry-run FAQ entry describing preview behavior.
action.yml	Exposes new inputs at the main action level and threads them into the internal steps; gates mutating steps on `dry_run`.
.github/workflows/test.yml	Updates `actions/checkout` and pins a newer `ruby/setup-ruby` commit SHA.
.github/workflows/lint.yml	Updates `actions/checkout` to v7.
.github/scanner-plugins/reflow-scan/index.ts	Rewords reflow-scan finding text, updates WCAG link to 2.2, and refines guidance language.
.github/actions/gh-cache/save/action.yml	Updates `actions/checkout` to v7 inside gh-cache save action.
.github/actions/gh-cache/restore/action.yml	Updates `actions/checkout` to v7 inside gh-cache restore action.
.github/actions/gh-cache/delete/action.yml	Updates `actions/checkout` to v7 inside gh-cache delete action.
.github/actions/fix/package.json	Bumps fix action dev dependency versions (Node types).
.github/actions/fix/package-lock.json	Locks updated fix action dependency graph.
.github/actions/find/tests/findForUrl.test.ts	Adds unit tests validating Axe violation categorization rules.
.github/actions/find/src/types.d.ts	Adds `FindingCategory` and optional `category` on findings.
.github/actions/find/src/findForUrl.ts	Implements `categorizeAxeViolation` and attaches `category` to Axe findings.
.github/actions/find/package.json	Bumps find action dev dependency versions (Node types).
.github/actions/find/package-lock.json	Locks updated find action dependency graph.
.github/actions/file/tests/wontfixReopen.test.ts	Adds tests ensuring `wontfix`-labeled closed issues aren’t reopened.
.github/actions/file/tests/updateFilingsWithNewFindings.test.ts	Adds tests for `group_by` behavior across modes.
.github/actions/file/tests/shouldReopenIssue.test.ts	Adds tests for wontfix pagination/filtering and reopen decision logic.
.github/actions/file/tests/reopenIssue.test.ts	Updates reopen behavior/tests to support multiple findings per filing.
.github/actions/file/tests/openIssue.test.ts	Updates open behavior/tests to accept grouped findings and category labels; asserts occurrence-count titles.
.github/actions/file/tests/generateIssueBody.test.ts	Updates/extends tests for WCAG 2.2 criteria text, category notice, and grouped occurrences rendering.
.github/actions/file/tests/dryRun.test.ts	Adds tests for `dry_run` preview behavior and invalid `group_by` handling.
.github/actions/file/src/updateFilingsWithNewFindings.ts	Implements grouping modes and merges new findings into new/cached filings accordingly.
.github/actions/file/src/types.d.ts	Adds `FindingCategory` and optional `category` on findings.
.github/actions/file/src/shouldReopenIssue.ts	Adds `wontfix` label support with paginated closed-issue prefetch and set-based lookups.
.github/actions/file/src/reopenIssue.ts	Updates reopen helper to generate bodies from multiple findings.
.github/actions/file/src/openIssue.ts	Updates open helper to accept multiple findings, add category labels, and include occurrence count in titles when grouped.
.github/actions/file/src/index.ts	Wires new inputs (`group_by`, `dry_run`, category toggles, `wontfix`) into filing control flow; adds dry-run summary.
.github/actions/file/src/groupBy.ts	Adds `GroupBy` type, allowed values, and runtime validator.
.github/actions/file/src/generateIssueBody.ts	Adds category note, WCAG 2.2 wording, and grouped “Occurrences” section support.
.github/actions/file/README.md	Documents new `group_by` behavior and improves JSON examples formatting.
.github/actions/file/package.json	Bumps file action dev dependency versions (Node types).
.github/actions/file/package-lock.json	Locks updated file action dependency graph.
.github/actions/file/action.yml	Adds new inputs to the file action interface and normalizes quoting/style.
.github/actions/auth/package.json	Bumps auth action dev dependency versions (Node types).
.github/actions/auth/package-lock.json	Locks updated auth action dependency graph.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files not reviewed (4)

.github/actions/auth/package-lock.json: Generated file
.github/actions/file/package-lock.json: Generated file
.github/actions/find/package-lock.json: Generated file
.github/actions/fix/package-lock.json: Generated file

Files reviewed: 33/41 changed files
Comments generated: 4
Review effort level: Low

+Set the `dry_run` input to `true`. The scanner will run a normal scan and log the
+issues it _would_ open, reopen, or close — but it won't actually mutate any data or write to the `gh-cache` branch
+assign any issues, and it won't write to the `gh-cache` branch.


  const originalViewport = page.viewportSize()
  const url = page.url()
-  // Check for horizontal scrolling at 320x256 viewport
+  // Check for horizontal scrolling at 320 viewport


+  let occurrencesSection = ''
+  if (findings.length > 1) {
+    const items = findings.map(f => `- [ ] ${f.html ? `\`${f.html}\` on ${f.url}` : f.url}`).join('\n')
+    occurrencesSection = `
+## ${findings.length} Other Occurrences:
+
+${items}
+`
+  }


+      if (dryRun) {
+        if (isResolvedFiling(filing)) {
+          dryRunCounts.close++
+          filing.issue.state = 'closed'
+          core.info(`[dry run] Would CLOSE issue: ${filing.issue.url}`)
+        } else if (isNewFiling(filing)) {
+          dryRunCounts.open++
+          ;(filing as Filing).issue = {state: 'open'} as Issue
+          core.info(
+            `[dry run] Would OPEN a new issue for: ${filing.findings[0].problemShort} (${filing.findings[0].url})`,
+          )
+        } else if (isRepeatedFiling(filing)) {
+          dryRunCounts.reopen++
+          filing.issue.state = 'reopened'
+          core.info(`[dry run] Would REOPEN issue: ${filing.issue.url}`)
+        }


Closes github/accessibility#10754 Axe findings were fingerprinted on a single element's exact HTML, so a small DOM shift changed the key and re-filed issues that were already tracked. Instead, we match axe findings by `url + ruleId` instead of HTML, so re-scans re-link to the existing issue even when surrounding markup changes. Moreover, we capture every element that fails a rule (not just the first) and list them all in the issue body.

dependabot Bot and others added 30 commits May 19, 2026 05:09

Add dry_run input to file action

b526fe6

Gate side effects on dry_run in composite action

045b92b

Make file action log intended actions in dry run

3991556

Add dryRun tests

16383c2

Document dry_run option

f58dfc0

Use console.table for dry-run summary, tighten OPEN assertion

2099da3

Update reflow-scan text to improve clarity and reference WCAG 2.2

ec1334f

Merge branch 'main' into dry-run-option

546190e

Update FAQ.md

0459d86

Co-authored-by: Joyce Zhu <joycezhu@github.com>

Refactor dry-run to else block; update in-memory issue state for accu…

c5538c2

…rate preview

Apply suggestions from code review

571b42c

Co-authored-by: Joyce Zhu <joycezhu@github.com>

Fix solutionShort hyphen in test to match plugin

0aa982f

Classify Axe findings by conformance tier

cc8e4e2

Surface finding category in issue body and label

a753177

taarikashenafi and others added 22 commits June 22, 2026 16:34

Merge branch 'main' into group-by-option

34581d4

Match axe findings by rule and report all failing elements

edc9c3f

Trim verbose comments

d5afdd2

Apply suggestions from code review

b61d801

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Joyce Zhu <joycezhu@github.com>

Address review feedback: scannerType-safe keys, GroupBy source of tru…

8997171

…th, naming, docs

Batch wontfix lookups into a single set check

37b9db9

Update README.md

63eef9a

Co-authored-by: Joyce Zhu <joycezhu@github.com>

Update README.md

33d72ad

Co-authored-by: Joyce Zhu <joycezhu@github.com>

Disable reopen wontfix (#234)

26c8030

Closes github/accessibility#10756. Closing a scanner-filed issue without merging a fix used to cause it to reopen on the next run. Adding the `wontfix` label now keeps it closed

Wording changes

f898bda

Co-authored-by: Joyce Zhu <joycezhu@github.com>

Use GFM note alert, WCAG 2.2, and core.getBooleanInput

1024857

Merge remote-tracking branch 'origin/main' into distinguish-wcag-vs-b…

b41d9f0

…est-practice # Conflicts: # .github/actions/file/src/index.ts

Merge remote-tracking branch 'origin/main' into robust-finding-finger…

ff6f4bc

…print

Merge branch 'main' of https://github.com/github/accessibility-scanner …

165e8cb

…into group-by-option # Conflicts: # .github/actions/file/src/index.ts

Merge branch 'main' of https://github.com/github/accessibility-scanner …

50bc06b

…into group-by-option # Conflicts: # .github/actions/file/action.yml # .github/actions/file/src/generateIssueBody.ts # .github/actions/file/tests/generateIssueBody.test.ts # README.md # action.yml

Fix openIssue array signature and category tests after merge

f9a77a4

Rename describeWhat to describeFinding

03e4818

Merge remote-tracking branch 'origin/main' into robust-finding-finger…

276cac3

…print # Conflicts: # .github/actions/file/src/updateFilingsWithNewFindings.ts # .github/actions/file/tests/generateIssueBody.test.ts # .github/actions/file/tests/updateFilingsWithNewFindings.test.ts

Copilot AI review requested due to automatic review settings June 29, 2026 18:34

taarikashenafi requested a review from a team as a code owner June 29, 2026 18:34

taarikashenafi requested a review from accessibility-bot June 29, 2026 18:34

Copilot started reviewing on behalf of taarikashenafi June 29, 2026 18:35 View session

taarikashenafi requested a review from JoyceZhu June 29, 2026 18:37

Copilot AI reviewed Jun 29, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

new release (v3.3.0)#243

new release (v3.3.0)#243
taarikashenafi wants to merge 72 commits into
v3from
main

taarikashenafi commented Jun 29, 2026

Uh oh!

github-advanced-security AI commented Jun 29, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

Uh oh!

Conversation

taarikashenafi commented Jun 29, 2026

What's new

Fixes

Testing

Uh oh!

github-advanced-security AI commented Jun 29, 2026

What Enabling Code Scanning Means:

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Review details

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants