chore(deps): bump the github-actions group across 1 directory with 7 updates#1391
Merged
WilliamBerryiii merged 3 commits intomainfrom Apr 20, 2026
Merged
Conversation
…updates Bumps the github-actions group with 7 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [actions/setup-node](https://github.com/actions/setup-node) | `6.3.0` | `6.4.0` | | [github/gh-aw-actions](https://github.com/github/gh-aw-actions) | `2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc` | `ea222e359276c0702a5f5203547ff9d88d0ddd76` | | [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) | `4.0.0` | `5.0.0` | | [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `8.0.0` | `8.1.0` | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `3.0.0` | `3.1.1` | | [googleapis/release-please-action](https://github.com/googleapis/release-please-action) | `4.4.0` | `4.4.1` | Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@bbbca2d...043fb46) Updates `actions/setup-node` from 6.3.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@53b8394...48b55a0) Updates `github/gh-aw-actions` from 2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc to ea222e359276c0702a5f5203547ff9d88d0ddd76 - [Release notes](https://github.com/github/gh-aw-actions/releases) - [Changelog](https://github.com/github/gh-aw-actions/blob/main/CHANGELOG.md) - [Commits](github/gh-aw-actions@2fe53ac...ea222e3) Updates `actions/upload-pages-artifact` from 4.0.0 to 5.0.0 - [Release notes](https://github.com/actions/upload-pages-artifact/releases) - [Commits](actions/upload-pages-artifact@7b1f4a7...fc324d3) Updates `astral-sh/setup-uv` from 8.0.0 to 8.1.0 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@cec2083...0880764) Updates `actions/create-github-app-token` from 3.0.0 to 3.1.1 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](actions/create-github-app-token@f8d387b...1b10c78) Updates `googleapis/release-please-action` from 4.4.0 to 4.4.1 - [Release notes](https://github.com/googleapis/release-please-action/releases) - [Changelog](https://github.com/googleapis/release-please-action/blob/main/CHANGELOG.md) - [Commits](googleapis/release-please-action@16a9c90...5c625bf) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: github/gh-aw-actions dependency-version: ea222e359276c0702a5f5203547ff9d88d0ddd76 dependency-type: direct:production dependency-group: github-actions - dependency-name: actions/upload-pages-artifact dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: astral-sh/setup-uv dependency-version: 8.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/create-github-app-token dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: googleapis/release-please-action dependency-version: 4.4.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
Bot
added
dependencies
dependabot
Bot
added
dependencies
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1391 +/- ##
==========================================
- Coverage 87.66% 87.65% -0.02%
==========================================
Files 61 61
Lines 9329 9329
==========================================
- Hits 8178 8177 -1
- Misses 1151 1152 +1
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
Dependabot's group bump in this PR left behind pre-existing version-comment drift that the action-version-consistency scanner flags as a High-severity VersionMismatch. The same SHA was commented with two different versions: - actions/checkout @ de0fac2e... = v6.0.2 upstream, but 48 occurrences still commented # v4.2.2 (stale from a prior bump). - actions/upload-artifact @ 043fb46d... = v7.0.1 upstream (this PR's bump), but 29 occurrences still commented # v4.4.3 (stale from a prior bump). Hand-authored workflows are normalized to match the comment style the .lock.yml files already use (# v6.0.2 and # v7), clearing both High violations and preventing the scanner from failing on future Dependabot group bumps that inherit the stale comments. No SHA changes in this commit; only the 'vX.Y.Z' comment after each SHA.
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.OpenSSF ScorecardScorecard details
Scanned Files
|
Contributor
Follow-up commit: normalized stale version commentsPushed What the scanner was catchingSame SHA, two different version comments — a pre-existing drift on
Both SHAs verified against the GitHub tags API — they genuinely point at v6.0.2 and v7.0.1. The stale The fixText-only substitution in 39 files, 77 insertions / 77 deletions, zero SHA changes:
Why this prevents recurrenceDependabot only rewrites the SHA when it bumps a group; it preserves whatever comment was on the line. As long as two stale-comment variants pointed at the same SHA, every future grouped bump would re-drift the scanner. With the comments normalized, the next bump will uniformly rewrite them to the new tag. VerificationHeads up for maintainersBecause a non-bot commit now sits on this branch, Dependabot will stop auto-rebasing it. If you'd prefer Dependabot stay in charge, close this PR and let the next weekly bump re-open with clean comments inherited from |
katriendg
approved these changes
Apr 20, 2026
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Dependency Review
This PR bumps 7 GitHub Actions in 44 workflow files. All updated references use SHA pinning with version comments ✅.
Dependency Changes
| Dependency | From | To | Bump Type | Assessment |
|---|---|---|---|---|
actions/upload-artifact |
7.0.0 | 7.0.1 | patch | ✅ Safe — documentation/dependency-only changes |
actions/setup-node |
6.3.0 | 6.4.0 | minor | ✅ Safe — new Node.js version support, dependency upgrades |
github/gh-aw-actions |
SHA | SHA | SHA bump | ✅ Safe — no version tag; SHA-only |
actions/upload-pages-artifact |
4.0.0 | 5.0.0 | major | |
astral-sh/setup-uv |
8.0.0 | 8.1.0 | minor | ✅ Safe |
actions/create-github-app-token |
3.0.0 | 3.1.1 | minor | ✅ Safe |
googleapis/release-please-action |
4.4.0 | 4.4.1 | patch | ✅ Safe |
Safety Checks
- License compatibility: All updated actions maintain their existing open-source licenses (MIT / Apache-2.0), compatible with this project's MIT license. ✅
- SHA pinning: All 7 updated references use full commit SHA pinning with version comments. ✅
- No new dependencies introduced: This PR updates only existing dependencies. ✅
- Vulnerabilities: Dependabot reports no known vulnerabilities. ✅
- Environment synchronization:
copilot-setup-steps.ymlis updated in this PR..devcontainer/is unaffected (no new tools added, version bumps only). ✅
Findings
⚠️ Major version bump: actions/upload-pages-artifact v4 → v5
The v5.0.0 changelog notes two changes:
- Updates the internal
upload-artifacttransitive dependency from v4 to v7 - Adds a new optional
include-hidden-filesinput
While the changes appear additive and low-risk, a major version bump requires human confirmation per this repo's review policy.
📝 Observation: actions/checkout comment corrected (no action required)
The actions/checkout SHA (de0fac2e...) is unchanged across all 44 files — no behavior change. The version comment was updated from # v4.2.2 to # v6.0.2 to reflect the actual version the SHA corresponds to. The old comment was simply incorrect; this is a documentation fix only.
Holding for human review on the actions/upload-pages-artifact major bump. The remaining 6 updates are safe to merge.
Generated by Dependabot PR Review for issue #1391 · ● 1.7M
Contributor
There was a problem hiding this comment.
PR Review — chore(deps): bump the github-actions group across 1 directory with 7 updates
Overview
This Dependabot PR correctly bumps 6 of the 7 listed actions (SHA + comment both updated). However, it introduces an incorrect version comment for actions/checkout across every workflow file changed in this PR, which requires a fix before merging.
✅ Issue Alignment
No linked issue — expected for automated Dependabot dependency-bump PRs. No action required.
✅ PR Template Compliance
PR description is auto-generated by Dependabot (not the standard template format). This is expected behaviour for bot-generated dependency PRs. No action required.
✅ Coding Standards — SHA Pinning (valid actions)
The following actions are correctly updated with both a new SHA and an accurate version comment:
| Action | From | To | Comment |
|---|---|---|---|
actions/setup-node |
53b83947... |
48b55a01... |
# v6.4.0 ✅ |
github/gh-aw-actions/setup |
2fe53acc... |
ea222e35... |
# v0.68.1 ✅ |
actions/upload-artifact |
bbbca2dd... |
043fb46d... |
# v7 ✅ |
actions/upload-pages-artifact |
7b1f4a76... |
fc324d35... |
# v5.0.0 ✅ |
astral-sh/setup-uv |
cec20831... |
08807647... |
# v8.1.0 ✅ |
❌ Coding Standards Violation — actions/checkout comment mismatch
Affects all ~30 workflow files in this PR.
The SHA for actions/checkout is unchanged (de0fac2e4500dabe0009e67214ff5f5447ce83dd) but the trailing comment was changed from # v4.2.2 to # v6.0.2 in every file. actions/checkout is not listed among the 7 packages this PR intends to update.
Per .github/instructions/hve-core/github-actions-workflows.instructions.md:
A semantic version MAY be included as a trailing comment for readability.
When a comment is included it must accurately reflect the version the SHA resolves to. A # v6.0.2 comment against a SHA pinned to v4.2.2 is incorrect and will mislead maintainers — including the automated SHA-staleness checker that reads these comments.
Required fix (one of):
- Revert the
actions/checkoutcomment back to# v4.2.2in all affected files, or - Update the
actions/checkoutSHA to the correct commit hash forv6.0.2if an intentional upgrade was intended.
Inline comments have been left on action-version-consistency-scan.yml and codeql-analysis.yml as representative examples; the fix must be applied consistently to all workflow files in this PR.
✅ Code Quality and Security
No secrets exposure, no unsafe input handling, no logic errors. The other dependency updates are routine patch/minor version bumps from well-known, trusted GitHub Actions maintained by GitHub and Astral.
🔧 Required Action
Fix the actions/checkout version comment discrepancy in all workflow files before this PR can be merged.
Note
🔒 Integrity filter blocked 1 item
The following item were blocked because they don't meet the GitHub integrity level.
- #1391
pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
tools:
github:
min-integrity: approved # merged | approved | unapproved | none
bindsi
approved these changes
Apr 20, 2026
WilliamBerryiii
approved these changes
Apr 20, 2026
Contributor
There was a problem hiding this comment.
Dependency Review — Dependabot Group Bump (7 GitHub Actions)
Summary
| Dependency | From | To | Classification | SHA Pinned | Status |
|---|---|---|---|---|---|
actions/upload-artifact |
7.0.0 | 7.0.1 | Patch | ✅ | ✅ Pass |
actions/setup-node |
6.3.0 | 6.4.0 | Minor | ✅ | ✅ Pass |
github/gh-aw-actions |
SHA bump | SHA bump | SHA update | ✅ | ✅ Pass |
actions/upload-pages-artifact |
4.0.0 | 5.0.0 | Major | ✅ | |
astral-sh/setup-uv |
8.0.0 | 8.1.0 | Minor | ✅ | ✅ Pass |
actions/create-github-app-token |
3.0.0 | 3.1.1 | Minor | ✅ | |
googleapis/release-please-action |
4.4.0 | 4.4.1 | Patch | ✅ | ✅ Pass |
Safety Checks
- Licenses: All dependencies are first-party GitHub, Astral, or Google actions. License compatibility with the project's MIT license is maintained. ✅
- SHA pinning: All GitHub Actions references use full SHA pins with version comments. ✅
- No new dependencies introduced: All changes are bumps to existing dependencies. ✅
- Dependabot vulnerabilities: No known vulnerabilities reported in the PR. ✅
- Environment synchronization:
copilot-setup-steps.ymlreceives the samesetup-nodeandcheckoutupdates as other workflows. ✅
Items Requiring Human Verification
-
actions/upload-pages-artifactv4 → v5 (major bump) — See inline comment ondeploy-docs.yml. The v5.0.0 changes appear additive, but a major version bump requires human confirmation. -
actions/checkoutcomment-only changes — The SHAde0fac2e4500dabe0009e67214ff5f5447ce83ddis unchanged in every workflow file, but the version comment is updated from# v4.2.2to# v6.0.2across ~40 files. This action is not listed in the PR's 7-update table. Please confirm that this SHA resolves toactions/[email protected]. See inline comment onaction-version-consistency-scan.yml. -
actions/create-github-app-tokenversion comment — The version comment in all four affected workflow files still reads# v2.0.0after this PR, while Dependabot reports the version as3.1.1. See inline comment onrelease-stable.yml.
Note
🔒 Integrity filter blocked 1 item
The following item were blocked because they don't meet the GitHub integrity level.
- #1391
pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
tools:
github:
min-integrity: approved # merged | approved | unapproved | noneGenerated by Dependabot PR Review for issue #1391 · ● 1.7M
Contributor
There was a problem hiding this comment.
Code Review — chore(deps): bump the github-actions group across 1 directory with 7 updates
This automated review found one critical defect that must be fixed before merging.
Issue Alignment
No issue is linked in the PR description. Dependabot PRs do not typically link issues, but this is a formal requirement of the repository's PR template. This finding is noted but not blocking on its own given the automated nature of the PR.
PR Template Compliance
The PR description was generated by Dependabot and does not follow the repository's pull request template:
- Type of Change — No checkboxes checked. The applicable box is "Dependency update".
- Testing — No testing description provided.
- Checklist — All required checklist items are unchecked.
These are expected for automated Dependabot PRs. However, the repository should consider whether to gate Dependabot PRs differently if the template is meant for human-authored contributions only.
Coding Standards
All 44 changed workflow files were inspected against .github/instructions/ rules for **/.github/workflows/*.yml, specifically the Dependency Pinning requirement:
All third-party GitHub Actions MUST be pinned to a full commit SHA. Version tags MUST NOT be used as the reference. A semantic version MAY be included as a trailing comment for readability.
Correctly updated actions (SHA changed, comment updated):
| Action | Old SHA | New Comment |
|---|---|---|
actions/upload-artifact |
bbbca2dd... → 043fb46d... |
# v7 |
actions/setup-node |
53b83947... → 48b55a01... |
# v6.4.0 |
github/gh-aw-actions/setup |
2fe53acc... → ea222e35... |
# v0.68.1 |
actions/upload-pages-artifact |
7b1f4a76... → fc324d35... |
# v5.0.0 |
astral-sh/setup-uv |
cec20831... → 08807647... |
# v8.1.0 |
googleapis/release-please-action |
16a9c908... → 5c625bfb... |
# v4.4.1 |
actions/create-github-app-token |
f8d387b6... → 1b10c78c... |
# v2.0.0 |
🔴 Critical Code Quality Finding
actions/checkout — Version comment incorrectly overwritten across all 44 workflow files (48 occurrences)
The SHA for actions/checkout has not changed in this PR:
# Before (correct)
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
# After (incorrect — SHA unchanged, comment wrong)
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2Key facts:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83ddis the commit SHA for v4.2.2, not v6.0.2.actions/checkouthas no v6.x release — it is currently at v4.x.actions/checkoutdoes not appear in the PR description's update table, confirming it was never meant to be touched.- The SHA staleness checker (
Test-SHAStaleness.ps1) resolves the version comment as a git tag and compares it against the pinned SHA. After this PR merges, every affected workflow will produce a staleness-check failure because tagv6.0.2does not exist onactions/checkout.
Required action: Revert all actions/checkout lines to their pre-PR state. Amend or rebase the Dependabot commit to remove the unintended comment changes. See inline comment on .github/workflows/codeql-analysis.yml line 30 for an example of the fix.
Summary
| Category | Findings |
|---|---|
| Issue Alignment | 1 (no linked issue — informational) |
| PR Template Compliance | 3 (no Type of Change, no Testing, no Checklist) |
| Dependency Pinning | ✅ All SHA pins are full 40-character hashes |
| Version Comment Accuracy | 🔴 48 incorrect actions/checkout version comments |
Action items for the author:
- Fix all 44 workflow files: revert
actions/checkoutversion comments from# v6.0.2back to# v4.2.2.
Note
🔒 Integrity filter blocked 1 item
The following item were blocked because they don't meet the GitHub integrity level.
- #1391
pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
To allow these resources, lower min-integrity in your GitHub frontmatter:
tools:
github:
min-integrity: approved # merged | approved | unapproved | none
dependabot
Bot
deleted the
dependabot/github_actions/github-actions-6d1247e326
branch
This was referenced Apr 20, 2026
WilliamBerryiii
pushed a commit
that referenced
this pull request
Apr 24, 2026
## Pre-Release 3.3.101 ### ✨ Features - add removed maturity tier and retire owasp-docker (#1444) - add evaluation dataset creator (#1279) - align RAI planner with guide, remove scoring, improve UX (#1287) - add PSGallery staleness check and BOM cleanup (#1379) - ISA-95 network planner agent (#1177) - auto-generate collection.md with maturity filtering (#1316) - add folder-consistency check and standardize WARN outp… (#1350) - add synth-data-generate prompt to data-science collection (#1419) - add canonical deck workflow and customer-card rendering for design thinking (#1413) - add Figma MCP integration for DT artifact export (#1222) - introduce `owasp-docker` (#1245) - replace hve-core-specific references with portable discovery-based language (#1335) - introduce `owasp-cicd` (#1246) - add secure-by-design knowledge skill (#1223) - introduce `owasp-infrastructure` (#1244) - introduce `owasp-mcp` (#1207) - add OutputPath parameter to Invoke-LinkLanguageCheck.ps1 (#1229) - add -OutputPath parameter to Validate-SkillStructure.ps1 (#1225) - add maintainer-only skip-review label guard (#1293) - add extension collections overview and integrate into getting started flow (#950) - add agentic workflows for automated issue triage, implementation, PR review, dependency review, and doc-staleness detection (#1219) - consolidate package-lock.json version sync into Update-VersionFiles.ps1 (#1240) - add standards code review agent and full review orchestrator (#1174) - standardize pytest-mock as Python mocking framework (#1170) - add Jira backlog workflows and Jira/GitLab skills (#978) - add centralized version bump script and supply-chain attestation (#1183) ### 🐛 Bug Fixes - pin PowerShell-Yaml to 0.4.7 across all install sites (#1378) - close fork-PR/workflow-file-PR secret-strip gap and normalize upload-artifact version (#1421) - replace stream-based lookahead with array indexing in list-changed-files.sh (#1376) - centralize ISO 8601 timestamp regex in CIHelpers (#1343) - update stale documentation date in release-process.md (#1363) - pin basic-ftp to 5.3.0 to resolve GHSA-rp42-5vxx-qpwr (#1374) - add bot filter to dependency PR review workflow (#1362) - resolve pip-audit findings in powerpoint, gitlab, and jira skill lock files (#1360) - standardize Timestamp JSON key casing across all lint result files (#1314) - add synchronize trigger to PR Review workflow (#1323) - standardize timestamp in Validate-SkillStructure.ps1 to use Get-StandardTimestamp (#1280) - add parallel subagent dispatch and structured JSON contracts to code-review-full (#1304) - standardize timestamp in SecurityHelpers.psm1 to use Get-StandardTimestamp (#1284) - standardize timestamps in Test-DependencyPinning.ps1 and SecurityClasses.psm1 (#1282) - derive collection artifact counts from YAML at build time (#1275) - standardize timestamp in FrontmatterValidation.psm1 to use Get-StandardTimestamp (#1285) - standardize timestamp in Markdown-Link-Check.ps1 to use Get-StandardTimestamp (#1283) - escape hyphens in Mermaid diagram on Collections page (#1262) - add summary timestamp to PSScriptAnalyzer output (#1211) - fix plugin compatibility and robustness for coding-standards code review agents (#1289) - standardize timestamp in Test-CopyrightHeaders.ps1 to use Get-StandardTimestamp (#1278) - standardize timestamp in Invoke-YamlLint.ps1 to use Get-StandardTimestamp (#1270) - standardize timestamp in Invoke-LinkLanguageCheck.ps1 to use Get-StandardTimestamp (#1264) - fix dependency-review path filters and sparse-checkout cone mode (#1259) - replace invalid bare tool names with official tool identifiers (#1198) - fix broken links and remove orphaned reference in code review docs (#1257) - exclude Python env dirs from skill validation warnings (#1255) - pin happy-dom and serialize-javascript to resolve Dependabot vulnerabilities (#1253) - remove Mermaid diagram and add missing collection cards (#1247) - disable MCP servers by default to prevent token limit errors (#1144) - sync package-lock.json after pre-release version bump (#1236) - separate mermaid node declarations and add dynamic diagram generation with tests (#1215) - replace anchor links in meeting-analyst with bold text references (#1201) - remove recursive symlinks in jira and gitlab skill directories (#1233) - validate-installation scripts now check .github/skills directory (#1010) (#1206) - resolve npm audit vulnerabilities via dependency overrides (#1200) - add post-release triggers to scorecard workflow (#1186) - add missing .md extensions to relative links in agent documentation (#1180) ### 📚 Documentation - broaden Security Review description beyond OWASP (#1385) - document maintainer advisory mode and skip-review label guard (#1386) - document ExcludePaths/OutputPath for Invoke-LinkLanguageCheck (#1383) - CLI getting-started: clarify plugin install commands as alternatives (-all vs base) (#1251) ### ♻️ Refactoring - align agent and prompt folder names to collection identifier (#1210) ### 🔧 Maintenance - pin PSScriptAnalyzer to 1.25.0 and sync stale workflow version comments (#1389) - bump lxml from 6.0.2 to 6.1.0 in /.github/skills/experimental/powerpoint (#1424) - bump @vscode/vsce from 3.7.1 to 3.9.1 in the npm-dependencies group (#1390) - bump the github-actions group across 1 directory with 7 updates (#1391) - bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus (#1356) - upgrade Node.js from 20 to 24 and bump cspell to v10 (#1353) - bump basic-ftp from 5.2.0 to 5.2.1 (#1324) - update github/gh-aw-actions requirement to 536ea1bad8c6715d098a9dc1afea8d403733acfe in the github-actions group across 1 directory (#1298) - update security instruction attributions and compliance (#1294) - bump the npm-dependencies group with 2 updates (#1297) - pre-release 3.3.41 (#1252) - streamline RAI Planner phase structure and documentation (#1273) - bump happy-dom from 20.8.8 to 20.8.9 in /docs/docusaurus (#1237) - pre-release 3.3.27 (#1191) - bump pygments from 2.19.2 to 2.20.0 in /.github/skills/gitlab/gitlab (#1234) - bump path-to-regexp from 0.1.12 to 0.1.13 in /docs/docusaurus (#1226) - bump the github-actions group with 4 updates (#1231) - add missing folders and alphabetize location lists (#1193) - bump brace-expansion (#1224) - bump handlebars from 4.7.8 to 4.7.9 in /docs/docusaurus (#1217) - bump brace-expansion from 5.0.3 to 5.0.5 in /docs/docusaurus (#1213) - pre-release 3.3.10 (#1187) - bump markdownlint-cli2 from 0.21.0 to 0.22.0 in the npm-dependencies group (#1175) - bump the github-actions group with 3 updates (#1176) - pre-release 3.3.1 (#1165) --- *Managed automatically by pre-release workflow.* Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the github-actions group with 7 updates in the / directory:
7.0.07.0.16.3.06.4.02fe53acc038ba01c3bbdc767d4b25df31ca5bdfcea222e359276c0702a5f5203547ff9d88d0ddd764.0.05.0.08.0.08.1.03.0.03.1.14.4.04.4.1Updates
actions/upload-artifactfrom 7.0.0 to 7.0.1Release notes
Sourced from actions/upload-artifact's releases.
Commits
043fb46Merge pull request #797 from actions/yacaovsnc/update-dependency634250cInclude changes in typespec/ts-http-runtime 0.3.5e454baaReadme: bump all the example versions to v7 (#796)74fad66Update the readme with direct upload details (#795)Updates
actions/setup-nodefrom 6.3.0 to 6.4.0Release notes
Sourced from actions/setup-node's releases.
Commits
48b55a0Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)ab72c7eUpgrade@actionsdependencies (#1525)Updates
github/gh-aw-actionsfrom 2fe53acc038ba01c3bbdc767d4b25df31ca5bdfc to ea222e359276c0702a5f5203547ff9d88d0ddd76Changelog
Sourced from github/gh-aw-actions's changelog.
Commits
Updates
actions/upload-pages-artifactfrom 4.0.0 to 5.0.0Release notes
Sourced from actions/upload-pages-artifact's releases.
Commits
fc324d3Merge pull request #139 from Tom-van-Woudenberg/patch-1fe9d4b7Merge branch 'main' into patch-10ca1617Merge pull request #137 from jonchurch/include-hidden-files57f0e84Update action.yml4a90348v7 --> hash56f665aUpdate upload-artifact action to version 7f7615f5Addinclude-hidden-filesinputUpdates
astral-sh/setup-uvfrom 8.0.0 to 8.1.0Release notes
Sourced from astral-sh/setup-uv's releases.
Commits
0880764fix: grant contents:write to validate-release job (#860)717d6abAdd a release-gate step to the release workflow (#859)5a911ebDraft commitish releases (#858)080c31eAdd action-types.yml to instructions (#857)b3e97d2Add input no-project in combination with activate-environment (#856)7dd591dchore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 (#855)1541b77chore: update known checksums for 0.11.7 (#853)cdfb2eeRefactor version resolving (#852)cb84d12chore: update known checksums for 0.11.6 (#850)1912cc6chore: update known checksums for 0.11.5 (#845)Updates
actions/create-github-app-tokenfrom 3.0.0 to 3.1.1Release notes
Sourced from actions/create-github-app-token's releases.
Commits
1b10c78build(release): 3.1.1 [skip ci]07e2b76fix: improve error message when app identifier is empty (#362)ea01216ci: remove publish-immutable-action workflow (#361)7bd0371build(release): 3.1.0 [skip ci]e6bd4e6feat: addclient-idinput and deprecateapp-id(#353)076e948feat: update permission inputs (#358)3bbe07dfix(deps): bump p-retry from 7.1.1 to 8.0.0 (#357)28a99e3build(deps-dev): bump c8 from 10.1.3 to 11.0.04df5060build(deps-dev): bump open-cli from 8.0.0 to 9.0.04843c53build(deps-dev): bump the development-dependencies group with 3 updatesUpdates
googleapis/release-please-actionfrom 4.4.0 to 4.4.1Release notes
Sourced from googleapis/release-please-action's releases.
Changelog
Sourced from googleapis/release-please-action's changelog.
... (truncated)
Commits
5c625bfchore(main): release 4.4.1 (#1187)8bb7a2echore: build dist (#1186)ef9c274fix: bump release-please from 17.1.3 to 17.3.0 (#1183)64d83e9docs(README): add missing action inputs + package options (#1176)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions