chore(deps): bump the github-actions group across 1 directory with 5 updates #1364
dependabot[bot] wants to merge 2 commits into main from
Conversation
| - name: Upload validation report | ||
| if: inputs.upload-artifact && always() | ||
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4.4.3 | ||
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4.4.3 |
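Review bot: the added line keeps the trailing comment `# v4.4.3`, yet the PR description says actions/upload-artifact moves from 7.0.0 to 7.0.1, so the new SHA 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a corresponds to v7.0.1, not v4.4.3; change the comment to `# v7.0.1` so that the SHA-staleness and version-consistency checks compare against the version actually pinned.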
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files

| Coverage Diff | main | #1364 | +/- |
|---|---|---|---|
| Coverage | 87.66% | 87.65% | -0.02% |
| Files | 61 | 61 | |
| Lines | 9328 | 9328 | |
| Hits | 8177 | 8176 | -1 |
| Misses | 1151 | 1152 | +1 |

Flags with carried forward coverage won't be shown.
…updates

Bumps the github-actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` |
| [github/gh-aw-actions](https://github.com/github/gh-aw-actions) | `2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc` | `ea222e359276c0702a5f5203547ff9d88d0ddd76` |
| [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) | `4.0.0` | `5.0.0` |
| [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `3.0.0` | `3.1.1` |
| [googleapis/release-please-action](https://github.com/googleapis/release-please-action) | `4.4.0` | `4.4.1` |

Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

Updates `github/gh-aw-actions` from 2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc to ea222e359276c0702a5f5203547ff9d88d0ddd76
- [Release notes](https://github.com/github/gh-aw-actions/releases)
- [Changelog](https://github.com/github/gh-aw-actions/blob/main/CHANGELOG.md)
- [Commits](github/gh-aw-actions@2fe53ac...ea222e3)

Updates `actions/upload-pages-artifact` from 4.0.0 to 5.0.0
- [Release notes](https://github.com/actions/upload-pages-artifact/releases)
- [Commits](actions/upload-pages-artifact@7b1f4a7...fc324d3)

Updates `actions/create-github-app-token` from 3.0.0 to 3.1.1
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](actions/create-github-app-token@f8d387b...1b10c78)

Updates `googleapis/release-please-action` from 4.4.0 to 4.4.1
- [Release notes](https://github.com/googleapis/release-please-action/releases)
- [Changelog](https://github.com/googleapis/release-please-action/blob/main/CHANGELOG.md)
- [Commits](googleapis/release-please-action@16a9c90...5c625bf)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/gh-aw-actions
  dependency-version: ea222e359276c0702a5f5203547ff9d88d0ddd76
  dependency-type: direct:production
  dependency-group: github-actions
- dependency-name: actions/upload-pages-artifact
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/create-github-app-token
  dependency-version: 3.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: googleapis/release-please-action
  dependency-version: 4.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Dependency Review
Author: dependabot[bot] | Type: GitHub Actions group bump (5 actions)
All SHA pinning is compliant — every reference uses a full commit SHA with a version comment. ✅
Dependency Changes
| Action | From | To | Classification | Assessment |
|---|---|---|---|---|
| actions/upload-artifact | 7.0.0 | 7.0.1 | Patch | ✅ Safe — README and internal typespec/ts-http-runtime dep update only |
| github/gh-aw-actions | 2fe53acc | ea222e35 | SHA refresh | ✅ Safe — same v0.68.1 tag, SHA updated to latest commit |
| actions/upload-pages-artifact | 4.0.0 | 5.0.0 | Major | |
| actions/create-github-app-token | 3.0.0 | 3.1.1 | Minor | ✅ Safe — bug fix (improved error message) and internal p-retry bump |
| googleapis/release-please-action | 4.4.0 | 4.4.1 | Patch | ✅ Safe — patch release |
⚠️ actions/upload-pages-artifact 4 → 5 (Major Bump)
Per review policy, major version bumps require human confirmation before approval. That said, this bump appears low-risk:
- The v5.0.0 changelog shows only additive changes: the internal `upload-artifact` dependency was updated from v4 to v7, and a new optional `include-hidden-files` input was added.
- No inputs were removed or renamed.
- The sole usage in `deploy-docs.yml` passes only a `path:` argument, which is unchanged.
A human reviewer should confirm this assessment before merging.
📝 Pre-existing Observation
actions/create-github-app-token is referenced with a # v2.0.0 version comment in several workflow files, but Dependabot reports the bump is from 3.0.0 → 3.1.1. The stale version comment predates this PR and is not introduced by it. Consider correcting these comments in a follow-up to keep SHA staleness checks accurate.
Generated by Dependabot PR Review for issue #1364
PR Review: chore(deps): bump the github-actions group across 1 directory with 5 updates
This PR bumps 5 GitHub Actions dependencies to their latest SHA-pinned versions across 34 workflow files. The underlying dependency updates are mechanically correct — all SHAs use full commit hashes with inline version comments as required — but several process requirements are unmet and one code quality issue needs attention.
📋 Issue Alignment
❌ No linked issue found.
The PR body does not contain any issue reference (Fixes #, Closes #, or Resolves #). A linked issue is required by the repository's contribution process. For automated dependency update PRs, a standing tracking issue (e.g., "Track GitHub Actions dependency updates") or a dedicated issue per update batch should be linked.
📄 PR Template Compliance
The PR uses Dependabot's auto-generated format rather than the repository PR template (.github/PULL_REQUEST_TEMPLATE.md). The following required fields are absent:
| Required Field | Status |
|---|---|
| Related Issue(s) | ❌ Missing |
| Type of Change checkboxes | ❌ None checked (Dependency update applies) |
| Testing description | ❌ Missing |
| Checklist — Required Checks | ❌ Not completed |
| Security Considerations attestations | ❌ Not completed |
🔧 Coding Standards
The dependency pinning convention is followed — all updated references use the full commit SHA format with a trailing version comment, matching the required pattern:
uses: actions/action-name@<full-sha> # vX.Y.Z
However, a version comment inconsistency exists (see inline comment on action-version-consistency-scan.yml line 117):
The # v4.4.3 annotation on actions/upload-artifact in approximately 20 workflow files is incorrect. Per the PR description, this action is being updated from 7.0.0 → 7.0.1, meaning the SHA represents v7.0.1, not v4.4.3. Other files in this same PR correctly label the identical SHA as # v7. This pre-existing mislabelling is carried forward unchanged and should be corrected to # v7.0.1.
This is particularly notable because action-version-consistency-scan.yml (the workflow that enforces version comment accuracy across the repo) itself carries the incorrect comment.
🔒 Code Quality and Security
- ✅ No secrets or sensitive data introduced
- ✅ No logic changes — pure SHA pointer updates
- ✅ All 5 updated actions use properly pinned full SHAs
- ✅ No breaking changes to workflow behaviour
- ⚠️ Version comment inconsistency noted above (`# v4.4.3` vs. actual `# v7.0.1`)
✅ Action Items
- Link a GitHub issue to this PR (create a tracking issue for dependency updates if one does not exist).
- Check the `Dependency update` checkbox under "Infrastructure & Configuration" in the PR template Type of Change section.
- Correct the `# v4.4.3` version comments to `# v7.0.1` in all affected workflow files where `actions/upload-artifact` carries the wrong annotation. A follow-up PR or amendment to this one is acceptable.
Note
🔒 Integrity filter blocked 1 item
The following item was blocked because it doesn't meet the GitHub integrity level.
- #1364
pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
tools:
  github:
    min-integrity: approved # merged | approved | unapproved | none
| - name: Upload validation report | ||
| if: inputs.upload-artifact && always() | ||
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4.4.3 | ||
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4.4.3 |
# v4.4.3 does not match the actual version being pinned here.
According to this PR's own description, actions/upload-artifact is being bumped from 7.0.0 → 7.0.1, meaning 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a is the SHA for v7.0.1 — not v4.4.3. Notably, the same SHA (bbbca2ddaa5d8feaa63e36b76fdaad77386f024f) is correctly annotated as # v7 in other files within this PR (e.g., dependency-pr-review.lock.yml), making this a pre-existing mislabelling that this bump carries forward.
Per the workflow conventions, the version comment should accurately reflect the pinned version:
# ✅ Correct
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
# ❌ Incorrect (current)
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4.4.3
This same issue affects all other workflows in this PR that carry the # v4.4.3 comment for this action: copyright-headers.yml, dependency-pinning-scan.yml, frontmatter-validation.yml, gitleaks-scan.yml, link-lang-check.yml, markdown-link-check.yml, markdown-lint.yml, msdate-freshness-check.yml, pester-tests.yml, pip-audit.yml, ps-script-analyzer.yml, pytest-tests.yml, python-lint.yml, sha-staleness-check.yml, skill-validation.yml, spell-check.yml, table-format.yml, workflow-permissions-scan.yml, and yaml-lint.yml. The version comment should be corrected to # v7.0.1 (or at minimum # v7) in all of these files.
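The Coding Standards section of the review above and this inline comment both rest on the same check: every `uses:` reference must be a full commit SHA, and one SHA should carry one version label across the whole workflow set. The script below is an added example, not code from this repository or its workflows, that runs that check offline over constructed workflow snippets; the SHA and the `# v4.4.3` / `# v7` labels are the ones this PR discusses, while the file contents and the unpinned `@v5` tag are assumed for illustration.

```python
import re
from collections import defaultdict

# Matches a GitHub Actions `uses:` reference such as
#   uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
# capturing the action, the ref (SHA or tag) and the trailing version comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflows, not files from the repository: the first two
# label the same upload-artifact SHA differently, the third is not SHA-pinned.
SHA = "043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"
SAMPLE_WORKFLOWS = {
    "yaml-lint.yml": f"steps:\n  - uses: actions/upload-artifact@{SHA} # v4.4.3\n",
    "dependency-pr-review.lock.yml": f"steps:\n  - uses: actions/upload-artifact@{SHA} # v7\n",
    "deploy-docs.yml": "steps:\n  - uses: actions/upload-pages-artifact@v5\n",
}

def parse_uses(path, text):
    """Yield (path, line_no, action, ref, comment) for each uses: line."""
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            yield path, n, m["action"], m["ref"], m["comment"]

def audit(workflows):
    """Return (unpinned, conflicts): refs that are not a full 40-hex commit SHA,
    and {(action, sha): {comment: [paths]}} for every SHA whose version comment
    differs between files (the mislabelling the review above points out)."""
    unpinned = []
    labels = defaultdict(lambda: defaultdict(list))
    for path, text in workflows.items():
        for p, n, action, ref, comment in parse_uses(path, text):
            if FULL_SHA_RE.match(ref):
                labels[(action, ref)][comment].append(p)
            else:
                unpinned.append((p, n, action, ref))
    conflicts = {k: dict(v) for k, v in labels.items() if len(v) > 1}
    return unpinned, conflicts

if __name__ == "__main__":
    bad_refs, bad_labels = audit(SAMPLE_WORKFLOWS)
    for p, n, action, ref in bad_refs:
        print(f"{p}:{n}: {action}@{ref} is not pinned to a full commit SHA")
    for (action, sha), by_comment in bad_labels.items():
        print(f"{action}@{sha[:7]} has conflicting version comments: {by_comment}")
```

Pointing `audit` at the real `.github/workflows/*.yml` contents reports both classes of finding without any network access; confirming which label is the correct one for a SHA still needs the upstream tag, which is what the repository's sha-staleness check covers.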
Bumps the github-actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| actions/upload-artifact | 7.0.0 | 7.0.1 |
| github/gh-aw-actions | 2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc | ea222e359276c0702a5f5203547ff9d88d0ddd76 |
| actions/upload-pages-artifact | 4.0.0 | 5.0.0 |
| actions/create-github-app-token | 3.0.0 | 3.1.1 |
| googleapis/release-please-action | 4.4.0 | 4.4.1 |

Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
Release notes
Sourced from actions/upload-artifact's releases.
Commits
- 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
- 634250c Include changes in typespec/ts-http-runtime 0.3.5
- e454baa Readme: bump all the example versions to v7 (#796)
- 74fad66 Update the readme with direct upload details (#795)

Updates `github/gh-aw-actions` from 2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc to ea222e359276c0702a5f5203547ff9d88d0ddd76
Changelog
Sourced from github/gh-aw-actions's changelog.
Commits

Updates `actions/upload-pages-artifact` from 4.0.0 to 5.0.0
Release notes
Sourced from actions/upload-pages-artifact's releases.
Commits
- fc324d3 Merge pull request #139 from Tom-van-Woudenberg/patch-1
- fe9d4b7 Merge branch 'main' into patch-1
- 0ca1617 Merge pull request #137 from jonchurch/include-hidden-files
- 57f0e84 Update action.yml
- 4a90348 v7 --> hash
- 56f665a Update upload-artifact action to version 7
- f7615f5 Add `include-hidden-files` input

Updates `actions/create-github-app-token` from 3.0.0 to 3.1.1
Release notes
Sourced from actions/create-github-app-token's releases.
Commits
- 1b10c78 build(release): 3.1.1 [skip ci]
- 07e2b76 fix: improve error message when app identifier is empty (#362)
- ea01216 ci: remove publish-immutable-action workflow (#361)
- 7bd0371 build(release): 3.1.0 [skip ci]
- e6bd4e6 feat: add `client-id` input and deprecate `app-id` (#353)
- 076e948 feat: update permission inputs (#358)
- 3bbe07d fix(deps): bump p-retry from 7.1.1 to 8.0.0 (#357)
- 28a99e3 build(deps-dev): bump c8 from 10.1.3 to 11.0.0
- 4df5060 build(deps-dev): bump open-cli from 8.0.0 to 9.0.0
- 4843c53 build(deps-dev): bump the development-dependencies group with 3 updates

Updates `googleapis/release-please-action` from 4.4.0 to 4.4.1
Release notes
Sourced from googleapis/release-please-action's releases.
Changelog
Sourced from googleapis/release-please-action's changelog.
... (truncated)
Commits
- 5c625bf chore(main): release 4.4.1 (#1187)
- 8bb7a2e chore: build dist (#1186)
- ef9c274 fix: bump release-please from 17.1.3 to 17.3.0 (#1183)
- 64d83e9 docs(README): add missing action inputs + package options (#1176)