github-actions: bump softprops/action-gh-release from 2 to 3.0.0#579
@dependabot rebase
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2 to 3.0.0.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@v2...v3)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
50313f1 to e34a84d
bgentry left a comment
🤖 Codex review: Security review looks good to me.
I reviewed this as a dependency-upgrade supply-chain/security pass for the softprops/action-gh-release update from v2 to the v3 line at PR head e34a84ddbaee1f8479366d75d9e983673b04bfa1. Although Dependabot's title names 3.0.0, the workflow uses the floating @v3 major tag, so I reviewed the current v3 tag target as well.
Scope reviewed:
- Confirmed the rebased PR only updates the release workflow's `softprops/action-gh-release` reference.
- Resolved the current upstream `v3` annotated tag and peeled commit, and compared upstream action metadata/source for the Node 24 runtime move and small release upload changes.
- Checked the action's token usage: it still uses the configured/default GitHub token to create releases and upload the listed assets, only under the existing `startsWith(github.ref, 'refs/tags/')` condition.
- Looked for unexpected credential sources, new network destinations beyond GitHub release APIs, dynamic code execution, install hooks, or expanded file upload behavior.
Local validation completed on the rebased head:
- `npm run lint`
- `npm run test:once`
- `npm run build`
- `make lint`
- `make test`
No blocking findings. Residual risk is that this release job intentionally has contents: write behavior on tag refs, and the workflow still trusts a moving major-version action reference rather than a pinned commit SHA.
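The residual risk named in the review above is the floating `@v3` reference. As an added example that is not part of this PR or of either project's code, the following Python check scans a workflow's `uses:` lines with a regular expression (no YAML parser needed) and reports every action reference that is not pinned to a full 40-character commit SHA. The workflow excerpt and the 40-hex value in it are constructed for the example; the value is a placeholder, not the SHA of any real action release.

```python
import re

# Matches a `uses:` line of a GitHub Actions workflow: owner/repo[/path]@ref,
# optionally followed by a "# vX.Y.Z" comment recording the readable version.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def is_pinned(ref: str) -> bool:
    """Only a full 40-hex commit SHA counts as pinned; tags such as v3 or
    v3.0.0 and branches such as main can be moved upstream at any time."""
    return bool(FULL_SHA_RE.match(ref))

def find_unpinned_uses(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, action, ref) for each `uses:` line whose ref is
    not a commit SHA. Local (./path) and docker:// refs are not matched."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group("ref")):
            findings.append((lineno, m.group("action"), m.group("ref")))
    return findings

# Constructed workflow excerpt modelled on the release job described in the
# review; the 40-hex value is a placeholder, not the SHA of any real release.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - if: startsWith(github.ref, 'refs/tags/')
        uses: softprops/action-gh-release@v3
        with: {files: dist/*}
"""

if __name__ == "__main__":
    for lineno, action, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is a moving reference, not a commit SHA")
```

Pinning to the SHA and keeping the version in a trailing comment lets Dependabot continue to raise bumps while removing the possibility of the tag being retargeted upstream.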
Bumps softprops/action-gh-release from 2 to 3.0.0.
Release notes
Sourced from softprops/action-gh-release's releases.
... (truncated)
Changelog
Sourced from softprops/action-gh-release's changelog.
Commits
- 718ea10 release 3.0.1
- f1a938b chore(deps): bump esbuild from 0.28.0 to 0.28.1 (#802)
- 0066ead chore(deps): bump vite from 8.0.14 to 8.0.16 (#806)
- dc643ca chore(deps): bump the npm group with 3 updates (#805)
- 85ee99b chore(deps): bump actions/checkout in the github-actions group (#804)
- 9ed3cf9 chore(deps): bump the npm group with 2 updates (#800)
- 3efcac8 chore(deps): bump the npm group with 3 updates (#798)
- 05d6b91 chore(deps): bump brace-expansion from 5.0.5 to 5.0.6 (#797)
- 403a524 chore(deps): bump @types/node from 24.12.2 to 24.12.3 in the npm group (#796)
- 437e073 chore(deps): bump the npm group with 4 updates (#792)