chore(deps): bump the github-actions group across 1 directory with 4 updates

[dependabot]

Bumps the github-actions group with 4 updates in the / directory: actions/checkout, actions/setup-go, actions/cache and codfish/semantic-release-action.

Updates actions/checkout from 6.0.3 to 7.0.0

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

• block checking out fork pr for pull_request_target and workflow_run by @​aiqiaoy in actions/checkout#2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in actions/checkout#2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in actions/checkout#2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in actions/checkout#2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in actions/checkout#2459
• upgrade module to esm and update dependencies by @​aiqiaoy in actions/checkout#2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in actions/checkout#2462
• getting ready for checkout v7 release by @​aiqiaoy in actions/checkout#2464
• update error wording by @​aiqiaoy in actions/checkout#2467

New Contributors

• @​aiqiaoy made their first contribution in actions/checkout#2454

Full Changelog: actions/checkout@v6.0.3...v7.0.0

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in actions/checkout#2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in actions/checkout#2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in actions/checkout#2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in actions/checkout#2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in actions/checkout#2459
• upgrade module to esm and update dependencies by @​aiqiaoy in actions/checkout#2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in actions/checkout#2462

v6.0.3

• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

... (truncated)

Commits

• 9c091bb update error wording (#2467)
• 1044a6d getting ready for checkout v7 release (#2464)
• f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
• d914b26 upgrade module to esm and update dependencies (#2463)
• 537c7ef Bump @​actions/core and @​actions/tool-cache and Remove uuid (#2459)
• 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
• 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
• 0f9f3aa Bump actions/publish-immutable-action (#2458)
• f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)
• See full diff in compare view

Updates actions/setup-go from 6.4.0 to 6.5.0

Release notes

Sourced from actions/setup-go's releases.

v6.5.0

What's Changed

Dependency update

• Upgrade actions dependencies by @​priyagupta108 with @​Copilot in actions/setup-go#744
• Upgrade @​types/node and typescript-eslint dependencies to resolve npm audit findings by @​HarithaVattikuti in actions/setup-go#755
• Upgrade @​actions/cache to 5.1.0, log cache write denied by @​jasongin in actions/setup-go#758
• Upgrade version to 6.5.0 in package.json and package-lock.json by @​HarithaVattikuti in actions/setup-go#762

New Contributors

• @​priyagupta108 with @​Copilot made their first contribution in actions/setup-go#744
• @​jasongin made their first contribution in actions/setup-go#758

Full Changelog: actions/setup-go@v6...v6.5.0

Commits

• 924ae3a chore: bump version to 6.5.0 in package.json and package-lock.json (#762)
• e91cc3b Bump @​actions/cache to 5.1.0, log cache write denied (#758)
• 4a2405e chore: update @​types/node and @​typescript-eslint dependencies to latest versi...
• 78961f6 chore: update @​actions dependencies and refresh license cache (#744)
• See full diff in compare view

Updates actions/cache from 5.0.5 to 6.0.0

Release notes

Sourced from actions/cache's releases.

v6.0.0

What's Changed

• Update packages, migrate to ESM by @​Samirat in actions/cache#1760

Full Changelog: actions/cache@v5...v6.0.0

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE] Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

6.1.0

• Bump @actions/cache to v6.1.0 to pick up actions/toolkit#2435 Handle cache write error due to read-only token
• Switch redundant "Cache save failed" warning to debug log in save-only

6.0.0

• Updated @actions/cache to ^6.0.1, @actions/core to ^3.0.1, @actions/exec to ^3.0.0, @actions/io to ^3.0.2
• Migrated to ESM module system
• Upgraded Jest to v30 and test infrastructure to be ESM compatible

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

... (truncated)

Commits

• 2c8a9bd Merge pull request #1760 from actions/samirat/esm_migration_and_package_update
• e9b91fd Prettier fixes
• e4884b8 Rebuild dist
• 10baf01 Fixed licenses
• e39b386 Fix test mock return order
• b692820 PR feedback
• 6074912 Rebuild dist bundles as ESM to match type:module
• 5a912e8 Fix lint and jest issues
• b9bf592 Update documentation for v6 release
• 80f7777 Update packages, migrate to ESM
• See full diff in compare view

Updates codfish/semantic-release-action from 6abd188d2458e2fd6c99073454f6cc49196362e8 to f6f2622572bfeb3df6e39dd4f1018672aa0e1ef6

Changelog

Sourced from codfish/semantic-release-action's changelog.

v5.0.0 Release Notes Draft

Breaking Changes

Upgraded to semantic-release v25 with breaking changes in the GitHub plugin. Any breaking changes from v25 apply to this GitHub action version except for Node version requirements. Because this is a Docker-based github action, the version of Node.js in use is defined inside of the Docker image, not by the consuming runner or your code.

What Changed

• @​semantic-release/github v12: The GitHub plugin no longer uses the GitHub Search API (/search/issues endpoint). It now uses GraphQL queries exclusively for issue retrieval. This architectural change may affect issue management in edge cases. See GitHub plugin v12 release notes.

• semantic-release v25: Upgraded from v24.2.7 to v25.0.3

  • @​semantic-release/npm upgraded to v13
  • @​semantic-release/commit-analyzer and @​semantic-release/release-notes-generator moved from beta to stable
  • Dependency updates (yargs v18, hosted-git-info v9)
  • See semantic-release v25 release notes

• npm OIDC Trusted Publishing Support: The upgrade to @​semantic-release/npm v13 enables support for npm's new OIDC-based trusted publishing. This allows publishing to npm without long-lived access tokens by using GitHub's OIDC token provider. This is more secure and eliminates the need to store NPM_TOKEN as a repository secret when publishing from GitHub Actions. See npm documentation for configuration details.

• Node.js: Upgraded to v24.13.0 (bundled in Docker, not a breaking change for users)

• @​actions/core: Upgraded to v3.0.0 (internal implementation only)

Migration Steps

1. Test in a separate branch first - the GitHub plugin's architectural change could affect issue management behavior
2. Review semantic-release v25 changes
3. Review @​semantic-release/github v12 changes
4. Update your workflows to use @v5
5. (Optional) Migrate to npm OIDC Trusted Publishing:
   • Configure your package on npmjs.com to enable trusted publishing from GitHub Actions
   • Add id-token: write permission to your workflow job
   • Remove the NPM_TOKEN secret (you won't need it anymore!)
   • See npm's trusted publishing guide

Version History

• v5 uses semantic-release v25 & Node.js v24.13.0
• v4 uses semantic-release v24 & Node.js v22.18.0
• v3 uses semantic-release v22 & Node.js v20.9
• v2 uses semantic-release v20 & Node.js v18.7

Full Changelog

... (truncated)

Commits

• f6f2622 ci: fix release workflow
• dfbc517 fix: address issue (#258)
• 8f9a58f chore(deps): update dependency eslint to v10.0.3 (#236)
• 68a5f64 chore(deps): update dependency vitest to v4.1.0 (#245)
• 57eefa6 chore(deps): update docker/build-push-action action to v7 (#244)
• 2f8b1b8 chore(deps): update docker/setup-buildx-action action to v4 (#243)
• 8e0ca2e Merge pull request #242 from codfish/renovate/docker-setup-qemu-action-4.x
• d5f8214 chore(deps): update docker/setup-qemu-action action to v4
• 1357118 chore(deps): update dependency @​codfish/eslint-config to v13.1.2 (#239)
• 898a913 Merge pull request #241 from codfish/renovate/cosmiconfig-9.x-lockfile
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Benchstat (Other)

Base: 0e3531198b5881d9aa9a7976f131184f38475bcc
Head: 28688cc34cc78418c1b21b6ad0467bda385bffb1

✅ 3 improvement(s)

Benchmark	Base	Head	Change	p-value
ResourceSelectorQueryBuild/tags-4	17.21µ	16.93µ	-1.61%	0.002
ResourceSelectorQueryBuild/name-4	42.91µ	42.55µ	-0.84%	0.041
ResourceSelectorQueryBuild/name_and_type-4	62.79µ	62.31µ	-0.76%	0.004

Full benchstat output

goos: linux
goarch: amd64
pkg: github.com/flanksource/duty/bench
cpu: AMD EPYC 7763 64-Core Processor                
                                                       │ bench-base.txt │           bench-head.txt           │
                                                       │     sec/op     │    sec/op     vs base              │
InsertionForRowsWithAliases/external_users.aliases-4       586.9µ ± 17%   585.9µ ±  6%       ~ (p=0.818 n=6)
InsertionForRowsWithAliases/config_items.external_id-4     1.091m ± 11%   1.096m ± 11%       ~ (p=0.937 n=6)
InsertionOfConfigsWithProperties-4                         3.700m ±  2%   3.702m ±  2%       ~ (p=0.699 n=6)
UpdateOfConfigsWithProperties-4                            7.382m ±  1%   7.348m ±  1%       ~ (p=0.589 n=6)
ResourceSelectorConfigs/name-4                             210.1µ ±  1%   206.4µ ±  3%       ~ (p=0.180 n=6)
ResourceSelectorConfigs/name_and_type-4                    226.4µ ±  4%   221.0µ ±  4%       ~ (p=0.093 n=6)
ResourceSelectorConfigs/tags-4                             28.67m ±  8%   28.55m ±  3%       ~ (p=0.937 n=6)
ResourceSelectorQueryBuild/name-4                          42.91µ ±  1%   42.55µ ±  1%  -0.84% (p=0.041 n=6)
ResourceSelectorQueryBuild/name_and_type-4                 62.79µ ±  1%   62.31µ ±  1%  -0.76% (p=0.004 n=6)
ResourceSelectorQueryBuild/tags-4                          17.21µ ±  1%   16.93µ ±  1%  -1.61% (p=0.002 n=6)
geomean                                                    506.2µ         502.2µ        -0.79%

[github-actions]

Benchstat (RLS)

Base: 0e3531198b5881d9aa9a7976f131184f38475bcc
Head: 28688cc34cc78418c1b21b6ad0467bda385bffb1

📊 3 minor regression(s) (all within 5% threshold)

Benchmark	Base	Head	Change	p-value
RLS/Sample-15000/config_summary/Without_RLS-4	96.45m	99.00m	+2.64%	0.002
RLS/Sample-15000/config_types/Without_RLS-4	4.715m	4.786m	+1.50%	0.002
RLS/Sample-15000/config_classes/Without_RLS-4	4.112m	4.132m	+0.47%	0.015

✅ 9 improvement(s)

Benchmark	Base	Head	Change	p-value
RLS/Sample-15000/config_changes/With_RLS-4	144.8m	141.0m	-2.62%	0.002
RLS/Sample-15000/change_types/With_RLS-4	5.388m	5.268m	-2.22%	0.041
RLS/Sample-15000/analyzer_types/Without_RLS-4	3.832m	3.748m	-2.20%	0.002
RLS/Sample-15000/config_types/With_RLS-4	140.5m	137.7m	-1.96%	0.002
RLS/Sample-15000/config_detail/Without_RLS-4	4.834m	4.750m	-1.72%	0.002
RLS/Sample-15000/configs/With_RLS-4	140.5m	138.7m	-1.33%	0.002
RLS/Sample-15000/analysis_types/With_RLS-4	3.968m	3.924m	-1.10%	0.041
RLS/Sample-15000/config_names/With_RLS-4	140.7m	139.7m	-0.75%	0.041
RLS/Sample-15000/catalog_changes/With_RLS-4	145.1m	144.1m	-0.65%	0.009

Full benchstat output

goos: linux
goarch: amd64
pkg: github.com/flanksource/duty/bench
cpu: AMD EPYC 7763 64-Core Processor                
                                               │ bench-base.txt │          bench-head.txt           │
                                               │     sec/op     │   sec/op     vs base              │
RLS/Sample-15000/catalog_changes/Without_RLS-4      5.334m ± 1%   5.330m ± 0%       ~ (p=1.000 n=6)
RLS/Sample-15000/catalog_changes/With_RLS-4         145.1m ± 0%   144.1m ± 0%  -0.65% (p=0.009 n=6)
RLS/Sample-15000/config_changes/Without_RLS-4       5.256m ± 2%   5.299m ± 2%       ~ (p=0.180 n=6)
RLS/Sample-15000/config_changes/With_RLS-4          144.8m ± 1%   141.0m ± 1%  -2.62% (p=0.002 n=6)
RLS/Sample-15000/config_detail/Without_RLS-4        4.834m ± 3%   4.750m ± 0%  -1.72% (p=0.002 n=6)
RLS/Sample-15000/config_detail/With_RLS-4           138.4m ± 0%   138.2m ± 1%       ~ (p=0.589 n=6)
RLS/Sample-15000/config_names/Without_RLS-4         13.40m ± 3%   13.56m ± 1%       ~ (p=0.065 n=6)
RLS/Sample-15000/config_names/With_RLS-4            140.7m ± 1%   139.7m ± 1%  -0.75% (p=0.041 n=6)
RLS/Sample-15000/config_summary/Without_RLS-4       96.45m ± 0%   99.00m ± 1%  +2.64% (p=0.002 n=6)
RLS/Sample-15000/config_summary/With_RLS-4          714.0m ± 1%   710.2m ± 1%       ~ (p=0.093 n=6)
RLS/Sample-15000/configs/Without_RLS-4              7.979m ± 2%   8.006m ± 1%       ~ (p=0.937 n=6)
RLS/Sample-15000/configs/With_RLS-4                 140.5m ± 0%   138.7m ± 1%  -1.33% (p=0.002 n=6)
RLS/Sample-15000/analysis_types/Without_RLS-4       3.924m ± 1%   3.926m ± 5%       ~ (p=1.000 n=6)
RLS/Sample-15000/analysis_types/With_RLS-4          3.968m ± 4%   3.924m ± 2%  -1.10% (p=0.041 n=6)
RLS/Sample-15000/analyzer_types/Without_RLS-4       3.832m ± 1%   3.748m ± 1%  -2.20% (p=0.002 n=6)
RLS/Sample-15000/analyzer_types/With_RLS-4          3.771m ± 1%   3.764m ± 0%       ~ (p=0.699 n=6)
RLS/Sample-15000/change_types/Without_RLS-4         5.285m ± 1%   5.290m ± 1%       ~ (p=0.485 n=6)
RLS/Sample-15000/change_types/With_RLS-4            5.388m ± 2%   5.268m ± 3%  -2.22% (p=0.041 n=6)
RLS/Sample-15000/config_classes/Without_RLS-4       4.112m ± 0%   4.132m ± 0%  +0.47% (p=0.015 n=6)
RLS/Sample-15000/config_classes/With_RLS-4          138.3m ± 1%   139.2m ± 1%       ~ (p=0.093 n=6)
RLS/Sample-15000/config_types/Without_RLS-4         4.715m ± 1%   4.786m ± 2%  +1.50% (p=0.002 n=6)
RLS/Sample-15000/config_types/With_RLS-4            140.5m ± 1%   137.7m ± 0%  -1.96% (p=0.002 n=6)
geomean                                             21.12m        21.04m       -0.36%

[github-actions]

Gavel results

Gavel exited with code .

View full results