Bump the github-actions group with 6 updates

[dependabot]

Bumps the github-actions group with 6 updates:

Package	From	To
step-security/harden-runner	2.14.1	2.15.0
bazelbuild/continuous-integration	9b7cb1c30e7923069f0b72f7c47a05947f0f0a96	df91d114ca0acb33384683a042313c0f9ebe664a
actions/checkout	4	6
actions/upload-artifact	6.0.0	7.0.0
github/codeql-action	4.32.0	4.32.4
actions/stale	10.1.1	10.2.0

Updates step-security/harden-runner from 2.14.1 to 2.15.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.15.0

What's Changed

Windows and macOS runner support

We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.

Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.

Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0

v2.14.2

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

Commits

• a90bcbc Update readme (#637)
• f0a59d8 Release v2.15.0 (#639)
• 5ef0c07 Merge pull request #635 from step-security/rc-34
• eb43c7b update agent
• See full diff in compare view

Updates bazelbuild/continuous-integration from 9b7cb1c30e7923069f0b72f7c47a05947f0f0a96 to df91d114ca0acb33384683a042313c0f9ebe664a

Changelog

Sourced from bazelbuild/continuous-integration's changelog.

Bazel Release Playbook

This is the guide to conducting a Bazel release. This is especially relevant for release managers, but will be of interest to anyone who is curious about the release process.

Preface

For future reference and release managers - the release manager playbook should be treated like an IKEA manual. That means: Do not try to be smart, optimize / skip / reorder steps, otherwise chaos will ensue. Just follow it and the end result will be.. well, a usable piece of furniture, or a Bazel release (depending on the manual).

Like aviation and workplace safety regulations, the playbook is written in the tears and blood of broken Bazelisks, pipelines, releases and Git branches. Assume that every step is exactly there for a reason, even if it might not be obvious. If you follow them to the letter, they are not error prone. Errors have only happened in the past, when a release manager thought it's ok to follow them by spirit instead. ;)

-- @​philwo

One-time setup

These steps only have to be performed once, ever.

• Make sure you are a member of the Bazel Release Managers team on GitHub.
• Make sure you are a member of the Bazel release-managers group on BuildKite. If that link does not work for you, ask one of the Buildkite org admins to add you to the group.
• Set up github ssh key if you haven't already.
  • https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/
• Generate a new identifier for Google's internal Git mirror: https://bazel.googlesource.com/new-password (and paste the code in your shell).
• Log in to the Gerrit UI to create an account: https://bazel-review.git.corp.google.com/ (without this step, you will see errors such as error_type: PERMISSION_DENIED_BY_GERRIT_ACL and "\'git push\' requires a Gerrit user account." when running the release script.

Preparing a new release

1. Create a release blockers milestone named "X.Y.Z release blockers" (case-sensitive), where we keep track of issues that must be resolved before the release goes out.
   • Set the (tentative) release date.
   • Add this description: Issues that need to be resolved before the X.Y.Z release..
   • Refer to this example
2. Create a release tracking issue to keep the community updated about the progress of the release. See example. Pin this issue.
3. Create the branch for the release. The branch should always be named release-X.Y.Z (the .Z part is important). Cherry-pick PRs will be sent against this branch.
   • The actual creation of the branch can be done via the GitHub UI or via the command line. For minor and patch releases, create the branch from the previous release tag, if possible. How we choose the base commit of the branch depends on the type of the release:
   • For patch releases (X.Y.Z where Z>0), the base commit should simply be X.Y.(Z-1).
   • For minor releases (X.Y.0 where Y>0), the base commit should typically be X.(Y-1).<current max Z>.
   • For major releases (X.0.0), the base commit is some "healthy" commit on the main branch.
     • This means that there's an extra step involved in preparing the release -- "cutting" the release branch, so to speak. For this, check the Bazel@HEAD+Downstream pipeline. The branch cut should happen on a green commit there; if the pipeline is persistently red, work with the Green Team to resolve it first and delay the branch cut as needed.
     • A first release candidate should immediately be created after the release branch is created. See create a release candidate below.

