Update dependabot/fetch-metadata action to v3

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
dependabot/fetch-metadata	action	major	v2 → v3

---

Release Notes

dependabot/fetch-metadata (dependabot/fetch-metadata)

v3.1.0

Compare Source

What's Changed

• Add permissions to all workflows by @​truggeri in #​687
• build(deps-dev): bump globals from 16.0.0 to 17.4.0 by @​dependabot[bot] in #​690
• build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 by @​dependabot[bot] in #​693
• build(deps-dev): bump @​hono/node-server from 1.19.10 to 1.19.13 by @​dependabot[bot] in #​694
• build(deps-dev): bump hono from 4.12.7 to 4.12.12 by @​dependabot[bot] in #​695
• Dynamically update the tracking tag in action by @​truggeri in #​696
• fix: handle duplicate dependency names in parseMetadataLinks by @​devantler in #​700
• fix: remove $ anchor from updateFragment regex to handle pip directory suffixes by @​devantler in #​698
• Updates to README for permissions clarification by @​truggeri in #​697
• fix: resolve update-type null for Python, Composer, and Terraform PRs by @​vitorsdcs in #​704
• build(deps-dev): bump globals from 17.4.0 to 17.5.0 by @​dependabot[bot] in #​703
• build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1 by @​dependabot[bot] in #​701
• build(deps): bump @​actions/github from 9.0.0 to 9.1.0 in the dependencies group across 1 directory by @​dependabot[bot] in #​702
• build(deps-dev): bump hono from 4.12.12 to 4.12.14 by @​dependabot[bot] in #​705
• v3.1.0 by @​fetch-metadata-action-automation[bot] in #​692

New Contributors

• @​devantler made their first contribution in #​700
• @​vitorsdcs made their first contribution in #​704

Full Changelog: dependabot/fetch-metadata@v3...v3.1.0

v3

Compare Source

v3.0.0

Compare Source

The breaking change is requiring Node.js version v24 as the Actions runtime.

What's Changed

• feat: Parse versions from metadata links by @​ppkarwasz in #​632
• Upgrade actions core and actions github packages by @​truggeri in #​649
• docs: Add notes for using alert-lookup with App Token by @​sue445 in #​656
• feat!: update Node.js version to v24 by @​sturman in #​671
• Switch build tooling from ncc to esbuild by @​truggeri in #​676
• Add --legal-comments=none to esbuild build commands by @​jeffwidman in #​679
• Bump tsconfig target from es2022 to es2024 by @​jeffwidman in #​680
• Remove vestigial outDir from tsconfig.json by @​jeffwidman in #​681
• Switch tsconfig module resolution to bundler by @​jeffwidman in #​682
• Remove skipLibCheck from tsconfig.json by @​jeffwidman in #​683
• Add typecheck step to CI by @​jeffwidman in #​685
• Enable noImplicitAny in tsconfig.json by @​jeffwidman in #​684
• Upgrade @​actions/core to ^3.0.0 by @​truggeri in #​677
• Upgrade @​actions/github to ^9.0.0 and @​octokit/request-error to ^7.1.0 by @​truggeri in #​678
• Bump qs from 6.14.0 to 6.14.1 by @​dependabot[bot] in #​651
• Bump hono from 4.11.1 to 4.11.4 by @​dependabot[bot] in #​652
• Bump hono from 4.11.4 to 4.11.7 by @​dependabot[bot] in #​653
• Bump hono from 4.11.7 to 4.12.0 by @​dependabot[bot] in #​657
• Bump qs from 6.14.1 to 6.14.2 by @​dependabot[bot] in #​655
• Bump @​modelcontextprotocol/sdk from 1.25.1 to 1.26.0 by @​dependabot[bot] in #​654
• Bump @​hono/node-server from 1.19.9 to 1.19.10 by @​dependabot[bot] in #​665
• Bump hono from 4.12.2 to 4.12.5 by @​dependabot[bot] in #​664
• Bump minimatch from 3.1.2 to 3.1.5 by @​dependabot[bot] in #​667
• Bump hono from 4.12.5 to 4.12.7 by @​dependabot[bot] in #​668
• Bump actions/create-github-app-token from 2.2.1 to 3.0.0 by @​dependabot[bot] in #​669
• Bump flatted from 3.3.3 to 3.4.2 by @​dependabot[bot] in #​670
• build(deps-dev): bump picomatch from 2.3.1 to 2.3.2 by @​dependabot[bot] in #​674

New Contributors

• @​ppkarwasz made their first contribution in #​632
• @​truggeri made their first contribution in #​649
• @​sue445 made their first contribution in #​656
• @​sturman made their first contribution in #​671

Full Changelog: dependabot/fetch-metadata@v2...v3.0.0

v2.5.0

Compare Source

What's Changed

• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 by @​dependabot[bot] in #​628
• Bump the dev-dependencies group with 11 updates by @​dependabot[bot] in #​629
• Bump actions/create-github-app-token from 2.0.6 to 2.1.1 by @​dependabot[bot] in #​635
• Bump actions/create-github-app-token from 2.1.1 to 2.1.4 by @​dependabot[bot] in #​638
• Bump actions/checkout from 4 to 5 by @​dependabot[bot] in #​636
• Bump actions/setup-node from 4 to 5 by @​dependabot[bot] in #​637
• Bump actions/setup-node from 5 to 6 by @​dependabot[bot] in #​639
• Bump actions/create-github-app-token from 2.1.4 to 2.2.0 by @​dependabot[bot] in #​643
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​642
• Bump actions/create-github-app-token from 2.2.0 to 2.2.1 by @​dependabot[bot] in #​648
• Bump js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​644
• Bump express from 5.1.0 to 5.2.1 by @​dependabot[bot] in #​645
• Bump @​modelcontextprotocol/sdk from 1.11.2 to 1.24.0 by @​dependabot[bot] in #​647
• v2.5.0 by @​fetch-metadata-action-automation[bot] in #​631

Full Changelog: dependabot/fetch-metadata@v2...v2.5.0

v2.4.0

Compare Source

What's Changed

• Bump actions/create-github-app-token from 1.11.0 to 1.11.3 by @​dependabot in #​598
• Bump @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot in #​578
• Add missing @octokit/request-error to package.json by @​jeffwidman in #​605
• Bump to ESLint 9 by @​jeffwidman in #​606
• Stop using a node16 devcontainer image by @​jeffwidman in #​608
• Make typescript compile to "es2022" by @​jeffwidman in #​609
• Bump the dev-dependencies group across 1 directory with 8 updates by @​dependabot in #​607
• Tidy up examples slightly by @​jeffwidman in #​611
• Fixup some anchor tags that weren't deeplinking by @​jeffwidman in #​614
• Remove unnecessary hardcoding of ref by @​jeffwidman in #​617
• Bump actions/create-github-app-token from 1.11.3 to 2.0.2 by @​dependabot in #​616
• Enable caching of npm install/npm ci for setup-node action by @​jeffwidman in #​618
• Add workflow to publish new version of immutable action on every release by @​jeffwidman in #​623
• Bump actions/create-github-app-token from 2.0.2 to 2.0.6 by @​dependabot in #​621
• v2.4.0 by @​fetch-metadata-action-automation in #​594

Full Changelog: dependabot/fetch-metadata@v2...v2.4.0

v2.3.0

Compare Source

What's Changed

• Bump actions/create-github-app-token from 1.10.2 to 1.10.3 by @​dependabot in #​537
• Update readme to include an if conditional by @​Nishnha in #​548
• Silence audit and funding messages from npm by @​jeffwidman in #​550
• Bump actions/create-github-app-token from 1.10.3 to 1.11.0 by @​dependabot in #​554
• fix readme action example by @​CloudNStoyan in #​563
• Fixed missing outputs in action.yml by @​CatChen in #​564
• Handle branch names containing dependency group by @​CloudNStoyan in #​565
• v2.3.0 by @​fetch-metadata-action-automation in #​543

New Contributors

• @​CloudNStoyan made their first contribution in #​563
• @​CatChen made their first contribution in #​564

Full Changelog: dependabot/fetch-metadata@v2...v2.3.0

v2.2.0

Compare Source

What's Changed

• Bump actions/create-github-app-token from 1.9.0 to 1.10.0 by @​dependabot in #​523
• Bump actions/create-github-app-token from 1.10.0 to 1.10.2 by @​dependabot in #​534
• Bump braces from 3.0.2 to 3.0.3 by @​dependabot in #​532
• v2.2.0 by @​fetch-metadata-action-automation in #​520

Full Changelog: dependabot/fetch-metadata@v2...v2.2.0

v2.1.0

Compare Source

What's Changed

• Relax engine-strict=true by @​jeffwidman in #​510
• Handle branch names containing hyphen separators by @​tspencer244 in #​450
• Switch to monthly release cadence by @​jeffwidman in #​509
• v2.1.0 by @​fetch-metadata-action-automation in #​518

New Contributors

• @​tspencer244 made their first contribution in #​450

Full Changelog: dependabot/fetch-metadata@v2.0.0...v2.1.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cr-gpt]

Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 846b7e7.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/dependbot-fetch-metadata.yml

Package	Version	License	Issue Type
dependabot/fetch-metadata	3.*.*	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
actions/dependabot/fetch-metadata	3.*.*	🟢 7.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9

Scanned Files

• .github/workflows/dependbot-fetch-metadata.yml