chore(deps): bump the github-actions group across 1 directory with 2 updates #1960
Open: dependabot wants to merge 1 commit into main from dependabot/github_actions/github-actions-97accce477
🟣 The actions/checkout SHA on lines 48, 90, and 130 was bumped to `9c091bb2...` (v7.0.0) — the same SHA that every other workflow in this PR annotates with `# v7.0.0` — but these three lines still trail with `# v5.0.0`, a two-major-version lie. The mismatch is pre-existing (prior SHA `de0fac2...` was v6.0.2 with the same `# v5.0.0` comment), but this PR widens the gap and is the natural place to fix it: update all three trailing comments from `# v5.0.0` to `# v7.0.0`.

Extended reasoning...

What the bug is

In `.github/workflows/collectivex-sweep.yml`, three `actions/checkout` step pins (lines 48, 90, 130) were bumped from SHA `de0fac2e4500dabe0009e67214ff5f5447ce83dd` to `9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0`. The new SHA is unambiguously actions/checkout v7.0.0 — every other workflow file in this same PR pins the identical SHA with a `# v7.0.0` comment (e.g. `benchmark-tmpl.yml`, `claude-pr-review.yml`, `codeowner-signoff-verify.yml`, `e2e-tests.yml`, `profile.yml`, `run-sweep.yml`, etc.). However, in this file the trailing comment was left as `# v5.0.0`, producing a two-major-version mismatch between the pin and its annotation.

How it manifests / why existing code doesn't prevent it

This is a pre-existing mismatch: the previous pin `de0fac2...` is actions/checkout v6.0.2 (confirmable from every other workflow's pre-PR `# v6.0.2` comment), yet this file's comment was already `# v5.0.0` before this PR. Dependabot updates the SHA but does not normalize an already-wrong trailing comment, so the bump from v6 to v7 propagated without fixing the lie — and future dependabot bumps will continue to do so. Nothing in the workflow currently parses or validates that the comment matches the pinned SHA.

Impact

Runtime behavior is unaffected — the SHA wins, so v7.0.0 is what actually runs. The harm is documentation/maintenance: `# v5.0.0` will look up v5 release notes and miss v7's new behavior, most notably the new `pull_request_target`/`workflow_run` fork-blocking semantics introduced in v7 (PR #2454).

Step-by-step proof

1. Open the PR diff for `.github/workflows/collectivex-sweep.yml`. Three hunks change `actions/checkout` lines (the setup, sweep, and aggregate jobs). Each hunk is of the form:
   The SHA changed; the trailing `# v5.0.0` comment did not.
2. Cross-check the new SHA against any other workflow in this PR — e.g. `.github/workflows/claude-pr-review.yml`:
   Same SHA, comment `# v7.0.0`.
3. The dependabot PR description also confirms this is the v7.0.0 release: `actions/checkout/commit/9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0` is listed under the v7.0.0 commits, and the previous `de0fac2...` is v6.0.2 (every other workflow's pre-PR pin used that SHA with `# v6.0.2`).

Conclusion: on lines 48, 90, and 130 of `collectivex-sweep.yml`, the SHA pins v7.0.0 but the comment claims v5.0.0 — a two-major-version mismatch.

How to fix

Change the trailing comment on all three lines from `# v5.0.0` to `# v7.0.0`:
(apply the same one-character — well, two-digit — fix to lines 48, 90, and 130.)
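The review above notes that nothing validates a pin's trailing version comment against its SHA. As an added example (not code from the PR or the project), the check below groups full-SHA action pins across workflow files and flags any line whose version comment disagrees with the majority annotation for the same SHA; the workflow contents are constructed from the SHAs quoted in the review, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Matches a step pinned to a full 40-hex commit SHA with an optional trailing
# version comment, e.g.
#   uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
PIN_RE = re.compile(
    r"uses:\s*(?P<action>[\w.-]+/[\w.-]+)@(?P<sha>[0-9a-f]{40})"
    r"(?:\s*#\s*(?P<tag>v\S+))?"
)

def find_pins(files):
    """files: {path: text}. Returns (path, lineno, action, sha, tag) tuples."""
    pins = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = PIN_RE.search(line)
            if m:
                pins.append((path, lineno, m["action"], m["sha"], m["tag"]))
    return pins

def check_pin_comments(files):
    """Report lines whose version comment is missing or disagrees with the
    majority comment used for the same (action, sha) elsewhere in the repo."""
    by_sha = defaultdict(list)
    for pin in find_pins(files):
        by_sha[(pin[2], pin[3])].append(pin)
    findings = []
    for (action, sha), group in by_sha.items():
        tags = [p[4] for p in group if p[4]]
        if not tags:
            continue  # no annotation anywhere, nothing to compare against
        majority = max(set(tags), key=tags.count)
        for path, lineno, _, _, tag in group:
            if tag != majority:
                findings.append((path, lineno, action, sha[:8], tag, majority))
    return findings

# Constructed sample: two workflows annotate the SHA as v7.0.0, one still says v5.0.0.
SAMPLE_FILES = {
    ".github/workflows/claude-pr-review.yml":
        "      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0\n",
    ".github/workflows/run-sweep.yml":
        "      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0\n",
    ".github/workflows/collectivex-sweep.yml":
        "jobs:\n  setup:\n    steps:\n"
        "      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0\n",
}

if __name__ == "__main__":
    for path, lineno, action, sha, tag, expected in check_pin_comments(SAMPLE_FILES):
        print(f"{path}:{lineno}: {action}@{sha} annotated {tag}, expected {expected}")
```

A majority vote only catches the odd one out; for a single-file repo the comment should instead be resolved against the upstream tag that the SHA actually belongs to.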