chore(deps): bump the github-actions group across 1 directory with 6 updates

[dependabot]

Bumps the github-actions group with 6 updates in the / directory:

Package	From	To
graalvm/setup-graalvm	1.5.0	1.5.2
mikepenz/release-changelog-builder-action	6.1.1	6.2.0
anchore/scan-action	7.3.2	7.4.0
github/codeql-action	4.33.0	4.35.1
anthropics/claude-code-action	1.0.75	1.0.85
ruby/setup-ruby	1.295.0	1.299.0

Updates graalvm/setup-graalvm from 1.5.0 to 1.5.2

Release notes

Sourced from graalvm/setup-graalvm's releases.

v1.5.2

What's Changed

• Bump the "all" group with 2 updates across multiple ecosystems by @​dependabot[bot] in graalvm/setup-graalvm#215

Full Changelog: graalvm/setup-graalvm@v1.5.1...v1.5.2

v1.5.1

What's Changed

• Upgrade dependencies and to Node 24 by @​fniephaus in graalvm/setup-graalvm#209
• Remove unused dependencies and refresh lockfile to clear vulnerable transitive packages by @​fniephaus in graalvm/setup-graalvm#210
• Replace DISCO API with GitHub API for Mandrel latest version resolution. by @​zakkak in graalvm/setup-graalvm#213
• Update dependencies by @​fniephaus in graalvm/setup-graalvm#214

Full Changelog: graalvm/setup-graalvm@v1.5.0...v1.5.1

Commits

• 60c2672 Bump version to 1.5.2.
• 51f7fcd Add workflow to check GitHub Actions with Macaron.
• a498fb2 Set rootDir to address rollup warning.
• 840595d Address new lint errors.
• ca0f421 Update devDependencies.
• 2987039 Bump the all group with 2 updates
• 2149f39 Bump version to 1.5.1.
• 05f01b3 Regenerate dist/ files.
• e1a66bd Refresh locked dependencies to resolve npm audit findings 🤖
• 671c7d4 Replace DISCO API with GitHub API for Mandrel latest version resolution. (#213)
• Additional commits viewable in compare view

Updates mikepenz/release-changelog-builder-action from 6.1.1 to 6.2.0

Release notes

Sourced from mikepenz/release-changelog-builder-action's releases.

v6.2.0

💬 Other

• Security hardening: Renovate, SHA-pinned actions, least-privilege permissions
  • PR: #1536
• fix: use PR author for commit-dist job condition
  • PR: #1541

📦 Dependencies

• Bump actions/upload-artifact from 6 to 7
  • PR: #1523
• Bump mikepenz/action-gh-release from 1 to 2
  • PR: #1529
• Bump flatted from 3.3.3 to 3.4.2
  • PR: #1531
• Bump the dev-dependencies group with 4 updates
  • PR: #1532
• Bump vitest from 4.0.18 to 4.1.0
  • PR: #1533
• Bump https-proxy-agent from 7.0.6 to 8.0.0
  • PR: #1534
• Bump picomatch from 4.0.3 to 4.0.4
  • PR: #1535
• chore(deps): update dependency glob to v11.1.0 [security]
  • PR: #1537
• chore(deps): pin mikepenz/release-changelog-builder-action action to d7b8cec
  • PR: #1539
• chore(deps): update dependency undici to v7
  • PR: #1540
• chore: upgrade TypeScript to v6
  • PR: #1543
• chore: pin all dependencies to exact versions
  • PR: #1544
• chore(deps): update mikepenz/release-changelog-builder-action digest to a77ddc5
  • PR: #1545
• chore(deps): update dependency glob to v13
  • PR: #1546

Contributors:

• @​dependabot[bot], @​mikepenz

Commits

• 2cb9bef Merge pull request #1547 from mikepenz/develop
• 0cc2898 Merge pull request #1546 from mikepenz/renovate/glob-13.x
• 5fcdcea Merge pull request #1545 from mikepenz/renovate/github-actions-updates
• 1783230 chore(deps): update dependency glob to v13
• a176e8e chore(deps): update mikepenz/release-changelog-builder-action digest to a77ddc5
• a77ddc5 Merge pull request #1544 from mikepenz/chore/pin-exact-deps
• 3ef87e7 chore: recompile dist
• 27efd72 chore: update undici specifically
• 6a2bae6 chore: pin all dependencies to exact versions
• 72827c1 Merge pull request #1543 from mikepenz/chore/typescript-6
• Additional commits viewable in compare view

Updates anchore/scan-action from 7.3.2 to 7.4.0

Release notes

Sourced from anchore/scan-action's releases.

v7.4.0

• chore: update to node 24 (#629) [@​kzantow]
• fix(dev): move to esbuild (#601) [@​willmurphyscode]
• chore: update to ES modules + update @actions/* (#595) [@​kzantow]

⬆️ Dependencies

• chore(deps): update Grype to v0.110.0 (#618) [@anchore-actions-token-generator[bot]]
• chore(deps-dev): bump tar 7.5.11 (#620) [@dependabot[bot]]
• chore(deps): bump undici 6.24.1 (#622) [@dependabot[bot]]
• chore: bump fast-xml-parser 5.5.7 (#626) [@dependabot[bot]]

Commits

• e116508 chore: bump fast-xml-parser from 5.5.6 to 5.5.7 + setup-node (#631)
• 382a23a chore(deps): update Grype to v0.110.0 (#618)
• 2898213 chore: update to node 24 (#629)
• 4e1eb5b chore: update to modules and bump all deps (required for new @​actions librari...
• 8ed60d1 chore(deps): bump actions/setup-node from 6.2.0 to 6.3.0 (#617)
• 5a271d2 chore(deps-dev): bump lint-staged from 16.3.1 to 16.3.2 (#619)
• 6d37af2 chore(deps-dev): bump jest from 30.2.0 to 30.3.0 (#625)
• 50a8160 chore(deps-dev): bump tar from 7.5.10 to 7.5.11 (#620)
• daeb723 chore(deps): bump undici from 6.23.0 to 6.24.1 (#622)
• 6471a7e chore(deps): bump fast-xml-parser from 5.3.6 to 5.5.6 (#626)
• Additional commits viewable in compare view

Updates github/codeql-action from 4.33.0 to 4.35.1

Release notes

Sourced from github/codeql-action's releases.

v4.35.1

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

v4.35.0

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

v4.34.1

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

v4.34.0

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
• Update default CodeQL bundle version to 2.25.0. #3585

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794

4.35.1 - 27 Mar 2026

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

4.34.1 - 20 Mar 2026

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
• Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

• Update default CodeQL bundle version to 2.24.3. #3548

4.32.5 - 02 Mar 2026

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
• Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487

... (truncated)

Commits

• c10b806 Merge pull request #3782 from github/update-v4.35.1-d6d1743b8
• c5ffd06 Update changelog for v4.35.1
• d6d1743 Merge pull request #3781 from github/henrymercer/update-git-minimum-version
• 65d2efa Add changelog note
• 2437b20 Update minimum git version for overlay to 2.36.0
• ea5f719 Merge pull request #3775 from github/dependabot/npm_and_yarn/node-forge-1.4.0
• 45ceeea Merge pull request #3777 from github/mergeback/v4.35.0-to-main-b8bb9f28
• 24448c9 Rebuild
• 7c51060 Update changelog and version after v4.35.0
• b8bb9f2 Merge pull request #3776 from github/update-v4.35.0-0078ad667
• Additional commits viewable in compare view

Updates anthropics/claude-code-action from 1.0.75 to 1.0.85

Release notes

Sourced from anthropics/claude-code-action's releases.

v1.0.85

What's Changed

• fix: fall back to repo default_branch instead of hardcoded "main" by @​ashwin-ant in anthropics/claude-code-action#1143

Full Changelog: anthropics/claude-code-action@v1...v1.0.85

v1.0.84

What's Changed

• Pin Claude Code to 2.1.87 by @​ashwin-ant in anthropics/claude-code-action#1142

Full Changelog: anthropics/claude-code-action@v1...v1.0.84

v1.0.83

What's Changed

• Add subprocess isolation setup and git credential helper by @​OctavianGuzu in anthropics/claude-code-action#1132

Full Changelog: anthropics/claude-code-action@v1...v1.0.83

v1.0.82

Full Changelog: anthropics/claude-code-action@v1...v1.0.82

v1.0.81

Full Changelog: anthropics/claude-code-action@v1...v1.0.81

v1.0.80

Full Changelog: anthropics/claude-code-action@v1...v1.0.80

v1.0.79

Full Changelog: anthropics/claude-code-action@v1...v1.0.79

v1.0.78

Full Changelog: anthropics/claude-code-action@v1...v1.0.78

v1.0.77

Subprocess environment scrubbing for untrusted-input workflows

Workflows that configure allowed_non_write_users now automatically get CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1, which makes Claude Code (v2.1.79+) strip Anthropic and cloud provider credentials from the environment of subprocesses it spawns (Bash tool, hooks, MCP stdio servers). The parent Claude process keeps these vars for its own API calls — only child subprocess environments are scrubbed.

Why: Workflows that process untrusted input (issue triage, PR review from non-write users) are exposed to prompt injection. A malicious issue body could trick Claude into running a Bash command that reads $ANTHROPIC_API_KEY via shell expansion and leaks it through an observable side channel. Scrubbing the subprocess environment removes the read primitive entirely.

What's scrubbed: Anthropic auth tokens, cloud provider credentials, GitHub Actions OIDC and runtime tokens, OTEL auth headers.

What's kept: GITHUB_TOKEN / GH_TOKEN — so wrapper scripts can still call the GitHub API.

Opt out: Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: "0" at the job or step level if your workflow legitimately needs a subprocess to inherit these credentials.

No action required for most users — if you've configured allowed_non_write_users, scrubbing is now on automatically. If your workflow breaks because a subprocess expected inherited credentials, re-inject them explicitly (e.g., via MCP server env: config) or use the opt-out.

... (truncated)

Commits

• 58dbe8e chore: bump Claude Code to 2.1.90 and Agent SDK to 0.2.90
• c281e17 fix: fall back to repo default_branch instead of hardcoded "main" (#1143)
• 408a40e Pin Claude Code to 2.1.87 (#1142)
• bee87b3 chore: bump Claude Code to 2.1.89 and Agent SDK to 0.2.89
• 32156b1 Add subprocess isolation setup and git credential helper (#1132)
• 7225f04 chore: bump Claude Code to 2.1.88 and Agent SDK to 0.2.88
• 88c168b chore: bump Claude Code to 2.1.87 and Agent SDK to 0.2.87
• e7b588b chore: bump Claude Code to 2.1.86 and Agent SDK to 0.2.86
• 094bd24 chore: bump Claude Code to 2.1.85 and Agent SDK to 0.2.85
• 3ac52d0 chore: bump Claude Code to 2.1.84 and Agent SDK to 0.2.84
• Additional commits viewable in compare view

Updates ruby/setup-ruby from 1.295.0 to 1.299.0

Release notes

Sourced from ruby/setup-ruby's releases.

v1.299.0

What's Changed

• Update CRuby releases on Windows by @​ruby-builder-bot in ruby/setup-ruby#896

Full Changelog: ruby/setup-ruby@v1.298.0...v1.299.0

v1.298.0

What's Changed

• Add ruby-3.2.11 by @​ruby-builder-bot in ruby/setup-ruby#895

Full Changelog: ruby/setup-ruby@v1.297.0...v1.298.0

v1.297.0

What's Changed

• Update CRuby releases on Windows by @​ruby-builder-bot in ruby/setup-ruby#894

Full Changelog: ruby/setup-ruby@v1.296.0...v1.297.0

v1.296.0

What's Changed

• Add ruby-3.3.11 by @​ruby-builder-bot in ruby/setup-ruby#893

Full Changelog: ruby/setup-ruby@v1.295.0...v1.296.0

Commits

• 3ff19f5 Update CRuby releases on Windows
• 4dc28cf Add ruby-3.2.11
• c515ec1 Update CRuby releases on Windows
• eab2afb Add ruby-3.3.11
• 97b3338 Mention all maintainers in check-new-windows-versions for consistency
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.