ci(deps)(deps): bump the actions group across 1 directory with 6 updates#9
ci(deps)(deps): bump the actions group across 1 directory with 6 updates#9dependabot[bot] wants to merge 1 commit into
Conversation
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
|
@dependabot rebase |
Bumps the actions group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `5.0.1` | `7.0.0` | | [github/codeql-action/init](https://github.com/github/codeql-action) | `1ad29ea4a422cce9a242a9fae469541dcd08addc` | `99df26d4f13ea111d4ec1a7dddef6063f76b97e9` | | [github/codeql-action/analyze](https://github.com/github/codeql-action) | `1ad29ea4a422cce9a242a9fae469541dcd08addc` | `99df26d4f13ea111d4ec1a7dddef6063f76b97e9` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.1` | | [actions/download-artifact](https://github.com/actions/download-artifact) | `4.3.0` | `8.0.1` | | [gitleaks/gitleaks-action](https://github.com/gitleaks/gitleaks-action) | `2.3.9` | `3.0.0` | Updates `actions/checkout` from 5.0.1 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@93cb6ef...9c091bb) Updates `github/codeql-action/init` from 1ad29ea4a422cce9a242a9fae469541dcd08addc to 99df26d4f13ea111d4ec1a7dddef6063f76b97e9 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@1ad29ea...99df26d) Updates `github/codeql-action/analyze` from 1ad29ea4a422cce9a242a9fae469541dcd08addc to 99df26d4f13ea111d4ec1a7dddef6063f76b97e9 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@1ad29ea...99df26d) Updates `actions/upload-artifact` from 4.6.2 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@ea165f8...043fb46) Updates `actions/download-artifact` from 4.3.0 to 8.0.1 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@d3f86a1...3e5f45b) Updates `gitleaks/gitleaks-action` from 2.3.9 to 3.0.0 - [Release notes](https://github.com/gitleaks/gitleaks-action/releases) - [Commits](gitleaks/gitleaks-action@ff98106...e0c47f4) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/download-artifact dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: github/codeql-action/analyze dependency-version: 99df26d4f13ea111d4ec1a7dddef6063f76b97e9 dependency-type: direct:production dependency-group: actions - dependency-name: github/codeql-action/init dependency-version: 99df26d4f13ea111d4ec1a7dddef6063f76b97e9 dependency-type: direct:production dependency-group: actions - dependency-name: gitleaks/gitleaks-action dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
dca4d0b to
4d8d42c
Compare
|
Assessment (2026-07-15, session 472ca883 — post-rebase onto current main): Rebased this onto current main (post #10/#12); the stale unittest/scan failures cleared, but it now fails 2 deliberate version-pin contract tests, and I'm not merging it as-is:
Main CI is green on both tests — the repo deliberately pins these security-workflow action versions (upload-artifact carries CodeQL SARIF; gitleaks/codeql are the secret/security scanners) and tests for them. So this dependabot bump can't merge without a policy decision to accept the major bumps (checkout v5→v7, upload-artifact v4→v7) AND update the contract tests to match. That's a security-workflow-touching, repo-owner call — not an autonomous merge. Options for the owner (Codex/operator): (a) accept the majors → update the two contract tests' pinned versions in the same PR, then merge; (b) keep the deliberate pins → close this and add these actions to a dependabot |
Bumps the actions group with 6 updates in the / directory:
5.0.17.0.01ad29ea4a422cce9a242a9fae469541dcd08addc99df26d4f13ea111d4ec1a7dddef6063f76b97e91ad29ea4a422cce9a242a9fae469541dcd08addc99df26d4f13ea111d4ec1a7dddef6063f76b97e94.6.27.0.14.3.08.0.12.3.93.0.0Updates
actions/checkoutfrom 5.0.1 to 7.0.0Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)df4cb1cUpdate changelog for v6.0.3 (#2446)Updates
github/codeql-action/initfrom 1ad29ea4a422cce9a242a9fae469541dcd08addc to 99df26d4f13ea111d4ec1a7dddef6063f76b97e9Changelog
Sourced from github/codeql-action/init's changelog.
... (truncated)
Commits
Updates
github/codeql-action/analyzefrom 1ad29ea4a422cce9a242a9fae469541dcd08addc to 99df26d4f13ea111d4ec1a7dddef6063f76b97e9Changelog
Sourced from github/codeql-action/analyze's changelog.
... (truncated)
Commits
Updates
actions/upload-artifactfrom 4.6.2 to 7.0.1Release notes
Sourced from actions/upload-artifact's releases.
... (truncated)
Commits
043fb46Merge pull request #797 from actions/yacaovsnc/update-dependency634250cInclude changes in typespec/ts-http-runtime 0.3.5e454baaReadme: bump all the example versions to v7 (#796)74fad66Update the readme with direct upload details (#795)bbbca2dSupport direct file uploads (#764)589182cUpgrade the module to ESM and bump dependencies (#762)47309c9Merge pull request #754 from actions/Link-/add-proxy-integration-tests02a8460Add proxy integration testb7c566aMerge pull request #745 from actions/upload-artifact-v6-releasee516bc8docs: correct description of Node.js 24 support in READMEUpdates
actions/download-artifactfrom 4.3.0 to 8.0.1Release notes
Sourced from actions/download-artifact's releases.
... (truncated)
Commits
3e5f45bAdd regression tests for CJK characters (#471)e6d03f6Add a regression test for artifact name + content-type mismatches (#472)70fc10cMerge pull request #461 from actions/danwkennedy/digest-mismatch-behaviorf258da9Add change docsccc058eFix linting issuesbd7976bAdd a setting to specify what to do on hash mismatch and default it toerrorac21fcfMerge pull request #460 from actions/danwkennedy/download-no-unzip15999bfAdd note about package bumps974686eBump the version tov8and add release notesfbe48b1Update test names to make it clearer what they doUpdates
gitleaks/gitleaks-actionfrom 2.3.9 to 3.0.0Release notes
Sourced from gitleaks/gitleaks-action's releases.
Commits
e0c47f4chore: migrate to Node 24 runtime (v3)bf2dc8eMerge pull request #191 from Olexandr88/patch-1b71323bUpdate README.md9c66aa9Update README.md186c3feCreate FUNDING.yml