chore(deps): bump the actions-updates group across 1 directory with 3 updates

[dependabot]

Bumps the actions-updates group with 3 updates in the / directory: step-security/harden-runner, actions/create-github-app-token and release-plz/action.

Updates step-security/harden-runner from 2.13.1 to 2.16.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.16.0

What's Changed

• Updated action.yml to use node24
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-46g3-37rh-v698 for details.
• Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See GHSA-g699-3x6g-wm3g for details.

Full Changelog: step-security/harden-runner@v2.15.1...v2.16.0

v2.15.1

What's Changed

• Fixes step-security/harden-runner#642 bug due to which post step was failing on Windows ARM runners
• Updates npm packages

Full Changelog: step-security/harden-runner@v2.15.0...v2.15.1

v2.15.0

What's Changed

Windows and macOS runner support

We are excited to announce that Harden Runner now supports Windows and macOS runners, extending runtime security beyond Linux for the first time.

Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.

Full Changelog: step-security/harden-runner@v2.14.2...v2.15.0

v2.14.2

What's Changed

Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See GHSA-cpmj-h4f6-r6pq for details.

Full Changelog: step-security/harden-runner@v2.14.1...v2.14.2

v2.14.1

What's Changed

1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

v2.14.0

What's Changed

• Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
• Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.

Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0

... (truncated)

Commits

• fa2e9d6 Release v2.16.0 (#646)
• 58077d3 Release v2.15.1 (#641)
• a90bcbc Update readme (#637)
• f0a59d8 Release v2.15.0 (#639)
• 5ef0c07 Merge pull request #635 from step-security/rc-34
• eb43c7b update agent
• e3f713f Merge pull request #631 from step-security/rc-31
• 423acdd chore: fix npm audit vulnerabilities
• 0ddb86c update agent
• 20cf305 Merge pull request #622 from step-security/feature/custom-property-skip
• Additional commits viewable in compare view

Updates actions/create-github-app-token from 2.2.1 to 3.0.0

Release notes

Sourced from actions/create-github-app-token's releases.

v3.0.0

3.0.0 (2026-03-14)

• feat!: node 24 support (#275) (2e564a0)
• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (4451bcb)

Bug Fixes

• remove custom proxy handling (#143) (dce0ab0)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
• Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v3.0.0-beta.6

3.0.0-beta.6 (2026-03-13)

Bug Fixes

• deps: bump @​actions/core from 1.11.1 to 3.0.0 (#337) (b044133)
• deps: bump minimatch from 9.0.5 to 9.0.9 (#335) (5cbc656)
• deps: bump the production-dependencies group with 4 updates (#336) (6bda5bc)
• deps: bump undici from 7.16.0 to 7.18.2 (#323) (b4f638f)

v3.0.0-beta.5

3.0.0-beta.5 (2026-03-13)

• fix!: require NODE_USE_ENV_PROXY for proxy support (#342) (d53a1cd)

BREAKING CHANGES

• Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.

v3.0.0-beta.4

3.0.0-beta.4 (2026-03-13)

Bug Fixes

• deps: bump @​octokit/auth-app from 7.2.1 to 8.0.1 (#257) (bef1eaf)
• deps: bump @​octokit/request from 9.2.3 to 10.0.2 (#256) (5d7307b)
• deps: bump glob from 10.4.5 to 10.5.0 (#305) (5480f43)
• deps: bump p-retry from 6.2.1 to 7.1.0 (#294) (dce3be8)

... (truncated)

Commits

• f8d387b build(release): 3.0.0 [skip ci]
• d2129bd style: remove extra blank line in release workflow
• 77b94ef build: refresh generated artifacts
• 3ab4c66 chore: move undici to devDependencies
• 739cf66 docs: update README action versions
• db40289 build(deps): bump actions versions in test.yml
• 496a7ac test: migrate from AVA to Node.js native test runner (#346)
• 3870dc3 Rename end-to-end proxy job in test workflow
• 4451bcb fix!: require NODE_USE_ENV_PROXY for proxy support (#342)
• dce0ab0 fix: remove custom proxy handling (#143)
• Additional commits viewable in compare view

Updates release-plz/action from 0.5.118 to 0.5.128

Release notes

Sourced from release-plz/action's releases.

v0.5.128

What's Changed

• fix action ci by accepting 422 error by @​marcoieni in release-plz/action#264
• chore(deps): update github actions by @​renovate[bot] in release-plz/action#245
• chore(deps): update rust crate clap to v4.5.59 by @​renovate[bot] in release-plz/action#246
• chore(deps): lock file maintenance by @​renovate[bot] in release-plz/action#254
• fix(deps): update rust crate git_cmd to 0.6.0 by @​renovate[bot] in release-plz/action#247
• update cargo-semver-checks version automatically by @​marcoieni in release-plz/action#266
• fix(deps): update rust crate next_version to 0.3.0 by @​renovate[bot] in release-plz/action#250
• renovate: update github actions in action.yml file by @​marcoieni in release-plz/action#268
• fix(deps): update rust crate inquire to 0.9.0 by @​renovate[bot] in release-plz/action#248
• renovate: update cargo-binstall in action.yml file by @​marcoieni in release-plz/action#269
• chore(deps): update dependency cargo-bins/cargo-binstall to v1.17.5 by @​renovate[bot] in release-plz/action#270
• renovate: fix cargo-semver-checks update by @​marcoieni in release-plz/action#271
• renovate: update config by @​marcoieni in release-plz/action#273
• chore(deps): update dependency taiki-e/install-action to v2.68.1 by @​renovate[bot] in release-plz/action#274
• chore(deps): update dependency taiki-e/install-action to v2.68.2 by @​renovate[bot] in release-plz/action#275
• chore(deps): update dependency taiki-e/install-action to v2.68.3 by @​renovate[bot] in release-plz/action#276
• chore(deps): update dependency taiki-e/install-action to v2.68.4 by @​renovate[bot] in release-plz/action#277
• chore(deps): update dependency taiki-e/install-action to v2.68.5 by @​renovate[bot] in release-plz/action#278
• chore(deps): update dependency taiki-e/install-action to v2.68.6 by @​renovate[bot] in release-plz/action#279
• chore(deps): update dependency taiki-e/install-action to v2.68.7 by @​renovate[bot] in release-plz/action#281
• chore(deps): lock file maintenance by @​renovate[bot] in release-plz/action#282
• chore(deps): update dependency taiki-e/install-action to v2.68.8 by @​renovate[bot] in release-plz/action#283
• chore(deps): update dependency taiki-e/install-action to v2.68.9 by @​renovate[bot] in release-plz/action#284
• chore(deps): update dependency taiki-e/install-action to v2.68.10 by @​renovate[bot] in release-plz/action#285
• chore(deps): update dependency taiki-e/install-action to v2.68.11 by @​renovate[bot] in release-plz/action#286
• chore(deps): update dependency taiki-e/install-action to v2.68.12 by @​renovate[bot] in release-plz/action#287
• chore(deps): update dependency taiki-e/install-action to v2.68.13 by @​renovate[bot] in release-plz/action#288
• chore(deps): update dependency taiki-e/install-action to v2.68.14 by @​renovate[bot] in release-plz/action#289
• chore(deps): update cargo-bins/cargo-binstall action to v1.17.6 by @​renovate[bot] in release-plz/action#280
• chore(deps): update dependency cargo-bins/cargo-binstall to v1.17.6 by @​renovate[bot] in release-plz/action#290
• chore(deps): update dependency taiki-e/install-action to v2.68.15 by @​renovate[bot] in release-plz/action#291
• chore(deps): lock file maintenance by @​renovate[bot] in release-plz/action#293
• chore(deps): update dependency taiki-e/install-action to v2.68.16 by @​renovate[bot] in release-plz/action#294
• chore(deps): update dependency taiki-e/install-action to v2.68.17 by @​renovate[bot] in release-plz/action#295
• chore(deps): update dependency taiki-e/install-action to v2.68.18 by @​renovate[bot] in release-plz/action#296
• chore(deps): update dependency taiki-e/install-action to v2.68.19 by @​renovate[bot] in release-plz/action#297
• chore(deps): update dependency taiki-e/install-action to v2.68.20 by @​renovate[bot] in release-plz/action#298
• chore(deps): update dependency taiki-e/install-action to v2.68.21 by @​renovate[bot] in release-plz/action#299
• Update to 0.3.157 by @​marcoieni in release-plz/action#300
• chore(deps): update cargo-bins/cargo-binstall action to v1.17.7 by @​renovate[bot] in release-plz/action#292

Full Changelog: release-plz/action@v0.5...v0.5.128

v0.5.127

What's Changed

• Update to 0.3.156 by @​marcoieni in release-plz/action#263

... (truncated)

Commits

• 1528104 chore(deps): update cargo-bins/cargo-binstall action to v1.17.7 (#292)
• 7ae6a1e Update to 0.3.157 (#300)
• 9872b1d chore(deps): update dependency taiki-e/install-action to v2.68.21 (#299)
• 1f68a2f chore(deps): update dependency taiki-e/install-action to v2.68.20 (#298)
• 747e375 chore(deps): update dependency taiki-e/install-action to v2.68.19 (#297)
• 5efa360 chore(deps): update dependency taiki-e/install-action to v2.68.18 (#296)
• d92a286 chore(deps): update dependency taiki-e/install-action to v2.68.17 (#295)
• d5a6bf3 chore(deps): update dependency taiki-e/install-action to v2.68.16 (#294)
• 357de01 chore(deps): lock file maintenance (#293)
• 38c172f chore(deps): update dependency taiki-e/install-action to v2.68.15 (#291)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions