chore(deps): bump github/codeql-action from 4.32.4 to 4.32.6 by dependabot[bot] · Pull Request #6039 · external-secrets/external-secrets

dependabot · 2026-03-09T08:27:16Z

Bumps github/codeql-action from 4.32.4 to 4.32.6.

Release notes

Sourced from github/codeql-action's releases.

v4.32.6

Update default CodeQL bundle version to 2.24.3. #3548

v4.32.5

Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507

Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487

The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515

Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516

Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498

Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512

The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.32.6 - 05 Mar 2026

Update default CodeQL bundle version to 2.24.3. #3548

4.32.5 - 02 Mar 2026

Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507

Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487

The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515

Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516

Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498

Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512

The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

4.32.4 - 20 Feb 2026

Update default CodeQL bundle version to 2.24.2. #3493

Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473

When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486

Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485

Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

4.32.3 - 13 Feb 2026

Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

4.32.2 - 05 Feb 2026

Update default CodeQL bundle version to 2.24.1. #3460

4.32.1 - 02 Feb 2026

A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #3422

Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #3421

4.32.0 - 26 Jan 2026

Update default CodeQL bundle version to 2.24.0. #3425

4.31.11 - 23 Jan 2026

When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #3409

... (truncated)

Commits

0d579ff Merge pull request #3551 from github/update-v4.32.6-72d2d850d
d4c6be7 Update changelog for v4.32.6
72d2d85 Merge pull request #3548 from github/update-bundle/codeql-bundle-v2.24.3
23f983c Merge pull request #3544 from github/dependabot/github_actions/dot-github/wor...
832e97c Merge pull request #3545 from github/dependabot/github_actions/dot-github/wor...
5ef38c0 Merge pull request #3546 from github/dependabot/npm_and_yarn/tar-7.5.10
80c9cda Add changelog note
f2669dd Update default bundle to codeql-bundle-v2.24.3
bd03c44 Merge branch 'main' into dependabot/github_actions/dot-github/workflows/actio...
102d762 Bump tar from 7.5.7 to 7.5.10
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Skarlso · 2026-03-10T20:29:08Z

@dependabot rebase

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.4 to 4.32.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@89a39a4...0d579ff) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.32.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

sonarqubecloud · 2026-03-10T20:31:07Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

…l-secrets#6039) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.4 to 4.32.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@89a39a4...0d579ff) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.32.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>

…2.2.0 (#4923) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets/external-secrets](https://github.com/external-secrets/external-secrets) | minor | `v2.1.0` → `v2.2.0` | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/2) for more information. --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets/external-secrets)</summary> ### [`v2.2.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.2.0) [Compare Source](external-secrets/external-secrets@v2.1.0...v2.2.0) Image: `ghcr.io/external-secrets/external-secrets:v2.2.0` Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi` Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi-boringssl`  #### What's Changed ##### General - chore: release charts v2.1.0 by [@Skarlso](https://github.com/Skarlso) in [#6030](external-secrets/external-secrets#6030) - chore: fix the stability doc by [@Skarlso](https://github.com/Skarlso) in [#6035](external-secrets/external-secrets#6035) - fix(security): Fix vulnerabilities by [@othomann](https://github.com/othomann) in [#6052](external-secrets/external-secrets#6052) - fix(aws): sync tags and resource policy even when secret value unchanged by [@evs-secops](https://github.com/evs-secops) in [#6025](external-secrets/external-secrets#6025) - fix: publish now uses docker build v4 which required some changes by [@Skarlso](https://github.com/Skarlso) in [#6062](external-secrets/external-secrets#6062) - feat(gcpsm): auto-detect projectID from GCP metadata server by [@patjlm](https://github.com/patjlm) in [#5922](external-secrets/external-secrets#5922) - chore(templating): Remove years in license and their checks by [@evrardj-roche](https://github.com/evrardj-roche) in [#5955](external-secrets/external-secrets#5955) - docs: Add Roche to official ADOPTERS by [@evrardj-roche](https://github.com/evrardj-roche) in [#6076](external-secrets/external-secrets#6076) - feat: Add Last Sync column to ExternalSecret and PushSecret printers by [@jaruwat-panturat](https://github.com/jaruwat-panturat) in [#6068](external-secrets/external-secrets#6068) - fix(onepassword): support native item IDs by [@chadxz](https://github.com/chadxz) in [#6073](external-secrets/external-secrets#6073) - feat: extract LGTM processor to external JS file with tests by [@mateenali66](https://github.com/mateenali66) in [#6074](external-secrets/external-secrets#6074) - feat: fail fast if LGTM label does not exist in repository by [@mateenali66](https://github.com/mateenali66) in [#6078](external-secrets/external-secrets#6078) - feat(passbolt): add support for Passbolt V5 API by [@cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) in [#5919](external-secrets/external-secrets#5919) - fix(infisical): dataFrom.find.path should filter by secret path not name by [@johnvox](https://github.com/johnvox) in [#6086](external-secrets/external-secrets#6086) - fix: disable the priority queue which misbehaves at scale by [@Skarlso](https://github.com/Skarlso) in [#6083](external-secrets/external-secrets#6083) - chore: update go version to 1.26.1 by [@Skarlso](https://github.com/Skarlso) in [#6072](external-secrets/external-secrets#6072) - docs(aws): fix PushSecret metadata indentation in resource policy exa... by [@Br1an67](https://github.com/Br1an67) in [#6056](external-secrets/external-secrets#6056) - fix(aws): prevent EC2 IMDS fallback when explicit credentials are pro... by [@Br1an67](https://github.com/Br1an67) in [#6036](external-secrets/external-secrets#6036) - feat(templating): Add certSANs function to extract SANs from certificates by [@mzdeb](https://github.com/mzdeb) in [#6058](external-secrets/external-secrets#6058) - docs: document template.metadata labels/annotations behavior by [@lucpas](https://github.com/lucpas) in [#6102](external-secrets/external-secrets#6102) - fix: CODEOWNERS are seriously out of date by [@Skarlso](https://github.com/Skarlso) in [#6106](external-secrets/external-secrets#6106) - feat(helm): add readinessProbe support for external-secrets deployment by [@AlexOQ](https://github.com/AlexOQ) in [#5831](external-secrets/external-secrets#5831) - fix: update grpc for CVE-2026-33186 by [@Skarlso](https://github.com/Skarlso) in [#6108](external-secrets/external-secrets#6108) - feat(azurekv): add expiration time to azure kv secret by [@muraliavarma](https://github.com/muraliavarma) in [#5935](external-secrets/external-secrets#5935) - feat: add path to cloud.ru provider by [@heavyandrew](https://github.com/heavyandrew) in [#5952](external-secrets/external-secrets#5952) - fix(add-eso-version): fix separator line pattern in add\_eso\_version.sh script by [@riccardomc](https://github.com/riccardomc) in [#6113](external-secrets/external-secrets#6113) ##### Dependencies - chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#6038](external-secrets/external-secrets#6038) - chore(deps): bump charset-normalizer from 3.4.4 to 3.4.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6047](external-secrets/external-secrets#6047) - chore(deps): bump platformdirs from 4.9.2 to 4.9.4 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6050](external-secrets/external-secrets#6050) - chore(deps): bump mkdocs-material from 9.7.3 to 9.7.4 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6049](external-secrets/external-secrets#6049) - chore(deps): bump github/codeql-action from 4.32.4 to 4.32.6 by [@dependabot](https://github.com/dependabot)\[bot] in [#6039](external-secrets/external-secrets#6039) - chore(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6043](external-secrets/external-secrets#6043) - chore(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6040](external-secrets/external-secrets#6040) - chore(deps): bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6044](external-secrets/external-secrets#6044) - chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6042](external-secrets/external-secrets#6042) - chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6041](external-secrets/external-secrets#6041) - chore(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6046](external-secrets/external-secrets#6046) - chore(deps): bump aquasecurity/trivy-action from 0.34.1 to 0.35.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6048](external-secrets/external-secrets#6048) - chore(deps): bump anchore/sbom-action from 0.23.0 to 0.23.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6093](external-secrets/external-secrets#6093) - chore(deps): bump distroless/static from `28efbe9` to `47b2d72` by [@dependabot](https://github.com/dependabot)\[bot] in [#6088](external-secrets/external-secrets#6088) - chore(deps): bump ubi9/ubi from `cecb1cd` to `6ed9f6f` by [@dependabot](https://github.com/dependabot)\[bot] in [#6087](external-secrets/external-secrets#6087) - chore(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6096](external-secrets/external-secrets#6096) - chore(deps): bump tornado from 6.5.4 to 6.5.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6094](external-secrets/external-secrets#6094) - chore(deps): bump charset-normalizer from 3.4.5 to 3.4.6 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6095](external-secrets/external-secrets#6095) - chore(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6089](external-secrets/external-secrets#6089) - chore(deps): bump sigstore/cosign-installer from 4.0.0 to 4.1.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6092](external-secrets/external-secrets#6092) - chore(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6090](external-secrets/external-secrets#6090) - chore(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6091](external-secrets/external-secrets#6091) #### New Contributors - [@othomann](https://github.com/othomann) made their first contribution in [#6052](external-secrets/external-secrets#6052) - [@evs-secops](https://github.com/evs-secops) made their first contribution in [#6025](external-secrets/external-secrets#6025) - [@patjlm](https://github.com/patjlm) made their first contribution in [#5922](external-secrets/external-secrets#5922) - [@jaruwat-panturat](https://github.com/jaruwat-panturat) made their first contribution in [#6068](external-secrets/external-secrets#6068) - [@chadxz](https://github.com/chadxz) made their first contribution in [#6073](external-secrets/external-secrets#6073) - [@mateenali66](https://github.com/mateenali66) made their first contribution in [#6074](external-secrets/external-secrets#6074) - [@cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) made their first contribution in [#5919](external-secrets/external-secrets#5919) - [@johnvox](https://github.com/johnvox) made their first contribution in [#6086](external-secrets/external-secrets#6086) - [@Br1an67](https://github.com/Br1an67) made their first contribution in [#6056](external-secrets/external-secrets#6056) - [@mzdeb](https://github.com/mzdeb) made their first contribution in [#6058](external-secrets/external-secrets#6058) - [@lucpas](https://github.com/lucpas) made their first contribution in [#6102](external-secrets/external-secrets#6102) - [@AlexOQ](https://github.com/AlexOQ) made their first contribution in [#5831](external-secrets/external-secrets#5831) - [@muraliavarma](https://github.com/muraliavarma) made their first contribution in [#5935](external-secrets/external-secrets#5935) - [@heavyandrew](https://github.com/heavyandrew) made their first contribution in [#5952](external-secrets/external-secrets#5952) **Full Changelog**: <external-secrets/external-secrets@v2.1.0...v2.2.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4923 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `2.1.0` → `2.2.0` | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/2) for more information. --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets)</summary> ### [`v2.2.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.2.0) [Compare Source](external-secrets/external-secrets@v2.1.0...v2.2.0) Image: `ghcr.io/external-secrets/external-secrets:v2.2.0` Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi` Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi-boringssl`  ##### What's Changed ##### General - chore: release charts v2.1.0 by [@Skarlso](https://github.com/Skarlso) in [#6030](external-secrets/external-secrets#6030) - chore: fix the stability doc by [@Skarlso](https://github.com/Skarlso) in [#6035](external-secrets/external-secrets#6035) - fix(security): Fix vulnerabilities by [@othomann](https://github.com/othomann) in [#6052](external-secrets/external-secrets#6052) - fix(aws): sync tags and resource policy even when secret value unchanged by [@evs-secops](https://github.com/evs-secops) in [#6025](external-secrets/external-secrets#6025) - fix: publish now uses docker build v4 which required some changes by [@Skarlso](https://github.com/Skarlso) in [#6062](external-secrets/external-secrets#6062) - feat(gcpsm): auto-detect projectID from GCP metadata server by [@patjlm](https://github.com/patjlm) in [#5922](external-secrets/external-secrets#5922) - chore(templating): Remove years in license and their checks by [@evrardj-roche](https://github.com/evrardj-roche) in [#5955](external-secrets/external-secrets#5955) - docs: Add Roche to official ADOPTERS by [@evrardj-roche](https://github.com/evrardj-roche) in [#6076](external-secrets/external-secrets#6076) - feat: Add Last Sync column to ExternalSecret and PushSecret printers by [@jaruwat-panturat](https://github.com/jaruwat-panturat) in [#6068](external-secrets/external-secrets#6068) - fix(onepassword): support native item IDs by [@chadxz](https://github.com/chadxz) in [#6073](external-secrets/external-secrets#6073) - feat: extract LGTM processor to external JS file with tests by [@mateenali66](https://github.com/mateenali66) in [#6074](external-secrets/external-secrets#6074) - feat: fail fast if LGTM label does not exist in repository by [@mateenali66](https://github.com/mateenali66) in [#6078](external-secrets/external-secrets#6078) - feat(passbolt): add support for Passbolt V5 API by [@cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) in [#5919](external-secrets/external-secrets#5919) - fix(infisical): dataFrom.find.path should filter by secret path not name by [@johnvox](https://github.com/johnvox) in [#6086](external-secrets/external-secrets#6086) - fix: disable the priority queue which misbehaves at scale by [@Skarlso](https://github.com/Skarlso) in [#6083](external-secrets/external-secrets#6083) - chore: update go version to 1.26.1 by [@Skarlso](https://github.com/Skarlso) in [#6072](external-secrets/external-secrets#6072) - docs(aws): fix PushSecret metadata indentation in resource policy exa... by [@Br1an67](https://github.com/Br1an67) in [#6056](external-secrets/external-secrets#6056) - fix(aws): prevent EC2 IMDS fallback when explicit credentials are pro... by [@Br1an67](https://github.com/Br1an67) in [#6036](external-secrets/external-secrets#6036) - feat(templating): Add certSANs function to extract SANs from certificates by [@mzdeb](https://github.com/mzdeb) in [#6058](external-secrets/external-secrets#6058) - docs: document template.metadata labels/annotations behavior by [@lucpas](https://github.com/lucpas) in [#6102](external-secrets/external-secrets#6102) - fix: CODEOWNERS are seriously out of date by [@Skarlso](https://github.com/Skarlso) in [#6106](external-secrets/external-secrets#6106) - feat(helm): add readinessProbe support for external-secrets deployment by [@AlexOQ](https://github.com/AlexOQ) in [#5831](external-secrets/external-secrets#5831) - fix: update grpc for CVE-2026-33186 by [@Skarlso](https://github.com/Skarlso) in [#6108](external-secrets/external-secrets#6108) - feat(azurekv): add expiration time to azure kv secret by [@muraliavarma](https://github.com/muraliavarma) in [#5935](external-secrets/external-secrets#5935) - feat: add path to cloud.ru provider by [@heavyandrew](https://github.com/heavyandrew) in [#5952](external-secrets/external-secrets#5952) - fix(add-eso-version): fix separator line pattern in add\_eso\_version.sh script by [@riccardomc](https://github.com/riccardomc) in [#6113](external-secrets/external-secrets#6113) ##### Dependencies - chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#6038](external-secrets/external-secrets#6038) - chore(deps): bump charset-normalizer from 3.4.4 to 3.4.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6047](external-secrets/external-secrets#6047) - chore(deps): bump platformdirs from 4.9.2 to 4.9.4 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6050](external-secrets/external-secrets#6050) - chore(deps): bump mkdocs-material from 9.7.3 to 9.7.4 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6049](external-secrets/external-secrets#6049) - chore(deps): bump github/codeql-action from 4.32.4 to 4.32.6 by [@dependabot](https://github.com/dependabot)\[bot] in [#6039](external-secrets/external-secrets#6039) - chore(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6043](external-secrets/external-secrets#6043) - chore(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6040](external-secrets/external-secrets#6040) - chore(deps): bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6044](external-secrets/external-secrets#6044) - chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6042](external-secrets/external-secrets#6042) - chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6041](external-secrets/external-secrets#6041) - chore(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6046](external-secrets/external-secrets#6046) - chore(deps): bump aquasecurity/trivy-action from 0.34.1 to 0.35.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6048](external-secrets/external-secrets#6048) - chore(deps): bump anchore/sbom-action from 0.23.0 to 0.23.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6093](external-secrets/external-secrets#6093) - chore(deps): bump distroless/static from `28efbe9` to `47b2d72` by [@dependabot](https://github.com/dependabot)\[bot] in [#6088](external-secrets/external-secrets#6088) - chore(deps): bump ubi9/ubi from `cecb1cd` to `6ed9f6f` by [@dependabot](https://github.com/dependabot)\[bot] in [#6087](external-secrets/external-secrets#6087) - chore(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6096](external-secrets/external-secrets#6096) - chore(deps): bump tornado from 6.5.4 to 6.5.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6094](external-secrets/external-secrets#6094) - chore(deps): bump charset-normalizer from 3.4.5 to 3.4.6 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6095](external-secrets/external-secrets#6095) - chore(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6089](external-secrets/external-secrets#6089) - chore(deps): bump sigstore/cosign-installer from 4.0.0 to 4.1.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6092](external-secrets/external-secrets#6092) - chore(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6090](external-secrets/external-secrets#6090) - chore(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6091](external-secrets/external-secrets#6091) ##### New Contributors - [@othomann](https://github.com/othomann) made their first contribution in [#6052](external-secrets/external-secrets#6052) - [@evs-secops](https://github.com/evs-secops) made their first contribution in [#6025](external-secrets/external-secrets#6025) - [@patjlm](https://github.com/patjlm) made their first contribution in [#5922](external-secrets/external-secrets#5922) - [@jaruwat-panturat](https://github.com/jaruwat-panturat) made their first contribution in [#6068](external-secrets/external-secrets#6068) - [@chadxz](https://github.com/chadxz) made their first contribution in [#6073](external-secrets/external-secrets#6073) - [@mateenali66](https://github.com/mateenali66) made their first contribution in [#6074](external-secrets/external-secrets#6074) - [@cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) made their first contribution in [#5919](external-secrets/external-secrets#5919) - [@johnvox](https://github.com/johnvox) made their first contribution in [#6086](external-secrets/external-secrets#6086) - [@Br1an67](https://github.com/Br1an67) made their first contribution in [#6056](external-secrets/external-secrets#6056) - [@mzdeb](https://github.com/mzdeb) made their first contribution in [#6058](external-secrets/external-secrets#6058) - [@lucpas](https://github.com/lucpas) made their first contribution in [#6102](external-secrets/external-secrets#6102) - [@AlexOQ](https://github.com/AlexOQ) made their first contribution in [#5831](external-secrets/external-secrets#5831) - [@muraliavarma](https://github.com/muraliavarma) made their first contribution in [#5935](external-secrets/external-secrets#5935) - [@heavyandrew](https://github.com/heavyandrew) made their first contribution in [#5952](external-secrets/external-secrets#5952) **Full Changelog**: <external-secrets/external-secrets@v2.1.0...v2.2.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4927 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

…l-secrets#6039) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.4 to 4.32.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@89a39a4...0d579ff) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.32.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 9, 2026

github-project-automation bot added this to External Secrets Mar 9, 2026

github-actions bot added area/deps kind/chore Categorizes Pull Requests for chore activities (like bumping versions) kind/dependency dependabot and upgrades component/github-actions size/xs labels Mar 9, 2026

eso-service-account-app bot approved these changes Mar 9, 2026

View reviewed changes

eso-service-account-app bot enabled auto-merge (squash) March 9, 2026 08:27

Skarlso approved these changes Mar 10, 2026

View reviewed changes

dependabot bot force-pushed the dependabot/github_actions/github/codeql-action-4.32.6 branch from 6ad1a9e to 9313744 Compare March 10, 2026 20:30

eso-service-account-app bot merged commit d0a5040 into main Mar 10, 2026
10 checks passed

eso-service-account-app bot deleted the dependabot/github_actions/github/codeql-action-4.32.6 branch March 10, 2026 20:30

github-project-automation bot moved this to Done in External Secrets Mar 10, 2026

eso-service-account-app bot approved these changes Mar 10, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): bump github/codeql-action from 4.32.4 to 4.32.6#6039

chore(deps): bump github/codeql-action from 4.32.4 to 4.32.6#6039
eso-service-account-app[bot] merged 1 commit intomainfrom
dependabot/github_actions/github/codeql-action-4.32.6

dependabot bot commented on behalf of github Mar 9, 2026 •

edited

Loading

Uh oh!

Skarlso commented Mar 10, 2026

Uh oh!

Uh oh!

sonarqubecloud bot commented Mar 10, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

dependabot bot commented on behalf of github Mar 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v4.32.6

v4.32.5

CodeQL Action Changelog

[UNRELEASED]

4.32.6 - 05 Mar 2026

4.32.5 - 02 Mar 2026

4.32.4 - 20 Feb 2026

4.32.3 - 13 Feb 2026

4.32.2 - 05 Feb 2026

4.32.1 - 02 Feb 2026

4.32.0 - 26 Jan 2026

4.31.11 - 23 Jan 2026

Uh oh!

Skarlso commented Mar 10, 2026

Uh oh!

Uh oh!

sonarqubecloud bot commented Mar 10, 2026

Quality Gate passed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

dependabot bot commented on behalf of github Mar 9, 2026 •

edited

Loading