Comparing changes

chore: update known checksums for 0.10.7 Co-authored-by: eifinger <[email protected]>

chore: update known checksums for 0.10.8 Co-authored-by: eifinger <[email protected]>

When Dependabot bumps dependencies in package.json, this workflow automatically runs `npm run all` to rebuild the dist folder and commits the changes back to the PR. This ensures the compiled JavaScript in `dist/` stays in sync with dependency updates. **How it works:** 1. Triggers on PRs opened by `dependabot[bot]` 2. Runs `npm ci` and `npm run all` (build, check, package, test) 3. Commits any changes to `dist/` back to the PR branch Uses `stefanzweifel/git-auto-commit-action` for the commit step.

chore: update known checksums for 0.10.9 Co-authored-by: eifinger <[email protected]>

…#787) The previous implementation checked `github.event.sender.login`, which is whoever triggered the event (e.g., someone closing/reopening the PR). This fixes it to check `github.event.pull_request.user.login` instead — the PR author — so the workflow runs correctly whenever a Dependabot-created PR is opened, synchronized, or reopened.

## Summary - keep the Dependabot build workflow single-job, but harden it a bit - replace `git-auto-commit-action` with explicit `git` commands and step-scoped push auth - add concurrency, a timeout, stricter Dependabot gating, and a guard for moved PR heads ## Why The workflow currently fails in the commit step because `actions/checkout` uses `persist-credentials: false`, but `git-auto-commit-action` later tries to push via `origin` without any credentials: ``` fatal: could not read Username for 'https://github.com': No such device or address ``` This change fixes that failure while keeping credentials scoped to the push step instead of persisting them for the whole job. ## Details - require `github.event.pull_request.user.login == 'dependabot[bot]'` - also require the PR head repo to match `github.repository` - also require the head ref to start with `dependabot/` - check out the exact PR head SHA - run `npm ci --ignore-scripts` - disable git hooks before commit - skip the dist commit if the PR head moved during the run ## Validation - `actionlint .github/workflows/dependabot-build.yml`

Too many security issues and complex setup. Using a Skill instead

Add `riscv64gc` as a recognized architecture in the `Architecture` type union and map Node.js's `riscv64` process.arch value to the `riscv64gc` uv platform identifier. This allows the action to correctly detect and download the appropriate uv binary on RISC-V 64-bit systems (e.g., linux/riscv64 runners).

## Summary - replicate the currently open Dependabot dependency updates in a single branch - update `smol-toml` to `^1.6.0` - update `@biomejs/biome` to `2.3.8` - regenerate `package-lock.json` and bundled `dist` output ## Notes - `main` already includes the open Octokit Dependabot bumps, so those PRs required no additional net changes here - the open `smol-toml` Dependabot PR currently resolves to `^1.6.0`, which is what this branch mirrors ## Validation - `npm run all`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comparing changes

Open a pull request

Commits on Feb 28, 2026

Commits on Mar 2, 2026

Commits on Mar 4, 2026

Commits on Mar 6, 2026

Commits on Mar 7, 2026

Commits on Mar 10, 2026

This comparison is taking too long to generate.

Uh oh!