chore(deps): update github-actions non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Pending
actions/cache	action	patch	v5 → v5.0.5
actions/checkout	action	patch	v6 → v6.0.2
actions/download-artifact	action	patch	v8 → v8.0.1
actions/setup-node	action	minor	v6 → v6.4.0
cypress-io/github-action	action	minor	v6 → v6.10.9
github/codeql-action	action	patch	v4.35.1 → v4.35.4	v4.35.5

---

Release Notes

actions/cache (actions/cache)

v5.0.5

Compare Source

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in #​1747

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

Compare Source

v5.0.3

Compare Source

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v5.0.2

Compare Source

v5.0.1

Compare Source

actions/checkout (actions/checkout)

v6.0.2

Compare Source

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in #​2356

v6.0.1

Compare Source

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in #​471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in #​472

Full Changelog: actions/download-artifact@v8...v8.0.1

actions/setup-node (actions/setup-node)

v6.4.0

Compare Source

v6.3.0

Compare Source

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in #​1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in #​1495

New Contributors

• @​susnux made their first contribution in #​1283

Full Changelog: actions/setup-node@v6...v6.3.0

v6.2.0

Compare Source

v6.1.0

Compare Source

What's Changed

Enhancement:

• Remove always-auth configuration handling by @​priyagupta108 in #​1436

Dependency updates:

• Upgrade @​actions/cache from 4.0.3 to 4.1.0 by @​dependabot[bot] in #​1384
• Upgrade actions/checkout from 5 to 6 by @​dependabot[bot] in #​1439
• Upgrade js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in #​1435

Documentation update:

• Add example for restore-only cache in documentation by @​aparnajyothi-y in #​1419

Full Changelog: actions/setup-node@v6...v6.1.0

cypress-io/github-action (cypress-io/github-action)

v6.10.9

Compare Source

Bug Fixes

• deps: update @​actions/* and debug (#​1638) (f790eee)

v6.10.8

Compare Source

Bug Fixes

• deps: update @​octokit/core to 7.0.6 (#​1615) (2ad32e6)

v6.10.7

Compare Source

Bug Fixes

• deps: update GitHub actions/toolkit dependencies (#​1612) (fa1d27a)

v6.10.6

Compare Source

Bug Fixes

• deps: update next to 16.0.10 (#​1607) (d842ab1)

v6.10.5

Compare Source

Bug Fixes

• deps: update next to 16.0.8 (#​1604) (e3ff965)

v6.10.4

Compare Source

Bug Fixes

• deps: update @​vercel/ncc to 0.38.4 (#​1581) (7ef72e2)

v6.10.3

Compare Source

Bug Fixes

• add type commonjs to package.json (#​1544) (e65cba2)

v6.10.2

Compare Source

Bug Fixes

• deps: update form-data to 2.5.5 (CVE-2025-7783) (#​1507) (b8ba51a)

v6.10.1

Compare Source

Bug Fixes

• deps: update brace-expansion (#​1486) (6c143ab)

v6.10.0

Compare Source

Features

• deps: remove node.js 23 (#​1479) (615dcf6)

v6.9.2

Compare Source

Bug Fixes

• ci: update semantic-version to 24.2.3 (#​1465) (be1bab9)

v6.9.1

Compare Source

Bug Fixes

• deps: update undici transitive dependency (#​1463) (a04b1ce)

v6.9.0

Compare Source

Features

• validate other parameters against command parameter when used (#​1445) (0ee1130)

v6.8.0

Compare Source

Features

• deps: remove node.js 18 (#​1446) (6d4f8f5)

v6.7.16

Compare Source

Bug Fixes

• pass baseUrl into Octokit constructor (#​1395) (108b868)

v6.7.15

Compare Source

Bug Fixes

• pass GITHUB_API_URL for GitHub Enterprise (#​1388) (01ab638)

v6.7.14

Compare Source

Bug Fixes

• deps: update @​actions/cache to 4.0.2 (#​1380) (9c318d4)

v6.7.13

Compare Source

Bug Fixes

• deps: refresh lockfile dependencies (#​1369) (1052aa9)

v6.7.12

Compare Source

Bug Fixes

• deps: update @​octokit/core to 6.1.4 (#​1361) (18a6541)

v6.7.11

Compare Source

Bug Fixes

• deps: update @​actions/cache to 4.0.1 (#​1359) (d8ecebb)

v6.7.10

Compare Source

Bug Fixes

• deps: update undici to 5.28.5 (#​1348) (433264a)

v6.7.9

Compare Source

Bug Fixes

• deps: update @​actions/cache to 4.0.0 (#​1342) (b86ab8d)

v6.7.8

Compare Source

Bug Fixes

• deps: update debug to 4.4.0 (#​1329) (6436c09)

v6.7.7

Compare Source

Bug Fixes

• deps: update @​actions/toolkit (#​1294) (f1f0912)

v6.7.6

Compare Source

Bug Fixes

• deps: update debug to 4.3.7 (#​1251) (0da3c06)

v6.7.5

Compare Source

Bug Fixes

• deps: update to semantic-release 24.1.0 (#​1244) (496e7dc)

v6.7.4

Compare Source

Bug Fixes

• republish action (#​1242) (c47c901)

v6.7.3

Compare Source

Bug Fixes

• deps: update micromatch to 4.0.8 (#​1239) (57f6235)

v6.7.2

Compare Source

Bug Fixes

• deps: update debug to 4.3.6 (#​1224) (df7484c)

v6.7.1

Compare Source

Bug Fixes

• deps: update to braces 3.0.3 (#​1199) (8d39186)

v6.7.0

Compare Source

Features

• deps: remove node.js 21 (#​1189) (f88a151)

v6.6.1

Compare Source

Bug Fixes

• deps: update cycjimmy/semantic-release-action to v4 (#​1112) (1b70233)

v6.6.0

Compare Source

Features

• add optional job summary-title parameter (#​1056) (ebe8b24)

v6.5.0

Compare Source

Features

• deps: remove node.js 16 (#​1021) (59810eb)

v6.4.0

Compare Source

Features

• [CYCLOUD-1447] Auto-detect PR numbers (#​1009) (7215fc1), closes #​1005 #​1008 #​1010 #​1012 #​1013

v6.3.0

Compare Source

Features

• recommend v6 as standard action version (#​1014) (fd50b62)

v6.2.0

Compare Source

Features

• deps: update cypress to 13.0.0 (#​1012) (d5d4c90)

v6.1.0

Compare Source

Features

• archive v9 examples (#​999) (a6333aa)

v6.0.1

Compare Source

Bug Fixes

• deps: npm audit fix vulnerabilities (#​1000) (fa88e4a)

github/codeql-action (github/codeql-action)

v4.35.4

Compare Source

• Update default CodeQL bundle version to 2.25.4. #​3881

v4.35.3

Compare Source

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #​3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #​3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #​3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #​3852
• Update default CodeQL bundle version to 2.25.3. #​3865

v4.35.2

Compare Source

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #​3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #​3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #​3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #​3807
• Update default CodeQL bundle version to 2.25.2. #​3823

---

Configuration

📅 Schedule: (in timezone Europe/Oslo)

• Branch creation
  • "before 07:00 on Thursday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud