
Bump the go-dependencies group with 2 updates #67

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/go-dependencies-3709dcd30f

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 3, 2026

Bumps the go-dependencies group with 2 updates: codacy/codacy-analysis-cli-action and snyk/actions.

Updates codacy/codacy-analysis-cli-action from 1.1.0 to 4.4.7

Release notes

Sourced from codacy/codacy-analysis-cli-action's releases.

Bump CLI version to 7.9.25

No release notes provided.

Adds support for High severity

This release adds support for the newly added High severity

v4.4.5

What's Changed

v4.4.4

What's Changed

v4.4.3

What's Changed

v4.4.2

What's Changed

New Contributors

... (truncated)

Commits

Updates snyk/actions from 806182742461562b67788a64410098c9d9b96adb to 8e119fbb6c251787721d34ba683ed48eba792766

Commits
  • 8e119fb chore: update codeowners [prodsec-10215] (#209)
  • 9cf6ca7 chore: [skip ci] update codeowners [prodsec-10215] (#205)
  • 9adf32b chore(ci): adjust to build release based on current branch (#202)
  • ce71ff9 feat: release stable v1.0.0 (#201)
  • de2dda6 chore(ci): pin action to immutable sha (#199)
  • 6f87086 chore(ci): generate GitHub releases based on commits (#198)
  • e222141 fix: update upload-sarif documentations (#196)
  • 42be729 chore: add security.md [PRODSEC-5886] (#197)
  • 10a13eb fix: synchronizing Github actions templates (#195)
  • 7d78c83 chore: fixing wrong github warning markdown
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go-dependencies group with 2 updates: [codacy/codacy-analysis-cli-action](https://github.com/codacy/codacy-analysis-cli-action) and [snyk/actions](https://github.com/snyk/actions).


Updates `codacy/codacy-analysis-cli-action` from 1.1.0 to 4.4.7
- [Release notes](https://github.com/codacy/codacy-analysis-cli-action/releases)
- [Commits](codacy/codacy-analysis-cli-action@d840f88...562ee3e)

Updates `snyk/actions` from 806182742461562b67788a64410098c9d9b96adb to 8e119fbb6c251787721d34ba683ed48eba792766
- [Release notes](https://github.com/snyk/actions/releases)
- [Commits](snyk/actions@8061827...8e119fb)

---
updated-dependencies:
- dependency-name: codacy/codacy-analysis-cli-action
  dependency-version: 4.4.7
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: go-dependencies
- dependency-name: snyk/actions
  dependency-version: 8e119fbb6c251787721d34ba683ed48eba792766
  dependency-type: direct:production
  dependency-group: go-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Updating dependencies via GitHub Actions label Jun 3, 2026

github-actions Bot commented Jun 3, 2026

🧪 Unit testing results

Status: ✅ success

📊 Report summary

| Report | Tests | Passed ✅ | Skipped ⚠️ | Failed |
|---|---|---|---|---|
| JUnit Test Report | 29 ran | 26 passed | 3 skipped | 0 failed |


github-actions Bot commented Jun 3, 2026

AI Code Review

Brief Summary of Changes:

  • This PR updates the GitHub Actions dependencies used for SAST (Static Application Security Testing) workflows:
    • codacy/codacy-analysis-cli-action is upgraded from commit d840f886... (v1.1.0) to 562ee3e9... (v4.4.7).
    • snyk/actions/setup is upgraded from commit 8061827... to 8e119fb....

Critical Findings:

  • No critical vulnerabilities or breaking changes are visible in the workflow diff itself (the GitHub Actions configuration).
  • These actions are third-party; reviewing their upgrade changelog and source for breaking changes or newly introduced security risks should always be part of the upgrade process.
  • The update to Codacy analysis action spans several major releases. If your workflow depends on deprecated or altered inputs/outputs, this could silently break SAST runs or result interpretation.
  • For both Codacy and Snyk, their update could change CLI invocation, authentication, configuration, or report formats. However, based on the diff, your workflow input keys have not changed, which suggests compatibility, but this must be verified against each vendor's changelog.

Suggestions for the Author:

  1. Perform Validation: After the upgrade, trigger the workflows and verify that SAST results are still being produced and uploaded correctly. Check action logs for warnings or errors.
  2. Check Changelogs: Review the changelog/release notes for both dependencies—Codacy’s updates include many features and fixes, and a major CLI version bump. Confirm that all workflow inputs, environment variables, and outputs are still valid.
  3. Backward Compatibility: Since both dependencies have changed significantly, especially Codacy—which jumped several major versions—it’s possible that some action inputs or outputs may have changed. Double-check usage for deprecated values or behaviors described in release notes.
  4. Security Considerations: These actions run untrusted code (pulling and running scanners). Ensure you pin by SHA (which you do), avoid using floating tags, and audit permissions required by the action.
  5. Test Edge Cases: If you rely on output parsing, SARIF reports, or custom configuration pipelines, validate those pathways after the upgrade.
  6. Workflow Inputs: Monitor for new/changed parameters or options (e.g., Codacy's new "High severity" support or "registry-address" parameter) to ensure you're not missing out on new features or unintentionally misconfiguring analysis.

Conclusion:

  • This is a routine dependency bump initiated by Dependabot, pinning actions by SHA, which is good practice.
  • The changes present no immediate security or logic bugs in the workflow diff, but major version upgrades require careful testing as outlined above.
  • No critical issues found, but thorough validation after update is essential.
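A check a reviewer can run against the workflow this PR touches, added here as an example and not code from this repository or from either vendor: it walks every `uses:` line, classifies the ref as a full commit SHA, a short SHA, a version tag or a branch name, and reports anything not pinned to a full SHA. The sample workflow is constructed; the snyk ref is the SHA this PR pins to, while the codacy tag is a stand-in for a floating ref.

```python
import re

# Matches a GitHub Actions `uses:` line of the form owner/repo[/path]@ref
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^@\s"\']+)@([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def classify_ref(ref):
    """Classify a ref: full 'sha' (immutable), 'short-sha', 'tag' or 'branch'."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if re.fullmatch(r'[0-9a-f]{7,39}', ref):
        return "short-sha"  # resolvable today, but not guaranteed unique
    if re.fullmatch(r'v?\d+(\.\d+)*', ref):
        return "tag"  # the action owner can move or delete a tag
    return "branch"

def audit_workflow(text):
    """Return (action, ref, kind, pinned) for every remote action in the workflow."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if action.startswith("docker://"):
            continue  # container refs are pinned by image digest, not git SHA
        kind = classify_ref(ref)
        findings.append((action, ref, kind, kind == "sha"))
    return findings

# Constructed sample workflow (not the repository's real file): the snyk ref is
# the SHA this PR pins to; the codacy tag stands in for a floating ref.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Snyk setup
        uses: snyk/actions/setup@8e119fbb6c251787721d34ba683ed48eba792766
      - name: Codacy
        uses: codacy/codacy-analysis-cli-action@v4.4.7   # floating tag
"""

if __name__ == "__main__":
    for action, ref, kind, pinned in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{'OK  ' if pinned else 'WARN'} {action}@{ref} ({kind})")
```

Running it on the sample flags `actions/checkout@v4` and the codacy tag as mutable refs and accepts the snyk step, which is the state Dependabot's SHA-pinned bump leaves the workflow in.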
