chore(deps): bump hashicorp/vault-action from 3.4.0 to 4.0.0

[dependabot]

Bumps hashicorp/vault-action from 3.4.0 to 4.0.0.

Release notes

Sourced from hashicorp/vault-action's releases.

v4.0.0

4.0.0 (May 12, 2026)

Improvements:

• Bump node runtime from node20 to node24 GH-604
• Fix leading slash in secret paths causing HTTP 400 errors (e.g. /cubbyhole/test → v1/cubbyhole/test instead of v1//cubbyhole/test)
• bump jsrsasign from 11.1.0 to 11.1.3
• bump body-parser from 1.20.3 to 1.20.5
• bump qs from 6.13.0 to 6.15.1
• bump http-errors from 2.0.0 to 2.0.1
• bump minimatch from 3.1.2 to 3.1.5
• bump underscore from 1.13.4 to 1.13.8

Changelog

Sourced from hashicorp/vault-action's changelog.

4.0.0 (May 12, 2026)

Improvements:

• Bump node runtime from node20 to node24 GH-604
• Fix leading slash in secret paths causing HTTP 400 errors (e.g. /cubbyhole/test → v1/cubbyhole/test instead of v1//cubbyhole/test)
• bump jsrsasign from 11.1.0 to 11.1.3
• bump body-parser from 1.20.3 to 1.20.5
• bump qs from 6.13.0 to 6.15.1
• bump http-errors from 2.0.0 to 2.0.1
• bump minimatch from 3.1.2 to 3.1.5
• bump underscore from 1.13.4 to 1.13.8

Commits

• 892a268 Update copywrite headers for v.4.0.0 release (#607)
• a7ffa26 Prepare for release v4.0.0 (#606)
• a049f01 [COMPLIANCE] Add/Update Copyright Headers (#605)
• 95977a3 Adding team-vault-consumption as CODEOWNERS (#600)
• 7e48e56 Upgrade Node.js to 24 and update dependencies (#604)
• 79632e3 [COMPLIANCE] Add Copyright and License Headers (Batch 1 of 1) (#589)
• 734c523 README.md: Removing jwtGithubAudience default (#590)
• 2c58270 [Compliance] - PR Template Changes Required (#586)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by Bito

This pull request updates the hashicorp/vault-action dependency in the GitHub Actions release workflow from version 3.4.0 to 4.0.0. The update includes improvements such as upgrading the Node.js runtime to version 24 and fixing issues with leading slashes in secret paths that caused HTTP 400 errors.

Detailed Changes

• Updates hashicorp/vault-action from v3.4.0 to v4.0.0 in release.yml workflow, introducing Node.js 24 runtime and fixes for secret path leading slash issues.

[bito-code-review]

Code Review Agent Run #81eec5

Actionable Suggestions - 0

Review Details

• Files reviewed - 1 · Commit Range: 2bce33e..2bce33e

  • .github/workflows/release.yml
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Default Agent You can customize the agent settings here or contact your Bito workspace admin at jared.jolton@contentful.com.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[wiz-inc-38d59fb8d7]

Wiz Scan Summary

Scanner	Findings
Vulnerabilities	-
Sensitive Data	-
Secrets	-
IaC Misconfigurations	1
SAST Findings	-
Software Management Findings	-
Total	1

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

[bito-code-review]

Changelist by Bito

This pull request implements the following key changes.

Key Change	Files Impacted	Summary
Other Improvements - Update hashicorp/vault-action to version 4.0.0	release.yml	Updates the hashicorp/vault-action from v3.4.0 to v4.0.0 in the release workflow, incorporating improvements like Node.js runtime upgrade to 24 and fixes for secret path handling.

[bito-code-review]

Impact Analysis by Bito

Interaction Diagram

sequenceDiagram
participant Dev as Developer
participant GHA as GitHub Actions
participant VA as Vault Action<br/>🔄 Updated | ●●○ Medium
participant HV as HashiCorp Vault
participant GAPI as GitHub API
participant NX as NX Release
Dev->>GHA: Push code or trigger release workflow
GHA->>VA: Execute retrieve secrets step
VA->>HV: Authenticate with JWT and request secrets
HV-->>VA: Return encrypted secrets
VA-->>GHA: Provide secrets as environment variables
GHA->>GAPI: Get bot user ID for git config
GAPI-->>GHA: Return user ID
GHA->>GHA: Configure git user credentials
GHA->>GAPI: Checkout repository code
GAPI-->>GHA: Provide repository files
GHA->>GHA: Setup Node.js and install dependencies
GHA->>GHA: Restore build cache
GHA->>NX: Run NX release command
NX-->>GHA: Complete release and versioning
GHA->>GAPI: Upload DXT file to release (if on main)
Note over VA: Updated vault-action to v4.0.0<br/>for improved security and features
Note over GHA, GAPI: Automated release process<br/>handles versioning and publishing

Loading

---

The release workflow updates the HashiCorp Vault action from v3.4.0 to v4.0.0, enhancing the secret retrieval step in the automated release process. This change improves security and compatibility for accessing encrypted secrets from Vault during CI/CD. The update affects the integration point with external HashiCorp Vault service but maintains the same workflow logic.

Cross-Repository Impact Analysis

What Changed	Impact of Change	Suggested Review Actions
Upgraded hashicorp/vault-action from v3.4.0 to v4.0.0 in release workflow	- CI/CD Pipeline [Internal]: Node runtime upgraded from 20 to 24; secret path handling fixed for paths with leading slashes. No application code changes.	- Verify release workflow executes successfully after merge - Confirm Vault secret paths in workflow do not rely on pre-v4 leading slash behavior - Test secret retrieval in a non-production workflow run if possible

Code Paths Analyzed

Impact:
CI/CD infrastructure update only - no application code changes

Flow:
GitHub Actions release workflow → HashiCorp Vault → secret retrieval for release process

Direct Changes (Diff Files):
• .github/workflows/release.yml [10] — Updated vault-action version for secret retrieval during releases

Repository Impact:
• Release automation: Workflow depends on vault-action for secrets; v4 includes Node 24 runtime upgrade and bug fixes

Cross-Repository Dependencies:
• None.

Database/Caching Impact:
• None

API Contract Violations:
• None.

Infrastructure Dependencies:
• HashiCorp Vault integration for release secrets
• GitHub Actions runner environment (Node 24 runtime in v4)

Testing Recommendations

Frontend Impact:
• No issues detected

Service Integration:
• Validate release workflow can still retrieve secrets from Vault after version upgrade

Data Serialization:
• No issues detected

Privacy Compliance:
• No issues detected

Backward Compatibility:
• Verify existing Vault secret paths work correctly with v4 (leading slash handling changed)

OAuth Functionality:
• None

Cross-Service Communication:
• No issues detected

Reliability Testing:
• None

Additional Insights:
• Monitor first release after merge for any Vault authentication or secret retrieval issues
• Review vault-action v4 release notes for any additional migration steps

_{Analysis based on known dependency patterns and edges. Actual impact may vary.}

[bito-code-review]

✅ Review Settings Overridden

Status: Overridden Successfully

Guidelines:

• Accepted:

  • General : Review Posture, Domain Invariants

• Rejected: Repo Truth And Alignment (parse error)

Note: Extra guidelines beyond 3 general purpose guidelines and 1 language specific guideline per language are not processed. Guidelines are fetched from the source branch.