build(deps): Bump the actions group across 1 directory with 12 updates#377
build(deps): Bump the actions group across 1 directory with 12 updates#377dependabot[bot] wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9c2cee60b3
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
|
|
||
| - name: Install cosign | ||
| uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3 | ||
| uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 |
There was a problem hiding this comment.
Pin cosign v2 or switch release signing to bundles
With the v4 installer, cosign-release now defaults to v3.0.6 (action.yml), and cosign v3's sign-blob flow expects a --bundle output (v3.0.6 docs); however the later Sign release artifacts step still calls cosign sign-blob --output-signature ... --output-certificate ... with no --bundle. On any tag release, the v3 signing-config path tries to write the required bundle to an empty path before the .sig/.pem files are created, so release publishing fails; either pin cosign-release: v2.5.2 or update the asset/signature flow to use .sigstore.json bundles.
Useful? React with 👍 / 👎.
9c2cee6 to
24ffa61
Compare
Bumps the actions group with 12 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `7.0.0` | | [taiki-e/install-action](https://github.com/taiki-e/install-action) | `2.81.3` | `2.83.3` | | [actions/setup-node](https://github.com/actions/setup-node) | `6.4.0` | `7.0.0` | | [actions/cache](https://github.com/actions/cache) | `6.0.0` | `6.1.0` | | [github/codeql-action/init](https://github.com/github/codeql-action) | `3.36.2` | `4.37.1` | | [github/codeql-action/analyze](https://github.com/github/codeql-action) | `3.36.2` | `4.37.1` | | [actions/cache/restore](https://github.com/actions/cache) | `4.2.4` | `6.1.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.1` | | [actions/cache/save](https://github.com/actions/cache) | `4.2.4` | `6.1.0` | | [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `4.1.0` | `4.2.0` | | [docker/login-action](https://github.com/docker/login-action) | `4.2.0` | `4.4.0` | | [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `3.9.1` | `4.1.2` | Updates `actions/checkout` from 4.2.2 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4.2.2...9c091bb) Updates `taiki-e/install-action` from 2.81.3 to 2.83.3 - [Release notes](https://github.com/taiki-e/install-action/releases) - [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md) - [Commits](taiki-e/install-action@25435dc...ed67fa3) Updates `actions/setup-node` from 6.4.0 to 7.0.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@48b55a0...8207627) Updates `actions/cache` from 6.0.0 to 6.1.0 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@2c8a9bd...55cc834) Updates `github/codeql-action/init` from 3.36.2 to 4.37.1 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@dd903d2...7188fc3) Updates `github/codeql-action/analyze` from 3.36.2 to 4.37.1 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@dd903d2...7188fc3) Updates `actions/cache/restore` from 4.2.4 to 6.1.0 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@0400d5f...55cc834) Updates `actions/upload-artifact` from 4.6.2 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v4.6.2...043fb46) Updates `actions/cache/save` from 4.2.4 to 6.1.0 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@0400d5f...55cc834) Updates `docker/setup-buildx-action` from 4.1.0 to 4.2.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@d7f5e7f...bb05f3f) Updates `docker/login-action` from 4.2.0 to 4.4.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@650006c...af1e73f) Updates `sigstore/cosign-installer` from 3.9.1 to 4.1.2 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@398d4b0...6f9f177) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/cache/restore dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/cache/save dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/setup-node dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: docker/login-action dependency-version: 4.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: docker/setup-buildx-action dependency-version: 4.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: github/codeql-action/analyze dependency-version: 4.37.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: github/codeql-action/init dependency-version: 4.37.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: sigstore/cosign-installer dependency-version: 4.1.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: taiki-e/install-action dependency-version: 2.83.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
24ffa61 to
ef9ae3c
Compare
Bumps the actions group with 12 updates in the / directory:
4.2.27.0.02.81.32.83.36.4.07.0.06.0.06.1.03.36.24.37.13.36.24.37.14.2.46.1.04.6.27.0.14.2.46.1.04.1.04.2.04.2.04.4.03.9.14.1.2Updates
actions/checkoutfrom 4.2.2 to 7.0.0Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)df4cb1cUpdate changelog for v6.0.3 (#2446)Updates
taiki-e/install-actionfrom 2.81.3 to 2.83.3Release notes
Sourced from taiki-e/install-action's releases.
... (truncated)
Changelog
Sourced from taiki-e/install-action's changelog.
... (truncated)
Commits
ed67fa3Release 2.83.3618fa55Update prek manifest4757909Update zizmor manifestf1fa005Update uv manifestaa8dc90Updaterelease-plz@latestto 0.3.160b965497Updateprek@latestto 0.4.97aab3a9Updatemise@latestto 2026.7.6bfee8d1Update kingfisher manifestb65771bUpdatedprint@latestto 0.55.22046892Updatecargo-dinghy@latestto 0.8.5Updates
actions/setup-nodefrom 6.4.0 to 7.0.0Release notes
Sourced from actions/setup-node's releases.
Commits
8207627Migrate to ESM and upgrade dependencies (#1574)04be95cAdd cache-primary-key and cache-matched-key as outputs (#1577)7c2c68ddocs: Update caching recommendations to mitigate cache poisoning risks (#1567)6a61c03Merge pull request #1569 from jasongin/update-actions-cache-5.1.030eb73bResolve high-severity audit issues4e1a87aUpdate dist360237fStrict equality4f8aac5Bump@actions/cacheto 5.1.0, log cache write deniedf4a67bbOnly usemirrorTokeningetManifestif it's provided (#1548)0355742Remove dummy NODE_AUTH_TOKEN export (#1558)Updates
actions/cachefrom 6.0.0 to 6.1.0Release notes
Sourced from actions/cache's releases.
Changelog
Sourced from actions/cache's changelog.
... (truncated)
Commits
55cc834Merge pull request #1768 from jasongin/readonly-cached8cd72fBump@actions/cacheto v6.1.0 - handle cache write error due to RO tokenUpdates
github/codeql-action/initfrom 3.36.2 to 4.37.1Release notes
Sourced from github/codeql-action/init's releases.
... (truncated)
Changelog
Sourced from github/codeql-action/init's changelog.
... (truncated)
Commits
7188fc3Merge pull request #4020 from github/update-v4.37.1-9e7c07009c8b5f69Update changelog for v4.37.19e7c070Merge pull request #4014 from github/mbg/explicit-remote-prefix3492b7eChangeREMOTE_PATH_PREFIXtoremote=3654baaMerge remote-tracking branch 'origin/main' into mbg/explicit-remote-prefix2d682acMerge pull request #4017 from github/dependabot/github_actions/dot-github/wor...23f6a50Merge pull request #4009 from github/mbg/action-state/additions1ee3c75Merge pull request #4018 from github/dependabot/github_actions/dot-github/wor...e053684Merge pull request #4015 from github/dependabot/npm_and_yarn/npm-minor-fd2e83...6803c56Merge pull request #4019 from github/update-bundle/codeql-bundle-v2.26.1Updates
github/codeql-action/analyzefrom 3.36.2 to 4.37.1Release notes
Sourced from github/codeql-action/analyze's releases.
... (truncated)
Changelog
Sourced from github/codeql-action/analyze's changelog.
... (truncated)
Commits
7188fc3Merge pull request #4020 from github/update-v4.37.1-9e7c07009c8b5f69Update changelog for v4.37.19e7c070Merge pull request #4014 from github/mbg/explicit-remote-prefix3492b7eChangeREMOTE_PATH_PREFIXtoremote=3654baaMerge remote-tracking branch 'origin/main' into mbg/explicit-remote-prefix2d682acMerge pull request #4017 from github/dependabot/github_actions/dot-github/wor...23f6a50Merge pull request #4009 from github/mbg/action-state/additions