chore(deps): bump the actions group across 1 directory with 8 updates#274
chore(deps): bump the actions group across 1 directory with 8 updates#274dependabot[bot] wants to merge 1 commit into
Conversation
Bumps the actions group with 8 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `4` | `7` | | [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) | `3` | `5` | | [actions/deploy-pages](https://github.com/actions/deploy-pages) | `4` | `5` | | [actions/github-script](https://github.com/actions/github-script) | `7` | `9` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4` | `7` | | [actions/download-artifact](https://github.com/actions/download-artifact) | `4` | `8` | | [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `2` | `3` | | [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `2` | `4` | Updates `actions/checkout` from 4 to 7 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v7) Updates `actions/upload-pages-artifact` from 3 to 5 - [Release notes](https://github.com/actions/upload-pages-artifact/releases) - [Commits](actions/upload-pages-artifact@v3...v5) Updates `actions/deploy-pages` from 4 to 5 - [Release notes](https://github.com/actions/deploy-pages/releases) - [Commits](actions/deploy-pages@v4...v5) Updates `actions/github-script` from 7 to 9 - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@v7...v9) Updates `actions/upload-artifact` from 4 to 7 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v4...v7) Updates `actions/download-artifact` from 4 to 8 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v4...v8) Updates `softprops/action-gh-release` from 2 to 3 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](softprops/action-gh-release@v2...v3) Updates `actions/attest-build-provenance` from 2 to 4 - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](actions/attest-build-provenance@v2...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/upload-pages-artifact dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/deploy-pages dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/github-script dependency-version: '9' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/download-artifact dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: softprops/action-gh-release dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/attest-build-provenance dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
| image: golang:1.26.4 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v7 |
There was a problem hiding this comment.
Potential issue: actions/checkout@v7 may not exist. As of the latest known releases, actions/checkout has not published a v7 tag (the latest stable major version is v4). Using a non-existent action version will cause this workflow to fail immediately at runtime.
Please verify that actions/checkout@v7 has actually been released before merging. If it hasn't, keep @v4 or update to whatever the actual latest major version is.
Note: The same concern applies to the other action version bumps across your workflows (upload-artifact@v7, download-artifact@v8, github-script@v9, deploy-pages@v5, attest-build-provenance@v4, softprops/action-gh-release@v3, upload-pages-artifact@v5). Please verify each one exists.
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v7 |
There was a problem hiding this comment.
Potential issue: Unverified action version. actions/checkout@v7 may not exist. As of the latest known releases, actions/checkout is at v4. Using a non-existent version tag will cause the workflow to fail immediately at the checkout step.
Please verify that v7 is a valid, published release tag for actions/checkout before merging. If it doesn't exist yet, keep using @v4 or pin to a specific commit SHA for better security.
|
|
||
| - name: Post review comments to PR | ||
| uses: actions/github-script@v7 | ||
| uses: actions/github-script@v9 |
There was a problem hiding this comment.
Potential issue: Unverified action version. actions/github-script@v9 may not exist. As of the latest known releases, actions/github-script is at v7. Using a non-existent version tag will cause this step (and the entire job) to fail, meaning review comments will never be posted to the PR.
Please verify that v9 is a valid, published release tag for actions/github-script before merging. If it doesn't exist yet, keep using @v7 or pin to a specific commit SHA.
|
|
||
| - name: Create GitHub Release | ||
| uses: softprops/action-gh-release@v2 | ||
| uses: softprops/action-gh-release@v3 |
There was a problem hiding this comment.
Security: Third-party action pinned to mutable tag. softprops/action-gh-release is a third-party action and should be pinned to a full commit SHA rather than a mutable version tag (v3). Tags can be moved or hijacked, which poses a supply-chain risk for a release workflow that handles artifacts and credentials.
Consider pinning to a specific commit SHA, e.g.:
uses: softprops/action-gh-release@<full-commit-sha> # v3You can find the SHA corresponding to v3 on the action's releases page.
Rebasing might not happen immediately, so don't worry if this takes some time.
Note: if you make any changes to this PR yourself, they will take precedence over the rebase.
Bumps the actions group with 8 updates in the / directory:
4735457947482324Updates
actions/checkoutfrom 4 to 7Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)df4cb1cUpdate changelog for v6.0.3 (#2446)Updates
actions/upload-pages-artifactfrom 3 to 5Release notes
Sourced from actions/upload-pages-artifact's releases.
