chore(deps): bump the github-actions group across 1 directory with 2 updates #1960
dependabot[bot] wants to merge 1 commit into
…updates

Bumps the github-actions group with 2 updates in the / directory: [actions/checkout](https://github.com/actions/checkout) and [actions/download-artifact](https://github.com/actions/download-artifact).

Updates `actions/checkout` from 6.0.2 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v6.0.2...v7)

Updates `actions/download-artifact` from 4.3.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v4.3.0...3e5f45b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
| n: ${{ steps.gen.outputs.n }} | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0 | ||
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0 |
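Review bot: the trailing annotation on the new line still reads `# v5.0.0` although SHA 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 is the one every other workflow in this PR labels `# v7.0.0`; change the comment to `# v7.0.0` here and on the other two checkout pins in this file so the human-readable record matches what is actually pinned. One further item to verify before merging a two-major bump: the v7 commit list in the PR description includes "block checking out fork pr for pull_request_target and workflow_run (#2454)", so any job in this workflow that checks out a fork's PR head under those triggers will now fail and needs adjusting.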
🟣 The actions/checkout SHA on lines 48, 90, and 130 was bumped to 9c091bb2... (v7.0.0) — the same SHA that every other workflow in this PR annotates with # v7.0.0 — but these three lines still trail with # v5.0.0, a two-major-version lie. The mismatch is pre-existing (prior SHA de0fac2... was v6.0.2 with the same # v5.0.0 comment), but this PR widens the gap and is the natural place to fix it: update all three trailing comments from # v5.0.0 to # v7.0.0.
Extended reasoning...
What the bug is
In .github/workflows/collectivex-sweep.yml, three actions/checkout step pins (lines 48, 90, 130) were bumped from SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd to 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0. The new SHA is unambiguously actions/checkout v7.0.0 — every other workflow file in this same PR pins the identical SHA with a # v7.0.0 comment (e.g. benchmark-tmpl.yml, claude-pr-review.yml, codeowner-signoff-verify.yml, e2e-tests.yml, profile.yml, run-sweep.yml, etc.). However, in this file the trailing comment was left as # v5.0.0, producing a two-major-version mismatch between the pin and its annotation.
How it manifests / why existing code doesn't prevent it
This is a pre-existing mismatch: the previous pin de0fac2... is actions/checkout v6.0.2 (confirmable from every other workflow's pre-PR # v6.0.2 comment), yet this file's comment was already # v5.0.0 before this PR. Dependabot updates the SHA but does not normalize an already-wrong trailing comment, so the bump from v6 to v7 propagated without fixing the lie — and future dependabot bumps will continue to do so. Nothing in the workflow currently parses or validates that the comment matches the pinned SHA.
Impact
Runtime behavior is unaffected — the SHA wins, so v7.0.0 is what actually runs. The harm is documentation/maintenance:
- A reviewer reading `# v5.0.0` will look up v5 release notes and miss v7's new behavior, most notably the new `pull_request_target`/`workflow_run` fork-blocking semantics introduced in v7 (PR #2454).
- Auditors checking pinned versions will see an inconsistency between what is pinned and what is labeled, eroding trust in the workflow file as an accurate record of what runs.
- Future dependabot bumps will continue carrying the wrong comment forward indefinitely.
Step-by-step proof
1. Open the PR diff for `.github/workflows/collectivex-sweep.yml`. Three hunks change `actions/checkout` lines (the setup, sweep, and aggregate jobs). Each hunk is of the form:

   ```diff
   -      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0
   +      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0
   ```

   The SHA changed; the trailing `# v5.0.0` comment did not.

2. Cross-check the new SHA against any other workflow in this PR — e.g. `.github/workflows/claude-pr-review.yml`:

   ```diff
   -        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
   +        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
   ```

   Same SHA, comment `# v7.0.0`. The dependabot PR description also confirms this is the v7.0.0 release: `actions/checkout/commit/9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0` is listed under the v7.0.0 commits, and the previous `de0fac2...` is v6.0.2 (every other workflow's pre-PR pin used that SHA with `# v6.0.2`).

3. Conclusion: on lines 48, 90, and 130 of `collectivex-sweep.yml`, the SHA pins v7.0.0 but the comment claims v5.0.0 — a two-major-version mismatch.
How to fix
Change the trailing comment on all three lines from # v5.0.0 to # v7.0.0:
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0 | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
(apply the same one-character — well, two-digit — fix to lines 48, 90, and 130.)
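The review above notes that nothing in the repository checks that a pin's `# vX.Y.Z` comment agrees with its SHA, and it reaches its conclusion by cross-checking the same SHA against the other workflow files in the PR. The script below automates exactly that cross-check. It is an added example, not code from this PR, its repository, or Dependabot: it parses `uses:` lines from a set of workflow files, groups them by (action, SHA), and reports any pin whose annotation differs from the annotation the same SHA carries elsewhere. Without the upstream tag list it cannot know which annotation is correct, so it assumes the majority annotation is the reference (ties resolve to the first one seen). The sample workflow contents are constructed; the SHA and the two annotations are the ones quoted in the review.

```python
"""Cross-check that every SHA-pinned GitHub Action carries one consistent
version comment across a set of workflow files (added example, not the
project's own tooling)."""
import re
from collections import Counter, defaultdict

# Matches:   - uses: owner/repo@<40-hex-sha>   # v7.0.0   (comment optional)
PIN_RE = re.compile(
    r"uses:\s*(?P<action>[\w.-]+/[\w.-]+)@(?P<sha>[0-9a-f]{40})"
    r"(?:\s*#\s*(?P<version>v?\d+(?:\.\d+){0,2}))?"
)


def parse_pins(path, text):
    """Return (path, lineno, action, sha, version_or_None) for each SHA pin."""
    pins = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PIN_RE.search(line)
        if m:
            pins.append((path, lineno, m["action"], m["sha"], m["version"]))
    return pins


def find_inconsistent_pins(files):
    """files: {path: yaml_text}.  Returns one finding per pin whose annotation
    differs from the majority annotation recorded for the same (action, SHA).
    An unannotated pin is reported too when the SHA is annotated elsewhere."""
    by_sha = defaultdict(list)
    for path, text in files.items():
        for pin in parse_pins(path, text):
            by_sha[(pin[2], pin[3])].append(pin)

    findings = []
    for (action, sha), pins in by_sha.items():
        versions = Counter(p[4] for p in pins if p[4] is not None)
        if len(versions) <= 1 and all(p[4] is not None for p in pins):
            continue  # every occurrence agrees (or nothing is annotated)
        expected = versions.most_common(1)[0][0] if versions else None
        for path, lineno, _, _, version in pins:
            if version != expected:
                findings.append({
                    "file": path, "line": lineno, "action": action,
                    "sha": sha, "annotated": version, "expected": expected,
                })
    return findings


# Constructed sample, modelled on the files this PR touches: the SHA and the
# two annotations come from the review; the surrounding YAML is invented.
SAMPLE_FILES = {
    ".github/workflows/collectivex-sweep.yml": """\
jobs:
  setup:
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0
""",
    ".github/workflows/claude-pr-review.yml": """\
jobs:
  review:
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
""",
    ".github/workflows/e2e-tests.yml": """\
jobs:
  e2e:
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
""",
}


def main():
    for f in find_inconsistent_pins(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['action']}@{f['sha'][:7]} annotated "
              f"{f['annotated']!r}, but the same SHA is annotated "
              f"{f['expected']!r} elsewhere")


if __name__ == "__main__":
    main()
```

Run against the real `.github/workflows/` directory by reading each file into the `files` dict; a non-empty result is the condition the review describes, and the check runs offline because it only compares the repository against itself. It does not replace resolving the SHA against the upstream tag (which catches the case where every file carries the same wrong annotation), but it does catch the drift Dependabot propagates when a single file is out of step.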
Bumps the github-actions group with 2 updates in the / directory: actions/checkout and actions/download-artifact.
Updates `actions/checkout` from 6.0.2 to 7.0.0
Release notes
Sourced from actions/checkout's releases.
Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)
- df4cb1c Update changelog for v6.0.3 (#2446)

Updates `actions/download-artifact` from 4.3.0 to 8.0.1
Release notes
Sourced from actions/download-artifact's releases.
... (truncated)
Commits
- 3e5f45b Add regression tests for CJK characters (#471)
- e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
- 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
- f258da9 Add change docs
- ccc058e Fix linting issues
- bd7976b Add a setting to specify what to do on hash mismatch and default it to error
- ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
- 15999bf Add note about package bumps
- 974686e Bump the version to v8 and add release notes
- fbe48b1 Update test names to make it clearer what they do