build(deps): bump the actions group across 1 directory with 4 updates by dependabot[bot] · Pull Request #237 · chainguard-dev/.github

dependabot · 2026-06-03T13:41:50Z

Bumps the actions group with 4 updates in the / directory: step-security/harden-runner, actions/checkout, step-security/action-slack-notify and zizmorcore/zizmor-action.

Updates step-security/harden-runner from 2.19.0 to 2.19.4

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.4

What's Changed

Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

What's Changed

Default to audit mode when api-key missing with use-policy-store by @varunsh-coder in step-security/harden-runner#665

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

What's Changed

Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

fix: detect ubuntu-slim runners early and bail out by @devantler in step-security/harden-runner#657

What the fix changes

Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).

Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

@devantler made their first contribution in step-security/harden-runner#657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

Commits

9af89fc Merge pull request #667 from step-security/update-agent-v1.8.6
485dce8 Update agent to v1.8.6
ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit
ec41b78 Default to audit mode when api-key missing with use-policy-store
9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
1dee3df Update agent to v1.8.5
a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
6e92856 build dist and trim ubuntu-slim message
4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
376d25a fix: detect ubuntu-slim runners early and bail out
See full diff in compare view

Updates actions/checkout from 6.0.2 to 6.0.3

Release notes

Sourced from actions/checkout's releases.

v6.0.3

What's Changed

Update changelog by @ericsciple in actions/checkout#2357

fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in actions/checkout#2414

Fix checkout init for SHA-256 repositories by @yaananth in actions/checkout#2439

Update changelog for v6.0.3 by @yaananth in actions/checkout#2446

New Contributors

@yaananth made their first contribution in actions/checkout#2414

Full Changelog: actions/checkout@v6...v6.0.3

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.3

Fix checkout init for SHA-256 repositories by @yaananth in actions/checkout#2439

fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in actions/checkout#2414

v6.0.2

Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in actions/checkout#2356

v6.0.1

Add worktree support for persist-credentials includeIf by @ericsciple in actions/checkout#2327

v6.0.0

Persist creds to a separate file by @ericsciple in actions/checkout#2286

Update README to include Node.js 24 support details and requirements by @salmanmkc in actions/checkout#2248

v5.0.1

Port v6 cleanup to v5 by @ericsciple in actions/checkout#2301

v5.0.0

Update actions checkout to use node 24 by @salmanmkc in actions/checkout#2226

v4.3.1

Port v6 cleanup to v4 by @ericsciple in actions/checkout#2305

v4.3.0

docs: update README.md by @motss in actions/checkout#1971

Add internal repos for checking out multiple repositories by @mouismail in actions/checkout#1977

Documentation update - add recommended permissions to Readme by @benwells in actions/checkout#2043

Adjust positioning of user email note and permissions heading by @joshmgross in actions/checkout#2044

Update README.md by @nebuk89 in actions/checkout#2194

Update CODEOWNERS for actions by @TingluoHuang in actions/checkout#2224

Update package dependencies by @salmanmkc in actions/checkout#2236

v4.2.2

url-helper.ts now leverages well-known environment variables by @jww3 in actions/checkout#1941

Expand unit test coverage for isGhes by @jww3 in actions/checkout#1946

v4.2.1

Check out other refs/* by commit if provided, fall back to ref by @orhantoy in actions/checkout#1924

v4.2.0

Add Ref and Commit outputs by @lucacome in actions/checkout#1180

Dependency updates by @dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

Bump the minor-npm-dependencies group across 1 directory with 4 updates by @dependabot in actions/checkout#1739

Bump actions/checkout from 3 to 4 by @dependabot in actions/checkout#1697

Check out other refs/* by commit by @orhantoy in actions/checkout#1774

... (truncated)

Commits

df4cb1c Update changelog for v6.0.3 (#2446)
1cce339 Fix checkout init for SHA-256 repositories (#2439)
900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
0c366fd Update changelog (#2357)
See full diff in compare view

Updates step-security/action-slack-notify from 2.3.5 to 2.3.6

Release notes

Sourced from step-security/action-slack-notify's releases.

v2.3.6

What's Changed

ci: Update action.yml by @Raj-StepSecurity in step-security/action-slack-notify#47

ci: Create claude_review.yml by @Raj-StepSecurity in step-security/action-slack-notify#56

ci: Create auto-cherry-pick.yml by @Raj-StepSecurity in step-security/action-slack-notify#57

feat: added banner and update subscription check to make maintained actions free for public repos by @anurag-stepsecurity in step-security/action-slack-notify#55

feat: Update action.yml by @Raj-StepSecurity in step-security/action-slack-notify#58

New Contributors

@anurag-stepsecurity made their first contribution in step-security/action-slack-notify#55

Full Changelog: step-security/action-slack-notify@v2...v2.3.6

Commits

7210d1a Merge pull request #58 from step-security/Raj-StepSecurity-patch-7
558bd1f feat: Update action.yml
3dd7c5e Merge pull request #55 from step-security/feat/update-subscription-check
741dace Merge branch 'main' into feat/update-subscription-check
e5076bf Merge pull request #57 from step-security/Raj-StepSecurity-patch-6
c6622f7 ci: Create auto-cherry-pick.yml
f42596c Merge branch 'main' into feat/update-subscription-check
bc74c37 Merge pull request #56 from step-security/Raj-StepSecurity-patch-5
6a2b885 ci: Create claude_review.yml
3ce54aa feat: added banner and update subscription check to make maintained actions f...
Additional commits viewable in compare view

Updates zizmorcore/zizmor-action from 0.5.3 to 0.5.6

Release notes

Sourced from zizmorcore/zizmor-action's releases.

v0.5.6

1.25.2 is now available via the action

1.25.2 is now the default version of zizmor used by the action

v0.5.5

This is a no-op release.

v0.5.4

1.25.0 is now available via the action

1.25.0 is now the default version of zizmor used by the action

Commits

5f14fd0 Sync zizmor versions (#114)
a16621b Bump pins in README (#112)
1c03e04 chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3 in the github-ac...
b572f7b Sync zizmor versions (#111)
06928c5 chore(deps): bump github/codeql-action in the github-actions group (#109)
5ea8b96 docs: Update link to GitHub docs (#108)
849ac26 chore(deps): bump the github-actions group with 2 updates (#106)
814f977 Bump pins in README (#103)
See full diff in compare view

Bumps the actions group with 4 updates in the / directory: [step-security/harden-runner](https://github.com/step-security/harden-runner), [actions/checkout](https://github.com/actions/checkout), [step-security/action-slack-notify](https://github.com/step-security/action-slack-notify) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action). Updates `step-security/harden-runner` from 2.19.0 to 2.19.4 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@8d3c67d...9af89fc) Updates `actions/checkout` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@de0fac2...df4cb1c) Updates `step-security/action-slack-notify` from 2.3.5 to 2.3.6 - [Release notes](https://github.com/step-security/action-slack-notify/releases) - [Commits](step-security/action-slack-notify@e04c77a...7210d1a) Updates `zizmorcore/zizmor-action` from 0.5.3 to 0.5.6 - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](zizmorcore/zizmor-action@b1d7e1f...5f14fd0) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: step-security/action-slack-notify dependency-version: 2.3.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: step-security/harden-runner dependency-version: 2.19.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 3, 2026

dependabot Bot force-pushed the dependabot/github_actions/actions-34edae4e64 branch from 762be34 to 93a8aa6 Compare June 8, 2026 22:44

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the actions group across 1 directory with 4 updates#237

build(deps): bump the actions group across 1 directory with 4 updates#237
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions-34edae4e64

dependabot Bot commented on behalf of github Jun 3, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Jun 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v2.19.4

What's Changed

v2.19.3

What's Changed

v2.19.2

What's Changed

v2.19.1

What's Changed

New Contributors

v6.0.3

What's Changed

New Contributors

Changelog

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v2.3.6

What's Changed

New Contributors

v0.5.6

v0.5.5

v0.5.4

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Jun 3, 2026 •

edited

Loading