Skip to content

chore(deps): update github-actions (major)#170

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/major-github-actions
Open

chore(deps): update github-actions (major)#170
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/major-github-actions

Conversation

@renovate

@renovate renovate Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
actions/checkout action major v6.0.2v7.0.0
actions/setup-go action major v6.4.0v7.0.0
actions/setup-node action major v6.4.0v7.0.0
slackapi/slack-github-action action major v3.0.3v4.0.0
sorenlouv/backport-github-action action major v11.0.0v12.0.4

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

v7

Compare Source

v6.0.3

Compare Source

actions/setup-go (actions/setup-go)

v7.0.0

Compare Source

v7

Compare Source

v6.5.0

Compare Source

actions/setup-node (actions/setup-node)

v7.0.0

Compare Source

v7

Compare Source

v6.5.0

Compare Source

slackapi/slack-github-action (slackapi/slack-github-action)

v4.0.0

Compare Source

v4.0

Compare Source

v4

Compare Source

v3.0.5: Slack GitHub Action v3.0.5

Compare Source

Patch Changes
  • 96fddbe: fix: revert multiline yaml parsing indentation change

v3.0.4: Slack GitHub Action v3.0.4

Compare Source

Patch Changes
sorenlouv/backport-github-action (sorenlouv/backport-github-action)

v12.0.4

Compare Source

What's Changed

Full Changelog: sorenlouv/backport-github-action@v12.0.0...v12.0.4

v12.0.3

Compare Source

What's Changed

Full Changelog: sorenlouv/backport-github-action@v12.0.0...v12.0.3

v12.0.2

Compare Source

What's Changed

Full Changelog: sorenlouv/backport-github-action@v12.0.0...v12.0.2

v12.0.1

Compare Source

What's Changed

Full Changelog: sorenlouv/backport-github-action@v12.0.0...v12.0.1

v12.0.0

Compare Source

Update backport to 12.0.0

v12

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Claude finished @renovate[bot]'s task in 1m 53s —— View job


Review

Mechanical bump. Only one substantive risk worth flagging.

⚠️ Potential breaking change: actions/checkout v7 blocks fork-PR checkout under pull_request_target

Per the v7 changelog, actions/checkout#2454 "Block checking out fork PR for pull_request_target and workflow_run" — this is exactly the pattern used in .github/workflows/claude-code-review.yaml:

  • Line 4: reusable workflow (workflow_call) — invoked by callers that (per the in-file comment on line 17) use pull_request_target so secrets are available for fork PRs "by design"
  • Line 30: ref: ${{ github.event.pull_request.head.sha }} — the fork PR head SHA
  • Lines 42–51: an entire "Setup fork as origin for Claude" step, so fork PRs are explicitly a supported path

If the v7 block is a hard failure (not opt-in), every Claude code-review run on a fork PR will start failing at the checkout step after this merges and callers pick up @main. Callers include downstream repos, so the blast radius extends beyond this repo.

Please verify against v7's actual behavior before merging:

  1. Read actions/checkout PR #2454 — does v7 add a new input (e.g. allow-fork-pr or similar) to opt back into the old behavior, or is it a hard block?
  2. If a hard block: either keep checkout@v6 on claude-code-review.yaml (and any downstream workflow that runs under pull_request_target + checks out head.sha), or drop the reusable workflow's fork-PR support.
  3. If opt-in escape hatch exists: add the required input on line 28 with a comment explaining why fork PRs are intentionally allowed here.

Note: ai-pr-review.yaml is not affected — its job gates on github.event.pull_request.head.repo.full_name == github.repository (line 43), skipping fork PRs entirely.

Not an issue

  • sorenlouv/backport-github-action v11→v12: backport.yaml only passes standard inputs (github_token, auto_backport_label_prefix, add_original_reviewers), none of which appear affected by the v12 release notes (release automation + npm dep bumps only).
  • SHA pinning is consistent across all 38 files (9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 for checkout, 8a6c0381851f43f9f1fddc7303f0e9015eb57b62 for backport).
    · Branch

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved by the shared auto-approve workflow because this PR matched the approval criteria.

For more information, see https://github.com/loft-sh/github-actions?tab=readme-ov-file#auto-approve-bot-prs.

@renovate renovate Bot force-pushed the renovate/major-github-actions branch from 8a5e40a to 72611a3 Compare July 9, 2026 08:10
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Claude finished @renovate[bot]'s task in 4m 14s —— View job


Review

Renovate rebased/force-pushed (commit 72611a3, 08:10 UTC) with no substantive change from the diff reviewed yesterday. The primary risk still stands.

⚠️ actions/checkout v7 fork-PR block breaks claude-code-review.yaml

Per the v7.0.0 changelog: actions/checkout#2454 "Block checking out fork PR for pull_request_target and workflow_run". This is exactly what claude-code-review.yaml is designed to do:

  • L4: workflow_call reusable workflow.
  • L16-17: comment explicitly states callers invoke it via pull_request_target so secrets are available for fork PRs "by design".
  • L28-30: actions/checkout@v7 with ref: ${{ github.event.pull_request.head.sha }} — the fork PR head SHA.
  • L42-51: dedicated "Setup fork as origin for Claude" step, i.e. fork PRs are a first-class supported path.

If v7 hard-blocks (rather than opt-in warns), every caller running claude-code-review.yaml@main will fail at the checkout step on fork PRs after merge — blast radius includes downstream repos consuming this reusable workflow.

I could not verify v7's exact behavior against upstream (gh api, curl, and WebFetch are all sandboxed in this job). Please confirm one of the following before merging:

  1. Hard block, no bypass: keep checkout@v6.0.3 on claude-code-review.yaml (a bare-minimum fix; the rest of the repo can safely go to v7).
  2. Opt-in via input (e.g. some new allow-fork-pr / equivalent): add it on L28-32 with a comment linking to #2454 and justifying why fork PRs are intentionally allowed here.
  3. Detection by ref vs. event, not eventName: verify the specific check by reading src/input-helper.ts.

Fix this →

Not an issue

  • ai-pr-review.yaml is safe — gated on github.event.pull_request.head.repo.full_name == github.repository (L43), so fork PRs are skipped upstream of checkout.
  • sorenlouv/backport-github-action v11→v12: backport.yaml passes only github_token, auto_backport_label_prefix, add_original_reviewers — none touched by the v12 release notes (CI automation + npm bumps only).
  • SHA pins are consistent and match the claimed tags across all 39 files.

Todos:

  • Verify actions/checkout v7 fork-PR block affects claude-code-review.yaml
  • Verify sorenlouv/backport v11→v12 input compatibility
  • Verify SHA pins match across changed files
  • Post review
    · Branch

@renovate renovate Bot force-pushed the renovate/major-github-actions branch from 72611a3 to 17add75 Compare July 14, 2026 03:16
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown

Claude finished @renovate[bot]'s task in 2m 27s —— View job


Review

No substantive change since the last review. Primary risk still stands and remains unverified against the v7 source (sandbox in this job blocks curl, wget, gh api, and WebFetch to github.com — same limitation as prior run).

⚠️ actions/checkout v7 fork-PR block likely breaks claude-code-review.yaml

Per the v7.0.0 changelog: actions/checkout#2454 "Block checking out fork PR for pull_request_target and workflow_run". This is a first-class supported path in claude-code-review.yaml:

  • L4: workflow_call reusable workflow.
  • L16-17: comment states callers invoke it via pull_request_target so secrets are available on fork PRs by design.
  • L28-30: checkout@v7 with ref: ${{ github.event.pull_request.head.sha }} — the fork head SHA.
  • L42-51: dedicated "Setup fork as origin for Claude" step, confirming fork PRs are supported.

If v7's block is a hard fail (no opt-in), every claude-code-review.yaml@main invocation on a fork PR will fail at the checkout step after merge — blast radius includes downstream repos consuming this reusable workflow.

Verify one of the following before merging (cannot verify from this sandbox):

  1. Hard block, no bypass → keep checkout@v6.0.3 (SHA 08eba0b27e820071cde6df949e0beb9ba4906955) on claude-code-review.yaml only. Rest of repo can go to v7. Fix this →
  2. Opt-in input exists (e.g. allow-fork-pr or similar in v7's action.yml) → add it on L28-32 with a comment linking to #2454.
  3. Block only fires on specific ref shapes you don't hit → confirm by reading v7's src/input-helper.ts / src/git-source-provider.ts.

Not an issue

  • ai-pr-review.yaml — gated on github.event.pull_request.head.repo.full_name == github.repository (L43), fork PRs skipped upstream of checkout.
  • sorenlouv/backport-github-action v11→v12 — backport.yaml passes only github_token, auto_backport_label_prefix; v12 release notes are CI automation + npm dep bumps only.
  • SHA pins consistent across all 39 files (9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 for checkout, 8a6c0381851f43f9f1fddc7303f0e9015eb57b62 for backport).

Todos:

  • Confirm risk still applies after 2026-07-14 rebase
  • Attempt v7 source verification (blocked by sandbox — same as prior run)
  • Re-check backport v12 input compatibility
  • Post review
    · Branch

@renovate renovate Bot force-pushed the renovate/major-github-actions branch from 17add75 to c9d0157 Compare July 16, 2026 01:12
@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown

Claude finished @renovate[bot]'s task in 1m 45s —— View job


Review

No substantive change since the prior review. Same primary risk, still unverified against v7 source (sandbox blocks curl, gh api to external repos, and WebFetch requires interactive permission — same limitation as prior three runs).

⚠️ actions/checkout v7 fork-PR block likely breaks claude-code-review.yaml

Per v7.0.0 changelog: actions/checkout#2454 "Block checking out fork PR for pull_request_target and workflow_run". This is exactly the pattern in .github/workflows/claude-code-review.yaml:

  • L4: workflow_callgithub.event_name inside is inherited from caller.
  • L16-17: comment states callers invoke via pull_request_target by design.
  • L28-30: checkout@v7 with ref: ${{ github.event.pull_request.head.sha }} — the fork head SHA.
  • L42-51: dedicated "Setup fork as origin for Claude" step; fork PRs are a first-class supported path.

If v7's block is hard (no opt-in), every claude-code-review.yaml@main run on a fork PR fails at the checkout step after merge. Blast radius includes downstream repos consuming this reusable workflow.

Verify one of the following before merging (I cannot from this sandbox):

  1. Hard block, no bypass → keep checkout@v6.0.3 (SHA 08eba0b27e820071cde6df949e0beb9ba4906955) on claude-code-review.yaml only. Fix this →
  2. Opt-in input exists (e.g. allow-fork-pr in v7's action.yml) → add it on L28-32 with a comment linking to #2454.
  3. Block only fires on ref shapes you don't hit → confirm by reading v7's src/input-helper.ts / src/git-source-provider.ts.

Not an issue

  • ai-pr-review.yaml — gated on head.repo.full_name == github.repository (L43), fork PRs skipped upstream of checkout.
  • sorenlouv/backport-github-action v11→v12 — backport.yaml passes only github_token, auto_backport_label_prefix, add_original_reviewers; v12 release notes are CI automation + npm dep bumps only.
  • SHA pins consistent across all 42 files (9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 for checkout, 8a6c0381851f43f9f1fddc7303f0e9015eb57b62 for backport).

  • Confirm risk still applies after 2026-07-16 rebase
  • Attempt v7 source verification (blocked by sandbox — same as prior runs)
  • Re-check backport v12 input compatibility
  • Post review
    · Branch

@renovate renovate Bot force-pushed the renovate/major-github-actions branch from c9d0157 to 4266e73 Compare July 16, 2026 05:46
@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown

Claude finished @renovate[bot]'s task in 1m 34s —— View job


Review

No substantive change since the prior review. Same primary risk, still unverified against v7 source (WebFetch requires interactive permission not granted in this job, and gh api to external repos is sandboxed — same limitation as prior four runs).

⚠️ actions/checkout v7 fork-PR block likely breaks claude-code-review.yaml

Per v7.0.0 changelog: actions/checkout#2454 "Block checking out fork PR for pull_request_target and workflow_run". This is exactly the pattern in .github/workflows/claude-code-review.yaml:

  • L4: workflow_callgithub.event_name inside is inherited from caller.
  • L16-17: comment states callers invoke via pull_request_target so secrets are available on fork PRs by design.
  • L28-30: checkout@v7 with ref: ${{ github.event.pull_request.head.sha }} — the fork head SHA.
  • L42-51: dedicated "Setup fork as origin for Claude" step; fork PRs are a first-class supported path.

If v7's block is hard (no opt-in), every claude-code-review.yaml@main run on a fork PR fails at the checkout step after merge. Blast radius includes downstream repos consuming this reusable workflow.

Verify one of the following before merging (I cannot from this sandbox):

  1. Hard block, no bypass → keep checkout@v6.0.3 (SHA 08eba0b27e820071cde6df949e0beb9ba4906955) on claude-code-review.yaml only. Fix this →
  2. Opt-in input exists (e.g. allow-fork-pr in v7's action.yml) → add it on L28-32 with a comment linking to #2454.
  3. Block only fires on ref shapes you don't hit → confirm by reading v7's src/input-helper.ts / src/git-source-provider.ts.

Not an issue

  • ai-pr-review.yaml — gated on head.repo.full_name == github.repository (L43), fork PRs skipped upstream of checkout.
  • sorenlouv/backport-github-action v11→v12 — backport.yaml passes only github_token, auto_backport_label_prefix, add_original_reviewers; v12 release notes are CI automation + npm dep bumps only.
  • SHA pins consistent across all 45 files (9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 for checkout, 8a6c0381851f43f9f1fddc7303f0e9015eb57b62 for backport).

  • Confirm risk still applies after 2026-07-16 rebase
  • Attempt v7 source verification (blocked by sandbox — same as prior runs)
  • Re-check backport v12 input compatibility
  • Post review
    · Branch

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants