Sourced from step-security/harden-runner's releases.

v2.14.0

What's Changed

• Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
• Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.

Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0

v2.13.3

What's Changed

• Fixed an issue where process events were not uploaded in certain edge cases.

Full Changelog: step-security/harden-runner@v2.13.2...v2.13.3

• 20cf305 Merge pull request #622 from step-security/feature/custom-property-skip
• c51e8ee feat: skip agent install and post step on subsequent runs for GitHub-hosted r...
• e152b90 feat: skip harden-runner based on repository custom property
• ee1faec feat: replace skip-harden-runner with skip-on-custom-property input
• 1dc7c17 feat: add skip-harden-runner input to conditionally skip execution
• df199fb Merge pull request #620 from step-security/rc-29
• 03d096a update agent
• 4090107 fix: update agent
• See full diff in compare view

Sourced from bazelbuild/continuous-integration's changelog.

Bazel Release Playbook

This is the guide to conducting a Bazel release. This is especially relevant for release managers, but will be of interest to anyone who is curious about the release process.

Preface

For future reference and release managers - the release manager playbook should be treated like an IKEA manual. That means: Do not try to be smart, optimize / skip / reorder steps, otherwise chaos will ensue. Just follow it and the end result will be.. well, a usable piece of furniture, or a Bazel release (depending on the manual).

Like aviation and workplace safety regulations, the playbook is written in the tears and blood of broken Bazelisks, pipelines, releases and Git branches. Assume that every step is exactly there for a reason, even if it might not be obvious. If you follow them to the letter, they are not error prone. Errors have only happened in the past, when a release manager thought it's ok to follow them by spirit instead. ;)

-- @​philwo

One-time setup

These steps only have to be performed once, ever.

• Make sure you are a member of the Bazel Release Managers team on GitHub.
• Make sure you are a member of the Bazel release-managers group on BuildKite. If that link does not work for you, ask one of the Buildkite org admins to add you to the group.
• Set up github ssh key if you haven't already.
  • https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/
• Generate a new identifier for Google's internal Git mirror: https://bazel.googlesource.com/new-password (and paste the code in your shell).
• Log in to the Gerrit UI to create an account: https://bazel-review.git.corp.google.com/ (without this step, you will see errors such as error_type: PERMISSION_DENIED_BY_GERRIT_ACL and "\'git push\' requires a Gerrit user account." when running the release script.

Preparing a new release

1. Create a release blockers milestone named "X.Y.Z release blockers" (case-sensitive), where we keep track of issues that must be resolved before the release goes out.
   • Set the (tentative) release date.
   • Add this description: Issues that need to be resolved before the X.Y.Z release..
   • Refer to this example
2. Create a release tracking issue to keep the community updated about the progress of the release. See example. Pin this issue.
3. Create the branch for the release. The branch should always be named release-X.Y.Z (the .Z part is important). Cherry-pick PRs will be sent against this branch.
   • The actual creation of the branch can be done via the GitHub UI or via the command line. For minor and patch releases, create the branch from the previous release tag, if possible. How we choose the base commit of the branch depends on the type of the release:
   • For patch releases (X.Y.Z where Z>0), the base commit should simply be X.Y.(Z-1).
   • For minor releases (X.Y.0 where Y>0), the base commit should typically be X.(Y-1).<current max Z>.
   • For major releases (X.0.0), the base commit is some "healthy" commit on the main branch.
     • This means that there's an extra step involved in preparing the release -- "cutting" the release branch, so to speak. For this, check the Bazel@HEAD+Downstream pipeline. The branch cut should happen on a green commit there; if the pipeline is persistently red, work with the Green Team to resolve it first and delay the branch cut as needed.
     • A first release candidate should immediately be created after the release branch is created. See create a release candidate below.

... (truncated)

• 9332050 Implement matrix exclude (#2421)
• 45d2158 Fix regex escaping in excluded platforms query (#2420)
• c5142bd Exclude tests incompatible with the current platform using target_compatible_...
• a1dfff1 Bump webpki from 0.22.0 to 0.22.2 in /agent (#1749)
• 2c9b889 Bump mio from 0.8.6 to 0.8.11 in /agent (#1892)
• f3a9fcc Bump urllib3 from 1.26.19 to 2.6.0 in /buildkite/docker/ubuntu1604 (#2415)
• 55e6135 Update Docker image from ubuntu2404 to ubuntu2004 (#2417)
• 80a06a5 Update Docker image to Ubuntu 24.04
• bc92ee7 Fix pagination for fetching PRs, commits, and reviews in bcr-pr-reviewer (#2416)
• 64c9ba2 BCR PR reviewer: add presubmit-auto-run for known module maintainer (#2414)
• Additional commits viewable in compare view

Sourced from actions/checkout's releases.

v6.0.1

What's Changed

• Update all references from v5 and v4 to v6 by @​ericsciple in actions/checkout#2314
• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327
• Clarify v6 README by @​ericsciple in actions/checkout#2328

Full Changelog: actions/checkout@v6...v6.0.1

• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• See full diff in compare view

Sourced from actions/upload-artifact's releases.

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Upload Artifact Node 24 support by @​salmanmkc in actions/upload-artifact#719
• fix: update @​actions/artifact for Node.js 24 punycode deprecation by @​salmanmkc in actions/upload-artifact#744
• prepare release v6.0.0 for Node.js 24 support by @​salmanmkc in actions/upload-artifact#745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

• b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
• e516bc8 docs: correct description of Node.js 24 support in README
• ddc45ed docs: update README to correct action name for Node.js 24 support
• 615b319 chore: release v6.0.0 for Node.js 24 support
• 017748b Merge pull request #744 from actions/fix-storage-blob
• 38d4c79 chore: rebuild dist
• 7d27270 chore: add missing license cache files for @​actions/core, @​actions/io, and mi...
• 5f643d3 chore: update license files for @​actions/artifact@​5.0.1 dependencies
• 1df1684 chore: update package-lock.json with @​actions/artifact@​5.0.1
• b5b1a91 fix: update @​actions/artifact to ^5.0.0 for Node.js 24 punycode fix
• Additional commits viewable in compare view

Sourced from github/codeql-action's releases.

v4.31.9

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.9 - 16 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v4.31.8

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.8 - 11 Dec 2025

• Update default CodeQL bundle version to 2.23.8. #3354

See the full CHANGELOG.md for more information.

v4.31.7

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.7 - 05 Dec 2025

• Update default CodeQL bundle version to 2.23.7. #3343

See the full CHANGELOG.md for more information.

v4.31.6

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.6 - 01 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

4.31.9 - 16 Dec 2025

No user facing changes.

4.31.8 - 11 Dec 2025

• Update default CodeQL bundle version to 2.23.8. #3354

4.31.7 - 05 Dec 2025

• Update default CodeQL bundle version to 2.23.7. #3343

4.31.6 - 01 Dec 2025

No user facing changes.

4.31.5 - 24 Nov 2025

• Update default CodeQL bundle version to 2.23.6. #3321

4.31.4 - 18 Nov 2025

No user facing changes.

4.31.3 - 13 Nov 2025

• CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see Upcoming deprecation of CodeQL Action v3.
• Update default CodeQL bundle version to 2.23.5. #3288

4.31.2 - 30 Oct 2025

No user facing changes.

4.31.1 - 30 Oct 2025

• The add-snippets input has been removed from the analyze action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.

4.31.0 - 24 Oct 2025

• Bump minimum CodeQL bundle version to 2.17.6. #3223
• When SARIF files are uploaded by the analyze or upload-sarif actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the upload-sarif action. For analyze, this may affect Advanced Setup for CodeQL users who specify a value other than always for the upload input. #3222

... (truncated)

• 5d4e8d1 Merge pull request #3371 from github/update-v4.31.9-998798e34
• 1dc115f Update changelog for v4.31.9
• 998798e Merge pull request #3352 from github/nickrolfe/jar-min-ff-cleanup
• 5eb7519 Merge pull request #3358 from github/henrymercer/database-upload-telemetry
• d29eddb Extract version number to constant
• e962687 Merge branch 'main' into henrymercer/database-upload-telemetry
• 19c7f96 Rename isOverlayBase
• ae5de9a Use getErrorMessage in log too
• 0cb8633 Prefer performance.now()
• c07cc0d Merge pull request #3351 from github/henrymercer/ghec-dr-determine-tools-vers...
• Additional commits viewable in compare view

Sourced from actions/stale's releases.

v10.1.1

What's Changed

Bug Fix

• Add Missing Input Reading for only-issue-types by @​Bibo-Joshi in actions/stale#1298

Improvement

• Improves error handling when rate limiting is disabled on GHES. by @​chiranjib-swain in actions/stale#1300

Dependency Upgrades

• Upgrade eslint-config-prettier from 8.10.0 to 10.1.8 by @​dependabot in actions/stale#1276
• Upgrade @​types/node from 20.10.3 to 24.2.0 and document breaking changes in v10 by @​dependabot in actions/stale#1280
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 by @​dependabot in actions/stale#1291
• Upgrade actions/checkout from 4 to 6 by @​dependabot in actions/stale#1306

New Contributors

• @​chiranjib-swain made their first contribution in actions/stale#1300

Full Changelog: actions/stale@v10...v10.1.1

• 9971854 build(deps): bump actions/checkout from 4 to 6 (#1306)
• 5611b9d build(deps): bump actions/publish-action from 0.3.0 to 0.4.0 (#1291)
• fad0de8 Improves error handling when rate limiting is disabled on GHES. (#1300)
• 39bea7d Add Missing Input Reading for only-issue-types (#1298)
• e46bbab build(deps-dev): bump @​types/node from 20.10.3 to 24.2.0 and document breakin...
• 65d1d48 build(deps-dev): bump eslint-config-prettier from 8.10.0 to 10.1.8 (#1276)
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions