chore(deps): update mise tools

[renovate]

This PR contains the following updates:

Package	Update	Change	Pending
act	patch	0.2.88 → 0.2.89
gh	minor	2.92.0 → 2.94.0	2.95.0
trivy	minor	0.70.0 → 0.71.0	0.71.2 (+1)
uv	patch	0.11.14 → 0.11.21	0.11.25 (+3)

---

Release Notes

nektos/act (act)

v0.2.89

Compare Source

Changelog

Other

• 4f41128 chore: bump VERSION to 0.2.89
• 123167d build(deps): bump github.com/go-git/go-billy/v5 from 5.6.2 to 5.9.0 (#​6089)

cli/cli (gh)

v2.94.0: GitHub CLI 2.94.0

Compare Source

Issue types, sub-issues, and relationships in gh issue

This release brings GitHub's advanced issue features to gh issue create, edit, view, and list. You can set and view an issue's type, organize work with sub-issues, and track blocked-by and blocking relationships without leaving the command line:

# Set an issue's type
gh issue create --type Bug
gh issue edit 123 --type Bug

# Organize work with sub-issues
gh issue create --parent 100
gh issue edit 100 --add-sub-issue 123

# Track blocked-by and blocking relationships
gh issue create --blocked-by 200
gh issue edit 123 --add-blocking 300

Issue types and sub-issues are available on GitHub.com and GHES 3.17+; relationships require GHES 3.19+.

Manage discussions with gh discussion

This release introduces the discussion command set for working with GitHub Discussions in gh:

# List discussions
gh discussion list

# View a discussion, its comments, or replies to a comment
gh discussion view 123 --comments

# Create a discussion
gh discussion create

# Edit a discussion
gh discussion edit 123

# Comment on a discussion
gh discussion comment 123

# Reply to a comment using its URL
gh discussion comment <url>

Run gh discussion --help for more information.

[!NOTE]
The discussion command set is in preview and is subject to change without notice.

Equip your agents with new gh features

Teach your agents how to leverage new GitHub CLI features on release day by installing the gh skill:

# Install
gh skill install cli/cli gh --scope user

# Or update
gh skill update gh

What's Changed

✨ Features

• Add gh discussion command set (list, view, create, edit) as a preview by @​babakks and @​maxbeizer in #​13541
• Add gh discussion comment to comment on and reply to discussions by @​babakks in #​13620
• Add Issues 2.0 support: issue types, sub-issues, and relationships by @​BagToad in #​13057
• Add gh skill list to inventory installed agent skills by @​tommaso-moro in #​13418
• Add --all flag to gh skill install to install every skill in a repository by @​tommaso-moro in #​13471
• Skip skills without metadata when running gh skill update --all by @​tommaso-moro in #​13469
• Alias gh extension uninstall to gh extension remove by @​BagToad in #​13599
• Auto-install official extensions in CI by @​BagToad in #​13581

🐛 Fixes

• fix(skill): support skill discovery in nested directories by @​tommaso-moro in #​13459

📚 Docs & Chores

• Bump Go to 1.26.4 by @​github-actions[bot] in #​13578
• Clean up deferred issue update helper by @​BagToad in #​13584
• Add terminal-mockup canvas extension for marketing screenshots by @​BagToad in #​13612
• Add gh discussion and Issues 2.0 reference to the gh skill, plus a README note by @​BagToad in #​13631

Dependencies

• chore(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 by @​dependabot in #​13521
• chore(deps): bump github.com/gdamore/tcell/v2 from 2.13.9 to 2.13.10 by @​dependabot in #​13520
• chore(deps): bump github.com/mattn/go-colorable from 0.1.14 to 0.1.15 by @​dependabot in #​13572
• chore(deps): bump charm.land/bubbletea/v2 from 2.0.6 to 2.0.7 by @​dependabot in #​13595
• chore(deps): bump github/codeql-action from 4.36.0 to 4.36.1 by @​dependabot in #​13596
• chore(deps): bump actions/checkout from 6.0.2 to 6.0.3 by @​dependabot in #​13597

Full Changelog: cli/cli@v2.93.0...v2.94.0

v2.93.0: GitHub CLI 2.93.0

Compare Source

Security

A security vulnerability has been identified, and fixed, that would incorrectly include authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands.

Users are advised to update gh to version v2.93.0 as soon as possible.

For more information see: GHSA-8xvp-7hj6-mcj9

Support agents in gh secret command set

The gh secret command set can now set agent secrets. For more information, see "Configuring secrets and variables for Copilot cloud agent".

