build(deps): bump the actions group across 1 directory with 13 updates

[dependabot]

Bumps the actions group with 13 updates in the / directory:

Package	From	To
actions/create-github-app-token	2.0.6	3.2.0
actions/add-to-project	1.0.2	2.0.0
actions/checkout	6.0.2	6.0.3
actions/setup-node	6.3.0	6.4.0
pnpm/action-setup	5.0.0	6.0.8
peaceiris/actions-gh-pages	4.0.0	4.1.0
actions/dependency-review-action	4.9.0	5.0.0
shivammathur/setup-php	2.37.0	2.37.2
actions/cache	5.0.4	5.0.5
actions/upload-artifact	7.0.0	7.0.1
docker/setup-buildx-action	4.0.0	4.1.0
codecov/codecov-action	6.0.0	7.0.0
peter-evans/create-pull-request	7.0.8	8.1.1

Updates actions/create-github-app-token from 2.0.6 to 3.2.0

Release notes

Sourced from actions/create-github-app-token's releases.

v3.2.0

3.2.0 (2026-05-12)

Features

• add support for enterprise-level GitHub Apps (#263) (952a2a7)
• support full repository names in repositories input (#372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#364) (43e5c34)
• validate private-key input (#376) (f24bbd8)

v3.1.1

3.1.1 (2026-04-11)

Bug Fixes

• improve error message when app identifier is empty (#362) (07e2b76), closes #249

v3.1.0

3.1.0 (2026-04-11)

Bug Fixes

• deps: bump p-retry from 7.1.1 to 8.0.0 (#357) (3bbe07d)

Features

• add client-id input and deprecate app-id (#353) (e6bd4e6)
• update permission inputs (#358) (076e948)

v3.0.0

3.0.0 (2026-03-14)

• feat!: node 24 support (#275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#143) (dce0ab0)

... (truncated)

Changelog

Sourced from actions/create-github-app-token's changelog.

Changelog

3.2.0 (2026-05-12)

Features

• add support for enterprise-level GitHub Apps (#263) (952a2a7)
• support full repository names in repositories input (#372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#364) (43e5c34)
• validate private-key input (#376) (f24bbd8)

Commits

• bcd2ba4 chore(main): release 3.2.0 (#370)
• f24bbd8 fix: validate private-key input (#376)
• 363531b docs: capitalize Git as a proper noun in README (#374)
• fd28011 docs: update procedure to configure Git (#287)
• 85eb8dd feat: support full repository names in repositories input (#372)
• c9aabb8 build(deps-dev): bump yaml from 2.8.3 to 2.8.4 in the development-dependencie...
• e02e816 build(deps-dev): bump undici from 7.24.6 to 8.2.0 (#366)
• 8d835bf build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 in the development-depend...
• 952a2a7 feat: add support for enterprise-level GitHub Apps (#263)
• 43e5c34 fix(deps): bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependenc...
• Additional commits viewable in compare view

Updates actions/add-to-project from 1.0.2 to 2.0.0

Release notes

Sourced from actions/add-to-project's releases.

v2

What's Changed

• Update instructions for fine grained PAT by @​talune in actions/add-to-project#596
• build(deps-dev): bump prettier from 3.2.5 to 3.3.2 by @​dependabot[bot] in actions/add-to-project#594
• build(deps-dev): bump eslint-plugin-github from 4.10.2 to 5.0.1 by @​dependabot[bot] in actions/add-to-project#593
• Resolve Regular Expression syntax checking errors by @​talune in actions/add-to-project#598
• build(deps-dev): bump typescript from 5.4.5 to 5.5.2 by @​dependabot[bot] in actions/add-to-project#595
• build(deps-dev): bump ts-jest from 29.1.5 to 29.3.0 by @​dependabot[bot] in actions/add-to-project#675
• Batch updating some dependencies for vulns by @​TylerDixon in actions/add-to-project#679
• build(deps): bump undici from 5.28.4 to 5.28.5 by @​dependabot[bot] in actions/add-to-project#662
• build(deps-dev): bump eslint-plugin-prettier from 5.1.3 to 5.2.5 by @​dependabot[bot] in actions/add-to-project#682
• Have dependabot also run builds as another commit when creating PRs by @​TylerDixon in actions/add-to-project#684
• build(deps): bump @​octokit/request-error from 5.1.1 to 6.1.7 by @​dependabot[bot] in actions/add-to-project#683
• build(deps): bump @​octokit/request from 8.4.1 to 9.2.2 by @​dependabot[bot] in actions/add-to-project#681
• Bump eslint-plugin-jest from 28.6.0 to 28.11.0 by @​dependabot[bot] in actions/add-to-project#685
• Bump @​types/node from 16.18.101 to 22.13.14 by @​dependabot[bot] in actions/add-to-project#686
• Bump @​types/jest from 29.5.12 to 29.5.14 by @​dependabot[bot] in actions/add-to-project#687
• Bump @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot[bot] in actions/add-to-project#688
• Bump ts-jest from 29.3.0 to 29.3.2 by @​dependabot[bot] in actions/add-to-project#694
• chore: removes sourcemap-register from build step by @​andrialexandrou in actions/add-to-project#696
• Bump @​octokit/plugin-paginate-rest from 9.2.2 to 13.0.1 by @​dependabot[bot] in actions/add-to-project#699
• Bump ts-jest from 29.3.2 to 29.4.0 by @​dependabot[bot] in actions/add-to-project#703
• Bump @​types/node from 22.13.14 to 24.0.12 by @​dependabot[bot] in actions/add-to-project#709
• Potential fix for code scanning alert no. 6: Workflow does not contain permissions by @​wiinci in actions/add-to-project#715
• Potential fix for code scanning alert no. 5: Workflow does not contain permissions by @​wiinci in actions/add-to-project#716
• Potential fix for code scanning alert no. 7: Workflow does not contain permissions by @​wiinci in actions/add-to-project#717
• Fix code scanning alert:missing regex anchor by @​wiinci in actions/add-to-project#719
• Add Missing Languages to CodeQL Advanced Configuration by @​KyFaSt in actions/add-to-project#710
• Bump @​octokit/request from 9.2.2 to 10.0.3 by @​dependabot[bot] in actions/add-to-project#705
• Bump concurrently from 8.2.2 to 9.2.0 by @​dependabot[bot] in actions/add-to-project#707
• Bump prettier from 3.3.2 to 3.6.2 by @​dependabot[bot] in actions/add-to-project#721
• Bump concurrently from 9.2.0 to 9.2.1 by @​dependabot[bot] in actions/add-to-project#722
• Bump @​types/node from 24.0.12 to 24.5.2 by @​dependabot[bot] in actions/add-to-project#730
• Bump actions/checkout from 4 to 5 by @​dependabot[bot] in actions/add-to-project#714
• Bump actions/setup-node from 4 to 5 by @​dependabot[bot] in actions/add-to-project#726
• build(deps-dev): bump @​typescript-eslint/parser from 7.14.1 to 7.18.0 by @​dependabot[bot] in actions/add-to-project#616
• Bump ts-jest from 29.4.1 to 29.4.5 by @​dependabot[bot] in actions/add-to-project#742
• Bump js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in actions/add-to-project#750
• Bump actions/upload-artifact from 4 to 5 by @​dependabot[bot] in actions/add-to-project#748
• Bump github/codeql-action from 3 to 4 by @​dependabot[bot] in actions/add-to-project#741
• Bump jest and @​types/jest by @​dependabot[bot] in actions/add-to-project#743
• Bump actions/setup-node from 5 to 6 by @​dependabot[bot] in actions/add-to-project#744
• Consolidate ESLint 9 and TypeScript ESLint 8 dependency updates by @​Copilot in actions/add-to-project#751
• Bump @​octokit/request-error from 6.1.8 to 7.1.0 by @​dependabot[bot] in actions/add-to-project#757
• Bump globals from 15.15.0 to 16.5.0 by @​dependabot[bot] in actions/add-to-project#756
• Bump @​octokit/plugin-paginate-rest from 13.1.1 to 14.0.0 by @​dependabot[bot] in actions/add-to-project#754
• Bump @​vercel/ncc from 0.38.3 to 0.38.4 by @​dependabot[bot] in actions/add-to-project#753
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in actions/add-to-project#752
• Bump eslint from 9.39.1 to 9.39.2 by @​dependabot[bot] in actions/add-to-project#759
• Bump ts-jest from 29.4.5 to 29.4.6 by @​dependabot[bot] in actions/add-to-project#760

... (truncated)

Commits

• 5afcf98 Merge pull request #712 from salmanmkc/node24
• ffed68f Merge main and update action runtime to Node 24
• 27022a1 Merge pull request #777 from actions/dependabot/npm_and_yarn/types/node-25.5.0
• cc89d2e Merge pull request #778 from actions/dependabot/npm_and_yarn/globals-17.4.0
• ef8e6ff Merge pull request #779 from actions/dependabot/npm_and_yarn/eslint-plugin-je...
• eb406b3 Merge pull request #780 from actions/dependabot/npm_and_yarn/handlebars-4.7.9
• bb8d4d7 Bump handlebars from 4.7.8 to 4.7.9
• a6fcf8b Bump eslint-plugin-jest from 29.12.1 to 29.15.1
• b35f5d3 Bump globals from 17.0.0 to 17.4.0
• 036fea0 Bump @​types/node from 25.0.3 to 25.5.0
• Additional commits viewable in compare view

Updates actions/checkout from 6.0.2 to 6.0.3

Release notes

Sourced from actions/checkout's releases.

v6.0.3

What's Changed

• Update changelog by @​ericsciple in actions/checkout#2357
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414
• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• Update changelog for v6.0.3 by @​yaananth in actions/checkout#2446

New Contributors

• @​yaananth made their first contribution in actions/checkout#2414

Full Changelog: actions/checkout@v6...v6.0.3

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.3

• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774

... (truncated)

Commits

• df4cb1c Update changelog for v6.0.3 (#2446)
• 1cce339 Fix checkout init for SHA-256 repositories (#2439)
• 900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
• 0c366fd Update changelog (#2357)
• See full diff in compare view

Updates actions/setup-node from 6.3.0 to 6.4.0

Release notes

Sourced from actions/setup-node's releases.

v6.4.0

What's Changed

Dependency updates:

• Upgrade @​actions dependencies by @​Copilot in actions/setup-node#1525
• Update Node.js versions in versions.yml and bump package to v6.4.0 by @​priya-kinthali in actions/setup-node#1533

New Contributors

• @​Copilot made their first contribution in actions/setup-node#1525

Full Changelog: actions/setup-node@v6...v6.4.0

Commits

• 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
• ab72c7e Upgrade @​actions dependencies (#1525)
• See full diff in compare view

Updates pnpm/action-setup from 5.0.0 to 6.0.8

Release notes

Sourced from pnpm/action-setup's releases.

v6.0.8

What's Changed

• docs(README): fix cache_dependency_path type by @​haines in pnpm/action-setup#257
• fix: drop patchPnpmEnv so standalone+self-update works on Windows by @​zkochan in pnpm/action-setup#258
• fix: update pnpm to 11.1.1 by @​mungodewar in pnpm/action-setup#248

New Contributors

• @​mungodewar made their first contribution in pnpm/action-setup#248

Full Changelog: pnpm/action-setup@v6.0.7...v6.0.8

v6.0.7

What's Changed

• fix: honor devEngines.packageManager.onFail=error (#252) by @​zkochan in pnpm/action-setup#254
• fix: restore inputs from state in post by @​haines in pnpm/action-setup#255
• fix: self-update bootstrap to packageManager-pinned version (#233) by @​zkochan in pnpm/action-setup#256

New Contributors

• @​haines made their first contribution in pnpm/action-setup#255

Full Changelog: pnpm/action-setup@v6.0.6...v6.0.7

v6.0.6

What's Changed

• fix: bin_dest output points to self-updated pnpm, not bootstrap by @​zkochan in pnpm/action-setup#249

Full Changelog: pnpm/action-setup@v6.0.5...v6.0.6

v6.0.5

What's Changed

• fix: append (not prepend) action node dir to PATH for npm bootstrap by @​zkochan in pnpm/action-setup#241

Full Changelog: pnpm/action-setup@v6.0.4...v6.0.5

v6.0.4

What's Changed

• fix: use npm co-located with the action node binary by @​benquarmby in pnpm/action-setup#239

New Contributors

• @​benquarmby made their first contribution in pnpm/action-setup#239

Full Changelog: pnpm/action-setup@v6.0.3...v6.0.4

v6.0.3

Updated pnpm to v11.0.0-rc.5

Full Changelog: pnpm/action-setup@v6.0.2...v6.0.3

... (truncated)

Commits

• 0e279bb fix: update pnpm to 11.1.1 (#248)
• 3e83581 fix: drop patchPnpmEnv so standalone+self-update works on Windows (#258)
• 551b42e docs(README): fix cache_dependency_path type (#257)
• 739bfe4 fix: self-update bootstrap to packageManager-pinned version (#233) (#256)
• f61705d chore: add CODEOWNERS
• 7a5507b fix: restore inputs from state in post (#255)
• 1155470 fix: honor devEngines.packageManager.onFail=error (#252) (#254)
• 91ab88e fix: bin_dest output points to self-updated pnpm, not bootstrap (#249)
• e578e19 fix: update pnpm to 11.0.4
• 8912a91 fix: append (not prepend) action node dir to PATH for npm bootstrap (#241)
• Additional commits viewable in compare view

Updates peaceiris/actions-gh-pages from 4.0.0 to 4.1.0

Release notes

Sourced from peaceiris/actions-gh-pages's releases.

actions-github-pages v4.1.0

See CHANGELOG.md for more details.

