deps(actions): bump the github-actions group with 2 updates #4

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github-actions-7e9d1ed959

dependabot Bot commented on behalf of github May 9, 2026

Bumps the github-actions group with 2 updates: actions/dependency-review-action and DavidAnson/markdownlint-cli2-action.

Updates actions/dependency-review-action from 4 to 5

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Dependency Review Action 4.9.0

This feature release contains a couple of notable changes:

  • There is a new configuration option show_patched_versions which will add a column to the output, showing the fix version of each vulnerable dependency. Thanks @​felickz!
  • Runs which do not display OpenSSF scorecards no longer fetch scorecard information; previously it was fetched regardless of whether or not it was displayed, causing unnecessary slowness. Great catch @jantiebot!
  • There are a couple of fixes to purl parsing which should improve match accuracy for allow-package-dependency lists, including case (in)sensitivity and url-encoded namespaces. Thanks @juxtin!

Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0

4.8.3

Dependency Review Action v4.8.3

This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and uploaded them as artifacts, which could occasionally crash the action.

We have also updated the release process to use a long-lived v4 branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.

What's Changed

... (truncated)

Commits
  • a1d282b Merge pull request #1098 from actions/ahpook/v5-release
  • eb6c199 update examples to show @​v5
  • 3943c2c v5.0.0 release branch
  • 454943c Merge pull request #1094 from actions/ashelytc/security-findings
  • 6d92a12 revert @​typescript-eslint/parser update
  • a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
  • b6b7079 update @​typescript-eslint/parser to 8.40.0
  • 821a21d update more dependencies
  • 05aaaae run npm audit fix
  • 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
  • Additional commits viewable in compare view

Updates DavidAnson/markdownlint-cli2-action from 19 to 23

Release notes

Sourced from DavidAnson/markdownlint-cli2-action's releases.

Update markdownlint-cli2 version (markdownlint-cli2 v0.22.1, markdownlint v0.40.0).

No release notes provided.

Update markdownlint-cli2 version (markdownlint-cli2 v0.22.0, markdownlint v0.40.0), update Node.js dependency to 24.

No release notes provided.

Update markdownlint version (markdownlint-cli2 v0.20.0, markdownlint v0.40.0).

No release notes provided.

Update markdownlint version (markdownlint-cli2 v0.19.0, markdownlint v0.39.0).

No release notes provided.

Update markdownlint version (markdownlint-cli2 v0.18.1, markdownlint v0.38.0).

No release notes provided.

Update markdownlint version (markdownlint-cli2 v0.17.2, markdownlint v0.37.4).

No release notes provided.

Update markdownlint version (markdownlint-cli2 v0.17.0, markdownlint v0.37.0).

No release notes provided.

Update markdownlint version (markdownlint-cli2 v0.15.0, markdownlint v0.36.1).

No release notes provided.

Update markdownlint version (markdownlint-cli2 v0.14.0, markdownlint v0.35.0).

No release notes provided.

Update markdownlint version (markdownlint-cli2 v0.13.0, markdownlint v0.34.0).

No release notes provided.

Update markdownlint version (markdownlint-cli2 v0.12.1, markdownlint v0.33.0).

Update markdownlint version (markdownlint-cli2 v0.11.0, markdownlint v0.32.1), remove deprecated "command" input.

No release notes provided.

Update markdownlint version (markdownlint-cli2 v0.10.0, markdownlint v0.31.1).

No release notes provided.

Update markdownlint version (markdownlint-cli2 v0.9.2, markdownlint v0.30.0).

No release notes provided.

Update markdownlint version (markdownlint-cli2 v0.8.1, markdownlint v0.29.0), add "config" and "fix" inputs, deprecate "command" input.

No release notes provided.

Update markdownlint version (markdownlint-cli2 v0.7.1, markdownlint v0.28.2).

No release notes provided.

Update markdownlint version (markdownlint-cli2 v0.7.0, markdownlint v0.28.1), include link to rule information in title of annotations (clickable in GitHub).

No release notes provided.

... (truncated)

Commits
  • ded1f94 Update to version 23.2.0.
  • dc5dad9 Add 10-day cooldown period to Dependabot updates.
  • 64b1c6a Add package-lock.json for reproducible builds (fixes #362).
  • 6c62e06 Bump eslint-plugin-n from 17.24.0 to 18.0.0
  • 9b5720c Bump eslint from 10.2.1 to 10.3.0
  • 6b51ade Update to version 23.1.0.
  • ea6e0da Freshen generated index.js file.
  • 3c4c2c8 Bump markdownlint-cli2 from 0.22.0 to 0.22.1
  • 3a933d4 Bump @​actions/core from 3.0.0 to 3.0.1
  • 648042e Freshen generated index.js file.
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow automation tools to newer versions for improved performance and security.

Bumps the github-actions group with 2 updates: [actions/dependency-review-action](https://github.com/actions/dependency-review-action) and [DavidAnson/markdownlint-cli2-action](https://github.com/davidanson/markdownlint-cli2-action).


Updates `actions/dependency-review-action` from 4 to 5
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@v4...v5)

Updates `DavidAnson/markdownlint-cli2-action` from 19 to 23
- [Release notes](https://github.com/davidanson/markdownlint-cli2-action/releases)
- [Commits](DavidAnson/markdownlint-cli2-action@v19...v23)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: DavidAnson/markdownlint-cli2-action
  dependency-version: '23'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels May 9, 2026

dependabot Bot requested a review from pdHaku0 as a code owner May 9, 2026 02:52

coderabbitai Bot commented May 9, 2026

Walkthrough

Two reusable GitHub Actions workflows are updated to newer versions of their action dependencies. The dependency review workflow is bumped from actions/dependency-review-action@v4 to v5, and the Markdown CI workflow is bumped from markdownlint-cli2-action@v19 to v23.

Changes

Dependency Review Action Update

| Layer / File(s) | Summary |
|---|---|
| Workflow Action Version: .github/workflows/reusable-dependency-review.yml | Updates actions/dependency-review-action from v4 to v5. |

Markdown Linting Action Update

| Layer / File(s) | Summary |
|---|---|
| Workflow Action Version: .github/workflows/reusable-markdown-ci.yml | Updates DavidAnson/markdownlint-cli2-action from v19 to v23. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Two actions upgraded with care,
Dependencies refreshed in the air,
From v4 to v5, and v19 to v23,
The workflows dance in harmony,
Workflows bright, reviewed with glee! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | PR description lacks the required template structure with Missing sections: 'Summary', 'Required Reading', 'Verification', 'Risk', and 'Self-Review' checklist. | Add the missing sections from the repository's PR template including Summary, Required Reading checklist, Verification, Risk assessment, and Self-Review checklist items. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main change: bumping two GitHub Actions dependencies in the github-actions group. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
