chore(deps): update ci

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v5.0.0 → v6.0.2
actions/dependency-review-action	action	minor	v4.7.2 → v4.8.2
actions/download-artifact	action	major	v5.0.0 → v7.0.0
actions/setup-node	action	major	v4.4.0 → v6.2.0
actions/upload-artifact	action	major	v4.6.2 → v6.0.0
docker/setup-buildx-action	action	minor	v3.11.1 → v3.12.0
github/codeql-action	action	major	v3.29.11 → v4.32.2
webiny/action-conventional-commits	action	patch	v1.3.0 → v1.3.1

---

Release Notes

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

v6.0.0

Compare Source

v5.0.1

Compare Source

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in #​2301

Full Changelog: actions/checkout@v5...v5.0.1

actions/dependency-review-action (actions/dependency-review-action)

v4.8.2

Compare Source

Minor fixes:

• Fix PURL parsing for scoped packages (#​1008 from @​danielhardej)
• Fix for large summaries (#​1007 from @​gitulisca)
• README includes a working example for allow-dependencies-licenses (#​1009 from @​danielhardej)

v4.8.1: Dependency Review Action v4.8.1

Compare Source

What's Changed

• (bug) Fix spamming link test in deprecation warning (again) by @​ahpook in #​1000
• Bump version for 4.8.1 release by @​ahpook in #​1001

Full Changelog: actions/dependency-review-action@v4...v4.8.1

v4.8.0

Compare Source

What's Changed

• Make Ruby Code Scannable by @​ljones140 in #​978
• Batch some contributions for release by @​brrygrdn in #​986
  • Make license lists collapsable by @​jasperkamerling
  • feat: add large summary handling with artifact upload by @​MattMencel

New Contributors

• @​ljones140 made their first contribution in #​978
• @​jasperkamerling made their first contribution in #​986
• @​MattMencel made their first contribution in #​986

Full Changelog: actions/dependency-review-action@v4...v4.8.0

v4.7.4

Compare Source

v4.7.3: 4.7.3

Compare Source

What's Changed

• Add explicit permissions to workflow files by @​AshelyTC in #​966
• Claire153/fix spamming mentioned issue by @​claire153 in #​974

Full Changelog: actions/dependency-review-action@v4...v4.7.3

actions/download-artifact (actions/download-artifact)

v7.0.0

Compare Source

v7 - What's new

[!IMPORTANT]
actions/download-artifact@​v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in #​440
• Download Artifact Node24 support by @​salmanmkc in #​415
• fix: update @​actions/artifact to fix Node.js 24 punycode deprecation by @​salmanmkc in #​451
• prepare release v7.0.0 for Node.js 24 support by @​salmanmkc in #​452

New Contributors

• @​patrikpolyak made their first contribution in #​440
• @​salmanmkc made their first contribution in #​415

Full Changelog: actions/download-artifact@v6.0.0...v7.0.0

v6.0.0

Compare Source

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README for download-artifact v5 changes by @​yacaovsnc in #​417
• Update README with artifact extraction details by @​yacaovsnc in #​424
• Readme: spell out the first use of GHES by @​danwkennedy in #​431
• Bump @actions/artifact to v4.0.0
• Prepare v6.0.0 by @​danwkennedy in #​438

New Contributors

• @​danwkennedy made their first contribution in #​431

Full Changelog: actions/download-artifact@v5...v6.0.0

actions/setup-node (actions/setup-node)

v6.2.0

Compare Source

v6.1.0

Compare Source

What's Changed

Enhancement:

• Remove always-auth configuration handling by @​priyagupta108 in #​1436

Dependency updates:

• Upgrade @​actions/cache from 4.0.3 to 4.1.0 by @​dependabot[bot] in #​1384
• Upgrade actions/checkout from 5 to 6 by @​dependabot[bot] in #​1439
• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​1435

Documentation update:

• Add example for restore-only cache in documentation by @​aparnajyothi-y in #​1419

Full Changelog: actions/setup-node@v6...v6.1.0

v6.0.0

Compare Source

What's Changed

Breaking Changes

• Limit automatic caching to npm, update workflows and documentation by @​priyagupta108 in #​1374

Dependency Upgrades

• Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @​dependabot[bot] in #​1336
• Upgrade prettier from 2.8.8 to 3.6.2 by @​dependabot[bot] in #​1334
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot[bot] in #​1362

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

Compare Source

What's Changed

Breaking Changes

• Enhance caching in setup-node with automatic package manager detection by @​priya-kinthali in #​1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

• Upgrade action to use node24 by @​salmanmkc in #​1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​octokit/request-error and @​actions/github by @​dependabot[bot] in #​1227
• Upgrade uuid from 9.0.1 to 11.1.0 by @​dependabot[bot] in #​1273
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in #​1295
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in #​1332
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in #​1345

New Contributors

• @​priya-kinthali made their first contribution in #​1348
• @​salmanmkc made their first contribution in #​1325

Full Changelog: actions/setup-node@v4...v5.0.0

actions/upload-artifact (actions/upload-artifact)

v6.0.0

Compare Source

v5.0.0

Compare Source

docker/setup-buildx-action (docker/setup-buildx-action)

v3.12.0

Compare Source

• Deprecate install input by @​crazy-max in #​455
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in #​434
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​436
• Bump form-data from 2.5.1 to 2.5.5 in #​432
• Bump undici from 5.28.4 to 5.29.0 in #​435

