chore(deps): bump the github-actions group across 1 directory with 4 updates

[dependabot]

Bumps the github-actions group with 4 updates in the / directory: actions/checkout, actions/setup-go, github/codeql-action and actions/cache.

Updates actions/checkout from 5.0.0 to 6.0.2

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

• Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set by @​TingluoHuang in actions/checkout#2355
• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

• Update all references from v5 and v4 to v6 by @​ericsciple in actions/checkout#2314
• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327
• Clarify v6 README by @​ericsciple in actions/checkout#2328

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

... (truncated)

Commits

• de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
• 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• See full diff in compare view

Updates actions/setup-go from 6.0.0 to 6.4.0

Release notes

Sourced from actions/setup-go's releases.

v6.4.0

What's Changed

Enhancement

• Add go-download-base-url input for custom Go distributions by @​gdams in actions/setup-go#721

Dependency update

• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in actions/setup-go#727

Documentation update

• Rearrange README.md, add advanced-usage.md by @​priyagupta108 in actions/setup-go#724
• Fix Microsoft build of Go link by @​gdams in actions/setup-go#734

New Contributors

• @​gdams made their first contribution in actions/setup-go#721

Full Changelog: actions/setup-go@v6...v6.4.0

v6.3.0

What's Changed

• Update default Go module caching to use go.mod by @​priyagupta108 in actions/setup-go#705
• Fix golang download url to go.dev by @​178inaba in actions/setup-go#469

Full Changelog: actions/setup-go@v6...v6.3.0

v6.2.0

What's Changed

Enhancements

• Example for restore-only cache in documentation by @​aparnajyothi-y in actions/setup-go#696
• Update Node.js version in action.yml by @​ccoVeille in actions/setup-go#691
• Documentation update of actions/checkout by @​deining in actions/setup-go#683

Dependency updates

• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot in actions/setup-go#682
• Upgrade @​actions/cache to v5 by @​salmanmkc in actions/setup-go#695
• Upgrade actions/checkout from 5 to 6 by @​dependabot in actions/setup-go#686
• Upgrade qs from 6.14.0 to 6.14.1 by @​dependabot in actions/setup-go#703

New Contributors

• @​ccoVeille made their first contribution in actions/setup-go#691
• @​deining made their first contribution in actions/setup-go#683

Full Changelog: actions/setup-go@v6...v6.2.0

v6.1.0

What's Changed

Enhancements

• Fall back to downloading from go.dev/dl instead of storage.googleapis.com/golang by @​nicholasngai in actions/setup-go#665
• Add support for .tool-versions file and update workflow by @​priya-kinthali in actions/setup-go#673
• Add comprehensive breaking changes documentation for v6 by @​mahabaleshwars in actions/setup-go#674

... (truncated)

Commits

• See full diff in compare view

Updates github/codeql-action from 4.35.2 to 4.35.5

Release notes

Sourced from github/codeql-action's releases.

v4.35.5

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

v4.35.4

• Update default CodeQL bundle version to 2.25.4. #3881

v4.35.3

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

• Breaking change: Bump the minimum required CodeQL bundle version to 2.19.4. #3894
• Add support for SHA-256 Git object IDs. #3893

4.35.5 - 15 May 2026

• We have improved how the JavaScript bundles for the CodeQL Action are generated to avoid duplication across bundles and reduce the size of the repository by around 70%. This should have no effect on the runtime behaviour of the CodeQL Action. #3899
• For performance and accuracy reasons, improved incremental analysis will now only be enabled on a pull request when diff-informed analysis is also enabled for that run. If diff-informed analysis is unavailable (for example, because the PR diff ranges could not be computed), the action will fall back to a full analysis. #3791
• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

• Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

4.34.1 - 20 Mar 2026

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

... (truncated)

Commits

• 9e0d7b8 Merge pull request #3905 from github/update-v4.35.5-d4b485515
• 6d7d599 Add changelog entry for #3899
• 51f7e38 Update changelog for v4.35.5
• d4b4855 Merge pull request #3899 from github/mbg/esbuild/split
• 127de81 Merge remote-tracking branch 'origin/main' into mbg/esbuild/split
• 7fde13f Use src + basename in header to avoid issues on Windows
• dfa61e7 Improve pattern matching and error handling
• 52aafec Import and call runWrapper normally in analyze tests
• 0d08c01 Auto-generate shared bundle
• 14085a6 Auto-generate entry points
• Additional commits viewable in compare view

Updates actions/cache from 4.2.0 to 5.0.5

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in actions/cache#1747

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

What's Changed

• Add release instructions and update maintainer docs by @​Link- in actions/cache#1696
• Potential fix for code scanning alert no. 52: Workflow does not contain permissions by @​Link- in actions/cache#1697
• Fix workflow permissions and cleanup workflow names / formatting by @​Link- in actions/cache#1699
• docs: Update examples to use the latest version by @​XZTDean in actions/cache#1690
• Fix proxy integration tests by @​Link- in actions/cache#1701
• Fix cache key in examples.md for bun.lock by @​RyPeck in actions/cache#1722
• Update dependencies & patch security vulnerabilities by @​Link- in actions/cache#1738

New Contributors

• @​XZTDean made their first contribution in actions/cache#1690
• @​RyPeck made their first contribution in actions/cache#1722

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v.5.0.2

v5.0.2

What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

v5.0.1

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

---

v5.0.1

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

• 27d5ce7 Merge pull request #1747 from actions/yacaovsnc/update-dependency
• f280785 licensed changes
• 619aeb1 npm run build generated dist files
• bcf16c2 Update ts-http-runtime to 0.3.5
• 6682284 Merge pull request #1738 from actions/prepare-v5.0.4
• e340396 Update RELEASES
• 8a67110 Add licenses
• 1865903 Update dependencies & patch security vulnerabilities
• 5656298 Merge pull request #1722 from RyPeck/patch-1
• 4e380d1 Fix cache key in examples.md for bun.lock
• Additional commits viewable in compare view

[github-actions]

Benchstat (Other)

Base: 2603e3b18151d31770bd0c1a43f16e00c98e99b5
Head: c88f8459a14070a9fdff0d8ead0e168b665e577c

⚠️ 1 regression(s) detected (threshold: >5%)

Benchmark	Base	Head	Change	p-value
InsertionOfConfigsWithProperties-4	2.789m	3.100m	+11.15% 🔴	0.009

Failed: 1 benchmark(s) regressed by more than 5%:
InsertionOfConfigsWithProperties-4: 2.789m -> 3.100m (+11.15%)

Full benchstat output

goos: linux
goarch: amd64
pkg: github.com/flanksource/duty/bench
cpu: Intel(R) Xeon(R) Platinum 8370C CPU @ 2.80GHz
                                                       │ bench-base.txt │            bench-head.txt            │
                                                       │     sec/op     │    sec/op      vs base               │
InsertionForRowsWithAliases/external_users.aliases-4      407.4µ ±   5%   409.5µ ±   9%        ~ (p=1.000 n=6)
InsertionForRowsWithAliases/config_items.external_id-4    926.6µ ±  16%   917.1µ ±  17%        ~ (p=0.937 n=6)
InsertionOfConfigsWithProperties-4                        2.789m ±   1%   3.100m ±  10%  +11.15% (p=0.009 n=6)
UpdateOfConfigsWithProperties-4                           5.707m ±   1%   5.677m ±   2%        ~ (p=0.310 n=6)
ResourceSelectorConfigs/name-4                            161.6µ ±   6%   159.4µ ±   5%        ~ (p=0.310 n=6)
ResourceSelectorConfigs/name_and_type-4                   181.6µ ±   3%   180.4µ ±   3%        ~ (p=0.485 n=6)
ResourceSelectorConfigs/tags-4                            31.46m ± 153%   31.01m ± 159%        ~ (p=0.240 n=6)
ResourceSelectorQueryBuild/name-4                         41.40µ ±   0%   41.40µ ±   1%        ~ (p=0.937 n=6)
ResourceSelectorQueryBuild/name_and_type-4                62.01µ ±   7%   62.04µ ±   4%        ~ (p=0.937 n=6)
ResourceSelectorQueryBuild/tags-4                         15.74µ ±   1%   15.74µ ±   3%        ~ (p=0.905 n=6)
geomean                                                   431.6µ          434.2µ          +0.61%

[github-actions]

Benchstat (RLS)

Base: 2603e3b18151d31770bd0c1a43f16e00c98e99b5
Head: c88f8459a14070a9fdff0d8ead0e168b665e577c

⚠️ 5 regression(s) detected (threshold: >5%)

Benchmark	Base	Head	Change	p-value
RLS/Sample-15000/config_names/Without_RLS-4	13.65m	15.00m	+9.87% 🔴	0.002
RLS/Sample-15000/config_summary/Without_RLS-4	97.15m	101.44m	+4.41%	0.002
RLS/Sample-15000/configs/Without_RLS-4	7.971m	8.109m	+1.72%	0.002
RLS/Sample-15000/config_summary/With_RLS-4	705.0m	715.0m	+1.42%	0.002
RLS/Sample-15000/configs/With_RLS-4	135.5m	136.3m	+0.55%	0.015

✅ 4 improvement(s)

Benchmark	Base	Head	Change	p-value
RLS/Sample-15000/config_classes/With_RLS-4	139.1m	134.0m	-3.62%	0.002
RLS/Sample-15000/config_detail/Without_RLS-4	4.843m	4.744m	-2.06%	0.002
RLS/Sample-15000/catalog_changes/With_RLS-4	145.1m	143.4m	-1.17%	0.002
RLS/Sample-15000/config_changes/With_RLS-4	144.6m	143.8m	-0.53%	0.026

Failed: 1 benchmark(s) regressed by more than 5%:
RLS/Sample-15000/config_names/Without_RLS-4: 13.65m -> 15.00m (+9.87%)

Full benchstat output

goos: linux
goarch: amd64
pkg: github.com/flanksource/duty/bench
cpu: AMD EPYC 7763 64-Core Processor                
                                               │ bench-base.txt │           bench-head.txt           │
                                               │     sec/op     │    sec/op     vs base              │
RLS/Sample-15000/catalog_changes/Without_RLS-4      5.337m ± 1%    5.329m ± 1%       ~ (p=0.699 n=6)
RLS/Sample-15000/catalog_changes/With_RLS-4         145.1m ± 1%    143.4m ± 0%  -1.17% (p=0.002 n=6)
RLS/Sample-15000/config_changes/Without_RLS-4       5.292m ± 2%    5.318m ± 1%       ~ (p=0.937 n=6)
RLS/Sample-15000/config_changes/With_RLS-4          144.6m ± 2%    143.8m ± 0%  -0.53% (p=0.026 n=6)
RLS/Sample-15000/config_detail/Without_RLS-4        4.843m ± 1%    4.744m ± 1%  -2.06% (p=0.002 n=6)
RLS/Sample-15000/config_detail/With_RLS-4           137.9m ± 2%    137.3m ± 0%       ~ (p=0.132 n=6)
RLS/Sample-15000/config_names/Without_RLS-4         13.65m ± 1%    15.00m ± 3%  +9.87% (p=0.002 n=6)
RLS/Sample-15000/config_names/With_RLS-4            139.6m ± 1%    139.9m ± 0%       ~ (p=0.818 n=6)
RLS/Sample-15000/config_summary/Without_RLS-4       97.15m ± 1%   101.44m ± 2%  +4.41% (p=0.002 n=6)
RLS/Sample-15000/config_summary/With_RLS-4          705.0m ± 1%    715.0m ± 1%  +1.42% (p=0.002 n=6)
RLS/Sample-15000/configs/Without_RLS-4              7.971m ± 1%    8.109m ± 3%  +1.72% (p=0.002 n=6)
RLS/Sample-15000/configs/With_RLS-4                 135.5m ± 1%    136.3m ± 1%  +0.55% (p=0.015 n=6)
RLS/Sample-15000/analysis_types/Without_RLS-4       3.937m ± 1%    3.946m ± 2%       ~ (p=0.240 n=6)
RLS/Sample-15000/analysis_types/With_RLS-4          4.005m ± 2%    3.964m ± 4%       ~ (p=0.065 n=6)
RLS/Sample-15000/analyzer_types/Without_RLS-4       3.790m ± 2%    3.753m ± 1%       ~ (p=0.310 n=6)
RLS/Sample-15000/analyzer_types/With_RLS-4          3.808m ± 1%    3.796m ± 1%       ~ (p=0.589 n=6)
RLS/Sample-15000/change_types/Without_RLS-4         5.312m ± 1%    5.287m ± 1%       ~ (p=0.699 n=6)
RLS/Sample-15000/change_types/With_RLS-4            5.397m ± 2%    5.348m ± 5%       ~ (p=0.240 n=6)
RLS/Sample-15000/config_classes/Without_RLS-4       4.143m ± 1%    4.140m ± 1%       ~ (p=0.818 n=6)
RLS/Sample-15000/config_classes/With_RLS-4          139.1m ± 1%    134.0m ± 0%  -3.62% (p=0.002 n=6)
RLS/Sample-15000/config_types/Without_RLS-4         4.774m ± 0%    4.764m ± 1%       ~ (p=0.589 n=6)
RLS/Sample-15000/config_types/With_RLS-4            139.3m ± 1%    137.5m ± 2%       ~ (p=0.065 n=6)
geomean                                             21.12m         21.17m       +0.23%

[github-actions]

Gavel results

Gavel exited with code .

View full results

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.