[llvm] Update [Github] Update GHA Dependencies (major) (PR #161108)

Sun Sep 28 17:05:32 PDT 2025

llvmbot wrote:




@llvm/pr-subscribers-github-workflow

Author: Mend Renovate (renovate-bot)

<details>
<summary>Changes</summary>

This PR contains the following updates:

| Package | Type | Update | Change | Pending |
|---|---|---|---|---|
| [actions/attest-build-provenance](https://redirect.github.com/actions/attest-build-provenance) | action | major | `v1.0.0` -> `v3.0.0` |  |
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | major | `v4.1.1` -> `v5.0.0` |  |
| [actions/github-script](https://redirect.github.com/actions/github-script) | action | major | `v7.0.1` -> `v8.0.0` |  |
| [actions/github-script](https://redirect.github.com/actions/github-script) | action | major | `v6.4.1` -> `v8.0.0` |  |
| [actions/labeler](https://redirect.github.com/actions/labeler) | action | major | `v4.3.0` -> `v6.0.1` |  |
| [actions/setup-node](https://redirect.github.com/actions/setup-node) | action | major | `v4.2.0` -> `v5.0.0` |  |
| [actions/setup-python](https://redirect.github.com/actions/setup-python) | action | major | `v5.4.0` -> `v6.0.0` |  |
| [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | major | `v2.20.6` -> `v3.30.4` | `v3.30.5` |
| [macos](https://redirect.github.com/actions/runner-images) | github-runner | major | `14` -> `15` |  |
| [node](https://redirect.github.com/actions/node-versions) | uses-with | major | `18` -> `22` |  |
| [tj-actions/changed-files](https://redirect.github.com/tj-actions/changed-files) | action | major | `v46.0.5` -> `v47.0.0` |  |
| [windows](https://redirect.github.com/actions/runner-images) | github-runner | major | `2022` -> `2025` |  |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/attest-build-provenance (actions/attest-build-provenance)</summary>

### [`v3.0.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v3.0.0)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v2.4.0...v3.0.0)

#### What's Changed

- Adjust node max-http-header-size setting by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;687](https://redirect.github.com/actions/attest-build-provenance/pull/687)
- Bump actions/attest from v2.4.0 to [v3.0.0](https://redirect.github.com/actions/attest/releases/tag/v3.0.0) by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;691](https://redirect.github.com/actions/attest-build-provenance/pull/691)
  - Bump to node24 runtime
  - Improved checksum parsing
- Bump attest-build-provenance/predicate to v2.0.0 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;693](https://redirect.github.com/actions/attest-build-provenance/pull/693)
  - Bump to node24 runtime by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;692](https://redirect.github.com/actions/attest-build-provenance/pull/692)

#### ⚠️ Minimum Compatible Runner Version

v2.327.1
[Release Notes](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)

Make sure your runner is updated to this version or newer to use this release.

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v2.4.0...v3.0.0>

### [`v2.4.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v2.4.0)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v2.3.0...v2.4.0)

##### What's Changed

- Bump undici from 5.28.5 to 5.29.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;633](https://redirect.github.com/actions/attest-build-provenance/pull/633)
- Bump actions/attest from 2.3.0 to [2.4.0](https://redirect.github.com/actions/attest/releases/tag/v2.4.0) by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;654](https://redirect.github.com/actions/attest-build-provenance/pull/654)
  - Includes support for the new well-known summary file which will accumulate paths to all attestations generated in a given workflow run

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v2.3.0...v2.4.0>

### [`v2.3.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v2.3.0)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v2.2.3...v2.3.0)

##### What's Changed

- Bump `actions/attest` from 2.2.1 to 2.3.0 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;615](https://redirect.github.com/actions/attest-build-provenance/pull/615)
  - Updates `@sigstore/oci` from 0.4.0 to 0.5.0

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v2.2.3...v2.3.0>

### [`v2.2.3`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v2.2.3)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v2.2.2...v2.2.3)

##### What's Changed

- Pin actions/attest reference by commit SHA by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;493](https://redirect.github.com/actions/attest-build-provenance/pull/493)

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v2.2.2...v2.2.3>

### [`v2.2.2`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v2.2.2)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v2.2.1...v2.2.2)

##### What's Changed

- Bump predicate action from 1.1.4 to 1.1.5 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;485](https://redirect.github.com/actions/attest-build-provenance/pull/485)
  - Bump [@&#8203;actions/attest](https://redirect.github.com/actions/attest) from 1.5.0 to 1.6.0 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;484](https://redirect.github.com/actions/attest-build-provenance/pull/484)
    - Update buildSLSAProvenancePredicate to populate `workflow.ref` field from the `ref` claim in the OIDC token ([actions/toolkit#1969](https://redirect.github.com/actions/toolkit/pull/1969))

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v2.2.1...v2.2.2>

### [`v2.2.1`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v2.2.1)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v2.2.0...v2.2.1)

##### What's Changed

- Bump undici from 5.28.4 to 5.28.5 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;457](https://redirect.github.com/actions/attest-build-provenance/pull/457)
- Bump [@&#8203;octokit/request-error](https://redirect.github.com/octokit/request-error) from 5.0.1 to 5.1.1 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;469](https://redirect.github.com/actions/attest-build-provenance/pull/469)
- Bump [@&#8203;octokit/request](https://redirect.github.com/octokit/request) from 8.2.0 to 8.4.1 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;478](https://redirect.github.com/actions/attest-build-provenance/pull/478)
- Bump actions/attest from 2.2.0 to 2.2.1 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;481](https://redirect.github.com/actions/attest-build-provenance/pull/481)
  - Includes `@actions/attest` [v1.6.0](https://redirect.github.com/actions/toolkit/blob/main/packages/attest/RELEASES.md#160)

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v2.2.0...v2.2.1>

### [`v2.2.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v2.2.0)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v2.1.0...v2.2.0)

##### What's Changed

- Bump actions/attest from v2.1.0 to v2.2.0 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;449](https://redirect.github.com/actions/attest-build-provenance/pull/449)
  - Includes support for now `subject-checksums` input parameter

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v2.1.0...v2.2.0>

### [`v2.1.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v2.1.0)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v2.0.1...v2.1.0)

##### What's Changed

- Update README w/ note about GH plans supporting attestations by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;414](https://redirect.github.com/actions/attest-build-provenance/pull/414)
- Add `attestation-id` and `attestation-url` outputs by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;415](https://redirect.github.com/actions/attest-build-provenance/pull/415)

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v2.0.1...v2.1.0>

### [`v2.0.1`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v2.0.1)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v2.0.0...v2.0.1)

##### What's Changed

- Bump actions/attest from 2.0.0 to 2.0.1 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;406](https://redirect.github.com/actions/attest-build-provenance/pull/406)
  - Deduplicate subjects before adding to in-toto statement

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v2.0.0...v2.0.1>

### [`v2.0.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v2.0.0)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v1.4.4...v2.0.0)

The `attest-build-provenance` action now supports attesting multiple subjects simultaneously. When identifying multiple subjects with the `subject-path` input a single attestation is created with references to each of the supplied subjects, rather than generating separate attestations for each artifact. This reduces the number of attestations that you need to create and manage.

##### What's Changed

- Bump cross-spawn from 7.0.3 to 7.0.6 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;319](https://redirect.github.com/actions/attest-build-provenance/pull/319)
- Prepare v2.0.0 release by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;321](https://redirect.github.com/actions/attest-build-provenance/pull/321)
  - Bump `actions/attest` from 1.4.1 to 2.0.0 (w/ multi-subject attestation support)

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v1.4.4...v2.0.0>

### [`v1.4.4`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v1.4.4)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v1.4.3...v1.4.4)

##### What's Changed

- Bump predicate action from 1.1.3 to 1.1.4 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;310](https://redirect.github.com/actions/attest-build-provenance/pull/310)
  - Bump [@&#8203;actions/core](https://redirect.github.com/actions/core) from 1.10.1 to 1.11.1 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;275](https://redirect.github.com/actions/attest-build-provenance/pull/275)
  - Bump [@&#8203;actions/attest](https://redirect.github.com/actions/attest) from 1.4.2 to 1.5.0 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;309](https://redirect.github.com/actions/attest-build-provenance/pull/309)
    - Fix SLSA provenance bug related to `workflow_ref` OIDC token claims containing the "@&#8203;" symbol in the tag name ([actions/toolkit#1863](https://redirect.github.com/actions/toolkit/pull/1863))

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v1.4.3...v1.4.4>

### [`v1.4.3`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v1.4.3)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v1.4.2...v1.4.3)

##### What's Changed

- Bump predicate from 1.1.2 to 1.1.3 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;226](https://redirect.github.com/actions/attest-build-provenance/pull/226)
  - Bump [@&#8203;actions/attest](https://redirect.github.com/actions/attest) from 1.3.1 to 1.4.1 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;212](https://redirect.github.com/actions/attest-build-provenance/pull/212)
  - Bump [@&#8203;actions/attest](https://redirect.github.com/actions/attest) from 1.4.1 to 1.4.2 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;225](https://redirect.github.com/actions/attest-build-provenance/pull/225)
  - Fix bug w/ customized OIDC issuer URL for enterprise accounts ([#&#8203;222](https://redirect.github.com/actions/attest-build-provenance/issues/222))

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v1.4.2...v1.4.3>

### [`v1.4.2`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v1.4.2)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v1.4.1...v1.4.2)

##### What's Changed

- Bump actions/attest from 1.4.0 to 1.4.1 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;209](https://redirect.github.com/actions/attest-build-provenance/pull/209)
  - Includes bug fix for issue with authenticated proxies ([actions/toolkit#1798](https://redirect.github.com/actions/toolkit/issues/1798))

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v1.4.1...v1.4.2>

### [`v1.4.1`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v1.4.1)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v1.4.0...v1.4.1)

##### What's Changed

- Update predicate action to 1.1.2 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;197](https://redirect.github.com/actions/attest-build-provenance/pull/197)
  - Dynamic construction of oidc issuer by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;195](https://redirect.github.com/actions/attest-build-provenance/pull/195)

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v1.4.0...v1.4.1>

### [`v1.4.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v1.4.0)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v1.3.3...v1.4.0)

##### What's Changed

- Bump predicate action from 1.1.0 to 1.1.1 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;182](https://redirect.github.com/actions/attest-build-provenance/pull/182)
  - Fix for JWKS proxy bug
- Bump actions/attest from 1.3.3 to 1.4.0 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;183](https://redirect.github.com/actions/attest-build-provenance/pull/183)
  - Add `show-summary` input
  - Format summary output as list

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v1.3.3...v1.4.0>

### [`v1.3.3`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v1.3.3)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v1.3.2...v1.3.3)

##### What's Changed

- Bump actions/attest from 1.3.2 to 1.3.3 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;152](https://redirect.github.com/actions/attest-build-provenance/pull/152)
  - Bugfix for properly handling glob exclusion patterns in `subject-path` input

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v1.3.2...v1.3.3>

### [`v1.3.2`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v1.3.2)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v1.3.1...v1.3.2)

##### What's Changed

- Bump actions/attest from 1.3.1 to 1.3.2 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;123](https://redirect.github.com/actions/attest-build-provenance/pull/123)
  - Increase timeout for OCI operations

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v1.3.1...v1.3.2>

### [`v1.3.1`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v1.3.1)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v1.3.0...v1.3.1)

##### What's Changed

- Bump actions/attest from 1.3.0 to 1.3.1 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;117](https://redirect.github.com/actions/attest-build-provenance/pull/117)
  - Bugfix when detecting support for the referrers API with OCI registries

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v1.3.0...v1.3.1>

### [`v1.3.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v1.3.0)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v1.2.0...v1.3.0)

##### What's Changed

- Bump actions/attest-build-provenance/predicate from 1.0.0 to 1.1.0 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;116](https://redirect.github.com/actions/attest-build-provenance/pull/116)
  - Switch to new GH provenance [build type](https://actions.github.io/buildtypes/workflow/v1)
- Bump actions/attest from 1.2.0 to 1.3.0 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;116](https://redirect.github.com/actions/attest-build-provenance/pull/116)
  - Dynamic construction of GitHub API URLs based on GITHUB\_SERVER\_URL
  - Improved handling of Rekor 409 responses
  - Bugfix - detection of registries with support for the OCI referrers API

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v1.2.0...v1.3.0>

### [`v1.2.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v1.2.0)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v1.1.2...v1.2.0)

##### What's Changed

- Bump actions/attest from 1.1.2 to 1.2.0 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;101](https://redirect.github.com/actions/attest-build-provenance/pull/101)
  - Batch processing w/ exponential backoff
  - Bugfix when pushing attestation to OCI registry

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v1.1.2...v1.2.0>

### [`v1.1.2`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v1.1.2)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v1.1.1...v1.1.2)

##### What's Changed

- Bump actions/attest from 1.1.1 to 1.1.2 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;79](https://redirect.github.com/actions/attest-build-provenance/pull/79)
  - Downcase subject name for OCI images
  - Fix accept header when retrieving image manifest
  - Support variants of the Docker Hub registry name

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v1.1.1...v1.1.2>

### [`v1.1.1`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v1.1.1)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v1.1.0...v1.1.1)

##### What's Changed

- Bump actions/attest from v1.1.0 to v1.1.1 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;67](https://redirect.github.com/actions/attest-build-provenance/pull/67)
  - Bump [@&#8203;sigstore/sign](https://redirect.github.com/sigstore/sign) from 2.3.0 to 2.3.1
  - Bump [@&#8203;sigstore/oci](https://redirect.github.com/sigstore/oci) from 0.3.0 to 0.3.2
  - Include more detail in error logging
  - Send API errors to GHA debug log
  - Fix bug preventing failed API requests from being retried

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v1.1.0...v1.1.1>

### [`v1.1.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v1.1.0)

[Compare Source](https://redirect.github.com/actions/attest-build-provenance/compare/v1.0.0...v1.1.0)

##### What's Changed

- Bump actions/attest to v1.1.0 by [@&#8203;bdehamer](https://redirect.github.com/bdehamer) in [#&#8203;65](https://redirect.github.com/actions/attest-build-provenance/pull/65)
  - adds list support for `subjectPath` input
  - limit attestation subject count
  - ensure subject globs match only files

**Full Changelog**: <https://github.com/actions/attest-build-provenance/compare/v1.0.0...v1.1.0>

</details>

<details>
<summary>actions/checkout (actions/checkout)</summary>

### [`v5.0.0`](https://redirect.github.com/actions/checkout/releases/tag/v5.0.0)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.3.0...v5.0.0)

##### What's Changed

- Update actions checkout to use node 24 by [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in [https://github.com/actions/checkout/pull/2226](https://redirect.github.com/actions/checkout/pull/2226)
- Prepare v5.0.0 release by [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in [https://github.com/actions/checkout/pull/2238](https://redirect.github.com/actions/checkout/pull/2238)

##### ⚠️ Minimum Compatible Runner Version

**v2.327.1**\
[Release Notes](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)

Make sure your runner is updated to this version or newer to use this release.

**Full Changelog**: https://github.com/actions/checkout/compare/v4...v5.0.0

### [`v4.3.0`](https://redirect.github.com/actions/checkout/releases/tag/v4.3.0)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.2.2...v4.3.0)

##### What's Changed

- docs: update README.md by [@&#8203;motss](https://redirect.github.com/motss) in [https://github.com/actions/checkout/pull/1971](https://redirect.github.com/actions/checkout/pull/1971)
- Add internal repos for checking out multiple repositories by [@&#8203;mouismail](https://redirect.github.com/mouismail) in [https://github.com/actions/checkout/pull/1977](https://redirect.github.com/actions/checkout/pull/1977)
- Documentation update - add recommended permissions to Readme by [@&#8203;benwells](https://redirect.github.com/benwells) in [https://github.com/actions/checkout/pull/2043](https://redirect.github.com/actions/checkout/pull/2043)
- Adjust positioning of user email note and permissions heading by [@&#8203;joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/checkout/pull/2044](https://redirect.github.com/actions/checkout/pull/2044)
- Update README.md by [@&#8203;nebuk89](https://redirect.github.com/nebuk89) in [https://github.com/actions/checkout/pull/2194](https://redirect.github.com/actions/checkout/pull/2194)
- Update CODEOWNERS for actions by [@&#8203;TingluoHuang](https://redirect.github.com/TingluoHuang) in [https://github.com/actions/checkout/pull/2224](https://redirect.github.com/actions/checkout/pull/2224)
- Update package dependencies by [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in [https://github.com/actions/checkout/pull/2236](https://redirect.github.com/actions/checkout/pull/2236)
- Prepare release v4.3.0 by [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in [https://github.com/actions/checkout/pull/2237](https://redirect.github.com/actions/checkout/pull/2237)

##### New Contributors

- [@&#8203;motss](https://redirect.github.com/motss) made their first contribution in [https://github.com/actions/checkout/pull/1971](https://redirect.github.com/actions/checkout/pull/1971)
- [@&#8203;mouismail](https://redirect.github.com/mouismail) made their first contribution in [https://github.com/actions/checkout/pull/1977](https://redirect.github.com/actions/checkout/pull/1977)
- [@&#8203;benwells](https://redirect.github.com/benwells) made their first contribution in [https://github.com/actions/checkout/pull/2043](https://redirect.github.com/actions/checkout/pull/2043)
- [@&#8203;nebuk89](https://redirect.github.com/nebuk89) made their first contribution in [https://github.com/actions/checkout/pull/2194](https://redirect.github.com/actions/checkout/pull/2194)
- [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) made their first contribution in [https://github.com/actions/checkout/pull/2236](https://redirect.github.com/actions/checkout/pull/2236)

**Full Changelog**: https://github.com/actions/checkout/compare/v4...v4.3.0

### [`v4.2.2`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v422)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.2.1...v4.2.2)

- `url-helper.ts` now leverages well-known environment variables by [@&#8203;jww3](https://redirect.github.com/jww3) in [#&#8203;1941](https://redirect.github.com/actions/checkout/pull/1941)
- Expand unit test coverage for `isGhes` by [@&#8203;jww3](https://redirect.github.com/jww3) in [#&#8203;1946](https://redirect.github.com/actions/checkout/pull/1946)

### [`v4.2.1`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v421)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.2.0...v4.2.1)

- Check out other refs/\* by commit if provided, fall back to ref by [@&#8203;orhantoy](https://redirect.github.com/orhantoy) in [#&#8203;1924](https://redirect.github.com/actions/checkout/pull/1924)

### [`v4.2.0`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v420)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.7...v4.2.0)

- Add Ref and Commit outputs by [@&#8203;lucacome](https://redirect.github.com/lucacome) in [#&#8203;1180](https://redirect.github.com/actions/checkout/pull/1180)
- Dependency updates by [@&#8203;dependabot-](https://redirect.github.com/dependabot-) [#&#8203;1777](https://redirect.github.com/actions/checkout/pull/1777), [#&#8203;1872](https://redirect.github.com/actions/checkout/pull/1872)

### [`v4.1.7`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v417)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.6...v4.1.7)

- Bump the minor-npm-dependencies group across 1 directory with 4 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;1739](https://redirect.github.com/actions/checkout/pull/1739)
- Bump actions/checkout from 3 to 4 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;1697](https://redirect.github.com/actions/checkout/pull/1697)
- Check out other refs/\* by commit by [@&#8203;orhantoy](https://redirect.github.com/orhantoy) in [#&#8203;1774](https://redirect.github.com/actions/checkout/pull/1774)
- Pin actions/checkout's own workflows to a known, good, stable version. by [@&#8203;jww3](https://redirect.github.com/jww3) in [#&#8203;1776](https://redirect.github.com/actions/checkout/pull/1776)

### [`v4.1.6`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v416)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.5...v4.1.6)

- Check platform to set archive extension appropriately by [@&#8203;cory-miller](https://redirect.github.com/cory-miller) in [#&#8203;1732](https://redirect.github.com/actions/checkout/pull/1732)

### [`v4.1.5`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v415)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.4...v4.1.5)

- Update NPM dependencies by [@&#8203;cory-miller](https://redirect.github.com/cory-miller) in [#&#8203;1703](https://redirect.github.com/actions/checkout/pull/1703)
- Bump github/codeql-action from 2 to 3 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;1694](https://redirect.github.com/actions/checkout/pull/1694)
- Bump actions/setup-node from 1 to 4 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;1696](https://redirect.github.com/actions/checkout/pull/1696)
- Bump actions/upload-artifact from 2 to 4 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;1695](https://redirect.github.com/actions/checkout/pull/1695)
- README: Suggest `user.email` to be `41898282+github-actions[bot]@&#8203;users.noreply.github.com` by [@&#8203;cory-miller](https://redirect.github.com/cory-miller) in [#&#8203;1707](https://redirect.github.com/actions/checkout/pull/1707)

### [`v4.1.4`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v414)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.3...v4.1.4)

- Disable `extensions.worktreeConfig` when disabling `sparse-checkout` by [@&#8203;jww3](https://redirect.github.com/jww3) in [#&#8203;1692](https://redirect.github.com/actions/checkout/pull/1692)
- Add dependabot config by [@&#8203;cory-miller](https://redirect.github.com/cory-miller) in [#&#8203;1688](https://redirect.github.com/actions/checkout/pull/1688)
- Bump the minor-actions-dependencies group with 2 updates by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;1693](https://redirect.github.com/actions/checkout/pull/1693)
- Bump word-wrap from 1.2.3 to 1.2.5 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;1643](https://redirect.github.com/actions/checkout/pull/1643)

### [`v4.1.3`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v413)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.2...v4.1.3)

- Check git version before attempting to disable `sparse-checkout` by [@&#8203;jww3](https://redirect.github.com/jww3) in [#&#8203;1656](https://redirect.github.com/actions/checkout/pull/1656)
- Add SSH user parameter by [@&#8203;cory-miller](https://redirect.github.com/cory-miller) in [#&#8203;1685](https://redirect.github.com/actions/checkout/pull/1685)
- Update `actions/checkout` version in `update-main-version.yml` by [@&#8203;jww3](https://redirect.github.com/jww3) in [#&#8203;1650](https://redirect.github.com/actions/checkout/pull/1650)

### [`v4.1.2`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v412)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.1...v4.1.2)

- Fix: Disable sparse checkout whenever `sparse-checkout` option is not present [@&#8203;dscho](https://redirect.github.com/dscho) in [#&#8203;1598](https://redirect.github.com/actions/checkout/pull/1598)

</details>

<details>
<summary>actions/github-script (actions/github-script)</summary>

### [`v8.0.0`](https://redirect.github.com/actions/github-script/compare/v7.1.0...v8.0.0)

[Compare Source](https://redirect.github.com/actions/github-script/compare/v7.1.0...v8.0.0)

### [`v7.1.0`](https://redirect.github.com/actions/github-script/releases/tag/v7.1.0)

[Compare Source](https://redirect.github.com/actions/github-script/compare/v7.0.1...v7.1.0)

#### What's Changed

- Upgrade husky to v9 by [@&#8203;benelan](https://redirect.github.com/benelan) in [#&#8203;482](https://redirect.github.com/actions/github-script/pull/482)
- Add workflow file for publishing releases to immutable action package by [@&#8203;Jcambass](https://redirect.github.com/Jcambass) in [#&#8203;485](https://redirect.github.com/actions/github-script/pull/485)
- Upgrade IA Publish by [@&#8203;Jcambass](https://redirect.github.com/Jcambass) in [#&#8203;486](https://redirect.github.com/actions/github-script/pull/486)
- Fix workflow status badges by [@&#8203;joshmgross](https://redirect.github.com/joshmgross) in [#&#8203;497](https://redirect.github.com/actions/github-script/pull/497)
- Update usage of `actions/upload-artifact` by [@&#8203;joshmgross](https://redirect.github.com/joshmgross) in [#&#8203;512](https://redirect.github.com/actions/github-script/pull/512)
- Clear up package name confusion by [@&#8203;joshmgross](https://redirect.github.com/joshmgross) in [#&#8203;514](https://redirect.github.com/actions/github-script/pull/514)
- Update dependencies with `npm audit fix` by [@&#8203;joshmgross](https://redirect.github.com/joshmgross) in [#&#8203;515](https://redirect.github.com/actions/github-script/pull/515)
- Specify that the used script is JavaScript by [@&#8203;timotk](https://redirect.github.com/timotk) in [#&#8203;478](https://redirect.github.com/actions/github-script/pull/478)
- chore: Add Dependabot for NPM and Actions by [@&#8203;nschonni](https://redirect.github.com/nschonni) in [#&#8203;472](https://redirect.github.com/actions/github-script/pull/472)
- Define `permissions` in workflows and update actions by [@&#8203;joshmgross](https://redirect.github.com/joshmgross) in [#&#8203;531](https://redirect.github.com/actions/github-script/pull/531)
- chore: Add Dependabot for .github/actions/install-dependencies by [@&#8203;nschonni](https://redirect.github.com/nschonni) in [#&#8203;532](https://redirect.github.com/actions/github-script/pull/532)
- chore: Remove .vscode settings by [@&#8203;nschonni](https://redirect.github.com/nschonni) in [#&#8203;533](https://redirect.github.com/actions/github-script/pull/533)
- ci: Use github/setup-licensed by [@&#8203;nschonni](https://redirect.github.com/nschonni) in [#&#8203;473](https://redirect.github.com/actions/github-script/pull/473)
- make octokit instance available as octokit on top of github, to make it easier to seamlessly copy examples from GitHub rest api or octokit documentations by [@&#8203;iamstarkov](https://redirect.github.com/iamstarkov) in [#&#8203;508](https://redirect.github.com/actions/github-script/pull/508)
- Remove `octokit` README updates for v7 by [@&#8203;joshmgross](https://redirect.github.com/joshmgross) in [#&#8203;557](https://redirect.github.com/actions/github-script/pull/557)
- docs: add "exec" usage examples by [@&#8203;neilime](https://redirect.github.com/neilime) in [#&#8203;546](https://redirect.github.com/actions/github-script/pull/546)
- Bump ruby/setup-ruby from 1.213.0 to 1.222.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;563](https://redirect.github.com/actions/github-script/pull/563)
- Bump ruby/setup-ruby from 1.222.0 to 1.229.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;575](https://redirect.github.com/actions/github-script/pull/575)
- Clearly document passing inputs to the `script` by [@&#8203;joshmgross](https://redirect.github.com/joshmgross) in [#&#8203;603](https://redirect.github.com/actions/github-script/pull/603)
- Update README.md by [@&#8203;nebuk89](https://redirect.github.com/nebuk89) in [#&#8203;610](https://redirect.github.com/actions/github-script/pull/610)

#### New Contributors

- [@&#8203;benelan](https://redirect.github.com/benelan) made their first contribution in [#&#8203;482](https://redirect.github.com/actions/github-script/pull/482)
- [@&#8203;Jcambass](https://redirect.github.com/Jcambass) made their first contribution in [#&#8203;485](https://redirect.github.com/actions/github-script/pull/485)
- [@&#8203;timotk](https://redirect.github.com/timotk) made their first contribution in [#&#8203;478](https://redirect.github.com/actions/github-script/pull/478)
- [@&#8203;iamstarkov](https://redirect.github.com/iamstarkov) made their first contribution in [#&#8203;508](https://redirect.github.com/actions/github-script/pull/508)
- [@&#8203;neilime](https://redirect.github.com/neilime) made their first contribution in [#&#8203;546](https://redirect.github.com/actions/github-script/pull/546)
- [@&#8203;nebuk89](https://redirect.github.com/nebuk89) made their first contribution in [#&#8203;610](https://redirect.github.com/actions/github-script/pull/610)

**Full Changelog**: <https://github.com/actions/github-script/compare/v7...v7.1.0>

</details>

<details>
<summary>actions/labeler (actions/labeler)</summary>

### [`v6.0.1`](https://redirect.github.com/actions/labeler/releases/tag/v6.0.1)

[Compare Source](https://redirect.github.com/actions/labeler/compare/v6.0.0...v6.0.1)

#### What's Changed

- Upgrade publish-action from 0.2.2 to 0.4.0 by [@&#8203;aparnajyothi-y](https://redirect.github.com/aparnajyothi-y) in [#&#8203;901](https://redirect.github.com/actions/labeler/pull/901)

#### New Contributors

- [@&#8203;aparnajyothi-y](https://redirect.github.com/aparnajyothi-y) made their first contribution in [#&#8203;901](https://redirect.github.com/actions/labeler/pull/901)

**Full Changelog**: <https://github.com/actions/labeler/compare/v6.0.0...v6.0.1>

### [`v6.0.0`](https://redirect.github.com/actions/labeler/releases/tag/v6.0.0)

[Compare Source](https://redirect.github.com/actions/labeler/compare/v5.0.0...v6.0.0)

#### What's Changed

- Add workflow file for publishing releases to immutable action package by [@&#8203;jcambass](https://redirect.github.com/jcambass) in [#&#8203;802](https://redirect.github.com/actions/labeler/pull/802)

##### Breaking Changes

- Upgrade Node.js version to 24 in action and dependencies [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in [#&#8203;891](https://redirect.github.com/actions/labeler/pull/891)
  Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. [Release Notes](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)

##### Dependency Upgrades

- Upgrade eslint-config-prettier from 9.0.0 to 9.1.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;711](https://redirect.github.com/actions/labeler/pull/711)
- Upgrade eslint from 8.52.0 to 8.55.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;720](https://redirect.github.com/actions/labeler/pull/720)
- Upgrade [@&#8203;types/jest](https://redirect.github.com/types/jest) from 29.5.6 to 29.5.11 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;719](https://redirect.github.com/actions/labeler/pull/719)
- Upgrade [@&#8203;types/js-yaml](https://redirect.github.com/types/js-yaml) from 4.0.8 to 4.0.9 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;718](https://redirect.github.com/actions/labeler/pull/718)
- Upgrade [@&#8203;typescript-eslint/parser](https://redirect.github.com/typescript-eslint/parser) from 6.9.0 to 6.14.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;717](https://redirect.github.com/actions/labeler/pull/717)
- Upgrade prettier from 3.0.3 to 3.1.1 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;726](https://redirect.github.com/actions/labeler/pull/726)
- Upgrade eslint from 8.55.0 to 8.56.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;725](https://redirect.github.com/actions/labeler/pull/725)
- Upgrade [@&#8203;typescript-eslint/parser](https://redirect.github.com/typescript-eslint/parser) from 6.14.0 to 6.19.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;745](https://redirect.github.com/actions/labeler/pull/745)
- Upgrade eslint-plugin-jest from 27.4.3 to 27.6.3 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;744](https://redirect.github.com/actions/labeler/pull/744)
- Upgrade [@&#8203;typescript-eslint/eslint-plugin](https://redirect.github.com/typescript-eslint/eslint-plugin) from 6.9.0 to 6.20.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;750](https://redirect.github.com/actions/labeler/pull/750)
- Upgrade prettier from 3.1.1 to 3.2.5 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;752](https://redirect.github.com/actions/labeler/pull/752)
- Upgrade undici from 5.26.5 to 5.28.3 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;757](https://redirect.github.com/actions/labeler/pull/757)
- Upgrade braces from 3.0.2 to 3.0.3 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;789](https://redirect.github.com/actions/labeler/pull/789)
- Upgrade minimatch from 9.0.3 to 10.0.1 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;805](https://redirect.github.com/actions/labeler/pull/805)
- Upgrade [@&#8203;actions/core](https://redirect.github.com/actions/core) from 1.10.1 to 1.11.1 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;811](https://redirect.github.com/actions/labeler/pull/811)
- Upgrade typescript from 5.4.3 to 5.7.2 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;819](https://redirect.github.com/actions/labeler/pull/819)
- Upgrade [@&#8203;typescript-eslint/parser](https://redirect.github.com/typescript-eslint/parser) from 7.3.1 to 8.17.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;824](https://redirect.github.com/actions/labeler/pull/824)
- Upgrade prettier from 3.2.5 to 3.4.2 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;825](https://redirect.github.com/actions/labeler/pull/825)
- Upgrade [@&#8203;types/jest](https://redirect.github.com/types/jest) from 29.5.12 to 29.5.14 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;827](https://redirect.github.com/actions/labeler/pull/827)
- Upgrade eslint-plugin-jest from 27.9.0 to 28.9.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;832](https://redirect.github.com/actions/labeler/pull/832)
- Upgrade ts-jest from 29.1.2 to 29.2.5 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;831](https://redirect.github.com/actions/labeler/pull/831)
- Upgrade [@&#8203;vercel/ncc](https://redirect.github.com/vercel/ncc) from 0.38.1 to 0.38.3 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;830](https://redirect.github.com/actions/labeler/pull/830)
- Upgrade typescript from 5.7.2 to 5.7.3 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;835](https://redirect.github.com/actions/labeler/pull/835)
- Upgrade eslint-plugin-jest from 28.9.0 to 28.11.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;839](https://redirect.github.com/actions/labeler/pull/839)
- Upgrade undici from 5.28.4 to 5.28.5 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;842](https://redirect.github.com/actions/labeler/pull/842)
- Upgrade [@&#8203;octokit/request-error](https://redirect.github.com/octokit/request-error) from 5.0.1 to 5.1.1 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;846](https://redirect.github.com/actions/labeler/pull/846)

##### Documentation changes

- Add note regarding `pull_request_target` to README.md by [@&#8203;silverwind](https://redirect.github.com/silverwind) in [#&#8203;669](https://redirect.github.com/actions/labeler/pull/669)
- Update readme with additional examples and important note about `pull_request_target` event by [@&#8203;IvanZosimov](https://redirect.github.com/IvanZosimov) in [#&#8203;721](https://redirect.github.com/actions/labeler/pull/721)
- Document update - permission section  by [@&#8203;harithavattikuti](https://redirect.github.com/harithavattikuti) in [#&#8203;840](https://redirect.github.com/actions/labeler/pull/840)
- Improvement in documentation for pull\_request\_target event usage in README by [@&#8203;suyashgaonkar](https://redirect.github.com/suyashgaonkar) in [#&#8203;871](https://redirect.github.com/actions/labeler/pull/871)
- Fix broken links in documentation by [@&#8203;suyashgaonkar](https://redirect.github.com/suyashgaonkar) in [#&#8203;822](https://redirect.github.com/actions/labeler/pull/822)

#### New Contributors

- [@&#8203;silverwind](https://redirect.github.com/silverwind) made their first contribution in [#&#8203;669](https://redirect.github.com/actions/labeler/pull/669)
- [@&#8203;Jcambass](https://redirect.github.com/Jcambass) made their first contribution in [#&#8203;802](https://redirect.github.com/actions/labeler/pull/802)
- [@&#8203;suyashgaonkar](https://redirect.github.com/suyashgaonkar) made their first contribution in [#&#8203;822](https://redirect.github.com/actions/labeler/pull/822)
- [@&#8203;HarithaVattikuti](https://redirect.github.com/HarithaVattikuti) made their first contribution in [#&#8203;840](https://redirect.github.com/actions/labeler/pull/840)
- [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) made their first contribution in [#&#8203;891](https://redirect.github.com/actions/labeler/pull/891)

**Full Changelog**: <https://github.com/actions/labeler/compare/v5...v6.0.0>

### [`v5.0.0`](https://redirect.github.com/actions/labeler/releases/tag/v5.0.0)

[Compare Source](https://redirect.github.com/actions/labeler/compare/v4.3.0...v5.0.0)

#### What's Changed

This release contains the following breaking changes:

1. The ability to apply labels based on the names of base and/or head branches was added ([#&#8203;186](https://redirect.github.com/actions/labeler/issues/186) and [#&#8203;54](https://redirect.github.com/actions/labeler/issues/54)). The match object for changed files was expanded with new combinations in order to make it more intuitive and flexible ([#&#8203;423](https://redirect.github.com/actions/labeler/issues/423) and [#&#8203;101](https://redirect.github.com/actions/labeler/issues/101)). As a result, the configuration file structure was significantly redesigned and is not compatible with the structure of the previous version. Please read the [action documentation](https://redirect.github.com/actions/labeler/tree/main#pull-request-labeler) to find out how to adapt your configuration files for use with the new action version.

2. The bug related to the `sync-labels` input was fixed ([#&#8203;112](https://redirect.github.com/actions/labeler/issues/112)). Now the input value is read correctly.

3. By default, `dot` input is set to `true`. Now, paths starting with a dot (e.g. `.github`) are matched by default.

4. Version 5 of this action updated the [runtime to Node.js 20](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs-for-javascript-actions). All scripts are now run with Node.js 20 instead of Node.js 16 and are affected by any breaking changes between Node.js 16 and 20.

For more information, please read the [action documentation](https://redirect.github.com/actions/labeler/tree/main#pull-request-labeler).

#### New Contributors

- [@&#8203;joshdales](https://redirect.github.com/joshdales) made their first contribution in [#&#8203;203](https://redirect.github.com/actions/labeler/pull/203)
- [@&#8203;dusan-trickovic](https://redirect.github.com/dusan-trickovic) made their first contribution in [#&#8203;626](https://redirect.github.com/actions/labeler/pull/626)
- [@&#8203;sungh0lim](https://redirect.github.com/sungh0lim) made their first contribution in [#&#8203;630](https://redirect.github.com/actions/labeler/pull/630)
- [@&#8203;TrianguloY](https://redirect.github.com/TrianguloY) made their first contribution in [#&#8203;629](https://redirect.github.com/actions/labeler/pull/629)

**Full Changelog**: <https://github.com/actions/labeler/compare/v4...v5.0.0>

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

### [`v5.0.0`](https://redirect.github.com/actions/setup-node/releases/tag/v5.0.0)

[Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.4.0...v5.0.0)

##### What's Changed

##### Breaking Changes

- Enhance caching in setup-node with automatic package manager detection by [@&#8203;priya-kinthali](https://redirect.github.com/priya-kinthali) in [#&#8203;1348](https://redirect.github.com/actions/setup-node/pull/1348)

This update, introduces automatic caching when a valid `packageManager` field is present in your `package.json`. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set `package-manager-cache: false`

```yaml
steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false
```

- Upgrade action to use node24 by [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in [#&#8203;1325](https://redirect.github.com/actions/setup-node/pull/1325)

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. [See Release Notes](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)

##### Dependency Upgrades

- Upgrade [@&#8203;octokit/request-error](https://redirect.github.com/octokit/request-error) and [@&#8203;actions/github](https://redirect.github.com/actions/github) by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;1227](https://redirect.github.com/actions/setup-node/pull/1227)
- Upgrade uuid from 9.0.1 to 11.1.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;1273](https://redirect.github.com/actions/setup-node/pull/1273)
- Upgrade undici from 5.28.5 to 5.29.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;1295](https://redirect.github.com/actions/setup-node/pull/1295)
- Upgrade form-data to bring in fix for critical vulnerability by [@&#8203;gowridurgad](https://redirect.github.com/gowridurgad) in [#&#8203;1332](https://redirect.github.com/actions/setup-node/pull/1332)
- Upgrade actions/checkout from 4 to 5 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;1345](https://redirect.github.com/actions/setup-node/pull/1345)

##### New Contributors

- [@&#8203;priya-kinthali](https://redirect.github.com/priya-kinthali) made their first contribution in [#&#8203;1348](https://redirect.github.com/actions/setup-node/pull/1348)
- [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) made their first contribution in [#&#8203;1325](https://redirect.github.com/actions/setup-node/pull/1325)

**Full Changelog**: <https://github.com/actions/setup-node/compare/v4...v5.0.0>

### [`v4.4.0`](https://redirect.github.com/actions/setup-node/releases/tag/v4.4.0)

[Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.3.0...v4.4.0)

##### What's Changed

##### Bug fixes:

- Make eslint-compact matcher compatible with Stylelint by [@&#8203;FloEdelmann](https://redirect.github.com/FloEdelmann) in [#&#8203;98](https://redirect.github.com/actions/setup-node/pull/98)
- Add support for indented eslint output by [@&#8203;fregante](https://redirect.github.com/fregante) in [#&#8203;1245](https://redirect.github.com/actions/setup-node/pull/1245)

##### Enhancement:

- Support private mirrors by [@&#8203;marco-ippolito](https://redirect.github.com/marco-ippolito) in [#&#8203;1240](https://redirect.github.com/actions/setup-node/pull/1240)

##### Dependency update:

- Upgrade [@&#8203;action/cache](https://redirect.github.com/action/cache) from 4.0.2 to 4.0.3 by [@&#8203;aparnajyothi-y](https://redirect.github.com/aparnajyothi-y) in [#&#8203;1262](https://redirect.github.com/actions/setup-node/pull/1262)

##### New Contributors

- [@&#8203;FloEdelmann](https://redirect.github.com/FloEdelmann) made their first contribution in [#&#8203;98](https://redirect.github.com/actions/setup-node/pull/98)
- [@&#8203;fregante](https://redirect.github.com/fregante) made their first contribution in [#&#8203;1245](https://redirect.github.com/actions/setup-node/pull/1245)
- [@&#8203;marco-ippolito](https://redirect.github.com/marco-ippolito) made their first contribution in [#&#8203;1240](https://redirect.github.com/actions/setup-node/pull/1240)

**Full Changelog**: <https://github.com/actions/setup-node/compare/v4...v4.4.0>

### [`v4.3.0`](https://redirect.github.com/actions/setup-node/releases/tag/v4.3.0)

[Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.2.0...v4.3.0)

#### What's Changed

##### Dependency updates

- Upgrade [@&#8203;actions/glob](https://redirect.github.com/actions/glob) from 0.4.0 to 0.5.0 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;1200](https://redirect.github.com/actions/setup-node/pull/1200)
- Upgrade [@&#8203;action/cache](https://redirect.github.com/action/cache) from 4.0.0 to 4.0.2 by [@&#8203;gowridurgad](https://redirect.github.com/gowridurgad) in [#&#8203;1251](https://redirect.github.com/actions/setup-node/pull/1251)
- Upgrade [@&#8203;vercel/ncc](https://redirect.github.com/vercel/ncc) from 0.38.1 to 0.38.3 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;1203](https://redirect.github.com/actions/setup-node/pull/1203)
- Upgrade [@&#8203;actions/tool-cache](https://redirect.github.com/actions/tool-cache) from 2.0.1 to 2.0.2 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in [#&#8203;1220](https://redirect.github.com/actions/setup-node/pull/1220)

#### New Contributors

- [@&#8203;gowridurgad](https://redirect.github.com/gowridurgad) made their first contribution in [#&#8203;1251](https://redirect.github.com/actions/setup-node/pull/1251)

**Full Changelog**: <https://github.com/actions/setup-node/compare/v4...v4.3.0>

</details>

<details>
<summary>actions/setup-python (actions/setup-python)</summary>

### [`v6.0.0`](https://redirect.github.com/actions/setup-python/releases/tag/v6.0.0)

[Compare Source](https://redirect.github.com/actions/setup-python/compare/v5.6.0...v6.0.0)

##### What's Changed

##### Breaking Changes

- Upgrade to node 24 by [@&#8203;salmanmkc](https://redirect.github.com/salmanmkc) in [#&#8203;1164](https://redirect.github.com/actions/setup-python/pull/1164)

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. [See Release Notes](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)

##### Enhancements:

- Add support for `pip-version`  by [@&#8203;priyagupta108](https://redirect.github.com/priyagupta108) in [#&#8203;1129](https://redirect.github.com/actions/setup-python/pull/1129)
- Enhance reading from .python-version by [@&#8203;krystof-k](https://redirect.github.com/krystof-k) in [#&#8203;787](https://redirect.github.com/actions/setup-python/pull/787)
- Add version parsing from Pipfile by [@&#8203;aradkdj](https://redirect.github.com/aradkdj) in [#&#8203;1067](https://redirect.github.com/actions/setup-python/pull/1067)

##### Bug fixes:

- Clarify pythonLocation behaviour for PyPy and GraalPy in environment variables by [@&#8203;aparnajyothi-y](https://redirect.github.com/aparnajyothi-y) in [#&#8203;1183](https://redirect.github.com/actions/setup-python/pull/1183)
- Change missing cache directory error to warning  by [@&#8203;aparnajyothi-y](https://redirect.github.com/aparnajyothi-y) in [#&#8203;1182](https://redirect.github.com/actions/setup-python/pull/1182)
- Add Architecture-Specific PATH Management for Python with --user Flag on Windows by [@&#8203;aparnajyothi-y](https://redirect.github.com/aparnajyothi-y) in [#&#8203;1122](https://redirect.github.com/actions/setup-python/pull/1122)
- Include python version in PyPy python-version output by [@&#8203;cdce8p](https://redirect.github.com/cdce8p) in [#&#8203;1110](https://redirect.github.com/actions/setup-python/pull/1110)
- Update docs: clarification on pip authentication with setup-python by [@&#8203;priya-kinthali](https://redirect.github.com/priya-kinthali) in [#&#8203;1156](https://redirect.github.com/actions/setup-python/pull/1156)

##### Dependency updates:

- Upgrade idna from 2.9 to 3.7 in /**tests**/data by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;843](https://redirect.github.com/actions/setup-python/pull/843)
- Upgrade form-data to fix critical vulnerabilities [#&#8203;182](https://redirect.github.com/actions/setup-python/issues/182) & [#&#8203;183](https://redirect.github.com/actions/setup-python/issues/183) by [@&#8203;aparnajyothi-y](https://redirect.github.com/aparnajyothi-y) in [#&#8203;1163](https://redirect.github.com/actions/setup-python/pull/1163)
- Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download by [@&#8203;aparnajyothi-y](https://redirect.github.com/aparnajyothi-y) in [#&#8203;1165](https://redirect.github.com/actions/setup-python/pull/1165)
- Upgrade actions/checkout from 4 to 5 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;1181](https://redirect.github.com/actions/setup-python/pull/1181)
- Upgrade [@&#8203;actions/tool-cache](https://redirect.github.com/actions/tool-cache) from 2.0.1 to 2.0.2 by [@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in [#&#8203;1095](https://redirect.github.com/actions/setup-python/pull/1095)

##### New Contributors

- [@&#8203;krystof-k](https://redirect.github.com/krystof-k) made their first contribution in [#&#8203;787](https://redirect.github.com/actions/setup-python/pull/787)
- [@&#8203;cdce8p](https://redirect.github.com/cdce8p) made their first contribution in [#&#8203;1110](https://redirect.github.com/actions/setup-python/pull/1110)
- [@&#8203;aradkdj](https://redirect.github.com/aradkdj) made their first contribution in [#&#8203;1067](https://redirect.github.com/actions/set

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 12:59 AM, only on Monday ( * 0 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/llvm/llvm-project).



---
Full diff: https://github.com/llvm/llvm-project/pull/161108.diff


18 Files Affected:

- (modified) .github/workflows/build-ci-container-windows.yml (+2-2) 
- (modified) .github/workflows/check-ci.yml (+1-1) 
- (modified) .github/workflows/docs.yml (+2-2) 
- (modified) .github/workflows/issue-write.yml (+1-1) 
- (modified) .github/workflows/libclang-python-tests.yml (+1-1) 
- (modified) .github/workflows/libcxx-build-and-test.yaml (+1-1) 
- (modified) .github/workflows/llvm-bugs.yml (+3-3) 
- (modified) .github/workflows/new-prs.yml (+1-1) 
- (modified) .github/workflows/pr-code-format.yml (+2-2) 
- (modified) .github/workflows/pr-code-lint.yml (+3-3) 
- (modified) .github/workflows/premerge.yaml (+1-1) 
- (modified) .github/workflows/release-asset-audit.yml (+1-1) 
- (modified) .github/workflows/release-binaries.yml (+1-1) 
- (modified) .github/workflows/release-documentation.yml (+1-1) 
- (modified) .github/workflows/release-doxygen.yml (+1-1) 
- (modified) .github/workflows/release-sources.yml (+1-1) 
- (modified) .github/workflows/scorecard.yml (+1-1) 
- (modified) .github/workflows/unprivileged-download-artifact/action.yml (+1-1) 


``````````diff

diff --git a/.github/workflows/build-ci-container-windows.yml b/.github/workflows/build-ci-container-windows.yml
index 167e7cf06b3b2..b10633a8b9e32 100644
--- a/.github/workflows/build-ci-container-windows.yml
+++ b/.github/workflows/build-ci-container-windows.yml
@@ -18,7 +18,7 @@ on:
 jobs:
   build-ci-container-windows:
     if: github.repository_owner == 'llvm'
-    runs-on: windows-2022
+    runs-on: windows-2025
     outputs:
       container-name: ${{ steps.vars.outputs.container-name }}
       container-name-tag: ${{ steps.vars.outputs.container-name-tag }}
@@ -56,7 +56,7 @@ jobs:
       - build-ci-container-windows
     permissions:
       packages: write
-    runs-on: windows-2022
+    runs-on: windows-2025
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
diff --git a/.github/workflows/check-ci.yml b/.github/workflows/check-ci.yml
index 7e8c15696e344..c0f84285be188 100644
--- a/.github/workflows/check-ci.yml
+++ b/.github/workflows/check-ci.yml
@@ -26,7 +26,7 @@ jobs:
         with:
           sparse-checkout: .ci
       - name: Setup Python
-        uses: actions/setup-python at 42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python at e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: 3.13
           cache: 'pip'
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 8cdd39c164cca..e383b7304d8fe 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -60,7 +60,7 @@ jobs:
           fetch-depth: 2
       - name: Get subprojects that have doc changes
         id: docs-changed-subprojects
-        uses: tj-actions/changed-files at ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files at 24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
           skip_initial_fetch: true
           base_sha: 'HEAD~1'
@@ -95,7 +95,7 @@ jobs:
             workflow:
               - '.github/workflows/docs.yml'
       - name: Setup Python env
-        uses: actions/setup-python at 42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python at e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: '3.11'
           cache: 'pip'
diff --git a/.github/workflows/issue-write.yml b/.github/workflows/issue-write.yml
index db9389b6afe53..8a083f9143ec6 100644
--- a/.github/workflows/issue-write.yml
+++ b/.github/workflows/issue-write.yml
@@ -40,7 +40,7 @@ jobs:
 
       - name: 'Comment on PR'
         if: steps.download-artifact.outputs.artifact-id != ''
-        uses: actions/github-script at 60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script at ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
diff --git a/.github/workflows/libclang-python-tests.yml b/.github/workflows/libclang-python-tests.yml
index e168928325561..06c3cbe5fa9b6 100644
--- a/.github/workflows/libclang-python-tests.yml
+++ b/.github/workflows/libclang-python-tests.yml
@@ -34,7 +34,7 @@ jobs:
     steps:
       - uses: actions/checkout at 08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Setup Python
-        uses: actions/setup-python at 42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python at e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Setup ccache
diff --git a/.github/workflows/libcxx-build-and-test.yaml b/.github/workflows/libcxx-build-and-test.yaml
index 2e6ff7f91b6fc..26b1913a9ba23 100644
--- a/.github/workflows/libcxx-build-and-test.yaml
+++ b/.github/workflows/libcxx-build-and-test.yaml
@@ -236,7 +236,7 @@ jobs:
             **/crash_diagnostics/*
 
   windows:
-    runs-on: windows-2022
+    runs-on: windows-2025
     needs: [ stage2 ]
     strategy:
       fail-fast: false
diff --git a/.github/workflows/llvm-bugs.yml b/.github/workflows/llvm-bugs.yml
index 5470662c97628..174757f689585 100644
--- a/.github/workflows/llvm-bugs.yml
+++ b/.github/workflows/llvm-bugs.yml
@@ -14,13 +14,13 @@ jobs:
     runs-on: ubuntu-24.04
     if: github.repository == 'llvm/llvm-project'
     steps:
-      - uses: actions/setup-node at 1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+      - uses: actions/setup-node at a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
-          node-version: 18
+          node-version: 22
           check-latest: true
       - run: npm install mailgun.js form-data
       - name: Send notification
-        uses: actions/github-script at d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
+        uses: actions/github-script at ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           MAILGUN_API_KEY: ${{ secrets.LLVM_BUGS_KEY }}
         with:
diff --git a/.github/workflows/new-prs.yml b/.github/workflows/new-prs.yml
index e1f2e754c1a3d..dc8cd100f3e68 100644
--- a/.github/workflows/new-prs.yml
+++ b/.github/workflows/new-prs.yml
@@ -67,7 +67,7 @@ jobs:
       github.event.pull_request.draft == false &&
       github.event.pull_request.commits < 10
     steps:
-      - uses: actions/labeler at ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
+      - uses: actions/labeler at 634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with:
           configuration-path: .github/new-prs-labeler.yml
           # workaround for https://github.com/actions/labeler/issues/112
diff --git a/.github/workflows/pr-code-format.yml b/.github/workflows/pr-code-format.yml
index 61c8680cd72a1..98de1062ebb2d 100644
--- a/.github/workflows/pr-code-format.yml
+++ b/.github/workflows/pr-code-format.yml
@@ -25,7 +25,7 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files at ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files at 24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
           separator: ","
           skip_initial_fetch: true
@@ -48,7 +48,7 @@ jobs:
           clangformat: 21.1.0
 
       - name: Setup Python env
-        uses: actions/setup-python at 42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python at e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: '3.11'
           cache: 'pip'
diff --git a/.github/workflows/pr-code-lint.yml b/.github/workflows/pr-code-lint.yml
index daefc9baacce7..7979b4864823e 100644
--- a/.github/workflows/pr-code-lint.yml
+++ b/.github/workflows/pr-code-lint.yml
@@ -27,13 +27,13 @@ jobs:
       cancel-in-progress: true
     steps:
       - name: Fetch LLVM sources
-        uses: actions/checkout at b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout at 08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 2
       
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files at ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files at 24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
         with:
           separator: ","
           skip_initial_fetch: true
@@ -56,7 +56,7 @@ jobs:
           clang-tidy: 21.1.0
       
       - name: Setup Python env
-        uses: actions/setup-python at 42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python at e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: '3.12'
 
diff --git a/.github/workflows/premerge.yaml b/.github/workflows/premerge.yaml
index 63ab4a8356971..385e534807960 100644
--- a/.github/workflows/premerge.yaml
+++ b/.github/workflows/premerge.yaml
@@ -139,7 +139,7 @@ jobs:
 
   premerge-check-macos:
     name: MacOS Premerge Checks
-    runs-on: macos-14
+    runs-on: macos-15
     if: >-
       github.repository_owner == 'llvm' &&
       (startswith(github.ref_name, 'release/') ||
diff --git a/.github/workflows/release-asset-audit.yml b/.github/workflows/release-asset-audit.yml
index 6546540a1b547..b658167d1db36 100644
--- a/.github/workflows/release-asset-audit.yml
+++ b/.github/workflows/release-asset-audit.yml
@@ -38,7 +38,7 @@ jobs:
         if: >-
           github.event_name != 'pull_request' &&
           failure()
-        uses: actions/github-script at 60a0d83039c74a4aee543508d2ffcb1c3799cdea #v7.0.1
+        uses: actions/github-script at ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}
           script: |
diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
index 8f422a0147748..4690200939fd6 100644
--- a/.github/workflows/release-binaries.yml
+++ b/.github/workflows/release-binaries.yml
@@ -301,7 +301,7 @@ jobs:
 
     - name: Attest Build Provenance
       id: provenance
-      uses: actions/attest-build-provenance at 897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+      uses: actions/attest-build-provenance at 977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
       with:
         subject-path: ${{ needs.prepare.outputs.release-binary-filename }}
 
diff --git a/.github/workflows/release-documentation.yml b/.github/workflows/release-documentation.yml
index 712ff1831170e..2f7cdb7a3e636 100644
--- a/.github/workflows/release-documentation.yml
+++ b/.github/workflows/release-documentation.yml
@@ -37,7 +37,7 @@ jobs:
         uses: actions/checkout at 08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup Python env
-        uses: actions/setup-python at 42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python at e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           cache: 'pip'
           cache-dependency-path: './llvm/docs/requirements.txt'
diff --git a/.github/workflows/release-doxygen.yml b/.github/workflows/release-doxygen.yml
index 17c677413f744..c31319e47833d 100644
--- a/.github/workflows/release-doxygen.yml
+++ b/.github/workflows/release-doxygen.yml
@@ -43,7 +43,7 @@ jobs:
         uses: actions/checkout at 08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup Python env
-        uses: actions/setup-python at 42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        uses: actions/setup-python at e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           cache: 'pip'
           cache-dependency-path: './llvm/docs/requirements.txt'
diff --git a/.github/workflows/release-sources.yml b/.github/workflows/release-sources.yml
index 14cc4c4e9b94f..ad9c5a93e56be 100644
--- a/.github/workflows/release-sources.yml
+++ b/.github/workflows/release-sources.yml
@@ -92,7 +92,7 @@ jobs:
       - name: Attest Build Provenance
         if: github.event_name != 'pull_request'
         id: provenance
-        uses: actions/attest-build-provenance at 897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+        uses: actions/attest-build-provenance at 977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
         with:
           subject-path: "*.xz"
       - if: github.event_name != 'pull_request'
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 40db5504294ef..305d09980d245 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -57,6 +57,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif at 80f993039571a6de66594ecaa432875a6942e8e0 # v2.20.6
+        uses: github/codeql-action/upload-sarif at 303c0aef88fc2fe5ff6d63d3b1596bfd83dfa1f9 # v3.30.4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/unprivileged-download-artifact/action.yml b/.github/workflows/unprivileged-download-artifact/action.yml
index 9d8fb59a67c0e..72815b26bcf41 100644
--- a/.github/workflows/unprivileged-download-artifact/action.yml
+++ b/.github/workflows/unprivileged-download-artifact/action.yml
@@ -27,7 +27,7 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/github-script at 60a0d83039c74a4aee543508d2ffcb1c3799cdea #v7.0.1
+    - uses: actions/github-script at ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       id: artifact-url
       with:
         script: |

``````````

</details>


https://github.com/llvm/llvm-project/pull/161108
