chore(ci): bump the actions group with 6 updates

[dependabot]

Bumps the actions group with 6 updates:

Package	From	To
dorny/paths-filter	3.0.2	4.0.1
codecov/codecov-action	4.6.0	6.0.0
denoland/setup-deno	2.0.3	2.0.4
sigstore/cosign-installer	4.1.0	4.1.1
actions/setup-python	5.3.0	6.2.0
rhysd/actionlint	1.7.7	1.7.11

Updates dorny/paths-filter from 3.0.2 to 4.0.1

Release notes

Sourced from dorny/paths-filter's releases.

v4.0.1

What's Changed

• Support merge queue by @​masaru-iritani in dorny/paths-filter#255

New Contributors

• @​masaru-iritani made their first contribution in dorny/paths-filter#255

Full Changelog: dorny/paths-filter@v4.0.0...v4.0.1

v4.0.0

What's Changed

• feat: update action runtime to node24 by @​saschabratton in dorny/paths-filter#294

New Contributors

• @​saschabratton made their first contribution in dorny/paths-filter#294

Full Changelog: dorny/paths-filter@v3.0.3...v4.0.0

v3.0.3

What's Changed

• Add missing predicate-quantifier by @​wardpeet in dorny/paths-filter#279

New Contributors

• @​wardpeet made their first contribution in dorny/paths-filter#279

Full Changelog: dorny/paths-filter@v3...v3.0.3

Changelog

Sourced from dorny/paths-filter's changelog.

Changelog

v4.0.0

• Update action runtime to node24

v3.0.3

• Add missing predicate-quantifier

v3.0.2

• Add config parameter for predicate quantifier

v3.0.1

• Compare base and ref when token is empty

v3.0.0

• Update to Node.js 20
• Update all dependencies

v2.11.1

• Update @​actions/core to v1.10.0 - Fixes warning about deprecated set-output
• Document need for pull-requests: read permission
• Updating to actions/checkout@v3

v2.11.0

• Set list-files input parameter as not required
• Update Node.js
• Fix incorrect handling of Unicode characters in exec()
• Use Octokit pagination
• Updates real world links

v2.10.2

• Fix getLocalRef() returns wrong ref

v2.10.1

• Improve robustness of change detection

v2.10.0

• Add ref input parameter
• Fix change detection in PR when pullRequest.changed_files is incorrect

v2.9.3

• Fix change detection when base is a tag

v2.9.2

• Fix fetching git history

v2.9.1

• Fix fetching git history + fallback to unshallow repo

v2.9.0

... (truncated)

Commits

• fbd0ab8 feat: add merge_group event support
• efb1da7 feat: add dist/ freshness check to PR workflow
• d8f7b06 Merge pull request #302 from dorny/issue-299
• addbc14 Update README for v4
• 9d7afb8 Update CHANGELOG for v4.0.0
• 782470c Merge branch 'releases/v3'
• d1c1ffe Update CHANGELOG for v3.0.3
• ce10459 Merge pull request #294 from saschabratton/master
• 5f40380 feat: update action runtime to node24
• 668c092 Merge pull request #279 from wardpeet/patch-1
• Additional commits viewable in compare view

Updates codecov/codecov-action from 4.6.0 to 6.0.0

Release notes

Sourced from codecov/codecov-action's releases.

v6.0.0

⚠️ This version introduces support for node24 which make cause breaking changes for systems that do not currently support node24. ⚠️

What's Changed

• Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0"" by @​thomasrockhu-codecov in codecov/codecov-action#1929
• Th/6.0.0 by @​thomasrockhu-codecov in codecov/codecov-action#1928

Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0

v5.5.4

This is a mirror of v5.5.2. v6 will be released which requires node24

What's Changed

• Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" by @​thomasrockhu-codecov in codecov/codecov-action#1926
• chore(release): 5.5.4 by @​thomasrockhu-codecov in codecov/codecov-action#1927

Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4

v5.5.3

What's Changed

• build(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @​dependabot[bot] in codecov/codecov-action#1874
• chore(release): bump to 5.5.3 by @​thomasrockhu-codecov in codecov/codecov-action#1922

Full Changelog: codecov/codecov-action@v5.5.2...v5.5.3

v5.5.2

What's Changed

• check gpg only when skip-validation = false by @​maxweng-sentry in codecov/codecov-action#1894
• chore: disable_search alignment by @​freemanzMrojo in codecov/codecov-action#1881
• chore(release): 5.5.2 by @​thomasrockhu-codecov in codecov/codecov-action#1902

New Contributors

• @​maxweng-sentry made their first contribution in codecov/codecov-action#1894
• @​freemanzMrojo made their first contribution in codecov/codecov-action#1881

Full Changelog: codecov/codecov-action@v5.5.1...v5.5.2

v5.5.1

What's Changed

• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in codecov/codecov-action#1833
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​dependabot[bot] in codecov/codecov-action#1861
• Document a codecov-cli version reference example by @​webknjaz in codecov/codecov-action#1774
• docs: fix typo in README by @​datalater in codecov/codecov-action#1866
• fix: update to use local app/ dir by @​thomasrockhu-codecov in codecov/codecov-action#1872
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​dependabot[bot] in codecov/codecov-action#1867
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in codecov/codecov-action#1868
• fix: overwrite pr number on fork by @​thomasrockhu-codecov in codecov/codecov-action#1871

... (truncated)

Changelog

Sourced from codecov/codecov-action's changelog.

v5.5.2

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in codecov/codecov-action#1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in codecov/codecov-action#1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in codecov/codecov-action#1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in codecov/codecov-action#1872
• docs: fix typo in README by @​datalater in codecov/codecov-action#1866
• Document a codecov-cli version reference example by @​webknjaz in codecov/codecov-action#1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in codecov/codecov-action#1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in codecov/codecov-action#1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

What's Changed

• feat: upgrade wrapper to 0.2.4 by @​jviall in codecov/codecov-action#1864
• Pin actions/github-script by Git SHA by @​martincostello in codecov/codecov-action#1859
• fix: check reqs exist by @​joseph-sentry in codecov/codecov-action#1835
• fix: Typo in README by @​spalmurray in codecov/codecov-action#1838
• docs: Refine OIDC docs by @​spalmurray in codecov/codecov-action#1837
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @​app/dependabot in codecov/codecov-action#1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

v5.4.3

What's Changed

• build(deps): bump github/codeql-action from 3.28.13 to 3.28.17 by @​app/dependabot in codecov/codecov-action#1822
• fix: OIDC on forks by @​joseph-sentry in codecov/codecov-action#1823

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3

v5.4.2

... (truncated)

Commits

• 57e3a13 Th/6.0.0 (#1928)
• f67d33d Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0""...
• 75cd116 chore(release): 5.5.4 (#1927)
• 87d39f4 Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" (#1926)
• 1af5884 chore(release): bump to 5.5.3 (#1922)
• c143300 build(deps): bump actions/github-script from 7.0.1 to 8.0.0 (#1874)
• 671740a chore(release): 5.5.2 (#1902)
• 96b38e9 chore: disable_search alignment (#1881)
• 9b6d1f8 check gpg only when skip-validation = false (#1894)
• 5a10915 chore(release): 5.5.1 (#1873)
• Additional commits viewable in compare view

Updates denoland/setup-deno from 2.0.3 to 2.0.4

Commits

• 667a34c 2.0.3
• 3f17b4e feat: upgrade Node.js runtime from node20 to node24 (#123)
• 06fd750 docs: fix identifier for latest stable release (#115)
• 587bed9 docs: condense Deno version information in one section (#100)
• 2af9d57 docs: add lts as possible release-channel output (#99)
• 0c3e771 Update actions/checkout (#106)
• See full diff in compare view

Updates sigstore/cosign-installer from 4.1.0 to 4.1.1

Release notes

Sourced from sigstore/cosign-installer's releases.

v4.1.1

What's Changed

• chore: update default cosign-release to v3.0.5 in sigstore/cosign-installer#223

Full Changelog: sigstore/cosign-installer@v4.1.0...v4.1.1

Commits

• cad07c2 chore: update default cosign-release to v3.0.5 (#223)
• See full diff in compare view

Updates actions/setup-python from 5.3.0 to 6.2.0

Release notes

Sourced from actions/setup-python's releases.

v6.2.0

What's Changed

Dependency Upgrades

• Upgrade dependencies to Node 24 compatible versions by @​salmanmkc in actions/setup-python#1259
• Upgrade urllib3 from 2.5.0 to 2.6.3 in /__tests__/data by @​dependabot in actions/setup-python#1253 and actions/setup-python#1264

Full Changelog: actions/setup-python@v6...v6.2.0

v6.1.0

What's Changed

Enhancements:

• Add support for pip-install input by @​gowridurgad in actions/setup-python#1201
• Add graalpy early-access and windows builds by @​timfel in actions/setup-python#880

Dependency and Documentation updates:

• Enhanced wording and updated example usage for allow-prereleases by @​yarikoptic in actions/setup-python#979
• Upgrade urllib3 from 1.26.19 to 2.5.0 and document breaking changes in v6 by @​dependabot in actions/setup-python#1139
• Upgrade typescript from 5.4.2 to 5.9.3 and Documentation update by @​dependabot in actions/setup-python#1094
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pip-install input by @​dependabot in actions/setup-python#1199
• Upgrade requests from 2.32.2 to 2.32.4 by @​dependabot in actions/setup-python#1130
• Upgrade prettier from 3.5.3 to 3.6.2 by @​dependabot in actions/setup-python#1234
• Upgrade @​types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel by @​dependabot in actions/setup-python#1235

New Contributors

• @​yarikoptic made their first contribution in actions/setup-python#979

Full Changelog: actions/setup-python@v6...v6.1.0

v6.0.0

What's Changed

Breaking Changes

• Upgrade to node 24 by @​salmanmkc in actions/setup-python#1164

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

• Add support for pip-version by @​priyagupta108 in actions/setup-python#1129
• Enhance reading from .python-version by @​krystof-k in actions/setup-python#787
• Add version parsing from Pipfile by @​aradkdj in actions/setup-python#1067

Bug fixes:

• Clarify pythonLocation behaviour for PyPy and GraalPy in environment variables by @​aparnajyothi-y in actions/setup-python#1183
• Change missing cache directory error to warning by @​aparnajyothi-y in actions/setup-python#1182
• Add Architecture-Specific PATH Management for Python with --user Flag on Windows by @​aparnajyothi-y in actions/setup-python#1122
• Include python version in PyPy python-version output by @​cdce8p in actions/setup-python#1110
• Update docs: clarification on pip authentication with setup-python by @​priya-kinthali in actions/setup-python#1156

Dependency updates:

• Upgrade idna from 2.9 to 3.7 in /tests/data by @​dependabot[bot] in actions/setup-python#843
• Upgrade form-data to fix critical vulnerabilities #182 & #183 by @​aparnajyothi-y in actions/setup-python#1163
• Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download by @​aparnajyothi-y in actions/setup-python#1165
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in actions/setup-python#1181
• Upgrade @​actions/tool-cache from 2.0.1 to 2.0.2 by @​dependabot[bot] in actions/setup-python#1095

... (truncated)

Commits

• a309ff8 Bump urllib3 from 2.6.0 to 2.6.3 in /tests/data (#1264)
• bfe8cc5 Upgrade @​actions dependencies to Node 24 compatible versions (#1259)
• 4f41a90 Bump urllib3 from 2.5.0 to 2.6.0 in /tests/data (#1253)
• 83679a8 Bump @​types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel ...
• bfc4944 Bump prettier from 3.5.3 to 3.6.2 (#1234)
• 97aeb3e Bump requests from 2.32.2 to 2.32.4 in /tests/data (#1130)
• 443da59 Bump actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pi...
• cfd55ca graalpy: add graalpy early-access and windows builds (#880)
• bba65e5 Bump typescript from 5.4.2 to 5.9.3 and update docs/advanced-usage.md (#1094)
• 18566f8 Improve wording and "fix example" (remove 3.13) on testing against pre-releas...
• Additional commits viewable in compare view

Updates rhysd/actionlint from 1.7.7 to 1.7.11

Release notes

Sourced from rhysd/actionlint's releases.

v1.7.11

• Support the case() function in ${{ }} expressions which was recently added to GitHub Actions. (#612, #614, thanks @​heppu)

  env:
    # ERROR: case() requires an odd number of arguments
    ENVIRONMENT: |-
      ${{ case(
        github.ref == 'refs/heads/main', 'production',
        github.ref == 'refs/heads/staging', 'staging'
      ) }}

• Support new macos-26-large and windows-2025-vs2026 runner labels. See the GitHub's announce for more details. (#615, thanks @​hugovk and @​muzimuzhi)
• Enable Artifact attestations for the released binaries. From v1.7.11 gh command can verify the integrity of the downloaded binaries as follows. The verification is highly recommended in terms of supply chain security. (#608, thanks @​takaram)

  $ gh release download --repo rhysd/actionlint --pattern '*_darwin_amd64.tar.gz' v1.7.11
  $ gh attestation verify --repo rhysd/actionlint actionlint_1.7.11_darwin_amd64.tar.gz
  Loaded digest sha256:17ffc17fed8f0258ef6ad4aed932d3272464c7ef7d64e1cb0d65aa97c9752107 for file://actionlint_1.7.11_darwin_amd64.tar.gz
  Loaded 1 attestation from GitHub API
  The following policy criteria will be enforced:
  
  Predicate type must match:................ https://slsa.dev/provenance/v1
  Source Repository Owner URI must match:... https://github.com/rhysd
  Source Repository URI must match:......... https://github.com/rhysd/actionlint
  Subject Alternative Name must match regex: (?i)^https://github.com/rhysd/actionlint/
  OIDC Issuer must match:................... https://token.actions.githubusercontent.com
  
  ✓ Verification succeeded!
  The following 1 attestation matched the policy criteria
  
  Attestation #1
  
  Build repo:..... rhysd/actionlint
  Build workflow:. .github/workflows/release.yaml@refs/tags/v1.7.11
  Signer repo:.... rhysd/actionlint
  Signer workflow: .github/workflows/release.yaml@refs/tags/v1.7.11

Report path filters with ./ as error because they never match anything. (#521)

on:
  push:
    paths:
      # ERROR: This never matches anything. `foo/bar.txt` is correct.
      - ./foo/bar.txt

Fix comparing matrix items when an item is a super set of another item. (#523, #613, thanks @​michaelgruenewald)

Fix stack overflow crash by a recursive anchor in matrix items. (#610)

Fix an unassigned variable false positive from shellcheck by disabling SC2153 rule. (#573)

Reduce the number of memory allocations on resolving anchors.

Update the popular actions data set to the latest.

Update Go dependencies to the latest.

... (truncated)

Changelog

Sourced from rhysd/actionlint's changelog.

v1.7.11 - 2026-02-14

• Support the case() function in ${{ }} expressions which was recently added to GitHub Actions. (#612, #614, thanks @​heppu)

  env:
    # ERROR: case() requires an odd number of arguments
    ENVIRONMENT: |-
      ${{ case(
        github.ref == 'refs/heads/main', 'production',
        github.ref == 'refs/heads/staging', 'staging'
      ) }}

• Support new macos-26-large and windows-2025-vs2026 runner labels. See the GitHub's announce for more details. (#615, thanks @​hugovk and @​muzimuzhi)
• Enable Artifact attestations for the released binaries. From v1.7.11 gh command can verify the integrity of the downloaded binaries as follows. The verification is highly recommended in terms of supply chain security. (#608, thanks @​takaram)

  $ gh release download --repo rhysd/actionlint --pattern '*_darwin_amd64.tar.gz' v1.7.11
  $ gh attestation verify --repo rhysd/actionlint actionlint_1.7.11_darwin_amd64.tar.gz
  Loaded digest sha256:17ffc17fed8f0258ef6ad4aed932d3272464c7ef7d64e1cb0d65aa97c9752107 for file://actionlint_1.7.11_darwin_amd64.tar.gz
  Loaded 1 attestation from GitHub API
  The following policy criteria will be enforced:
  
  Predicate type must match:................ https://slsa.dev/provenance/v1
  Source Repository Owner URI must match:... https://github.com/rhysd
  Source Repository URI must match:......... https://github.com/rhysd/actionlint
  Subject Alternative Name must match regex: (?i)^https://github.com/rhysd/actionlint/
  OIDC Issuer must match:................... https://token.actions.githubusercontent.com
  
  ✓ Verification succeeded!
  The following 1 attestation matched the policy criteria
  
  Attestation #1
  
  Build repo:..... rhysd/actionlint
  Build workflow:. .github/workflows/release.yaml@refs/tags/v1.7.11
  Signer repo:.... rhysd/actionlint
  Signer workflow: .github/workflows/release.yaml@refs/tags/v1.7.11

Report path filters with ./ because they never match anything. (#521)

on:
  push:
    paths:
      # ERROR: This never matches anything. `foo/bar.txt` is correct.
      - ./foo/bar.txt

Fix comparing matrix items when an item is a super set of another item. (#523, #613, thanks @​michaelgruenewald)

Fix stack overflow crash by a recursive anchor in matrix items. (#610)

Fix a unassigned variable false positive from shellcheck by disabling SC2153 rule. (#573)

Reduce the number of memory allocations on resolving anchors.

... (truncated)

Commits

• 393031a bump up version to v1.7.11
• 63589e8 add link to the release note of the version in playground heading
• 58a2626 remove legacy Homebrew formula
• d22c104 fix test script for download script to check error case failures
• 50d2134 describe how to download and verify artifact using gh (fix #617)
• 226bb4a update playground npm deps including jsdom v28
• 1e85edb disable SC2153 shellcheck rule to avoid unassigned variable false positive (f...
• 8776d64 Merge pull request #619 from takaram/patch-1
• e3eb8cb reduce memory allocations on resolving anchors
• db08cec Fix variable name in release workflow
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions