fix(deps): update github-actions

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending
actions/checkout	action	patch	v6.0.0 → v6.0.2
actions/dependency-review-action	action	patch	v4.8.1 → v4.8.2	v4.8.3
actions/setup-node	action	minor	v6.0.0 → v6.2.0
github/codeql-action	action	minor	v4.31.2 → v4.32.3	v4.32.4
lewagon/wait-on-check-action	action	minor	v1.4.1 → v1.5.0
node	uses-with	minor	20.19.5 → 20.20.0
nrwl/nx-set-shas (changelog)	action	digest	826660b → 3e9ad73
step-security/harden-runner	action	minor	v2.13.2 → v2.14.2
tj-actions/changed-files	action	patch	v47.0.0 → v47.0.4

---

Release Notes

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

actions/dependency-review-action (actions/dependency-review-action)

v4.8.2

Compare Source

Minor fixes:

• Fix PURL parsing for scoped packages (#​1008 from @​danielhardej)
• Fix for large summaries (#​1007 from @​gitulisca)
• README includes a working example for allow-dependencies-licenses (#​1009 from @​danielhardej)

actions/setup-node (actions/setup-node)

v6.2.0

Compare Source

v6.1.0

Compare Source

What's Changed

Enhancement:

• Remove always-auth configuration handling by @​priyagupta108 in #​1436

Dependency updates:

• Upgrade @​actions/cache from 4.0.3 to 4.1.0 by @​dependabot[bot] in #​1384
• Upgrade actions/checkout from 5 to 6 by @​dependabot[bot] in #​1439
• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​1435

Documentation update:

• Add example for restore-only cache in documentation by @​aparnajyothi-y in #​1419

Full Changelog: actions/setup-node@v6...v6.1.0

github/codeql-action (github/codeql-action)

v4.32.3

Compare Source

• Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #​3466

v4.32.2

Compare Source

v4.32.1

Compare Source

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #​3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #​3421

v4.32.0

Compare Source

• Update default CodeQL bundle version to 2.24.0. #​3425

v4.31.11

Compare Source

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #​3409
• Improved error handling throughout the CodeQL Action. #​3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #​3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #​3403

v4.31.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.10 - 12 Jan 2026

• Update default CodeQL bundle version to 2.23.9. #​3393

See the full CHANGELOG.md for more information.

v4.31.9

Compare Source

v4.31.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.8 - 11 Dec 2025

• Update default CodeQL bundle version to 2.23.8. #​3354

See the full CHANGELOG.md for more information.

v4.31.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.7 - 05 Dec 2025

• Update default CodeQL bundle version to 2.23.7. #​3343

See the full CHANGELOG.md for more information.

v4.31.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.6 - 01 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v4.31.5

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.5 - 24 Nov 2025

• Update default CodeQL bundle version to 2.23.6. #​3321

See the full CHANGELOG.md for more information.

v4.31.4

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.4 - 18 Nov 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v4.31.3

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.3 - 13 Nov 2025

• CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see Upcoming deprecation of CodeQL Action v3.
• Update default CodeQL bundle version to 2.23.5. #​3288

See the full CHANGELOG.md for more information.

lewagon/wait-on-check-action (lewagon/wait-on-check-action)

v1.5.0

Compare Source

Added

• Add fail-on-no-checks option

Fixed

• Bump rexml to 3.4.2

actions/node-versions (node)

v20.20.0: 20.20.0

Compare Source

Node.js 20.20.0

v20.19.6: 20.19.6

Compare Source

Node.js 20.19.6

step-security/harden-runner (step-security/harden-runner)

v2.14.2

Compare Source

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

v2.14.1

Compare Source

What's Changed

1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

v2.14.0

Compare Source

What's Changed

• Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
• Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.

Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0

v2.13.3

Compare Source

What's Changed

• Fixed an issue where process events were not uploaded in certain edge cases.

Full Changelog: step-security/harden-runner@v2.13.2...v2.13.3

tj-actions/changed-files (tj-actions/changed-files)

v47.0.4

Compare Source

What's Changed

• update: release-tagger action to version 6.0.6 by @​jackton1 in #​2801

Full Changelog: tj-actions/changed-files@v47.0.3...v47.0.4

v47.0.3

Compare Source

What's Changed

• chore(deps): bump github/codeql-action from 4.31.10 to 4.32.2 by @​dependabot[bot] in #​2790
• update: release-tagger action to version 6.0.0 by @​jackton1 in #​2800

Full Changelog: tj-actions/changed-files@v47.0.2...v47.0.3

v47.0.2

Compare Source

What's Changed

• chore(deps-dev): bump eslint-plugin-jest from 29.2.1 to 29.11.0 by @​dependabot[bot] in #​2751
• chore(deps): bump actions/upload-artifact from 5.0.0 to 6.0.0 by @​dependabot[bot] in #​2741
• chore(deps): bump actions/download-artifact from 6.0.0 to 7.0.0 by @​dependabot[bot] in #​2743
• chore(deps): bump @​actions/core from 2.0.0 to 2.0.2 by @​dependabot[bot] in #​2757
• Updated README.md by @​github-actions[bot] in #​2768
• chore: update dist by @​jackton1 in #​2769
• chore: update matrix-example.yml by @​jackton1 in #​2752
• feat: add support for excluding symlinks and fix bug with commit not found by @​jackton1 in #​2770
• chore(deps): bump github/codeql-action from 4.31.7 to 4.31.10 by @​dependabot[bot] in #​2761
• Updated README.md by @​github-actions[bot] in #​2771
• chore(deps-dev): bump eslint-plugin-jest from 29.11.0 to 29.12.1 by @​dependabot[bot] in #​2756
• chore(deps-dev): bump @​types/lodash from 4.17.21 to 4.17.23 by @​dependabot[bot] in #​2759
• fix: Update test.yml by @​jackton1 in #​2781
• chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @​dependabot[bot] in #​2777
• chore(deps): bump @​stdlib/utils-convert-path from 0.2.2 to 0.2.3 by @​dependabot[bot] in #​2795
• chore(deps-dev): bump @​types/node from 25.0.0 to 25.2.2 by @​dependabot[bot] in #​2793
• chore(deps): bump actions/setup-node from 6.1.0 to 6.2.0 by @​dependabot[bot] in #​2766

Full Changelog: tj-actions/changed-files@v47.0.1...v47.0.2

v47.0.1

Compare Source

What's Changed

• Upgraded to v47 by @​github-actions[bot] in #​2663
• chore(deps-dev): bump @​types/node from 24.3.1 to 24.4.0 by @​dependabot[bot] in #​2664
• chore(deps-dev): bump ts-jest from 29.4.1 to 29.4.3 by @​dependabot[bot] in #​2671
• chore(deps-dev): bump @​vercel/ncc from 0.38.3 to 0.38.4 by @​dependabot[bot] in #​2670
• chore(deps-dev): bump @​types/uuid from 10.0.0 to 11.0.0 by @​dependabot[bot] in #​2668
• chore(deps-dev): bump @​types/node from 24.4.0 to 24.5.2 by @​dependabot[bot] in #​2669
• chore(deps): bump github/codeql-action from 3.30.3 to 3.30.4 by @​dependabot[bot] in #​2675
• chore(deps-dev): bump ts-jest from 29.4.3 to 29.4.4 by @​dependabot[bot] in #​2672
• chore(deps): bump github/codeql-action from 3.30.4 to 3.30.5 by @​dependabot[bot] in #​2676
• chore(deps-dev): bump jest from 30.1.3 to 30.2.0 by @​dependabot[bot] in #​2677
• chore(deps-dev): bump @​types/node from 24.5.2 to 24.6.1 by @​dependabot[bot] in #​2679
• chore(deps-dev): bump @​types/node from 24.6.1 to 24.6.2 by @​dependabot[bot] in #​2681
• chore(deps): bump github/codeql-action from 3.30.5 to 3.30.6 by @​dependabot[bot] in #​2680
• chore(deps-dev): bump @​types/node from 24.6.2 to 24.9.1 by @​dependabot[bot] in #​2695
• chore(deps): bump github/codeql-action from 3.30.6 to 4.30.9 by @​dependabot[bot] in #​2693
• chore(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @​dependabot[bot] in #​2690
• chore(deps): bump github/codeql-action from 4.30.9 to 4.31.2 by @​dependabot[bot] in #​2702
• chore(deps-dev): bump @​types/node from 24.9.1 to 24.9.2 by @​dependabot[bot] in #​2700
• chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @​dependabot[bot] in #​2698
• chore(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 by @​dependabot[bot] in #​2697
• chore(deps-dev): bump @​types/micromatch from 4.0.9 to 4.0.10 by @​dependabot[bot] in #​2699
• chore(deps-dev): bump ts-jest from 29.4.4 to 29.4.5 by @​dependabot[bot] in #​2688
• chore(deps-dev): bump @​types/node from 24.9.2 to 24.10.0 by @​dependabot[bot] in #​2707
• chore(deps): bump @​octokit/rest from 22.0.0 to 22.0.1 by @​dependabot[bot] in #​2705
• chore(deps-dev): bump eslint-plugin-jest from 29.0.1 to 29.1.0 by @​dependabot[bot] in #​2710
• chore(deps-dev): bump @​types/node from 24.10.0 to 24.10.1 by @​dependabot[bot] in #​2711
• chore(deps): bump github/codeql-action from 4.31.2 to 4.31.4 by @​dependabot[bot] in #​2715
• chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 by @​dependabot[bot] in #​2714
• chore(deps): bump nrwl/nx-set-shas from 4.3.3 to 4.4.0 by @​dependabot[bot] in #​2712
• chore(deps-dev): bump prettier from 3.6.2 to 3.7.1 by @​dependabot[bot] in #​2722
• chore(deps): bump github/codeql-action from 4.31.4 to 4.31.5 by @​dependabot[bot] in #​2720
• chore(deps-dev): bump eslint-plugin-jest from 29.1.0 to 29.2.1 by @​dependabot[bot] in #​2719
• chore(deps-dev): bump @​types/lodash from 4.17.20 to 4.17.21 by @​dependabot[bot] in #​2718
• chore(deps): bump peter-evans/create-pull-request from 7.0.8 to 7.0.9 by @​dependabot[bot] in #​2717
• Updated README.md by @​github-actions[bot] in #​2723
• chore(deps): bump yaml from 2.8.1 to 2.8.2 by @​dependabot[bot] in #​2724
• chore(deps-dev): bump @​types/node from 24.10.1 to 25.0.0 by @​dependabot[bot] in #​2738
• chore(deps): bump @​actions/exec from 1.1.1 to 2.0.0 by @​dependabot[bot] in #​2737
• chore(deps-dev): bump ts-jest from 29.4.5 to 29.4.6 by @​dependabot[bot] in #​2727
• chore(deps): bump peter-evans/create-pull-request from 7.0.9 to 8.0.0 by @​dependabot[bot] in #​2735
• chore(deps): bump github/codeql-action from 4.31.5 to 4.31.7 by @​dependabot[bot] in #​2732
• chore(deps): bump actions/setup-node from 6.0.0 to 6.1.0 by @​dependabot[bot] in #​2730
• chore(deps-dev): bump prettier from 3.7.1 to 3.7.4 by @​dependabot[bot] in #​2731
• chore(deps): bump @​actions/core from 1.11.1 to 2.0.0 by @​dependabot[bot] in #​2736
• chore(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @​dependabot[bot] in #​2729

Full Changelog: tj-actions/changed-files@v47...v47.0.1

---

Configuration

📅 Schedule: Branch creation - "after 10:00 before 19:00 every weekday except after 13:00 before 14:00" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Thank you for following the naming conventions! 🙏