chore(deps): bump the actions group with 5 updates #290

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions-16016706dd
dependabot[bot] commented on behalf of github on Jun 26, 2026

Bumps the actions group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| actions/cache | `5.0.5` | `6.0.0` |
| actions/attest-build-provenance | `2.4.0` | `4.1.0` |
| taiki-e/install-action | `2.82.0` | `2.82.4` |
| dawidd6/action-send-mail | `6e502825a508b867ab2954ad6343b68787624c01` | `994f270325d4f7257aff241a35488ef54ba364a4` |
| hyperpolymath/panic-attack/.github/workflows/scan-and-report.yml | `3f7d0bbed133629b62052fd181a84e4e1c774f9a` | `1c38f3379a3491504c3ea8bf80c3ddc48a497af7` |

Updates actions/cache from 5.0.5 to 6.0.0

Release notes

Sourced from actions/cache's releases.

v6.0.0

What's Changed

Full Changelog: actions/cache@v5...v6.0.0

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE] Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release at https://github.com/actions/cache/releases, using the same version number used in package.json.
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

6.1.0

6.0.0

  • Updated @actions/cache to ^6.0.1, @actions/core to ^3.0.1, @actions/exec to ^3.0.0, @actions/io to ^3.0.2
  • Migrated to ESM module system
  • Upgraded Jest to v30 and test infrastructure to be ESM compatible

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

... (truncated)

Commits

Updates actions/attest-build-provenance from 2.4.0 to 4.1.0

Release notes

Sourced from actions/attest-build-provenance's releases.

v4.1.0

[!NOTE] As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

Full Changelog: actions/attest-build-provenance@v4.0.0...v4.1.0

v4.0.0

[!NOTE] As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

Full Changelog: actions/attest-build-provenance@v3.2.0...v4.0.0

v3.2.0

What's Changed

Full Changelog: actions/attest-build-provenance@v3.1.0...v3.2.0

v3.1.0

What's Changed

New Contributors

... (truncated)

Commits
  • a2bbfa2 bump actions/attest from 4.0.0 to 4.1.0 (#838)
  • 0856891 update RELEASE.md docs (#836)
  • e4d4f7c prepare v4 release (#835)
  • 02a49bd Bump github/codeql-action in the actions-minor group (#824)
  • 7c757df Bump the npm-development group with 2 updates (#825)
  • c44148e Bump github/codeql-action in the actions-minor group (#818)
  • 3234352 Bump @​types/node from 25.0.10 to 25.2.0 in the npm-development group (#819)
  • 18db129 Bump tar from 7.5.6 to 7.5.7 (#816)
  • 90fadfa Bump @​actions/core from 2.0.1 to 2.0.2 in the npm-production group (#799)
  • 57db8ba Bump the npm-development group across 1 directory with 3 updates (#808)
  • Additional commits viewable in compare view

Updates taiki-e/install-action from 2.82.0 to 2.82.4

Release notes

Sourced from taiki-e/install-action's releases.

2.82.4

  • Update uv@latest to 0.11.24.

  • Update mise@latest to 2026.6.13.

  • Update just@latest to 1.54.0.

  • Update biome@latest to 2.5.1.

2.82.3

  • Update zizmor@latest to 1.26.1.

  • Update wasmtime@latest to 46.0.0.

  • Update tombi@latest to 1.1.5.

  • Update mise@latest to 2026.6.12.

  • Update kingfisher@latest to 1.104.0.

  • Update cargo-tarpaulin@latest to 0.35.5.

  • Update cargo-nextest@latest to 0.9.138.

  • Update cargo-crap@latest to 0.3.0.

  • Update cargo-binstall@latest to 1.20.1.

  • Update cargo-rdme@latest to 2.0.1.

2.82.2

  • Update xh@latest to 0.26.1.

  • Update uv@latest to 0.11.23.

  • Update trivy@latest to 0.71.2.

  • Update sccache@latest to 0.16.0.

2.82.1

  • Update vacuum@latest to 0.29.4.

  • Update uv@latest to 0.11.22.

  • Update osv-scanner@latest to 2.4.0.

  • Update mise@latest to 2026.6.11.

  • Update martin@latest to 1.11.0.

... (truncated)

Changelog

Sourced from taiki-e/install-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

This project adheres to Semantic Versioning.

[Unreleased]

[2.82.4] - 2026-06-25

  • Update uv@latest to 0.11.24.

  • Update mise@latest to 2026.6.13.

  • Update just@latest to 1.54.0.

  • Update biome@latest to 2.5.1.

[2.82.3] - 2026-06-24

  • Update zizmor@latest to 1.26.1.

  • Update wasmtime@latest to 46.0.0.

  • Update tombi@latest to 1.1.5.

  • Update mise@latest to 2026.6.12.

  • Update kingfisher@latest to 1.104.0.

  • Update cargo-tarpaulin@latest to 0.35.5.

  • Update cargo-nextest@latest to 0.9.138.

  • Update cargo-crap@latest to 0.3.0.

  • Update cargo-binstall@latest to 1.20.1.

  • Update cargo-rdme@latest to 2.0.1.

[2.82.2] - 2026-06-21

  • Update xh@latest to 0.26.1.

  • Update uv@latest to 0.11.23.

... (truncated)

Commits

Updates dawidd6/action-send-mail from 6e502825a508b867ab2954ad6343b68787624c01 to 994f270325d4f7257aff241a35488ef54ba364a4

Commits

Updates hyperpolymath/panic-attack/.github/workflows/scan-and-report.yml from 3f7d0bbed133629b62052fd181a84e4e1c774f9a to 1c38f3379a3491504c3ea8bf80c3ddc48a497af7

Changelog

Sourced from hyperpolymath/panic-attack/.github/workflows/scan-and-report.yml's changelog.

Changelog

[Unreleased]

Added — attestation unforgeability proof (Idris2, PROOF-PROGRAMME §3.2)

  • src/abi/AttestationUnforgeability.idr: Idris2 proof that the intent→evidence→seal attestation chain is unforgeable. Models chain_hash = H(intent‖evidence‖report) + the Ed25519 signature with the cryptographic facts (chain-hash collision-resistance, Ed25519 EUF-CMA message- and signer-binding, signature correctness) as a parameters block — hypotheses, not postulate (PA021 bans escape hatches), so it is an honest conditional theorem. Under %default total it Qed-closes integrity (tampering any phase invalidates the seal), authenticity (a verifying seal comes from the matching key), and nonRepudiation (a genuine seal verifies), plus two corollaries. Typechecks under Idris2 0.8.0. Closes #123.

Added — contractile registry (INDEX.a2ml)

  • .machine_readable/contractiles/INDEX.a2ml: the previously-missing contractile registry, modelled on echidna's canonical INDEX. Catalogues all six verbs (must / trust / intend / adjust / bust / dust) with their actual current locations across the three pre-consolidation trees, flags the duplicate trust Trustfile, and records the canonical trident target. The physical consolidation of the three trees stays in #124 — it couples to the contractile gen-just generator (which reads the root contractiles/ tree) and needs the standards CONTRACTILE-SPEC to do safely.

Added — assay / assimilate / aggregate proof-integration subcommands

Three new a-themed subcommands that wire panic-attack into the PROOF-PROGRAMME loop (survey → swap → fold-in-proofs):

  • panic-attack assay [TARGET] [--proven DIR]… (src/assay/mod.rs): surveys a target for code that has a formally proven drop-in equivalent in a proven / proven-servers library and reports each candidate with the proof artifact that backs it — operationalising the "Proven cross-fit" table in PROOF-PROGRAMME.md mechanically instead of by hand. Built-in catalogue: SafePath (canonicalize/unwrap pattern) and SafeUrl (VERISIMDB_URL). On this repo: safe-path Offered (port present in src/safe_path.rs, call sites still to rewire), safe-url NoReplacementSource (not yet ported).
  • panic-attack assimilate [TARGET] --candidate ID [--proven DIR] [--from FILE] [--all] [--dry-run]: performs a swap — stages the proven module into the tree, backs up the original (*.orig), and writes a provenance record (source BLAKE3 hash + proof backing + pending call-site rewires) under .assimilated/. Module swaps are automatic; call-site rewiring is reported, never auto-edited

... (truncated)

Commits
  • 1c38f33 chore(clade): backfill [status] lifecycle block (#144)
  • c3bae9f chore(ci): add dormant push-email notification workflow (#145)
  • 7b0a08b chore(licence): normalise to MPL-2.0 + CC-BY-SA-4.0 (canonical pair) (#143)
  • 25f32b1 chore(ci): bump standards reusable workflow pins (#142)
  • 07902dc chore: extend owner SPDX header to all non-.rs sources (.md/.adoc/.idr/.zig) ...
  • 479bf2d chore: add owner SPDX header to all .rs (satisfy licence-enforcer hook) (#139)
  • 3cffe67 chore(nix->guix): remove flake.nix (Guix-only) (#140)
  • 826d541 test(aggregate): ideal Idris2 proof fixture + end-to-end fold test (#138)
  • 0d89586 docs: complete audience→axial rename drift in man page + docs (#137)
  • b26acb0 Claude/unbounded severity v2 (#135)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the actions group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/cache](https://github.com/actions/cache) | `5.0.5` | `6.0.0` |
| [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `2.4.0` | `4.1.0` |
| [taiki-e/install-action](https://github.com/taiki-e/install-action) | `2.82.0` | `2.82.4` |
| [dawidd6/action-send-mail](https://github.com/dawidd6/action-send-mail) | `6e502825a508b867ab2954ad6343b68787624c01` | `994f270325d4f7257aff241a35488ef54ba364a4` |
| [hyperpolymath/panic-attack/.github/workflows/scan-and-report.yml](https://github.com/hyperpolymath/panic-attack) | `3f7d0bbed133629b62052fd181a84e4e1c774f9a` | `1c38f3379a3491504c3ea8bf80c3ddc48a497af7` |


Updates `actions/cache` from 5.0.5 to 6.0.0
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...2c8a9bd)

Updates `actions/attest-build-provenance` from 2.4.0 to 4.1.0
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@e8998f9...a2bbfa2)

Updates `taiki-e/install-action` from 2.82.0 to 2.82.4
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](taiki-e/install-action@b8cecb8...682e7d9)

Updates `dawidd6/action-send-mail` from 6e502825a508b867ab2954ad6343b68787624c01 to 994f270325d4f7257aff241a35488ef54ba364a4
- [Release notes](https://github.com/dawidd6/action-send-mail/releases)
- [Commits](dawidd6/action-send-mail@6e50282...994f270)

Updates `hyperpolymath/panic-attack/.github/workflows/scan-and-report.yml` from 3f7d0bbed133629b62052fd181a84e4e1c774f9a to 1c38f3379a3491504c3ea8bf80c3ddc48a497af7
- [Release notes](https://github.com/hyperpolymath/panic-attack/releases)
- [Changelog](https://github.com/hyperpolymath/panic-attack/blob/main/CHANGELOG.md)
- [Commits](hyperpolymath/panic-attack@3f7d0bb...1c38f33)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/attest-build-provenance
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: taiki-e/install-action
  dependency-version: 2.82.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: dawidd6/action-send-mail
  dependency-version: 994f270325d4f7257aff241a35488ef54ba364a4
  dependency-type: direct:production
  dependency-group: actions
- dependency-name: hyperpolymath/panic-attack/.github/workflows/scan-and-report.yml
  dependency-version: 1c38f3379a3491504c3ea8bf80c3ddc48a497af7
  dependency-type: direct:production
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels on Jun 26, 2026