[ci][skip-ci](deps): Bump the github-actions group with 5 updates

[dependabot]

Bumps the github-actions group with 5 updates:

Package	From	To
actions/upload-artifact	4.6.2	5.0.0
actions/download-artifact	5.0.0	6.0.0
github/codeql-action	3.30.6	4.31.0
rojopolis/spellcheck-github-actions	0.52.0	0.53.0
trufflesecurity/trufflehog	3.90.11	3.90.12

Updates actions/upload-artifact from 4.6.2 to 5.0.0

Release notes

Sourced from actions/upload-artifact's releases.

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README.md by @​GhadimiR in actions/upload-artifact#681
• Update README.md by @​nebuk89 in actions/upload-artifact#712
• Readme: spell out the first use of GHES by @​danwkennedy in actions/upload-artifact#727
• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in actions/upload-artifact#725
• Bump @actions/artifact to v4.0.0
• Prepare v5.0.0 by @​danwkennedy in actions/upload-artifact#734

New Contributors

• @​GhadimiR made their first contribution in actions/upload-artifact#681
• @​nebuk89 made their first contribution in actions/upload-artifact#712
• @​danwkennedy made their first contribution in actions/upload-artifact#727
• @​patrikpolyak made their first contribution in actions/upload-artifact#725

Full Changelog: actions/upload-artifact@v4...v5.0.0

Commits

• 330a01c Merge pull request #734 from actions/danwkennedy/prepare-5.0.0
• 03f2824 Update github.dep.yml
• 905a1ec Prepare v5.0.0
• 2d9f9cd Merge pull request #725 from patrikpolyak/patch-1
• 9687587 Merge branch 'main' into patch-1
• 2848b2c Merge pull request #727 from danwkennedy/patch-1
• 9b51177 Spell out the first use of GHES
• cd231ca Update GHES guidance to include reference to Node 20 version
• de65e23 Merge pull request #712 from actions/nebuk89-patch-1
• 8747d8c Update README.md
• Additional commits viewable in compare view

Updates actions/download-artifact from 5.0.0 to 6.0.0

Release notes

Sourced from actions/download-artifact's releases.

v6.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README for download-artifact v5 changes by @​yacaovsnc in actions/download-artifact#417
• Update README with artifact extraction details by @​yacaovsnc in actions/download-artifact#424
• Readme: spell out the first use of GHES by @​danwkennedy in actions/download-artifact#431
• Bump @actions/artifact to v4.0.0
• Prepare v6.0.0 by @​danwkennedy in actions/download-artifact#438

New Contributors

• @​danwkennedy made their first contribution in actions/download-artifact#431

Full Changelog: actions/download-artifact@v5...v6.0.0

Commits

• 018cc2c Merge pull request #438 from actions/danwkennedy/prepare-6.0.0
• 815651c Revert "Remove github.dep.yml"
• bb3a066 Remove github.dep.yml
• fa1ce46 Prepare v6.0.0
• 4a24838 Merge pull request #431 from danwkennedy/patch-1
• 5e3251c Readme: spell out the first use of GHES
• abefc31 Merge pull request #424 from actions/yacaovsnc/update_readme
• ac43a60 Update README with artifact extraction details
• de96f46 Merge pull request #417 from actions/yacaovsnc/update_readme
• 7993cb4 Remove migration guide for artifact download changes
• Additional commits viewable in compare view

Updates github/codeql-action from 3.30.6 to 4.31.0

Release notes

Sourced from github/codeql-action's releases.

v4.31.0

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.31.0 - 24 Oct 2025

• Bump minimum CodeQL bundle version to 2.17.6. #3223
• When SARIF files are uploaded by the analyze or upload-sarif actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the upload-sarif action. For analyze, this may affect Advanced Setup for CodeQL users who specify a value other than always for the upload input. #3222

See the full CHANGELOG.md for more information.

v4.30.9

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.30.9 - 17 Oct 2025

• Update default CodeQL bundle version to 2.23.3. #3205
• Experimental: A new setup-codeql action has been added which is similar to init, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #3204

See the full CHANGELOG.md for more information.

v4.30.8

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.30.8 - 10 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v4.30.7

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

4.30.7 - 06 Oct 2025

• [v4+ only] The CodeQL Action now runs on Node.js v24. #3169

See the full CHANGELOG.md for more information.

v3.31.0

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

• The add-snippets input has been removed from the analyze action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.

4.31.0 - 24 Oct 2025

• Bump minimum CodeQL bundle version to 2.17.6. #3223
• When SARIF files are uploaded by the analyze or upload-sarif actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the upload-sarif action. For analyze, this may affect Advanced Setup for CodeQL users who specify a value other than always for the upload input. #3222

4.30.9 - 17 Oct 2025

• Update default CodeQL bundle version to 2.23.3. #3205
• Experimental: A new setup-codeql action has been added which is similar to init, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #3204

4.30.8 - 10 Oct 2025

No user facing changes.

4.30.7 - 06 Oct 2025

• [v4+ only] The CodeQL Action now runs on Node.js v24. #3169

3.30.6 - 02 Oct 2025

• Update default CodeQL bundle version to 2.23.2. #3168

3.30.5 - 26 Sep 2025

• We fixed a bug that was introduced in 3.30.4 with upload-sarif which resulted in files without a .sarif extension not getting uploaded. #3160

3.30.4 - 25 Sep 2025

• We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the codeql-action/init step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the codeql-action/init step. #3099 and #3100
• We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. #3107
• You can now run the latest CodeQL nightly bundle by passing tools: nightly to the init action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. #3130
• Update default CodeQL bundle version to 2.23.1. #3118

3.30.3 - 10 Sep 2025

No user facing changes.

3.30.2 - 09 Sep 2025

• Fixed a bug which could cause language autodetection to fail. #3084
• Experimental: The quality-queries input that was added in 3.29.2 as part of an internal experiment is now deprecated and will be removed in an upcoming version of the CodeQL Action. It has been superseded by a new analysis-kinds input, which is part of the same internal experiment. Do not use this in production as it is subject to change at any time. #3064

... (truncated)

Commits

• 4e94bd1 Merge pull request #3235 from github/update-v4.31.0-1d36546c1
• 8f11182 Update changelog for v4.31.0
• 1d36546 Merge pull request #3234 from github/mbg/changelog/post-processing
• 08ada26 Add changelog entry for post-processing change
• b843cbe Merge pull request #3233 from github/mbg/getOptionalEnvVar
• 1ecd563 Use getOptionalEnvVar in writePostProcessedFiles
• e576807 Merge pull request #3223 from github/henrymercer/bump-minimum
• ad35676 Add getOptionalEnvVar function
• d75645b Merge pull request #3222 from github/mbg/upload-lib/post-process
• 710606c Check that outputPath is non-empty
• Additional commits viewable in compare view

Updates rojopolis/spellcheck-github-actions from 0.52.0 to 0.53.0

Release notes

Sourced from rojopolis/spellcheck-github-actions's releases.

0.53.0

What's Changed

• Bump rojopolis/spellcheck-github-actions from 0.51.0 to 0.52.0 by @​dependabot[bot] in rojopolis/spellcheck-github-actions#268
• Bump docker/login-action from 3.5.0 to 3.6.0 by @​dependabot[bot] in rojopolis/spellcheck-github-actions#271
• Bump python from 5fa2567 to e3a6ccb by @​dependabot[bot] in rojopolis/spellcheck-github-actions#274

Full Changelog: rojopolis/spellcheck-github-actions@0.52.0...0.53.0

Changelog

Sourced from rojopolis/spellcheck-github-actions's changelog.

Change Log for spellcheck-github-actions

0.53.0, 2025-10-25, maintenance release, update not required

• Docker image updated to Python 3.14.0 trixie slim Release notes for Python 3.14.0, this originated from the PR mentioned below, however updated to Trixie from Bookworm and as always the slim variant is used

• Bumped the requirement for cython to 3.0.11 or above, addressing a build issue with lxml, located when testing the PR : #274 from @​dependabot, the above update of Python

• In general the Docker build file had a few updates since the above changes required some tweaking of the Dockerfile

  • Order of installation of dependencies adjusted to ensure that lxml can build correctly
  • Installation of:
    • build-essential
    • pkg-config
    • libxml2-dev
    • libxslt1-dev
    • zlib1g-dev

0.52.0, 2025-09-10, feature release, update not required

• With version 2.11 of PySpelling a new command line option --skip-dict-compile is introduced to PySpelling and is adopted by this action. This will skip the dictionary compiling step if the dictionary already exists. Changes to a custom dictionary will be ignored., see the release notes for PySpelling. Do see the updated documentation for details.

  • The feature can be enabled by setting the input parameter skip_dict_compile to true, the default is false, meaning that the dictionary will be compiled on each run of the action.
  • This can save time if you have a large custom dictionary that does not change often.

• Docker image updated to Python 3.13.7 bookworm slim Release notes for Python 3.13.7

0.51.0, 2025-06-20, maintenance release, update not required

• Docker image updated to Python 3.13.5 slim via PR #249 from Dependabot. Release notes for Python 3.13.5

0.50.0, 2025-06-16, maintenance release, update not required

• Docker image updated to Python 3.13.4 slim via PR #246 from Dependabot. Release notes for Python 3.13.4

0.49.0, 2025-05-22, feature release, update not required

• Support for Italian as requested by: Stefan Oderbolz (@​metaodi) via issue #241, the support is both for aspell and hunspell

• Docker image updated to Python 3.13.3 slim via PR #238 from Dependabot. Release notes for Python 3.13.3

• pymdown-extensions have been updated to: 10.15.0 hopefully addressing the issue outlined in issue #233 from: Micha Hobert (@​Isengo1989). @​facelessuser made the release of the dependency and I have included it in this release

0.48.0, 2025-04-01, feature release, update not required

• Support for hunspell via PR #224 from @​funkill

  These opens up for use of hunspell instead of the default: aspell. The following languages are supported:

  • English
  • German

... (truncated)

Commits

• 336d2b4 Bumped version in action.yml and documentation (README)
• 4492229 Merge pull request #274 from rojopolis/dependabot/docker/python-e3a6ccbe44d9c...
• 141ebda More words in local dictionary
• 9434b6f Update to Docker image to use Trixie (slim) instead of Bookwork (also slim) a...
• 84bd099 Added cython to local dictionary
• d126a3c Resolved issue with cython and lxml when building based on this PR
• 2b2d5bf Bump python from 5fa2567 to e3a6ccb
• faa1652 Merge pull request #271 from rojopolis/dependabot/github_actions/docker/login...
• eef18ee Bump docker/login-action from 3.5.0 to 3.6.0
• 19bf2a1 Merge pull request #268 from rojopolis/dependabot/github_actions/rojopolis/sp...
• Additional commits viewable in compare view

Updates trufflesecurity/trufflehog from 3.90.11 to 3.90.12

Release notes

Sourced from trufflesecurity/trufflehog's releases.

v3.90.12

What's Changed

• Updated Docker source with new test cases and README by @​kashifkhan0771 in trufflesecurity/trufflehog#4481
• Comment out broken CircleCI integration test by @​trufflesteeeve in trufflesecurity/trufflehog#4505
• Fix "skipping binary file" logging to show actual file name by @​mariduv in trufflesecurity/trufflehog#4509
• Refactored circleci source test cases by @​kashifkhan0771 in trufflesecurity/trufflehog#4506
• added ability to run github-experimental against private repos by @​joeleonjr in trufflesecurity/trufflehog#4508
• explicit repositories now bypass wantRepo() filtering entirely. added ctx to newConnector by @​jordanTunstill in trufflesecurity/trufflehog#4507
• Remove include repos by @​jordanTunstill in trufflesecurity/trufflehog#4469
• Remove depaware by @​rosecodym in trufflesecurity/trufflehog#4515

Full Changelog: trufflesecurity/trufflehog@v3.90.11...v3.90.12

Commits

• b84c3d1 Remove depaware (#4515)
• 24c73b0 Remove include repos (#4469)
• 0f60f6e explicit repositories now bypass wantRepo() filtering entirely. added ctx to ...
• fd007c7 add ability to run github-experimental against private repos (#4508)
• bef5eb6 Refactored circleci source test cases (#4506)
• 7ba7a00 Fix "skipping binary file" logging to show actual file name (#4509)
• 7d61a4b Comment out broken CircleCI integration test (#4505)
• ec61ad9 Updated Docker source with new test cases and README (#4481)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[Nick2bad4u]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[github-actions]

Greetings, thanks for opening a pull request, I'll look when I can.

[codecov]

Bundle Report

Bundle size has no change ✅

[codecov]

❌ 3 Tests Failed:

Tests completed	Failed	Passed	Skipped
13741	3	13738	0

View the top 1 failed test(s) by shortest run time

src/test/components/AddSiteForm/AddSiteForm.input-fuzzing.test.tsx > AddSiteForm User Input Fuzzing > Port Number Validation > should handle invalid port number inputs appropriately (with seed=-846506115)

Stack Traces | 15.5s run time

Error: Test timed out in 15000ms.
If this is a long-running test, pass a timeout value as the last argument or configure it globally with "testTimeout".
 ❯ Object.taskCollectorBuilder node_modules/@.../lib/internals/TestAlongGenerator.js:9:23
 ❯ buildTestWithPropRunner node_modules/@.../lib/internals/TestWithPropRunnerBuilder.js:21:5
 ❯ node_modules/@.../lib/internals/TestBuilder.js:34:49
 ❯ .../components/AddSiteForm/AddSiteForm.input-fuzzing.test.tsx:868:9

View the full list of 2 ❄️ flaky test(s)

electron/test/services/window/WindowService.test.ts > WindowService > window events > should handle ready-to-show event

Flake rate in main: 56.28% (Passed 202 times, Failed 260 times)

Stack Traces | 0.00307s run time

AssertionError: expected "vi.fn()" to be called at least once
 ❯ .../services/window/WindowService.test.ts:379:33

src/test/edge-cases-100-coverage.test.ts > 100% Coverage Edge Cases > Error Conversion Edge Cases > should handle Date objects as errors

Flake rate in main: 96.81% (Passed 3 times, Failed 91 times)

Stack Traces | 0.00618s run time

AssertionError: expected 'Sun Jan 01 2023 00:00:00 GMT+0000 (Co…' to contain '2022'

Expected: "2022"
Received: "Sun Jan 01 2023 00:00:00 GMT+0000 (Coordinated Universal Time)"

 ❯ src/test/edge-cases-100-coverage.test.ts:404:36

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}