From 46af8973112a4c935c7ac3af5bf6ddfe67fe05c2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 22 Jun 2026 20:35:27 +0000
Subject: [PATCH] ci(deps): bump the actions group across 1 directory with 3
 updates

Bumps the actions group with 3 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [changesets/action](https://github.com/changesets/action) and [gitleaks/gitleaks-action](https://github.com/gitleaks/gitleaks-action).


Updates `actions/checkout` from 6 to 7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v6...v7)

Updates `changesets/action` from 1.8.0 to 1.9.0
- [Release notes](https://github.com/changesets/action/releases)
- [Changelog](https://github.com/changesets/action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/changesets/action/compare/63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b...a45c4d594aa4e2c509dc14a9f2b3b67ba3780d0d)

Updates `gitleaks/gitleaks-action` from 2.3.9 to 3.0.0
- [Release notes](https://github.com/gitleaks/gitleaks-action/releases)
- [Commits](https://github.com/gitleaks/gitleaks-action/compare/ff98106e4c7b2bc287b24eaf42907196329070c7...e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: changesets/action
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: gitleaks/gitleaks-action
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/changeset-check.yml |  2 +-
 .github/workflows/ci.yml              |  6 +++---
 .github/workflows/codeql.yml          |  2 +-
 .github/workflows/e2e.yml             |  2 +-
 .github/workflows/lighthouse.yml      |  2 +-
 .github/workflows/load-smoke.yml      |  2 +-
 .github/workflows/mutation.yml        |  2 +-
 .github/workflows/preview-env.yml     |  2 +-
 .github/workflows/release.yml         |  4 ++--
 .github/workflows/security.yml        | 10 +++++-----
 .github/workflows/storybook.yml       |  2 +-
 .github/workflows/supply-chain.yml    |  2 +-
 12 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/changeset-check.yml b/.github/workflows/changeset-check.yml
index bac0612..96e2567 100644
--- a/.github/workflows/changeset-check.yml
+++ b/.github/workflows/changeset-check.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         with:
           fetch-depth: 0
 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ae9f127..9a1feca 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,7 +18,7 @@ jobs:
     name: Hygiene
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         with:
           fetch-depth: 0
       - uses: actions/setup-node@v6
@@ -41,7 +41,7 @@ jobs:
     name: Backend
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-node@v6
         with:
           node-version: 20
@@ -72,7 +72,7 @@ jobs:
     name: Frontend
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-node@v6
         with:
           node-version: 20
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 72f4d87..3bea66f 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -28,7 +28,7 @@ jobs:
         language: [javascript-typescript, actions]
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v4
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 9a37894..01a5ed2 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -41,7 +41,7 @@ jobs:
           --health-timeout 5s
           --health-retries 6
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-node@v6
         with:
           node-version: 20
diff --git a/.github/workflows/lighthouse.yml b/.github/workflows/lighthouse.yml
index 97aee2a..6d55d03 100644
--- a/.github/workflows/lighthouse.yml
+++ b/.github/workflows/lighthouse.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 20
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-node@v6
         with:
           node-version: 20
diff --git a/.github/workflows/load-smoke.yml b/.github/workflows/load-smoke.yml
index 4aef4d2..9f88080 100644
--- a/.github/workflows/load-smoke.yml
+++ b/.github/workflows/load-smoke.yml
@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 20
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       # The compose stack reads .env. We only need the bits the api +
       # worker care about — frontend isn't started in this drill.
diff --git a/.github/workflows/mutation.yml b/.github/workflows/mutation.yml
index 7f630da..ae56417 100644
--- a/.github/workflows/mutation.yml
+++ b/.github/workflows/mutation.yml
@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-node@v6
         with:
           node-version: 20
diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml
index 109e299..435ab54 100644
--- a/.github/workflows/preview-env.yml
+++ b/.github/workflows/preview-env.yml
@@ -42,7 +42,7 @@ jobs:
           echo "Configure repo secrets to enable per-PR Railway envs."
           exit 0
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         if: ${{ env.RAILWAY_TOKEN != '' }}
         env:
           RAILWAY_TOKEN: ${{ secrets.RAILWAY_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1ff6f62..6c743e4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         with:
           fetch-depth: 0
 
@@ -32,7 +32,7 @@ jobs:
         run: npm ci
 
       - name: Create Release PR or publish to GitHub Releases
-        uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1
+        uses: changesets/action@a45c4d594aa4e2c509dc14a9f2b3b67ba3780d0d # v1
         with:
           # `version` updates package.json + CHANGELOG.md from pending changesets
           # and opens / updates a "Version Packages" PR. Merging that PR triggers
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 51cf914..aded055 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -24,12 +24,12 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         with:
           fetch-depth: 0
 
       - name: Run gitleaks
-        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
+        uses: gitleaks/gitleaks-action@e0c47f4f8be36e29cdc102c57e68cb5cbf0e8d1e # v3.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_CONFIG: .gitleaks.toml
@@ -39,7 +39,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
 
       - name: Run osv-scanner
         # `--skip-git` was removed in osv-scanner v2.x. Default behavior
@@ -56,7 +56,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-node@v6
         with:
           node-version: 20
@@ -94,7 +94,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/dependency-review-action@v5
         with:
           fail-on-severity: high
diff --git a/.github/workflows/storybook.yml b/.github/workflows/storybook.yml
index dc7ed72..ef4c33e 100644
--- a/.github/workflows/storybook.yml
+++ b/.github/workflows/storybook.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
       - uses: actions/setup-node@v6
         with:
           node-version: 20
diff --git a/.github/workflows/supply-chain.yml b/.github/workflows/supply-chain.yml
index eba3aa2..20a2700 100644
--- a/.github/workflows/supply-chain.yml
+++ b/.github/workflows/supply-chain.yml
@@ -45,7 +45,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7
         with:
           # On push.tags this is the tag ref already; on workflow_dispatch
           # we explicitly check out the requested tag so the SBOM matches