[depbot] Bump the deps group with 14 updates

[dependabot]

Bumps the deps group with 14 updates:

Package	From	To
actions/checkout	4	6
actions/upload-artifact	6	7
actions/download-artifact	7	8
dawidd6/action-ansible-playbook	7	9
docker/setup-buildx-action	3	4
actions/cache	4	5
docker/login-action	3	4
docker/build-push-action	6	7
softprops/action-gh-release	2	3
hashicorp/setup-terraform	3	4
docker/setup-qemu-action	3	4
styfle/cancel-workflow-action	0.13.0	0.13.1
actions/setup-python	5	6
actions/github-script	8	9

Updates actions/checkout from 4 to 6

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

... (truncated)

Commits

• de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
• 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• 08c6903 Prepare v5.0.0 release (#2238)
• Additional commits viewable in compare view

Updates actions/upload-artifact from 6 to 7

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in actions/upload-artifact#754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in actions/upload-artifact#762
• Support direct file uploads by @​danwkennedy in actions/upload-artifact#764

New Contributors

• @​Link- made their first contribution in actions/upload-artifact#754

Full Changelog: actions/upload-artifact@v6...v7.0.0

Commits

• 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
• 634250c Include changes in typespec/ts-http-runtime 0.3.5
• e454baa Readme: bump all the example versions to v7 (#796)
• 74fad66 Update the readme with direct upload details (#795)
• bbbca2d Support direct file uploads (#764)
• 589182c Upgrade the module to ESM and bump dependencies (#762)
• 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
• 02a8460 Add proxy integration test
• See full diff in compare view

Updates actions/download-artifact from 7 to 8

Release notes

Sourced from actions/download-artifact's releases.

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in actions/download-artifact#460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in actions/download-artifact#461

Full Changelog: actions/download-artifact@v7...v8.0.0

Commits

• 3e5f45b Add regression tests for CJK characters (#471)
• e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
• 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
• f258da9 Add change docs
• ccc058e Fix linting issues
• bd7976b Add a setting to specify what to do on hash mismatch and default it to error
• ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
• 15999bf Add note about package bumps
• 974686e Bump the version to v8 and add release notes
• fbe48b1 Update test names to make it clearer what they do
• Additional commits viewable in compare view

Updates dawidd6/action-ansible-playbook from 7 to 9

Release notes

Sourced from dawidd6/action-ansible-playbook's releases.

v9

What's Changed

• build(deps): bump undici from 6.23.0 to 6.24.0 by @​dependabot[bot] in dawidd6/action-ansible-playbook#137
• node_modules: update by @​dawidd6 in dawidd6/action-ansible-playbook#138

Full Changelog: dawidd6/action-ansible-playbook@v8...v9

v8

What's Changed

• Update Node.js version from 20 to 24 by @​dawidd6 in dawidd6/action-ansible-playbook#136

Full Changelog: dawidd6/action-ansible-playbook@v7...v8

Commits

• 126642a node_modules: update (#138)
• c1f089f build(deps): bump undici from 6.23.0 to 6.24.0 (#137)
• 7e7e969 Update Node.js version from 20 to 24 (#136)
• See full diff in compare view

Updates docker/setup-buildx-action from 3 to 4

Release notes

Sourced from docker/setup-buildx-action's releases.

v4.0.0

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in docker/setup-buildx-action#483
• Remove deprecated inputs/outputs by @​crazy-max in docker/setup-buildx-action#464
• Switch to ESM and update config/test wiring by @​crazy-max in docker/setup-buildx-action#481
• Bump @​actions/core from 1.11.1 to 3.0.0 in docker/setup-buildx-action#475
• Bump @​docker/actions-toolkit from 0.63.0 to 0.79.0 in docker/setup-buildx-action#482 docker/setup-buildx-action#485
• Bump js-yaml from 4.1.0 to 4.1.1 in docker/setup-buildx-action#452
• Bump lodash from 4.17.21 to 4.17.23 in docker/setup-buildx-action#472
• Bump minimatch from 3.1.2 to 3.1.5 in docker/setup-buildx-action#480

Full Changelog: docker/setup-buildx-action@v3.12.0...v4.0.0

v3.12.0

• Deprecate install input by @​crazy-max in docker/setup-buildx-action#455
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in docker/setup-buildx-action#434
• Bump brace-expansion from 1.1.11 to 1.1.12 in docker/setup-buildx-action#436
• Bump form-data from 2.5.1 to 2.5.5 in docker/setup-buildx-action#432
• Bump undici from 5.28.4 to 5.29.0 in docker/setup-buildx-action#435

Full Changelog: docker/setup-buildx-action@v3.11.1...v3.12.0

v3.11.1

• Fix keep-state not being respected by @​crazy-max in docker/setup-buildx-action#429

Full Changelog: docker/setup-buildx-action@v3.11.0...v3.11.1

v3.11.0

• Keep BuildKit state support by @​crazy-max in docker/setup-buildx-action#427
• Remove aliases created when installing by default by @​hashhar in docker/setup-buildx-action#139
• Bump @​docker/actions-toolkit from 0.56.0 to 0.62.1 in docker/setup-buildx-action#422 docker/setup-buildx-action#425

Full Changelog: docker/setup-buildx-action@v3.10.0...v3.11.0

v3.10.0

• Bump @​docker/actions-toolkit from 0.54.0 to 0.56.0 in docker/setup-buildx-action#408

Full Changelog: docker/setup-buildx-action@v3.9.0...v3.10.0

v3.9.0

• Bump @​docker/actions-toolkit from 0.48.0 to 0.54.0 in docker/setup-buildx-action#402 docker/setup-buildx-action#404

Full Changelog: docker/setup-buildx-action@v3.8.0...v3.9.0

v3.8.0

• Make cloud prefix optional to download buildx if driver is cloud by @​crazy-max in docker/setup-buildx-action#390
• Bump @​actions/core from 1.10.1 to 1.11.1 in docker/setup-buildx-action#370
• Bump @​docker/actions-toolkit from 0.39.0 to 0.48.0 in docker/setup-buildx-action#389
• Bump cross-spawn from 7.0.3 to 7.0.6 in docker/setup-buildx-action#382

Full Changelog: docker/setup-buildx-action@v3.7.1...v3.8.0

... (truncated)

Commits

• 4d04d5d Merge pull request #485 from docker/dependabot/npm_and_yarn/docker/actions-to...
• cd74e05 chore: update generated content
• eee38ec build(deps): bump @​docker/actions-toolkit from 0.77.0 to 0.79.0
• 7a83f65 Merge pull request #484 from docker/dependabot/github_actions/docker/setup-qe...
• a5aa967 Merge pull request #464 from crazy-max/rm-deprecated
• e73d53f build(deps): bump docker/setup-qemu-action from 3 to 4
• 28a438e Merge pull request #483 from crazy-max/node24
• 034e9d3 chore: update generated content
• b4664d8 remove deprecated inputs/outputs
• a8257de node 24 as default runtime
• Additional commits viewable in compare view

Updates actions/cache from 4 to 5

Release notes

Sourced from actions/cache's releases.

v5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

---

What's Changed

• Upgrade to use node24 by @​salmanmkc in actions/cache#1630
• Prepare v5.0.0 release by @​salmanmkc in actions/cache#1684

Full Changelog: actions/cache@v4.3.0...v5.0.0

v4.3.0

What's Changed

• Add note on runner versions by @​GhadimiR in actions/cache#1642
• Prepare v4.3.0 release by @​Link- in actions/cache#1655

New Contributors

• @​GhadimiR made their first contribution in actions/cache#1642

Full Changelog: actions/cache@v4...v4.3.0

v4.2.4

What's Changed

• Update README.md by @​nebuk89 in actions/cache#1620
• Upgrade @actions/cache to 4.0.5 and move @protobuf-ts/plugin to dev depdencies by @​Link- in actions/cache#1634
• Prepare release 4.2.4 by @​Link- in actions/cache#1636

New Contributors

• @​nebuk89 made their first contribution in actions/cache#1620

Full Changelog: actions/cache@v4...v4.2.4

v4.2.3

What's Changed

• Update to use @​actions/cache 4.0.3 package & prepare for new release by @​salmanmkc in actions/cache#1577 (SAS tokens for cache entries are now masked in debug logs)

New Contributors

• @​salmanmkc made their first contribution in actions/cache#1577

Full Changelog: actions/cache@v4.2.2...v4.2.3

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

• 6682284 Merge pull request #1738 from actions/prepare-v5.0.4
• e340396 Update RELEASES
• 8a67110 Add licenses
• 1865903 Update dependencies & patch security vulnerabilities
• 5656298 Merge pull request #1722 from RyPeck/patch-1
• 4e380d1 Fix cache key in examples.md for bun.lock
• b7e8d49 Merge pull request #1701 from actions/Link-/fix-proxy-integration-tests
• 984a21b Add traffic sanity check step
• acf2f1f Fix resolution
• 95a07c5 Add wait for proxy
• Additional commits viewable in compare view

Updates docker/login-action from 3 to 4

Release notes

Sourced from docker/login-action's releases.

v4.0.0

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in docker/login-action#929
• Switch to ESM and update config/test wiring by @​crazy-max in docker/login-action#927
• Bump @​actions/core from 1.11.1 to 3.0.0 in docker/login-action#919
• Bump @​aws-sdk/client-ecr from 3.890.0 to 3.1000.0 in docker/login-action#909 docker/login-action#920
• Bump @​aws-sdk/client-ecr-public from 3.890.0 to 3.1000.0 in docker/login-action#909 docker/login-action#920
• Bump @​docker/actions-toolkit from 0.63.0 to 0.77.0 in docker/login-action#910 docker/login-action#928
• Bump @​isaacs/brace-expansion from 5.0.0 to 5.0.1 in docker/login-action#921
• Bump js-yaml from 4.1.0 to 4.1.1 in docker/login-action#901

Full Changelog: docker/login-action@v3.7.0...v4.0.0

v3.7.0

• Add scope input to set scopes for the authentication token by @​crazy-max in docker/login-action#912
• Add support for AWS European Sovereign Cloud ECR by @​dphi in docker/login-action#914
• Ensure passwords are redacted with registry-auth input by @​crazy-max in docker/login-action#911
• build(deps): bump lodash from 4.17.21 to 4.17.23 in docker/login-action#915

Full Changelog: docker/login-action@v3.6.0...v3.7.0

v3.6.0

• Add registry-auth input for raw authentication to registries by @​crazy-max in docker/login-action#887
• Bump @​aws-sdk/client-ecr to 3.890.0 in docker/login-action#882 docker/login-action#890
• Bump @​aws-sdk/client-ecr-public to 3.890.0 in docker/login-action#882 docker/login-action#890
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in docker/login-action#883
• Bump brace-expansion from 1.1.11 to 1.1.12 in docker/login-action#880
• Bump undici from 5.28.4 to 5.29.0 in docker/login-action#879
• Bump tmp from 0.2.3 to 0.2.4 in docker/login-action#881

Full Changelog: docker/login-action@v3.5.0...v3.6.0

v3.5.0

• Support dual-stack endpoints for AWS ECR by @​Spacefish @​crazy-max in docker/login-action#874 docker/login-action#876
• Bump @​aws-sdk/client-ecr to 3.859.0 in docker/login-action#860 docker/login-action#878
• Bump @​aws-sdk/client-ecr-public to 3.859.0 in docker/login-action#860 docker/login-action#878
• Bump @​docker/actions-toolkit from 0.57.0 to 0.62.1 in docker/login-action#870
• Bump form-data from 2.5.1 to 2.5.5 in docker/login-action#875

Full Changelog: docker/login-action@v3.4.0...v3.5.0

v3.4.0

• Bump @​actions/core from 1.10.1 to 1.11.1 in docker/login-action#791
• Bump @​aws-sdk/client-ecr to 3.766.0 in docker/login-action#789 docker/login-action#856
• Bump @​aws-sdk/client-ecr-public to 3.758.0 in docker/login-action#789 docker/login-action#856
• Bump @​docker/actions-toolkit from 0.35.0 to 0.57.0 in docker/login-action#801 docker/login-action#806 docker/login-action#858
• Bump cross-spawn from 7.0.3 to 7.0.6 in docker/login-action#814
• Bump https-proxy-agent from 7.0.5 to 7.0.6 in docker/login-action#823
• Bump path-to-regexp from 6.2.2 to 6.3.0 in docker/login-action#777

Full Changelog: docker/login-action@v3.3.0...v3.4.0

... (truncated)

Commits

• 4907a6d Merge pull request #930 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
• 1e233e6 chore: update generated content
• 6c24ead build(deps): bump the aws-sdk-dependencies group with 2 updates
• ee034d7 Merge pull request #958 from docker/dependabot/npm_and_yarn/lodash-4.18.1
• 1527209 Merge pull request #937 from docker/dependabot/npm_and_yarn/proxy-agent-depen...
• d39362a build(deps): bump lodash from 4.17.23 to 4.18.1
• a6f092b chore: update generated content
• 60953f0 build(deps): bump the proxy-agent-dependencies group with 2 updates
• 62c6885 Merge pull request #936 from docker/dependabot/npm_and_yarn/docker/actions-to...
• 102c0e6 chore: update generated content
• Additional commits viewable in compare view

Updates docker/build-push-action from 6 to 7

Release notes

Sourced from docker/build-push-action's releases.

v7.0.0

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in docker/build-push-action#1470
• Remove deprecated DOCKER_BUILD_NO_SUMMARY and DOCKER_BUILD_EXPORT_RETENTION_DAYS envs by @​crazy-max in docker/build-push-action#1473
• Remove legacy export-build tool support for build summary by @​crazy-max in docker/build-push-action#1474
• Switch to ESM and update config/test wiring by @​crazy-max in docker/build-push-action#1466
• Bump @​actions/core from 1.11.1 to 3.0.0 in docker/build-push-action#1454
• Bump @​docker/actions-toolkit from 0.62.1 to 0.79.0 in docker/build-push-action#1453 docker/build-push-action#1472 docker/build-push-action#1479
• Bump minimatch from 3.1.2 to 3.1.5 in docker/build-push-action#1463

Full Changelog: docker/build-push-action@v6.19.2...v7.0.0

v6.19.2

• Preserve port in GIT_AUTH_TOKEN host by @​crazy-max in docker/build-push-action#1458

Full Changelog: docker/build-push-action@v6.19.1...v6.19.2

v6.19.1

• Derive GIT_AUTH_TOKEN host from GitHub server URL by @​crazy-max in docker/build-push-action#1456

Full Changelog: docker/build-push-action@v6.19.0...v6.19.1

v6.19.0

• Scope default git auth token to github.com by @​crazy-max in docker/build-push-action#1451
• Bump brace-expansion from 1.1.11 to 1.1.12 in docker/build-push-action#1396
• Bump form-data from 2.5.1 to 2.5.5 in docker/build-push-action#1391
• Bump js-yaml from 3.14.1 to 3.14.2 in docker/build-push-action#1429
• Bump lodash from 4.17.21 to 4.17.23 in docker/build-push-action#1446
• Bump tmp from 0.2.3 to 0.2.4 in docker/build-push-action#1398
• Bump undici from 5.28.4 to 5.29.0 in docker/build-push-action#1397

Full Changelog: docker/build-push-action@v6.18.0...v6.19.0

v6.18.0

• Bump @​docker/actions-toolkit from 0.61.0 to 0.62.1 in docker/build-push-action#1381

[!NOTE] Build summary is now supported with Docker Build Cloud.

Full Changelog: docker/build-push-action@v6.17.0...v6.18.0

v6.17.0

• Bump @​docker/actions-toolkit from 0.59.0 to 0.61.0 by @​crazy-max in docker/build-push-action#1364

[!NOTE] Build record is now exported using the buildx history export command instead of the legacy export-build tool.

Full Changelog: docker/build-push-action@v6.16.0...v6.17.0

v6.16.0

• Handle no default attestations env var by @​crazy-max in docker/build-push-action#1343

... (truncated)

Commits

• bcafcac Merge pull request #1509 from docker/dependabot/npm_and_yarn/vite-7.3.2
• 18e62f1 Merge pull request #1510 from docker/dependabot/npm_and_yarn/lodash-4.18.1
• 46580d2 chore: update generated content
• 3f80b25 chore(deps): Bump lodash from 4.17.23 to 4.18.1
• efeec95 Merge pull request #1505 from crazy-max/refactor-git-context
• ddf04b0 Merge pull request #1511 from docker/dependabot/github_actions/crazy-max-dot-...
• db08d97 chore(deps): Bump the crazy-max-dot-github group with 2 updates
• ef1fb96 Merge pull request #1508 from docker/dependabot/github_actions/docker/login-a...
• 2d8f2a1 chore: update generated content
• 919ac7b fix test since secrets are not written to temp path anymore
• Additional commits viewable in compare view

Updates softprops/action-gh-release from 2 to 3

Release notes

Sourced from softprops/action-gh-release's releases.

v3.0.0

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24. Use v3 on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on v2.6.2.

What's Changed

Other Changes 🔄

• Move the action runtime and bundle target to Node 24
• Update @types/node to the Node 24 line and allow future Dependabot updates
• Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

v2.6.2

What's Changed

Other Changes 🔄

• chore(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in softprops/action-gh-release#775
• chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 by @​dependabot[bot] in softprops/action-gh-release#777
• chore(deps): bump vite from 8.0.0 to 8.0.5 by @​dependabot[bot] in softprops/action-gh-release#781

Full Changelog: softprops/action-gh-release@v2...v2.6.2

v2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If y...

Description has been truncated

[semanticdiff-com]

Review changes with  

Changed Files

File	Status
.github/workflows/benchmarks.yml	1% smaller
.github/workflows/Build-gear-loader-network.yml	0% smaller
.github/workflows/CI-docker-gear.yml	0% smaller
.github/workflows/CI.yaml	0% smaller
.github/workflows/build-node-fuzzer.yaml	0% smaller
.github/workflows/build-unix.yml	0% smaller
.github/workflows/build-windows.yml	0% smaller
.github/workflows/build.yml	0% smaller
.github/workflows/check-node-sync.yml	0% smaller
.github/workflows/claude-code-review.yml	0% smaller
.github/workflows/claude.yml	0% smaller
.github/workflows/comparison-table.yml	0% smaller
.github/workflows/release.yml	0% smaller
.github/workflows/validation.yml	0% smaller

[grishasobol]

@claude opus review

[claude]

Claude finished @grishasobol's task in 2m 11s —— View job

---

Claude Opus PR Review

• Read changed workflow files
• Verify version bumps match PR description
• Check for breaking changes / runner-version requirements
• Post final review

---

Summary

Standard Dependabot bump of 14 GitHub Actions across the workflows. All version bumps in the diff line up with the PR description, no with: blocks reference any of the inputs that were removed in the new majors (e.g. DOCKER_BUILD_NO_SUMMARY, DOCKER_BUILD_EXPORT_RETENTION_DAYS, the deprecated buildx inputs/outputs), and all upload-artifact@v7 ↔ download-artifact@v8 flows are bumped together so the new mandatory digest check stays internally consistent.

Two things worth raising before merge:

---

severity: medium — Composite action still pinned to actions/cache@v4, breaking consistency with the @v5 bump

File: .github/actions/install-cargo-xwin/action.yml line 19

    - name: "Cache MSVC CRT"
      uses: actions/cache@v4

Every workflow actions/cache reference was bumped to @v5, but this composite action — which is invoked from setup-compilation-env and pulled into the build pipeline — was missed. It will still work (v4 isn't deprecated) but the inconsistency is exactly the kind of thing that gets noticed three months from now when v4 gets a runner-side warning. Likely Dependabot isn't scanning .github/actions/**; worth either bumping it in this PR or extending Dependabot's package-ecosystem: github-actions directories config to include it.

Fix this →

---

severity: medium — Self-hosted runners must be on Actions Runner ≥ v2.327.1

Files: .github/workflows/benchmarks.yml (runs-on: [bench]), .github/workflows/build.yml (runs-on: [kuberunner]), .github/workflows/check.yml, .github/workflows/CI-docker-gear.yml, .github/workflows/check-node-sync.yml, .github/workflows/validation.yml, others using [kuberunner] / [bench].

The release notes for actions/checkout@v6, actions/cache@v5, actions/upload-artifact@v7, actions/download-artifact@v8, actions/setup-python@v6, docker/setup-buildx-action@v4, docker/login-action@v4, docker/build-push-action@v7, and softprops/action-gh-release@v3 all flag the same runtime requirement: Node 24 → Actions Runner ≥ 2.327.1. GitHub-hosted runners are fine, but [bench] and [kuberunner] are self-hosted; if their runner binaries haven't been updated, every job that lands on them will fail at startup with "unsupported runtime version". Worth confirming these fleets are on a current runner before merging — otherwise CI on this PR will be the canary.

---

severity: low — actions/download-artifact@v8 defaults digest-mismatch to error

Files: all actions/download-artifact@v8 usages — .github/workflows/build.yml:307,548,604,610, .github/workflows/build-unix.yml:43, .github/workflows/build-windows.yml:94,99, .github/workflows/CI.yaml:37, .github/workflows/Build-gear-loader-network.yml:38.

Previously a hash mismatch was a warning; in v8 it fails the run. Since this PR bumps both upload and download together, in steady state this should be a non-issue, but if you ever see a flaky download failure post-merge that wasn't flaky before, this is the most likely cause. Workaround if it bites: set digest-mismatch: warn on the affected step.

---

severity: low — dawidd6/action-ansible-playbook skips v8

File: .github/workflows/Build-gear-loader-network.yml:43

Bump goes v7 → v9 directly. v8 was the Node 20 → 24 runtime change, v9 is a transitive dep bump on top. No action change in behavior, just noting that the skip is intentional and lines up with the runner-version concern above (this one runs on ubuntu-latest, so it's fine).

---

Out-of-scope note (not part of this PR, but spotted nearby)

.github/workflows/build-node-fuzzer.yaml:31 still pins docker/login-action@master, which is why Dependabot can't bump it. Pre-existing, but worth pinning to a tagged version in a follow-up so it joins the dependency graph.

---

Overall this is a clean, mechanical bump and I'd expect it to be safe to merge once the self-hosted runner version is confirmed and the install-cargo-xwin composite action is brought along.
• Branch: dependabot/github_actions/deps-95d6154766