chore(deps): update all to v4 (major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	major	v3 → v4
actions/setup-node	action	major	v3 → v4
github/codeql-action	action	major	v2 → v4
google-github-actions/release-please-action	action	major	v3 → v4

---

Release Notes

actions/checkout (actions/checkout)

v4.3.1

Compare Source

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in #​2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

Compare Source

What's Changed

• docs: update README.md by @​motss in #​1971
• Add internal repos for checking out multiple repositories by @​mouismail in #​1977
• Documentation update - add recommended permissions to Readme by @​benwells in #​2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in #​2044
• Update README.md by @​nebuk89 in #​2194
• Update CODEOWNERS for actions by @​TingluoHuang in #​2224
• Update package dependencies by @​salmanmkc in #​2236
• Prepare release v4.3.0 by @​salmanmkc in #​2237

New Contributors

• @​motss made their first contribution in #​1971
• @​mouismail made their first contribution in #​1977
• @​benwells made their first contribution in #​2043
• @​nebuk89 made their first contribution in #​2194
• @​salmanmkc made their first contribution in #​2236

Full Changelog: actions/checkout@v4...v4.3.0

v4.2.2

Compare Source

• url-helper.ts now leverages well-known environment variables by @​jww3 in #​1941
• Expand unit test coverage for isGhes by @​jww3 in #​1946

v4.2.1

Compare Source

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in #​1924

v4.2.0

Compare Source

• Add Ref and Commit outputs by @​lucacome in #​1180
• Dependency updates by @​dependabot- #​1777, #​1872

v4.1.7

Compare Source

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in #​1739
• Bump actions/checkout from 3 to 4 by @​dependabot in #​1697
• Check out other refs/* by commit by @​orhantoy in #​1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in #​1776

v4.1.6

Compare Source

• Check platform to set archive extension appropriately by @​cory-miller in #​1732

v4.1.5

Compare Source

• Update NPM dependencies by @​cory-miller in #​1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in #​1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in #​1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in #​1695
• README: Suggest user.email to be 41898282+github-actions[bot]@​users.noreply.github.com by @​cory-miller in #​1707

v4.1.4

Compare Source

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in #​1692
• Add dependabot config by @​cory-miller in #​1688
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in #​1693
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in #​1643

v4.1.3

Compare Source

• Check git version before attempting to disable sparse-checkout by @​jww3 in #​1656
• Add SSH user parameter by @​cory-miller in #​1685
• Update actions/checkout version in update-main-version.yml by @​jww3 in #​1650

v4.1.2

Compare Source

• Fix: Disable sparse checkout whenever sparse-checkout option is not present @​dscho in #​1598

v4.1.1

Compare Source

• Correct link to GitHub Docs by @​peterbe in #​1511
• Link to release page from what's new section by @​cory-miller in #​1514

v4.1.0

Compare Source

• Add support for partial checkout filters

v4.0.0

Compare Source

• Support fetching without the --progress option
• Update to node20

v4

Compare Source

v3.6.0

Compare Source

• Fix: Mark test scripts with Bash'isms to be run via Bash
• Add option to fetch tags even if fetch-depth > 0

v3.5.3

Compare Source

• Fix: Checkout fail in self-hosted runners when faulty submodule are checked-in
• Fix typos found by codespell
• Add support for sparse checkouts

v3.5.2

Compare Source

• Fix api endpoint for GHES

v3.5.1

Compare Source

• Fix slow checkout on Windows

v3.5.0

Compare Source

• Add new public key for known_hosts

v3.4.0

Compare Source

• Upgrade codeql actions to v2
• Upgrade dependencies
• Upgrade @​actions/io

v3.3.0

Compare Source

• Implement branch list using callbacks from exec function
• Add in explicit reference to private checkout options
• Fix comment typos (that got added in #​770)

v3.2.0

Compare Source

• Add GitHub Action to perform release
• Fix status badge
• Replace datadog/squid with ubuntu/squid Docker image
• Wrap pipeline commands for submoduleForeach in quotes
• Update @​actions/io to 1.1.2
• Upgrading version to 3.2.0

v3.1.0

Compare Source

• Use @​actions/core saveState and getState
• Add github-server-url input

v3.0.2

Compare Source

• Add input set-safe-directory

v3.0.1

Compare Source

• Fixed an issue where checkout failed to run in container jobs due to the new git setting safe.directory
• Bumped various npm package versions

actions/setup-node (actions/setup-node)

v4.4.0

Compare Source

What's Changed

Bug fixes:

• Make eslint-compact matcher compatible with Stylelint by @​FloEdelmann in #​98
• Add support for indented eslint output by @​fregante in #​1245

Enhancement:

• Support private mirrors by @​marco-ippolito in #​1240

Dependency update:

• Upgrade @​action/cache from 4.0.2 to 4.0.3 by @​aparnajyothi-y in #​1262

New Contributors

• @​FloEdelmann made their first contribution in #​98
• @​fregante made their first contribution in #​1245
• @​marco-ippolito made their first contribution in #​1240

Full Changelog: actions/setup-node@v4...v4.4.0

v4.3.0

Compare Source

What's Changed

Dependency updates

• Upgrade @​actions/glob from 0.4.0 to 0.5.0 by @​dependabot in #​1200
• Upgrade @​action/cache from 4.0.0 to 4.0.2 by @​gowridurgad in #​1251
• Upgrade @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot in #​1203
• Upgrade @​actions/tool-cache from 2.0.1 to 2.0.2 by @​dependabot in #​1220

New Contributors

• @​gowridurgad made their first contribution in #​1251

Full Changelog: actions/setup-node@v4...v4.3.0

v4.2.0

Compare Source

What's Changed

• Enhance workflows and upgrade publish-actions from 0.2.2 to 0.3.0 by @​aparnajyothi-y in #​1174
• Add recommended permissions section to readme by @​benwells in #​1193
• Configure Dependabot settings by @​HarithaVattikuti in #​1192
• Upgrade @actions/cache to ^4.0.0 by @​priyagupta108 in #​1191
• Upgrade pnpm/action-setup from 2 to 4 by @​dependabot in #​1194
• Upgrade actions/publish-immutable-action from 0.0.3 to 0.0.4 by @​dependabot in #​1195
• Upgrade semver from 7.6.0 to 7.6.3 by @​dependabot in #​1196
• Upgrade @​types/jest from 29.5.12 to 29.5.14 by @​dependabot in #​1201
• Upgrade undici from 5.28.4 to 5.28.5 by @​dependabot in #​1205

New Contributors

• @​benwells made their first contribution in #​1193

Full Changelog: actions/setup-node@v4...v4.2.0

v4.1.0

Compare Source

What's Changed

• Resolve High Security Alerts by upgrading Dependencies by @​aparnajyothi-y in #​1132
• Upgrade IA Publish by @​Jcambass in #​1134
• Revise isGhes logic by @​jww3 in #​1148
• Add architecture to cache key by @​pengx17 in #​843
  This addresses issues with caching by adding the architecture (arch) to the cache key, ensuring that cache keys are accurate to prevent conflicts.
  Note: This change may break previous cache keys as they will no longer be compatible with the new format.

New Contributors

• @​jww3 made their first contribution in #​1148
• @​pengx17 made their first contribution in #​843

Full Changelog: actions/setup-node@v4...v4.1.0

v4.0.4

Compare Source

What's Changed

• Add workflow file for publishing releases to immutable action package by @​Jcambass in #​1125
• Enhance Windows ARM64 Setup and Update micromatch Dependency by @​priyagupta108 in #​1126

Documentation changes:

• Documentation update in the README file by @​suyashgaonkar in #​1106
• Correct invalid 'lts' version string reference by @​fulldecent in #​1124

New Contributors

• @​suyashgaonkar made their first contribution in #​1106
• @​priyagupta108 made their first contribution in #​1126
• @​Jcambass made their first contribution in #​1125
• @​fulldecent made their first contribution in #​1124

Full Changelog: actions/setup-node@v4...v4.0.4

v4.0.3

Compare Source

What's Changed

Bug fixes:

• Fix macos latest check failures by @​HarithaVattikuti in #​1041

Documentation changes:

• Documentation update to update default Node version to 20 by @​bengreeley in #​949

Dependency updates:

• Bump undici from 5.26.5 to 5.28.3 by @​dependabot in #​965
• Bump braces from 3.0.2 to 3.0.3 and other dependency updates by @​dependabot in #​1087

New Contributors

• @​bengreeley made their first contribution in #​949
• @​HarithaVattikuti made their first contribution in #​1041

Full Changelog: actions/setup-node@v4...v4.0.3

v4.0.2

Compare Source

What's Changed

• Add support for volta.extends by @​ThisIsManta in #​921
• Add support for arm64 Windows by @​dmitry-shibanov in #​927

New Contributors

• @​ThisIsManta made their first contribution in #​921

Full Changelog: actions/setup-node@v4.0.1...v4.0.2

v4.0.1

Compare Source

What's Changed

• Ignore engines in Yarn 1 e2e-cache tests by @​trivikr in #​882
• Update setup-node references in the README.md file to setup-node@​v4 by @​jwetzell in #​884
• Update reusable workflows to use Node.js v20 by @​MaksimZhukov in #​889
• Add fix for cache to resolve slow post action step by @​aparnajyothi-y in #​917
• Fix README.md by @​takayamaki in #​898
• Add package.json to node-version-file list of examples. by @​TWiStErRob in #​879
• Fix node-version-file interprets entire package.json as a version by @​NullVoxPopuli in #​865

New Contributors

• @​trivikr made their first contribution in #​882
• @​jwetzell made their first contribution in #​884
• @​aparnajyothi-y made their first contribution in #​917
• @​takayamaki made their first contribution in #​898
• @​TWiStErRob made their first contribution in #​879
• @​NullVoxPopuli made their first contribution in #​865

Full Changelog: actions/setup-node@v4...v4.0.1

v4.0.0

Compare Source

What's Changed

In scope of this release we changed version of node runtime for action from node16 to node20 and updated dependencies in #​866

Besides, release contains such changes as:

• Upgrade actions/checkout to v4 by @​gmembre-zenika in #​868
• Update actions/checkout for documentation and yaml by @​dmitry-shibanov in #​876

New Contributors

• @​gmembre-zenika made their first contribution in #​868

Full Changelog: actions/setup-node@v3...v4.0.0

v4

Compare Source

v3.9.1

Compare Source

What's Changed

• Add workflow file for publishing releases to immutable action package by @​aparnajyothi-y in #​1281

Full Changelog: actions/setup-node@v3...v3.9.1

v3.9.0

Compare Source

What's Changed

• Upgrade @​actions/cache to 4.0.3 by @​gowridurgad in #​1270
  In scope of this release we updated actions/cache package to ensure continued support and compatibility, as older versions of the package are now deprecated. For more information please refer to the toolkit/cache.

Full Changelog: actions/setup-node@v3...v3.9.0

v3.8.2

Compare Source

What's Changed

• Update semver by @​dmitry-shibanov in #​861
• Update temp directory creation by @​nikolai-laevskii in #​859
• Bump @​babel/traverse from 7.15.4 to 7.23.2 by @​dependabot in #​870
• Add notice about binaries not being updated yet by @​nikolai-laevskii in #​872
• Update toolkit cache and core by @​dmitry-shibanov and @​seongwon-privatenote in #​875

Full Changelog: actions/setup-node@v3...v3.8.2

v3.8.1

Compare Source

What's Changed

In scope of this release, the filter was removed within the cache-save step by @​dmitry-shibanov in #​831. It is filtered and checked in the toolkit/cache library.

Full Changelog: actions/setup-node@v3...v3.8.1

v3.8.0

Compare Source

What's Changed

Bug fixes:

• Add check for existing paths by @​dmitry-shibanov in #​803
• Resolve SymbolicLink by @​dmitry-shibanov in #​809
• Change passing logic for cache input by @​dmitry-shibanov in #​816
• Fix armv7 cache issue by @​louislam in #​794
• Update check-dist workflow name by @​sinchang in #​710

Feature implementations:

• feat: handling the case where "node" is used for tool-versions file. by @​xytis in #​812

Documentation changes:

• Refer to semver package name in README.md by @​olleolleolle in #​808

Update dependencies:

• Update toolkit cache to fix zstd by @​dmitry-shibanov in #​804
• Bump tough-cookie and @​azure/ms-rest-js by @​dependabot in #​802
• Bump semver from 6.1.2 to 6.3.1 by @​dependabot in #​807
• Bump word-wrap from 1.2.3 to 1.2.4 by @​dependabot in #​815

New Contributors

• @​olleolleolle made their first contribution in #​808
• @​louislam made their first contribution in #​794
• @​sinchang made their first contribution in #​710
• @​xytis made their first contribution in #​812

Full Changelog: actions/setup-node@v3...v3.8.0

v3.7.0

Compare Source

What's Changed

In scope of this release we added a logic to save an additional cache path for yarn 3 (related pull request and feature request). Moreover, we added functionality to use all the sub directories derived from cache-dependency-path input and add detect all dependencies directories to cache (related pull request and feature request).

Besides, we made such changes as:

• Replace workflow badge with new badge by @​jongwooo in #​653
• Fix a minor typo by @​phanan in #​662
• docs: fix typo in advanced-usage.md by @​remarkablemark in #​697
• bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by @​domdomegg in #​718
• Update to node 18.x by @​feelepxyz in #​751
• Remove implicit dependencies by @​nikolai-laevskii in #​758
• Fix description about ensuring workflow access to private package by @​x86chi in #​704

New Contributors

• @​jongwooo made their first contribution in #​653
• @​phanan made their first contribution in #​662
• @​remarkablemark made their first contribution in #​697
• @​domdomegg made their first contribution in #​718
• @​feelepxyz made their first contribution in #​751
• @​nikolai-laevskii made their first contribution in #​758
• @​x86chi made their first contribution in #​704

Full Changelog: actions/setup-node@v3...v3.7.0

v3.6.0: Add Support for Nightly, Canary and RC builds for Node.js

Compare Source

In scope of this release we added support to download nightly, rc (#​611) and canary (#​619) Node.js distributions.

For nightly versions:

jobs:
  build:
    runs-on: ubuntu-latest
    name: Node sample
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16-nightly'
      - run: npm ci
      - run: npm test

For canary versions:

jobs:
  build:
    runs-on: ubuntu-latest
    name: Node sample
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16-v8-canary’
      - run: npm ci
      - run: npm test

For rc versions:

jobs:
  build:
    runs-on: ubuntu-latest
    name: Node sample
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '16.0.0-rc.1’
      - run: npm ci
      - run: npm test

Note: For more examples please refer to documentation.

Besides, we added the following changes as:

• Updated minimatch: #​608
• Fixed extra newline character in version output when reading from a file: #​625
• Passed the token input through on GHES: #​595
• Fixed issue with scoped registries are duplicated in npmrc: #​637

v3.5.1: Update @​actions/core and Print Node, Npm, Yarn versions

Compare Source

In scope of this release we updated actions/core to 1.10.0. Moreover, we added logic to print Nodejs, Npm, Yarn versions after installation.

v3.5.0: Add support for engines.node and Volta

Compare Source

In scope of this release we add support for engines.node. The action will be able to grab the version form package.json#engines.node. #​485. Moreover, we added support for Volta

Besides, we updated @​actions/core to 1.9.1 and @​actions/cache to 3.0.4

v3.4.1: Fix pnpm output and node-version output issues

Compare Source

In scope of this release we fixed bugs related to the pnpm 7.5.1 output issue from pnpm store path #​545. Moreover we fixed the issue with falling on node-version output #​540.

v3.4.0: Add support for asdf format and update actions/cache version to 3.0.0

Compare Source

In scope of this release we updated actions/cache package as the new version contains fixes for caching error handling. Moreover, we added support for asdf format as Node.js version file #​373. Besides, we introduced new output node-version and added npm-shrinkwrap.json to dependency file patterns: #​439

v3.3.0: Add support for lts/-n aliases

Compare Source

In scope of this release we added support for lts/-n aliases, improve logic for current, latest and node aliases to handle them from toolcache, update ncc package.

Support of lts/-n aliases

• Related pull request: #​481
• Related issue: #​26

steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
  with:
    node-version: lts/-1
- run: npm ci
- run: npm test

Minor improvements

• Update zeit/ncc to vercel/ncc: #​476
• Get latest version from cache if exists: #​496

v3.2.0: Add current, node, latest aliases

Compare Source

In scope of this release we added new aliases to install the latest Node.js version. #​483

steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
  with:
    node-version: current
- run: npm ci
- run: npm test

v3.1.1: Update actions/cache version to 2.0.2

Compare Source

In scope of this release we updated actions/cache package as the new version contains fixes related to GHES 3.5 (#​460)

v3.1.0: Add caching support on GHES 3.5

Compare Source

In scope of this release we added support for caching from GHES 3.5 and fixed download issue for files > 2GB during restore. Besides, we updated actions/cache dependency to 2.0.0 version.

github/codeql-action (github/codeql-action)

v4.35.4

Compare Source

• Update default CodeQL bundle version to 2.25.4. #​3881

v4.35.3

Compare Source

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #​3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #​3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #​3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #​3852
• Update default CodeQL bundle version to 2.25.3. #​3865

v4.35.2

Compare Source

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #​3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #​3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #​3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #​3807
• Update default CodeQL bundle version to 2.25.2. #​3823

v4.35.1

Compare Source

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #​3781

v4.35.0

Compare Source

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #​3767
• Update default CodeQL bundle version to 2.25.1. #​3773

v4.34.1

Compare Source

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #​3762

v4.34.0

Compare Source

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #​3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #​3584
• Update default CodeQL bundle version to 2.25.0. #​3585

v4.33.0

Compare Source

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #​3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #​3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #​3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #​3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #​3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #​3570

v4.32.6

Compare Source

• Update default CodeQL bundle version to 2.24.3. #​3548

v4.32.5

Compare Source

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, se

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.