10 changes: 5 additions & 5 deletions .github/workflows/ci.yml
Expand Up @@ -24,7 +24,7 @@ jobs:
with:
persist-credentials: false
- name: Install uv and set Python version
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
version: "0.11.2"
python-version: "3.13"
Expand All @@ -41,12 +41,12 @@ jobs:
with:
persist-credentials: false
- name: Install uv and set Python version
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
version: "0.11.2"
python-version: "3.13"
enable-cache: true # zizmor: ignore[cache-poisoning] CI-only, no artifacts published
- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 # zizmor: ignore[cache-poisoning]
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.4 # zizmor: ignore[cache-poisoning]
🟡 The actions/cache SHA on this line was bumped from 668228422ae6a00e4ad889ee87cd7109ec5666a7 (v5.0.4) to 27d5ce7f107fe9357f9df03efb73ab90386fccae (v5.0.5), but the trailing version comment was left at # v5.0.4. The other four dependency bumps in this PR correctly updated their comments — only this one was missed by Dependabot. Update the comment to # v5.0.5 so the human-readable annotation matches the pinned SHA, per commit d5ce2d2 ("chore(ci): pin action version comments to immutable patch tags").

Extended reasoning...

What's wrong

At .github/workflows/ci.yml:49, the diff updates only the SHA half of the pinned-action reference and leaves the comment stale:

-      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 # zizmor: ignore[cache-poisoning]
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.4 # zizmor: ignore[cache-poisoning]

The new SHA 27d5ce7f107fe9357f9df03efb73ab90386fccae is the merge commit for actions/cache#1747 ("Update ts-http-runtime dependency"), which is the sole change in the v5.0.5 release. The PR's own description table also explicitly lists actions/cache moving from 5.0.4 → 5.0.5. So the SHA is v5.0.5 but the comment still says v5.0.4.

Step-by-step proof

  1. The PR description's update table reads: actions/cache | 5.0.4 | 5.0.5.
  2. The new SHA in the diff is 27d5ce7f107fe9357f9df03efb73ab90386fccae.
  3. Per the v5.0.5 release notes, that SHA is the v5.0.5 tag's merge commit ("Merge pull request #1747 from actions/yacaovsnc/update-dependency").
  4. The trailing comment in the diff still reads # v5.0.4.
  5. Therefore the SHA-to-comment mapping is now incorrect: comment claims v5.0.4, SHA actually points to v5.0.5.

Why this matters

Pinning by SHA with a human-readable version comment is only useful if the comment is truthful — that's the whole point of the policy added in commit d5ce2d2 ("chore(ci): pin action version comments to immutable patch tags"). A reviewer or auditor scanning workflows for "what version of actions/cache are we on?" would read v5.0.4 and be wrong. The other four bumps in this same PR (setup-uv, codeql-action/init, codeql-action/analyze, fetch-metadata, slack-github-action) all had their comments correctly updated; only actions/cache was missed. This is purely a Dependabot diff inconsistency.

Impact

No runtime effect — the pinned SHA is what's actually executed. This is strictly a documentation/annotation correctness issue. However, it directly contradicts the project's recently-codified pinning policy, so it should be corrected before merge.

Fix

Change line 49 from:

- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.4 # zizmor: ignore[cache-poisoning]

to:

- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 # zizmor: ignore[cache-poisoning]

name: Cache mypy cache
with:
path: ./.mypy_cache
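Review bot: the `actions/cache` line in this hunk moves the pinned SHA from 668228422ae6a00e4ad889ee87cd7109ec5666a7 to 27d5ce7f107fe9357f9df03efb73ab90386fccae but keeps the trailing `# v5.0.4`, while every other bump in this PR updates the tag comment together with the SHA; change it to `# v5.0.5` before merge, because nothing at run time validates that comment and it is what a reader auditing pinned versions will trust. On the same line, the `# zizmor: ignore[cache-poisoning]` suppression carries none of the justification given on the `enable-cache` line just above it (`CI-only, no artifacts published`); repeating that reason there keeps the suppression self-explanatory when the lines are read apart.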
Expand Down Expand Up @@ -82,7 +82,7 @@ jobs:
with:
persist-credentials: false
- name: Install uv and set Python version
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
version: "0.11.2"
python-version: ${{ matrix.python-version }}
Expand Down Expand Up @@ -145,7 +145,7 @@ jobs:
with:
persist-credentials: false
- name: Install uv and set Python version
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
version: "0.11.2"
python-version: "3.13"
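The annotation drift flagged in the review comment above (SHA bumped, `# vX.Y.Z` comment left behind) is mechanical enough to catch in a pre-merge check. The following is an added example, not code from this PR or the project: a small Python checker that pairs each removed SHA-pinned `uses:` line in a unified diff with the added line for the same action and reports where the SHA changed but the version comment did not. The sample diff is constructed from two of the hunks on this page; `USES_RE`, `Pin` and `stale_comments` are names chosen here.

```python
import re
from typing import List, NamedTuple, Optional

# A SHA-pinned action reference with its human-readable tag comment, e.g.
#   uses: actions/cache@<40-hex-sha> # v5.0.5 # zizmor: ignore[...]
USES_RE = re.compile(
    r"uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<sha>[0-9a-f]{40})"
    r"\s*#\s*(?P<tag>v\d+(?:\.\d+)*)"
)

class Pin(NamedTuple):
    action: str
    sha: str
    tag: str

def parse_pin(line: str) -> Optional[Pin]:
    """(action, sha, tag) of a pinned `uses:` line; None if the line is not
    SHA-pinned or carries no version comment."""
    m = USES_RE.search(line)
    return Pin(m["action"], m["sha"], m["tag"]) if m else None

def stale_comments(diff: str) -> List[Pin]:
    """Pair each removed pinned line with the next added line for the same
    action; report pins whose SHA changed while the version comment did not."""
    removed, findings = {}, []
    for raw in diff.splitlines():
        if raw.startswith("-") and not raw.startswith("---"):
            old = parse_pin(raw[1:])
            if old:
                removed[old.action] = old
        elif raw.startswith("+") and not raw.startswith("+++"):
            new = parse_pin(raw[1:])
            if new and new.action in removed:
                old = removed.pop(new.action)
                if old.sha != new.sha and old.tag == new.tag:
                    findings.append(new)
    return findings

# Constructed sample: two of the bumps from this PR's ci.yml diff.
SAMPLE_DIFF = """\
-      uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
+      uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
-      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 # zizmor: ignore[cache-poisoning]
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.4 # zizmor: ignore[cache-poisoning]
"""

if __name__ == "__main__":
    for pin in stale_comments(SAMPLE_DIFF):
        print(f"{pin.action}: SHA moved to {pin.sha} but comment still says {pin.tag}")
```

Run against `git diff` output in CI, the check would have blocked this PR on the `actions/cache` line alone while passing the setup-uv bump.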
4 changes: 2 additions & 2 deletions .github/workflows/codeql.yml
Expand Up @@ -61,7 +61,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
Expand Down Expand Up @@ -89,6 +89,6 @@ jobs:
exit 1

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
with:
category: "/language:${{matrix.language}}"
2 changes: 1 addition & 1 deletion .github/workflows/dependabot-merge.yml
Expand Up @@ -15,7 +15,7 @@ jobs:
steps:
- name: Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 # v3.0.0
uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Enable auto-merge for Dependabot PRs
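Review bot: the `dependabot/fetch-metadata` bump in this hunk is consistent (new SHA with a matching `# v3.1.0` comment), but the `Enable auto-merge for Dependabot PRs` step that follows means bumps like this one can land without a human reading the diff; the stale `# v5.0.4` annotation on the `actions/cache` line in ci.yml in this same PR is exactly what that path lets through, so consider making auto-merge conditional on a check that every pinned SHA's trailing version comment changed together with the SHA.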
6 changes: 3 additions & 3 deletions .github/workflows/release.yml
Expand Up @@ -71,7 +71,7 @@ jobs:
persist-credentials: false

- name: Install uv and set Python version
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
version: "0.11.2"
python-version: "3.12"
Expand Down Expand Up @@ -321,7 +321,7 @@ jobs:

- name: Notify Slack on success
if: success()
uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
uses: slackapi/slack-github-action@03ea5433c137af7c0495bc0cad1af10403fc800c # v3.0.2
with:
webhook: ${{ secrets.SLACK_WEBHOOK_RELEASES }}
webhook-type: incoming-webhook
Expand Down Expand Up @@ -405,7 +405,7 @@ jobs:

- name: Notify Slack on failure
if: failure()
uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
uses: slackapi/slack-github-action@03ea5433c137af7c0495bc0cad1af10403fc800c # v3.0.2
with:
webhook: ${{ secrets.SLACK_WEBHOOK_ENGINEERING }}
webhook-type: incoming-webhook