... (truncated)

Commits

• df91d11 Add pre-commit hook to detect leaks of secrets. (#2476)
• 9bc61e6 Add three new features to matrix expansions (#2477)
• 2b59e11 feat: add a helper command to print tasks (#2474)
• d0fb1ad Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#2473)
• f104ead Add terraform workflow (#2472)
• 7b5e90f Revert "Add type annotations for buildkite/*.py" (#2469)
• 680136b Improve docker image build script (#2462)
• 3668115 Delete obsolete MacOS scripts (#2467)
• 8968154 moving back from disabled to downstream pipeline. (#2464)
• 83c1c10 Update bazel slack invite link
• Additional commits viewable in compare view

Updates actions/checkout from 4 to 6

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043

... (truncated)

Commits

• de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
• 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• 08c6903 Prepare v5.0.0 release (#2238)
• Additional commits viewable in compare view

Updates actions/upload-artifact from 6.0.0 to 7.0.0

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in actions/upload-artifact#754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in actions/upload-artifact#762
• Support direct file uploads by @​danwkennedy in actions/upload-artifact#764

New Contributors

• @​Link- made their first contribution in actions/upload-artifact#754

Full Changelog: actions/upload-artifact@v6...v7.0.0

Commits

• bbbca2d Support direct file uploads (#764)
• 589182c Upgrade the module to ESM and bump dependencies (#762)
• 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
• 02a8460 Add proxy integration test
• See full diff in compare view

Updates github/codeql-action from 4.32.0 to 4.32.4

Release notes

Sourced from github/codeql-action's releases.

v4.32.4

• Update default CodeQL bundle version to 2.24.2. #3493
• Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
• When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
• Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
• Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

v4.32.3

• Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

v4.32.2

• Update default CodeQL bundle version to 2.24.1. #3460

v4.32.1

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #3421

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.32.4 - 20 Feb 2026

• Update default CodeQL bundle version to 2.24.2. #3493
• Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
• When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
• Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
• Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

4.32.3 - 13 Feb 2026

• Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

4.32.2 - 05 Feb 2026

• Update default CodeQL bundle version to 2.24.1. #3460

4.32.1 - 02 Feb 2026

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #3421

4.32.0 - 26 Jan 2026

• Update default CodeQL bundle version to 2.24.0. #3425

4.31.11 - 23 Jan 2026

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #3409
• Improved error handling throughout the CodeQL Action. #3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #3403

4.31.10 - 12 Jan 2026

• Update default CodeQL bundle version to 2.23.9. #3393

4.31.9 - 16 Dec 2025

No user facing changes.

4.31.8 - 11 Dec 2025

... (truncated)

Commits

• 89a39a4 Merge pull request #3494 from github/update-v4.32.4-39ba80c47
• e5d84c8 Apply remaining review suggestions
• 0c20209 Apply suggestions from code review
• 314172e Fix typo
• cdda72d Add changelog entries
• cfda84c Update changelog for v4.32.4
• 39ba80c Merge pull request #3493 from github/update-bundle/codeql-bundle-v2.24.2
• 00150da Add changelog note
• d97dce6 Update default bundle to codeql-bundle-v2.24.2
• 50fdbb9 Merge pull request #3492 from github/henrymercer/new-repository-properties-ff
• Additional commits viewable in compare view

Updates actions/stale from 10.1.1 to 10.2.0

Release notes

Sourced from actions/stale's releases.

v10.2.0

What's Changed

Bug Fix

• Fix checking state cache (fix #1136) and switch to Octokit helper methods by @​itchyny in actions/stale#1152

Dependency Updates

• Upgrade js-yaml from 4.1.0 to 4.1.1 by @​dependabot in actions/stale#1304
• Upgrade lodash from 4.17.21 to 4.17.23 by @​dependabot in actions/stale#1313
• Upgrade actions/cache from 4.0.3 to 5.0.2 and actions/github from 5.1.1 to 7.0.0 by @​chiranjib-swain in actions/stale#1312

New Contributors

• @​itchyny made their first contribution in actions/stale#1152

Full Changelog: actions/stale@v10...v10.2.0

Commits

• b5d41d4 build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#1313)
• dcd2b94 Fix punycode and url.parse Deprecation Warnings (#1312)
• d6f8a33 build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#1304)
• a21a081 Fix checking state cache (fix #1136), also switch to octokit methods (#1152)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions