chore(deps): bump the github-actions group across 1 directory with 6 updates

[dependabot]

Bumps the github-actions group with 6 updates in the / directory:

Package	From	To
step-security/harden-runner	2.16.0	2.17.0
actions/upload-artifact	7.0.0	7.0.1
anthropics/claude-code-action	1.0.78	1.0.96
github/codeql-action	4.34.1	4.35.1
actions/create-github-app-token	3.0.0	3.1.1
marocchino/sticky-pull-request-comment	3.0.2	3.0.4

Updates step-security/harden-runner from 2.16.0 to 2.17.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.17.0

What's Changed

Policy Store Support

Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode.

Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0

v2.16.1

What's Changed

Enterprise tier: Added support for direct IP addresses in the allow list Community tier: Migrated Harden Runner telemetry to a new endpoint

Full Changelog: step-security/harden-runner@v2.16.0...v2.16.1

Commits

• f808768 Feature/policy store (#656)
• fe10465 v2.16.1 (#654)
• See full diff in compare view

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

• Update the readme with direct upload details by @​danwkennedy in actions/upload-artifact#795
• Readme: bump all the example versions to v7 by @​danwkennedy in actions/upload-artifact#796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in actions/upload-artifact#797

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits

• 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
• 634250c Include changes in typespec/ts-http-runtime 0.3.5
• e454baa Readme: bump all the example versions to v7 (#796)
• 74fad66 Update the readme with direct upload details (#795)
• See full diff in compare view

Updates anthropics/claude-code-action from 1.0.78 to 1.0.96

Release notes

Sourced from anthropics/claude-code-action's releases.

v1.0.96

What's Changed

• fix: handle fork PRs by fetching via refs/pull/N/head by @​stakeswky in anthropics/claude-code-action#963

New Contributors

• @​stakeswky made their first contribution in anthropics/claude-code-action#963

Full Changelog: anthropics/claude-code-action@v1...v1.0.96

v1.0.95

Full Changelog: anthropics/claude-code-action@v1...v1.0.95

v1.0.94

What's Changed

• Prepend system bin dirs to PATH when allowed_non_write_users is set by @​OctavianGuzu in anthropics/claude-code-action#1208

Full Changelog: anthropics/claude-code-action@v1...v1.0.94

v1.0.93

Full Changelog: anthropics/claude-code-action@v1...v1.0.93

v1.0.92

Full Changelog: anthropics/claude-code-action@v1...v1.0.92

v1.0.91

What's Changed

• Use pinned bun binary for post-steps when allowed_non_write_users is set by @​OctavianGuzu in anthropics/claude-code-action#1190

Full Changelog: anthropics/claude-code-action@v1...v1.0.91

v1.0.90

What's Changed

• fix: forward MCP_TIMEOUT, MCP_TOOL_TIMEOUT, MAX_MCP_OUTPUT_TOKENS to action step by @​qozle in anthropics/claude-code-action#1162
• security: reject PATH_TO_CLAUDE_CODE_EXECUTABLE with control characters by @​qozle in anthropics/claude-code-action#1185

Full Changelog: anthropics/claude-code-action@v1...v1.0.90

v1.0.89

What's Changed

• fix: skip token revocation when no token was acquired by @​Dave-London in anthropics/claude-code-action#918
• Use env vars for workflow_run context values in example workflows by @​ddworken in anthropics/claude-code-action#1125
• docs: document include/exclude_comments_by_actor inputs by @​yuribodo in anthropics/claude-code-action#1130
• fix: use correct fallback type for reviewData in fetcher by @​MaxwellCalkin in anthropics/claude-code-action#1034
• Strip OIDC token request env vars from Claude session by @​chyipin in anthropics/claude-code-action#1011
• fix: skip retries for non-retryable errors in retryWithBackoff by @​ei-grad in anthropics/claude-code-action#1082
• fix: restore ripgrep execute bits after bun install --production by @​qozle in anthropics/claude-code-action#1163
• fix: allow # in branch names for PR checkout and base restore by @​qozle in anthropics/claude-code-action#1167

... (truncated)

Commits

• 5fb8995 chore: bump Claude Code to 2.1.109 and Agent SDK to 0.2.109
• c3bf66d fix: handle fork PRs by fetching via refs/pull/N/head (#962) (#963)
• 3943183 chore: bump Claude Code to 2.1.108 and Agent SDK to 0.2.108
• 65f29cf chore: bump Claude Code to 2.1.107 and Agent SDK to 0.2.107
• 1c8b699 chore: bump Claude Code to 2.1.105 and Agent SDK to 0.2.105
• ff49ec5 Prepend system bin dirs to PATH when allowed_non_write_users is set (#1208)
• 25474bf chore: bump Claude Code to 2.1.104 and Agent SDK to 0.2.104
• b47fd72 chore: bump Claude Code to 2.1.101 and Agent SDK to 0.2.101
• c26cb64 chore: bump Claude Code to 2.1.100 and Agent SDK to 0.2.98
• 657fb7c chore: bump Claude Code to 2.1.98 and Agent SDK to 0.2.98
• Additional commits viewable in compare view

Updates github/codeql-action from 4.34.1 to 4.35.1

Release notes

Sourced from github/codeql-action's releases.

v4.35.1

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

v4.35.0

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807

4.35.1 - 27 Mar 2026

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

4.34.1 - 20 Mar 2026

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
• Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

• Update default CodeQL bundle version to 2.24.3. #3548

4.32.5 - 02 Mar 2026

... (truncated)

Commits

• c10b806 Merge pull request #3782 from github/update-v4.35.1-d6d1743b8
• c5ffd06 Update changelog for v4.35.1
• d6d1743 Merge pull request #3781 from github/henrymercer/update-git-minimum-version
• 65d2efa Add changelog note
• 2437b20 Update minimum git version for overlay to 2.36.0
• ea5f719 Merge pull request #3775 from github/dependabot/npm_and_yarn/node-forge-1.4.0
• 45ceeea Merge pull request #3777 from github/mergeback/v4.35.0-to-main-b8bb9f28
• 24448c9 Rebuild
• 7c51060 Update changelog and version after v4.35.0
• b8bb9f2 Merge pull request #3776 from github/update-v4.35.0-0078ad667
• Additional commits viewable in compare view

Updates actions/create-github-app-token from 3.0.0 to 3.1.1

Release notes

Sourced from actions/create-github-app-token's releases.

v3.1.1

3.1.1 (2026-04-11)

Bug Fixes

• improve error message when app identifier is empty (#362) (07e2b76), closes #249

v3.1.0

3.1.0 (2026-04-11)

Bug Fixes

• deps: bump p-retry from 7.1.1 to 8.0.0 (#357) (3bbe07d)

Features

• add client-id input and deprecate app-id (#353) (e6bd4e6)
• update permission inputs (#358) (076e948)

Commits

• 1b10c78 build(release): 3.1.1 [skip ci]
• 07e2b76 fix: improve error message when app identifier is empty (#362)
• ea01216 ci: remove publish-immutable-action workflow (#361)
• 7bd0371 build(release): 3.1.0 [skip ci]
• e6bd4e6 feat: add client-id input and deprecate app-id (#353)
• 076e948 feat: update permission inputs (#358)
• 3bbe07d fix(deps): bump p-retry from 7.1.1 to 8.0.0 (#357)
• 28a99e3 build(deps-dev): bump c8 from 10.1.3 to 11.0.0
• 4df5060 build(deps-dev): bump open-cli from 8.0.0 to 9.0.0
• 4843c53 build(deps-dev): bump the development-dependencies group with 3 updates
• See full diff in compare view

Updates marocchino/sticky-pull-request-comment from 3.0.2 to 3.0.4

Release notes

Sourced from marocchino/sticky-pull-request-comment's releases.

v3.0.4

What's Changed

• build(deps-dev): Bump vite from 8.0.3 to 8.0.5 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1679
• build(deps-dev): Bump vitest from 4.1.2 to 4.1.3 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1680
• build(deps-dev): Bump @​types/node from 25.5.2 to 25.6.0 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1684
• build(deps): Bump @​actions/github from 9.0.0 to 9.1.0 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1683
• build(deps-dev): Bump vitest from 4.1.3 to 4.1.4 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1682
• build(deps-dev): Bump @​biomejs/biome from 2.4.10 to 2.4.11 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1681

Full Changelog: marocchino/sticky-pull-request-comment@v3.0.3...v3.0.4

v3.0.3

What's Changed

• Move validateExclusiveModes before getBody for fail-fast validation by @​Copilot in marocchino/sticky-pull-request-comment#1663
• Add number_force that overrides pull_request number by @​rossjrw in marocchino/sticky-pull-request-comment#1652
• build(deps-dev): Bump @​biomejs/biome from 2.4.6 to 2.4.7 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1666
• build(deps): Bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1673
• build(deps-dev): Bump vitest from 4.1.0 to 4.1.2 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1674
• build(deps-dev): Bump rollup from 4.59.0 to 4.60.1 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1676
• build(deps-dev): Bump @​types/node from 25.5.0 to 25.5.2 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1677
• build(deps-dev): Bump @​biomejs/biome from 2.4.7 to 2.4.10 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1675
• build(deps): Bump brace-expansion by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1678
• build(deps-dev): Bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1670

New Contributors

• @​rossjrw made their first contribution in marocchino/sticky-pull-request-comment#1652

Full Changelog: marocchino/sticky-pull-request-comment@v3.0.2...v3.0.3

Commits

• 0ea0beb 📦️ Build
• df6c1bd build(deps-dev): Bump @​biomejs/biome from 2.4.10 to 2.4.11 (#1681)
• 3ad213f build(deps-dev): Bump vitest from 4.1.3 to 4.1.4 (#1682)
• 58072e5 build(deps): Bump @​actions/github from 9.0.0 to 9.1.0 (#1683)
• 313a938 build(deps-dev): Bump @​types/node from 25.5.2 to 25.6.0 (#1684)
• 159c677 build(deps-dev): Bump vitest from 4.1.2 to 4.1.3 (#1680)
• b37c1a1 build(deps-dev): Bump vite from 8.0.3 to 8.0.5 (#1679)
• d4d6b09 📦️ Build
• 3868baa build(deps-dev): Bump typescript from 5.9.3 to 6.0.2 (#1670)
• 26f73b0 build(deps): Bump brace-expansion (#1678)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Test Results: Windows

    2 files      2 suites   16s ⏱️
4 052 tests 4 033 ✅ 19 💤 0 ❌
4 054 runs  4 035 ✅ 19 💤 0 ❌

Results for commit 2448cd0.

[github-actions]

Test Results: Ubuntu

    2 files      2 suites   51s ⏱️
4 044 tests 4 025 ✅ 19 💤 0 ❌
4 046 runs  4 027 ✅ 19 💤 0 ❌

Results for commit 2448cd0.

[github-actions]

Package	Line Rate	Branch Rate	Complexity	Health
Yubico.Core	52%	41%	1519	➖
Yubico.YubiKey	50%	46%	7180	➖
Summary	50% (12811 / 25443)	45% (3070 / 6854)	8699	➖

Minimum allowed line rate is 40%

[github-actions]

Test Results: MacOS

    4 files      4 suites   33s ⏱️
4 026 tests 4 026 ✅ 0 💤 0 ❌
4 028 runs  4 028 ✅ 0 💤 0 ❌

Results for commit 2448cd0.