Full Changelog: docker/setup-buildx-action@v3.11.1...v3.12.0

github/codeql-action (github/codeql-action)

v4.32.2

Compare Source

v4.32.1

Compare Source

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #​3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #​3421

v4.32.0

Compare Source

• Update default CodeQL bundle version to 2.24.0. #​3425

v4.31.11

Compare Source

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #​3409
• Improved error handling throughout the CodeQL Action. #​3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #​3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #​3403

v4.31.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.10 - 12 Jan 2026

• Update default CodeQL bundle version to 2.23.9. #​3393

See the full CHANGELOG.md for more information.

v4.31.9

Compare Source

v4.31.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.8 - 11 Dec 2025

• Update default CodeQL bundle version to 2.23.8. #​3354

See the full CHANGELOG.md for more information.

v4.31.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.7 - 05 Dec 2025

• Update default CodeQL bundle version to 2.23.7. #​3343

See the full CHANGELOG.md for more information.

v4.31.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.6 - 01 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v4.31.5

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.5 - 24 Nov 2025

• Update default CodeQL bundle version to 2.23.6. #​3321

See the full CHANGELOG.md for more information.

v4.31.4

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.4 - 18 Nov 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v4.31.3

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.3 - 13 Nov 2025

• CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see Upcoming deprecation of CodeQL Action v3.
• Update default CodeQL bundle version to 2.23.5. #​3288

See the full CHANGELOG.md for more information.

v4.31.2

Compare Source

v4.31.1

Compare Source

v4.31.0

Compare Source

v4.30.9

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.30.9 - 17 Oct 2025

• Update default CodeQL bundle version to 2.23.3. #​3205
• Experimental: A new setup-codeql action has been added which is similar to init, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #​3204

See the full CHANGELOG.md for more information.

v4.30.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.30.8 - 10 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v4.30.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.30.7 - 06 Oct 2025

• [v4+ only] The CodeQL Action now runs on Node.js v24. #​3169

See the full CHANGELOG.md for more information.

v3.32.2

Compare Source

• Update default CodeQL bundle version to 2.24.1. #​3460

v3.32.1

Compare Source

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #​3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #​3421

v3.32.0

Compare Source

• Update default CodeQL bundle version to 2.24.0. #​3425

v3.31.11

Compare Source

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #​3409
• Improved error handling throughout the CodeQL Action. #​3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #​3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #​3403

v3.31.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.10 - 12 Jan 2026

• Update default CodeQL bundle version to 2.23.9. #​3393

See the full CHANGELOG.md for more information.

v3.31.9

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.9 - 16 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.31.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.8 - 11 Dec 2025

• Update default CodeQL bundle version to 2.23.8. #​3354

See the full CHANGELOG.md for more information.

v3.31.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.7 - 05 Dec 2025

• Update default CodeQL bundle version to 2.23.7. #​3343

See the full CHANGELOG.md for more information.

v3.31.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.6 - 01 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.31.5

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.5 - 24 Nov 2025

• Update default CodeQL bundle version to 2.23.6. #​3321

See the full CHANGELOG.md for more information.

v3.31.4

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.4 - 18 Nov 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.31.3

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.3 - 13 Nov 2025

• CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see Upcoming deprecation of CodeQL Action v3.
• Update default CodeQL bundle version to 2.23.5. #​3288

See the full CHANGELOG.md for more information.

v3.31.2

Compare Source

v3.31.1

Compare Source

v3.31.0

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.0 - 24 Oct 2025

• Bump minimum CodeQL bundle version to 2.17.6. #​3223
• When SARIF files are uploaded by the analyze or upload-sarif actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the upload-sarif action. For analyze, this may affect Advanced Setup for CodeQL users who specify a value other than always for the upload input. #​3222

See the full CHANGELOG.md for more information.

v3.30.9

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.9 - 17 Oct 2025

• Update default CodeQL bundle version to 2.23.3. #​3205
• Experimental: A new setup-codeql action has been added which is similar to init, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #​3204

See the full CHANGELOG.md for more information.

v3.30.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.8 - 10 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.7 - 06 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.6 - 02 Oct 2025

• Update default CodeQL bundle version to 2.23.2. #​3168

See the full CHANGELOG.md for more information.

v3.30.5

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.5 - 26 Sep 2025

• We fixed a bug that was introduced in 3.30.4 with upload-sarif which resulted in files without a .sarif extension not getting uploaded. #​3160

See the full CHANGELOG.md for more information.

v3.30.4

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.4 - 25 Sep 2025

• We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the codeql-action/init step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the codeql-action/init step. #​3099 and #​3100
• We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. #​3107
• You can now run the latest CodeQL nightly bundle by passing tools: nightly to the init action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. #​3130
• Update default CodeQL bundle version to 2.23.1. #​3118

See the full CHANGELOG.md for more information.

v3.30.3

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.3 - 10 Sep 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.2

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.2 - 09 Sep 2025

• Fixed a bug which could cause language autodetection to fail. #​3084
• Experimental: The quality-queries input that was added in 3.29.2 as part of an internal experiment is now deprecated and will be removed in an upcoming version of the CodeQL Action. It has been superseded by a new analysis-kinds input, which is part of the same internal experiment. Do not use this in production as it is subject to change at any time. #​3064

See the full CHANGELOG.md for more information.

v3.30.1

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.1 - 05 Sep 2025

• Update default CodeQL bundle version to 2.23.0. #​3077

See the full CHANGELOG.md for more information.

v3.30.0

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.0 - 01 Sep 2025

• Reduce the size of the CodeQL Action, speeding up workflows by approximately 4 seconds. #​3054

See the full CHANGELOG.md for more information.

webiny/action-conventional-commits (webiny/action-conventional-commits)

v1.3.1

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Cloudflare Pages deployment

Latest commit	03eb2c1
Status	🔄 Deploying...
Preview URL	Not available
Type	🔀 Preview