chore(deps): bump the github-actions group across 1 directory with 5 updates#15
chore(deps): bump the github-actions group across 1 directory with 5 updates#15dependabot[bot] wants to merge 1 commit into
Conversation
…updates Bumps the github-actions group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/cache](https://github.com/actions/cache) | `5.0.3` | `5.0.5` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [actions/download-artifact](https://github.com/actions/download-artifact) | `8.0.0` | `8.0.1` | | [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) | `1.13.0` | `1.14.0` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.32.3` | `4.35.4` | Updates `actions/cache` from 5.0.3 to 5.0.5 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@cdf6c1f...27d5ce7) Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@bbbca2d...043fb46) Updates `actions/download-artifact` from 8.0.0 to 8.0.1 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@70fc10c...3e5f45b) Updates `pypa/gh-action-pypi-publish` from 1.13.0 to 1.14.0 - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](pypa/gh-action-pypi-publish@ed0c539...cef2210) Updates `github/codeql-action` from 4.32.3 to 4.35.4 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@9e907b5...68bde55) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/download-artifact dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: pypa/gh-action-pypi-publish dependency-version: 1.14.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.35.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
Up to standards ✅🟢 Issues
|
There was a problem hiding this comment.
Pull Request Overview
A significant issue was identified in the release workflow where an incorrect SHA for 'pypa/gh-action-pypi-publish' results in a version downgrade to v1.12.4 instead of the intended upgrade to v1.14.0. This should be corrected to ensure intended features and security patches are applied. Additionally, there is a minor documentation inconsistency in the CodeQL workflow where the version comment remains generic compared to other updated actions. Codacy analysis indicates the PR is up to standards with no new quality or complexity issues.
About this PR
- Note that 'pypa/gh-action-pypi-publish' v1.14.0 now enables 'verbose' and 'print-hash' by default. This will increase the output volume of the publish step in the release workflow.
Test suggestions
- Verify 'actions/cache' successfully restores and saves the .venv and Docker Compose caches in the CI workflow using v5.0.5.
- Verify 'actions/upload-artifact' correctly uploads the build distribution in the release workflow using v7.0.1.
- Verify 'actions/download-artifact' correctly retrieves the distribution for release asset attachment and PyPI publishing using v8.0.1.
- Confirm successful publication to PyPI using 'pypa/gh-action-pypi-publish' v1.14.0, noting that verbose logging and hash printing are now enabled by default.
- Verify CodeQL analysis initializes and runs successfully using the updated 4.35.4 bundle/action.
TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback
|
|
||
| - name: Publish to PyPI | ||
| uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 | ||
| uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 |
There was a problem hiding this comment.
🟡 MEDIUM RISK
The pinned SHA cef221092ed1bacb1cc03d23a2d87d1d172e277b points to v1.12.4, not v1.14.0. This results in a downgrade from the previous version (v1.13.0). To correctly upgrade to v1.14.0, use the corresponding SHA.
| uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 | |
| uses: pypa/gh-action-pypi-publish@070f3f2d0db3b426027c4424ee385c94297813a1 # v1.14.0 |
|
|
||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4 | ||
| uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4 |
There was a problem hiding this comment.
⚪ LOW RISK
Nitpick: The version comment here still says '# v4', whereas other updated actions in this PR (like actions/cache) were updated to show the full semantic version (e.g., # v5.0.5). Consider updating this to '# v4.35.4' for consistency and clarity.
|
Looks like these dependencies are updatable in another way, so this is no longer needed. |
Bumps the github-actions group with 5 updates in the / directory:
5.0.35.0.57.0.07.0.18.0.08.0.11.13.01.14.04.32.34.35.4Updates
actions/cachefrom 5.0.3 to 5.0.5Release notes
Sourced from actions/cache's releases.
Changelog
Sourced from actions/cache's changelog.
... (truncated)
Commits
27d5ce7Merge pull request #1747 from actions/yacaovsnc/update-dependencyf280785licensed changes619aeb1npm run build generated dist filesbcf16c2Update ts-http-runtime to 0.3.56682284Merge pull request #1738 from actions/prepare-v5.0.4e340396Update RELEASES8a67110Add licenses1865903Update dependencies & patch security vulnerabilities5656298Merge pull request #1722 from RyPeck/patch-14e380d1Fix cache key in examples.md for bun.lockUpdates
actions/upload-artifactfrom 7.0.0 to 7.0.1Release notes
Sourced from actions/upload-artifact's releases.
Commits
043fb46Merge pull request #797 from actions/yacaovsnc/update-dependency634250cInclude changes in typespec/ts-http-runtime 0.3.5e454baaReadme: bump all the example versions to v7 (#796)74fad66Update the readme with direct upload details (#795)Updates
actions/download-artifactfrom 8.0.0 to 8.0.1Release notes
Sourced from actions/download-artifact's releases.
Commits
3e5f45bAdd regression tests for CJK characters (#471)e6d03f6Add a regression test for artifact name + content-type mismatches (#472)Updates
pypa/gh-action-pypi-publishfrom 1.13.0 to 1.14.0Release notes
Sourced from pypa/gh-action-pypi-publish's releases.
Commits
cef2210Merge pull request #397 from whitequark/patch-1b4595e2Enableverboseandprint-hashby default.e2bab26Merge pull request #395 from him2him2/docs/fix-typos-and-grammar7495c38docs: fix typos and grammar in README and SECURITY03f86feMerge pull request #388 from woodruffw-forks/ww/rm-experimental4c78f1cMerge branch 'unstable/v1' into ww/rm-experimentalb5a6e8bdeps: bump sigstore and pypi-attestationsa48a03eremove another experimental mention8087a88action: remove a lingering mention of PEP 740 being experimental3317ede🧪 Integrate actionlint via pre-commit frameworkUpdates
github/codeql-actionfrom 4.32.3 to 4.35.4Release notes
Sourced from github/codeql-action's releases.
... (truncated)
Changelog
Sourced from github/codeql-action's changelog.
... (truncated)
Commits
68bde55Merge pull request #3885 from github/update-v4.35.4-803d9e8c39739ad2Update changelog for v4.35.4803d9e8Merge pull request #3883 from github/mbg/test/macro-wrapper0fd9c7dMerge pull request #3882 from github/dependabot/github_actions/dot-github/wor...922d6fbUsemakeMacroinstead oftest.macrodf77e87Update test macro snippet6e3f985Add wrapper fortest.macroe7a347dMerge pull request #3881 from github/update-bundle/codeql-bundle-v2.25.417eabb2Rebuildaaef09cBump ruby/setup-rubyDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions