[Github] Update GHA Dependencies (major) #161108

renovate-bot · 2025-09-29T00:04:47Z

This PR contains the following updates:

Package	Type	Update	Change
actions/attest-build-provenance	action	major	`v1.4.4` -> `v3.0.0`
actions/checkout	action	major	`v4.3.0` -> `v5.0.0`
actions/github-script	action	major	`v7.1.0` -> `v8.0.0`
actions/github-script	action	major	`v6.4.1` -> `v8.0.0`
actions/labeler	action	major	`v4.3.0` -> `v6.0.1`
actions/setup-node	action	major	`v4.4.0` -> `v6.0.0`
actions/setup-python	action	major	`v5.6.0` -> `v6.0.0`
github/codeql-action	action	major	`v2.28.1` -> `v4.31.2`
github/codeql-action	action	major	`v3.31.2` -> `v4.31.2`
node	uses-with	major	`18` -> `24`
tj-actions/changed-files	action	major	`v46.0.5` -> `v47.0.0`

llvmbot · 2025-09-29T00:05:24Z

@llvm/pr-subscribers-libcxx

@llvm/pr-subscribers-github-workflow

Author: Mend Renovate (renovate-bot)

Changes

This PR contains the following updates:

Package	Type	Update	Change	Pending
actions/attest-build-provenance	action	major	`v1.0.0` -> `v3.0.0`
actions/checkout	action	major	`v4.1.1` -> `v5.0.0`
actions/github-script	action	major	`v7.0.1` -> `v8.0.0`
actions/github-script	action	major	`v6.4.1` -> `v8.0.0`
actions/labeler	action	major	`v4.3.0` -> `v6.0.1`
actions/setup-node	action	major	`v4.2.0` -> `v5.0.0`
actions/setup-python	action	major	`v5.4.0` -> `v6.0.0`
github/codeql-action	action	major	`v2.20.6` -> `v3.30.4`	`v3.30.5`
macos	github-runner	major	`14` -> `15`
node	uses-with	major	`18` -> `22`
tj-actions/changed-files	action	major	`v46.0.5` -> `v47.0.0`
windows	github-runner	major	`2022` -> `2025`

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

<details>
<summary>actions/attest-build-provenance (actions/attest-build-provenance)</summary>

`v3.0.0`

Compare Source

What's Changed

Adjust node max-http-header-size setting by @bdehamer in #687
Bump actions/attest from v2.4.0 to v3.0.0 by @bdehamer in #691
- Bump to node24 runtime
- Improved checksum parsing
Bump attest-build-provenance/predicate to v2.0.0 by @bdehamer in #693
- Bump to node24 runtime by @bdehamer in #692

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: <actions/attest-build-provenance@v2.4.0...v3.0.0>

`v2.4.0`

Compare Source

What's Changed

Bump undici from 5.28.5 to 5.29.0 by @dependabot in #633
Bump actions/attest from 2.3.0 to 2.4.0 by @bdehamer in #654
- Includes support for the new well-known summary file which will accumulate paths to all attestations generated in a given workflow run

Full Changelog: <actions/attest-build-provenance@v2.3.0...v2.4.0>

`v2.3.0`

Compare Source

What's Changed

Bump actions/attest from 2.2.1 to 2.3.0 by @bdehamer in #615
- Updates @sigstore/oci from 0.4.0 to 0.5.0

Full Changelog: <actions/attest-build-provenance@v2.2.3...v2.3.0>

`v2.2.3`

Compare Source

What's Changed

Pin actions/attest reference by commit SHA by @bdehamer in #493

Full Changelog: <actions/attest-build-provenance@v2.2.2...v2.2.3>

`v2.2.2`

Compare Source

What's Changed

Bump predicate action from 1.1.4 to 1.1.5 by @bdehamer in #485
- Bump @actions/attest from 1.5.0 to 1.6.0 by @bdehamer in #484
  - Update buildSLSAProvenancePredicate to populate workflow.ref field from the ref claim in the OIDC token (actions/toolkit#1969)

Full Changelog: <actions/attest-build-provenance@v2.2.1...v2.2.2>

`v2.2.1`

Compare Source

What's Changed

Bump undici from 5.28.4 to 5.28.5 by @dependabot in #457
Bump @octokit/request-error from 5.0.1 to 5.1.1 by @dependabot in #469
Bump @octokit/request from 8.2.0 to 8.4.1 by @dependabot in #478
Bump actions/attest from 2.2.0 to 2.2.1 by @bdehamer in #481
- Includes @actions/attest [v1.6.0](https://redirect.github.com/actions/toolkit/blob/main/packages/attest/RELEASES.md#160)

Full Changelog: <actions/attest-build-provenance@v2.2.0...v2.2.1>

`v2.2.0`

Compare Source

What's Changed

Bump actions/attest from v2.1.0 to v2.2.0 by @bdehamer in #449
- Includes support for now subject-checksums input parameter

Full Changelog: <actions/attest-build-provenance@v2.1.0...v2.2.0>

`v2.1.0`

Compare Source

What's Changed

Update README w/ note about GH plans supporting attestations by @bdehamer in #414
Add attestation-id and attestation-url outputs by @bdehamer in #415

