chore(deps): bump googleapis/release-please-action from 4 to 5

[dependabot]

Bumps googleapis/release-please-action from 4 to 5.

Release notes

Sourced from googleapis/release-please-action's releases.

v5.0.0

5.0.0 (2026-04-22)

⚠ BREAKING CHANGES

• upgrade to node24 (#1188)

Features

• upgrade to node24 (#1188) (46dfc01)

Bug Fixes

• bump release-please from 17.3.0 to 17.6.0 (#1199) (f533c26)

v4.4.1

4.4.1 (2026-02-20)

Bug Fixes

• bump release-please from 17.1.3 to 17.3.0 (#1183) (ef9c274)

v4.4.0

4.4.0 (2025-10-09)

Features

• add ability to select versioning-strategy and release-as (#1121) (ee0f5ba)

Bug Fixes

• changelog-host parameter ignored when using manifest configuration (#1151) (535c413)
• bump mocha from 11.7.1 to 11.7.2 in the npm_and_yarn group across 1 directory (#1149) (3612a99)
• bump release-please from 17.1.2 to 17.1.3 (#1158) (66fbfe9)

v4.3.0

4.3.0 (2025-08-20)

Features

• deps: update release-please to 17.1.2 (f07192c)

v4.2.0

4.2.0 (2025-03-07)

... (truncated)

Changelog

Sourced from googleapis/release-please-action's changelog.

4.1.1 (2024-05-14)

Bug Fixes

• bump release-please from 16.10.0 to 16.10.2 (#969) (aa764e0)
• bump the npm_and_yarn group with 1 update (#967) (ce529d4)

4.1.0 (2024-03-11)

Features

• add changelog-host input to action.yml (#948) (863b06f)

4.0.3 (2024-03-11)

Bug Fixes

• bump release-please from 16.5.0 to 16.10.0 (#953) (d7e88e0)

4.0.2 (2023-12-18)

Bug Fixes

• bump release-please from 16.4.0 to 16.5.0 (#905) (df71963)
• log release-please version (#910) (2a496d1), closes #325

4.0.1 (2023-12-07)

Bug Fixes

• bump release-please from 16.3.1 to 16.4.0 (#897) (2463dad)

4.0.0 (2023-12-01)

⚠ BREAKING CHANGES

• remove most configuration options in favor of manifest configuration to configure the release-please-action
• rewrite in typescript
• remove command option in favor of setting release-type and skip-github-release/skip-github-pull-request
• run on node20
• deps: upgrade release-please to v16
• v4 release

Features

... (truncated)

Commits

• 45996ed chore(main): release 5.0.0 (#1200)
• a8121b9 chore: build dist (#1201)
• f533c26 fix: bump release-please from 17.3.0 to 17.6.0 (#1199)
• 46dfc01 feat!: upgrade to node24 (#1188)
• See full diff in compare view

Summary by CodeRabbit

• Chores
  • Updated release and publish workflow automation tooling.

[four-bytes-robby]

@dependabot rebase

[coderabbitai]

Walkthrough

Walkthrough

Both GitHub Actions workflow files (.github/workflows/publish.yml and .github/workflows/release.yml) update the googleapis/release-please-action action reference from @v4 to @v5. No other workflow logic, steps, or configuration are changed.

Changes

release-please-action Version Bump

Layer / File(s)	Summary
Action version update in both workflows .github/workflows/publish.yml, .github/workflows/release.yml	The googleapis/release-please-action step in each workflow is updated from @v4 to @v5. All other steps and conditions remain unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title directly and clearly describes the main change: bumping the googleapis/release-please-action dependency from version 4 to version 5, which matches the actual changeset modifications.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{Tip: You can configure your own custom pre-merge checks in the settings.}

Finishing Touches

Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/github_actions/googleapis/release-please-action-5

Simplify code

• Create PR with simplified code
• Commit simplified code in branch dependabot/github_actions/googleapis/release-please-action-5

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Nitpick comments (1)

.github/workflows/publish.yml (1)

18-18: ⚡ Quick win

Consider pinning actions to commit hashes for supply chain security.

Both workflow files reference googleapis/release-please-action@v5 using a tag. Pinning to a commit hash (e.g., @abc123...) instead of a mutable tag prevents potential supply chain attacks where an attacker compromises the v5 tag to point to malicious code.

• .github/workflows/publish.yml#L18-L18: Pin googleapis/release-please-action@v5 to its release commit hash.
• .github/workflows/release.yml#L22-L22: Pin googleapis/release-please-action@v5 to its release commit hash.

Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml at line 18, Both
`.github/workflows/publish.yml` (line 18-18) and `.github/workflows/release.yml`
(line 22-22) use a mutable tag reference for the
googleapis/release-please-action action. To improve supply chain security,
replace the `@v5` tag reference with a pinned commit hash at both locations.
Find the current release commit hash for v5 of the
googleapis/release-please-action repository and update both uses of
`googleapis/release-please-action@v5` to
`googleapis/release-please-action@<commit-hash>` to prevent potential tag
manipulation attacks.

Source: Linters/SAST tools

Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/publish.yml:
- Line 18: Both `.github/workflows/publish.yml` (line 18-18) and
`.github/workflows/release.yml` (line 22-22) use a mutable tag reference for the
googleapis/release-please-action action. To improve supply chain security,
replace the `@v5` tag reference with a pinned commit hash at both locations.
Find the current release commit hash for v5 of the
googleapis/release-please-action repository and update both uses of
`googleapis/release-please-action@v5` to
`googleapis/release-please-action@<commit-hash>` to prevent potential tag
manipulation attacks.

---

Review info

Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 3540c5c6-e71f-4670-a350-58605c985443

Commits

Reviewing files that changed from the base of the PR and between a881853 and d9ec374.

Files selected for processing (2)

• .github/workflows/publish.yml
• .github/workflows/release.yml