What's Changed

✨ Features

• Allow agents as application for secrets by @​tenjaa in #​13421

🐛 Fixes

• fix(pr): remove numberFieldOnly optimization that skips API validation by @​williammartin in #​13327
• Print gh auth refresh for 401 returns by @​333fred in #​13068
• Derive digest algorithm from ref length in release verify commands by @​bdehamer in #​13430

📚 Docs & Chores

• Add missing //go:build integration tag to verify_integration_test.go by @​pdostal in #​13303
• Fix flaky accessible prompter Password test timeout by @​pdostal in #​13304
• Enable extended PR screening for external PRs by @​tidy-dev in #​13312
• Grammar fixes by @​scop in #​13326
• Bump gh copilot telemetry sampling to 100% by @​williammartin in #​13362
• Record accessibility feature state in telemetry by @​williammartin in #​13363
• Poll TTY echo mode instead of sleeping in password tests by @​pdostal in #​13305
• Switch from actions/attest-build-provenance to actions/attest by @​scop in #​13325
• Fix skills acceptance tests by @​williammartin in #​13365
• Bump Go toolchain to 1.26.3 by @​Copilot in #​13367
• Trigger triage check-requirements on ready_for_review by @​BagToad in #​13383
• fix(copilot): hint to run copilot directly when exec fails by @​babakks in #​13393
• Update installation commands for GitHub CLI by @​sassdawe in #​13126
• Update CODEOWNERS for skills directory ownership by @​williammartin in #​13416
• fix(telemetry): prevent tzutil console flash on Windows by @​adehad in #​13353
• Fix bump-go.sh to tolerate missing toolchain directive by @​Copilot in #​12581
• docs: drop --repo gh-cli from dnf install lines by @​c-tonneslan in #​13444
• Remove third-party license debris by @​williammartin in #​13470
• Remove dependency on persistent token by @​williammartin in #​13474
• Remove discussion workflow by @​williammartin in #​13476
• Stop bumping homebrew on release by @​williammartin in #​13479
• build: update golang.org/x/crypto by @​tommaso-moro in #​13486
• Add 3 day dependabot cooldown period by @​williammartin in #​13488
• Run govulncheck daily instead of weekly by @​williammartin in #​13487
• SHA pin first-party GitHub Actions by @​williammartin in #​13491
• Link to Accessibility category for community discussions instead of ACR by @​mxie in #​13481
• docs: fix duplicated "of" in release-process-deep-dive by @​vip892766gma in #​13425
• chore(deps): bump golang.org/x/net from 0.54.0 to 0.55.0 by @​BagToad in #​13510
• docs: note immutable releases starting v2.93.0 by @​BagToad in #​13518
• fix CI attestation integration tests after rename by @​BagToad in #​13536

Dependencies

• chore(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 by @​dependabot[bot] in #​13297
• chore(deps): bump github.com/klauspost/compress from 1.18.5 to 1.18.6 by @​dependabot[bot] in #​13328
• chore(deps): bump golang.org/x/sys from 0.43.0 to 0.44.0 by @​dependabot[bot] in #​13381
• chore(deps): bump golang.org/x/term from 0.42.0 to 0.43.0 by @​dependabot[bot] in #​13396
• chore(deps): bump google.golang.org/grpc from 1.80.0 to 1.81.0 by @​dependabot[bot] in #​13346
• chore(deps): bump golang.org/x/text from 0.36.0 to 0.37.0 by @​dependabot[bot] in #​13397
• chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0 by @​dependabot[bot] in #​13420
• chore(deps): bump google.golang.org/grpc from 1.81.0 to 1.81.1 by @​dependabot[bot] in #​13436
• chore(deps): bump goreleaser/goreleaser-action from 7.2.1 to 7.2.2 by @​dependabot[bot] in #​13461
• chore(deps): bump github/codeql-action from 4 to 4.35.5 by @​dependabot[bot] in #​13489
• chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.4.1 to 2.4.2 by @​dependabot[bot] in #​13462
• chore(deps): bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6 by @​dependabot[bot] in #​13457

New Contributors

• @​pdostal made their first contribution in #​13303
• @​333fred made their first contribution in #​13068
• @​scop made their first contribution in #​13326
• @​sassdawe made their first contribution in #​13126
• @​adehad made their first contribution in #​13353
• @​c-tonneslan made their first contribution in #​13444
• @​tenjaa made their first contribution in #​13421
• @​mxie made their first contribution in #​13481
• @​vip892766gma made their first contribution in #​13425

Full Changelog: cli/cli@v2.92.0...v2.93.0

aquasecurity/trivy (trivy)

v0.71.0

Compare Source

⚡ Highlights ⚡

👉 https://redirect.github.com/aquasecurity/trivy/discussions/10767

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0710-2026-06-01

astral-sh/uv (uv)

v0.11.21

Compare Source

Released on 2026-06-11.

Python

• Add CPython 3.13.14 and 3.14.6 (#​19787)

Preview features

• Add environment.root to uv workspace metadata --sync (#​19760)
• Allow uv upgrade to update a single dependency constraint (#​19738)
• Compute and pass uv workspace metadata payload in ty check (#​19763)
• Make packaged applications the default for uv init (#​17841)

Performance

• Add parallel discovery of Python versions for uv python list (#​18684)
• Avoid normalizing source distribution names twice (#​19784)

Bug fixes

• Improve cache robustness and pruning behavior
  • Allow CI cache pruning without an sdist bucket (#​19802)
  • Avoid overflow when reading malformed cache entries (#​19799)
  • Preserve cached Python downloads during cache pruning (#​19795)
  • Reject running inside the cache (#​19659)
• Fix Python discovery and version request edge cases
  • Avoid panics for Unicode Python version requests (#​19797)
  • Fix handling of non-critical errors in uv python list with path requests (#​19774)
  • Fix stop-discovery-at regression (#​19769)
• Harden parsing and validation for package metadata, requirements, markers, URLs, and conflict sets
  • Allow trailing commas in version specifiers (#​19806)
  • Avoid panics for invalid UTF-8 URL credentials (#​19800)
  • Avoid panics for malformed source distribution filenames (#​19776)
  • Avoid panics for trailing extra separators (#​19779)
  • Avoid stack overflow for recursive requirements path aliases (#​19777)
  • Ignore reversed string compatible-release markers (#​19782)
  • Reject duplicate entries in conflict sets (#​19801)
  • Reject malformed hash options in requirements files (#​19783)
  • Reject source distribution filenames without a separator (#​19803)
  • Use UTF-8 lengths for requirement errors (#​19781)
  • Use UTF-8 lengths for trailing marker errors (#​19796)
  • Use byte offsets when peeking over requirements (#​19780)
  • Validate GraalPy ABI suffixes (#​19805)
• Improve wheel entry-point error handling and virtual environment activation quoting
  • Propagate errors when reading wheel entry points (#​19794)
  • Quote virtual environment activation paths with shell metacharacters (#​19798)

v0.11.20

Compare Source

Released on 2026-06-10.

Enhancements

• Add --emit-index-url and --emit-find-links to uv export (#​18370)
• Add --find-links support for uv pip list (#​16103)
• Group executable install errors during uv python install (#​19691)
• Use ICF in macOS release builds to reduce binary sizes (#​19615)

Preview features

• Add initial hidden uv upgrade command (#​19678)
• Reject Git revisions in uv upgrade (#​19742)

Configuration

• Recognize UV_NO_INSTALL_PROJECT, UV_NO_INSTALL_WORKSPACE, UV_NO_INSTALL_LOCAL (#​19323)

Performance

• Speed up discovery of large workspaces (#​18311)

Bug fixes

• Allow unknown preview flags with a warning again (#​19669)
• Apply dependency exclusions to direct requirements (#​19699)
• Avoid following external symlinks during cache clean (#​19682)
• Avoid following symlinks during cache prune (#​19543)
• Fix Git cache keys for worktrees and packed refs (#​19706)
• Make resolver error handling iterative to avoid stack overflows (#​19695)
• Pass VIRTUAL_ENV through cygpath inside fish on Windows (#​19703)
• Rebuild explicit local directory tool installs (#​19591)
• Validate egg top-level entries as identifiers (#​19679)

Documentation

• Document --find-links caching behavior (#​19585)
• Add a small section for malware checks (#​19680)

v0.11.19

Compare Source

Released on 2026-06-03.

Python

• Add CPython 3.15.0b2 (#​19531)

Enhancements

• Always compute SHA256 for remote distributions (#​19662)
• Add PyEmscripten platform (PEP 783) (#​19629)
• Add Pyodide 2025 target triple (#​19653)

Preview features

• Make preview features for commands have names that aren't ambiguous with the command (#​19645)
• Respect --isolated in uv check (#​19666)

Bug fixes

• Continue tool uninstall after dangling receipts (#​19623)
• Skip Unix-specific installation steps when cross-installing Windows Python distributions (#​19424)

v0.11.18

Compare Source

Released on 2026-06-01.

