6 files changed, 31 insertions, 15 deletions

diff --git a/.github/workflows/check_sast.yml b/.github/workflows/check_sast.yml
index 5b1e84408c..091f98ef34 100644
--- a/.github/workflows/check_sast.yml
+++ b/.github/workflows/check_sast.yml
@@ -78,14 +78,14 @@ jobs:
           persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           languages: ${{ matrix.language }}
           build-mode: none
           config-file: .github/codeql/codeql-config.yml
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           category: '/language:${{ matrix.language }}'
           upload: False
@@ -126,7 +126,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           sarif_file: sarif-results/${{ matrix.language }}.sarif
         continue-on-error: true
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 0cbfcd09e4..74c13f98fa 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -73,6 +73,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/tarball-test.yml b/.github/workflows/tarball-test.yml
index db49977cbf..e99c4515c8 100644
--- a/.github/workflows/tarball-test.yml
+++ b/.github/workflows/tarball-test.yml
@@ -35,19 +35,32 @@ jobs:
       BRANCH: master
     outputs:
       branch: ${{ env.BRANCH }}
+      skip: ${{ steps.skipping.outputs.skip }}
     steps:
+      - id: skipping
+        run:
+          echo 'skip=true' >> $GITHUB_OUTPUT
+        if: >-
+          ${{(false
+          || contains(github.event.head_commit.message, '[DOC]')
+          || contains(github.event.pull_request.title, '[DOC]')
+          || contains(github.event.pull_request.labels.*.name, 'Documentation')
+          || (github.event.pull_request.user.login == 'dependabot[bot]')
+          )}}
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          fetch-depth: 0
+          fetch-depth: 1 # actions/checkout fetches all heads/tags unless > 0
       # tool/make-snapshot derives the branch name from HEAD and looks up
       # the upstream during ChangeLog generation. Detached checkouts
       # (pull_request, merge_group) lack a local branch with tracking, so
       # pin one to HEAD and connect it to the matching origin ref.
       - name: Materialize local branch
         run: |
-          git fetch --no-tags --depth=1 origin "+refs/heads/$BRANCH:refs/remotes/origin/$BRANCH"
+          git fetch --no-tags --depth=1 origin "+refs/heads/$BASE:refs/remotes/origin/$BASE"
           git checkout -B "$BRANCH" HEAD
-          git branch --set-upstream-to="origin/$BRANCH" "$BRANCH"
+          git branch --set-upstream-to="origin/$BASE" "$BRANCH"
+        env:
+          BASE: ${{ github.base_ref || env.BRANCH }}
       - uses: ./.github/actions/make-snapshot
         with:
           archname: snapshot-${{ env.BRANCH }}
@@ -55,6 +68,7 @@ jobs:
 
   ubuntu:
     needs: tarball
+    if: ${{ ! needs.tarball.outputs.skip }}
     uses: ./.github/workflows/tarball-ubuntu.yml
     with:
       archname: snapshot-${{ needs.tarball.outputs.branch }}
@@ -63,6 +77,7 @@ jobs:
 
   macos:
     needs: tarball
+    if: ${{ ! needs.tarball.outputs.skip }}
     uses: ./.github/workflows/tarball-macos.yml
     with:
       archname: snapshot-${{ needs.tarball.outputs.branch }}
@@ -71,6 +86,7 @@ jobs:
 
   windows:
     needs: tarball
+    if: ${{ ! needs.tarball.outputs.skip }}
     uses: ./.github/workflows/tarball-windows.yml
     with:
       archname: snapshot-${{ needs.tarball.outputs.branch }}
diff --git a/.github/workflows/tarball-ubuntu.yml b/.github/workflows/tarball-ubuntu.yml
index 13606c7eee..f0e773b526 100644
--- a/.github/workflows/tarball-ubuntu.yml
+++ b/.github/workflows/tarball-ubuntu.yml
@@ -69,16 +69,16 @@ jobs:
           [
             Dir.home,
           ].each do |dir|
-            Pathname(dir).each_child do |pn|
-              st = pn.stat
+            Dir.each_child(dir) do |pn|
+              st = File.stat(pn)
               if st.file?
-                content = Digest::SHA1.hexdigest(pn.read)
+                content = Digest::SHA1.file(pn).hexdigest
               elsif st.directory? && st.nlink <= 10
-                content = pn.children.map(&:basename).map(&:to_s).sort
+                content = Dir.children(pn).sort
               end
-              out << [pn.to_s, "%o"%st.mode, st.nlink, st.uid, st.gid, st.size, content].to_s
+              out << [pn, "%o"%st.mode, st.nlink, st.uid, st.gid, st.size, content].to_s
             rescue
-              out << [pn.to_s, $!.inspect].to_s
+              out << [pn, $!.inspect].to_s
             end
           end
           File.open(ARGV.shift, "w") do |io|
diff --git a/.github/workflows/zjit-macos.yml b/.github/workflows/zjit-macos.yml
index ca6087d0da..b629219bef 100644
--- a/.github/workflows/zjit-macos.yml
+++ b/.github/workflows/zjit-macos.yml
@@ -93,7 +93,7 @@ jobs:
           rustup install ${{ matrix.rust_version }} --profile minimal
           rustup default ${{ matrix.rust_version }}
 
-      - uses: taiki-e/install-action@e0eafa9a0d485c37f97c0f7beb930a58a2facbac # v2.79.4
+      - uses: taiki-e/install-action@920ab1831fbf4fb3ef75c8ead83556c918bb7290 # v2.79.8
         with:
           tool: nextest@0.9
         if: ${{ matrix.test_task == 'zjit-check' }}
diff --git a/.github/workflows/zjit-ubuntu.yml b/.github/workflows/zjit-ubuntu.yml
index f599120016..896a743305 100644
--- a/.github/workflows/zjit-ubuntu.yml
+++ b/.github/workflows/zjit-ubuntu.yml
@@ -119,7 +119,7 @@ jobs:
           ruby-version: '3.1'
           bundler: none
 
-      - uses: taiki-e/install-action@e0eafa9a0d485c37f97c0f7beb930a58a2facbac # v2.79.4
+      - uses: taiki-e/install-action@920ab1831fbf4fb3ef75c8ead83556c918bb7290 # v2.79.8
         with:
           tool: nextest@0.9
         if: ${{ matrix.test_task == 'zjit-check' }}