Update ci/cd dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v6 → v7
codecov/codecov-action	action	major	v5 → v7
gradle/actions	action	major	v5 → v6
paulhatch/semantic-version	action	major	v5.4.0 → v6.0.2
softprops/action-gh-release	action	major	v2.5.0 → v3.0.1

---

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

v7

Compare Source

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in #​2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in #​2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in #​2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in #​2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in #​2459
• upgrade module to esm and update dependencies by @​aiqiaoy in #​2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in #​2462

codecov/codecov-action (codecov/codecov-action)

v7.0.0

Compare Source

⚠️ Due to migration issues with keybase, we are unable to update our keys under the codecovsecurity account. We have deleted the account and are using codecovsecops with the original gpg key

What's Changed

• ci: remove Enforce License Compliance workflow by @​thomasrockhu-codecov in #​1950
• chore(release): 7.0.0 by @​thomasrockhu-codecov in #​1957

Full Changelog: codecov/codecov-action@v6.0.1...v7.0.0

v7

Compare Source

v6.0.2

Compare Source

This is a copy of the v7.0.0 release to make updates easier

What's Changed

• ci: remove Enforce License Compliance workflow by @​thomasrockhu-codecov in #​1950
• chore(release): 7.0.0 by @​thomasrockhu-codecov in #​1957

Full Changelog: codecov/codecov-action@v6.0.1...v6.0.2

v6.0.1

Compare Source

What's Changed

• fix: prevent template injection in run: steps (VULN-1652) by @​thomasrockhu-codecov in #​1947
• chore(release): 6.0.1 by @​thomasrockhu-codecov in #​1949

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

v6.0.0

Compare Source

⚠️ This version introduces support for node24 which make cause breaking changes for systems that do not currently support node24. ⚠️

What's Changed

• Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0"" by @​thomasrockhu-codecov in #​1929
• Th/6.0.0 by @​thomasrockhu-codecov in #​1928

Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0

v6

Compare Source

gradle/actions (gradle/actions)

v6.2.0

Compare Source

Highlights

This release brings significant behaviour improvements to Enhanced caching, improvements to the generated Job Summary, and a number of correctness and security fixes.

1. Improved cache-cleanup mechanism. Cleanup of stale files from the Gradle User Home is now faster, and no longer depends on Gradle or a JVM. It works by inspecting the local file state directly, removing the Gradle invocation from the post-build step.
2. More granular, more stable caching. The local build cache is stored as a separate cache entry, so it can be restored and invalidated independently of the main Gradle User Home entry. Transient Gradle housekeeping files are excluded from the cache, reducing its size and improving stability.
3. Hide obsolete Job summaries in PR commments: When a new Job summary comment is added to a PR, previous outdated Job summaries are now hidden.
4. Improved caching report in the job summary. The cache report now uses a single, consistent layout across all cache states and providers. Provider information is integrated directly into the report, and per-entry details are available in an expandable section. (#​985)
5. Correctness and security fixes. A unique cache key is now used per run attempt, so re-runs no longer collide; the job summary shows the cache key string rather than an internal id; and bundled dependencies have been updated, including a ReDoS fix and a fast-xml CVE fix.

What's Changed

• Remove unnecessary dependency overrides by @​bigdaz in #​981
• Scope CI-integ-test concurrency groups per-branch by @​bigdaz in #​983
• Improve typings by @​Vampire in #​938
• Hide obsolete Job summaries by @​SimonMarquis in #​902
• CI: add requireable aggregate/no-op checks for branch protection by @​bigdaz in #​984
• Redesign the caching Job Summary by @​bigdaz in #​985

New Contributors

• @​Vampire made their first contribution in #​938

Full Changelog: gradle/actions@v6.1.1...v6.2.0

v6.1.1

Compare Source

This release updates various dependency versions, resolving several reported security vulnerabilities.
No functional changes are included

What's Changed

• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /sources/test/init-scripts by @​bot-githubaction in #​961
• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /.github/workflow-samples/gradle-plugin by @​bot-githubaction in #​962
• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /.github/workflow-samples/groovy-dsl by @​bot-githubaction in #​963
• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /.github/workflow-samples/java-toolchain by @​bot-githubaction in #​964
• Bump Gradle Wrapper from 9.4.1 to 9.5.1 in /.github/workflow-samples/kotlin-dsl by @​bot-githubaction in #​965
• Update known wrapper checksums by @​github-actions[bot] in #​937
• Bump the github-actions group across 2 directories with 8 updates by @​dependabot[bot] in #​976
• Bump the npm-dependencies group across 1 directory with 14 updates by @​dependabot[bot] in #​970
• Bump references to Develocity Gradle plugin from 4.4.0 to 4.4.2 by @​bot-githubaction in #​973
• Bump the npm-dependencies group in /sources with 5 updates by @​dependabot[bot] in #​977
• Update @​actions/cache and @​actions/artifact, stop ignoring them in Dependabot by @​bigdaz in #​978
• Resolve npm security vulnerabilities via dependency overrides by @​bigdaz in #​980

Full Changelog: gradle/actions@v6.1.0...v6.1.1

v6.1.0

Compare Source

New: Basic Cache Provider

A new MIT-licensed Basic Caching provider is now available as an alternative to the proprietary Enhanced Caching provided by gradle-actions-caching. Choose Basic Caching by setting cache-provider: basic on setup-gradle or dependency-submission actions.

• Built on @actions/cache -- fully open source
• Caches ~/.gradle/caches and ~/.gradle/wrapper directories
• Cache key derived from build files (*.gradle*, gradle-wrapper.properties, etc.)
• Clean cache on build file changes (no restore keys, preventing stale entry accumulation)

Limitations vs Enhanced Caching: No cache cleanup, no deduplication of cached content, cached content is fixed unless build files change.

Revamped Licensing & Distribution Documentation

• New DISTRIBUTION.md documents the licensing of each component (particularly Basic Caching vs Enhanced Caching)
• Simplified licensing notices in README, docs, and runtime log output
• Clear usage tiers: Enhanced Caching is free for public repos and in Free Preview for private repos

What's Changed

• Use a unique cache entry for wrapper-validation test by @​bigdaz in #​921
• Update Dependencies by @​bigdaz in #​922
• Update dependencies and resolve npm vulnerabilities by @​bigdaz in #​933
• Add open-source 'basic' cache provider and revamp licensing documentation by @​bigdaz in #​930
• Restructure caching documentation for basic and enhanced providers by @​bigdaz in #​934

Full Changelog: gradle/actions@v6.0.1...v6.1.0

v6.0.1

Compare Source

[!IMPORTANT]
The release of gradle/actions@v6 contains important changes to the license terms. More details in this blog post.
TL;DR: By upgrading to v6, you accept the Terms of Use for the gradle-actions-caching component.

Summary

The license changes in v6 introduced a gradle-actions-caching license notice that is printed in logs and in each job summary.

With this release, the license notice will be muted if build-scan terms have been accepted, or if a Develocity access key is provided.

What's Changed

• Bump actions used in docs by @​Goooler in #​792
• Add typing information for use by typesafegithub by @​bigdaz in #​910
• Mute license warning when terms are accepted by @​bigdaz in #​911
• Mention explicit license acceptance in notice by @​bigdaz in #​912
• Bump com.fasterxml.jackson.dataformat:jackson-dataformat-smile from 2.21.1 to 2.21.2 in /sources/test/init-scripts in the gradle group across 1 directory by @​dependabot[bot] in #​907

Full Changelog: gradle/actions@v6.0.0...v6.0.1

v6.0.0

Compare Source

[!IMPORTANT]
The release of gradle/actions@v6 contains important changes to the license terms. More details in this blog post.
TL;DR: By upgrading to v6, you accept the Terms of Use for the gradle-actions-caching component.

Summary

• Caching functionality of 'gradle-actions' has been extracted into a separate gradle-actions-caching library, and is no longer open-source. See this blog post for more context.
• Existing, rudimentary, configuration-cache support has been removed, pending a fully functional implementation in gradle-actions-caching.
• Dependencies updated to address security vulnerabilities

[!IMPORTANT]

Licensing notice

The caching functionality in `gradle-actions` has been extracted into `gradle-actions-caching`, a proprietary commercial component that is not covered by the MIT License.
The bundled `gradle-actions-caching` component is licensed and governed by a separate license, available at https://gradle.com/legal/terms-of-use/.

The `gradle-actions-caching` component is used only when caching is enabled and is not loaded or used when caching is disabled.

Use of the `gradle-actions-caching` component is subject to a separate license, available at https://gradle.com/legal/terms-of-use/.
If you do not agree to these license terms, do not use the `gradle-actions-caching` component.

What's Changed

• Bump the npm-dependencies group in /sources with 2 updates by @​dependabot[bot] in #​866
• Update known wrapper checksums by @​github-actions[bot] in #​868
• Dependency updates by @​bigdaz in #​876
• Update known wrapper checksums by @​github-actions[bot] in #​878
• Bump @​types/node from 25.3.3 to 25.3.5 in /sources in the npm-dependencies group across 1 directory by @​dependabot[bot] in #​877
• Bump the github-actions group across 3 directories with 3 updates by @​dependabot[bot] in #​867
• Update known wrapper checksums by @​github-actions[bot] in #​881
• Bump the npm-dependencies group in /sources with 6 updates by @​dependabot[bot] in #​879
• Bump the github-actions group across 3 directories with 5 updates by @​dependabot[bot] in #​880
• Remove configuration-cache support by @​bigdaz in #​884
• Extract caching logic into a separate gradle-actions-caching component by @​bigdaz in #​885
• Update gradle-actions-caching library to v0.3.0 by @​bot-githubaction in #​899
• Avoid windows shutdown bug by @​bigdaz in #​900
• Dependency updates by @​bigdaz in #​905
• Fix critical and high npm vulnerabilities by @​bigdaz in #​904
• Fix rendering of job-disabled message by @​bigdaz in #​909

Full Changelog: gradle/actions@v5.0.2...v6.0.0

v6

Compare Source

paulhatch/semantic-version (paulhatch/semantic-version)

v6.0.2

Compare Source

What's Changed

• chore!: update to node 24 by @​krische in PaulHatch#189

New Contributors

• @​krische made their first contribution in PaulHatch#189

Full Changelog: PaulHatch/semantic-version@v6.0.1...v6.0.2

v6.0.1

Compare Source

What's Changed

• feat: change minor pattern to support optional conventional commit scopes by @​BodrickLight in PaulHatch#188
• CLI alias updates, now run with semver or sv

New Contributors

• @​BodrickLight made their first contribution in PaulHatch#188

Full Changelog: PaulHatch/semantic-version@v6.0.0...v6.0.1

v6.0.0

Compare Source

What's Changed

• Change default version patterns to follow Conventional Commits
• Add CLI
• Add ignore_commits_pattern and allow disabling major/minor pattern

Full Changelog: PaulHatch/semantic-version@v5.4.0...v6.0.0

softprops/action-gh-release (softprops/action-gh-release)

v3.0.1

Compare Source

3.0.1

• maintenance release with updated dependencies

v3.0.0

Compare Source

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24.
Use v3 on GitHub-hosted runners and self-hosted fleets that already support the
Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on
v2.6.2.

What's Changed

Other Changes 🔄

• Move the action runtime and bundle target to Node 24
• Update @types/node to the Node 24 line and allow future Dependabot updates
• Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

v3

Compare Source

v2.6.2

Compare Source

What's Changed

Other Changes 🔄

• chore(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in #​775
• chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 by @​dependabot[bot] in #​777
• chore(deps): bump vite from 8.0.0 to 8.0.5 by @​dependabot[bot] in #​781

Full Changelog: softprops/action-gh-release@v2...v2.6.2

v2.6.1

Compare Source

2.6.1 is a patch release focused on restoring linked discussion thread creation when
discussion_category_name is set. It fixes #764, where the draft-first publish flow
stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: preserve discussion category on publish by @​chenrui333 in #​765

v2.6.0

Compare Source

2.6.0 is a minor release centered on previous_tag support for generate_release_notes,
which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync,
a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉

• feat: support previous_tag for generate_release_notes by @​pocesar in #​372

Bug fixes 🐛

• fix: recover concurrent asset metadata 404s by @​chenrui333 in #​760

Other Changes 🔄

• docs: clarify reused draft release behavior by @​chenrui333 in #​759
• docs: clarify working_directory input by @​chenrui333 in #​761
• ci: verify dist bundle freshness by @​chenrui333 in #​762
• fix: clarify immutable prerelease uploads by @​chenrui333 in #​763

v2.5.3

Compare Source

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2.
It fixes #639, #571, #280, #614, #311, #403, and #368.
It also adds documentation clarifications for #541, #645, #542, #393, and #411,
where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: prefer token input over GITHUB_TOKEN by @​chenrui333 in #​751
• fix: clean up duplicate drafts after canonicalization by @​chenrui333 in #​753
• fix: support Windows-style file globs by @​chenrui333 in #​754
• fix: normalize refs-tag inputs by @​chenrui333 in #​755
• fix: expand tilde file paths by @​chenrui333 in #​756

Other Changes 🔄

• docs: clarify token precedence by @​chenrui333 in #​752
• docs: clarify GitHub release limits by @​chenrui333 in #​758
• documentation clarifications for empty-token handling, preserve_order, and special-character asset filename behavior

Full Changelog: softprops/action-gh-release@v2...v2.5.3

v2.5.2

Compare Source

2.5.2 is a patch release focused on the remaining release-creation and prerelease regressions in the 2.5.x bug-fix cycle.
It fixes #705, fixes #708, fixes #740, fixes #741, and fixes #722.
Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels,
same-filename concurrent uploads, and blocked-tag cleanup behavior.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: canonicalize releases after concurrent create by @​chenrui333 in #​746
• fix: preserve prereleased events for prereleases by @​chenrui333 in #​748
• fix: restore dotfile asset labels by @​chenrui333 in #​749
• fix: handle upload already_exists races across workflows by @​api2062 in #​745
• fix: clean up orphan drafts when tag creation is blocked by @​chenrui333 in #​750

New Contributors

• @​api2062 made their first contribution in #​745

Full Changelog: softprops/action-gh-release@v2...v2.5.2

v2.5.1

Compare Source

2.5.1 is a patch release focused on regressions introduced in 2.5.0 and on release lookup reliability.
It fixes #713, addresses #703, and fixes #724. Regression testing shows that
current master no longer reproduces the finalize-race behavior reported in #704 and #709.

What's Changed

Bug fixes 🐛

• fix: fetch correct asset URL after finalization; test; some refactoring by @​pzhlkj6612 in #​738
• fix: release marked as 'latest' despite make_latest: false by @​Boshen in #​715
• fix: use getReleaseByTag API instead of iterating all releases by @​kim-em in #​725

Other Changes 🔄

• dependency updates, including the ESM/runtime compatibility refresh in #​731

New Contributors

• @​autarch made their first contribution in #​716
• @​pzhlkj6612 made their first contribution in #​738
• @​Boshen made their first contribution in #​715
• @​kim-em made their first contribution in #​725

Full Changelog: softprops/action-gh-release@v2...v2.5.1

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.72%. Comparing base (30f8c94) to head (0ab1e08).

Additional details and impacted files

@@            Coverage Diff            @@
##               main     #267   +/-   ##
=========================================
  Coverage     72.72%   72.72%           
  Complexity        4        4           
=========================================
  Files             3        3           
  Lines            11       11           
=========================================
  Hits              8        8           
  Misses            1        1           
  Partials          2        2           

Flag	Coverage Δ
integration-tests-macos-latest	80.00% <ø> (ø)
integration-tests-ubuntu-latest	80.00% <ø> (ø)
integration-tests-windows-latest	80.00% <ø> (ø)
unit-tests-macos-latest	72.72% <ø> (ø)
unit-tests-ubuntu-latest	72.72% <ø> (ø)
unit-tests-windows-latest	72.72% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.