chore(deps): bump the github-actions group across 1 directory with 3 updates #1995
dependabot[bot] wants to merge 1 commit into
…updates

Bumps the github-actions group with 3 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [actions/download-artifact](https://github.com/actions/download-artifact) and [actions/setup-python](https://github.com/actions/setup-python).

Updates `actions/checkout` from 6.0.2 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v6.0.2...v7)

Updates `actions/download-artifact` from 4.3.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v4.3.0...3e5f45b)

Updates `actions/setup-python` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a309ff8...ece7cb0)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-python
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
| n: ${{ steps.gen.outputs.n }} | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0 | ||
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0 |
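Review bot: the trailing `# v5.0.0` comment on the added line is stale. The PR description identifies `9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0` as the actions/checkout v7.0.0 commit, and the removed line's comment was already wrong for `de0fac2e…` (the review comment on this thread notes that SHA is v6.0.2). The runner resolves `uses:` by SHA, so nothing breaks, but anyone reading this hunk sees v5.0.0 on both sides and misses a major bump, and Dependabot only keeps the comment current when it already matches, so it will stay stale on every future bump. Suggest `- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0`. Since the v7.0.0 commit list includes "block checking out fork pr for pull_request_target and workflow_run (#2454)", also confirm this workflow does not rely on checking out fork PR heads under those triggers before merging.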
🟡 The four actions/checkout SHA pins in this file were bumped to 9c091bb2... (v7.0.0) but the trailing # v5.0.0 comments were left unchanged on lines 48, 90, 130, and 146. Every other workflow in this PR was updated to # v7.0.0; only this file was missed. Cosmetic only — the SHA determines the runtime version — but fixing to # v7.0.0 keeps the file honest for reviewers.
Extended reasoning...
What the inconsistency is. In .github/workflows/collectivex-sweep.yml, four actions/checkout uses were pinned to SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd with a trailing # v5.0.0 comment. That comment was already inaccurate before this PR (that SHA is the v6.0.2 tag — every other file in this repo annotates it as # v6.0.2), but Dependabot only rewrites the version comment when it matches the format it expects. Since this file's comment said # v5.0.0 rather than # v6.0.2, Dependabot bumped the SHA to 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 (v7.0.0) and left the comment alone.

Why it's misleading. A reader scanning git diff sees # v5.0.0 on both sides of the hunk and reasonably concludes the workflow is still on v5. In reality, the SHA now resolves to v7.0.0 — a major-version upgrade with a breaking change (v7.0.0 blocks checking out fork PRs for pull_request_target and workflow_run, per the release notes in the PR description). Hiding a major bump behind an incorrect comment degrades reviewer trust in every future dependabot bump of this file.

Cross-checking every other file in this PR. benchmark-multinode-tmpl.yml, benchmark-tmpl.yml, claude-pr-review.yml, codeowner-signoff-verify.yml, collect-evals.yml, collect-results.yml, e2e-tests.yml, profile.yml, run-sweep.yml, speedbench-al.yml, test-changelog-gate.yml, test-matrix-logic.yml, and test-process-result.yml all correctly show actions/checkout@9c091bb2... # v7.0.0 after Dependabot's bump. The SHA is identical across every file. Only collectivex-sweep.yml is left with the stale # v5.0.0 on all four occurrences.

Runtime impact. None. GitHub Actions resolves uses: by SHA, not by the trailing comment, so the four steps will execute actions/checkout v7.0.0 exactly like every other workflow in this PR. This is purely a code-review / audit-trail issue.

Step-by-step proof.
1. Before this PR, line 48 read: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0. Cross-reference: benchmark-tmpl.yml (line 164 before this PR) had the same SHA annotated as # v6.0.2 — confirming the pre-existing comment was already wrong (SHA de0fac2e = v6.0.2).
2. This PR's diff at line 48 changes only the SHA: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0.
3. Cross-reference the new SHA against benchmark-tmpl.yml (post-PR): - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0. Same SHA, correctly labeled # v7.0.0.
4. The PR description's Dependabot release notes explicitly confirm SHA 9c091bb is the v7.0.0 tip commit ("update error wording (#2467)" — the last commit before v7.0.0 was cut).
5. Therefore, line 48 (and by identical logic lines 90, 130, 146) is documenting the pin as v5.0.0 when it is actually running v7.0.0.

Fix. One-line change per occurrence: replace # v5.0.0 with # v7.0.0 on lines 48, 90, 130, and 146 of .github/workflows/collectivex-sweep.yml. Nothing else needs to change.
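The drift the comment above describes (one SHA annotated `# v5.0.0` in one workflow and `# v7.0.0` in others) is easy to catch mechanically. The script below is an added example, not part of this PR or the repository: it scans `uses:` lines in a set of workflow files, reports any commit SHA whose trailing version comments disagree, and separately lists steps pinned to a mutable tag instead of a full SHA. The checkout SHA is the v7.0.0 commit quoted in the PR; the file names and contents in `SAMPLE` are constructed.

```python
"""Audit SHA-pinned `uses:` lines in GitHub workflow files for drift between the
pinned commit and its trailing version comment."""
import re
from collections import defaultdict

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# "uses: owner/repo[/path]@ref", optionally followed by "# vX.Y.Z" on the same line.
USES_RE = re.compile(
    r"uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[\w.-]+)(?:[ \t]*#[ \t]*(?P<tag>v[\w.-]+))?"
)

def iter_uses(workflows):
    """Yield (file, action, ref, tag_or_None) for every `uses:` line in {file: yaml_text}."""
    for name, text in workflows.items():
        for m in USES_RE.finditer(text):
            yield name, m["action"], m["ref"], m["tag"]

def find_mismatches(workflows):
    """{(action, sha): {tag: [files]}} for SHAs whose version comments disagree.
    A missing comment is recorded as None, so a bare SHA pin also surfaces."""
    pins = defaultdict(lambda: defaultdict(list))
    for name, action, ref, tag in iter_uses(workflows):
        if SHA40.match(ref):
            pins[(action, ref)][tag].append(name)
    return {key: dict(tags) for key, tags in pins.items() if len(tags) > 1}

def find_unpinned(workflows):
    """(file, action, ref) for `uses:` lines pinned to a mutable tag or branch."""
    return [(n, a, r) for n, a, r, _ in iter_uses(workflows) if not SHA40.match(r)]

# Constructed sample: the checkout SHA is the v7.0.0 commit quoted in the PR;
# the file names and the download-artifact tag pin are illustrative.
CHECKOUT_V7 = "9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0"
SAMPLE = {
    "collectivex-sweep.yml": (
        f"steps:\n  - uses: actions/checkout@{CHECKOUT_V7} # v5.0.0\n"
        f"  - uses: actions/checkout@{CHECKOUT_V7} # v5.0.0\n"
    ),
    "benchmark-tmpl.yml": f"steps:\n  - uses: actions/checkout@{CHECKOUT_V7} # v7.0.0\n",
    "e2e-tests.yml": (
        f"steps:\n  - uses: actions/checkout@{CHECKOUT_V7} # v7.0.0\n"
        "  - uses: actions/download-artifact@v4\n"
    ),
}

if __name__ == "__main__":
    for (action, sha), tags in find_mismatches(SAMPLE).items():
        print(f"{action}@{sha[:7]}: conflicting version comments {tags}")
    for name, action, ref in find_unpinned(SAMPLE):
        print(f"{name}: {action}@{ref} is not pinned to a full commit SHA")
```

Pointing the two functions at `{path: open(path).read()}` over `.github/workflows/*.yml` turns this into a pre-merge check that would have flagged collectivex-sweep.yml in this PR.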
Bumps the github-actions group with 3 updates in the / directory: actions/checkout, actions/download-artifact and actions/setup-python.
Updates `actions/checkout` from 6.0.2 to 7.0.0

Release notes
Sourced from actions/checkout's releases.

Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)
- df4cb1c Update changelog for v6.0.3 (#2446)
Updates `actions/download-artifact` from 4.3.0 to 8.0.1

Release notes
Sourced from actions/download-artifact's releases.
... (truncated)

Commits
- 3e5f45b Add regression tests for CJK characters (#471)
- e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
- 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
- f258da9 Add change docs
- ccc058e Fix linting issues
- bd7976b Add a setting to specify what to do on hash mismatch and default it to error
- ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
- 15999bf Add note about package bumps
- 974686e Bump the version to v8 and add release notes
- fbe48b1 Update test names to make it clearer what they do
Updates `actions/setup-python` from 6.2.0 to 6.3.0

Release notes
Sourced from actions/setup-python's releases.

Commits
- ece7cb0 Fix pip cache error handling on Windows. (#1040)
- 1d18d7a Update advanced-usage.md (#811)
- d2b357a Update dependency versions and test workflow configuration (#1322)
- 8f639b1 Merge pull request #1324 from jasongin/update-actions-cache-5.1.0
- 6731c2b Resolve high-severity audit issues
- 0cb1a84 Add RHEL support and include Linux distro in cache keys (#1323)
- dc6eab6 Update dist
- 6f4b74b Strict equality
- fa8bde1 Bump @actions/cache to 5.1.0, log cache write denied
- c8813ba Upgrade @actions dependencies and update licenses (#1303)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions