Bump the actions group across 1 directory with 7 updates

[dependabot]

Bumps the actions group with 7 updates in the / directory:

Package	From	To
github/codeql-action	4.35.2	4.36.0
eps1lon/actions-label-merge-conflict	3.0.3	3.1.0
actions/labeler	6.0.1	6.1.0
j178/prek-action	2.0.2	2.0.4
plbstl/first-contribution	4.3.0	4.3.1
actions/stale	10.2.0	10.3.0
codecov/codecov-action	6.0.0	6.0.1

Updates github/codeql-action from 4.35.2 to 4.36.0

Release notes

Sourced from github/codeql-action's releases.

v4.36.0

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
• Add support for SHA-256 Git object IDs. #3893
• Update default CodeQL bundle version to 2.25.5. #3926

v4.35.5

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

v4.35.4

• Update default CodeQL bundle version to 2.25.4. #3881

v4.35.3

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.36.0 - 22 May 2026

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
• Add support for SHA-256 Git object IDs. #3893
• Update default CodeQL bundle version to 2.25.5. #3926

4.35.5 - 15 May 2026

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

• Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

... (truncated)

Commits

• 7211b7c Merge pull request #3927 from github/update-v4.36.0-ebc2d9e2b
• 7740f2f Update changelog for v4.36.0
• ebc2d9e Merge pull request #3926 from github/update-bundle/codeql-bundle-v2.25.5
• d1f74b7 Add changelog note
• 2dc40ce Update default bundle to codeql-bundle-v2.25.5
• 8449852 Merge pull request #3910 from github/henrymercer/repo-size-diff-check
• 72ac23c Update excluded required check list
• c5297a2 Merge pull request #3919 from github/henrymercer/workflow-concurrency
• 8ffeae7 CI: Automatically cancel non-generated workflows
• f3f52bf Revert getErrorMessage import
• Additional commits viewable in compare view

Updates eps1lon/actions-label-merge-conflict from 3.0.3 to 3.1.0

Release notes

Sourced from eps1lon/actions-label-merge-conflict's releases.

v3.1.0

What's Changed

• Add better permissions defaults for the example by @​oliviertassinari in eps1lon/actions-label-merge-conflict#151
• Update Node.js to 24 by @​oliviertassinari in eps1lon/actions-label-merge-conflict#152
• release: 3.1.0 by @​eps1lon in eps1lon/actions-label-merge-conflict#153

New Contributors

• @​oliviertassinari made their first contribution in eps1lon/actions-label-merge-conflict#151

Full Changelog: eps1lon/actions-label-merge-conflict@v3.0.3...v3.1.0

Changelog

Sourced from eps1lon/actions-label-merge-conflict's changelog.

Changelog

3.1.0

• Update Node.js to 24 (#152)

3.0.3

• Ensure outputs is populated (#136)

3.0.2

• Handle error when label is not available (part 2) (#126)

3.0.1

• Handle error when label is not available (#123)

3.0.0

• Update to node20 (#115)

2.1.0

• Address set-output deprecation (#92 by @​NotMyFault)
• Fix CVE-2022-35954 (#92 by @​NotMyFault)

2.0.1

• Improve retry logic (#31 by @​eps1lon)

2.0.0

• Only update PRs based off of the branch in the push event Previously we checked every open PR. Since a push to a branch can only create merge conflicts with that branch we can limit the set of checked PRs. This should help repositories with lots of PRs targetting different branches with rate limiting.
• Only leave comments if the dirtyLabel was added or removed

1.4.0

• Allow warning only if secrets aren't available (#22 by @​baywet)
• Remove requirement for removeOnDirtyLabel (#21 by @​baywet)

1.3.0

• set PRs and their dirty state as output (#17 by @​baywet)

Commits

• 0273be7 release: 3.1.0 (#153)
• 9d4606b Update Node.js to 24 (#152)
• 62d0db0 docs: Add better permissions defaults for the example (#151)
• See full diff in compare view

Updates actions/labeler from 6.0.1 to 6.1.0

Release notes

Sourced from actions/labeler's releases.

v6.1.0

Enhancements

• Add changed-files-labels-limit and max-files-changed configuration options to cap the number of labels added by @​bluca in actions/labeler#923

Bug Fixes

• Improve Labeler Action documentation and permission error handling by @​chiranjib-swain in actions/labeler#897
• Preserve manually added labels during workflow runs and refine label synchronization logic by @​chiranjib-swain in actions/labeler#917

Dependency Updates

• Upgrade brace-expansion from 1.1.11 to 1.1.12 and document breaking changes in v6 by @​dependabot in actions/labeler#877
• Upgrade minimatch from 10.0.1 to 10.2.3 by @​dependabot in actions/labeler#926
• Upgrade dependencies (@​actions/core, @​actions/github, js-yaml, minimatch, @​typescript-eslint) by @​Copilot in actions/labeler#934

New Contributors

• @​chiranjib-swain made their first contribution in actions/labeler#897
• @​bluca made their first contribution in actions/labeler#923
• @​Copilot made their first contribution in actions/labeler#934

Full Changelog: actions/labeler@v6...v6.1.0

Commits

• f27b608 chore: upgrade dependencies (@​actions/core, @​actions/github, js-yaml, minimat...
• c5dadc2 Add 'changed-files-labels-limit' and 'max-files-changed' configs to allow cap...
• e52e4fb Bump minimatch from 10.0.1 to 10.2.3 (#926)
• 77a4082 Fix: Preserve manually added labels during workflow run and refine label sync...
• 25abb3c Improve Labeler Action Documentation and Error Handling for Permissions (#897)
• 395c8cf Bump brace-expansion from 1.1.11 to 1.1.12 and document breaking changes in v...
• See full diff in compare view

Updates j178/prek-action from 2.0.2 to 2.0.4

Release notes

Sourced from j178/prek-action's releases.

v2.0.4

What's Changed

• Update known versions for prek 0.3.12 by @​j178 in j178/prek-action#131
• Update known versions for prek 0.3.13 by @​j178 in j178/prek-action#132
• Update known versions for prek 0.4.0 by @​j178 in j178/prek-action#133

Full Changelog: j178/prek-action@v2...v2.0.4

v2.0.3

What's Changed

• Use single action entrypoint by @​j178 in j178/prek-action#128
• Update known versions for prek 0.3.10 by @​j178 in j178/prek-action#123
• Update known versions for prek 0.3.11 by @​j178 in j178/prek-action#124

Full Changelog: j178/prek-action@v2...v2.0.3

Commits

• bdca6f1 Update actions/setup-node action to v6.4.0 (#137)
• 3230ac7 Update dependency vitest to v4.1.5 (#134)
• 9a332a1 Update pre-commit hook biomejs/pre-commit to v2.4.13 (#136)
• 8b56901 Update known versions for prek 0.4.0 (#133)
• 4a83041 Update known versions for prek 0.3.13 (#132)
• fe60983 Update known versions for prek 0.3.12 (#131)
• 6f2f302 Update pre-commit hook biomejs/pre-commit to v2.4.12 (#130)
• 6ad8027 Use single action entrypoint (#128)
• f8c977a Update dependency typescript to v6 (#122)
• 7c137cf Update npm dev dependencies (#125)
• Additional commits viewable in compare view

Updates plbstl/first-contribution from 4.3.0 to 4.3.1

Release notes

Sourced from plbstl/first-contribution's releases.

v4.3.1

What's Changed

• fix: actually use the skip-internal-contributors action input by @​plbstl in plbstl/first-contribution#107
• chore(deps): bump pnpm/action-setup from 4.2.0 to 5.0.0 by @​dependabot[bot] in plbstl/first-contribution#95
• migrate to pnpm v11 in 88fec1a73f171bc229198fd070eca4541a680e10
• update deps in 8ca3e8a4d8d858222066e59521e0387d86faa100

Full Changelog: plbstl/first-contribution@v4.3.0...v4.3.1

Commits

• 5e84b16 update package.json version from 4.3.0 to 4.3.1
• 975c446 regenerate dist
• 8ca3e8a update deps to latest
• 88fec1a upgrade pnpm to version 11
• 4e0330c fix: actually use the skip-internal-contributors action input
• 096dcea chore(deps): bump pnpm/action-setup from 4.2.0 to 5.0.0
• 5de46ca improve docs for skipping internal contributors
• 2a6c3dc set sha and version in README
• 1ecc17a update version in README examples to 4.3.0
• See full diff in compare view

Updates actions/stale from 10.2.0 to 10.3.0

Release notes

Sourced from actions/stale's releases.

v10.3.0

What's Changed

Bug Fix

• Enhancement: ignore stale labeling events by @​shamoon in actions/stale#1311

Dependency Updates

• Upgrade dependencies (@​actions/core, @​octokit/plugin-retry, @​typescript-eslint) by @​Copilot in actions/stale#1335

New Contributors

• @​shamoon made their first contribution in actions/stale#1311

Full Changelog: actions/stale@v10...v10.3.0

Commits

• eb5cf3a chore: upgrade dependencies and bump version to 10.3.0 (#1335)
• db5d06a Enhancement: ignore stale labeling events (#1311)
• See full diff in compare view

Updates codecov/codecov-action from 6.0.0 to 6.0.1

Release notes

Sourced from codecov/codecov-action's releases.

v6.0.1

What's Changed

• fix: prevent template injection in run: steps (VULN-1652) by @​thomasrockhu-codecov in codecov/codecov-action#1947
• chore(release): 6.0.1 by @​thomasrockhu-codecov in codecov/codecov-action#1949

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

Changelog

Sourced from codecov/codecov-action's changelog.

v5.5.2

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in codecov/codecov-action#1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in codecov/codecov-action#1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in codecov/codecov-action#1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in codecov/codecov-action#1872
• docs: fix typo in README by @​datalater in codecov/codecov-action#1866
• Document a codecov-cli version reference example by @​webknjaz in codecov/codecov-action#1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in codecov/codecov-action#1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in codecov/codecov-action#1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

What's Changed

• feat: upgrade wrapper to 0.2.4 by @​jviall in codecov/codecov-action#1864
• Pin actions/github-script by Git SHA by @​martincostello in codecov/codecov-action#1859
• fix: check reqs exist by @​joseph-sentry in codecov/codecov-action#1835
• fix: Typo in README by @​spalmurray in codecov/codecov-action#1838
• docs: Refine OIDC docs by @​spalmurray in codecov/codecov-action#1837
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @​app/dependabot in codecov/codecov-action#1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

v5.4.3

What's Changed

• build(deps): bump github/codeql-action from 3.28.13 to 3.28.17 by @​app/dependabot in codecov/codecov-action#1822
• fix: OIDC on forks by @​joseph-sentry in codecov/codecov-action#1823

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3

v5.4.2

... (truncated)

Commits

• e79a696 chore(release): 6.0.1 (#1949)
• 51e6422 fix: prevent template injection in run: steps (VULN-1652) (#1947)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions