Bump check-spelling/check-spelling from 0.0.25 to 0.0.26

[dependabot]

Bumps check-spelling/check-spelling from 0.0.25 to 0.0.26.

Release notes

Sourced from check-spelling/check-spelling's releases.

Release 0.0.26 (Immutable)

⏩ Upgrading

• 🧪 Test first on a branch 🏷️ by changing your workflow tags/references to this release
• See 🐣 Breaking Changes for how to adapt your workflow
• See 🐛 Known Issues for known issues

🐣 Breaking Changes

• The output for truncated items in logs is now wrapped to 15 "words" per line to make GitHub's pattern matchers happy (this shouldn't impact anyone, but if you're parsing logs, you may notice -- you should use the generated artifact instead).
• Commit instructions are now generated using apply.pl (unifying code) -- this may result in different commit suggestions than previous versions.
• Dropped support for custom_task (use task instead)
• Changed stem handling for words like GC'd (previously they didn't work well because GC was smaller than the default minimum word length)
• If you use allowing-select-actions-and-reusable-workflows-to-run, you will need to include:

  check-spelling/checkout-merge@c9cfe4b33a6ceb6c13136887a6fd3a3ed6443f28 # v0.0.8 

✨ New Features

• 🏴 Flag homoglyphs in words
• 🇹 Check images
• ⚙️ config.json for defining configuration using json instead of in workflows. This should make it easier to merge configuration/use unified configuration. It also enables load-config-from
• ⚙️ load-config-from -- GitHub changed the behavior of workflows running via pull_request_target to rely on the default branch for configuration. You can use this setting to allow interpreting specific settings from config.json from the base branch (or the head branch).
• ℹ️ Unused configuration file warning
• ⏭️ Ignore next line

Fixes

• Permission check for pull requests from forks -- GitHub broke an API at the beginning of April 2026
• Ignore suppress_push_for_open_pull_request when pull requests are disabled
• Git config is no longer edited
• Fix GitHub code scanning detection -- GitHub changed the response previously used to identify its availability
• Waits for hunspell dictionary downloads to resolve before proceeding to check spelling

Improvements

• Switched to using UTF8
• Switched from :...: to unicode emoji
• Improved pattern parsing and handling of broken patterns
• Removed most use of rsync
• Comment task no longer requires a checkout (all information is produced in the spelling task and packaged in the artifact)
• Added allow-hunspell -- for use as allow-hunspell: false to disable hunspell support
• Improved YAML parsing
• Candidate and Forbidden Patterns will now automatically expand if there are only one or two

Messages

• Harmonized messages and error codes

SARIF

• Added additional escapes to make GitHub -> VS Code integration
• Improved error handling
• Enhanced descriptions & advice for messages

... (truncated)

Commits

• cfb6f7e action: Release v0.0.26
• c11aa0b unknown-words: Switch write permission check to description field
• 7eb3c25 unknown-words: Skip suppress_push_for_open_pull_request when has_pull_request...
• 8829605 unknown-words: Mark up check_inputs warnings
• f29a368 LoadEnv: Allow personal access tokens for token inputs
• 75984cc unknown-words: Let get_page fail when call_curl fails
• aa438bf unknown-words: Fix code scanning detection
• e6acb73 summary-tables: Fix summary-tables-error message
• 58147a2 unknown-words: Harmonize message to use title case
• fbd0cbb secpoll: Set annotation title
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Summary by cubic

Upgrades the spelling workflow to check-spelling/check-spelling@v0.0.26 to pick up upstream fixes and features. No application code changes; only the GitHub Actions workflow is updated.

Summary of changes

• Changed behavior: Workflow now uses check-spelling/check-spelling v0.0.26 for check and comment steps; upstream adjusts log wrapping and commit suggestions, improves pattern/YAML parsing, waits for dictionary downloads, and fixes fork permission checks.
• New behavior available (not enabled here): Homoglyph flagging, image checking, config.json + load-config-from, unused-config warnings, and ignore-next-line support.
• Removed behavior: None in our workflow. Upstream dropped custom_task (we don’t use it), so no impact.
• Memory: No impact; CI-only action update with similar resource use.
• Security: Low risk. Patch includes permission-check fix for forks; if your org restricts actions, you may need to allow check-spelling/checkout-merge@v0.0.8. No new secrets required. Consider pinning to a commit SHA for stricter supply-chain controls.
• Tests: No unit tests added; validated via CI run of the updated workflow.

^{Written for commit fb48ec0. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 1 file