ci(deps): bump the actions-core group across 1 directory with 7 updates #1280
dependabot[bot] wants to merge 1 commit into
| timeout-minutes: 10 | ||
| steps: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | ||
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
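Review bot: this pin jumps actions/checkout three major versions in one step (v4.3.1 to v7.0.0, per the PR table), so the hunk needs more than a SHA swap before merge: the commit list in the PR body includes f9e715a "block checking out fork pr for pull_request_target and workflow_run (#2454)" and d914b26 "upgrade module to esm and update dependencies (#2463)", so any job in this file that runs on pull_request_target or workflow_run and checks out a fork should be exercised once against the new ref. The `# v7.0.0` trailer is only a comment; confirm that refs/tags/v7.0.0 upstream actually resolves to 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 rather than trusting the annotation, since the same comment-versus-SHA mismatch is raised below for the attest-build-provenance hunk.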
💡 Suggestion: The action pins are repeated across many jobs and workflow files, so this bump required changing the same checkout/setup-node/artifact/cache refs in dozens of places. Consider extracting the common checkout/pnpm/node setup and artifact download/upload patterns into local composite actions or reusable workflows so future action upgrades have one source of truth and less drift risk.
Bumps the actions-core group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4.3.1` | `7.0.0` |
| [actions/setup-node](https://github.com/actions/setup-node) | `4.4.0` | `6.4.0` |
| [actions/cache](https://github.com/actions/cache) | `4.3.0` | `6.1.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.1` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `4.3.0` | `8.0.1` |
| [actions/setup-python](https://github.com/actions/setup-python) | `5.6.0` | `6.3.0` |
| [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `2.2.2` | `4.1.1` |

Updates `actions/checkout` from 4.3.1 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...9c091bb)

Updates `actions/setup-node` from 4.4.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@49933ea...48b55a0)

Updates `actions/cache` from 4.3.0 to 6.1.0
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@0057852...55cc834)

Updates `actions/upload-artifact` from 4.6.2 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@ea165f8...043fb46)

Updates `actions/download-artifact` from 4.3.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@d3f86a1...3e5f45b)

Updates `actions/setup-python` from 5.6.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a26af69...ece7cb0)

Updates `actions/attest-build-provenance` from 2.2.2 to 4.1.1
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@bd77c07...0f67c3f)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-core
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-core
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-core
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-core
- dependency-name: actions/setup-node
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-core
- dependency-name: actions/setup-python
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-core
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions-core
...

Signed-off-by: dependabot[bot] <support@github.com>
cf00ab2 to 1eee7b5
| # Stored in the repo's attestation API; users verify with | ||
| # `gh attestation verify <file> --repo OriginTrail/dkg`. | ||
| uses: actions/attest-build-provenance@bd77c077858b8d561b7a36cbe48ef4cc642ca39d # v2.2.2 | ||
| uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 |
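Review bot: the `# v4.1.1` trailer on this line does not agree with the PR's own metadata, and this is the step that signs release assets, so it should not merge as-is. The commit message records `dependency-version: 4.1.0` for actions/attest-build-provenance while the comment and the PR table say 4.1.1, and the commit list shows 0f67c3f as "Bump actions/checkout from 6.0.3 to 7.0.0 (#857)", a commit that lands after 21b787d "Update actions/attest to v4.1.1 (#858)" rather than a tagged release commit. Resolve refs/tags/v4.1.1 (or the intended released tag) upstream, pin to the SHA it actually points at, and make the trailing comment match; the same metadata-versus-comment drift appears for actions/cache (5.0.5 vs 6.1.0) and actions/setup-python (6.2.0 vs 6.3.0), so those pins deserve the same check.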
🔴 Bug: Release provenance action is pinned to a non-existent advertised release
What's wrong
The release job's provenance control now points at a SHA labeled as v4.1.1, but the upstream action does not currently publish that release. This can break the release workflow at the attestation step, or worse, make the credentialed release job run action code that is not the reviewed immutable release the workflow claims to use.
Example
Triggering the release workflow reaches Attest build provenance for release assets. If 0f67c3f4856b2e3261c31976d6725780e5e4c373 is not a commit in actions/attest-build-provenance, GitHub Actions fails before producing provenance, so the release cannot complete. If it is an unreleased commit, the release attestation step is no longer pinned to the advertised immutable upstream release.
Suggested direction
Replace this pin with the actual commit for an existing actions/attest-build-provenance release, or update the comment and review record if the intent is to consume a specific unreleased commit.
Confidence note
The official tags page for actions/attest-build-provenance currently shows v4.1.0/v4 as latest, not v4.1.1; local git verification was blocked by DNS in the sandbox.
For Agents
In .github/workflows/release.yml, verify the intended upstream actions/attest-build-provenance release and pin the workflow to that release's actual immutable commit SHA. Preserve the existing subject-path: 'release-assets/*' behavior. Prove the fix by resolving the pinned ref against the upstream repo and running or dry-running the release job far enough to load the action.
The attestation action pin is not verified against an official release tag
What's wrong
This PR upgrades the release provenance action, which is part of the release asset trust chain, but the changed line advertises v4.1.1 without a matching official release/tag. That makes the validation evidence incomplete and gives false confidence that the release workflow is using a reviewed upstream release.
Example
A release run would execute the pinned SHA, but reviewers relying on the # v4.1.1 evidence cannot reproduce that this SHA is an immutable upstream release because the advertised tag is not present on the official action repo.
Suggested direction
Replace this pin with a SHA that resolves to an official immutable actions/attest-build-provenance release tag, or provide an automated/manual verification artifact proving this exact SHA is the intended upstream release.
For Agents
Check .github/workflows/release.yml at the attest-build-provenance step. Either pin to an official listed tag/SHA pair, or add clear validation evidence for why this exact commit is intended. Add or update the repo’s action-pin verification so it fails when a uses: SHA comment advertises a tag that does not exist or resolves to a different SHA.
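The pin check the comment above asks for, as an added example that is not part of this PR or the OriginTrail/dkg repository: it parses `uses: owner/repo@<sha> # <tag>` lines out of workflow text, resolves each advertised tag to a commit, and reports tags that do not exist or point at a different commit. The sample workflow and the tag table are constructed fixtures (the mapping for actions/checkout and the `example-org/example-action` entries are assumed values, not verified upstream data); `git_tag_resolver` is the network-backed resolver to use for real runs.

```python
import re
import subprocess

# A pinned step: "uses: owner/repo[/path]@<40-hex sha>  # <advertised tag>"; unannotated pins are skipped.
PIN_RE = re.compile(r"uses:\s*(?P<repo>[\w.-]+/[\w.-]+)(?:/[\w./-]+)?@(?P<sha>[0-9a-f]{40})"
                    r"\s*#\s*(?P<tag>v?\d[\w.-]*)")

def parse_pins(workflow_text):
    """Return the (repo, sha, advertised tag) pins in a workflow file, with their line numbers."""
    pins = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = PIN_RE.search(line)
        if m:
            pins.append({"line": lineno, **m.groupdict()})
    return pins

def git_tag_resolver(repo, tag):
    """Resolve tag -> commit SHA via `git ls-remote` (needs network); None if the tag is absent.
    The peeled 'tag^{}' entry wins so annotated tags yield the commit, not the tag object."""
    refs = [f"refs/tags/{tag}", f"refs/tags/{tag}^{{}}"]
    out = subprocess.run(["git", "ls-remote", f"https://github.com/{repo}", *refs],
                         capture_output=True, text=True, check=True).stdout
    found = {ref: sha for sha, ref in (l.split("\t") for l in out.splitlines() if "\t" in l)}
    return found.get(refs[1]) or found.get(refs[0])

def check_pins(pins, resolve):
    """One finding per pin whose advertised tag is missing upstream or points at another commit."""
    findings = []
    for p in pins:
        actual = resolve(p["repo"], p["tag"])
        if actual is None:
            findings.append(f"line {p['line']}: {p['repo']} has no tag {p['tag']}")
        elif actual != p["sha"]:
            findings.append(f"line {p['line']}: {p['repo']}@{p['tag']} is {actual[:7]}, pin is {p['sha'][:7]}")
    return findings

# Constructed fixture, not a real workflow: the two pins from this PR plus one hypothetical action.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
  - uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1
  - uses: example-org/example-action@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v1.2.3
"""
# Constructed tag table standing in for upstream (assumed values, not verified upstream data).
FAKE_TAGS = {
    ("actions/checkout", "v7.0.0"): "9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0",
    ("example-org/example-action", "v1.2.3"): "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
}
def fake_resolver(repo, tag):
    return FAKE_TAGS.get((repo, tag))
```

Against the fixture the check reports the attest-build-provenance pin as having no such tag and the hypothetical action as pointing at a different commit, which is exactly the failure mode the comment wants a CI gate for.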
Bumps the actions-core group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| actions/checkout | 4.3.1 | 7.0.0 |
| actions/setup-node | 4.4.0 | 6.4.0 |
| actions/cache | 4.3.0 | 6.1.0 |
| actions/upload-artifact | 4.6.2 | 7.0.1 |
| actions/download-artifact | 4.3.0 | 8.0.1 |
| actions/setup-python | 5.6.0 | 6.3.0 |
| actions/attest-build-provenance | 2.2.2 | 4.1.1 |

Updates `actions/checkout` from 4.3.1 to 7.0.0
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- `9c091bb` update error wording (#2467)
- `1044a6d` getting ready for checkout v7 release (#2464)
- `f028218` Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- `d914b26` upgrade module to esm and update dependencies (#2463)
- `537c7ef` Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- `130a169` Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- `7d09575` Bump flatted from 3.3.1 to 3.4.2 (#2460)
- `0f9f3aa` Bump actions/publish-immutable-action (#2458)
- `f9e715a` block checking out fork pr for pull_request_target and workflow_run (#2454)
- `df4cb1c` Update changelog for v6.0.3 (#2446)

Updates `actions/setup-node` from 4.4.0 to 6.4.0
Release notes
Sourced from actions/setup-node's releases.
... (truncated)
Commits
- `48b55a0` Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
- `ab72c7e` Upgrade @actions dependencies (#1525)
- `53b8394` Bump minimatch from 3.1.2 to 3.1.5 (#1498)
- `54045ab` Scope test lockfiles by package manager and update cache tests (#1495)
- `c882bff` Replace uuid with crypto.randomUUID() (#1378)
- `774c1d6` feat(node-version-file): support parsing devEngines field (#1283)
- `efcb663` fix: remove hardcoded bearer (#1467)
- `d02c89d` Fix npm audit issues (#1491)
- `6044e13` Docs: bump actions/checkout from v5 to v6 (#1468)
- `8e49463` Fix README typo (#1226)

Updates `actions/cache` from 4.3.0 to 6.1.0
Release notes
Sourced from actions/cache's releases.
... (truncated)
Changelog
Sourced from actions/cache's changelog.
... (truncated)
Commits
- `55cc834` Merge pull request #1768 from jasongin/readonly-cache
- `d8cd72f` Bump @actions/cache to v6.1.0 - handle cache write error due to RO token
- `2c8a9bd` Merge pull request #1760 from actions/samirat/esm_migration_and_package_update
- `e9b91fd` Prettier fixes
- `e4884b8` Rebuild dist
- `10baf01` Fixed licenses
- `e39b386` Fix test mock return order
- `b692820` PR feedback
- `6074912` Rebuild dist bundles as ESM to match type:module
- `5a912e8` Fix lint and jest issues

Updates `actions/upload-artifact` from 4.6.2 to 7.0.1
Release notes
Sourced from actions/upload-artifact's releases.
... (truncated)
Commits
- `043fb46` Merge pull request #797 from actions/yacaovsnc/update-dependency
- `634250c` Include changes in typespec/ts-http-runtime 0.3.5
- `e454baa` Readme: bump all the example versions to v7 (#796)
- `74fad66` Update the readme with direct upload details (#795)
- `bbbca2d` Support direct file uploads (#764)
- `589182c` Upgrade the module to ESM and bump dependencies (#762)
- `47309c9` Merge pull request #754 from actions/Link-/add-proxy-integration-tests
- `02a8460` Add proxy integration test
- `b7c566a` Merge pull request #745 from actions/upload-artifact-v6-release
- `e516bc8` docs: correct description of Node.js 24 support in README

Updates `actions/download-artifact` from 4.3.0 to 8.0.1
Release notes
Sourced from actions/download-artifact's releases.
... (truncated)
Commits
- `3e5f45b` Add regression tests for CJK characters (#471)
- `e6d03f6` Add a regression test for artifact name + content-type mismatches (#472)
- `70fc10c` Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
- `f258da9` Add change docs
- `ccc058e` Fix linting issues
- `bd7976b` Add a setting to specify what to do on hash mismatch and default it to `error`
- `ac21fcf` Merge pull request #460 from actions/danwkennedy/download-no-unzip
- `15999bf` Add note about package bumps
- `974686e` Bump the version to `v8` and add release notes
- `fbe48b1` Update test names to make it clearer what they do

Updates `actions/setup-python` from 5.6.0 to 6.3.0
Release notes
Sourced from actions/setup-python's releases.
... (truncated)
Commits
- `ece7cb0` Fix pip cache error handling on Windows. (#1040)
- `1d18d7a` Update advanced-usage.md (#811)
- `d2b357a` Update dependency versions and test workflow configuration (#1322)
- `8f639b1` Merge pull request #1324 from jasongin/update-actions-cache-5.1.0
- `6731c2b` Resolve high-severity audit issues
- `0cb1a84` Add RHEL support and include Linux distro in cache keys (#1323)
- `dc6eab6` Update dist
- `6f4b74b` Strict equality
- `fa8bde1` Bump @actions/cache to 5.1.0, log cache write denied
- `c8813ba` Upgrade @actions dependencies and update licenses (#1303)

Updates `actions/attest-build-provenance` from 2.2.2 to 4.1.1
Release notes
Sourced from actions/attest-build-provenance's releases.
... (truncated)
Commits
- `0f67c3f` Bump actions/checkout from 6.0.3 to 7.0.0 (#857)
- `21b787d` Update actions/attest to v4.1.1 (#858)
- `f14352a` add dependabot cooldown (#851)
- `2c04a00` Bump actions/checkout from 6.0.2 to 6.0.3 in the actions-minor group (#850)
- `10334b5` remove badges from README (#840)
- `c5efebd` remove prober workflows (#837)
- `a2bbfa2` bump actions/attest from 4.0.0 to 4.1.0 (#838)
- `0856891` update RELEASE.md docs (#836)