build(deps): Bump the github-actions group across 1 directory with 5 updates#263
Open
dependabot[bot] wants to merge 1 commit into
Open
build(deps): Bump the github-actions group across 1 directory with 5 updates#263dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Conversation
Contributor
There was a problem hiding this comment.
IcebergAutoReview
Verdict: approve
The supply-chain update is correctly scoped and compatible. All five actions remain pinned to immutable 40-character SHAs with accurate version comments. The major upgrades’ documented breaking changes do not affect the workflow’s current inputs or image-signing command.
Findings
- No blocking findings.
Validation
- Inspected the complete main...HEAD diff and commit ancestry.
- Verified action SHA pins, version comments, workflow permissions, conditions, inputs, and Cosign invocation.
- Ran git diff --check main...HEAD successfully.
Residual risks / optional notes
- Tag-only attestation, signing, and publishing are not exercised by PR CI or the build-only workflow_dispatch path; compatibility relies on upstream migration guarantees until the next release.
Automated review by Codex 5c70494f0d1d using IcebergAutoReview.
…updates Bumps the github-actions group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [github/codeql-action/init](https://github.com/github/codeql-action) | `4.37.0` | `4.37.1` | | [github/codeql-action/analyze](https://github.com/github/codeql-action) | `4.37.0` | `4.37.1` | | [docker/metadata-action](https://github.com/docker/metadata-action) | `5.10.0` | `6.2.0` | | [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `3.2.0` | `4.1.1` | | [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `3.10.1` | `4.1.2` | Updates `github/codeql-action/init` from 4.37.0 to 4.37.1 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@99df26d...7188fc3) Updates `github/codeql-action/analyze` from 4.37.0 to 4.37.1 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@99df26d...7188fc3) Updates `docker/metadata-action` from 5.10.0 to 6.2.0 - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](docker/metadata-action@c299e40...dc80280) Updates `actions/attest-build-provenance` from 3.2.0 to 4.1.1 - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](actions/attest-build-provenance@96278af...0f67c3f) Updates `sigstore/cosign-installer` from 3.10.1 to 4.1.2 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@7e8b541...6f9f177) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-version: 4.1.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: docker/metadata-action dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: github/codeql-action/analyze dependency-version: 4.37.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action/init dependency-version: 4.37.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: sigstore/cosign-installer dependency-version: 4.1.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/github_actions/github-actions-935b04e165
branch
from
July 19, 2026 10:41
5c70494 to
ff606ca
Compare
Contributor
There was a problem hiding this comment.
IcebergAutoReview
Verdict: approve
The follow-up head is a clean rebase onto current main with no changes to the previously approved PR content. All five action upgrades remain correctly scoped and immutably pinned.
Findings
- No blocking findings.
Validation
- Confirmed HEAD has current main as its direct parent and main...HEAD changes only the two expected workflow files.
- Confirmed both workflow blobs are identical to prior approved head 5c70494.
- Verified all five actions use 40-character SHA pins with matching version comments.
- Ran git diff --check main...HEAD successfully.
Residual risks / optional notes
- Release-only attestation, signing, and publishing remain unexercised by PR CI; compatibility relies on the reviewed upstream migration guarantees until the next tagged release.
Automated review by Codex ff606cada851 using IcebergAutoReview.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the github-actions group with 5 updates in the / directory:
4.37.04.37.14.37.04.37.15.10.06.2.03.2.04.1.13.10.14.1.2Updates
github/codeql-action/initfrom 4.37.0 to 4.37.1Release notes
Sourced from github/codeql-action/init's releases.
Changelog
Sourced from github/codeql-action/init's changelog.
... (truncated)
Commits
7188fc3Merge pull request #4020 from github/update-v4.37.1-9e7c07009c8b5f69Update changelog for v4.37.19e7c070Merge pull request #4014 from github/mbg/explicit-remote-prefix3492b7eChangeREMOTE_PATH_PREFIXtoremote=3654baaMerge remote-tracking branch 'origin/main' into mbg/explicit-remote-prefix2d682acMerge pull request #4017 from github/dependabot/github_actions/dot-github/wor...23f6a50Merge pull request #4009 from github/mbg/action-state/additions1ee3c75Merge pull request #4018 from github/dependabot/github_actions/dot-github/wor...e053684Merge pull request #4015 from github/dependabot/npm_and_yarn/npm-minor-fd2e83...6803c56Merge pull request #4019 from github/update-bundle/codeql-bundle-v2.26.1Updates
github/codeql-action/analyzefrom 4.37.0 to 4.37.1Release notes
Sourced from github/codeql-action/analyze's releases.
Changelog
Sourced from github/codeql-action/analyze's changelog.
... (truncated)
Commits
7188fc3Merge pull request #4020 from github/update-v4.37.1-9e7c07009c8b5f69Update changelog for v4.37.19e7c070Merge pull request #4014 from github/mbg/explicit-remote-prefix3492b7eChangeREMOTE_PATH_PREFIXtoremote=3654baaMerge remote-tracking branch 'origin/main' into mbg/explicit-remote-prefix2d682acMerge pull request #4017 from github/dependabot/github_actions/dot-github/wor...23f6a50Merge pull request #4009 from github/mbg/action-state/additions1ee3c75Merge pull request #4018 from github/dependabot/github_actions/dot-github/wor...e053684Merge pull request #4015 from github/dependabot/npm_and_yarn/npm-minor-fd2e83...6803c56Merge pull request #4019 from github/update-bundle/codeql-bundle-v2.26.1Updates
docker/metadata-actionfrom 5.10.0 to 6.2.0Release notes
Sourced from docker/metadata-action's releases.
Commits
dc80280Merge pull request #696 from docker/dependabot/npm_and_yarn/docker/actions-to...2b9fe83[dependabot skip] chore: update generated content8128ce3chore(deps): Bump@docker/actions-toolkitfrom 0.91.0 to 0.92.01d1c895Merge pull request #695 from docker/dependabot/npm_and_yarn/semver-7.8.57f0c2ddMerge pull request #694 from docker/dependabot/npm_and_yarn/sigstore-4.1.1025f8c5[dependabot skip] chore: update generated contente98d63cchore(deps): Bump semver from 7.8.1 to 7.8.537d9379chore(deps): Bump sigstore from 4.1.0 to 4.1.1a1b8072Merge pull request #690 from docker/dependabot/npm_and_yarn/sigstore/core-3.2.1e0e3381[dependabot skip] chore: update generated contentUpdates
actions/attest-build-provenancefrom 3.2.0 to 4.1.1Release notes
Sourced from actions/attest-build-provenance's releases.
Commits
0f67c3fBump actions/checkout from 6.0.3 to 7.0.0 (#857)21b787dUpdate actions/attest to v4.1.1 (#858)f14352aadd dependabot cooldown (#851)2c04a00Bump actions/checkout from 6.0.2 to 6.0.3 in the actions-minor group (#850)10334b5remove badges from README (#840)c5efebdremove prober workflows (#837)a2bbfa2bump actions/attest from 4.0.0 to 4.1.0 (#838)0856891update RELEASE.md docs (#836)e4d4f7cprepare v4 release (#835)02a49bdBump github/codeql-action in the actions-minor group (#824)Updates
sigstore/cosign-installerfrom 3.10.1 to 4.1.2Release notes
Sourced from sigstore/cosign-installer's releases.
Commits
6f9f177Bump cosign to 3.0.6 (#232)b5e753aBump actions/github-script from 8.0.0 to 9.0.0 (#230)115e4ceBump actions/setup-go from 6.3.0 to 6.4.0 (#226)cad07c2chore: update default cosign-release to v3.0.5 (#223)ba7bc0afix: add retry to curl downloads for transient network failures (#210)5a292e1Bump cosign to 3.0.5 (#220)351ea76Bump actions/checkout from 6.0.1 to 6.0.2 (#217)c17565ftest with go 1.26 too (#221)a6fdd19Bump actions/setup-go from 6.1.0 to 6.3.0 (#218)430b6a7docs: fix registry from gcr.io to ghcr.io (#213)