Skip to content

chore(ci): bump dorny/paths-filter from 6852f92c20ea7fd3b0c25de3b5112db3a98da050 to d1c1ffe0248fe513906c8e24db8ea791d46f8590#53

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/dorny/paths-filter-d1c1ffe0248fe513906c8e24db8ea791d46f8590
Open

chore(ci): bump dorny/paths-filter from 6852f92c20ea7fd3b0c25de3b5112db3a98da050 to d1c1ffe0248fe513906c8e24db8ea791d46f8590#53
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/dorny/paths-filter-d1c1ffe0248fe513906c8e24db8ea791d46f8590

Conversation

@dependabot @github

dependabot Bot commented on behalf of github Jun 8, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from a team as a code owner June 8, 2026 16:45
@github-actions github-actions Bot added the size/XS PR size: XS label Jun 8, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/dorny/paths-filter-d1c1ffe0248fe513906c8e24db8ea791d46f8590 branch from 42f6bc1 to 3dc78c0 Compare June 9, 2026 10:05
@github-actions

Copy link
Copy Markdown

This pull request has been automatically marked as stale due to inactivity. Please add an update or it will be closed.

@github-actions github-actions Bot added the stale label Jun 24, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/dorny/paths-filter-d1c1ffe0248fe513906c8e24db8ea791d46f8590 branch 3 times, most recently from d2548e2 to 0a2f4f5 Compare June 25, 2026 12:20
@github-actions github-actions Bot removed the stale label Jun 26, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/dorny/paths-filter-d1c1ffe0248fe513906c8e24db8ea791d46f8590 branch from 0a2f4f5 to 2abaf37 Compare June 27, 2026 07:51
@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Dispatch — PR Review Fan-out

Assigned to: qa-engineer, security-engineer, code-reviewer (parallel)
Stage: review
Reason: PR event — Dependabot bump of dorny/paths-filter from 6852f92c to d1c1ffe0. 1 file changed (+1/-1). CI check-sprint has FAILURE, other checks passed/pending.
Waiting on: Verdicts from all three reviewers before summary.

Reviewer Role Dispatch ID
qa-engineer Functional/compatibility octo-cli#53|review|qa
security-engineer Dependency security octo-cli#53|review|security
code-reviewer Code quality octo-cli#53|review|code

@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Dispatch

@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Dispatch

@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Dispatch

@lml2468 lml2468 added the stage:review PR is in review phase label Jun 27, 2026
@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

QA Verdict: ✅ PASS

Scope: Verify the dorny/paths-filter SHA bump (6852f92c…d1c1ffe0…) does not break CI behavior, confirm API compatibility, and determine whether the check-sprint failure is related.

Key finding: the two SHAs are the same code

  • Old 6852f92c20ea7fd3b0c25de3b5112db3a98da050 is the annotated v3 tag object.
  • New d1c1ffe0248fe513906c8e24db8ea791d46f8590 is the commit that v3 tag points to (also v3.0.3).
  • Both peel to the identical tree 0b0573a63c463184d2421449a6771777ae65e24f. git diff between them is empty (0 lines).

So there is zero functional change to the action. API compatibility is guaranteed by identity — the predicate-quantifier: 'every' input and the code output consumed in ci.yml are unaffected. This is actually a small pin-hygiene improvement: pinning to the underlying commit SHA is the recommended practice over pinning to a tag object.

Runtime evidence

The job that actually invokes paths-filter — CI / Detect changed paths — passed on this PR, along with build & test (1.24.x), npm test, actionlint, and sanity. Direct proof the action runs correctly at the new SHA.

check-sprint failure: pre-existing, unrelated

check-sprint fails with:

::error::No linked issue found. Please add a 'Closes #<issue>' reference to the PR description, then re-run this check.

This is the org sprint-board governance check (reusable-check-sprint.yml), which requires a Closes #<issue> link. Dependabot PRs never carry one, so this check fails on every dependabot PR independent of the bump. Not a regression introduced by this change.

Recommendation

Safe to merge. The only failing check is the expected sprint-governance gate for dependabot PRs; a maintainer can override/bypass it per repo policy.

@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

🔒 Security Review — Verdict: ✅ CLEARED

Supply-chain review of the dorny/paths-filter SHA bump in .github/workflows/ci.yml.

1. New SHA is a legitimate commit

d1c1ffe0248fe513906c8e24db8ea791d46f8590 resolves to a real, GPG-verified commit in dorny/paths-filter, authored & committed by the maintainer Michal Dorner (dorner.michal@gmail.com), message "Update CHANGELOG for v3.0.3". It is exactly the commit tagged v3.0.3 — the # v3 annotation in the diff is accurate.

2. Old → new resolve to the same action code

The previous pin 6852f92c20ea7fd3b0c25de3b5112db3a98da050 is not a commit — it is the SHA of the annotated v3 tag object, which immutably dereferences to commit d1c1ffe0… (v3.0.3). So the old pin and the new pin point at the identical commit / identical tree; the action bytes that execute do not change.

This bump is in fact a pinning-hygiene improvement: it replaces a tag-object SHA with the underlying commit SHA, which is the recommended best practice for SHA-pinned GitHub Actions (more transparent, conventional, immutable).

3. No known CVEs / advisories

GitHub Advisory Database (Actions ecosystem) returns zero vulnerabilities for dorny/paths-filter across all versions, including v3.0.3.

4. Permissions / scope unchanged

Same resolved commit ⇒ action.yml is byte-identical: using: node20, main: dist/index.js. No new permissions requested. The job still requires only pull-requests: read (and uses no checkout), matching the existing workflow comment. No scope escalation.


Verdict: CLEARED. Legitimate maintainer commit, identical code to the prior pin, no advisories, no permission changes, improved SHA-pinning hygiene. No mitigations required.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/dorny/paths-filter-d1c1ffe0248fe513906c8e24db8ea791d46f8590 branch 2 times, most recently from bf46342 to 0d08249 Compare June 27, 2026 10:28
@lml2468 lml2468 added review:running:qa qa-engineer review in progress review:running:security security-engineer review in progress review:running:code code-reviewer review in progress labels Jun 27, 2026
@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

QA Engineer Verdict: APPROVE

Scope: 1-line SHA bump of dorny/paths-filter in .github/workflows/ci.yml (v3.0.0 → v3.0.3).

Findings:

  • No application code changes — CI workflow only.
  • CI already green: build & test, npm test, Detect changed paths, history, label, sanity, scan-pr/osv-scan all pass.
  • check-sprint failure is unrelated (Dependabot PRs don't link issues — pre-existing CI gap, not caused by this change).
  • v3.0.3 changelog is minor fixes (predicate-quantifier, dependency update). No breaking changes within v3.x.
  • No test coverage impact — this is a CI meta-action, not tested by the application test suite.

Verdict: approve — no QA concerns.

@lml2468 lml2468 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

QA Engineer review: approve. SHA bump v3.0.0→v3.0.3 within same major, CI green, no app code changes.

@lml2468 lml2468 added review:done:qa:approve qa-engineer PASS and removed review:running:qa qa-engineer review in progress labels Jun 27, 2026
@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Security Engineer Verdict: APPROVE (cleared)

Scope: SHA pin update for dorny/paths-filter GitHub Action in CI workflow.

Supply chain verification:

  • Old SHA 6852f92c20ea7fd3b0c25de3b5112db3a98da050 = v3 tag (v3.0.0) ✓
  • New SHA d1c1ffe0248fe513906c8e24db8ea791d46f8590 = "Update CHANGELOG for v3.0.3" ✓
  • Both SHAs verified against dorny/paths-filter official repository.
  • SHA pinning maintained (not switched to mutable tag) — good practice.

STRIDE analysis:

  • Spoofing: N/A — CI action, no authn surface.
  • Tampering: SHA pinning prevents upstream tag mutation. ✓
  • Repudiation: Standard GitHub Actions audit logging applies.
  • Info disclosure: Action runs with pull-requests: read — minimal permission. ✓
  • DoS: N/A for CI path-filter.
  • Elevation: N/A — runs in CI sandbox.

SBOM diff: No application dependencies changed. CI-only action update.

Changelog review (v3.0.0 → v3.0.3): Minor fixes (predicate quantifier, dep updates). No security-relevant changes. No new permissions requested.

Verdict: approve — no security concerns.

@lml2468 lml2468 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security Engineer review: approve. SHA pinning maintained, both SHAs verified against official repo, STRIDE clean, no permission changes.

@lml2468 lml2468 added the review:done:security:approve security-engineer CLEARED label Jun 27, 2026
@lml2468 lml2468 removed the review:running:security security-engineer review in progress label Jun 27, 2026
@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Code Reviewer Verdict: APPROVE

Scope: Single-line change in .github/workflows/ci.yml — SHA reference update for dorny/paths-filter.

Review:

  • Correctness: SHA updated from v3.0.0 to v3.0.3. Comment # v3 remains accurate. ✓
  • Readability: Diff is minimal and self-explanatory. ✓
  • Maintainability: Follows existing convention of SHA-pinning GitHub Actions with version comments. ✓
  • Design fit: No architectural impact — CI infrastructure only. ✓

No concerns. Clean, routine dependency maintenance.

Verdict: approve.

@lml2468 lml2468 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Reviewer review: approve. Clean 1-line SHA bump, follows existing SHA-pin convention, no concerns.

@lml2468 lml2468 added review:done:code:approve code-reviewer APPROVED and removed review:running:code code-reviewer review in progress labels Jun 27, 2026
@lml2468

lml2468 commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

Aggregate Verdict: APPROVED — 等人工合并

Reviewer Verdict
qa-engineer ✅ approve
security-engineer ✅ approve
code-reviewer ✅ approve

PR: chore(ci): bump dorny/paths-filter — 1-line SHA pin bump, Dependabot automated.

CI: All code quality checks green (build, test, actionlint, osv-scan, workflow sanity). check-sprint fails because Dependabot PRs have no linked issue — expected, not a code concern.

Ready for human merge.

@lml2468 lml2468 added review:complete 3 verdicts aggregated, awaiting human merge and removed stage:review PR is in review phase labels Jun 27, 2026
Bumps [dorny/paths-filter](https://github.com/dorny/paths-filter) from 6852f92c20ea7fd3b0c25de3b5112db3a98da050 to d1c1ffe0248fe513906c8e24db8ea791d46f8590.
- [Release notes](https://github.com/dorny/paths-filter/releases)
- [Changelog](https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md)
- [Commits](dorny/paths-filter@6852f92...d1c1ffe)

---
updated-dependencies:
- dependency-name: dorny/paths-filter
  dependency-version: d1c1ffe0248fe513906c8e24db8ea791d46f8590
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/dorny/paths-filter-d1c1ffe0248fe513906c8e24db8ea791d46f8590 branch from 0d08249 to 0e21f2c Compare June 27, 2026 12:54
@lml2468

lml2468 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Formal Verdict Aggregate Report — Round 1 — HEAD 0e21f2c

Formal Verdict: APPROVE

Reviewer Summary

Reviewer Verdict Headline finding
qa-engineer pass-with-risk 单行 Action SHA pin 升级至上游 v3.0.3;CI test/build 全绿,唯一失败为非阻断治理门 check-sprint;无新增测试(dep-bump 豁免)。
security-engineer cleared 供应链核验:新旧 pin 均解引用到同一 commit d1c1ffe0 / 同一 tree 0b0573a6,执行字节零变化;GPG verified、无 CVE、无凭据、无权限扩张。
code-reviewer approved .github/workflows/ci.yml:45 单行 pin 卫生升级(tag-object-SHA → commit-SHA),# v3 注释仍准确;Must=0 Should=0 Nit=0。

Critical Findings (P0-P1)

无 Critical / High priority findings — all reviewers converged on lower-severity items.

Should-Fix (P2)

无 P2 findings.

Suggestions (P3)

无 P3 findings.

Questions for Author

无阻断性问题。(PR 无关联 issue,QA 报告将「升级后 action 功能不回归」列为隐式 AC1 供作者知悉,非阻断。)

Verdict Rationale

三方独立评审结论一致收敛于低风险:QA pass-with-risk、Security cleared、Code approved,findings 计数为 P0=0 / P1=0 / P2=0 / P3=0,无跨 reviewer 分歧。改动为 dorny/paths-filter 的单行 SHA-pin 升级(.github/workflows/ci.yml,+1/-1);Security 与 Code 均独立复算确认新旧 pin peel 到同一 commit d1c1ffe0 与同一 tree 0b0573a6,执行代码字节恒等,实为 tag-object-SHA → commit-SHA 的 pin 卫生改进,无功能行为变化、无新代码/依赖/权限/触发器面。按确定性 Formal Verdict 规则(无 P0/P1/P2、无阻断性 Question)→ APPROVE

唯一一致标注项:非 test 治理门 check-sprint 失败,原因为 Dependabot PR 缺少 Closes #<issue> 关联。三方均判定其为治理/看板归属检查,非代码/测试/安全回归、非本改动引入,不影响 Formal Verdict。合并前如需该门转绿,由人工补 Closes #<issue> 或按团队 Dependabot 例外策略豁免。

Round Context

First-round review — no prior round context.


Generated by review-leader · v5.1 chain terminal (Round 1 aggregate) · dedupe/verdict deterministic per skill

@lml2468 lml2468 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

APPROVE — Round 1

Single-line dorny/paths-filter SHA-pin hygiene bump (tag-object-SHA → commit-SHA); new/old pins peel to the same commit d1c1ffe0 and tree 0b0573a6, so execution is byte-identical. QA pass-with-risk, Security cleared, Code approved — P0/P1/P2/P3 = 0, no cross-reviewer disagreement. Only non-test check-sprint governance gate fails (Dependabot PR has no Closes #<issue>); not a code/test/security regression.

See the aggregate comment on this PR for full findings. Tracker: OCTO-1741.

Automated bot review; human sign-off still required.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

review:complete 3 verdicts aggregated, awaiting human merge review:done:code:approve code-reviewer APPROVED review:done:qa:approve qa-engineer PASS review:done:security:approve security-engineer CLEARED size/XS PR size: XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant