ci(deps): bump softprops/action-gh-release from 1 to 3

[dependabot]

Bumps softprops/action-gh-release from 1 to 3.

Release notes

Sourced from softprops/action-gh-release's releases.

v3.0.0

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24. Use v3 on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on v2.6.2.

What's Changed

Other Changes 🔄

• Move the action runtime and bundle target to Node 24
• Update @types/node to the Node 24 line and allow future Dependabot updates
• Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

v2.6.2

What's Changed

Other Changes 🔄

• chore(deps): bump picomatch from 4.0.3 to 4.0.4 by @​dependabot[bot] in softprops/action-gh-release#775
• chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 by @​dependabot[bot] in softprops/action-gh-release#777
• chore(deps): bump vite from 8.0.0 to 8.0.5 by @​dependabot[bot] in softprops/action-gh-release#781

Full Changelog: softprops/action-gh-release@v2...v2.6.2

v2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: preserve discussion category on publish by @​chenrui333 in softprops/action-gh-release#765

v2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

... (truncated)

Changelog

Sourced from softprops/action-gh-release's changelog.

0.1.13

• fix issue with multiple runs concatenating release bodies #145

0.1.12

• fix bug leading to empty strings substituted for inputs users don't provide breaking api calls #144

0.1.11

• better error message on release create failed #143

0.1.10

• fixed error message formatting for file uploads

0.1.9

• add support for linking release to GitHub discussion #136

0.1.8

• address recent warnings in assert upload api as well as introduce asset upload overrides, allowing for multiple runs for the same release with the same named asserts #134
• fix backwards compatibility with GITHUB_TOKEN resolution. GITHUB_TOKEN is now resolved first from an env variable and then from an input #133
• trim white space in provided tag_name #130

0.1.7

• allow creating draft releases without a tag #95
• Set default token for simpler setup #83
• fix regression with action yml #126

0.1.6

This is a release catch up have a hiatus. Future releases will happen more frequently

• Add 'fail_on_unmatched_files' input, useful for catching cases where your files input does not actually match what you expect #55
• Add repository input, useful for creating a release in an external repository #61
• Add release id to outputs, useful for referring to release in workflow steps following the step that uses this action #60
• Add upload_url as action output, useful for managing uploads separately #75
• Support custom target_commitish value, useful to customize the default #76
• fix body_path input first then fall back on body input. This was the originally documented precedence but was implemented in the opposite order! #85
• Retain original release info if the keys are not set, useful for filling in blanks for a release you've already started separately #109
• Limit number of times github api request to create a release is retried, useful for avoiding eating up your rate limit and action minutes due to either an invalid token or other circumstance causing the api call to fail #111

0.1.5

• Added support for specifying tag name #39

0.1.4

... (truncated)

Commits

• b430933 release: cut v3.0.0 for Node 24 upgrade (#670)
• c2e35e0 chore(deps): bump the npm group across 1 directory with 7 updates (#783)
• 3bb1273 release 2.6.2
• c34030f chore: bump node to 24.14.1
• 8975bd0 chore(deps): bump vite from 8.0.0 to 8.0.5 (#781)
• f71937f chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 (#777)
• 3f0d239 chore(deps): bump picomatch from 4.0.3 to 4.0.4 (#775)
• 153bb8e release 2.6.1
• 569deb8 fix: preserve discussion category when publishing releases (#765)
• 26e8ad2 release 2.6.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 38368fd.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/release.yml

Package	Version	License	Issue Type
softprops/action-gh-release	3.*.*	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
actions/softprops/action-gh-release	3.*.*	🟢 4.5	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Code-Review ⚠️ 0 Found 2/30 approved changesets -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• .github/workflows/release.yml

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!