build(deps): bump the github-actions group with 5 updates

[dependabot]

Bumps the github-actions group with 5 updates:

Package	From	To
taiki-e/install-action	2.75.10	2.75.18
taiki-e/upload-rust-binary-action	1.30.0	1.30.2
github/codeql-action	4.35.1	4.35.2
devcontainers/ci	0.3.1900000417	0.3.1900000449
astral-sh/setup-uv	8.0.0	8.1.0

Updates taiki-e/install-action from 2.75.10 to 2.75.18

Release notes

Sourced from taiki-e/install-action's releases.

2.75.18

• Update vacuum@latest to 0.26.1.

• Update wasm-tools@latest to 1.247.0.

• Update mise@latest to 2026.4.16.

• Update espup@latest to 0.17.1.

• Update trivy@latest to 0.70.0.

2.75.17

• Update tombi@latest to 0.9.18.

• Update mise@latest to 2026.4.15.

2.75.16

• Update uv@latest to 0.11.7.

• Update mise@latest to 2026.4.14.

• Update vacuum@latest to 0.25.9.

• Update cargo-machete@latest to 0.9.2.

• Update cargo-deny@latest to 0.19.4.

2.75.15

• Update cargo-nextest@latest to 0.9.133.

• Update biome@latest to 2.4.12.

2.75.14

• Implement potential workaround for windows-11-arm runner bug which sometimes causes installation failure.

  The issue where this bug affected the startup of bash was addressed in 2.71.2, but we received a report that the same problem seems to occur when starting other commands as well.

• Update cargo-deny@latest to 0.19.2.

2.75.13

• Update zizmor@latest to 1.24.1.

2.75.12

• Update typos@latest to 1.45.1.

• Update cargo-xwin@latest to 0.21.5.

• Update cargo-binstall@latest to 1.18.1.

2.75.11

... (truncated)

Changelog

Sourced from taiki-e/install-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

This project adheres to Semantic Versioning.

[Unreleased]

• Update mise@latest to 2026.4.20.

[2.75.22] - 2026-04-25

• Update tombi@latest to 0.9.22.

• Update biome@latest to 2.4.13.

[2.75.21] - 2026-04-24

• Update mise@latest to 2026.4.19.

• Update tombi@latest to 0.9.21.

• Update syft@latest to 1.43.0.

[2.75.20] - 2026-04-23

• Update prek@latest to 0.3.10.

• Update cargo-xwin@latest to 0.22.0.

[2.75.19] - 2026-04-21

• Update wasmtime@latest to 44.0.0.

• Update tombi@latest to 0.9.20.

• Update martin@latest to 1.6.0.

• Update just@latest to 1.50.0.

• Update mise@latest to 2026.4.18.

• Update rclone@latest to 1.73.5.

[2.75.18] - 2026-04-19

... (truncated)

Commits

• 055f5df Release 2.75.18
• eabf603 Add note about unset
• 4637b48 Early handle inputs
• 7a6306e Update vacuum@latest to 0.26.1
• cb13f5e Update mise manifest
• 18cc1a4 Update wasm-tools@latest to 1.247.0
• c7b0507 Update mise@latest to 2026.4.16
• 0ef4e76 Update espup@latest to 0.17.1
• 56ec35f Update trivy@latest to 0.70.0
• 6874db1 Update vacuum manifest
• Additional commits viewable in compare view

Updates taiki-e/upload-rust-binary-action from 1.30.0 to 1.30.2

Release notes

Sourced from taiki-e/upload-rust-binary-action's releases.

1.30.2

• Enhance security when dry-run is true.

1.30.1

• Enhance security against supply chain attacks.

Changelog

Sourced from taiki-e/upload-rust-binary-action's changelog.

Changelog

All notable changes to this project will be documented in this file.

This project adheres to Semantic Versioning.

[Unreleased]

[1.30.2] - 2026-04-17

• Enhance security when dry-run is true.

[1.30.1] - 2026-04-17

• Enhance security against supply chain attacks.

[1.30.0] - 2026-04-04

• upload-rust-binary-action no longer requires token input. This action now uses ${{ github.token }} as the default token, like actions/checkout does.

• Support trailing comma in bin, package, include, asset, and checksum input options.

• Documentation improvements.

[1.29.1] - 2026-03-18

• Fix missing default value for all-features causing build errors. (#114, thanks @​ftnfurina)

[1.29.0] - 2026-03-17

• Add all-features and workspace input options. (#112)

• Accept whitespace or comma separated list in package input option. (#112)

[1.28.1] - 2026-03-08

• Avoid triggering zizmor ref-confusion when using this action in form of uses: taiki-e/upload-rust-binary-action@v1.

[1.28.0] - 2026-02-11

• bin, checksum, include, and asset input options now support whitespace (space, tab, and line) or comma separated list. Previously, only comma-separated list was supported. (#111)

• Enable release immutability.

[1.27.0] - 2025-06-14

... (truncated)

Commits

• f0d45ae Release 1.30.2
• 253eddb Update changelog
• c143fca Do not set tokens if dry-run
• 92dc87a Release 1.30.1
• f5780c3 ci: Update config
• 2008505 Early unset tokens from env
• 489d4ef Update scripts and CI config
• c07b1fd Update readme
• See full diff in compare view

Updates github/codeql-action from 4.35.1 to 4.35.2

Release notes

Sourced from github/codeql-action's releases.

v4.35.2

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.35.2 - 15 Apr 2026

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

4.34.1 - 20 Mar 2026

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
• Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

... (truncated)

Commits

• 95e58e9 Merge pull request #3824 from github/update-v4.35.2-d2e135a73
• 6f31bfe Update changelog for v4.35.2
• d2e135a Merge pull request #3823 from github/update-bundle/codeql-bundle-v2.25.2
• 60abb65 Add changelog note
• 5a0a562 Update default bundle to codeql-bundle-v2.25.2
• 6521697 Merge pull request #3820 from github/dependabot/github_actions/dot-github/wor...
• 3c45af2 Merge pull request #3821 from github/dependabot/npm_and_yarn/npm-minor-345b93...
• f1c3393 Rebuild
• 1024fc4 Rebuild
• 9dd4cfe Bump the npm-minor group across 1 directory with 6 updates
• Additional commits viewable in compare view

Updates devcontainers/ci from 0.3.1900000417 to 0.3.1900000449

Release notes

Sourced from devcontainers/ci's releases.

Release v0.3.1900000449

What's Changed

• Remove compiled JS content by @​stuartleeks in devcontainers/ci#210
• Retain run-main.js/run-post.js by @​stuartleeks in devcontainers/ci#213
• Update tag to use generated version number by @​stuartleeks in devcontainers/ci#214
• Workflow tidying by @​stuartleeks in devcontainers/ci#216
• Add missing 'v' prefix on release/tag by @​stuartleeks in devcontainers/ci#217
• Update docs to point to v0.3 release by @​stuartleeks in devcontainers/ci#218
• Pass env vars to devcontainer up by @​stuartleeks in devcontainers/ci#211
• Re-enable running subset of tests in forks by @​stuartleeks in devcontainers/ci#220
• re-enable test platform_with_runCmd by @​stuartleeks in devcontainers/ci#203
• Add noCache option by @​trxcllnt in devcontainers/ci#199
• Add additionalMounts for GitHub Action Output Mount by @​andar1an in devcontainers/ci#219
• Update checks action to remove NodeJS version warning by @​stuartleeks in devcontainers/ci#228
• Revert to latest version of tfx-cli by @​stuartleeks in devcontainers/ci#227
• Update to run 'devcontainer exec' without JSON parsing output by @​stuartleeks in devcontainers/ci#226
• Use version 0 to allow for breaking CLI changes in the future. by @​chrmarti in devcontainers/ci#229
• gh: refactor community files by @​SauravMaheshkar in devcontainers/ci#222
• Fix a typo in azdo-task/README.md by @​jiedxu in devcontainers/ci#245
• Update golang for CG by @​chrmarti in devcontainers/ci#260
• Update Debian, go tools, Node, NPM package by @​chrmarti in devcontainers/ci#263
• Bump @​babel/traverse from 7.18.2 to 7.23.2 in /.github/scripts by @​dependabot[bot] in devcontainers/ci#261
• Bump json5 from 2.2.1 to 2.2.3 in /.github/scripts by @​dependabot[bot] in devcontainers/ci#264
• Bump semver from 6.3.0 to 6.3.1 in /.github/scripts by @​dependabot[bot] in devcontainers/ci#266
• Fix scripts by @​chrmarti in devcontainers/ci#265
• Update azure-pipelines-task-lib to avoid security issue in dependency by @​chrmarti in devcontainers/ci#267
• Add configFile option by @​chrmarti in devcontainers/ci#269
• Ignore spaces by @​chrmarti in devcontainers/ci#280
• Add workflow permissions by @​chrmarti in devcontainers/ci#282
• Update QEMU and Buildx steps to resolve Node 16 deprecation warning by @​korverdev in devcontainers/ci#283
• Find Windows executable by @​chrmarti in devcontainers/ci#288
• add inheritEnv action parameter by @​OmarTawfik in devcontainers/ci#295
• Fix permissions by @​chrmarti in devcontainers/ci#297
• Fix permissions by @​chrmarti in devcontainers/ci#298
• Docs: github-action.md: fix wording by @​lolmaus in devcontainers/ci#296
• Add cacheTo argument to ci action by @​sebst in devcontainers/ci#300
• Fix CI by @​chrmarti in devcontainers/ci#308
• Fix CI by @​chrmarti in devcontainers/ci#327
• Bump actions/setup-node from 3 to 4 by @​dependabot[bot] in devcontainers/ci#309
• Bump ghcr.io/devcontainers/features/github-cli from 1.0.11 to 1.0.13 by @​dependabot[bot] in devcontainers/ci#310
• Bump LouisBrunner/checks-action from 1.1.1 to 2.0.0 by @​dependabot[bot] in devcontainers/ci#311
• Bump github/codeql-action from 2 to 3 by @​dependabot[bot] in devcontainers/ci#312
• Bump docker/login-action from 2 to 3 by @​dependabot[bot] in devcontainers/ci#313
• Bump actions/github-script from 6 to 7 by @​dependabot[bot] in devcontainers/ci#314
• Update dependencies by @​chrmarti in devcontainers/ci#328
• Fix AzDO task by @​chrmarti in devcontainers/ci#329
• fix: don't group the actual running of the commands by @​ffMathy in devcontainers/ci#272
• Add note on JIT by @​chrmarti in devcontainers/ci#330
• Fix formatting by @​chrmarti in devcontainers/ci#331
• Update dependencies by @​chrmarti in devcontainers/ci#332

... (truncated)

Commits

• b63b30d release
• ec57048 Comment out AzDO
• dc6d224 Also skip AzDO testing
• 6a9044f Add "Publish the AzDO extension" input
• 71daba9 Merge pull request #438 from Kaniska244/node-upgrade
• b9439a7 Update docker version in test
• 044ddd4 Update go 1.25 for test
• 4f8435d Update debian-12 to debian12 latest base image
• 23d59d3 Update image reference
• 912d727 Node 24 update
• Additional commits viewable in compare view

Updates astral-sh/setup-uv from 8.0.0 to 8.1.0

Release notes

Sourced from astral-sh/setup-uv's releases.

v8.1.0 🌈 New input no-project

Changes

This add the a new boolean input no-project. It only makes sense to use in combination with activate-environment: true and will append --no project to the uv venv call. This is for example useful if you have a pyproject.toml file with parts unparseable by uv

🚀 Enhancements

• Add input no-project in combination with activate-environment @​eifinger (#856)

🧰 Maintenance

• fix: grant contents:write to validate-release job @​eifinger (#860)
• Add a release-gate step to the release workflow @​zanieb (#859)
• Draft commitish releases @​eifinger (#858)
• Add action-types.yml to instructions @​eifinger (#857)
• chore: update known checksums for 0.11.7 @github-actions[bot] (#853)
• Refactor version resolving @​eifinger (#852)
• chore: update known checksums for 0.11.6 @github-actions[bot] (#850)
• chore: update known checksums for 0.11.5 @github-actions[bot] (#845)
• chore: update known checksums for 0.11.4 @github-actions[bot] (#843)
• Add a release workflow @​zanieb (#839)
• chore: update known checksums for 0.11.3 @github-actions[bot] (#836)

📚 Documentation

• Update ignore-nothing-to-cache documentation @​eifinger (#833)
• Pin setup-uv docs to v8 @​eifinger (#829)

⬆️ Dependency updates

• chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 @dependabot[bot] (#855)

Commits

• 0880764 fix: grant contents:write to validate-release job (#860)
• 717d6ab Add a release-gate step to the release workflow (#859)
• 5a911eb Draft commitish releases (#858)
• 080c31e Add action-types.yml to instructions (#857)
• b3e97d2 Add input no-project in combination with activate-environment (#856)
• 7dd591d chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 (#855)
• 1541b77 chore: update known checksums for 0.11.7 (#853)
• cdfb2ee Refactor version resolving (#852)
• cb84d12 chore: update known checksums for 0.11.6 (#850)
• 1912cc6 chore: update known checksums for 0.11.5 (#845)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Test Results

    5 files     40 suites   16m 14s ⏱️
2 472 tests 2 472 ✅ 0 💤 0 ❌
7 685 runs  7 685 ✅ 0 💤 0 ❌

Results for commit cd7c1d2.

[github-actions]

Performance Benchmark Report

Benchmark name	Baseline (μs)	Test/PR (μs)	Delta (μs)	Delta %
clone_shell_object	17.26 μs	17.60 μs	0.33 μs	🟠 +1.93%
eval_arithmetic	0.15 μs	0.15 μs	0.00 μs	⚪ Unchanged
expand_one_string	1.53 μs	1.53 μs	-0.00 μs	⚪ Unchanged
for_loop	29.38 μs	29.17 μs	-0.21 μs	⚪ Unchanged
full_peg_complex	57.90 μs	58.12 μs	0.22 μs	⚪ Unchanged
full_peg_for_loop	6.21 μs	6.21 μs	-0.00 μs	⚪ Unchanged
full_peg_nested_expansions	16.29 μs	16.33 μs	0.04 μs	⚪ Unchanged
full_peg_pipeline	4.16 μs	4.27 μs	0.12 μs	🟠 +2.77%
full_peg_simple	1.77 μs	1.78 μs	0.01 μs	⚪ Unchanged
function_call	3.33 μs	3.21 μs	-0.12 μs	⚪ Unchanged
instantiate_shell	53.64 μs	53.42 μs	-0.22 μs	⚪ Unchanged
instantiate_shell_with_init_scripts	27201.99 μs	25669.70 μs	-1532.29 μs	🟢 -5.63%
parse_peg_bash_completion	2078.29 μs	2079.03 μs	0.74 μs	⚪ Unchanged
parse_peg_complex	20.55 μs	20.48 μs	-0.06 μs	⚪ Unchanged
parse_peg_for_loop	2.01 μs	2.00 μs	-0.00 μs	⚪ Unchanged
parse_peg_pipeline	2.12 μs	2.17 μs	0.06 μs	🟠 +2.65%
parse_peg_simple	1.10 μs	1.12 μs	0.01 μs	⚪ Unchanged
run_echo_builtin_command	17.16 μs	17.02 μs	-0.13 μs	⚪ Unchanged
tokenize_sample_script	3.44 μs	3.43 μs	-0.01 μs	⚪ Unchanged

Code Coverage Report: Only Changed Files listed

Package	Base Coverage	New Coverage	Difference
Overall Coverage	🟢 26.17%	🟢 26.17%	⚪ 0%

Minimum allowed coverage is 20%, this run produced 26.17%

Test Summary: bash-completion test suite

Outcome	Count	Percentage
✅ Pass	1578	74.82
❗️ Error	22	1.04
❌ Fail	155	7.35
⏩ Skip	339	16.07
❎ Expected Fail	13	0.62
✔️ Unexpected Pass	2	0.09
📊 Total	2109	100.00