From cc8d1b32f4e7b65b9687462f21780f77727c9d40 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 21 Jun 2026 04:34:41 +0000
Subject: [PATCH] build(deps): bump the github-actions group across 1 directory
 with 3 updates

Bumps the github-actions group with 3 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [jdx/mise-action](https://github.com/jdx/mise-action) and [pnpm/action-setup](https://github.com/pnpm/action-setup).


Updates `actions/checkout` from 6.0.3 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/df4cb1c069e1874edd31b4311f1884172cec0e10...9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0)

Updates `jdx/mise-action` from 4.1.0 to 4.2.0
- [Release notes](https://github.com/jdx/mise-action/releases)
- [Changelog](https://github.com/jdx/mise-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jdx/mise-action/compare/dba19683ed58901619b14f395a24841710cb4925...e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d)

Updates `pnpm/action-setup` from 6.0.8 to 6.0.9
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](https://github.com/pnpm/action-setup/compare/0e279bb959325dab635dd2c09392533439d90093...0ebf47130e4866e96fce0953f49152a61190b271)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: jdx/mise-action
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: pnpm/action-setup
  dependency-version: 6.0.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/ci.yml                    | 30 ++++++++++-----------
 .github/workflows/codeql.yml                |  2 +-
 .github/workflows/commitlint.yml            |  4 +--
 .github/workflows/och-self-scan.yml         |  4 +--
 .github/workflows/osv.yml                   |  2 +-
 .github/workflows/pages.yml                 |  4 +--
 .github/workflows/pre-release-gate.yml      | 16 +++++------
 .github/workflows/release.yml               |  8 +++---
 .github/workflows/scorecard.yml             |  2 +-
 .github/workflows/semgrep.yml               |  2 +-
 .github/workflows/verify-global-install.yml |  6 ++---
 11 files changed, 40 insertions(+), 40 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e2b49669..36d0be40 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,16 +17,16 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
-      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
+      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4
       - run: pnpm install --frozen-lockfile --ignore-scripts
       - run: pnpm exec biome ci .
 
   typecheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
-      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
+      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4
       - run: pnpm install --frozen-lockfile --ignore-scripts
       - name: Build workspace .d.ts so cross-package types resolve
         # Skip @opencodehub/docs — its build runs astro + rehype-mermaid +
@@ -55,8 +55,8 @@ jobs:
     env:
       MISE_NODE_VERSION: ${{ matrix.node-version }}
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
-      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
+      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4
       - run: pnpm install --frozen-lockfile --ignore-scripts
       # Remove any stale build output before the incremental `tsc -b` build.
       # A `.test.ts` deleted in source leaves its compiled `dist/**/*.test.js`
@@ -98,8 +98,8 @@ jobs:
       MISE_NODE_VERSION: ${{ matrix.node-version }}
       CODEHUB_PLATFORM: "1" # set via env: (not an inline prefix) so it works on Windows cmd too
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
-      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
+      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4
       - run: pnpm install --frozen-lockfile --ignore-scripts
       # Mirror the `test` lane: prune stale build output so a deleted-in-source
       # `dist/**/*.test.js` can't run against an interface it no longer matches.
@@ -115,8 +115,8 @@ jobs:
   sarif-validate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
-      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
+      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4
       - run: pnpm install --frozen-lockfile --ignore-scripts
       - run: pnpm -F @opencodehub/sarif build
       - run: pnpm -F @opencodehub/sarif run validate-schema
@@ -124,7 +124,7 @@ jobs:
   banned-strings:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
       - run: bash scripts/check-banned-strings.sh
 
   no-dist-cache:
@@ -134,14 +134,14 @@ jobs:
     # that no longer exists. Cache the pnpm store for speed — never dist/.
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
       - run: bash scripts/check-no-dist-cache.sh
 
   licenses:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
-      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
+      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4
       - run: pnpm install --frozen-lockfile --ignore-scripts
       - name: license allowlist
         # Root is `private: true` with no runtime deps post-collapse; scan
@@ -171,7 +171,7 @@ jobs:
       contents: read
       security-events: write
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
       - name: Install osv-scanner
         run: |
           curl -sL -o /tmp/osv-scanner \
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 596fc027..ccb59537 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,7 +27,7 @@ jobs:
       matrix:
         language: [javascript-typescript, python]
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
       - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e  # v4
         with:
           languages: ${{ matrix.language }}
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
index 37c2089b..623e9fad 100644
--- a/.github/workflows/commitlint.yml
+++ b/.github/workflows/commitlint.yml
@@ -12,10 +12,10 @@ jobs:
   commitlint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           fetch-depth: 0
-      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4
+      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4
       - run: pnpm install --frozen-lockfile --ignore-scripts
       - name: Validate PR commit messages
         run: |
diff --git a/.github/workflows/och-self-scan.yml b/.github/workflows/och-self-scan.yml
index 0de00356..ea3307ba 100644
--- a/.github/workflows/och-self-scan.yml
+++ b/.github/workflows/och-self-scan.yml
@@ -24,11 +24,11 @@ jobs:
       security-events: write
       issues: write
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           fetch-depth: 0
 
-      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4
+      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4
 
       - name: Cache pnpm store
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
diff --git a/.github/workflows/osv.yml b/.github/workflows/osv.yml
index 14374ab2..c3f5acb3 100644
--- a/.github/workflows/osv.yml
+++ b/.github/workflows/osv.yml
@@ -24,7 +24,7 @@ jobs:
       contents: read
       security-events: write
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
       - name: Install osv-scanner
         run: |
           curl -sL -o /tmp/osv-scanner \
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
index e19df0a1..af6a0685 100644
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@@ -21,8 +21,8 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
-      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4.1.0
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
+      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4.2.0
       # NOTE: --ignore-scripts removed so sharp's native binary download
       # and Playwright's chromium install (via rehype-mermaid) are allowed.
       - run: pnpm install --frozen-lockfile
diff --git a/.github/workflows/pre-release-gate.yml b/.github/workflows/pre-release-gate.yml
index fdde6838..d41d9bae 100644
--- a/.github/workflows/pre-release-gate.yml
+++ b/.github/workflows/pre-release-gate.yml
@@ -42,10 +42,10 @@ jobs:
     if: startsWith(github.head_ref, 'release-please--')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           persist-credentials: false
-      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4.1.0
+      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4.2.0
       - name: Run pnpm audit at high+ severity
         run: pnpm audit --audit-level=high --prod
 
@@ -54,10 +54,10 @@ jobs:
     if: startsWith(github.head_ref, 'release-please--')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           persist-credentials: false
-      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4.1.0
+      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4.2.0
       # Frozen + ignore-scripts is the strictest install path: any lockfile
       # drift, missing entry, or sneaky postinstall fails the job.
       - name: Install with frozen lockfile and no lifecycle scripts
@@ -68,11 +68,11 @@ jobs:
     if: startsWith(github.head_ref, 'release-please--')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           fetch-depth: 0
           persist-credentials: false
-      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4.1.0
+      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4.2.0
       - name: Sweep working tree
         run: |
           set -euo pipefail
@@ -90,10 +90,10 @@ jobs:
     if: startsWith(github.head_ref, 'release-please--')
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           persist-credentials: false
-      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4.1.0
+      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4.2.0
       - run: pnpm install --frozen-lockfile --ignore-scripts
       - name: license allowlist
         # Root is `private: true` with no runtime deps post-collapse; scan
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e3554db6..59e2d132 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -113,14 +113,14 @@ jobs:
       sarif-sha256: ${{ steps.hashes.outputs.sarif }}
     steps:
       - name: Checkout released SHA
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           ref: ${{ needs.resolve.outputs.sha }}
           fetch-depth: 0
           persist-credentials: false
 
       - name: Provision toolchain (mise)
-        uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4.1.0
+        uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4.2.0
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -376,11 +376,11 @@ jobs:
       contents: read
       id-token: write       # OIDC token for npm trusted publishing AND provenance
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           ref: ${{ needs.resolve.outputs.sha }}
           persist-credentials: false
-      - uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4.1.0
+      - uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4.2.0
       - run: pnpm install --frozen-lockfile
       - run: pnpm --filter '!@opencodehub/docs' -r build
       # Idempotency guard: a stuck/retried release (e.g. the automated chain
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 10c7d794..2e2b7798 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -19,7 +19,7 @@ jobs:
       contents: read
       actions: read
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           persist-credentials: false
       - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a  # v2.4.3
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 8e59c9f9..3415c48e 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -26,7 +26,7 @@ jobs:
     container:
       image: semgrep/semgrep
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
       - name: semgrep scan (p/auto + p/owasp-top-ten)
         # `|| true` so the SARIF upload step still runs on findings;
         # gating happens through GitHub code scanning, not the scan's
diff --git a/.github/workflows/verify-global-install.yml b/.github/workflows/verify-global-install.yml
index 9da5f769..c3bd4901 100644
--- a/.github/workflows/verify-global-install.yml
+++ b/.github/workflows/verify-global-install.yml
@@ -103,7 +103,7 @@ jobs:
             node: "24"
             installer: nvm
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0  # v7.0.0
         with:
           persist-credentials: false
 
@@ -115,7 +115,7 @@ jobs:
       # ------------------------------------------------------------------
       - name: Setup Node via mise
         if: matrix.installer == 'mise'
-        uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925  # v4.1.0
+        uses: jdx/mise-action@e6a8b3978addb5a52f2b4cd9d91eafa7f0ab959d  # v4.2.0
         env:
           MISE_NODE_VERSION: ${{ matrix.node }}
 
@@ -171,7 +171,7 @@ jobs:
 
       - name: Install pnpm (non-mise / non-volta paths)
         if: matrix.installer == 'nvm' || matrix.installer == 'homebrew'
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093  # v6.0.8
+        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271  # v6.0.9
         with:
           version: 11.1.0