chore(deps): bump the github-actions group across 1 directory with 4 updates#1643
dependabot[bot] wants to merge 1 commit into main from
Bumps the github-actions group with 4 updates in the / directory: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv), [actions/cache](https://github.com/actions/cache), [github/codeql-action](https://github.com/github/codeql-action) and [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata).

Updates `astral-sh/setup-uv` from 8.0.0 to 8.1.0
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@cec2083...0880764)

Updates `actions/cache` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@6682284...27d5ce7)

Updates `github/codeql-action` from 4.35.1 to 4.35.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@c10b806...95e58e9)

Updates `dependabot/fetch-metadata` from 3.0.0 to 3.1.0
- [Release notes](https://github.com/dependabot/fetch-metadata/releases)
- [Commits](dependabot/fetch-metadata@ffa630c...25dd0e3)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: dependabot/fetch-metadata
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM — straightforward Dependabot bump of pinned GitHub Actions; the stale # v5.0.4 comment for actions/cache (SHA actually points to v5.0.5) is the only issue and is purely cosmetic.
Extended reasoning...
Overview
This PR is a Dependabot group update that bumps four pinned GitHub Actions across .github/workflows/{ci,codeql,dependabot-merge,release}.yml:
- astral-sh/setup-uv v8.0.0 → v8.1.0 (4 occurrences)
- actions/cache v5.0.4 → v5.0.5 (1 occurrence)
- github/codeql-action/{init,analyze} v4.35.1 → v4.35.2 (2 occurrences)
- dependabot/fetch-metadata v3.0.0 → v3.1.0 (1 occurrence)
All are mechanical SHA + version-comment swaps; no logic, secrets handling, or workflow trigger conditions are changed.
Security risks
Low. Every action remains pinned to an immutable commit SHA (no floating tags), preserving the supply-chain hardening this repo already enforces. Release notes for the bumped actions are bug fixes / minor enhancements (e.g. actions/cache ts-http-runtime bump, CodeQL bundle 2.25.2 update). Nothing introduces new permissions or alters `permissions:` blocks.
Level of scrutiny
Low. CI/release infra changes warrant a closer look than typical config tweaks — the release workflow handles PyPI publishing and GitHub releases — but in this PR release.yml only changes the setup-uv SHA/version, with no change to the trusted-publishing flow, secret usage, or release logic. Same for dependabot-merge.yml, where only the fetch-metadata action SHA changed; the auto-merge gating on version-update:semver-patch is untouched.
Other factors
The bug-hunting system surfaced one nit: .github/workflows/ci.yml:49 was given the v5.0.5 SHA for actions/cache but the trailing comment still reads # v5.0.4. That mismatch is purely cosmetic — GitHub Actions resolves the SHA, not the comment — but it is worth fixing for auditability since the rest of the diff updated comments correctly. The inline comment already conveys that to the author. Given the mechanical nature of the diff and the nit-level severity of the only finding, this is well within the approval threshold.
| python-version: "3.13" | ||
| enable-cache: true # zizmor: ignore[cache-poisoning] CI-only, no artifacts published | ||
| - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 # zizmor: ignore[cache-poisoning] | ||
| - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.4 # zizmor: ignore[cache-poisoning] |
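Review bot: on the added `actions/cache` line the trailing version comment still reads `# v5.0.4`, while the new SHA `27d5ce7f107fe9357f9df03efb73ab90386fccae` is the v5.0.5 pin the PR description bumps to; change the comment to `# v5.0.5` so the annotation stays a reliable label for the pinned SHA, as it is for the other three actions in this PR. The `# zizmor: ignore[cache-poisoning]` suppression is carried over unchanged, which is consistent with the step itself not changing.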
🟡 On line 49 of .github/workflows/ci.yml, the actions/cache SHA was bumped to 27d5ce7f107fe9357f9df03efb73ab90386fccae (which is v5.0.5), but the trailing version comment still reads # v5.0.4. Dependabot normally rewrites these comments — this one was missed, so the SHA→version mapping that humans read to audit pinned actions is misleading. Comment-only nit, no runtime impact; please update the comment to # v5.0.5 to match the rest of the diff.
Extended reasoning...
What the bug is. In .github/workflows/ci.yml line 49, the actions/cache step is updated from SHA 668228422ae6a00e4ad889ee87cd7109ec5666a7 to 27d5ce7f107fe9357f9df03efb73ab90386fccae, but the trailing comment is left unchanged at # v5.0.4. The PR description's actions/cache section explicitly bumps that action from v5.0.4 → v5.0.5, and the actions/cache release notes show 27d5ce7f107fe9357f9df03efb73ab90386fccae as the v5.0.5 release commit ("Merge pull request #1747 from actions/yacaovsnc/update-dependency — Update ts-http-runtime dependency"). So the SHA on line 49 is v5.0.5 but the inline annotation still says v5.0.4.

Why this is a real (if cosmetic) issue. This repo pins every GitHub Action to an immutable SHA with a trailing # vX.Y.Z comment so reviewers can audit pinned versions at a glance — that is the only reason the comments exist. When Dependabot bumps actions, it rewrites those comments together with the SHA. In this same PR every other action comment was updated correctly: astral-sh/setup-uv v8.0.0 → v8.1.0, github/codeql-action v4.35.1 → v4.35.2, and dependabot/fetch-metadata v3.0.0 → v3.1.0 all have matching SHA + comment changes. Line 49 is the lone outlier where the SHA moved but the comment did not, which is a clear Dependabot oversight rather than intentional pinning.

Impact. No runtime impact — GitHub Actions resolves the SHA, and 27d5ce7f... will correctly run v5.0.5 of actions/cache regardless of what the comment says. The cost is purely auditability: a future reviewer reading actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.4 will believe the pin is at v5.0.4 and may waste time tracing the discrepancy, or fail to notice that v5.0.5 is actually deployed when triaging behavior changes (e.g. the v5.0.5 ts-http-runtime bump).

Fix. Change # v5.0.4 to # v5.0.5 on line 49 of .github/workflows/ci.yml. No other change needed.

Step-by-step proof.
1. Open the diff for .github/workflows/ci.yml line 49: it reads - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.4 # zizmor: ignore[cache-poisoning]. The @SHA was changed (was 668228422ae6...); the # v5.0.4 comment was not.
2. Confirm the new SHA's release. The PR description quotes the actions/cache v5.0.5 release notes, which list a single commit: 27d5ce7 — "Merge pull request #1747 from actions/yacaovsnc/update-dependency". That is the commit being pinned.
3. Confirm the PR's intent. The PR description's header for this action reads "Updates actions/cache from 5.0.4 to 5.0.5", so the target version is unambiguously v5.0.5.
4. Cross-check against sibling bumps in the same diff: every other action comment matches its SHA's release tag. Only line 49 is mismatched.
5. Therefore the comment # v5.0.4 on line 49 is stale and should read # v5.0.5.

All four independent verifiers confirmed this with nit severity. Filing as nit (cosmetic, comment-only).
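The SHA-to-comment check that the two reviews above perform by hand, written out as an added example (not the project's, Dependabot's or the reviewer's code): it reads the "Updates X from A to B" and "[Commits](X@old...new)" lines out of a Dependabot PR description and flags any added `uses:` line whose pinned SHA or trailing version comment disagrees with that bump. The description and the added line are constructed from this PR; `expected_pins` and `check_added_lines` are hypothetical helper names.

```python
import re

# Constructed from this PR: Dependabot's description lines for actions/cache
# and the `uses:` line the diff added to .github/workflows/ci.yml.
PR_DESCRIPTION = """\
Updates `actions/cache` from 5.0.4 to 5.0.5
- [Commits](actions/cache@6682284...27d5ce7)
"""
ADDED_LINE = ("      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae"
              " # v5.0.4 # zizmor: ignore[cache-poisoning]")

UPDATE_RE = re.compile(r"Updates `([^`]+)` from (\S+) to (\S+)")
COMMITS_RE = re.compile(r"\[Commits\]\(([^@)]+)@([0-9a-f]+)\.\.\.([0-9a-f]+)\)")
# owner/repo[/subpath]@<40-hex sha>  # v<version> ...
USES_RE = re.compile(
    r"uses:\s*([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@([0-9a-f]{40})\s*#\s*v?(\S+)")


def expected_pins(description):
    """Map action name -> (target version, target short SHA) from the description."""
    versions = {m.group(1): m.group(3) for m in UPDATE_RE.finditer(description)}
    shas = {m.group(1): m.group(3) for m in COMMITS_RE.finditer(description)}
    return {name: (ver, shas.get(name)) for name, ver in versions.items()}


def check_added_lines(description, added_lines):
    """Return one finding per added `uses:` line whose pin disagrees with the bump."""
    pins = expected_pins(description)
    findings = []
    for line in added_lines:
        m = USES_RE.search(line)
        if not m:
            if "uses:" in line and "@" in line:  # floating tag or no version comment
                findings.append(f"not pinned to a full SHA with version comment: {line.strip()}")
            continue
        action, sha, commented = m.groups()
        if action not in pins:
            continue  # not part of this bump; nothing to compare against
        version, short = pins[action]
        if short and not sha.startswith(short):
            findings.append(f"{action}: SHA {sha[:7]} is not the bump target {short}")
        if commented != version:
            findings.append(f"{action}: comment says v{commented} but bump is to v{version}")
    return findings


if __name__ == "__main__":
    for finding in check_added_lines(PR_DESCRIPTION, [ADDED_LINE]):
        print(finding)
```

Run against the added line from this PR it reports the stale comment and nothing else; a line pinned to a tag instead of a SHA is reported as unpinned.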
Bumps the github-actions group with 4 updates in the / directory: astral-sh/setup-uv, actions/cache, github/codeql-action and dependabot/fetch-metadata.
Updates `astral-sh/setup-uv` from 8.0.0 to 8.1.0

Release notes

Sourced from astral-sh/setup-uv's releases.

Commits

- 0880764 fix: grant contents:write to validate-release job (#860)
- 717d6ab Add a release-gate step to the release workflow (#859)
- 5a911eb Draft commitish releases (#858)
- 080c31e Add action-types.yml to instructions (#857)
- b3e97d2 Add input no-project in combination with activate-environment (#856)
- 7dd591d chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 (#855)
- 1541b77 chore: update known checksums for 0.11.7 (#853)
- cdfb2ee Refactor version resolving (#852)
- cb84d12 chore: update known checksums for 0.11.6 (#850)
- 1912cc6 chore: update known checksums for 0.11.5 (#845)

Updates `actions/cache` from 5.0.4 to 5.0.5

Release notes

Sourced from actions/cache's releases.

Changelog

Sourced from actions/cache's changelog.

... (truncated)

Commits

- 27d5ce7 Merge pull request #1747 from actions/yacaovsnc/update-dependency
- f280785 licensed changes
- 619aeb1 npm run build generated dist files
- bcf16c2 Update ts-http-runtime to 0.3.5

Updates `github/codeql-action` from 4.35.1 to 4.35.2

Release notes

Sourced from github/codeql-action's releases.

Changelog

Sourced from github/codeql-action's changelog.

... (truncated)

Commits

- 95e58e9 Merge pull request #3824 from github/update-v4.35.2-d2e135a73
- 6f31bfe Update changelog for v4.35.2
- d2e135a Merge pull request #3823 from github/update-bundle/codeql-bundle-v2.25.2
- 60abb65 Add changelog note
- 5a0a562 Update default bundle to codeql-bundle-v2.25.2
- 6521697 Merge pull request #3820 from github/dependabot/github_actions/dot-github/wor...
- 3c45af2 Merge pull request #3821 from github/dependabot/npm_and_yarn/npm-minor-345b93...
- f1c3393 Rebuild
- 1024fc4 Rebuild
- 9dd4cfe Bump the npm-minor group across 1 directory with 6 updates

Updates `dependabot/fetch-metadata` from 3.0.0 to 3.1.0

Release notes

Sourced from dependabot/fetch-metadata's releases.

Commits

- 25dd0e3 v3.1.0 (#692)
- e073f50 Merge pull request #705 from dependabot/dependabot/npm_and_yarn/hono-4.12.14
- 0670e16 build(deps-dev): bump hono from 4.12.12 to 4.12.14
- 7a7fe10 Merge pull request #702 from dependabot/dependabot/npm_and_yarn/dependencies-...
- 5168191 Updating dist build
- 23882e1 build(deps): bump @actions/github in the dependencies group
- 1072469 Merge pull request #701 from dependabot/dependabot/github_actions/actions/cre...
- 43f8a00 build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1
- b4d904a Merge pull request #703 from dependabot/dependabot/npm_and_yarn/globals-17.5.0
- c8046bb build(deps-dev): bump globals from 17.4.0 to 17.5.0

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions