chore(deps): bump github-actions

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
actions/attest-build-provenance	action	minor	v2.1.0 → v2.4.0
actions/checkout	action	minor	v4.2.2 → v4.3.1
actions/download-artifact	action	minor	v4.1.8 → v4.3.0
actions/setup-node	action	minor	v4.1.0 → v4.4.0
actions/upload-artifact	action	minor	v4.4.3 → v4.6.2
ghcr.io/charmbracelet/vhs	container	minor	v0.10.0 → v0.11.0
googleapis/release-please-action	action	minor	v4.1.3 → v4.4.1
pnpm/action-setup	action	minor	v4.1.0 → v4.4.0
softprops/action-gh-release	action	minor	v2.0.9 → v2.6.2

---

Release Notes

actions/attest-build-provenance (actions/attest-build-provenance)

v2.4.0

Compare Source

What's Changed

• Bump undici from 5.28.5 to 5.29.0 by @​dependabot in #​633
• Bump actions/attest from 2.3.0 to 2.4.0 by @​bdehamer in #​654
  • Includes support for the new well-known summary file which will accumulate paths to all attestations generated in a given workflow run

Full Changelog: actions/attest-build-provenance@v2.3.0...v2.4.0

v2.3.0

Compare Source

What's Changed

• Bump actions/attest from 2.2.1 to 2.3.0 by @​bdehamer in #​615
  • Updates @sigstore/oci from 0.4.0 to 0.5.0

Full Changelog: actions/attest-build-provenance@v2.2.3...v2.3.0

v2.2.3

Compare Source

What's Changed

• Pin actions/attest reference by commit SHA by @​bdehamer in #​493

Full Changelog: actions/attest-build-provenance@v2.2.2...v2.2.3

v2.2.2

Compare Source

What's Changed

• Bump predicate action from 1.1.4 to 1.1.5 by @​bdehamer in #​485
  • Bump @​actions/attest from 1.5.0 to 1.6.0 by @​bdehamer in #​484
    • Update buildSLSAProvenancePredicate to populate workflow.ref field from the ref claim in the OIDC token (actions/toolkit#1969)

Full Changelog: actions/attest-build-provenance@v2.2.1...v2.2.2

v2.2.1

Compare Source

What's Changed

• Bump undici from 5.28.4 to 5.28.5 by @​dependabot in #​457
• Bump @​octokit/request-error from 5.0.1 to 5.1.1 by @​dependabot in #​469
• Bump @​octokit/request from 8.2.0 to 8.4.1 by @​dependabot in #​478
• Bump actions/attest from 2.2.0 to 2.2.1 by @​bdehamer in #​481
  • Includes @actions/attest v1.6.0

Full Changelog: actions/attest-build-provenance@v2.2.0...v2.2.1

v2.2.0

Compare Source

What's Changed

• Bump actions/attest from v2.1.0 to v2.2.0 by @​bdehamer in #​449
  • Includes support for now subject-checksums input parameter

Full Changelog: actions/attest-build-provenance@v2.1.0...v2.2.0

actions/checkout (actions/checkout)

v4.3.1

Compare Source

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in #​2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

Compare Source

What's Changed

• docs: update README.md by @​motss in #​1971
• Add internal repos for checking out multiple repositories by @​mouismail in #​1977
• Documentation update - add recommended permissions to Readme by @​benwells in #​2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in #​2044
• Update README.md by @​nebuk89 in #​2194
• Update CODEOWNERS for actions by @​TingluoHuang in #​2224
• Update package dependencies by @​salmanmkc in #​2236
• Prepare release v4.3.0 by @​salmanmkc in #​2237

New Contributors

• @​motss made their first contribution in #​1971
• @​mouismail made their first contribution in #​1977
• @​benwells made their first contribution in #​2043
• @​nebuk89 made their first contribution in #​2194
• @​salmanmkc made their first contribution in #​2236

Full Changelog: actions/checkout@v4...v4.3.0

actions/download-artifact (actions/download-artifact)

v4.3.0

Compare Source

What's Changed

• feat: implement new artifact-ids input by @​GrantBirki in #​401
• Fix workflow example for downloading by artifact ID by @​joshmgross in #​402
• Prep for v4.3.0 release by @​robherley in #​404

New Contributors

• @​GrantBirki made their first contribution in #​401

Full Changelog: actions/download-artifact@v4.2.1...v4.3.0

v4.2.1

Compare Source

What's Changed

• Add unit tests by @​GhadimiR in #​392
• Fix bug introduced in 4.2.0 by @​GhadimiR in #​391

Full Changelog: actions/download-artifact@v4.2.0...v4.2.1

v4.2.0

Compare Source

What's Changed

• Update README.md by @​lkfortuna in #​384
• Bump artifact version, do digest check by @​GhadimiR in #​383

New Contributors

• @​lkfortuna made their first contribution in #​384
• @​GhadimiR made their first contribution in #​383

Full Changelog: actions/download-artifact@v4.1.9...v4.2.0

v4.1.9

Compare Source

What's Changed

• Add workflow file for publishing releases to immutable action package by @​Jcambass in #​354
• docs: small migration fix by @​froblesmartin in #​370
• Update MIGRATION.md by @​andyfeller in #​372
• Update artifact package to 2.2.2 by @​yacaovsnc in #​380

New Contributors

• @​Jcambass made their first contribution in #​354
• @​froblesmartin made their first contribution in #​370
• @​andyfeller made their first contribution in #​372
• @​yacaovsnc made their first contribution in #​380

Full Changelog: actions/download-artifact@v4.1.8...v4.1.9

actions/setup-node (actions/setup-node)

v4.4.0

Compare Source

What's Changed

Bug fixes:

• Make eslint-compact matcher compatible with Stylelint by @​FloEdelmann in #​98
• Add support for indented eslint output by @​fregante in #​1245

Enhancement:

• Support private mirrors by @​marco-ippolito in #​1240

Dependency update:

• Upgrade @​action/cache from 4.0.2 to 4.0.3 by @​aparnajyothi-y in #​1262

New Contributors

• @​FloEdelmann made their first contribution in #​98
• @​fregante made their first contribution in #​1245
• @​marco-ippolito made their first contribution in #​1240

Full Changelog: actions/setup-node@v4...v4.4.0

v4.3.0

Compare Source

What's Changed

Dependency updates

• Upgrade @​actions/glob from 0.4.0 to 0.5.0 by @​dependabot in #​1200
• Upgrade @​action/cache from 4.0.0 to 4.0.2 by @​gowridurgad in #​1251
• Upgrade @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot in #​1203
• Upgrade @​actions/tool-cache from 2.0.1 to 2.0.2 by @​dependabot in #​1220

New Contributors

• @​gowridurgad made their first contribution in #​1251

Full Changelog: actions/setup-node@v4...v4.3.0

v4.2.0

Compare Source

What's Changed

• Enhance workflows and upgrade publish-actions from 0.2.2 to 0.3.0 by @​aparnajyothi-y in #​1174
• Add recommended permissions section to readme by @​benwells in #​1193
• Configure Dependabot settings by @​HarithaVattikuti in #​1192
• Upgrade @actions/cache to ^4.0.0 by @​priyagupta108 in #​1191
• Upgrade pnpm/action-setup from 2 to 4 by @​dependabot in #​1194
• Upgrade actions/publish-immutable-action from 0.0.3 to 0.0.4 by @​dependabot in #​1195
• Upgrade semver from 7.6.0 to 7.6.3 by @​dependabot in #​1196
• Upgrade @​types/jest from 29.5.12 to 29.5.14 by @​dependabot in #​1201
• Upgrade undici from 5.28.4 to 5.28.5 by @​dependabot in #​1205

New Contributors

• @​benwells made their first contribution in #​1193

Full Changelog: actions/setup-node@v4...v4.2.0

actions/upload-artifact (actions/upload-artifact)

v4.6.2

Compare Source

What's Changed

• Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @​salmanmkc in #​685

New Contributors

• @​salmanmkc made their first contribution in #​685

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

Compare Source

What's Changed

• Update to use artifact 2.2.2 package by @​yacaovsnc in #​673

Full Changelog: actions/upload-artifact@v4...v4.6.1

v4.6.0

Compare Source

What's Changed

• Expose env vars to control concurrency and timeout by @​yacaovsnc in #​662

Full Changelog: actions/upload-artifact@v4...v4.6.0

v4.5.0

Compare Source

What's Changed

• fix: deprecated Node.js version in action by @​hamirmahal in #​578
• Add new artifact-digest output by @​bdehamer in #​656

New Contributors

• @​hamirmahal made their first contribution in #​578
• @​bdehamer made their first contribution in #​656

Full Changelog: actions/upload-artifact@v4.4.3...v4.5.0

charmbracelet/vhs (ghcr.io/charmbracelet/vhs)

v0.11.0

Compare Source

Scroll? More keys?

This release includes two nice features that include scrolling the viewport and supporting Ctrl+<arrow> keys. You can now use the ScrollUp and ScrollDown commands to scroll the viewport. VHS will also now recognize Ctrl+Left/Up/Right/Down keys.

Thanks to @​joshka-oai and @​sectore for their gracious contributions and support 🙂

Changelog

New!

• bae3eb0: feat: add viewport scroll commands to tapes (#​707) (@​joshka-oai)
• 9e27976: feat: support ctrl + arrow keys (#​673) (@​sectore)

Fixed

• 55f824a: fix(docker): remove ubuntu font which is no longer available in alpine (@​aymanbagabas)
• b8a1d86: fix(docker): update env variables to use '=' (@​aymanbagabas)
• 9c80359: fix: lint issues (@​aymanbagabas)

Other stuff

• 9efc235: Fix lexer regex escaping (#​678) (@​raphamorim)
• 0a14d2c: ci: sync dependabot config (#​660) (@​charmcli)
• 0bb2251: ci: sync dependabot config (#​668) (@​charmcli)
• a94d725: ci: sync golangci-lint config (@​caarlos0)
• be49219: ci: sync golangci-lint config (#​650) (@​github-actions[bot])

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/vhs/releases/download/v0.11.0/checksums.txt'
wget 'https://github.com/charmbracelet/vhs/releases/download/v0.11.0/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

googleapis/release-please-action (googleapis/release-please-action)

v4.4.1

Compare Source

v4.4.0

Compare Source

Features

• add ability to select versioning-strategy and release-as (#​1121) (ee0f5ba)

Bug Fixes

• changelog-host parameter ignored when using manifest configuration (#​1151) (535c413)
• bump mocha from 11.7.1 to 11.7.2 in the npm_and_yarn group across 1 directory (#​1149) (3612a99)
• bump release-please from 17.1.2 to 17.1.3 (#​1158) (66fbfe9)

v4.4

Compare Source

v4.3.0

Compare Source

Features

• deps: update release-please to 17.1.2 (f07192c)

v4.3

Compare Source

v4.2.0

Compare Source

Features

• support for skip-labeling parameter for GitHub action (#​1066) (fb7f385)

v4.2

Compare Source

v4.1.5

Compare Source

Bug Fixes

• deps: update release-please to 16.18.0 (#​1083) (aeb7f8d)

v4.1.4

Compare Source

Bug Fixes

• bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group (#​1015) (5ec1cbd)
• bump release-please from 16.12.0 to 16.13.0 (#​1030) (caa0464)
• bump release-please from 16.13.0 to 16.14.0 (#​1032) (b2a986c)
• deps: update release-please to 16.14.1 (#​1036) (2942e51)

pnpm/action-setup (pnpm/action-setup)

v4.4.0

Compare Source

Updated the action to use Node.js 24.

v4.3.0

Compare Source

What's Changed

• docs: fix the run_install example in the Readme by @​dreyks in #​175
• chore: remove unused @types/node-fetch dependency by @​silverwind in #​186
• Clarify that package_json_file is relative to GITHUB_WORKSPACE by @​chris-martin in #​184
• feat: store caching by @​jrmajor in #​188
• refactor: remove star imports by @​KSXGitHub in #​196
• fix(ci): exclude macos by @​KSXGitHub in #​197

New Contributors

• @​dreyks made their first contribution in #​175
• @​silverwind made their first contribution in #​186
• @​chris-martin made their first contribution in #​184
• @​jrmajor made their first contribution in #​188
• @​Boosted-Bonobo made their first contribution in #​199

Full Changelog: pnpm/action-setup@v4.2.0...v4.3.0

v4.2.0

Compare Source

When there's a .npmrc file at the root of the repository, pnpm will be fetched from the registry that is specified in that .npmrc file #​179

softprops/action-gh-release (softprops/action-gh-release)

v2.6.2

Compare Source

What's Changed

Other Changes 🔄

• chore(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in #​775
• chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 by @​dependabot[bot] in #​777
• chore(deps): bump vite from 8.0.0 to 8.0.5 by @​dependabot[bot] in #​781

Full Changelog: softprops/action-gh-release@v2...v2.6.2

v2.6.1

Compare Source

2.6.1 is a patch release focused on restoring linked discussion thread creation when
discussion_category_name is set. It fixes #764, where the draft-first publish flow
stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: preserve discussion category on publish by @​chenrui333 in #​765

v2.6.0

Compare Source

2.6.0 is a minor release centered on previous_tag support for generate_release_notes,
which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync,
a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉

• feat: support previous_tag for generate_release_notes by @​pocesar in #​372

Bug fixes 🐛

• fix: recover concurrent asset metadata 404s by @​chenrui333 in #​760

Other Changes 🔄

• docs: clarify reused draft release behavior by @​chenrui333 in #​759
• docs: clarify working_directory input by @​chenrui333 in #​761
• ci: verify dist bundle freshness by @​chenrui333 in #​762
• fix: clarify immutable prerelease uploads by @​chenrui333 in #​763

v2.5.3

Compare Source

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2.
It fixes #639, #571, #280, #614, #311, #403, and #368.
It also adds documentation clarifications for #541, #645, #542, #393, and #411,
where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: prefer token input over GITHUB_TOKEN by @​chenrui333 in #​751
• fix: clean up duplicate drafts after canonicalization by @​chenrui333 in #​753
• fix: support Windows-style file globs by @​chenrui333 in #​754
• fix: normalize refs-tag inputs by @​chenrui333 in #​755
• fix: expand tilde file paths by @​chenrui333 in #​756

Other Changes 🔄

• docs: clarify token precedence by @​chenrui333 in #​752
• docs: clarify GitHub release limits by @​chenrui333 in #​758
• documentation clarifications for empty-token handling, preserve_order, and special-character asset filename behavior

Full Changelog: softprops/action-gh-release@v2...v2.5.3

v2.5.2

Compare Source

2.5.2 is a patch release focused on the remaining release-creation and prerelease regressions in the 2.5.x bug-fix cycle.
It fixes #705, fixes #708, fixes #740, fixes #741, and fixes #722.
Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels,
same-filename concurrent uploads, and blocked-tag cleanup behavior.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: canonicalize releases after concurrent create by @​chenrui333 in #​746
• fix: preserve prereleased events for prereleases by @​chenrui333 in #​748
• fix: restore dotfile asset labels by @​chenrui333 in #​749
• fix: handle upload already_exists races across workflows by @​api2062 in #​745
• fix: clean up orphan drafts when tag creation is blocked by @​chenrui333 in #​750

New Contributors

• @​api2062 made their first contribution in #​745

Full Changelog: softprops/action-gh-release@v2...v2.5.2

v2.5.1

Compare Source

2.5.1 is a patch release focused on regressions introduced in 2.5.0 and on release lookup reliability.
It fixes #713, addresses #703, and fixes #724. Regression testing shows that
current master no longer reproduces the finalize-race behavior reported in #704 and #709.

What's Changed

Bug fixes 🐛

• fix: fetch correct asset URL after finalization; test; some refactoring by @​pzhlkj6612 in #​738
• fix: release marked as 'latest' despite make_latest: false by @​Boshen in #​715
• fix: use getReleaseByTag API instead of iterating all releases by @​kim-em in #​725

Other Changes 🔄

• dependency updates, including the ESM/runtime compatibility refresh in #​731

New Contributors

• @​autarch made their first contribution in #​716
• @​pzhlkj6612 made their first contribution in #​738
• @​Boshen made their first contribution in #​715
• @​kim-em made their first contribution in #​725

Full Changelog: softprops/action-gh-release@v2...v2.5.1

v2.5.0

Compare Source

What's Changed

Exciting New Features 🎉

• feat: mark release as draft until all artifacts are uploaded by @​dumbmoron in #​692

Other Changes 🔄

• chore(deps): bump the npm group across 1 directory with 5 updates by @​dependabot[bot] in #​697
• chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 in the github-actions group by @​dependabot[bot] in #​689

New Contributors

• @​dumbmoron made their first contribution in #​692

Full Changelog: softprops/action-gh-release@v2.4.2...v2.5.0

v2.4.2

Compare Source

What's Changed

Exciting New Features 🎉

• feat: Ensure generated release notes cannot be over 125000 characters by @​BeryJu in #​684

Other Changes 🔄

• dependency updates

New Contributors

• @​BeryJu made their first contribution in #​684

Full Changelog: softprops/action-gh-release@v2.4.1...v2.4.2

v2.4.1

Compare Source

What's Changed

Other Changes 🔄

• fix(util): support brace expansion globs containing commas in parseInputFiles by @​Copilot in #​672
• fix: gracefully fallback to body when body_path cannot be read by @​Copilot in #​671

Full Changelog: softprops/action-gh-release@v2...v2.4.1

v2.4.0

Compare Source

What's Changed

Exciting New Features 🎉

• feat(action): respect working_directory for files globs by @​stephenway in #​667

Other Changes 🔄

• chore(deps): bump the npm group with 2 updates by @​dependabot[bot] in #​668

Full Changelog: softprops/action-gh-release@v2.3.4...v2.4.0

v2.3.4

Compare Source

What's Changed

Bug fixes 🐛

• fix(action): handle 422 already_exists race condition by @​stephenway in #​665

Other Changes 🔄

• chore(deps): bump actions/setup-node from 4.4.0 to 5.0.0 in the github-actions group by @​dependabot[bot] in #​656
• chore(deps): bump @​types/node from 20.19.11 to 20.19.13 in the npm group by @​dependabot[bot] in #​655
• chore(deps): bump vite from 7.0.0 to 7.1.5 by @​dependabot[bot] in #​657
• chore(deps): bump the npm group across 1 directory with 2 updates by @​dependabot[bot] in #​662
• chore(deps): bump the npm group with 3 updates by @​dependabot[bot] in #​666

Full Changelog: softprops/action-gh-release@v2...v2.3.4

v2.3.3

Compare Source

What's Changed

Exciting New Features 🎉

• feat: add input option overwrite_files by @​asfernandes in #​343

Other Changes 🔄

• dependency updates

New Contributors

• @​asfernandes made their first contribution in #​343

Full Changelog: softprops/action-gh-release@v2...v2.3.3

v2.3.2

Compare Source

• fix: revert fs readableWebStream change

v2.3.1

Compare Source

What's Changed

Bug fixes 🐛

• fix: fix file closing issue by @​WailGree in #​629

New Contributors

• @​WailGree made their first contribution in #​629

Full Changelog: softprops/action-gh-release@v2.3.0...v2.3.1

v2.3.0

Compare Source

• Migrate from jest to vitest
• Replace mime with mime-types
• Bump to use node 24
• Dependency updates

Full Changelog: softprops/action-gh-release@v2.2.2...v2.3.0

v2.2.2

Compare Source

What's Changed

Bug fixes 🐛

• fix: updating release draft status from true to false by @​galargh in #​316

Other Changes 🔄

• chore: simplify ref_type test by @​steinybot in #​598
• fix(docs): clarify the default for tag_name by @​muzimuzhi in #​599
• test(release): add unit tests when searching for a release by @​rwaskiewicz in #​603
• dependency updates

New Contributors

• @​steinybot made their first contribution in #​598
• @​muzimuzhi made their first contribution in #​599
• @​galargh made their first contribution in #​316
• @​rwaskiewicz made their first contribution in #​603

Full Changelog: softprops/action-gh-release@v2.2.1...v2.2.2

v2.2.1

Compare Source

What's Changed

Bug fixes 🐛

• fix: big file uploads by @​xen0n in #​562

Other Changes 🔄

• chore(deps): bump @​types/node from 22.10.1 to 22.10.2 by @​dependabot in #​559
• chore(deps): bump @​types/node from 22.10.2 to 22.10.5 by @​dependabot in #​569
• chore: update error and warning messages for not matching files in files field by @​ytimocin in #​568

New Contributors

• @​ytimocin made their first contribution in #​568

Full Changelog: softprops/action-gh-release@v2.2.0...v2.2.1

v2.2.0

Compare Source

What's Change

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • "before 6am on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.