chore(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0 #327
dependabot[bot] wants to merge 1 commit into main from
Conversation
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.6.1 to 3.0.0.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@153bb8e...b430933)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Greptile Summary
This PR bumps
Confidence Score: 5/5
Safe to merge — pinned hash correctly targets v3.0.0; only remaining findings are stale comments. The change is a single action runtime bump with no API-breaking changes to workflow inputs/outputs. Both files are updated consistently. The only issue is a cosmetic stale
No files require special attention beyond the minor comment fix.
Important Files Changed
Flowchart
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Tag push / Release PR merged] --> B[release-on-tag.yml / release.yml]
    B --> C[Checkout & Build]
    C --> D[Generate release notes]
    D --> E["softprops/action-gh-release@b4309332 (v3.0.0, Node 24)"]
    E --> F[GitHub Release created]
    F --> G[Publish to npm]
```
| - name: Create GitHub Release | ||
| uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 | ||
| uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2 |
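Review bot: the trailing comment on the new `uses:` line still reads `# v2` although `b430933` is the v3.0.0 release commit listed in the PR description, so the one human-readable version marker an auditor sees now contradicts the pin; change it to `# v3`. As this major bump moves the action from Node 20 to Node 24, also confirm the runner image this job uses can execute Node 24 actions before merging.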
The pinned commit hash now points to v3.0.0, but the trailing comment still reads # v2. This is misleading for anyone auditing the pinned hash.
| uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2 | |
| uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 |
Path: .github/workflows/release-on-tag.yml
Line: 74
Comment:
**Outdated version comment**
The pinned commit hash now points to v3.0.0, but the trailing comment still reads `# v2`. This is misleading for anyone auditing the pinned hash.
```suggestion
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
```
| - name: Create GitHub Release | ||
| uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 | ||
| uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2 |
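Review bot: same stale `# v2` comment on this file's `uses:` line; it should read `# v3`. Since both workflows pin the identical SHA and Dependabot only rewrites the hash, a small CI check that the trailing comment matches the tag the SHA resolves to would catch this on the next bump instead of relying on review.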
Same issue as release-on-tag.yml — the commit hash resolves to v3.0.0, not v2.
| uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2 | |
| uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 |
Path: .github/workflows/release.yml
Line: 117
Comment:
**Outdated version comment**
Same issue as `release-on-tag.yml` — the commit hash resolves to v3.0.0, not v2.
```suggestion
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
```
LGTM — straightforward Dependabot SHA bump; the only finding is a stale version comment noted inline.
Extended reasoning...
Overview
This PR updates from v2.6.1 to v3.0.0 in two workflow files ( and ). The sole change in each file is replacing the pinned SHA on the line.

### Security risks
No meaningful security risk. The new SHA () is the confirmed v3.0.0 release commit per the upstream repo's commit history included in the PR description. The change is a Node 20 → Node 24 runtime upgrade for the action; no new permissions, secrets, or attack surface are introduced.

### Level of scrutiny
Low. This is a mechanical Dependabot-generated SHA substitution with no logic changes. The action is only used at release time and has no access beyond the already present. A major version bump warrants a brief check of the changelog, which confirms the only change is the Node runtime version.

### Other factors
The sole bug reported is a cosmetic comment mismatch ( vs ) with zero runtime impact, already captured as an inline comment. No prior reviews from me exist on this PR. No outstanding unresolved reviewer threads.
| - name: Create GitHub Release | ||
| uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 | ||
| uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2 |
🟡 Both workflow files pin the action to SHA b4309332981a82ec1c5618f44dd2e27cc8bfbfda (the v3.0.0 release commit) but the trailing comment still reads # v2 — it should be # v3. Update the comment in both .github/workflows/release-on-tag.yml (line 74) and .github/workflows/release.yml (line 120).
Extended reasoning...
What the bug is and how it manifests
Both workflow files were updated by this PR to pin softprops/action-gh-release to SHA b4309332981a82ec1c5618f44dd2e27cc8bfbfda, but the human-readable version comment appended to each uses: line was left unchanged as # v2. The SHA is the v3.0.0 release commit, making the comment factually incorrect.
The specific code path that triggers it
The stale comment appears in two places:
.github/workflows/release-on-tag.yml, line 74:
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2
.github/workflows/release.yml, line 120:
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2
In both cases the diff shows the old line also had # v2 — the Dependabot PR updated only the SHA and left the comment as-is.
Why existing code doesn't prevent it
Dependabot automates SHA updates but does not parse or update trailing version comments. There is no CI lint rule checking that the comment matches the actual version tag the SHA resolves to, so the mismatch goes undetected automatically.
What the impact would be
There is no runtime impact — GitHub Actions resolves the action by SHA, ignoring the comment entirely. The SHA b4309332981a82ec1c5618f44dd2e27cc8bfbfda will correctly execute v3.0.0 regardless. The harm is purely informational: any engineer auditing the workflow to verify the action version (e.g., during a security review or incident) will read # v2 and incorrectly conclude the workflow is running the v2 line, potentially spending time investigating a non-issue or missing that Node 24 is in use.
How to fix it
Change # v2 to # v3 on both affected lines:
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
Step-by-step proof
- The PR description's commit list confirms: b430933 release: cut v3.0.0 for Node 24 upgrade (#670) — the SHA b4309332981a82ec1c5618f44dd2e27cc8bfbfda is the v3.0.0 release commit.
- The diff shows both files changed from @153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 to @b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2 — the SHA was updated but # v2 was preserved verbatim.
- An engineer reading either file today sees # v2 and infers the workflow uses a v2.x release, but the SHA actually points to v3.0.0. The comment is wrong in both files.
Note on the duplicate refutation
One verifier argued bug_002 is a duplicate of bug_001. While bug_001's description mentions "both workflow files", the two occurrences are in separate files at separate lines and each requires its own edit. The synthesis agent correctly merged them into a single unified report covering both locations.
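The missing lint described in the review above (a check that the trailing `# vN` comment on a SHA-pinned `uses:` line matches the tag the SHA resolves to), as an added example that is not part of this repository or of the action's own code. The `SHA_TO_TAG` mapping and the `SAMPLE` workflow fragment are constructed stand-ins; a real check would populate the mapping from `git ls-remote --tags` output for each action repository.

```python
"""Flag SHA-pinned `uses:` lines whose '# vN' comment disagrees with the tag
the SHA resolves to. Added example; not the PR's or the action's own code."""
import re

# Matches e.g. "    uses: owner/repo@<40-hex-sha> # v2" and captures the parts.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+)@(?P<sha>[0-9a-f]{40})"
    r"\s*#\s*v?(?P<comment_major>\d+)"
)

# Constructed stand-in for a SHA -> release tag lookup. In real use this would
# be built from `git ls-remote --tags https://github.com/<action>` output.
SHA_TO_TAG = {
    "153bb8e04406b158c6c84fc1615b65b24149a1fe": "v2.6.1",
    "b4309332981a82ec1c5618f44dd2e27cc8bfbfda": "v3.0.0",
}


def check_workflow(text, sha_to_tag=SHA_TO_TAG):
    """Return (line_no, sha, commented_version, resolved_tag) for every pinned
    line whose comment is stale; resolved_tag is None for an unknown SHA."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.search(line)
        if not m:
            continue  # not a SHA-pinned line with a version comment
        commented = "v" + m["comment_major"]
        tag = sha_to_tag.get(m["sha"])
        if tag is None:
            findings.append((line_no, m["sha"], commented, None))
            continue
        if tag.lstrip("v").split(".")[0] != m["comment_major"]:
            findings.append((line_no, m["sha"], commented, tag))
    return findings


# Constructed fragment mirroring the PR's stale line plus a correct one.
SAMPLE = """\
steps:
  - name: Create GitHub Release
    uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2
  - name: Older pin whose comment is still right
    uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
"""

if __name__ == "__main__":
    for line_no, sha, commented, tag in check_workflow(SAMPLE):
        print(f"line {line_no}: {sha[:7]} is {tag or 'unknown'}, comment says {commented}")
```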
Bumps softprops/action-gh-release from 2.6.1 to 3.0.0.
Release notes
Sourced from softprops/action-gh-release's releases.
Changelog
Sourced from softprops/action-gh-release's changelog.
... (truncated)
Commits
- b430933 release: cut v3.0.0 for Node 24 upgrade (#670)
- c2e35e0 chore(deps): bump the npm group across 1 directory with 7 updates (#783)
- 3bb1273 release 2.6.2
- c34030f chore: bump node to 24.14.1
- 8975bd0 chore(deps): bump vite from 8.0.0 to 8.0.5 (#781)
- f71937f chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 (#777)
- 3f0d239 chore(deps): bump picomatch from 4.0.3 to 4.0.4 (#775)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)