chore(deps): update github actions

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout (changelog)	action	digest	de0fac2 → df4cb1c
actions/checkout	action	patch	v6.0.2 → v6.0.3
actions/dependency-review-action	action	minor	v4.8.3 → v4.9.0
actions/setup-java	action	minor	v5.2.0 → v5.3.0
benc-uk/workflow-dispatch	action	patch	v1.3.0 → v1.3.2
gradle/actions (changelog)	action	digest	f29f5a9 → 0723195
gradle/actions	action	patch	v5.0.1 → v5.0.2
softprops/action-gh-release	action	minor	v2.5.0 → v2.6.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

actions/dependency-review-action (actions/dependency-review-action)

v4.9.0: Dependency Review Action 4.9.0

Compare Source

This feature release contains a couple of notable changes:

• There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
• Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
• There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

• Compare normalized purls to account for encoding quirks by @​juxtin in #​1056
• Make purl comparisons case insensitive by @​juxtin in #​1057
• Feat: Add Patched Version to Vulnerabilities summary by @​felickz in #​1045
• fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @​jantiebot in #​1060
• Bump actions/stale from 10.1.0 to 10.2.0 by @​dependabot[bot] in #​1058
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in #​1021
• Updates for release 4.9.0 by @​ahpook in #​1064

New Contributors

• @​jantiebot made their first contribution in #​1060

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

actions/setup-java (actions/setup-java)

v5.3.0

Compare Source

What's Changed

• chore: update Java version to 25 in setup examples by @​alaahong in #​969
• Bump minimatch from 3.1.2 to 3.1.5 by @​dependabot[bot] in #​984
• Refactor error handling and improve test logging for installers by @​chiranjib-swain in #​989
• chore: upgrade dependencies (@​actions/core, cache, glob, http-client, tool-cache, xmlbuilder2) by @​Copilot in #​999
• Add Oracle JDK 17 licensing limitation note by @​mahabaleshwars in #​1001
• Update readme for ubuntu sudo java_home behavior by @​mahabaleshwars in #​1013
• temurin: add support for Alpine Linux by @​gdams in #​674
• fix: resolve npm audit vulnerabilities in fast-xml-builder and fast-xml-parser by @​gdams in #​1015
• Bump @​typescript-eslint/eslint-plugin from 8.35.1 to 8.48.0 by @​dependabot[bot] in #​952
• Bump eslint-config-prettier from 8.10.0 to 10.1.8 by @​dependabot[bot] in #​881
• Bump picomatch, @​types/jest, jest, jest-circus and ts-jest by @​dependabot[bot] in #​1016
• Bump @​types/node from 24.1.0 to 25.9.3 by @​dependabot[bot] in #​950
• Implement pagination with link headers for Adoptium based apis by @​johnoliver in #​1014
• Make the Adoptopenjdk package type look at the Temurin repo first for latest assets by @​johnoliver in #​522
• Bump @​vercel/ncc from 0.38.1 to 0.44.0 by @​dependabot[bot] in #​1018

New Contributors

• @​alaahong made their first contribution in #​969
• @​Copilot made their first contribution in #​999
• @​johnoliver made their first contribution in #​1014

Full Changelog: actions/setup-java@v5...v5.3.0

benc-uk/workflow-dispatch (benc-uk/workflow-dispatch)

v1.3.2

Compare Source

What's changed since v1.3.1

Added

• New wait-interval-seconds input to control how often the action polls when wait-for-completion: true. (#​98)

Fixed

• Pass X-GitHub-Api-Version: 2026-03-10 on the dispatch and run-status REST calls. Removes the GitHub REST API deprecation warning emitted on every run and makes behaviour deterministic against future default-version changes. (#​103, fixes #​99)

Docs

• Document the existing sync-status input. (#​93)
• Document wait-interval-seconds in the README. (#​100)
• Fix typo in README for the wait-for-completion option. (#​101)

Notes

• No breaking changes. No changes to action.yaml inputs/outputs beyond what was already in v1.3.1.
• The floating v1 and v1.3 tags have been moved to point at v1.3.2.

Full changelog: benc-uk/workflow-dispatch@v1.3.1...v1.3.2

v1.3.1

Compare Source

Features

• New sync-status input — when used with wait-for-completion, mirrors the triggered workflow's conclusion (failure/cancelled) back to this action's status (#​84)
• Alternate ref default for PRs — automatically uses github.head_ref when running in a pull request context, avoiding refs/pull/.../merge errors (#​79)

Bug Fixes

• Safer JSON input parsing — invalid inputs JSON now logs an error instead of throwing an unhandled exception (#​84)
• Improved timeout handling — timeout now sets a distinct timed_out status and emits a warning instead of silently breaking (#​84)
• Improved warning message formatting for workflow run timeout

Internal Changes & Chores

• Replaced console.log calls with core.info for proper Actions log integration (#​84)
• Removed stale ref/inputs parameters from the workflow list API call (#​84)
• Expanded CI test matrix from 3 sequential steps to 9 parallel test jobs covering workflow lookup, output assertions, wait-for-completion, sync-status, and error handling (#​84)
• Added CI path filters to skip docs-only changes (#​84)
• Changed echo-3 test fixture from workflow_call to workflow_dispatch with deterministic failure (#​84)
• Removed unused .vscode/settings.json (#​84)
• Added .github/copilot-instructions.md (#​84)
• General project chores

Documentation Updates

• No documentation updates in this release

gradle/actions (gradle/actions)

v5.0.2

Compare Source

Summary

This release contains no functional changes. It updates dependencies and known Gradle wrapper checksums.

What's Changed

• Update dependencies by @​bigdaz in #​851
• Bump the github-actions group across 2 directories with 3 updates by @​dependabot[bot] in #​850
• Update DV config by @​bigdaz in #​848
• Convert project to ESM and update dependencies by @​bigdaz in #​854
• Workflow fixes by @​bigdaz in #​856
• Remove superfluous text from log message by @​bigdaz in #​861
• Bump the github-actions group across 1 directory with 2 updates by @​dependabot[bot] in #​860
• Bump the npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​859
• Update known wrapper checksums by @​github-actions[bot] in #​857
• Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.21.0 to 2.21.1 in /sources/test/init-scripts in the gradle group across 1 directory by @​dependabot[bot] in #​862
• Bump the npm-dependencies group in /sources with 2 updates by @​dependabot[bot] in #​863
• Bump github/codeql-action from 4.32.3 to 4.32.4 in the github-actions group across 1 directory by @​dependabot[bot] in #​864

Full Changelog: gradle/actions@v5.0.1...v5.0.2

softprops/action-gh-release (softprops/action-gh-release)

v2.6.2

Compare Source

What's Changed

Other Changes 🔄

• chore(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in #​775
• chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 by @​dependabot[bot] in #​777
• chore(deps): bump vite from 8.0.0 to 8.0.5 by @​dependabot[bot] in #​781

Full Changelog: softprops/action-gh-release@v2...v2.6.2

v2.6.1

Compare Source

2.6.1 is a patch release focused on restoring linked discussion thread creation when
discussion_category_name is set. It fixes #764, where the draft-first publish flow
stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: preserve discussion category on publish by @​chenrui333 in #​765

v2.6.0

Compare Source

2.6.0 is a minor release centered on previous_tag support for generate_release_notes,
which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync,
a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉

• feat: support previous_tag for generate_release_notes by @​pocesar in #​372

Bug fixes 🐛

• fix: recover concurrent asset metadata 404s by @​chenrui333 in #​760

Other Changes 🔄

• docs: clarify reused draft release behavior by @​chenrui333 in #​759
• docs: clarify working_directory input by @​chenrui333 in #​761
• ci: verify dist bundle freshness by @​chenrui333 in #​762
• fix: clarify immutable prerelease uploads by @​chenrui333 in #​763

v2.5.3

Compare Source

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2.
It fixes #639, #571, #280, #614, #311, #403, and #368.
It also adds documentation clarifications for #541, #645, #542, #393, and #411,
where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: prefer token input over GITHUB_TOKEN by @​chenrui333 in #​751
• fix: clean up duplicate drafts after canonicalization by @​chenrui333 in #​753
• fix: support Windows-style file globs by @​chenrui333 in #​754
• fix: normalize refs-tag inputs by @​chenrui333 in #​755
• fix: expand tilde file paths by @​chenrui333 in #​756

Other Changes 🔄

• docs: clarify token precedence by @​chenrui333 in #​752
• docs: clarify GitHub release limits by @​chenrui333 in #​758
• documentation clarifications for empty-token handling, preserve_order, and special-character asset filename behavior

Full Changelog: softprops/action-gh-release@v2...v2.5.3

v2.5.2

Compare Source

2.5.2 is a patch release focused on the remaining release-creation and prerelease regressions in the 2.5.x bug-fix cycle.
It fixes #705, fixes #708, fixes #740, fixes #741, and fixes #722.
Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels,
same-filename concurrent uploads, and blocked-tag cleanup behavior.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: canonicalize releases after concurrent create by @​chenrui333 in #​746
• fix: preserve prereleased events for prereleases by @​chenrui333 in #​748
• fix: restore dotfile asset labels by @​chenrui333 in #​749
• fix: handle upload already_exists races across workflows by @​api2062 in #​745
• fix: clean up orphan drafts when tag creation is blocked by @​chenrui333 in #​750

New Contributors

• @​api2062 made their first contribution in #​745

Full Changelog: softprops/action-gh-release@v2...v2.5.2

v2.5.1

Compare Source

2.5.1 is a patch release focused on regressions introduced in 2.5.0 and on release lookup reliability.
It fixes #713, addresses #703, and fixes #724. Regression testing shows that
current master no longer reproduces the finalize-race behavior reported in #704 and #709.

What's Changed

Bug fixes 🐛

• fix: fetch correct asset URL after finalization; test; some refactoring by @​pzhlkj6612 in #​738
• fix: release marked as 'latest' despite make_latest: false by @​Boshen in #​715
• fix: use getReleaseByTag API instead of iterating all releases by @​kim-em in #​725

Other Changes 🔄

• dependency updates, including the ESM/runtime compatibility refresh in #​731

New Contributors

• @​autarch made their first contribution in #​716
• @​pzhlkj6612 made their first contribution in #​738
• @​Boshen made their first contribution in #​715
• @​kim-em made their first contribution in #​725

Full Changelog: softprops/action-gh-release@v2...v2.5.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.