What's Changed

• Actions examples: update to modern versions of actions by @​clintonsteiner in peaceiris/actions-gh-pages#1117
• chore: update Node runtime and dependencies by @​peaceiris in peaceiris/actions-gh-pages#1147
• ci: harden GitHub Actions workflows by @​peaceiris in peaceiris/actions-gh-pages#1156

New Contributors

• @​clintonsteiner made their first contribution in peaceiris/actions-gh-pages#1117

Full Changelog: peaceiris/actions-gh-pages@v4.0.0...v4.1.0

Changelog

Sourced from peaceiris/actions-gh-pages's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

4.1.0 (2026-05-12)

chore

• add .codex/ (94ae2d2)
• add hasInstallScript true (494ec9b)
• update Node runtime and dependencies (#1147) (954f6bf), closes #1147

ci

• change automerge to false (4b09552)
• harden GitHub Actions workflows (#1156) (aa0466c), closes #1156

docs

• add repository guidelines (a1f94b5)
• bump to v4 from v3 (a16b61f)
• fix note style (0b7567f)
• update versions of actions (#1117) (aa83d0c), closes #1117

4.0.0 (2024-04-08)

build

• node 20.11.1 (5049354)

chore

• bump node16 to node20 (#1067) (4eb285e), closes #1067
• downgrade engines.npm to 8.0.0 (87231bc)

ci

• pin node-version to 18 (#981) (65ebf11), closes #981

docs

• add Release Strategy (67f80d9)
• fix link to Nuxt github-pages (#980) (88b4d2a), closes #980
• remove braces in if conditions (#920) (0fbd122), closes #920

... (truncated)

Commits

• 84c30a8 chore(release): 4.1.0
• 6fa0f50 chore(release): Add build assets
• 3b7506a chore(deps): update dependency trim-newlines to v5 (#1158)
• aa0466c ci: harden GitHub Actions workflows (#1156)
• 31835fb chore(deps): update actions/labeler action to v6 (#1153)
• f4f1bc4 chore(deps): update peaceiris/actions-mdbook action to v2 (#1161)
• a5e4979 chore(deps): update dependency ubuntu to v24 (#1159)
• 6cc3bac chore(deps): update github/codeql-action action to v4 (#1160)
• 0d6e9f4 chore(deps): update actions/setup-node action to v6 (#1154)
• d70c101 chore(deps): update actions/upload-artifact action to v7 (#1155)
• Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.9.0 to 5.0.0

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in actions/dependency-review-action#1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in actions/dependency-review-action#1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in actions/dependency-review-action#1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in actions/dependency-review-action#1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in actions/dependency-review-action#1076
• Resolve security findings by @​AshelyTC in actions/dependency-review-action#1094
• v5.0.0 release branch by @​ahpook in actions/dependency-review-action#1098

New Contributors

• @​scottschreckengaust made their first contribution in actions/dependency-review-action#1084
• @​mongolyy made their first contribution in actions/dependency-review-action#1091
• @​Marukome0743 made their first contribution in actions/dependency-review-action#1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Commits

• a1d282b Merge pull request #1098 from actions/ahpook/v5-release
• eb6c199 update examples to show @​v5
• 3943c2c v5.0.0 release branch
• 454943c Merge pull request #1094 from actions/ashelytc/security-findings
• 6d92a12 revert @​typescript-eslint/parser update
• a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
• b6b7079 update @​typescript-eslint/parser to 8.40.0
• 821a21d update more dependencies
• 05aaaae run npm audit fix
• 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
• Additional commits viewable in compare view

Updates shivammathur/setup-php from 2.37.0 to 2.37.2

Release notes

Sourced from shivammathur/setup-php's releases.

2.37.2

Changelog

• Fixed macOS setup by marking shivammathur/php and shivammathur/extensions as trusted taps.

• Switched to Visual Studio 18 (vs18) builds for PHP 8.6 on Windows.

• Improved looking up environment variables.

• Tightened security in internal GitHub action workflows.

• Updated Node.js dependencies.

For the complete list of changes, please refer to the Full Changelog

2.37.1

Changelog

Security Updates

• Fixed shell command escaping and PHP version input validation. (GHSA-pqwm-q9pv-ph8r / CVE-2026-46420)

[!NOTE] This can affect workflows that pass values from users or pull requests to setup-php, for example from comments, dispatch inputs, PR titles/branches, generated matrices, or files such as .php-version and composer.json. Be especially careful with pull_request_target workflows that use any value from the pull request. Workflows that only use fixed trusted values are not expected to be affected, but updating to 2.37.1 is recommended.

• Fixed GitHub auth handling for Composer versions affected by GHSA-f9f8-rm49-7jv2. It should now skip configuring GitHub OAuth if affected Composer versions are installed and show a warning to upgrade. (GHSA-5wxr-w449-57cm / CVE-2026-45793)

[!NOTE]
This only affects workflows where the composer version is pinned like composer:2.9.7, workflows that do not pin the version or use composer:v2 are not affected as those get automatic updates. In case you pin the version, it is highly recommended to upgrade and have automation to do such timely upgrades in your workflows.

Fixes and Improvements

• Fixed support for phalcon on Windows.

• Fixed restoring tools when using cached using previous runs.

• Improved enabling gearman extension on Linux.

• Fixed fallback when installing PhpManager and VcRedist modules on Windows.

• Fixed parsing extension inputs with backslash line continuation.

• Improved workflow examples

  • Added workflow examples for Drupal 11 composer-managed projects and WordPress plugins.

... (truncated)

Commits

• f3e473d Bump version to 2.37.2
• 8be473c Trust brew taps
• 083d523 Bump the github-actions group with 2 updates (#1085)
• a919ff5 Update FUNDING.yml
• deb2299 Harden GitHub Actions workflows
• 5825be4 Harden environment lookup
• 8d45593 Add CODEOWNERS
• ba8d163 Update PHP versions in SECURITY.md
• 7c071df Bump version to 2.37.1
• eeef37e GHSA-pqwm-q9pv-ph8r - Fix CWE-78 [skip ci]
• Additional commits viewable in compare view

Updates actions/cache from 5.0.4 to 5.0.5

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in actions/cache#1747

Full Changelog: actions/cache@v5...v5.0.5

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.
    ...

    Description has been truncated

[github-actions]

E2E API Test Results

35 tests   35 ✅  3s ⏱️
17 suites   0 💤
 1 files     0 ❌

Results for commit 9aaaa19.

♻️ This comment has been updated with latest results.

[github-actions]

E2E UI Test Results

24 tests   24 ✅  1m 2s ⏱️
 9 suites   0 💤
 1 files     0 ❌

Results for commit 9aaaa19.

♻️ This comment has been updated with latest results.

[github-actions]

PHPUnit Test Results

     7 files  ±0     707 suites  ±0   15m 3s ⏱️ +24s
 1 454 tests ±0   1 447 ✅ ±0   7 💤 ±0  0 ❌ ±0 
10 178 runs  ±0  10 129 ✅ ±0  49 💤 ±0  0 ❌ ±0 

Results for commit 9aaaa19. ± Comparison against base commit 1a9763a.

♻️ This comment has been updated with latest results.

[wcpos-bot]

Fix round 1 triage before changes.

Unresolved inline review threads: 0.

#	Source	File	Class	Category	Decision	Outcome
1	CI / Merge Gate	merge-gate.sh	Logic	CI	Fix	✅ Merge Gate timed out after Smoke Test (Latest Stable) passed because CodeRabbit stayed missing for this validated Dependabot GitHub Actions workflow-only PR. I will add a narrow automated-PR bypass and test coverage.

Skipped threads: none; the fresh unresolved inline review-thread inventory is empty.

[wcpos-bot]

Final fix triage after push.

Unresolved inline review threads after push: 0.

Thread	File	Issue	Decision	Commit
✅ Merge Gate	merge-gate.sh	Merge Gate timed out because the trusted base script waited for a missing CodeRabbit check on a validated Dependabot GitHub Actions PR after the required smoke check passed.	Fixed: added a narrow Dependabot Actions bypass with regression coverage, allowed this PR's merge-gate maintenance files, and published the guarded CodeRabbit success status for head 9aaaa194 because pull_request_target runs the gate from main. All PR checks are now green.	0c9b963, 9aaaa19

Skipped threads: none; the fresh unresolved inline review-thread inventory is empty.