Update dependencies

[ngcpp-dependency-manager]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/cache	action	major	v4 → v5
actions/checkout	action	major	v4 → v6
actions/create-github-app-token	action	major	v2 → v3
actions/setup-node	action	major	v4 → v6
astral-sh/ruff-pre-commit	repository	patch	v0.15.15 → v0.15.17
bazel		patch	9.1.0 → 9.1.1
bazel_skylib	bazel_dep	minor	1.8.2 → 1.9.0
gcc	container	major	15 → 16
keith/pre-commit-buildifier	repository	minor	8.2.1 → 8.5.1
meson (source)	pre-commit-python	minor	==1.10.1 → ==1.11.1
mkdocs-git-revision-date-localized-plugin		patch	==1.5.1 → ==1.5.3
pymdown-extensions		patch	==10.21.2 → ==10.21.3
python	uses-with	minor	3.13 → 3.14
rhysd/actionlint	repository	patch	v1.7.8 → v1.7.12
rules_cc	bazel_dep	patch	0.2.18 → 0.2.19
softprops/action-gh-release	action	major	v2 → v3

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.

---

Release Notes

actions/cache (actions/cache)

v5.0.5

Compare Source

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in #​1747

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

Compare Source

What's Changed

• Add release instructions and update maintainer docs by @​Link- in #​1696
• Potential fix for code scanning alert no. 52: Workflow does not contain permissions by @​Link- in #​1697
• Fix workflow permissions and cleanup workflow names / formatting by @​Link- in #​1699
• docs: Update examples to use the latest version by @​XZTDean in #​1690
• Fix proxy integration tests by @​Link- in #​1701
• Fix cache key in examples.md for bun.lock by @​RyPeck in #​1722
• Update dependencies & patch security vulnerabilities by @​Link- in #​1738

New Contributors

• @​XZTDean made their first contribution in #​1690
• @​RyPeck made their first contribution in #​1722

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

Compare Source

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v5.0.2: v.5.0.2

Compare Source

v5.0.2

What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

v5.0.1

Compare Source

[!IMPORTANT]
actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

---

v5.0.1

What's Changed

• fix: update @​actions/cache for Node.js 24 punycode deprecation by @​salmanmkc in #​1685
• prepare release v5.0.1 by @​salmanmkc in #​1686

v5.0.0

What's Changed

• Upgrade to use node24 by @​salmanmkc in #​1630
• Prepare v5.0.0 release by @​salmanmkc in #​1684

Full Changelog: actions/cache@v5...v5.0.1

v5.0.0

Compare Source

[!IMPORTANT]
actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

---

What's Changed

• Upgrade to use node24 by @​salmanmkc in #​1630
• Prepare v5.0.0 release by @​salmanmkc in #​1684

Full Changelog: actions/cache@v4.3.0...v5.0.0

v5

Compare Source

actions/checkout (actions/checkout)

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

• Add worktree support for persist-credentials includeIf by @​ericsciple in #​2327

v6.0.0

Compare Source

• Persist creds to a separate file by @​ericsciple in #​2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in #​2248

v6

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

v5.0.1

Compare Source

• Port v6 cleanup to v5 by @​ericsciple in #​2301

v5.0.0

Compare Source

• Update actions checkout to use node 24 by @​salmanmkc in #​2226

v5

Compare Source

• Port v6 cleanup to v5 by @​ericsciple in #​2301

actions/create-github-app-token (actions/create-github-app-token)

v3.2.0

Compare Source

Features

• add support for enterprise-level GitHub Apps (#​263) (952a2a7)
• support full repository names in repositories input (#​372) (85eb8dd)

Bug Fixes

• deps: bump @​actions/core from 3.0.0 to 3.0.1 in the production-dependencies group (#​364) (43e5c34)
• validate private-key input (#​376) (f24bbd8)

v3.1.1

Compare Source

Bug Fixes

• improve error message when app identifier is empty (#​362) (07e2b76), closes #​249

v3.1.0

Compare Source

Bug Fixes

• deps: bump p-retry from 7.1.1 to 8.0.0 (#​357) (3bbe07d)

Features

• add client-id input and deprecate app-id (#​353) (e6bd4e6)
• update permission inputs (#​358) (076e948)

v3.0.0

Compare Source

• feat!: node 24 support (#​275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#​342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#​143) (dce0ab0)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
• Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3

Compare Source

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

What's Changed

Dependency updates:

• Upgrade @​actions dependencies by @​Copilot in #​1525
• Update Node.js versions in versions.yml and bump package to v6.4.0 by @​priya-kinthali in #​1533

New Contributors

• @​Copilot made their first contribution in #​1525

Full Changelog: actions/setup-node@v6...v6.4.0

v6.3.0

Compare Source

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in #​1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in #​1495

New Contributors

• @​susnux made their first contribution in #​1283

Full Changelog: actions/setup-node@v6...v6.3.0

v6.2.0

Compare Source

What's Changed

Documentation

• Documentation update related to absence of Lockfile by @​mahabaleshwars in #​1454
• Correct mirror option typos by @​MikeMcC399 in #​1442
• Readme update on checkout version v6 by @​deining in #​1446
• Readme typo fixes @​munyari in #​1226
• Advanced document update on checkout version v6 by @​aparnajyothi-y in #​1468

Dependency updates:

• Upgrade @​actions/cache to v5.0.1 by @​salmanmkc in #​1449

New Contributors

• @​mahabaleshwars made their first contribution in #​1454
• @​MikeMcC399 made their first contribution in #​1442
• @​deining made their first contribution in #​1446
• @​munyari made their first contribution in #​1226

Full Changelog: actions/setup-node@v6...v6.2.0

v6.1.0

Compare Source

What's Changed

Enhancement:

• Remove always-auth configuration handling by @​priyagupta108 in #​1436

Dependency updates:

• Upgrade @​actions/cache from 4.0.3 to 4.1.0 by @​dependabot[bot] in #​1384
• Upgrade actions/checkout from 5 to 6 by @​dependabot[bot] in #​1439
• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​1435

Documentation update:

• Add example for restore-only cache in documentation by @​aparnajyothi-y in #​1419

Full Changelog: actions/setup-node@v6...v6.1.0

v6.0.0

Compare Source

What's Changed

Breaking Changes

• Limit automatic caching to npm, update workflows and documentation by @​priyagupta108 in #​1374

Dependency Upgrades

• Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by @​dependabot[bot] in #​1336
• Upgrade prettier from 2.8.8 to 3.6.2 by @​dependabot[bot] in #​1334
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot[bot] in #​1362

Full Changelog: actions/setup-node@v5...v6.0.0

v6

Compare Source

v5.0.0

Compare Source

What's Changed

Breaking Changes

• Enhance caching in setup-node with automatic package manager detection by @​priya-kinthali in #​1348

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

• Upgrade action to use node24 by @​salmanmkc in #​1325

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

• Upgrade @​octokit/request-error and @​actions/github by @​dependabot[bot] in #​1227
• Upgrade uuid from 9.0.1 to 11.1.0 by @​dependabot[bot] in #​1273
• Upgrade undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in #​1295
• Upgrade form-data to bring in fix for critical vulnerability by @​gowridurgad in #​1332
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in #​1345

New Contributors

• @​priya-kinthali made their first contribution in #​1348
• @​salmanmkc made their first contribution in #​1325

Full Changelog: actions/setup-node@v4...v5.0.0

v5

Compare Source

astral-sh/ruff-pre-commit (astral-sh/ruff-pre-commit)

v0.15.17

Compare Source

See: https://github.com/astral-sh/ruff/releases/tag/0.15.17

v0.15.16

Compare Source

See: https://github.com/astral-sh/ruff/releases/tag/0.15.16

bazelbuild/bazel (bazel)

v9.1.1

Compare Source

Release Notes:

bazelbuild/bazel-skylib (bazel_skylib)

v1.9.0

Compare Source

What's Changed

• Optimize copy_file and set allow_symlink by default to True if is_executable is False (#​565)
• Give rules/private:is_windows an empty applicable_license (#​600)
• Bump rules_go dependency for compatibility with Bazel 9 (#​601)