Performance

• Fix performance regression in unzip of local wheels (#​19637)

Preview

• Add uv check to run ty from uv (#​19605)

Bug fixes

• Update activation scripts with upstream fixes (#​19628)

Other changes

• Bump MSRV to 1.94 (#​19600)

v0.11.17

Compare Source

Released on 2026-05-28.

Enhancements

• Add a diagnostic for uv add with standard library modules (#​19572)
• Expose uv workspace and its list subcommand in help output (#​19533)
• Improve the "403 forbidden" hint to suggest ignore-error-codes when applicable (#​19521)
• Skip direct URL lock freshness checks while offline (#​19596)
• Add import-names and import-namespaces support to uv-build (PEP 794) (#​19380)
• Add a --no-editable-package flag to various commands (#​19584)
• Infer Python version requests from source trees in uv tool invocations (#​19577)

Preview features

• Add module owners to uv workspace metadata (#​19122)
• Do not allow uv venv --clear to remove non-virtual environments (#​19595)

Bug fixes

• Improve the performance of large entries in tool.uv.conflicts (#​19538)
• Avoid modifying the parent process' env with --env-file in uv run (#​19567)
• Fix script environment creation for scripts with long filenames (#​19539)
• Fix transitive Git archive dependencies in lockfiles (#​19589)
• Preserve Git repository URLs in direct URL metadata (#​19590)
• Support redirects in --check-url (#​19594)
• Accept case-insensitive HTML tags in --find-links parsing (#​19537)
• Reject duplicate script metadata blocks (#​19544)
• Ban names like "python3" as script entry points (#​19535, #​19536)
• Validate Git LFS artifacts for Git archives (#​19592)
• Use a relative path when creating symlinks in cache to improve relocatability (#​19033)

Documentation

• Fix malformed positional anchors in the CLI reference (#​19575)

v0.11.16

Compare Source

Released on 2026-05-21.

Enhancements

• Add support for direct archive dependencies in Git (#​10072)
• Adjust hint rendering (#​18090)

Preview features

• uv audit: specialize malformed OSV error (#​19515)
• Reject locked malware installations (#​18936)

Configuration

• Allow disabling reading the system config with UV_NO_SYSTEM_CONFIG (#​19476)

Bug fixes

• Allow environment variables that take a list to be empty (#​19503)
• Ensure that incompatible wheel hints do not leak secrets (#​19504)
• Reject unsafe entry points in uv-build (#​19495)
• Restrict delimiters in entry point parsing (#​19471)
• uv-netrc: fix multi-word no-space comment lines causing parse errors (#​19494)

Documentation

• Document and test relative exclude-newer support for uv pip (#​19475)

v0.11.15

Compare Source

Released on 2026-05-18.

Security

• Fix a TAR parser differential, see GHSA-3cv2-h65g-fgmm (#​19463)
• Enforce that entry points cannot escape in the scripts directory, see GHSA-4gg8-gxpx-9rph (#​19464)

Enhancements

• Add TOML v1.1 -> v1.0 backwards compatibility for source distributions (#​18741)
• Add support for Azure request signing (#​19421)
• Apply stricter validation to all wheel filename segments (#​19364)
• Reject empty strings as an invalid package name (#​19435)
• Use structured errors for signing authentication failures (#​19422)

Preview

• uv audit: Add JSON output (#​19305)

Configuration

• Respect required-environments in uv pip compile (#​19378)

Performance

• Avoid parsing JSON manifest when local Python is available (#​19398)
• Avoid walking nested directories in linker conflict registration (#​19382)
• Optimize async wheel ZIP writing (#​19383)
• Fix dead "already trimmed" fast-path in Version::only_release_trimmed (#​19425)

Bug fixes

• Apply workspace-member [tool.uv.sources] credentials under uv sync --frozen (#​19423)
• Skip empty directories in uv build outputs (#​19437)
• Fix Git submodule handling when using relative paths (#​12156)
• Fix line number reporting in netrc parsing (#​19452)

Documentation

• Move Bazel auth helper setup into integration guide (#​19392)

---

Configuration

📅 Schedule: (in timezone Europe/Berlin)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud