ci(deps): bump the github-actions group with 2 updates#827
Conversation
Bumps the github-actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [github/codeql-action](https://github.com/github/codeql-action). Updates `actions/checkout` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@de0fac2...df4cb1c) Updates `github/codeql-action` from 4.36.0 to 4.36.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@7211b7c...8aad20d) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.36.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
LGTM — SHA-pinned patch bumps for actions/checkout (v6.0.2 → v6.0.3) and github/codeql-action (v4.36.0 → v4.36.2).
Extended reasoning...
Overview
This PR is a Dependabot-generated bump of two GitHub Actions across four workflow files (ci.yml, codeql.yml, release.yml, zizmor.yml):
actions/checkout: v6.0.2 → v6.0.3 (SHA-256 repo support fixes)github/codeql-action(init/autobuild/analyze): v4.36.0 → v4.36.2 (caching + exponential backoff for SARIF polling, CodeQL bundle bump to 2.25.6)
All references are pinned by commit SHA with version comments, matching the repo's existing pinning convention.
Security risks
Minimal. The actions are pinned to specific commit SHAs (not tags), so the upgrade is immutable and reviewable. actions/checkout is an official GitHub action, and github/codeql-action is GitHub's first-party CodeQL runner. persist-credentials: false is preserved on all checkout steps. No new permissions, secrets, or workflow logic introduced.
Level of scrutiny
Low. Patch-level bumps of well-known first-party GitHub Actions, with no logic changes to the workflows themselves. The CI workflow itself will validate the upgrade end-to-end.
Other factors
No bugs were flagged by the bug hunting system, no prior reviews on this PR, and the changes are purely mechanical SHA replacements (no surrounding YAML edits).
Bumps the github-actions group with 2 updates: actions/checkout and github/codeql-action.
Updates
actions/checkoutfrom 6.0.2 to 6.0.3Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
df4cb1cUpdate changelog for v6.0.3 (#2446)1cce339Fix checkout init for SHA-256 repositories (#2439)900f221fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)0c366fdUpdate changelog (#2357)Updates
github/codeql-actionfrom 4.36.0 to 4.36.2Release notes
Sourced from github/codeql-action's releases.
Changelog
Sourced from github/codeql-action's changelog.
... (truncated)
Commits
8aad20dMerge pull request #3949 from github/update-v4.36.2-dcb947ce1f521b08Add additional changelog notes8aeff0fUpdate changelog for v4.36.2dcb947cMerge pull request #3948 from github/update-bundle/codeql-bundle-v2.25.6c251bceAdd changelog note62953c1Update default bundle to codeql-bundle-v2.25.6423b570Merge pull request #3946 from github/dependabot/npm_and_yarn/npm-minor-5d507a...c35d1b1Merge pull request #3947 from github/dependabot/github_actions/dot-github/wor...cb1a588Merge pull request #3937 from github/robertbrignull/waitForProcessing_backoffba47406Merge pull request #3943 from github/henrymercer/cache-cli-version-infoDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions