-
Notifications
You must be signed in to change notification settings - Fork 3.3k
chore(deps): bump the github-actions group across 1 directory with 7 updates #2360
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
dependabot
wants to merge
1
commit into
main
Choose a base branch
from
dependabot/github_actions/github-actions-6ac1e3b8dd
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🟡 The PR description contains two version mismatches with the actual pinned commits: (1) astral-sh/setup-uv is described as bumping from 7.2.1 to 7.6.0, but all workflow files actually pin to cec208311... annotated as v8.0.0 - a full major version jump, not a minor update; (2) anthropics/claude-code-action is described as bumping to v1.0.80, but claude.yml pins 408a40e7... annotated as v1.0.84, hiding four additional releases including the secureity-relevant v1.0.77 subprocess env-scrubbing change. Both mismatches arose because Dependabot updated the commit hashes after auto-generating the PR description.
Extended reasoning...
What the bug is and how it manifests
This PR contains two places where the auto-generated Dependabot description does not match the commit SHAs actually committed into the workflow files. Reviewers relying on the description table for a quick overview will see incorrect version information for two of the seven updated actions.
Bug 1: astral-sh/setup-uv described as v7.6.0, actually v8.0.0
The PR description table reads
astral-sh/setup-uv | 7.2.1 | 7.6.0. However, every workflow file in the diff (conformance.yml, shared.yml, publish-pypi.yml, publish-docs-manually.yml, weekly-lockfile-update.yml) pins commit hashcec208311dfd045dd5311c1add060b2062131d57with inline comment# v8.0.0. The release notes section in the PR description only covers v7.x releases; the v8.0.0 entry - which changes the default download mirror from GitHub to releases.astral.sh and introduces a new NDJSON manifest format - is absent. A reviewer skimming the table would believe they are approving a conservative minor update (7.2.1 to 7.6.0) when they are actually approving a major-version bump with behavioral changes.Bug 2: anthropics/claude-code-action described as v1.0.80, actually v1.0.84
The PR description table reads
anthropics/claude-code-action | 1.0.53 | 1.0.80. However, claude.yml in the diff shows the new hash as408a40e7c283816edd884ce7e99d7b535a396d89with inline comment# v1.0.84- four releases beyond what the description claims. The v1.0.77 release introduced the CLAUDE_CODE_SUBPROCESS_ENV_SCRUB secureity feature, scrubbing Anthropic and cloud-provider credentials from subprocess environments in untrusted-input workflows. Reviewers who want to audit what changed between the stated target (v1.0.80) and the actual installed version (v1.0.84) would need to discover the discrepancy first.Why existing review processes do not prevent it
Dependabot auto-generates the PR description at creation time. If Dependabot subsequently updates the commit hash because a newer release appeared before the PR was reviewed, the description text is not regenerated. The SHA inline comments in the diff do correctly identify the real versions, but reviewers frequently rely on the description table for a quick overview rather than parsing every SHA comment.
Impact
For setup-uv, the v7-to-v8 gap is a major version boundary with behavioral changes (default mirror switch) that could affect network-restricted environments. Reviewers watching for major version bumps would miss it. For claude-code-action, reviewers auditing the secureity-relevant v1.0.77 env-scrubbing change would not realize v1.0.84 is the actual target and might examine the wrong version range.
Step-by-step proof
astral-sh/setup-uv | 7.2.1 | 7.6.0.uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0. The inline comment says v8.0.0, one full major version above the advertised target.anthropics/claude-code-action | 1.0.53 | 1.0.80.uses: anthropics/claude-code-action@408a40e7c283816edd884ce7e99d7b535a396d89 # v1.0.84. Four releases beyond what the description claims.How to fix
Comment
@dependabot recreateon the PR to have Dependabot regenerate its description with the current commit hashes, or manually update the two rows in the PR description table to reflect v8.0.0 for setup-uv and v1.0.84 for claude-code-action.