Commits
fc324d3Merge pull request #139 from Tom-van-Woudenberg/patch-1fe9d4b7Merge branch 'main' into patch-10ca1617Merge pull request #137 from jonchurch/include-hidden-files57f0e84Update action.yml4a90348v7 --> hash56f665aUpdate upload-artifact action to version 7f7615f5Addinclude-hidden-filesinput7b1f4a7Merge pull request #127 from heavymachinery/pin-sha4cc19c7Pinactions/upload-artifactto SHA2d163beMerge pull request #107 from KittyChiu/mainUpdates
actions/deploy-pagesfrom 4 to 5Release notes
Sourced from actions/deploy-pages's releases.
... (truncated)
Commits
cd2ce8fMerge pull request #404 from salmanmkc/node24bbe2a95Update Node.js version to 24.x854d7aaMerge pull request #374 from actions/Jcambass-patch-1306bb81Add workflow file for publishing releases to immutable action packageb742728Merge pull request #360 from actions/dependabot/npm_and_yarn/npm_and_yarn-513...7273294Bump braces in the npm_and_yarn group across 1 directory963791fMerge pull request #361 from actions/dependabot-friendly51bb29dMake the rebuild dist workflow safer for Dependabot89f3d10Merge pull request #358 from actions/dependabot/npm_and_yarn/non-breaking-cha...bce7355Merge branch 'main' into dependabot/npm_and_yarn/non-breaking-changes-99c12deb21Updates
actions/github-scriptfrom 7 to 9Release notes
Sourced from actions/github-script's releases.
... (truncated)
Commits
3a2844bMerge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...ca10bbdfix: use@octokit/core/types import for v7 compatibility86e48e2merge: incorporate main branch changesc108472chore: rebuild dist for v9 upgrade and getOctokit factoryafff112Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...ff8117eci: fix user-agent test to handle orchestration ID81c6b78ci: use deployment: false to suppress deployment noise from integration tests3953cafdocs: update README examples from@v8to@v9, add getOctokit docs and v9 brea...c17d55bci: add getOctokit integration test joba047196test: add getOctokit integration tests via callAsyncFunctionUpdates
actions/upload-artifactfrom 4 to 7Release notes
Sourced from actions/upload-artifact's releases.
... (truncated)
Commits
043fb46Merge pull request #797 from actions/yacaovsnc/update-dependency634250cInclude changes in typespec/ts-http-runtime 0.3.5e454baaReadme: bump all the example versions to v7 (#796)74fad66Update the readme with direct upload details (#795)bbbca2dSupport direct file uploads (#764)589182cUpgrade the module to ESM and bump dependencies (#762)47309c9Merge pull request #754 from actions/Link-/add-proxy-integration-tests02a8460Add proxy integration testb7c566aMerge pull request #745 from actions/upload-artifact-v6-releasee516bc8docs: correct description of Node.js 24 support in READMEUpdates
actions/download-artifactfrom 4 to 8Release notes
Sourced from actions/download-artifact's releases.
... (truncated)
Commits
3e5f45bAdd regression tests for CJK characters (#471)e6d03f6Add a regression test for artifact name + content-type mismatches (#472)70fc10cMerge pull request #461 from actions/danwkennedy/digest-mismatch-behaviorf258da9Add change docsccc058eFix linting issuesbd7976bAdd a setting to specify what to do on hash mismatch and default it toerrorac21fcfMerge pull request #460 from actions/danwkennedy/download-no-unzip15999bfAdd note about package bumps974686eBump the version tov8and add release notesfbe48b1Update test names to make it clearer what they doUpdates
softprops/action-gh-releasefrom 2 to 3Release notes
Sourced from softprops/action-gh-release's releases.
... (truncated)
Changelog
Sourced from softprops/action-gh-release's changelog.
Commits
718ea10release 3.0.1f1a938bchore(deps): bump esbuild from 0.28.0 to 0.28.1 (#802)0066eadchore(deps): bump vite from 8.0.14 to 8.0.16 (#806)dc643cachore(deps): bump the npm group with 3 updates (#805)85ee99bchore(deps): bump actions/checkout in the github-actions group (#804)9ed3cf9chore(deps): bump the npm group with 2 updates (#800)3efcac8chore(deps): bump the npm group with 3 updates (#798)05d6b91chore(deps): bump brace-expansion from 5.0.5 to 5.0.6 (#797)403a524chore(deps): bump@types/nodefrom 24.12.2 to 24.12.3 in the npm group (#796)437e073chore(deps): bump the npm group with 4 updates (#792)Updates
actions/attest-build-provenancefrom 2 to 4Release notes
Sourced from actions/attest-build-provenance's releases.