Bump the github-actions group across 1 directory with 7 updates

[dependabot]

Bumps the github-actions group with 7 updates in the / directory:

Package	From	To
styfle/cancel-workflow-action	0.13.0	0.13.1
mshick/add-pr-comment	2.8.2	3.9.0
github/codeql-action	4.32.5	4.33.0
step-security/harden-runner	2.15.0	2.16.0
actions/dependency-review-action	4.8.3	4.9.0
actions/create-github-app-token	2	3
dorny/paths-filter	3	4

Updates styfle/cancel-workflow-action from 0.13.0 to 0.13.1

Release notes

Sourced from styfle/cancel-workflow-action's releases.

0.13.1

Patches

• Fix: update Node.js runtime from 20 to 24: #217

Commits

• d07a454 0.13.1
• 2838e03 fix: update Node.js runtime from 20 to 24 (#217)
• See full diff in compare view

Updates mshick/add-pr-comment from 2.8.2 to 3.9.0

Release notes

Sourced from mshick/add-pr-comment's releases.

v3.9.0

3.9.0 (2026-03-14)

Features

• add library exports for programmatic usage (#169) (277cebd)

v3.8.0

3.8.0 (2026-03-14)

Features

• automatic message truncation for oversized comments (#167) (38989f3)

v3.7.0

3.7.0 (2026-03-14)

Features

• add file attachments via artifacts (#165) (678e340)

v3.6.0

3.6.0 (2026-03-13)

Features

• add commit comment support (#163) (5906ed7)

v3.5.0

3.5.0 (2026-03-13)

Features

• add "delete on status" option (#126) (adbd107)

v3.4.0

3.4.0 (2026-03-13)

Features

• enable immutable releases (#158) (e9cf45c)

v3.3.0

3.3.0 (2026-03-13)

... (truncated)

Changelog

Sourced from mshick/add-pr-comment's changelog.

Changelog

3.9.0 (2026-03-14)

Features

• add library exports for programmatic usage (#169) (277cebd)

3.8.0 (2026-03-14)

Features

• automatic message truncation for oversized comments (#167) (38989f3)

3.7.0 (2026-03-14)

Features

• add file attachments via artifacts (#165) (678e340)

3.6.0 (2026-03-13)

Features

• add commit comment support (#163) (5906ed7)

3.5.0 (2026-03-13)

Features

• add "delete on status" option (#126) (adbd107)

3.4.0 (2026-03-13)

Features

• enable immutable releases (#158) (e9cf45c)

3.3.0 (2026-03-13)

Features

• modernize build pipeline and CI (#154) (8ea01c7)

... (truncated)

Commits

• ffd016c chore(main): release 3.9.0 (#170)
• 277cebd feat: add library exports for programmatic usage (#169)
• 20d1219 chore(main): release 3.8.0 (#168)
• 38989f3 feat: automatic message truncation for oversized comments (#167)
• 1b31b5c chore(main): release 3.7.0 (#166)
• 678e340 feat: add file attachments via artifacts (#165)
• 9e287fd chore(main): release 3.6.0 (#164)
• 5906ed7 feat: add commit comment support (#163)
• 7c1a3a3 chore(main): release 3.5.0 (#161)
• d134306 docs: add manan-jadhav-ab as a contributor for code (#162)
• Additional commits viewable in compare view

Updates github/codeql-action from 4.32.5 to 4.33.0

Release notes

Sourced from github/codeql-action's releases.

v4.33.0

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

v4.32.6

• Update default CodeQL bundle version to 2.24.3. #3548

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.33.0 - 16 Mar 2026

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

• Update default CodeQL bundle version to 2.24.3. #3548

4.32.5 - 02 Mar 2026

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
• Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
• The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
• Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516
• Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #3498
• Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #3512
• The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #3503, #3504

4.32.4 - 20 Feb 2026

• Update default CodeQL bundle version to 2.24.2. #3493
• Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when private package registries are configured. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. #3473
• When the CodeQL Action is run with debugging enabled in Default Setup and private package registries are configured, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. #3486
• Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. #3485
• Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a nightly CodeQL CLI release instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. #3484

4.32.3 - 13 Feb 2026

• Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

4.32.2 - 05 Feb 2026

... (truncated)

Commits

• b1bff81 Merge pull request #3574 from github/update-v4.32.7-7dd76e6bf
• e682234 Add changelog entry for #3570
• 95be291 Bump minor version
• 59bcb60 Update changelog for v4.32.7
• 7dd76e6 Merge pull request #3572 from github/mbg/pr-checks/eslint
• e3200e3 Merge pull request #3563 from github/mbg/private-registry/oidc
• 4c356c7 Merge pull request #3570 from github/mbg/repo-props/warn-on-unexpected-props
• b4937c1 Only emit one message with accumulated property names
• 136b8ab Remove cache-dependency-path options as well
• a5aba59 Remove package-lock.json that's no longer needed
• Additional commits viewable in compare view

Updates step-security/harden-runner from 2.15.0 to 2.16.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.16.0

What's Changed

• Updated action.yml to use node24
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

v2.15.1

What's Changed

• Fixes step-security/harden-runner#642 bug due to which post step was failing on Windows ARM runners
• Updates npm packages

Full Changelog: step-security/harden-runner@v2.15.0...v2.15.1

Commits

• fa2e9d6 Release v2.16.0 (#646)
• 58077d3 Release v2.15.1 (#641)
• See full diff in compare view

Updates actions/dependency-review-action from 4.8.3 to 4.9.0

Release notes

Sourced from actions/dependency-review-action's releases.

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

• There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
• Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unneccessary slowness. Great catch @​jantiebot!
• There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces Thanks @​juxtin!

What's Changed

• Compare normalized purls to account for encoding quirks by @​juxtin in actions/dependency-review-action#1056
• Make purl comparisons case insensitive by @​juxtin in actions/dependency-review-action#1057
• Feat: Add Patched Version to Vulnerabilities summary by @​felickz in actions/dependency-review-action#1045
• fix: only get scorecard levels if user wants to see the OpenSSF scorecard by @​jantiebot in actions/dependency-review-action#1060
• Bump actions/stale from 10.1.0 to 10.2.0 by @​dependabot[bot] in actions/dependency-review-action#1058
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in actions/dependency-review-action#1021
• Updates for release 4.9.0 by @​ahpook in actions/dependency-review-action#1064

New Contributors

• @​jantiebot made their first contribution in actions/dependency-review-action#1060

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

Commits

• 2031cfc Merge pull request #1064 from actions/ahpook/release-4.9.0
• d02fa39 Updates for release 4.9.0
• 4038a34 Merge pull request #1021 from actions/dependabot/github_actions/actions/check...
• a632b83 Merge pull request #1058 from actions/dependabot/github_actions/actions/stale...
• 57a3d46 Merge pull request #1060 from jantiebot/main
• 5ecdc4b Merge pull request #1045 from forks-felickz/main
• e8c2f9a fix: remove inferrable type annotation to pass eslint
• 0e129e1 Prettier - Refactor summary table rendering for improved readability
• aa60746 Add 'show-patched-versions' option to configuration and update summary handling
• e404798 Merge upstream actions/dependency-review-action main
• Additional commits viewable in compare view

Updates actions/create-github-app-token from 2 to 3

Release notes

Sourced from actions/create-github-app-token's releases.

v3.0.0

3.0.0 (2026-03-14)

• feat!: node 24 support (#275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#143) (dce0ab0)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
• Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

• deps: bump @​actions/core from 1.11.1 to 3.0.0 (#337) (b044133)
• deps: bump minimatch from 9.0.5 to 9.0.9 (#335) (5cbc656)
• deps: bump the production-dependencies group with 4 updates (#336) (6bda5bc)
• deps: bump undici from 7.16.0 to 7.18.2 (#323) (b4f638f)

v3.0.0-beta.5

3.0.0-beta.5 (2026-03-13)

• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (d53a1cd)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.

v3.0.0-beta.4

3.0.0-beta.4 (2026-03-13)

Bug Fixes

• deps: bump @​octokit/auth-app from 7.2.1 to 8.0.1 (#257) (bef1eaf)
• deps: bump @​octokit/request from 9.2.3 to 10.0.2 (#256) (5d7307b)
• deps: bump glob from 10.4.5 to 10.5.0 (#305) (5480f43)
• deps: bump p-retry from 6.2.1 to 7.1.0 (#294) (dce3be8)

... (truncated)

Commits

• f8d387b build(release): 3.0.0 [skip ci]
• d2129bd style: remove extra blank line in release workflow
• 77b94ef build: refresh generated artifacts
• 3ab4c66 chore: move undici to devDependencies
• 739cf66 docs: update README action versions
• db40289 build(deps): bump actions versions in test.yml
• 496a7ac test: migrate from AVA to Node.js native test runner (#346)
• 3870dc3 Rename end-to-end proxy job in test workflow
• 4451bcb fix!: require NODE_USE_ENV_PROXY for proxy support (#342)
• dce0ab0 fix: remove custom proxy handling (#143)
• Additional commits viewable in compare view

Updates dorny/paths-filter from 3 to 4

Release notes

Sourced from dorny/paths-filter's releases.

v4.0.0

What's Changed

• feat: update action runtime to node24 by @​saschabratton in dorny/paths-filter#294

New Contributors

• @​saschabratton made their first contribution in dorny/paths-filter#294

Full Changelog: dorny/paths-filter@v3.0.3...v4.0.0

v3.0.3

What's Changed

• Add missing predicate-quantifier by @​wardpeet in dorny/paths-filter#279

New Contributors

• @​wardpeet made their first contribution in dorny/paths-filter#279

Full Changelog: dorny/paths-filter@v3...v3.0.3

v3.0.2

What's Changed

• feat: add config parameter for predicate quantifier by @​petermetz in dorny/paths-filter#224

New Contributors

• @​petermetz made their first contribution in dorny/paths-filter#224

Full Changelog: dorny/paths-filter@v3...v3.0.2

v3.0.1

What's Changed

• Compare base and ref when token is empty by @​frouioui in dorny/paths-filter#133

New Contributors

• @​frouioui made their first contribution in dorny/paths-filter#133

Full Changelog: dorny/paths-filter@v3...v3.0.1

Changelog

Sourced from dorny/paths-filter's changelog.

Changelog

v4.0.0

• Update action runtime to node24

v3.0.3

• Add missing predicate-quantifier

v3.0.2

• Add config parameter for predicate quantifier

v3.0.1

• Compare base and ref when token is empty

v3.0.0

• Update to Node.js 20
• Update all dependencies

v2.11.1

• Update @​actions/core to v1.10.0 - Fixes warning about deprecated set-output
• Document need for pull-requests: read permission
• Updating to actions/checkout@v3

v2.11.0

• Set list-files input parameter as not required
• Update Node.js
• Fix incorrect handling of Unicode characters in exec()
• Use Octokit pagination
• Updates real world links

v2.10.2

• Fix getLocalRef() returns wrong ref

v2.10.1

• Improve robustness of change detection

v2.10.0

• Add ref input parameter
• Fix change detection in PR when pullRequest.changed_files is incorrect

v2.9.3

• Fix change detection when base is a tag

v2.9.2

• Fix fetching git history

v2.9.1

• Fix fetching git history + fallback to unshallow repo

v2.9.0

... (truncated)

Commits

• fbd0ab8 feat: add merge_group event support
• efb1da7 feat: add dist/ freshness check to PR workflow
• d8f7b06 Merge pull request #302 from dorny/issue-299
• addbc14 Update README for v4
• 9d7afb8 Update CHANGELOG for v4.0.0
• 782470c Merge branch 'releases/v3'
• d1c1ffe Update CHANGELOG for v3.0.3
• ce10459 Merge pull request #294 from saschabratton/master
• 5f40380 feat: update action runtime to node24
• 668c092 Merge pull request #279 from wardpeet/patch-1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

CDash for AT2 results [Currently only accessible from Sandia networks]

[dependabot]

Looks like these dependencies are no longer updatable, so this is no longer needed.