ci(deps): Bump the github-actions group with 2 updates#70
Conversation
Bumps the github-actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action). Updates `actions/checkout` from 6.0.3 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@df4cb1c...9c091bb) Updates `zizmorcore/zizmor-action` from 0.5.6 to 0.5.7 - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](zizmorcore/zizmor-action@5f14fd0...192e21d) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
|
| Experiment | Status | Actions |
|---|---|---|
| Uppercase (py) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Uppercase (ts) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (node) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (python) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Regression fixture | ❌ Regression | View GitHub Action Run · View in Langfuse |
Details
There was a problem hiding this comment.
LGTM, mechanical Dependabot SHA-pin bumps for actions/checkout v7 and zizmor-action v0.5.7.
Extended reasoning...
Overview
This is a Dependabot group update touching five workflow files (ci.yml, codeql.yml, release-bump-readme.yml, update-dist-on-label.yml, zizmor.yml). It bumps two pinned actions: actions/checkout from v6.0.3 → v7.0.0 (major) and zizmorcore/zizmor-action from v0.5.6 → v0.5.7 (patch). All changes are SHA-pin updates with matching version comments.
Security risks
None. SHA pins are preserved (no float to mutable tags), persist-credentials: false is kept everywhere, and the trust boundaries of the workflows are unchanged. Notably, actions/checkout v7's main behavior change is blocking fork PR checkouts on pull_request_target and workflow_run events — neither of which is used by any workflow in this repo (they use pull_request, push, release, schedule, and merge_group), so this is a no-op here. zizmor-action v0.5.7 only updates the default zizmor binary version.
Level of scrutiny
Low. These are CI-only configuration changes, mechanically generated by Dependabot, with no production code touched. The most significant change is the checkout major version, but its breaking change does not affect any workflow event used in this repo.
Other factors
No bugs were found by the bug hunting system, no outstanding reviewer comments exist, and the diff is fully mechanical. CI runs against this PR will exercise all five workflows on the new versions before merge.
Bumps the github-actions group with 2 updates: actions/checkout and zizmorcore/zizmor-action.
Updates
actions/checkoutfrom 6.0.3 to 7.0.0Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)Updates
zizmorcore/zizmor-actionfrom 0.5.6 to 0.5.7Release notes
Sourced from zizmorcore/zizmor-action's releases.
Commits
192e21dSync zizmor versions (#127)2720f26Update README.md with new actions/checkout version (#126)40b41b8chore(deps): bump the github-actions group with 2 updates (#123)a687b25chore(deps): bump github/codeql-action from 4.35.5 to 4.36.0 in the github-ac...64a6900add note to explain that the default value foronline-checksis different t...14050abchore(deps): bump the github-actions group with 2 updates (#118)ee9b419chore(deps): bump github/codeql-action in the github-actions group (#116)fddf2b4Bump pins in README (#115)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions