chore(deps): bump the github-actions group across 1 directory with 9 updates#2636
chore(deps): bump the github-actions group across 1 directory with 9 updates#2636dependabot[bot] wants to merge 1 commit into
Conversation
…updates Bumps the github-actions group with 9 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `4.3.1` | `6.0.2` | | [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) | `1.0.53` | `1.0.123` | | [actions/github-script](https://github.com/actions/github-script) | `8.0.0` | `9.0.0` | | [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `7.2.1` | `8.1.0` | | [actions/setup-node](https://github.com/actions/setup-node) | `6.2.0` | `6.4.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `6.0.0` | `7.0.1` | | [actions/download-artifact](https://github.com/actions/download-artifact) | `7.0.0` | `8.0.1` | | [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) | `1.13.0` | `1.14.0` | | [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | `8.1.0` | `8.1.1` | Updates `actions/checkout` from 4.3.1 to 6.0.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4.3.1...de0fac2) Updates `anthropics/claude-code-action` from 1.0.53 to 1.0.123 - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@2f8ba26...51ea8ea) Updates `actions/github-script` from 8.0.0 to 9.0.0 - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@ed59741...3a2844b) Updates `astral-sh/setup-uv` from 7.2.1 to 8.1.0 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@803947b...0880764) Updates `actions/setup-node` from 6.2.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@6044e13...48b55a0) Updates `actions/upload-artifact` from 6.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@b7c566a...043fb46) Updates `actions/download-artifact` from 7.0.0 to 8.0.1 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@37930b1...3e5f45b) Updates `pypa/gh-action-pypi-publish` from 1.13.0 to 1.14.0 - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](pypa/gh-action-pypi-publish@ed0c539...cef2210) Updates `peter-evans/create-pull-request` from 8.1.0 to 8.1.1 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@c0f553f...5f6978f) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: anthropics/claude-code-action dependency-version: 1.0.123 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/github-script dependency-version: 9.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: astral-sh/setup-uv dependency-version: 8.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/download-artifact dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: pypa/gh-action-pypi-publish dependency-version: 1.14.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: peter-evans/create-pull-request dependency-version: 8.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
Bot
added
dependencies
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
|
|
||
| - name: Create pull request | ||
| uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7 | ||
| uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7 |
There was a problem hiding this comment.
🟡 The trailing comment on this line still reads # v7, but the SHA 5f6978f corresponds to peter-evans/create-pull-request v8.1.1 (per the Dependabot description). This is a pre-existing inaccuracy — the old SHA was already v8.1.0 with the same # v7 comment — and Dependabot won't auto-correct it because it only rewrites comments that match a full-semver pattern. Since this line is being touched anyway, consider updating the comment to # v8.1.1 so it tracks correctly on future bumps.
Extended reasoning...
What the bug is. In .github/workflows/weekly-lockfile-update.yml line 32, the action pin was bumped from c0f553fe549906ede9cf27b5156039d195d2ece0 to 5f6978faf089d4d20b00c7766989d076bb2fc7f1, but the trailing version comment still says # v7. According to the Dependabot PR description, this bump is peter-evans/create-pull-request 8.1.0 → 8.1.1, so the SHA actually corresponds to v8.1.1 — a full major version newer than what the comment claims.
Why Dependabot didn't fix it. Dependabot rewrites the trailing version comment when it recognizes the existing comment as the version it is replacing (a full vX.Y.Z string matching the old version). Here the pre-existing comment was # v7, which didn't match the old version v8.1.0, so Dependabot preserved it verbatim — the same way it preserved # release/v1 on the pypa/gh-action-pypi-publish pin in this PR. This means the comment will keep being left as # v7 on every future bump until someone manually corrects it to a proper full-semver comment.
This is pre-existing. The comment was already wrong before this PR: c0f553fe... is v8.1.0, and the line said # v7 then too. This PR did not introduce the staleness; it just carried it forward. It is also worth noting that contrary to first impressions, not every other pin's comment was updated in this PR — pypa/gh-action-pypi-publish retained its # release/v1 comment for the same reason.
Impact. The SHA pin is what actually executes, so there is zero functional impact. But the entire point of putting a human-readable version comment next to an opaque SHA pin is so reviewers can audit at a glance. A reviewer auditing this workflow would be told they're running v7 of create-pull-request when they're actually running v8.1.1 — two major versions off. That defeats the purpose of the comment and could mislead someone reasoning about which features or breaking changes apply.
How to fix. Change the comment to # v8.1.1 (the exact version corresponding to the pinned SHA). Once the comment matches a full-semver string, Dependabot will keep it in sync automatically on future bumps. Note that hand-editing a Dependabot PR is normally avoided since it can interfere with auto-rebase — an alternative is to land this PR as-is and apply the one-character comment fix in a tiny follow-up.
Step-by-step proof:
- The diff line 32 changes
uses: peter-evans/create-pull-request@c0f553fe... # v7touses: peter-evans/create-pull-request@5f6978f... # v7— only the SHA changed, not the comment. - The Dependabot PR description states:
peter-evans/create-pull-request8.1.0 → 8.1.1, with commit linkpeter-evans/create-pull-request/commit/5f6978faf089d4d20b00c7766989d076bb2fc7f1listed under v8.1.1. - Therefore the SHA on line 32 is v8.1.1, but the comment claims v7 — the comment is stale by a full major version.
- Compare to
actions/checkoutlines elsewhere in this PR:# v4.3.1→# v6.0.2. Those comments were updated because the old comment exactly matched the old version, which Dependabot recognizes and rewrites.# v7did not matchv8.1.0, so it was left alone.
Bumps the github-actions group with 9 updates in the / directory:
4.3.16.0.21.0.531.0.1238.0.09.0.07.2.18.1.06.2.06.4.06.0.07.0.17.0.08.0.11.13.01.14.08.1.08.1.1Updates
actions/checkoutfrom 4.3.1 to 6.0.2Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
de0fac2Fix tag handling: preserve annotations and explicit fetch-tags (#2356)064fe7fAdd orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...8e8c483Clarify v6 README (#2328)033fa0dAdd worktree support for persist-credentials includeIf (#2327)c2d88d3Update all references from v5 and v4 to v6 (#2314)1af3b93update readme/changelog for v6 (#2311)71cf226v6-beta (#2298)069c695Persist creds to a separate file (#2286)ff7abcdUpdate README to include Node.js 24 support details and requirements (#2248)08c6903Prepare v5.0.0 release (#2238)Updates
anthropics/claude-code-actionfrom 1.0.53 to 1.0.123Release notes
Sourced from anthropics/claude-code-action's releases.
... (truncated)
Commits
51ea8eachore: bump Claude Code to 2.1.142 and Agent SDK to 0.3.142acfa366chore: bump pinned Bun to 1.3.14 (#1312)9eb125afix: handle non-user actors (e.g. Copilot) in permission and actor checks (#1...1450f65fix: write execution file when SDK throws (#1255)0756f6efix: exclude .claude-pr snapshot from git staging (#1277)f4d6a11fix: dereference symlinks when snapshotting sensitive paths to .claude-pr/ (#...bf6d40efix: allow , in branch names (#1310)86eb26bchore: bump Claude Code to 2.1.141 and Agent SDK to 0.2.141f4fb5c6chore: bump Claude Code to 2.1.140 and Agent SDK to 0.2.140dde2242chore: bump Claude Code to 2.1.139 and Agent SDK to 0.2.139Updates
actions/github-scriptfrom 8.0.0 to 9.0.0Release notes
Sourced from actions/github-script's releases.
Commits
3a2844bMerge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...ca10bbdfix: use@octokit/core/types import for v7 compatibility86e48e2merge: incorporate main branch changesc108472chore: rebuild dist for v9 upgrade and getOctokit factoryafff112Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...ff8117eci: fix user-agent test to handle orchestration ID81c6b78ci: use deployment: false to suppress deployment noise from integration tests3953cafdocs: update README examples from@v8to@v9, add getOctokit docs and v9 brea...c17d55bci: add getOctokit integration test joba047196test: add getOctokit integration tests via callAsyncFunctionUpdates
astral-sh/setup-uvfrom 7.2.1 to 8.1.0Release notes
Sourced from astral-sh/setup-uv's releases.
... (truncated)
Commits
0880764fix: grant contents:write to validate-release job (#860)717d6abAdd a release-gate step to the release workflow (#859)5a911ebDraft commitish releases (#858)080c31eAdd action-types.yml to instructions (#857)b3e97d2Add input no-project in combination with activate-environment (#856)7dd591dchore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 (#855)1541b77chore: update known checksums for 0.11.7 (#853)cdfb2eeRefactor version resolving (#852)cb84d12chore: update known checksums for 0.11.6 (#850)1912cc6chore: update known checksums for 0.11.5 (#845)Updates
actions/setup-nodefrom 6.2.0 to 6.4.0Release notes
Sourced from actions/setup-node's releases.
Commits
48b55a0Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)ab72c7eUpgrade@actionsdependencies (#1525)53b8394Bump minimatch from 3.1.2 to 3.1.5 (#1498)54045abScope test lockfiles by package manager and update cache tests (#1495)c882bffReplace uuid with crypto.randomUUID() (#1378)774c1d6feat(node-version-file): support parsingdevEnginesfield (#1283)efcb663fix: remove hardcoded bearer (#1467)d02c89dFix npm audit issues (#1491)Updates
actions/upload-artifactfrom 6.0.0 to 7.0.1Release notes
Sourced from actions/upload-artifact's releases.
Commits
043fb46Merge pull request #797 from actions/yacaovsnc/update-dependency634250cInclude changes in typespec/ts-http-runtime 0.3.5e454baaReadme: bump all the example versions to v7 (#796)74fad66Update the readme with direct upload details (#795)bbbca2dSupport direct file uploads (#764)589182cUpgrade the module to ESM and bump dependencies (#762)47309c9Merge pull request #754 from actions/Link-/add-proxy-integration-tests02a8460Add proxy integration testUpdates
actions/download-artifactfrom 7.0.0 to 8.0.1Release notes
Sourced from actions/download-artifact's releases.
Commits
3e5f45bAdd regression tests for CJK characters (#471)e6d03f6Add a regression test for artifact name + content-type mismatches (#472)70fc10cMerge pull request #461 from actions/danwkennedy/digest-mismatch-behaviorf258da9Add change docsccc058eFix linting issuesbd7976bAdd a setting to specify what to do on hash mismatch and default it toerrorac21fcfMerge pull request #460 from actions/danwkennedy/download-no-unzip15999bfAdd note about package bumps974686eBump the version tov8and add release notesfbe48b1Update test names to make it clearer what they doUpdates
pypa/gh-action-pypi-publishfrom 1.13.0 to 1.14.0Release notes
Sourced from pypa/gh-action-pypi-publish's releases.
Commits
cef2210Merge pull request #397 from whitequark/patch-1b4595e2Enableverboseandprint-hashby default.e2bab26Merge pull request #395 from him2him2/docs/fix-typos-and-grammar7495c38docs: fix typos and grammar in README and SECURITY03f86feMerge pull request #388 from woodruffw-forks/ww/rm-experimental4c78f1cMerge branch 'unstable/v1' into ww/rm-experimentalb5a6e8bdeps: bump sigstore and pypi-attestationsa48a03eremove another experimental mention8087a88action: remove a lingering mention of PEP 740 being experimental3317ede🧪 Integrate actionlint via pre-commit frameworkUpdates
peter-evans/create-pull-requestfrom 8.1.0 to 8.1.1Release notes
Sourced from peter-evans/create-pull-request's releases.
Commits
5f6978ffix: retry post-creation API calls on 422 eventual consistency errors (#4356)d32e88dbuild(deps-dev): bump the npm group with 3 updates (#4349)8170bccbuild(deps-dev): bump handlebars from 4.7.8 to 4.7.9 (#4344)0041819build(deps): bump picomatch (#4339)b993918build(deps-dev): bump flatted from 3.3.1 to 3.4.2 (#4334)36d7c84build(deps-dev): bump undici from 6.23.0 to 6.24.0 (#4328)a45d1fbbuild(deps): bump@tootallnate/onceand jest-environment-jsdom (#4323)3499eb6build(deps): bump the github-actions group with 2 updates (#4316)3f3b473build(deps): bump minimatch (#4311)6699836build(deps-dev): bump the npm group with 2 updates (#4305)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignor...Description has been truncated