Contributors:
@​fdinoff, @​fmeum, @​fweikert, @​susinmotion

Full Changelog: bazelbuild/bazel-skylib@1.8.2...1.9.0

keith/pre-commit-buildifier (keith/pre-commit-buildifier)

v8.5.1

Compare Source

What's Changed

• Unset DISPLAY so that we don't throw a warning on WSL. by @​mkanat in #​41
• feat: update to 8.5.1 by @​dcarp in #​42

New Contributors

• @​mkanat made their first contribution in #​41
• @​dcarp made their first contribution in #​42

Full Changelog: keith/pre-commit-buildifier@8.2.1.1...8.5.1

mesonbuild/meson (meson)

v1.11.1

Compare Source

v1.11.0

Compare Source

v1.10.2

Compare Source

timvink/mkdocs-git-revision-date-localized-plugin (mkdocs-git-revision-date-localized-plugin)

v1.5.3

Compare Source

What's Changed

• Fix paths in MANIFEST.in by @​mitya57 in #​211

New Contributors

• @​mitya57 made their first contribution in #​211

Full Changelog: timvink/mkdocs-git-revision-date-localized-plugin@v1.5.2...v1.5.3

v1.5.2

Compare Source

What's Changed

Bug fixes

• Guard against page is None in mkdocs theme override Jinja2 templates by @​Copilot in #​202

Dependency updates (security)

• Bump requests from 2.32.5 to 2.33.0 by @​dependabot in #​203
• Bump pytest from 8.4.2 to 9.0.3 by @​dependabot in #​204
• Bump gitpython from 3.1.45 to 3.1.50 by @​dependabot in #​205, #​207, #​208
• Bump pygments from 2.19.2 to 2.20.0 by @​dependabot in #​206
• Bump urllib3 from 2.6.3 to 2.7.0 by @​dependabot in #​209

Full Changelog: timvink/mkdocs-git-revision-date-localized-plugin@v1.5.1...v1.5.2

facelessuser/pymdown-extensions (pymdown-extensions)

v10.21.3

Compare Source

10.21.3

• FIX: Fix regression that allows a snippet to be loaded outside of the base path using directory traversal when
  restrict_base_path is enabled (the default). Found by @​gistrec.

actions/python-versions (python)

v3.14.6: 3.14.6

Compare Source

Python 3.14.6

v3.14.5: 3.14.5

Compare Source

Python 3.14.5

v3.14.4: 3.14.4

Compare Source

Python 3.14.4

v3.14.3: 3.14.3

Compare Source

Python 3.14.3

v3.14.2: 3.14.2

Compare Source

Python 3.14.2

v3.14.1: 3.14.1

Compare Source

Python 3.14.1

v3.14.0: 3.14.0

Compare Source

Python 3.14.0

rhysd/actionlint (rhysd/actionlint)

v1.7.12

Compare Source

• Support the timezone configuration in on.schedule with checks for IANA timezone string. See the documentation for more details. Note that actionlint starts to embed the timezone database in the executables from this version so the binary sizes slightly increase. (#​641, thanks @​martincostello)

  on:
    schedule:
      # ERROR: The timezone is not a valid IANA timezone string
      - cron: '*/5 * * * *'
        timezone: 'Asia/Somewhere'

• Support the jobs.<job_name>.environment.deployment configuration. (#​639, thanks @​springmeyer)
• Support the macos-26-intel runner label. (#​629, thanks @​hugovk)
• Fix the table of webhook activity types are outdated by rebuilding the script to scrape the table from scratch.
• Support Go 1.26 and drop the support for Go 1.24. Now supported versions are 1.25 and 1.26.
• Tests are run on arm64 Windows in CI.
• Update the popular actions data set to the latest.

[Changes][v1.7.12]

v1.7.11

Compare Source

• Support the case() function in ${{ }} expressions which was recently added to GitHub Actions. (#​612, #​614, thanks @​heppu)

  env:
    # ERROR: case() requires an odd number of arguments
    ENVIRONMENT: |-
      ${{ case(
        github.ref == 'refs/heads/main', 'production',
        github.ref == 'refs/heads/staging', 'staging'
      ) }}

• Support new macos-26-large and windows-2025-vs2026 runner labels. See the GitHub's announce for more details. (#​615, thanks @​hugovk and @​muzimuzhi)
• Enable Artifact attestations for the released binaries. From v1.7.11 gh command can verify the integrity of the downloaded binaries as follows. The verification is highly recommended in terms of supply chain security. (#​608, thanks @​takaram)

  $ gh release download --repo rhysd/actionlint --pattern '*_darwin_amd64.tar.gz' v1.7.11
  $ gh attestation verify --repo rhysd/actionlint actionlint_1.7.11_darwin_amd64.tar.gz
  Loaded digest sha256:17ffc17fed8f0258ef6ad4aed932d3272464c7ef7d64e1cb0d65aa97c9752107 for file://actionlint_1.7.11_darwin_amd64.tar.gz
  Loaded 1 attestation from GitHub API
  
  The following policy criteria will be enforced:
  - Predicate type must match:................ https://slsa.dev/provenance/v1
  - Source Repository Owner URI must match:... https://github.com/rhysd
  - Source Repository URI must match:......... https://github.com/rhysd/actionlint
  - Subject Alternative Name must match regex: (?i)^https://github.com/rhysd/actionlint/
  - OIDC Issuer must match:................... https://token.actions.githubusercontent.com
  
  ✓ Verification succeeded!
  
  The following 1 attestation matched the policy criteria
  
  - Attestation #​1
    - Build repo:..... rhysd/actionlint
    - Build workflow:. .github/workflows/release.yaml@refs/tags/v1.7.11
    - Signer repo:.... rhysd/actionlint
    - Signer workflow: .github/workflows/release.yaml@refs/tags/v1.7.11

• Report path filters with ./ as error because they never match anything. (#​521)

  on:
    push:
      paths:
        # ERROR: This never matches anything. `foo/bar.txt` is correct.
        - ./foo/bar.txt

• Fix comparing matrix items when an item is a super set of another item. (#​523, #​613, thanks @​michaelgruenewald)
• Fix stack overflow crash by a recursive anchor in matrix items. (#​610)
• Fix an unassigned variable false positive from shellcheck by disabling SC2153 rule. (#​573)
• Reduce the number of memory allocations on resolving anchors.
• Update the popular actions data set to the latest.
• Update Go dependencies to the latest.
• Remove legacy Homebrew formula in rhysd/actionlint repository in favor of the cask package. Note that this change does not affect Homebrew's official formula.
• Add a link to the release page of the version in the playground.

[Changes][v1.7.11]

v1.7.10

Compare Source

• Support YAML anchors and aliases (&anchor and *anchor) in workflow files. In addition to parsing YAML anchors correctly, actionlint checks unused and undefined anchors. See the document for more details. (#​133, thanks @​srz-zumix for the initial implementation at #​568 and @​alexaandru for trying another approach at #​557)

  jobs:
    test:
      runs-on: ubuntu-latest
      services:
        nginx:
          image: nginx:latest
          credentials: &credentials
            username: ${{ secrets.user }}
            password: ${{ secrets.password }}
      steps:
        - run: ./download.sh
          # OK: Valid alias to &credentials
          env: *credentials
        - run: ./check.sh
          # ERROR: Undefined anchor 'credential'
          env: *credential
        - run: ./upload.sh
          # ERROR: Unused anchor 'credentials'
          env: &credentials

• Remove support for *-xl macOS runner labels because they were dropped. (#​592, thanks @​muzimuzhi)
• Remove support for the macOS 13 runner labels because they were dropped on Dec 4, 2025. (#​593, thanks @​muzimuzhi)
  • macos-13
  • macos-13-large
  • macos-13-xlarge
• Increase the maximum number of inputs in the workflow_dispatch event from 10 to 25 because the limitation was recently relaxed. (#​598, thanks @​Haegi)
• Support artifact-metadata permission for workflow permissions. (#​602, thanks @​martincostello)
• Detect more complicated constants at if: conditions as error. See the rule document for more details.
• Refactor the workflow parser with Go iterators. This slightly improves the performance and memory usage.
• Fix parsing extra { and } characters in format string of format() function call. For example v1.7.9 didn't parse "{{0} {1} {2}}" correctly.
• Detect an invalid value at type in workflow call inputs as error.
• Report YAML merge key << as error because GitHub Actions doesn't support the syntax.
• Check available contexts in expressions at jobs.<job_id>.snapshot.if.

  snapshot:
    image-name: my-custom-image
    # ERROR: `env` context is not allowed here
    if: ${{ env.USE_SNAPSHOT == 'true' }}

• Fix the instruction to install actionlint with mise in the installation document. (#​591, thanks @​risu729)
• Update the popular actions data set to the latest to include new major versions of the actions.

[Changes][v1.7.10]

v1.7.9

Compare Source

• Add support for ubuntu-slim runner label. (#​585, thanks @​cestorer)
• Check input deprecation in action by checking deprecationMessage property. Using a deprecated input is reported as error if it is not marked as required. See the document for more details. (#​580)

  - uses: reviewdog/action-actionlint@v1
    with:
      # ERROR: Using a deprecated input
      fail_on_error: true

• Add support for the Custom images feature.
  • Support image_version workflow trigger.

    on:
      image_version:
        names:
          - "MyNewImage"
          - "MyOtherImage"
        versions:
          - 1.*
          - 2.*

  • Support jobs.<job_id>.snapshot syntax. To make actionlint recognize your own image generation runner, use self-hosted-runner.labels config.

    jobs:
      build:
        runs-on: my-image-generation-runner
        snapshot:
            image-name: my-custom-image
            version: 2.*

• Report constant conditions at if: like if: true as error. Only very simple expressions like true or false are detected for now. See the document for more details.
• Check unexpected keys in inputs in action metadata.

  inputs:
    some_input:
      # Error: `type` is not supported for inputs in action metadata
      type: boolean

• Fix some invalid permissions are not reported as error in id-token and models scopes. (#​582, thanks @​holtkampjs)
• Fix args and entrypoint inputs are not recognized at uses: when it's not a Docker action. (#​550)
• Set correct column in source position of YAML parse error.
• Fix credentials cannot be configured with ${{ }}. (#​590)
• Improve messages in syntax errors on parsing steps (run: and uses:). Available keys suggestion is now more accurate and unexpected keys are detected more accurately.
• Fix the order of errors can be non-deterministic when multiple errors are caused at the same source positions.
• Improve error messages showing suggestions on detecting invalid permissions.
• Add instruction for installing actionlint with mise package manager. (#​589, thanks @​jylenhof)
• Fix outdated URLs in the document.
• Add new actionlint.AllContexts map constant in Go API that contains the information about all context availability.
• Update popular actions data set to the latest with several major versions of actions and the following new actions.
  • anthropics/claude-code-action
  • openai/codex-action
  • google-github-actions/run-gemini-cli
• Add make cov task to easily generate a code coverage report.
• Make installing the formula version of actionlint pacakge from tap of this repository with Homebrew a hard error. Install the cask version instead following the instruction in the error message.

[Changes][v1.7.9]

bazelbuild/rules_cc (rules_cc)

v0.2.19

Compare Source

Using bzlmod with Bazel 6 or later:

1. [Bazel 6] Add common --enable_bzlmod to .bazelrc.

2. Add to your MODULE.bazel file:

bazel_dep(name = "rules_cc", version = "0.2.19")

Using WORKSPACE:

load("@​bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

http_archive(
    name = "rules_cc",
    sha256 = "351248f6be41d18694d4d7c390aaebd9f865eea72a4758b2c9d782ae744c97f4",
    strip_prefix = "rules_cc-0.2.19",
    url = "https://github.com/bazelbuild/rules_cc/releases/download/0.2.19/rules_cc-0.2.19.tar.gz",
)

load("@​rules_cc//cc:extensions.bzl", "compatibility_proxy_repo")

compatibility_proxy_repo()

Full Changelog: bazelbuild/rules_cc@0.2.18...0.2.19

softprops/action-gh-release (softprops/action-gh-release)

v3.0.0

Compare Source

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24.
Use v3 on GitHub-hosted runners and self-hosted fleets that already support the
Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on
v2.6.2.

What's Changed

Other Changes 🔄

• Move the action runtime and bundle target to Node 24
• Update @types/node to the Node 24 line and allow future Dependabot updates
• Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

v3

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.