Full Changelog: <actions/attest-build-provenance@v2.0.1...v2.1.0>

`v2.0.1`

Compare Source

What's Changed

Bump actions/attest from 2.0.0 to 2.0.1 by @bdehamer in #406
- Deduplicate subjects before adding to in-toto statement

Full Changelog: <actions/attest-build-provenance@v2.0.0...v2.0.1>

`v2.0.0`

Compare Source

The attest-build-provenance action now supports attesting multiple subjects simultaneously. When identifying multiple subjects with the subject-path input a single attestation is created with references to each of the supplied subjects, rather than generating separate attestations for each artifact. This reduces the number of attestations that you need to create and manage.

What's Changed

Bump cross-spawn from 7.0.3 to 7.0.6 by @dependabot in #319
Prepare v2.0.0 release by @bdehamer in #321
- Bump actions/attest from 1.4.1 to 2.0.0 (w/ multi-subject attestation support)

Full Changelog: <actions/attest-build-provenance@v1.4.4...v2.0.0>

`v1.4.4`

Compare Source

What's Changed

Bump predicate action from 1.1.3 to 1.1.4 by @bdehamer in #310
- Bump @actions/core from 1.10.1 to 1.11.1 by @dependabot in #275
- Bump @actions/attest from 1.4.2 to 1.5.0 by @bdehamer in #309
  - Fix SLSA provenance bug related to workflow_ref OIDC token claims containing the "@" symbol in the tag name (actions/toolkit#1863)

Full Changelog: <actions/attest-build-provenance@v1.4.3...v1.4.4>

`v1.4.3`

Compare Source

What's Changed

Bump predicate from 1.1.2 to 1.1.3 by @bdehamer in #226
- Bump @actions/attest from 1.3.1 to 1.4.1 by @dependabot in #212
- Bump @actions/attest from 1.4.1 to 1.4.2 by @bdehamer in #225
- Fix bug w/ customized OIDC issuer URL for enterprise accounts (#222)

Full Changelog: <actions/attest-build-provenance@v1.4.2...v1.4.3>

`v1.4.2`

Compare Source

What's Changed

Bump actions/attest from 1.4.0 to 1.4.1 by @bdehamer in #209
- Includes bug fix for issue with authenticated proxies (actions/toolkit#1798)

Full Changelog: <actions/attest-build-provenance@v1.4.1...v1.4.2>

`v1.4.1`

Compare Source

What's Changed

Update predicate action to 1.1.2 by @bdehamer in #197
- Dynamic construction of oidc issuer by @bdehamer in #195

Full Changelog: <actions/attest-build-provenance@v1.4.0...v1.4.1>

`v1.4.0`

Compare Source

What's Changed

Bump predicate action from 1.1.0 to 1.1.1 by @bdehamer in #182
- Fix for JWKS proxy bug
Bump actions/attest from 1.3.3 to 1.4.0 by @bdehamer in #183
- Add show-summary input
- Format summary output as list

Full Changelog: <actions/attest-build-provenance@v1.3.3...v1.4.0>

`v1.3.3`

Compare Source

What's Changed

Bump actions/attest from 1.3.2 to 1.3.3 by @bdehamer in #152
- Bugfix for properly handling glob exclusion patterns in subject-path input

Full Changelog: <actions/attest-build-provenance@v1.3.2...v1.3.3>

`v1.3.2`

Compare Source

What's Changed

Bump actions/attest from 1.3.1 to 1.3.2 by @bdehamer in #123
- Increase timeout for OCI operations

Full Changelog: <actions/attest-build-provenance@v1.3.1...v1.3.2>

`v1.3.1`

Compare Source

What's Changed

Bump actions/attest from 1.3.0 to 1.3.1 by @bdehamer in #117
- Bugfix when detecting support for the referrers API with OCI registries

Full Changelog: <actions/attest-build-provenance@v1.3.0...v1.3.1>

`v1.3.0`

Compare Source

What's Changed

Bump actions/attest-build-provenance/predicate from 1.0.0 to 1.1.0 by @bdehamer in #116
- Switch to new GH provenance build type
Bump actions/attest from 1.2.0 to 1.3.0 by @bdehamer in #116
- Dynamic construction of GitHub API URLs based on GITHUB_SERVER_URL
- Improved handling of Rekor 409 responses
- Bugfix - detection of registries with support for the OCI referrers API

Full Changelog: <actions/attest-build-provenance@v1.2.0...v1.3.0>

`v1.2.0`

Compare Source

What's Changed

Bump actions/attest from 1.1.2 to 1.2.0 by @bdehamer in #101
- Batch processing w/ exponential backoff
- Bugfix when pushing attestation to OCI registry

Full Changelog: <actions/attest-build-provenance@v1.1.2...v1.2.0>

`v1.1.2`

Compare Source

What's Changed

Bump actions/attest from 1.1.1 to 1.1.2 by @bdehamer in #79
- Downcase subject name for OCI images
- Fix accept header when retrieving image manifest
- Support variants of the Docker Hub registry name

Full Changelog: <actions/attest-build-provenance@v1.1.1...v1.1.2>

`v1.1.1`

Compare Source

What's Changed

Bump actions/attest from v1.1.0 to v1.1.1 by @bdehamer in #67
- Bump @sigstore/sign from 2.3.0 to 2.3.1
- Bump @sigstore/oci from 0.3.0 to 0.3.2
- Include more detail in error logging
- Send API errors to GHA debug log
- Fix bug preventing failed API requests from being retried

Full Changelog: <actions/attest-build-provenance@v1.1.0...v1.1.1>

`v1.1.0`

Compare Source

What's Changed

Bump actions/attest to v1.1.0 by @bdehamer in #65
- adds list support for subjectPath input
- limit attestation subject count
- ensure subject globs match only files

Full Changelog: <actions/attest-build-provenance@v1.0.0...v1.1.0>

</details>

<details>
<summary>actions/checkout (actions/checkout)</summary>

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

`v4.3.0`

Compare Source

What's Changed

docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043
Adjust positioning of user email note and permissions heading by @joshmgross in https://github.com/actions/checkout/pull/2044
Update README.md by @nebuk89 in https://github.com/actions/checkout/pull/2194
Update CODEOWNERS for actions by @TingluoHuang in https://github.com/actions/checkout/pull/2224
Update package dependencies by @salmanmkc in https://github.com/actions/checkout/pull/2236
Prepare release v4.3.0 by @salmanmkc in https://github.com/actions/checkout/pull/2237

New Contributors

@motss made their first contribution in https://github.com/actions/checkout/pull/1971
@mouismail made their first contribution in https://github.com/actions/checkout/pull/1977
@benwells made their first contribution in https://github.com/actions/checkout/pull/2043
@nebuk89 made their first contribution in https://github.com/actions/checkout/pull/2194
@salmanmkc made their first contribution in https://github.com/actions/checkout/pull/2236

Full Changelog: actions/checkout@v4...v4.3.0

`v4.2.2`

Compare Source

url-helper.ts now leverages well-known environment variables by @jww3 in #1941
Expand unit test coverage for isGhes by @jww3 in #1946

`v4.2.1`

Compare Source

Check out other refs/* by commit if provided, fall back to ref by @orhantoy in #1924

`v4.2.0`

Compare Source

Add Ref and Commit outputs by @lucacome in #1180
Dependency updates by @dependabot- #1777, #1872

`v4.1.7`

Compare Source

Bump the minor-npm-dependencies group across 1 directory with 4 updates by @dependabot in #1739
Bump actions/checkout from 3 to 4 by @dependabot in #1697
Check out other refs/* by commit by @orhantoy in #1774
Pin actions/checkout's own workflows to a known, good, stable version. by @jww3 in #1776

`v4.1.6`

Compare Source

Check platform to set archive extension appropriately by @cory-miller in #1732

`v4.1.5`

Compare Source

Update NPM dependencies by @cory-miller in #1703
Bump github/codeql-action from 2 to 3 by @dependabot in #1694
Bump actions/setup-node from 1 to 4 by @dependabot in #1696
Bump actions/upload-artifact from 2 to 4 by @dependabot in #1695
README: Suggest user.email to be 41898282+github-actions[bot]@&#8203;users.noreply.github.com by @cory-miller in #1707

`v4.1.4`

Compare Source

Disable extensions.worktreeConfig when disabling sparse-checkout by @jww3 in #1692
Add dependabot config by @cory-miller in #1688
Bump the minor-actions-dependencies group with 2 updates by @dependabot in #1693
Bump word-wrap from 1.2.3 to 1.2.5 by @dependabot in #1643

`v4.1.3`

Compare Source

Check git version before attempting to disable sparse-checkout by @jww3 in #1656
Add SSH user parameter by @cory-miller in #1685
Update actions/checkout version in update-main-version.yml by @jww3 in #1650

`v4.1.2`

Compare Source

Fix: Disable sparse checkout whenever sparse-checkout option is not present @dscho in #1598

</details>

<details>
<summary>actions/github-script (actions/github-script)</summary>

`v8.0.0`

Compare Source

`v7.1.0`

Compare Source

What's Changed

Upgrade husky to v9 by @benelan in #482
Add workflow file for publishing releases to immutable action package by @Jcambass in #485
Upgrade IA Publish by @Jcambass in #486
Fix workflow status badges by @joshmgross in #497
Update usage of actions/upload-artifact by @joshmgross in #512
Clear up package name confusion by @joshmgross in #514
Update dependencies with npm audit fix by @joshmgross in #515
Specify that the used script is JavaScript by @timotk in #478
chore: Add Dependabot for NPM and Actions by @nschonni in #472
Define permissions in workflows and update actions by @joshmgross in #531
chore: Add Dependabot for .github/actions/install-dependencies by @nschonni in #532
chore: Remove .vscode settings by @nschonni in #533
ci: Use github/setup-licensed by @nschonni in #473
make octokit instance available as octokit on top of github, to make it easier to seamlessly copy examples from GitHub rest api or octokit documentations by @iamstarkov in #508
Remove octokit README updates for v7 by @joshmgross in #557
docs: add "exec" usage examples by @neilime in #546
Bump ruby/setup-ruby from 1.213.0 to 1.222.0 by @dependabot[bot] in #563
Bump ruby/setup-ruby from 1.222.0 to 1.229.0 by @dependabot[bot] in #575
Clearly document passing inputs to the script by @joshmgross in #603
Update README.md by @nebuk89 in #610

New Contributors

@benelan made their first contribution in #482
@Jcambass made their first contribution in #485
@timotk made their first contribution in #478
@iamstarkov made their first contribution in #508
@neilime made their first contribution in #546
@nebuk89 made their first contribution in #610

Full Changelog: <actions/github-script@v7...v7.1.0>

</details>

<details>
<summary>actions/labeler (actions/labeler)</summary>

`v6.0.1`

Compare Source

What's Changed

Upgrade publish-action from 0.2.2 to 0.4.0 by @aparnajyothi-y in #901

New Contributors

@aparnajyothi-y made their first contribution in #901

Full Changelog: <actions/labeler@v6.0.0...v6.0.1>

`v6.0.0`

Compare Source

What's Changed

Add workflow file for publishing releases to immutable action package by @jcambass in #802

Breaking Changes

Upgrade Node.js version to 24 in action and dependencies @salmanmkc in #891
Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. Release Notes

Dependency Upgrades

Upgrade eslint-config-prettier from 9.0.0 to 9.1.0 by @dependabot[bot] in #711
Upgrade eslint from 8.52.0 to 8.55.0 by @dependabot[bot] in #720
Upgrade @types/jest from 29.5.6 to 29.5.11 by @dependabot[bot] in #719
Upgrade @types/js-yaml from 4.0.8 to 4.0.9 by @dependabot[bot] in #718
Upgrade @typescript-eslint/parser from 6.9.0 to 6.14.0 by @dependabot[bot] in #717
Upgrade prettier from 3.0.3 to 3.1.1 by @dependabot[bot] in #726
Upgrade eslint from 8.55.0 to 8.56.0 by @dependabot[bot] in #725
Upgrade @typescript-eslint/parser from 6.14.0 to 6.19.0 by @dependabot[bot] in #745
Upgrade eslint-plugin-jest from 27.4.3 to 27.6.3 by @dependabot[bot] in #744
Upgrade @typescript-eslint/eslint-plugin from 6.9.0 to 6.20.0 by @dependabot[bot] in #750
Upgrade prettier from 3.1.1 to 3.2.5 by @dependabot[bot] in #752
Upgrade undici from 5.26.5 to 5.28.3 by @dependabot[bot] in #757
Upgrade braces from 3.0.2 to 3.0.3 by @dependabot[bot] in #789
Upgrade minimatch from 9.0.3 to 10.0.1 by @dependabot[bot] in #805
Upgrade @actions/core from 1.10.1 to 1.11.1 by @dependabot[bot] in #811
Upgrade typescript from 5.4.3 to 5.7.2 by @dependabot[bot] in #819
Upgrade @typescript-eslint/parser from 7.3.1 to 8.17.0 by @dependabot[bot] in #824
Upgrade prettier from 3.2.5 to 3.4.2 by @dependabot[bot] in #825
Upgrade @types/jest from 29.5.12 to 29.5.14 by @dependabot[bot] in #827
Upgrade eslint-plugin-jest from 27.9.0 to 28.9.0 by @dependabot[bot] in #832
Upgrade ts-jest from 29.1.2 to 29.2.5 by @dependabot[bot] in #831
Upgrade @vercel/ncc from 0.38.1 to 0.38.3 by @dependabot[bot] in #830
Upgrade typescript from 5.7.2 to 5.7.3 by @dependabot[bot] in #835
Upgrade eslint-plugin-jest from 28.9.0 to 28.11.0 by @dependabot[bot] in #839
Upgrade undici from 5.28.4 to 5.28.5 by @dependabot[bot] in #842
Upgrade @octokit/request-error from 5.0.1 to 5.1.1 by @dependabot[bot] in #846

Documentation changes

Add note regarding pull_request_target to README.md by @silverwind in #669
Update readme with additional examples and important note about pull_request_target event by @IvanZosimov in #721
Document update - permission section by @harithavattikuti in #840
Improvement in documentation for pull_request_target event usage in README by @suyashgaonkar in #871
Fix broken links in documentation by @suyashgaonkar in #822

New Contributors

@silverwind made their first contribution in #669
@Jcambass made their first contribution in #802
@suyashgaonkar made their first contribution in #822
@HarithaVattikuti made their first contribution in #840
@salmanmkc made their first contribution in #891

Full Changelog: <actions/labeler@v5...v6.0.0>

`v5.0.0`

Compare Source

What's Changed

This release contains the following breaking changes:

The ability to apply labels based on the names of base and/or head branches was added (#186 and #54). The match object for changed files was expanded with new combinations in order to make it more intuitive and flexible (#423 and #101). As a result, the configuration file structure was significantly redesigned and is not compatible with the structure of the previous version. Please read the action documentation to find out how to adapt your configuration files for use with the new action version.
The bug related to the sync-labels input was fixed (#112). Now the input value is read correctly.
By default, dot input is set to true. Now, paths starting with a dot (e.g. .github) are matched by default.
Version 5 of this action updated the runtime to Node.js 20. All scripts are now run with Node.js 20 instead of Node.js 16 and are affected by any breaking changes between Node.js 16 and 20.

For more information, please read the action documentation.

New Contributors

@joshdales made their first contribution in #203
@dusan-trickovic made their first contribution in #626
@sungh0lim made their first contribution in #630
@TrianguloY made their first contribution in #629

Full Changelog: <actions/labeler@v4...v5.0.0>

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

`v5.0.0`

Compare Source

What's Changed

Breaking Changes

Enhance caching in setup-node with automatic package manager detection by @priya-kinthali in #1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@<!-- -->v5
- uses: actions/setup-node@<!-- -->v5
  with:
    package-manager-cache: false

Upgrade action to use node24 by @salmanmkc in #1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

Upgrade @octokit/request-error and @actions/github by @dependabot[bot] in #1227
Upgrade uuid from 9.0.1 to 11.1.0 by @dependabot[bot] in #1273
Upgrade undici from 5.28.5 to 5.29.0 by @dependabot[bot] in #1295
Upgrade form-data to bring in fix for critical vulnerability by @gowridurgad in #1332
Upgrade actions/checkout from 4 to 5 by @dependabot[bot] in #1345

New Contributors

@priya-kinthali made their first contribution in #1348
@salmanmkc made their first contribution in #1325

Full Changelog: <actions/setup-node@v4...v5.0.0>

`v4.4.0`

Compare Source

What's Changed

Bug fixes:

Make eslint-compact matcher compatible with Stylelint by @FloEdelmann in #98
Add support for indented eslint output by @fregante in #1245

Enhancement:

Support private mirrors by @marco-ippolito in #1240

Dependency update:

Upgrade @action/cache from 4.0.2 to 4.0.3 by @aparnajyothi-y in #1262

New Contributors

@FloEdelmann made their first contribution in #98
@fregante made their first contribution in #1245
@marco-ippolito made their first contribution in #1240

Full Changelog: <actions/setup-node@v4...v4.4.0>

`v4.3.0`

Compare Source

What's Changed

Dependency updates

Upgrade @actions/glob from 0.4.0 to 0.5.0 by @dependabot in #1200
Upgrade @action/cache from 4.0.0 to 4.0.2 by @gowridurgad in #1251
Upgrade @vercel/ncc from 0.38.1 to 0.38.3 by @dependabot in #1203
Upgrade @actions/tool-cache from 2.0.1 to 2.0.2 by @dependabot in #1220

New Contributors

@gowridurgad made their first contribution in #1251

Full Changelog: <actions/setup-node@v4...v4.3.0>

</details>

<details>
<summary>actions/setup-python (actions/setup-python)</summary>

`v6.0.0`

Compare Source

What's Changed

Breaking Changes

Upgrade to node 24 by @salmanmkc in #1164

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

Add support for pip-version by @priyagupta108 in #1129
Enhance reading from .python-version by @krystof-k in #787
Add version parsing from Pipfile by @aradkdj in #1067

Bug fixes:

Clarify pythonLocation behaviour for PyPy and GraalPy in environment variables by @aparnajyothi-y in #1183
Change missing cache directory error to warning by @aparnajyothi-y in #1182
Add Architecture-Specific PATH Management for Python with --user Flag on Windows by @aparnajyothi-y in #1122
Include python version in PyPy python-version output by @cdce8p in #1110
Update docs: clarification on pip authentication with setup-python by @priya-kinthali in #1156

Dependency updates:

Upgrade idna from 2.9 to 3.7 in /tests/data by @dependabot[bot] in #843
Upgrade form-data to fix critical vulnerabilities #182 & #183 by @aparnajyothi-y in #1163
Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download by @aparnajyothi-y in #1165
Upgrade actions/checkout from 4 to 5 by @dependabot[bot] in #1181
Upgrade @actions/tool-cache from 2.0.1 to 2.0.2 by @dependabot[bot] in #1095

New Contributors

@krystof-k made their first contribution in #787
@cdce8p made their first contribution in #1110
@aradkdj made their first contribution in [#1067](https://redirect.github.com/actions/set

</details>

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 12:59 AM, only on Monday ( * 0 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Full diff: https://github.com/llvm/llvm-project/pull/161108.diff

18 Files Affected:

(modified) .github/workflows/build-ci-container-windows.yml (+2-2)
(modified) .github/workflows/check-ci.yml (+1-1)
(modified) .github/workflows/docs.yml (+2-2)
(modified) .github/workflows/issue-write.yml (+1-1)
(modified) .github/workflows/libclang-python-tests.yml (+1-1)
(modified) .github/workflows/libcxx-build-and-test.yaml (+1-1)
(modified) .github/workflows/llvm-bugs.yml (+3-3)
(modified) .github/workflows/new-prs.yml (+1-1)
(modified) .github/workflows/pr-code-format.yml (+2-2)
(modified) .github/workflows/pr-code-lint.yml (+3-3)
(modified) .github/workflows/premerge.yaml (+1-1)
(modified) .github/workflows/release-asset-audit.yml (+1-1)
(modified) .github/workflows/release-binaries.yml (+1-1)
(modified) .github/workflows/release-documentation.yml (+1-1)
(modified) .github/workflows/release-doxygen.yml (+1-1)
(modified) .github/workflows/release-sources.yml (+1-1)
(modified) .github/workflows/scorecard.yml (+1-1)
(modified) .github/workflows/unprivileged-download-artifact/action.yml (+1-1)

diff --git a/.github/workflows/build-ci-container-windows.yml b/.github/workflows/build-ci-container-windows.yml
index 167e7cf06b3b2..b10633a8b9e32 100644
--- a/.github/workflows/build-ci-container-windows.yml
+++ b/.github/workflows/build-ci-container-windows.yml
@@ -18,7 +18,7 @@ on:
 jobs:
   build-ci-container-windows:
     if: github.repository_owner == 'llvm'
-    runs-on: windows-2022
+    runs-on: windows-2025
     outputs:
       container-name: ${{ steps.vars.outputs.container-name }}
       container-name-tag: ${{ steps.vars.outputs.container-name-tag }}
@@ -56,7 +56,7 @@ jobs:
       - build-ci-container-windows
     permissions:
       packages: write
-    runs-on: windows-2022
+    runs-on: windows-2025
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
diff --git a/.github/workflows/check-ci.yml b/.github/workflows/check-ci.yml
index 7e8c15696e344..c0f84285be188 100644
--- a/.github/workflows/check-ci.yml
+++ b/.github/workflows/check-ci.yml
@@ -26,7 +26,7 @@ jobs:
         with:
           sparse-checkout: .ci
       - name: Setup Python
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: 3.13
           cache: 'pip'
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 8cdd39c164cca..e383b7304d8fe 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -60,7 +60,7 @@ jobs:
           fetch-depth: 2
       - name: Get subprojects that have doc changes
         id: docs-changed-subprojects
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
           skip_initial_fetch: true
           base_sha: 'HEAD~1'
@@ -95,7 +95,7 @@ jobs:
             workflow:
               - '.github/workflows/docs.yml'
       - name: Setup Python env
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: '3.11'
           cache: 'pip'
diff --git a/.github/workflows/issue-write.yml b/.github/workflows/issue-write.yml
index db9389b6afe53..8a083f9143ec6 100644
--- a/.github/workflows/issue-write.yml
+++ b/.github/workflows/issue-write.yml
@@ -40,7 +40,7 @@ jobs:
 
       - name: 'Comment on PR'
         if: steps.download-artifact.outputs.artifact-id != ''
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
diff --git a/.github/workflows/libclang-python-tests.yml b/.github/workflows/libclang-python-tests.yml
index e168928325561..06c3cbe5fa9b6 100644
--- a/.github/workflows/libclang-python-tests.yml
+++ b/.github/workflows/libclang-python-tests.yml
@@ -34,7 +34,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Setup Python
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Setup ccache
diff --git a/.github/workflows/libcxx-build-and-test.yaml b/.github/workflows/libcxx-build-and-test.yaml
index 2e6ff7f91b6fc..26b1913a9ba23 100644
--- a/.github/workflows/libcxx-build-and-test.yaml
+++ b/.github/workflows/libcxx-build-and-test.yaml
@@ -236,7 +236,7 @@ jobs:
             **/crash_diagnostics/*
 
   windows:
-    runs-on: windows-2022
+    runs-on: windows-2025
     needs: [ stage2 ]
     strategy:
       fail-fast: false
diff --git a/.github/workflows/llvm-bugs.yml b/.github/workflows/llvm-bugs.yml
index 5470662c97628..174757f689585 100644
--- a/.github/workflows/llvm-bugs.yml
+++ b/.github/workflows/llvm-bugs.yml
@@ -14,13 +14,13 @@ jobs:
     runs-on: ubuntu-24.04
     if: github.repository == 'llvm/llvm-project'
     steps:
-      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 18
+          node-version: 22
           check-latest: true
       - run: npm install mailgun.js form-data
       - name: Send notification
-        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           MAILGUN_API_KEY: ${{ secrets.LLVM_BUGS_KEY }}
         with:
diff --git a/.github/workflows/new-prs.yml b/.github/workflows/new-prs.yml
index e1f2e754c1a3d..dc8cd100f3e68 100644
--- a/.github/workflows/new-prs.yml
+++ b/.github/workflows/new-prs.yml
@@ -67,7 +67,7 @@ jobs:
       github.event.pull_request.draft == false &&
       github.event.pull_request.commits < 10
     steps:
-      - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with:
           configuration-path: .github/new-prs-labeler.yml
           # workaround for https://github.com/actions/labeler/issues/112
diff --git a/.github/workflows/pr-code-format.yml b/.github/workflows/pr-code-format.yml
index 61c8680cd72a1..98de1062ebb2d 100644
--- a/.github/workflows/pr-code-format.yml
+++ b/.github/workflows/pr-code-format.yml
@@ -25,7 +25,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
           separator: ","
           skip_initial_fetch: true
@@ -48,7 +48,7 @@ jobs:
           clangformat: 21.1.0
 
       - name: Setup Python env
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: '3.11'
           cache: 'pip'
diff --git a/.github/workflows/pr-code-lint.yml b/.github/workflows/pr-code-lint.yml
index daefc9baacce7..7979b4864823e 100644
--- a/.github/workflows/pr-code-lint.yml
+++ b/.github/workflows/pr-code-lint.yml
@@ -27,13 +27,13 @@ jobs:
       cancel-in-progress: true
     steps:
       - name: Fetch LLVM sources
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 2
       
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
           separator: ","
           skip_initial_fetch: true
@@ -56,7 +56,7 @@ jobs:
           clang-tidy: 21.1.0
       
       - name: Setup Python env
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: '3.12'
 
diff --git a/.github/workflows/premerge.yaml b/.github/workflows/premerge.yaml
index 63ab4a8356971..385e534807960 100644
--- a/.github/workflows/premerge.yaml
+++ b/.github/workflows/premerge.yaml
@@ -139,7 +139,7 @@ jobs:
 
   premerge-check-macos:
     name: MacOS Premerge Checks
-    runs-on: macos-14
+    runs-on: macos-15
     if: >-
       github.repository_owner == 'llvm' &&
       (startswith(github.ref_name, 'release/') ||
diff --git a/.github/workflows/release-asset-audit.yml b/.github/workflows/release-asset-audit.yml
index 6546540a1b547..b658167d1db36 100644
--- a/.github/workflows/release-asset-audit.yml
+++ b/.github/workflows/release-asset-audit.yml
@@ -38,7 +38,7 @@ jobs:
         if: >-
           github.event_name != 'pull_request' &&
           failure()
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}
           script: |
diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
index 8f422a0147748..4690200939fd6 100644
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-binaries.yml
@@ -301,7 +301,7 @@ jobs:
 
     - name: Attest Build Provenance
       id: provenance
-      uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
       with:
         subject-path: ${{ needs.prepare.outputs.release-binary-filename }}
 
diff --git a/.github/workflows/release-documentation.yml b/.github/workflows/release-documentation.yml
index 712ff1831170e..2f7cdb7a3e636 100644
--- a/.github/workflows/release-documentation.yml
+++ b/.github/workflows/release-documentation.yml
@@ -37,7 +37,7 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup Python env
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           cache: 'pip'
           cache-dependency-path: './llvm/docs/requirements.txt'
diff --git a/.github/workflows/release-doxygen.yml b/.github/workflows/release-doxygen.yml
index 17c677413f744..c31319e47833d 100644
--- a/.github/workflows/release-doxygen.yml
+++ b/.github/workflows/release-doxygen.yml
@@ -43,7 +43,7 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup Python env
-        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           cache: 'pip'
           cache-dependency-path: './llvm/docs/requirements.txt'
diff --git a/.github/workflows/release-sources.yml b/.github/workflows/release-sources.yml
index 14cc4c4e9b94f..ad9c5a93e56be 100644
--- a/.github/workflows/release-sources.yml
+++ b/.github/workflows/release-sources.yml
@@ -92,7 +92,7 @@ jobs:
       - name: Attest Build Provenance
         if: github.event_name != 'pull_request'
         id: provenance
-        uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
         with:
           subject-path: "*.xz"
       - if: github.event_name != 'pull_request'
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 40db5504294ef..305d09980d245 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -57,6 +57,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@80f993039571a6de66594ecaa432875a6942e8e0 # v2.20.6
+        uses: github/codeql-action/upload-sarif@303c0aef88fc2fe5ff6d63d3b1596bfd83dfa1f9 # v3.30.4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/unprivileged-download-artifact/action.yml b/.github/workflows/unprivileged-download-artifact/action.yml
index 9d8fb59a67c0e..72815b26bcf41 100644
--- a/.github/workflows/unprivileged-download-artifact/action.yml
+++ b/.github/workflows/unprivileged-download-artifact/action.yml
@@ -27,7 +27,7 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v7.0.1
+    - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       id: artifact-url
       with:
         script: |

boomanaiden154

Probably want to avoid windows/mac updates given we're often explicitly using old versions and those updates usually manually need intervention anyways. Some of these changes should also probably be pieced out, but the vast majority are probably good.

boomanaiden154

Almost all of these major updates look like they exist solely due to the node 24 bump, which we are fully compatible with.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/attest-build-provenance](https://redirect.github.com/actions/attest-build-provenance) | action | major | `v1.4.4` -> `v3.0.0` | | [actions/checkout](https://redirect.github.com/actions/checkout) | action | major | `v4.3.0` -> `v5.0.0` | | [actions/github-script](https://redirect.github.com/actions/github-script) | action | major | `v7.1.0` -> `v8.0.0` | | [actions/github-script](https://redirect.github.com/actions/github-script) | action | major | `v6.4.1` -> `v8.0.0` | | [actions/labeler](https://redirect.github.com/actions/labeler) | action | major | `v4.3.0` -> `v6.0.1` | | [actions/setup-node](https://redirect.github.com/actions/setup-node) | action | major | `v4.4.0` -> `v6.0.0` | | [actions/setup-python](https://redirect.github.com/actions/setup-python) | action | major | `v5.6.0` -> `v6.0.0` | | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | major | `v2.28.1` -> `v4.31.2` | | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | major | `v3.31.2` -> `v4.31.2` | | [node](https://redirect.github.com/actions/node-versions) | uses-with | major | `18` -> `24` | | [tj-actions/changed-files](https://redirect.github.com/tj-actions/changed-files) | action | major | `v46.0.5` -> `v47.0.0` |

forking-renovate bot assigned boomanaiden154 Sep 29, 2025

llvmbot added libc++ libc++ C++ Standard Library. Not GNU libstdc++. Not libc++abi. github:workflow labels Sep 29, 2025

boomanaiden154 reviewed Sep 29, 2025

View reviewed changes

renovate-bot force-pushed the renovate/major-github-update-gha-dependencies branch 3 times, most recently from 275faa7 to 327d174 Compare October 5, 2025 16:52

renovate-bot changed the title ~~Update [Github] Update GHA Dependencies (major)~~ chore(deps): update [github] update gha dependencies (major) Oct 6, 2025

renovate-bot changed the title ~~chore(deps): update [github] update gha dependencies (major)~~ Update [Github] Update GHA Dependencies (major) Oct 6, 2025

renovate-bot force-pushed the renovate/major-github-update-gha-dependencies branch 4 times, most recently from 3152b76 to 929b0fa Compare October 13, 2025 16:08

renovate-bot force-pushed the renovate/major-github-update-gha-dependencies branch from 929b0fa to b20f055 Compare October 14, 2025 13:28

renovate-bot changed the title ~~Update [Github] Update GHA Dependencies (major)~~ chore(deps): update [github] update gha dependencies (major) Oct 15, 2025

renovate-bot changed the title ~~chore(deps): update [github] update gha dependencies (major)~~ Update [Github] Update GHA Dependencies (major) Oct 15, 2025

renovate-bot force-pushed the renovate/major-github-update-gha-dependencies branch 4 times, most recently from 185c97e to b10c86b Compare October 24, 2025 03:24

renovate-bot force-pushed the renovate/major-github-update-gha-dependencies branch 2 times, most recently from a5c72ab to 1ee1406 Compare October 28, 2025 00:17

renovate-bot changed the title ~~Update [Github] Update GHA Dependencies (major)~~ chore(deps): update [github] update gha dependencies (major) Oct 31, 2025

renovate-bot changed the title ~~chore(deps): update [github] update gha dependencies (major)~~ Update [Github] Update GHA Dependencies (major) Oct 31, 2025

renovate-bot force-pushed the renovate/major-github-update-gha-dependencies branch 4 times, most recently from ad041d4 to 668ae8f Compare November 3, 2025 17:19

Update [Github] Update GHA Dependencies

9737b82

renovate-bot force-pushed the renovate/major-github-update-gha-dependencies branch from 668ae8f to 9737b82 Compare November 6, 2025 19:20

boomanaiden154 changed the title ~~Update [Github] Update GHA Dependencies (major)~~ [Github] Update GHA Dependencies (major) Nov 6, 2025

boomanaiden154 approved these changes Nov 6, 2025

View reviewed changes

boomanaiden154 merged commit 2fd3bf3 into llvm:main Nov 6, 2025
28 of 29 checks passed

renovate-bot deleted the renovate/major-github-update-gha-dependencies branch November 7, 2025 00:02

[Github] Update GHA Dependencies (major) #161108

[Github] Update GHA Dependencies (major) #161108

Uh oh!

Conversation

renovate-bot commented Sep 29, 2025 • edited by boomanaiden154 Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

llvmbot commented Sep 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

What's Changed

⚠️ Minimum Compatible Runner Version

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

⚠️ Minimum Compatible Runner Version

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

Breaking Changes

Dependency Upgrades

Documentation changes

New Contributors

What's Changed

New Contributors

What's Changed

Breaking Changes

Dependency Upgrades

New Contributors

What's Changed

Bug fixes:

Enhancement:

Dependency update:

New Contributors

What's Changed

Dependency updates

New Contributors

What's Changed

Breaking Changes

Enhancements:

Bug fixes:

Dependency updates:

New Contributors

Configuration

Uh oh!

boomanaiden154 left a comment

Choose a reason for hiding this comment

Uh oh!

boomanaiden154 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

renovate-bot commented Sep 29, 2025 •

edited by boomanaiden154

Loading

llvmbot commented Sep 29, 2025 •

edited

Loading