Skip to content

chore(deps): bump the github-actions group across 1 directory with 2 updates#306

Closed
dependabot[bot] wants to merge 1 commit into
stagingfrom
dependabot/github_actions/github-actions-3e1200532a
Closed

chore(deps): bump the github-actions group across 1 directory with 2 updates#306
dependabot[bot] wants to merge 1 commit into
stagingfrom
dependabot/github_actions/github-actions-3e1200532a

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor

Bumps the github-actions group with 2 updates in the / directory: actions/checkout and actions/setup-python.

Updates actions/checkout from 6 to 7

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

Commits

Updates actions/setup-python from 6.2.0 to 6.3.0

Release notes

Sourced from actions/setup-python's releases.

v6.3.0

What's Changed

Enhancement

Dependency update

Documentation

New Contributors

Full Changelog: actions/setup-python@v6.2.0...v6.3.0

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 30, 2026
@dependabot
dependabot Bot force-pushed the dependabot/github_actions/github-actions-3e1200532a branch from 3b5c180 to 79c2135 Compare July 7, 2026 05:33
@dependabot
dependabot Bot force-pushed the dependabot/github_actions/github-actions-3e1200532a branch from 79c2135 to c496263 Compare July 14, 2026 05:34
@MickaelV0

Copy link
Copy Markdown
Contributor

Code Review — PR #306 (bump github-actions group)

Verdict: Approve with comments — no blockers. The actions/checkout v6→v7 bump is safe as applied.

Verified safe

  • praise: The only behaviour-changing item in checkout v6.0.3→v7.0.0 is the new default-deny for fork-PR checkout under pull_request_target/workflow_run (block checking out fork pr for pull_request_target and workflow_run actions/checkout#2454). None of this repo's checkout-using workflows use those triggers (ci.yml=push/pr, deploy-preview.yml=workflow_dispatch, upstream-watch.yml=schedule, context-lint.yml=pr/push). Zero blast radius.
  • praise: Every new SHA verifies against its claimed tag (checked live against the GitHub API): 9c091bb… == refs/tags/v7.0.0, ece7cb06… == refs/tags/v6. No substitution.
  • praise: All 7 workflows declare explicit least-privilege permissions:; no pull_request_target anywhere.

Non-blocking hygiene

  • issue: .github/workflows/deploy-preview.yml:21 — SHA bumped to a v7.0.0 commit but the trailing comment still reads # v6. A pin comment that lies defeats the audit value of SHA-pinning. Sibling ci.yml:15 / upstream-watch.yml:16 got # v7.0.0 in this same PR → file is internally inconsistent. Fix: # v7.0.0.
  • suggestion(non-blocking): [parallel-path-drift] Two uses: remain tag-pinned (mutable) while the other 11 SHA-pin: context-lint.yml:29 (actions/checkout@v7) and release-please.yml:23 (googleapis/release-please-action@v5). The latter is the sharper edge — it runs at contents: write + pull-requests: write with a minted App token, so a retagged v5 executes with commit-write authority. SHA-pin both.

⚠ Cross-cutting (not this PR, but gates this PR)

The auto-merge.yml:54 semver-major guard does not fire for this PR — it parses from X to Y from the PR title, but a grouped dependabot title ("…group across 1 directory with 2 updates") carries no versions. This PR contains a real major (checkout 6→7) and would auto-merge the moment a reviewed label lands. Being fixed in a separate branch (fetch-metadata gate + dependabot update-types split). Do not label reviewed until that lands.

@roxabi-ci

roxabi-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Auto-merge refusé : bump semver-major. Validation manuelle requise (e2e / boot de l'artefact), puis merge à la main.

@MickaelV0

Copy link
Copy Markdown
Contributor

ℹ️ The Auto-merge refusé comment above is the guard firing correctly, not a problem with this PR — I used #306 to live-test the new semver-major gate shipped in #342 (its payload is verified safe, so it was the right test subject; #338 was not).

Result: fetch-metadata reported update-type: version-update:semver-major on this grouped PR — exactly the case the old title-regex silently missed — and Enable auto-merge was skipped. The control is now verified end-to-end.

reviewed label removed. This PR stays open pending Dependabot re-emitting it split (safe minor/patch grouped, actions/checkout 6→7 as its own PR) under the new update-types config. Review verdict is unchanged: Approve with comments.

@MickaelV0

Copy link
Copy Markdown
Contributor

@dependabot recreate

…updates

Bumps the github-actions group with 2 updates in the / directory: [actions/checkout](https://github.com/actions/checkout) and [actions/setup-python](https://github.com/actions/setup-python).


Updates `actions/checkout` from 6 to 7
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v6...v7)

Updates `actions/setup-python` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a309ff8...ece7cb0)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-python
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/github_actions/github-actions-3e1200532a branch from 62ef170 to f4f7854 Compare July 16, 2026 09:38
@MickaelV0

Copy link
Copy Markdown
Contributor

ℹ️ The @dependabot recreate above was me testing the update-types: [minor, patch] split shipped in #342. It did not take effect — this PR still groups its semver-major. The config is correct per the docs; recreate appears not to re-derive group membership (undocumented). Full analysis: #342.

No action needed here and nothing is at risk: the semver-major auto-merge guard is verified working, so this PR cannot auto-merge while it contains a major. Leaving it open rather than closing it — closing a Dependabot PR suppresses re-proposal of that version, which would also drop the safe bumps.

@dependabot @github

dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 16, 2026
@dependabot
dependabot Bot deleted the dependabot/github_actions/github-actions-3e1200532a branch July 16, 2026 17:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant