Bump the gh-actions-packages group across 3 directories with 10 updates (#8381)

Bumps the gh-actions-packages group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/setup-dotnet](https://github.com/actions/setup-dotnet) |
`5.1.0` | `5.2.0` |
|
[DataDog/dd-octo-sts-action](https://github.com/datadog/dd-octo-sts-action)
| `1.0.3` | `1.0.4` |
|
[softprops/action-gh-release](https://github.com/softprops/action-gh-release)
| `2.5.0` | `2.6.1` |
| [github/codeql-action](https://github.com/github/codeql-action) |
`4.32.4` | `4.34.1` |
|
[advanced-security/filter-sarif](https://github.com/advanced-security/filter-sarif)
| `1.0.1` | `1.1` |
|
[actions/create-github-app-token](https://github.com/actions/create-github-app-token)
| `2.2.1` | `3.0.0` |

Bumps the gh-actions-packages group with 3 updates in the
/.github/actions/create-system-test-docker-base-images directory:
[docker/setup-qemu-action](https://github.com/docker/setup-qemu-action),
[docker/setup-buildx-action](https://github.com/docker/setup-buildx-action)
and
[docker/build-push-action](https://github.com/docker/build-push-action).
Bumps the gh-actions-packages group with 1 update in the
/.github/actions/publish-debug-symbols directory:
[actions/setup-node](https://github.com/actions/setup-node).

Updates `actions/setup-dotnet` from 5.1.0 to 5.2.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/setup-dotnet/releases">actions/setup-dotnet's
releases</a>.</em></p>
<blockquote>
<h2>v5.2.0</h2>
<h2>What's changed</h2>
<h3>Enhancements</h3>
<ul>
<li>Add support for workloads input by <a
href="https://github.com/gowridurgad"><code>@​gowridurgad</code></a> in
<a
href="https://redirect.github.com/actions/setup-dotnet/pull/693">actions/setup-dotnet#693</a></li>
<li>Add support for optional architecture input for cross-architecture
.NET installs by <a
href="https://github.com/priya-kinthali"><code>@​priya-kinthali</code></a>
in <a
href="https://redirect.github.com/actions/setup-dotnet/pull/700">actions/setup-dotnet#700</a></li>
</ul>
<h3>Dependency Updates</h3>
<ul>
<li>Upgrade fast-xml-parser from 4.4.1 to 5.3.6 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/setup-dotnet/pull/671">actions/setup-dotnet#671</a></li>
<li>Upgrade minimatch from 3.1.2 to 3.1.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/setup-dotnet/pull/705">actions/setup-dotnet#705</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/setup-dotnet/compare/v5...v5.2.0">https://github.com/actions/setup-dotnet/compare/v5...v5.2.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/setup-dotnet/commit/c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7"><code>c2fa09f</code></a>
Bump minimatch from 3.1.2 to 3.1.5 (<a
href="https://redirect.github.com/actions/setup-dotnet/issues/705">#705</a>)</li>
<li><a
href="https://github.com/actions/setup-dotnet/commit/02574b18e2dc57a218ee4e11ba1e1603c67236e8"><code>02574b1</code></a>
Add support for optional architecture input for cross-architecture .NET
insta...</li>
<li><a
href="https://github.com/actions/setup-dotnet/commit/16c7b3c2fa55a0e394467d22512b84fda46adf63"><code>16c7b3c</code></a>
Bump fast-xml-parser from 4.4.1 to 5.3.6 (<a
href="https://redirect.github.com/actions/setup-dotnet/issues/671">#671</a>)</li>
<li><a
href="https://github.com/actions/setup-dotnet/commit/131b410979e0b49e2162c0718030257b22d6dc2c"><code>131b410</code></a>
Add support for workloads input (<a
href="https://redirect.github.com/actions/setup-dotnet/issues/693">#693</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/setup-dotnet/compare/baa11fbfe1d6520db94683bd5c7a3818018e4309...c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7">compare
view</a></li>
</ul>
</details>
<br />

Updates `DataDog/dd-octo-sts-action` from 1.0.3 to 1.0.4
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a"><code>96a2546</code></a>
Fix typo in Readme (<a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/18">#18</a>)</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/9691c26e1de0f1f26e1e8708c5c34b4f64e43f5f"><code>9691c26</code></a>
Merge pull request <a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/14">#14</a>
from DataDog/improve/parse-jwt-claims</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/b98b59d08d3575cbda7001bddfe86633787536e8"><code>b98b59d</code></a>
Merge pull request <a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/13">#13</a>
from DataDog/improve/fetch-error-url-logging</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/e7953d4e870e933635e6afa9172b3957b568c417"><code>e7953d4</code></a>
Merge pull request <a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/15">#15</a>
from DataDog/improve/ci-workflow-hardening</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/e47344e9570a80d3a7d333a339ace4a5e88b7646"><code>e47344e</code></a>
Merge pull request <a
href="https://redirect.github.com/datadog/dd-octo-sts-action/issues/16">#16</a>
from DataDog/improve/bump-node24</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/5a7a632cb3be2334cd1515df9c74eb3103942b50"><code>5a7a632</code></a>
Bump Node.js runtime from node20 to node24</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/260fcf964ad38660b2abc359216586af9d31a05d"><code>260fcf9</code></a>
Add parseJwtClaims() function with tests, replace fragile inline
parsing</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/371c4d81ebd5ed74dfcc7bb2ab234d9f1e30fe65"><code>371c4d8</code></a>
Harden CI workflows with least-privilege permissions and credential
controls</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/1fc658893bed0edd73a7e284f6266e3fc4bdc93e"><code>1fc6588</code></a>
Include URL in fetchWithRetry error messages</li>
<li><a
href="https://github.com/DataDog/dd-octo-sts-action/commit/0b31f95da950c7562ef40f6447086e75515897ce"><code>0b31f95</code></a>
Harden CI workflows with least-privilege permissions and credential
controls</li>
<li>Additional commits viewable in <a
href="https://github.com/datadog/dd-octo-sts-action/compare/acaa02eee7e3bb0839e4272dacb37b8f3b58ba80...96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a">compare
view</a></li>
</ul>
</details>
<br />

Updates `softprops/action-gh-release` from 2.5.0 to 2.6.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/softprops/action-gh-release/releases">softprops/action-gh-release's
releases</a>.</em></p>
<blockquote>
<h2>v2.6.1</h2>
<p><code>2.6.1</code> is a patch release focused on restoring linked
discussion thread creation when
<code>discussion_category_name</code> is set. It fixes
<code>[#764](https://github.com/softprops/action-gh-release/issues/764)</code>,
where the draft-first publish flow
stopped carrying the discussion category through the final publish
step.</p>
<p>If you still hit an issue after upgrading, please open a report with
the bug template and include a minimal repro or sanitized workflow
snippet where possible.</p>
<h2>What's Changed</h2>
<h3>Bug fixes 🐛</h3>
<ul>
<li>fix: preserve discussion category on publish by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/765">softprops/action-gh-release#765</a></li>
</ul>
<h2>v2.6.0</h2>
<p><code>2.6.0</code> is a minor release centered on
<code>previous_tag</code> support for
<code>generate_release_notes</code>,
which lets workflows pin GitHub's comparison base explicitly instead of
relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a
<code>working_directory</code> docs sync,
a checked-bundle freshness guard for maintainers, and clearer
immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset
uploads can be published.</p>
<p>If you still hit an issue after upgrading, please open a report with
the bug template and include a minimal repro or sanitized workflow
snippet where possible.</p>
<h2>What's Changed</h2>
<h3>Exciting New Features 🎉</h3>
<ul>
<li>feat: support previous_tag for generate_release_notes by <a
href="https://github.com/pocesar"><code>@​pocesar</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/372">softprops/action-gh-release#372</a></li>
</ul>
<h3>Bug fixes 🐛</h3>
<ul>
<li>fix: recover concurrent asset metadata 404s by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/760">softprops/action-gh-release#760</a></li>
</ul>
<h3>Other Changes 🔄</h3>
<ul>
<li>docs: clarify reused draft release behavior by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/759">softprops/action-gh-release#759</a></li>
<li>docs: clarify working_directory input by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/761">softprops/action-gh-release#761</a></li>
<li>ci: verify dist bundle freshness by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/762">softprops/action-gh-release#762</a></li>
<li>fix: clarify immutable prerelease uploads by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/763">softprops/action-gh-release#763</a></li>
</ul>
<h2>v2.5.3</h2>
<!-- raw HTML omitted -->
<p><code>2.5.3</code> is a patch release focused on the remaining
path-handling and release-selection bugs uncovered after
<code>2.5.2</code>.
It fixes
<code>[#639](https://github.com/softprops/action-gh-release/issues/639)</code>,
<code>[#571](https://github.com/softprops/action-gh-release/issues/571)</code>,
<code>[#280](https://github.com/softprops/action-gh-release/issues/280)</code>,
<code>[#614](https://github.com/softprops/action-gh-release/issues/614)</code>,
<code>[#311](https://github.com/softprops/action-gh-release/issues/311)</code>,
<code>[#403](https://github.com/softprops/action-gh-release/issues/403)</code>,
and
<code>[#368](https://github.com/softprops/action-gh-release/issues/368)</code>.
It also adds documentation clarifications for
<code>[#541](https://github.com/softprops/action-gh-release/issues/541)</code>,
<code>[#645](https://github.com/softprops/action-gh-release/issues/645)</code>,
<code>[#542](https://github.com/softprops/action-gh-release/issues/542)</code>,
<code>[#393](https://github.com/softprops/action-gh-release/issues/393)</code>,
and
<code>[#411](https://github.com/softprops/action-gh-release/issues/411)</code>,
where the current behavior is either usage-sensitive or constrained by
GitHub platform limits rather than an action-side runtime bug.</p>
<p>If you still hit an issue after upgrading, please open a report with
the bug template and include a minimal repro or sanitized workflow
snippet where possible.</p>
<h2>What's Changed</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md">softprops/action-gh-release's
changelog</a>.</em></p>
<blockquote>
<h2>2.6.1</h2>
<p><code>2.6.1</code> is a patch release focused on restoring linked
discussion thread creation when
<code>discussion_category_name</code> is set. It fixes
<code>[#764](https://github.com/softprops/action-gh-release/issues/764)</code>,
where the draft-first publish flow
stopped carrying the discussion category through the final publish
step.</p>
<p>If you still hit an issue after upgrading, please open a report with
the bug template and include a minimal repro or sanitized workflow
snippet where possible.</p>
<h2>What's Changed</h2>
<h3>Bug fixes 🐛</h3>
<ul>
<li>fix: preserve discussion category on publish by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/765">softprops/action-gh-release#765</a></li>
</ul>
<h2>2.6.0</h2>
<p><code>2.6.0</code> is a minor release centered on
<code>previous_tag</code> support for
<code>generate_release_notes</code>,
which lets workflows pin GitHub's comparison base explicitly instead of
relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a
<code>working_directory</code> docs sync,
a checked-bundle freshness guard for maintainers, and clearer
immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset
uploads can be published.</p>
<p>If you still hit an issue after upgrading, please open a report with
the bug template and include a minimal repro or sanitized workflow
snippet where possible.</p>
<h2>What's Changed</h2>
<h3>Exciting New Features 🎉</h3>
<ul>
<li>feat: support previous_tag for generate_release_notes by <a
href="https://github.com/pocesar"><code>@​pocesar</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/372">softprops/action-gh-release#372</a></li>
</ul>
<h3>Bug fixes 🐛</h3>
<ul>
<li>fix: recover concurrent asset metadata 404s by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/760">softprops/action-gh-release#760</a></li>
</ul>
<h3>Other Changes 🔄</h3>
<ul>
<li>docs: clarify reused draft release behavior by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/759">softprops/action-gh-release#759</a></li>
<li>docs: clarify working_directory input by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/761">softprops/action-gh-release#761</a></li>
<li>ci: verify dist bundle freshness by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/762">softprops/action-gh-release#762</a></li>
<li>fix: clarify immutable prerelease uploads by <a
href="https://github.com/chenrui333"><code>@​chenrui333</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/763">softprops/action-gh-release#763</a></li>
</ul>
<h2>2.5.3</h2>
<p><code>2.5.3</code> is a patch release focused on the remaining
path-handling and release-selection bugs uncovered after
<code>2.5.2</code>.
It fixes
<code>[#639](https://github.com/softprops/action-gh-release/issues/639)</code>,
<code>[#571](https://github.com/softprops/action-gh-release/issues/571)</code>,
<code>[#280](https://github.com/softprops/action-gh-release/issues/280)</code>,
<code>[#614](https://github.com/softprops/action-gh-release/issues/614)</code>,
<code>[#311](https://github.com/softprops/action-gh-release/issues/311)</code>,
<code>[#403](https://github.com/softprops/action-gh-release/issues/403)</code>,
and
<code>[#368](https://github.com/softprops/action-gh-release/issues/368)</code>.
It also adds documentation clarifications for
<code>[#541](https://github.com/softprops/action-gh-release/issues/541)</code>,
<code>[#645](https://github.com/softprops/action-gh-release/issues/645)</code>,
<code>[#542](https://github.com/softprops/action-gh-release/issues/542)</code>,
<code>[#393](https://github.com/softprops/action-gh-release/issues/393)</code>,
and
<code>[#411](https://github.com/softprops/action-gh-release/issues/411)</code>,
where the current behavior is either usage-sensitive or constrained by
GitHub platform limits rather than an action-side runtime bug.</p>
<p>If you still hit an issue after upgrading, please open a report with
the bug template and include a minimal repro or sanitized workflow
snippet where possible.</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/softprops/action-gh-release/commit/153bb8e04406b158c6c84fc1615b65b24149a1fe"><code>153bb8e</code></a>
release 2.6.1</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/569deb874d08cd8cc0aa24af7c0b21160fe4b0e4"><code>569deb8</code></a>
fix: preserve discussion category when publishing releases (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/765">#765</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/26e8ad27a09a225049a7075d7ec1caa2df6ff332"><code>26e8ad2</code></a>
release 2.6.0</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/b959f31e968fb47fb7bb823087fc092d5613e0a4"><code>b959f31</code></a>
fix: clarify immutable prerelease uploads (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/763">#763</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/8a8510e3a0d8dfc9296171fd405ca8c8ea6206a4"><code>8a8510e</code></a>
ci: verify dist bundle freshness (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/762">#762</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/438c15ddf5b01e992ef98dc29cea3f9992ab54ac"><code>438c15d</code></a>
docs: clarify working_directory input (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/761">#761</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/6ca3b5d96e3a0fac11dc53f0809c2cb029e64902"><code>6ca3b5d</code></a>
fix: recover concurrent asset metadata 404s (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/760">#760</a>)</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/11f917660b31d6d56980ea3261f210556a812bd0"><code>11f9176</code></a>
chore: add RELEASE.md</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/1f3f350167714515d2bcf8a18afcc5e8e0a362a8"><code>1f3f350</code></a>
feat: add AGENTS.md</li>
<li><a
href="https://github.com/softprops/action-gh-release/commit/37819cb191890d306d21cfb5ac4e7a358f0a6e4f"><code>37819cb</code></a>
docs: clarify reused draft release behavior (<a
href="https://redirect.github.com/softprops/action-gh-release/issues/759">#759</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/softprops/action-gh-release/compare/a06a81a03ee405af7f2048a818ed3f03bbf83c7b...153bb8e04406b158c6c84fc1615b65b24149a1fe">compare
view</a></li>
</ul>
</details>
<br />

Updates `github/codeql-action` from 4.32.4 to 4.34.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/releases">github/codeql-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.34.1</h2>
<ul>
<li>Downgrade default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>
due to issues with a small percentage of Actions and JavaScript
analyses. <a
href="https://redirect.github.com/github/codeql-action/pull/3762">#3762</a></li>
</ul>
<h2>v4.34.0</h2>
<ul>
<li>Added an experimental change which disables TRAP caching when <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> is enabled, since improved incremental analysis
supersedes TRAP caching. This will improve performance and reduce
Actions cache usage. We expect to roll this change out to everyone in
March. <a
href="https://redirect.github.com/github/codeql-action/pull/3569">#3569</a></li>
<li>We are rolling out improved incremental analysis to C/C++ analyses
that use build mode <code>none</code>. We expect this rollout to be
complete by the end of April 2026. <a
href="https://redirect.github.com/github/codeql-action/pull/3584">#3584</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0">2.25.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3585">#3585</a></li>
</ul>
<h2>v4.33.0</h2>
<ul>
<li>
<p>Upcoming change: Starting April 2026, the CodeQL Action will skip
collecting file coverage information on pull requests to improve
analysis performance. File coverage information will still be computed
on non-PR analyses. Pull request analyses will log a warning about this
upcoming change. <a
href="https://redirect.github.com/github/codeql-action/pull/3562">#3562</a></p>
<p>To opt out of this change:</p>
<ul>
<li><strong>Repositories owned by an organization:</strong> Create a
custom repository property with the name
<code>github-codeql-file-coverage-on-prs</code> and the type
&quot;True/false&quot;, then set this property to <code>true</code> in
the repository's settings. For more information, see <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing
custom properties for repositories in your organization</a>.
Alternatively, if you are using an advanced setup workflow, you can set
the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable
to <code>true</code> in your workflow.</li>
<li><strong>User-owned repositories using default setup:</strong> Switch
to an advanced setup workflow and set the
<code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable to
<code>true</code> in your workflow.</li>
<li><strong>User-owned repositories using advanced setup:</strong> Set
the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable
to <code>true</code> in your workflow.</li>
</ul>
</li>
<li>
<p>Fixed <a
href="https://redirect.github.com/github/codeql-action/issues/3555">a
bug</a> which caused the CodeQL Action to fail loading repository
properties if a &quot;Multi select&quot; repository property was
configured for the repository. <a
href="https://redirect.github.com/github/codeql-action/pull/3557">#3557</a></p>
</li>
<li>
<p>The CodeQL Action now loads <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">custom
repository properties</a> on GitHub Enterprise Server, enabling the
customization of features such as
<code>github-codeql-disable-overlay</code> that was previously only
available on GitHub.com. <a
href="https://redirect.github.com/github/codeql-action/pull/3559">#3559</a></p>
</li>
<li>
<p>Once <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registries</a> can be configured with OIDC-based authentication
for organizations, the CodeQL Action will now be able to accept such
configurations. <a
href="https://redirect.github.com/github/codeql-action/pull/3563">#3563</a></p>
</li>
<li>
<p>Fixed the retry mechanism for database uploads. Previously this would
fail with the error &quot;Response body object should not be disturbed
or locked&quot;. <a
href="https://redirect.github.com/github/codeql-action/pull/3564">#3564</a></p>
</li>
<li>
<p>A warning is now emitted if the CodeQL Action detects a repository
property whose name suggests that it relates to the CodeQL Action, but
which is not one of the properties recognised by the current version of
the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3570">#3570</a></p>
</li>
</ul>
<h2>v4.32.6</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3548">#3548</a></li>
</ul>
<h2>v4.32.5</h2>
<ul>
<li>Repositories owned by an organization can now set up the
<code>github-codeql-disable-overlay</code> custom repository property to
disable <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis for CodeQL</a>. First, create a custom repository
property with the name <code>github-codeql-disable-overlay</code> and
the type &quot;True/false&quot; in the organization's settings. Then in
the repository's settings, set this property to <code>true</code> to
disable improved incremental analysis. For more information, see <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing
custom properties for repositories in your organization</a>. This
feature is not yet available on GitHub Enterprise Server. <a
href="https://redirect.github.com/github/codeql-action/pull/3507">#3507</a></li>
<li>Added an experimental change so that when <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> fails on a runner — potentially due to
insufficient disk space — the failure is recorded in the Actions cache
so that subsequent runs will automatically skip improved incremental
analysis until something changes (e.g. a larger runner is provisioned or
a new CodeQL version is released). We expect to roll this change out to
everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3487">#3487</a></li>
<li>The minimum memory check for improved incremental analysis is now
skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage.
<a
href="https://redirect.github.com/github/codeql-action/pull/3515">#3515</a></li>
<li>Reduced log levels for best-effort private package registry
connection check failures to reduce noise from workflow annotations. <a
href="https://redirect.github.com/github/codeql-action/pull/3516">#3516</a></li>
<li>Added an experimental change which lowers the minimum disk space
requirement for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a>, enabling it to run on standard GitHub Actions
runners. We expect to roll this change out to everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3498">#3498</a></li>
<li>Added an experimental change which allows the
<code>start-proxy</code> action to resolve the CodeQL CLI version from
feature flags instead of using the linked CLI bundle version. We expect
to roll this change out to everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3512">#3512</a></li>
<li>The previously experimental changes from versions 4.32.3, 4.32.4,
3.32.3 and 3.32.4 are now enabled by default. <a
href="https://redirect.github.com/github/codeql-action/pull/3503">#3503</a>,
<a
href="https://redirect.github.com/github/codeql-action/pull/3504">#3504</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<h2>[UNRELEASED]</h2>
<ul>
<li>Reduced the minimum Git version required for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> from 2.38.0 to 2.11.0. <a
href="https://redirect.github.com/github/codeql-action/pull/3767">#3767</a></li>
</ul>
<h2>4.34.1 - 20 Mar 2026</h2>
<ul>
<li>Downgrade default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>
due to issues with a small percentage of Actions and JavaScript
analyses. <a
href="https://redirect.github.com/github/codeql-action/pull/3762">#3762</a></li>
</ul>
<h2>4.34.0 - 20 Mar 2026</h2>
<ul>
<li>Added an experimental change which disables TRAP caching when <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> is enabled, since improved incremental analysis
supersedes TRAP caching. This will improve performance and reduce
Actions cache usage. We expect to roll this change out to everyone in
March. <a
href="https://redirect.github.com/github/codeql-action/pull/3569">#3569</a></li>
<li>We are rolling out improved incremental analysis to C/C++ analyses
that use build mode <code>none</code>. We expect this rollout to be
complete by the end of April 2026. <a
href="https://redirect.github.com/github/codeql-action/pull/3584">#3584</a></li>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0">2.25.0</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3585">#3585</a></li>
</ul>
<h2>4.33.0 - 16 Mar 2026</h2>
<ul>
<li>
<p>Upcoming change: Starting April 2026, the CodeQL Action will skip
collecting file coverage information on pull requests to improve
analysis performance. File coverage information will still be computed
on non-PR analyses. Pull request analyses will log a warning about this
upcoming change. <a
href="https://redirect.github.com/github/codeql-action/pull/3562">#3562</a></p>
<p>To opt out of this change:</p>
<ul>
<li><strong>Repositories owned by an organization:</strong> Create a
custom repository property with the name
<code>github-codeql-file-coverage-on-prs</code> and the type
&quot;True/false&quot;, then set this property to <code>true</code> in
the repository's settings. For more information, see <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing
custom properties for repositories in your organization</a>.
Alternatively, if you are using an advanced setup workflow, you can set
the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable
to <code>true</code> in your workflow.</li>
<li><strong>User-owned repositories using default setup:</strong> Switch
to an advanced setup workflow and set the
<code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable to
<code>true</code> in your workflow.</li>
<li><strong>User-owned repositories using advanced setup:</strong> Set
the <code>CODEQL_ACTION_FILE_COVERAGE_ON_PRS</code> environment variable
to <code>true</code> in your workflow.</li>
</ul>
</li>
<li>
<p>Fixed <a
href="https://redirect.github.com/github/codeql-action/issues/3555">a
bug</a> which caused the CodeQL Action to fail loading repository
properties if a &quot;Multi select&quot; repository property was
configured for the repository. <a
href="https://redirect.github.com/github/codeql-action/pull/3557">#3557</a></p>
</li>
<li>
<p>The CodeQL Action now loads <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">custom
repository properties</a> on GitHub Enterprise Server, enabling the
customization of features such as
<code>github-codeql-disable-overlay</code> that was previously only
available on GitHub.com. <a
href="https://redirect.github.com/github/codeql-action/pull/3559">#3559</a></p>
</li>
<li>
<p>Once <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registries</a> can be configured with OIDC-based authentication
for organizations, the CodeQL Action will now be able to accept such
configurations. <a
href="https://redirect.github.com/github/codeql-action/pull/3563">#3563</a></p>
</li>
<li>
<p>Fixed the retry mechanism for database uploads. Previously this would
fail with the error &quot;Response body object should not be disturbed
or locked&quot;. <a
href="https://redirect.github.com/github/codeql-action/pull/3564">#3564</a></p>
</li>
<li>
<p>A warning is now emitted if the CodeQL Action detects a repository
property whose name suggests that it relates to the CodeQL Action, but
which is not one of the properties recognised by the current version of
the CodeQL Action. <a
href="https://redirect.github.com/github/codeql-action/pull/3570">#3570</a></p>
</li>
</ul>
<h2>4.32.6 - 05 Mar 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3">2.24.3</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3548">#3548</a></li>
</ul>
<h2>4.32.5 - 02 Mar 2026</h2>
<ul>
<li>Repositories owned by an organization can now set up the
<code>github-codeql-disable-overlay</code> custom repository property to
disable <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis for CodeQL</a>. First, create a custom repository
property with the name <code>github-codeql-disable-overlay</code> and
the type &quot;True/false&quot; in the organization's settings. Then in
the repository's settings, set this property to <code>true</code> to
disable improved incremental analysis. For more information, see <a
href="https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization">Managing
custom properties for repositories in your organization</a>. This
feature is not yet available on GitHub Enterprise Server. <a
href="https://redirect.github.com/github/codeql-action/pull/3507">#3507</a></li>
<li>Added an experimental change so that when <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a> fails on a runner — potentially due to
insufficient disk space — the failure is recorded in the Actions cache
so that subsequent runs will automatically skip improved incremental
analysis until something changes (e.g. a larger runner is provisioned or
a new CodeQL version is released). We expect to roll this change out to
everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3487">#3487</a></li>
<li>The minimum memory check for improved incremental analysis is now
skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage.
<a
href="https://redirect.github.com/github/codeql-action/pull/3515">#3515</a></li>
<li>Reduced log levels for best-effort private package registry
connection check failures to reduce noise from workflow annotations. <a
href="https://redirect.github.com/github/codeql-action/pull/3516">#3516</a></li>
<li>Added an experimental change which lowers the minimum disk space
requirement for <a
href="https://redirect.github.com/github/roadmap/issues/1158">improved
incremental analysis</a>, enabling it to run on standard GitHub Actions
runners. We expect to roll this change out to everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3498">#3498</a></li>
<li>Added an experimental change which allows the
<code>start-proxy</code> action to resolve the CodeQL CLI version from
feature flags instead of using the linked CLI bundle version. We expect
to roll this change out to everyone in March. <a
href="https://redirect.github.com/github/codeql-action/pull/3512">#3512</a></li>
<li>The previously experimental changes from versions 4.32.3, 4.32.4,
3.32.3 and 3.32.4 are now enabled by default. <a
href="https://redirect.github.com/github/codeql-action/pull/3503">#3503</a>,
<a
href="https://redirect.github.com/github/codeql-action/pull/3504">#3504</a></li>
</ul>
<h2>4.32.4 - 20 Feb 2026</h2>
<ul>
<li>Update default CodeQL bundle version to <a
href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2">2.24.2</a>.
<a
href="https://redirect.github.com/github/codeql-action/pull/3493">#3493</a></li>
<li>Added an experimental change which improves how certificates are
generated for the authentication proxy that is used by the CodeQL Action
in Default Setup when <a
href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private
package registries are configured</a>. This is expected to generate more
widely compatible certificates and should have no impact on analyses
which are working correctly already. We expect to roll this change out
to everyone in February. <a
href="https://redirect.github.com/github/codeql-action/pull/3473">#3473</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/38697555549f1db7851b81482ff19f1fa5c4fedc"><code>3869755</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3763">#3763</a>
from github/update-v4.34.1-095e0fe50</li>
<li><a
href="https://github.com/github/codeql-action/commit/20e68ac12bc8d1eb16a56d3ef4e78263197d2e47"><code>20e68ac</code></a>
Update changelog for v4.34.1</li>
<li><a
href="https://github.com/github/codeql-action/commit/095e0fe505bb5ab6198675d021352632c2c69a46"><code>095e0fe</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3762">#3762</a>
from github/henrymercer/downgrade-default-bundle</li>
<li><a
href="https://github.com/github/codeql-action/commit/47b94fe61cd788995769140a7a8adffec0738aa1"><code>47b94fe</code></a>
Add changelog note</li>
<li><a
href="https://github.com/github/codeql-action/commit/51a1d6917f5d33f400200c675401974da443b2ea"><code>51a1d69</code></a>
Downgrade default bundle to codeql-bundle-v2.24.3</li>
<li><a
href="https://github.com/github/codeql-action/commit/510cf736e330d7eb9bc471636d65aaa180118824"><code>510cf73</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3589">#3589</a>
from github/mergeback/v4.34.0-to-main-c6f93110</li>
<li><a
href="https://github.com/github/codeql-action/commit/89f0c86efa3acf01faeff510383f0c4a4152760a"><code>89f0c86</code></a>
Rebuild</li>
<li><a
href="https://github.com/github/codeql-action/commit/c3f90ba975e427c1913b529a89ef97a2442493f2"><code>c3f90ba</code></a>
Update changelog and version after v4.34.0</li>
<li><a
href="https://github.com/github/codeql-action/commit/c6f931105cb2c34c8f901cc885ba1e2e259cf745"><code>c6f9311</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/3588">#3588</a>
from github/update-v4.34.0-30c555a52</li>
<li><a
href="https://github.com/github/codeql-action/commit/eeb9b3f4244c2945a20b9761dfa77f19d468d35f"><code>eeb9b3f</code></a>
Update changelog for v4.34.0</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/89a39a4e59826350b863aa6b6252a07ad50cf83e...38697555549f1db7851b81482ff19f1fa5c4fedc">compare
view</a></li>
</ul>
</details>
<br />

Updates `advanced-security/filter-sarif` from 1.0.1 to 1.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/advanced-security/filter-sarif/releases">advanced-security/filter-sarif's
releases</a>.</em></p>
<blockquote>
<h2>v1.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Specify category in upload by <a
href="https://github.com/felickz"><code>@​felickz</code></a> in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/10">advanced-security/filter-sarif#10</a></li>
<li>Fix minimal example glob by <a
href="https://github.com/aegilops"><code>@​aegilops</code></a> in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/12">advanced-security/filter-sarif#12</a></li>
<li>Update recommended usage to preserve diagnostics for failed runs by
<a href="https://github.com/henrymercer"><code>@​henrymercer</code></a>
in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/13">advanced-security/filter-sarif#13</a></li>
<li>Update filter_sarif.py: use UTF-8 as encoding for reading/writing
SARIF content by <a
href="https://github.com/aibaars"><code>@​aibaars</code></a> in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/14">advanced-security/filter-sarif#14</a></li>
<li>Add optional severity filter for SARIF alerts by <a
href="https://github.com/Copilot"><code>@​Copilot</code></a> in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/17">advanced-security/filter-sarif#17</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/felickz"><code>@​felickz</code></a> made
their first contribution in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/10">advanced-security/filter-sarif#10</a></li>
<li><a
href="https://github.com/henrymercer"><code>@​henrymercer</code></a>
made their first contribution in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/13">advanced-security/filter-sarif#13</a></li>
<li><a href="https://github.com/aibaars"><code>@​aibaars</code></a> made
their first contribution in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/14">advanced-security/filter-sarif#14</a></li>
<li><a href="https://github.com/Copilot"><code>@​Copilot</code></a> made
their first contribution in <a
href="https://redirect.github.com/advanced-security/filter-sarif/pull/17">advanced-security/filter-sarif#17</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/advanced-security/filter-sarif/compare/v1...v1.1">https://github.com/advanced-security/filter-sarif/compare/v1...v1.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/2da736ff05ef065cb2894ac6892e47b5eac2c3c0"><code>2da736f</code></a>
Merge pull request <a
href="https://redirect.github.com/advanced-security/filter-sarif/issues/17">#17</a>
from advanced-security/copilot/add-severity-filter-option</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/b82026b24b33bcb263e8ee8be0e9dc61b95137d7"><code>b82026b</code></a>
Remove [DEBUG] print statements from production code</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/f15e3e496e74f52fd73ef988f9b6692bffde8d7d"><code>f15e3e4</code></a>
Update action.yml</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/f74eb2048e037d62d353dcf15316cbd3fb6338bb"><code>f74eb20</code></a>
Refactor collect_rule_severities to streamline rule processing and
enhance de...</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/da97499204a010ddc00eac572e68ff4c026c76f4"><code>da97499</code></a>
Fix severity filter: results no longer incorrectly filtered when level
is mis...</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/be3128116e74f051368d9cbe782b7e035ead7b7f"><code>be31281</code></a>
Initial plan for severity filter bug fix</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/4bddfd62c6b03e66ae8b8e81c9757e6b3d30c26a"><code>4bddfd6</code></a>
Address code review: use env var for shell safety, fix double strip</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/e304681acdb034e246e8f32c24f8f6f31ae128a9"><code>e304681</code></a>
Add optional severity filter for SARIF alerts</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/36dc0cede241fb8e0885f26bdb054a35fc868e7b"><code>36dc0ce</code></a>
Initial plan</li>
<li><a
href="https://github.com/advanced-security/filter-sarif/commit/59d0a64b3c0a34d787819f6659708915b6210582"><code>59d0a64</code></a>
Merge pull request <a
href="https://redirect.github.com/advanced-security/filter-sarif/issues/14">#14</a>
from aibaars/patch-1</li>
<li>Additional commits viewable in <a
href="https://github.com/advanced-security/filter-sarif/compare/f3b8118a9349d88f7b1c0c488476411145b6270d...2da736ff05ef065cb2894ac6892e47b5eac2c3c0">compare
view</a></li>
</ul>
</details>
<br />

Updates `actions/create-github-app-token` from 2.2.1 to 3.0.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/create-github-app-token/releases">actions/create-github-app-token's
releases</a>.</em></p>
<blockquote>
<h2>v3.0.0</h2>
<h1><a
href="https://github.com/actions/create-github-app-token/compare/v2.2.2...v3.0.0">3.0.0</a>
(2026-03-14)</h1>
<ul>
<li>feat!: node 24 support (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/275">#275</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/2e564a0bb8e7cc2b907b2401a2afe177882d4325">2e564a0</a>)</li>
<li>fix!: require <code>NODE_USE_ENV_PROXY</code> for proxy support (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/342">#342</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/4451bcbc139f8124b0bf04f968ea2586b17df458">4451bcb</a>)</li>
</ul>
<h3>Bug Fixes</h3>
<ul>
<li>remove custom proxy handling (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/143">#143</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/dce0ab05f36f30b22fd14289fd36655c618e4e8e">dce0ab0</a>)</li>
</ul>
<h3>BREAKING CHANGES</h3>
<ul>
<li>Custom proxy handling has been removed. If you use HTTP_PROXY or
HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action
step.</li>
<li>Requires <a
href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions
Runner v2.327.1</a> or later if you are using a self-hosted runner.</li>
</ul>
<h2>v3.0.0-beta.6</h2>
<h1><a
href="https://github.com/actions/create-github-app-token/compare/v3.0.0-beta.5...v3.0.0-beta.6">3.0.0-beta.6</a>
(2026-03-13)</h1>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> bump <code>@​actions/core</code> from 1.11.1
to 3.0.0 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/337">#337</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/b04413352d4644ac2131b9a90c074f5e93ca18a1">b044133</a>)</li>
<li><strong>deps:</strong> bump minimatch from 9.0.5 to 9.0.9 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/335">#335</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/5cbc65624c9ddc4589492bda7c8b146223e8c3e4">5cbc656</a>)</li>
<li><strong>deps:</strong> bump the production-dependencies group with 4
updates (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/336">#336</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/6bda5bc1410576b9a0879ce6076d53345485bba9">6bda5bc</a>)</li>
<li><strong>deps:</strong> bump undici from 7.16.0 to 7.18.2 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/323">#323</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/b4f638f48ee0dcdbb0bc646c48e4cb2a2de847fe">b4f638f</a>)</li>
</ul>
<h2>v3.0.0-beta.5</h2>
<h1><a
href="https://github.com/actions/create-github-app-token/compare/v3.0.0-beta.4...v3.0.0-beta.5">3.0.0-beta.5</a>
(2026-03-13)</h1>
<ul>
<li>fix!: require <code>NODE_USE_ENV_PROXY</code> for proxy support (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/342">#342</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/d53a1cdfde844c958786293adcaf739ecb8b5eb9">d53a1cd</a>)</li>
</ul>
<h3>BREAKING CHANGES</h3>
<ul>
<li>Custom proxy handling has been removed. If you use HTTP_PROXY or
HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action
step.</li>
</ul>
<h2>v3.0.0-beta.4</h2>
<h1><a
href="https://github.com/actions/create-github-app-token/compare/v3.0.0-beta.3...v3.0.0-beta.4">3.0.0-beta.4</a>
(2026-03-13)</h1>
<h3>Bug Fixes</h3>
<ul>
<li><strong>deps:</strong> bump <code>@​octokit/auth-app</code> from
7.2.1 to 8.0.1 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/257">#257</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/bef1eaf1c0ac2b148ee2a0a74c65fbe6db0631f1">bef1eaf</a>)</li>
<li><strong>deps:</strong> bump <code>@​octokit/request</code> from
9.2.3 to 10.0.2 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/256">#256</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/5d7307be63501c0070c634b0ae8fec74e8208130">5d7307b</a>)</li>
<li><strong>deps:</strong> bump glob from 10.4.5 to 10.5.0 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/305">#305</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/5480f4325a18c025ee16d7e081413854624e9edc">5480f43</a>)</li>
<li><strong>deps:</strong> bump p-retry from 6.2.1 to 7.1.0 (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/294">#294</a>)
(<a
href="https://github.com/actions/create-github-app-token/commit/dce3be8b284f45e65caed11a610e2bef738d15b4">dce3be8</a>)</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/create-github-app-token/commit/f8d387b68d61c58ab83c6c016672934102569859"><code>f8d387b</code></a>
build(release): 3.0.0 [skip ci]</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/d2129bd463d4feb8723edeea9437baa7db58e41e"><code>d2129bd</code></a>
style: remove extra blank line in release workflow</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/77b94efc3e5f99a45abdd163fe04a4ebb95e98d6"><code>77b94ef</code></a>
build: refresh generated artifacts</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/3ab4c6689898955f913a485593b36b197c6dbbdc"><code>3ab4c66</code></a>
chore: move undici to devDependencies</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/739cf66feb937a443e4b6b7626bedd98f9fef6df"><code>739cf66</code></a>
docs: update README action versions</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/db40289976a36527816d4f6f45765fdee71f134b"><code>db40289</code></a>
build(deps): bump actions versions in test.yml</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/496a7ac4eb472eeac44d67818d1ce7f5e9e5fc97"><code>496a7ac</code></a>
test: migrate from AVA to Node.js native test runner (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/346">#346</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/3870dc3051e3f1fc3a2faa17bcbb00f31fe1dd6c"><code>3870dc3</code></a>
Rename end-to-end proxy job in test workflow</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/4451bcbc139f8124b0bf04f968ea2586b17df458"><code>4451bcb</code></a>
fix!: require <code>NODE_USE_ENV_PROXY</code> for proxy support (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/342">#342</a>)</li>
<li><a
href="https://github.com/actions/create-github-app-token/commit/dce0ab05f36f30b22fd14289fd36655c618e4e8e"><code>dce0ab0</code></a>
fix: remove custom proxy handling (<a
href="https://redirect.github.com/actions/create-github-app-token/issues/143">#143</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/create-github-app-token/compare/29824e69f54612133e76f7eaac726eef6c875baf...f8d387b68d61c58ab83c6c016672934102569859">compare
view</a></li>
</ul>
</details>
<br />

Updates `docker/setup-qemu-action` from 3.7.0 to 4.0.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/setup-qemu-action/releases">docker/setup-qemu-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.0.0</h2>
<ul>
<li>Node 24 as default runtime (requires <a
href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions
Runner v2.327.1</a> or later) by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/245">docker/setup-qemu-action#245</a></li>
<li>Switch to ESM and update config/test wiring by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/241">docker/setup-qemu-action#241</a></li>
<li>Bump <code>@​actions/core</code> from 1.11.1 to 3.0.0 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/244">docker/setup-qemu-action#244</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.67.0 to 0.77.0 in
<a
href="https://redirect.github.com/docker/setup-qemu-action/pull/243">docker/setup-qemu-action#243</a></li>
<li>Bump <code>@​isaacs/brace-expansion</code> from 5.0.0 to 5.0.1 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/240">docker/setup-qemu-action#240</a></li>
<li>Bump js-yaml from 3.14.1 to 3.14.2 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/231">docker/setup-qemu-action#231</a></li>
<li>Bump lodash from 4.17.21 to 4.17.23 in <a
href="https://redirect.github.com/docker/setup-qemu-action/pull/238">docker/setup-qemu-action#238</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/setup-qemu-action/compare/v3.7.0...v4.0.0">https://github.com/docker/setup-qemu-action/compare/v3.7.0...v4.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/ce360397dd3f832beb865e1373c09c0e9f86d70a"><code>ce36039</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/245">#245</a>
from crazy-max/node24</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/63863443c130689b5b352363f362c820cf73b26d"><code>6386344</code></a>
node 24 as default runtime</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/1ea3db7bfb6d247e5e3511955d6e476a8d400ef3"><code>1ea3db7</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/243">#243</a>
from docker/dependabot/npm_and_yarn/docker/actions-to...</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/b56a0022b9d517f4d4f8f8357e107e587548db78"><code>b56a002</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/c43f02d0c908d30161ad4230a59285d9e442956d"><code>c43f02d</code></a>
build(deps): bump <code>@​docker/actions-toolkit</code> from 0.67.0 to
0.77.0</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/ce10c58dd1801e20f2e65c72aff588c6fc5f6609"><code>ce10c58</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/244">#244</a>
from docker/dependabot/npm_and_yarn/actions/core-3.0.0</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/429fc9dbdab394ec482946ef7f7b60be3a169336"><code>429fc9d</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/060e5f8b59ae7d2a0e4dcf681f8625f0e54e2024"><code>060e5f8</code></a>
build(deps): bump <code>@​actions/core</code> from 1.11.1 to 3.0.0</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/44be13e7d9ba38145b648950e52ac18e2a4efd3a"><code>44be13e</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-qemu-action/issues/231">#231</a>
from docker/dependabot/npm_and_yarn/js-yaml-3.14.2</li>
<li><a
href="https://github.com/docker/setup-qemu-action/commit/1897438ed3baad455b19c89cda913ca4f31dd079"><code>1897438</code></a>
chore: update generated content</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/setup-qemu-action/compare/c7c53464625b32c7a7e944ae62b3e17d2b600130...ce360397dd3f832beb865e1373c09c0e9f86d70a">compare
view</a></li>
</ul>
</details>
<br />

Updates `docker/setup-buildx-action` from 3.12.0 to 4.0.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/setup-buildx-action/releases">docker/setup-buildx-action's
releases</a>.</em></p>
<blockquote>
<h2>v4.0.0</h2>
<ul>
<li>Node 24 as default runtime (requires <a
href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions
Runner v2.327.1</a> or later) by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/483">docker/setup-buildx-action#483</a></li>
<li>Remove deprecated inputs/outputs by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/464">docker/setup-buildx-action#464</a></li>
<li>Switch to ESM and update config/test wiring by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/481">docker/setup-buildx-action#481</a></li>
<li>Bump <code>@​actions/core</code> from 1.11.1 to 3.0.0 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/475">docker/setup-buildx-action#475</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.63.0 to 0.79.0 in
<a
href="https://redirect.github.com/docker/setup-buildx-action/pull/482">docker/setup-buildx-action#482</a>
<a
href="https://redirect.github.com/docker/setup-buildx-action/pull/485">docker/setup-buildx-action#485</a></li>
<li>Bump js-yaml from 4.1.0 to 4.1.1 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/452">docker/setup-buildx-action#452</a></li>
<li>Bump lodash from 4.17.21 to 4.17.23 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/472">docker/setup-buildx-action#472</a></li>
<li>Bump minimatch from 3.1.2 to 3.1.5 in <a
href="https://redirect.github.com/docker/setup-buildx-action/pull/480">docker/setup-buildx-action#480</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/setup-buildx-action/compare/v3.12.0...v4.0.0">https://github.com/docker/setup-buildx-action/compare/v3.12.0...v4.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd"><code>4d04d5d</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/485">#485</a>
from docker/dependabot/npm_and_yarn/docker/actions-to...</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/cd74e05d9bae4eeec789f90ba15dc6fb4b60ae5d"><code>cd74e05</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/eee38ec7b3ed034ee896d3e212e5d11c04562b84"><code>eee38ec</code></a>
build(deps): bump <code>@​docker/actions-toolkit</code> from 0.77.0 to
0.79.0</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/7a83f65b5a215b3c81b210dafdc20362bd2b4e24"><code>7a83f65</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/484">#484</a>
from docker/dependabot/github_actions/docker/setup-qe...</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/a5aa96747d67f62520b42af91aeb306e7374b327"><code>a5aa967</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/464">#464</a>
from crazy-max/rm-deprecated</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/e73d53fa4ed86ff46faaf2b13a228d6e93c51af3"><code>e73d53f</code></a>
build(deps): bump docker/setup-qemu-action from 3 to 4</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/28a438e9ed9ef7ae2ebd0bf839039005c9501312"><code>28a438e</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/setup-buildx-action/issues/483">#483</a>
from crazy-max/node24</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/034e9d37dd436b56b0167bea5a11ab731413e8cf"><code>034e9d3</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/b4664d8fd0ba15ff14560ab001737c666076d5be"><code>b4664d8</code></a>
remove deprecated inputs/outputs</li>
<li><a
href="https://github.com/docker/setup-buildx-action/commit/a8257dec35f244ad06b4ff6c90fdd2ba97f262ba"><code>a8257de</code></a>
node 24 as default runtime</li>
<li>Additional commits viewable in <a
href="https://github.com/docker/setup-buildx-action/compare/8d2750c68a42422c14e847fe6c8ac0403b4cbd6f...4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd">compare
view</a></li>
</ul>
</details>
<br />

Updates `docker/build-push-action` from 6.19.2 to 7.0.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/build-push-action/releases">docker/build-push-action's
releases</a>.</em></p>
<blockquote>
<h2>v7.0.0</h2>
<ul>
<li>Node 24 as default runtime (requires <a
href="https://github.com/actions/runner/releases/tag/v2.327.1">Actions
Runner v2.327.1</a> or later) by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1470">docker/build-push-action#1470</a></li>
<li>Remove deprecated <code>DOCKER_BUILD_NO_SUMMARY</code> and
<code>DOCKER_BUILD_EXPORT_RETENTION_DAYS</code> envs by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1473">docker/build-push-action#1473</a></li>
<li>Remove legacy export-build tool support for build summary by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1474">docker/build-push-action#1474</a></li>
<li>Switch to ESM and update config/test wiring by <a
href="https://github.com/crazy-max"><code>@​crazy-max</code></a> in <a
href="https://redirect.github.com/docker/build-push-action/pull/1466">docker/build-push-action#1466</a></li>
<li>Bump <code>@​actions/core</code> from 1.11.1 to 3.0.0 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1454">docker/build-push-action#1454</a></li>
<li>Bump <code>@​docker/actions-toolkit</code> from 0.62.1 to 0.79.0 in
<a
href="https://redirect.github.com/docker/build-push-action/pull/1453">docker/build-push-action#1453</a>
<a
href="https://redirect.github.com/docker/build-push-action/pull/1472">docker/build-push-action#1472</a>
<a
href="https://redirect.github.com/docker/build-push-action/pull/1479">docker/build-push-action#1479</a></li>
<li>Bump minimatch from 3.1.2 to 3.1.5 in <a
href="https://redirect.github.com/docker/build-push-action/pull/1463">docker/build-push-action#1463</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-action/compare/v6.19.2...v7.0.0">https://github.com/docker/build-push-action/compare/v6.19.2...v7.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/docker/build-push-action/commit/d08e5c354a6adb9ed34480a06d141179aa583294"><code>d08e5c3</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1479">#1479</a>
from docker/dependabot/npm_and_yarn/docker/actions-t...</li>
<li><a
href="https://github.com/docker/build-push-action/commit/cbd2dff9a0f0ef650dcce9c635bb2f877ab37be5"><code>cbd2dff</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/build-push-action/commit/f76f51f12900bb84aa9d1a498f35870ef1f76675"><code>f76f51f</code></a>
chore(deps): Bump <code>@​docker/actions-toolkit</code> from 0.78.0 to
0.79.0</li>
<li><a
href="https://github.com/docker/build-push-action/commit/7d03e66b5f24d6b390ab64b132795fd3ef4152c8"><code>7d03e66</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1473">#1473</a>
from crazy-max/rm-deprecated-envs</li>
<li><a
href="https://github.com/docker/build-push-action/commit/98f853d923dd281a3bcbbb98a0712a91aa913322"><code>98f853d</code></a>
chore: update generated content</li>
<li><a
href="https://github.com/docker/build-push-action/commit/cadccf6e8c7385c86d9cb0800cf07672645cc238"><code>cadccf6</code></a>
remove deprecated envs</li>
<li><a
href="https://github.com/docker/build-push-action/commit/03fe8775e325e34fffbda44c73316f8287aea372"><code>03fe877</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1478">#1478</a>
from docker/dependabot/github_actions/docker/setup-b...</li>
<li><a
href="https://github.com/docker/build-push-action/commit/827e36650e1fa7386d09422b5ba3c068fdbe0a1d"><code>827e366</code></a>
chore(deps): Bump docker/setup-buildx-action from 3 to 4</li>
<li><a
href="https://github.com/docker/build-push-action/commit/e25db879d025485a4eebd64fea9bb88a43632da6"><code>e25db87</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1474">#1474</a>
from crazy-max/rm-export-build-tool</li>
<li><a
href="https://github.com/docker/build-push-action/commit/1ac2573b5c8b4e4621d5453ab2a99e83725242bd"><code>1ac2573</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1470">#…

Author: dependabot[bot]

.github/actions/create-system-test-docker-base-images/action.yml

@@ -37,18 +37,18 @@ runs:
         cp ./tracer/build/_build/docker/system-tests.dockerfile ${{inputs.artifacts_path}}
 
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+      uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 
     - name: Set up Docker Buildx
       id: buildx
-      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f #v3.12.0
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
 
     - name: Login to Docker
       shell: bash
       run: docker login -u publisher -p ${{ inputs.github_token }} ghcr.io
 
     - name: Docker Build linux-x64 and linux-arm64 images
-      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+      uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
       with:
         push: true
         tags: ghcr.io/datadog/dd-trace-dotnet/dd-trace-dotnet:${{ inputs.image_tag || 'latest_snapshot' }}

.github/actions/publish-debug-symbols/action.yml

@@ -32,7 +32,7 @@ runs:
   steps:
     # datadog-ci needs the version 20 (https://github.com/DataDog/profiling-backend/blob/prod/debug-symbol-upload/Dockerfile#L6)
     - name: Install Node
-      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
       with:
         node-version: 20
 

.github/workflows/_create_draft_release.yml

@@ -70,7 +70,7 @@ jobs:
           echo "Using sha $commitsha"
           echo "sha=${commitsha}" >> $GITHUB_OUTPUT
 
-      - uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
+      - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
         with:
           global-json-file: global.json
 
@@ -112,7 +112,7 @@ jobs:
 
       - name: Get GitHub Token via dd-octo-sts
         id: generate-token
-        uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         with:
           scope: DataDog/dd-trace-dotnet
           policy: self.github.create-draft-release
@@ -152,7 +152,7 @@ jobs:
           GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
 
       - name: Create Release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           token: "${{ steps.generate-token.outputs.token }}"
           draft: true

.github/workflows/auto-trigger-aas-release.yml

@@ -13,7 +13,7 @@ jobs:
     steps:
       - name: Get GitHub Token via dd-octo-sts
         id: octo-sts
-        uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         with:
           scope: DataDog/datadog-aas-extension
           policy: dd-trace-dotnet.github.trigger-aas-release

.github/workflows/auto_add_vnext_milestone_to_pr.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
+      - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
         with:
           global-json-file: global.json
 

.github/workflows/auto_check_snapshots.yml

@@ -17,7 +17,7 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
+      - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
         with:
           global-json-file: global.json
 

.github/workflows/auto_create_version_bump_pr.yml

@@ -25,7 +25,7 @@ jobs:
         run: git config --system core.longpaths true
 
       - name: Get dd-octo-sts token
-        uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         id: octo-sts
         with:
           scope: DataDog/dd-trace-dotnet
@@ -52,7 +52,7 @@ jobs:
           git config user.name "${{ github.actor }}"
           git config user.email "${{ github.actor }}@users.noreply.github.com"
 
-      - uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
+      - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
         with:
           global-json-file: global.json
 

.github/workflows/auto_delete_hotfix_branch_post_release.yml

@@ -29,7 +29,7 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
+      - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
         with:
           global-json-file: global.json
 

.github/workflows/auto_deploy_aas_test_apps.yml

@@ -51,7 +51,7 @@ jobs:
       - name: Get GitHub Token via dd-octo-sts
         if: env.stop != 'true'
         id: octo-sts
-        uses: DataDog/dd-octo-sts-action@acaa02eee7e3bb0839e4272dacb37b8f3b58ba80 # v1.0.3
+        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
         with:
           scope: DataDog/datadog-aas-extension
           policy: dd-trace-dotnet.github.deploy-aas-dev-apps

.github/workflows/auto_label_prs.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
+      - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
         with:
           global-json-file: global.json