From 71e07d4c75e1dad297bc505b249acd556bf5b253 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 1 Jun 2026 14:38:08 +0200
Subject: [PATCH] Bump hashicorp/vault-action from 3.4.0 to 4.0.0 (#19804)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bumps
[hashicorp/vault-action](https://github.com/hashicorp/vault-action) from
3.4.0 to 4.0.0.
Release notes
Sourced from hashicorp/vault-action's releases.
v4.0.0
4.0.0 (May 12, 2026)
Improvements:
- Bump node runtime from node20 to node24 GH-604
- Fix leading slash in secret paths causing HTTP 400 errors (e.g.
/cubbyhole/test → v1/cubbyhole/test instead of
v1//cubbyhole/test)
- bump jsrsasign from 11.1.0 to 11.1.3
- bump body-parser from 1.20.3 to 1.20.5
- bump qs from 6.13.0 to 6.15.1
- bump http-errors from 2.0.0 to 2.0.1
- bump minimatch from 3.1.2 to 3.1.5
- bump underscore from 1.13.4 to 1.13.8
Changelog
Sourced from hashicorp/vault-action's changelog.
4.0.0 (May 12, 2026)
Improvements:
- Bump node runtime from node20 to node24 GH-604
- Fix leading slash in secret paths causing HTTP 400 errors (e.g.
/cubbyhole/test → v1/cubbyhole/test instead of
v1//cubbyhole/test)
- bump jsrsasign from 11.1.0 to 11.1.3
- bump body-parser from 1.20.3 to 1.20.5
- bump qs from 6.13.0 to 6.15.1
- bump http-errors from 2.0.0 to 2.0.1
- bump minimatch from 3.1.2 to 3.1.5
- bump underscore from 1.13.4 to 1.13.8
3.4.0 (June 13, 2025)
Bugs:
Improvements:
3.3.0 (March 3, 2025)
Features:
- Wildcard secret imports can use `**` to retain case of exported env
keys GH-545
3.2.0 (March 3, 2025)
Improvements:
- Add retry for jwt auth login to fix intermittent login failures GH-574
3.1.0 (January 9, 2025)
Improvements:
- fix wildcard handling when field contains dot GH-542
- bump body-parser from 1.20.0 to 1.20.3
- bump braces from 3.0.2 to 3.0.3
- bump cross-spawn from 7.0.3 to 7.0.6
- bump micromatch from 4.0.5 to 4.0.8
Features:
- `secretId` is no longer required for approle to support advanced use
cases like machine login when `bind_secret_id` is false. GH-522
- Use `pki` configuration to generate certificates from Vault GH-564
3.0.0 (February 15, 2024)
... (truncated)
Commits
- 892a268 Update copywrite headers for v.4.0.0 release (#607)
- a7ffa26 Prepare for release v4.0.0 (#606)
- a049f01 [COMPLIANCE] Add/Update Copyright Headers (#605)
- 95977a3 Adding team-vault-consumption as CODEOWNERS (#600)
- 7e48e56 Upgrade Node.js to 24 and update dependencies (#604)
- 79632e3 [COMPLIANCE] Add Copyright and License Headers (Batch 1 of 1) (#589)
- 734c523 README.md: Removing jwtGithubAudience default (#590)
- 2c58270 [Compliance] - PR Template Changes Required (#586)
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/docker.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index e343d950b3..801d369c48 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -67,7 +67,7 @@ jobs:
- name: Get team registry token
id: import-secrets
- uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
+ uses: hashicorp/vault-action@892a26828f195e65540a40b4768ae4571f51ebfc # v4.0.0
with:
url: https://vault.infra.ci.i.element.dev
role: ${{ steps.vault-jwt-role.outputs.role_name }}
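Review bot: the `# v4.0.0` comment on the new `uses:` line is not checked by anything, so confirm that the v4.0.0 tag actually resolves to 892a26828f195e65540a40b4768ae4571f51ebfc before merging. The commit list in the message places 892a268 ("Update copywrite headers for v.4.0.0 release (#607)") after a7ffa26 ("Prepare for release v4.0.0 (#606)"), so it is worth verifying which of the two the tag points at. The full-SHA pin itself is the right form for a step that fetches a registry token from Vault; keep it rather than switching to a tag ref.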
@@ -164,7 +164,7 @@ jobs:
- name: Get team registry token
id: import-secrets
- uses: hashicorp/vault-action@4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b # v3.4.0
+ uses: hashicorp/vault-action@892a26828f195e65540a40b4768ae4571f51ebfc # v4.0.0
with:
url: https://vault.infra.ci.i.element.dev
role: ${{ steps.vault-jwt-role.outputs.role_name }}
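Review bot: this second `import-secrets` step takes a major-version bump with two behaviour changes listed in the release notes, and the diff exercises neither: the runtime moves from node20 to node24, and a leading slash in secret paths is now normalised (v1/cubbyhole/test instead of v1//cubbyhole/test). Check that the runner used by this job supports node24, and review the `secrets:` input below the hunk for paths with a leading slash, since per the release notes such a path previously produced an HTTP 400 and will now resolve. Both `uses:` lines in this file carry the same pin; keep them identical so the two jobs do not drift to different action versions.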