chore(deps): bump the github-actions group across 1 directory with 6 updates#188
Closed
dependabot[bot] wants to merge 1 commit into
Closed
chore(deps): bump the github-actions group across 1 directory with 6 updates#188dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Conversation
mmanciop
added a commit
that referenced
this pull request
Jul 16, 2026
Dependency bumps change go.mod/go.sum, which invalidates the buildGoModule vendorHash in nix/package.nix and turns the Nix build red on the PR. The existing `nix-vendor-hash.yml` workflow fixes this on `pull_request`, but GitHub withholds Actions secrets from Dependabot- triggered `pull_request` runs, so the PAT-based checkout fails with "Input required and not supplied: token" (see PR #188). Add a companion workflow on `pull_request_target`, which does grant Actions secrets to Dependabot-triggered runs. Guard by `actor == dependabot[bot]` and same-repo head, and drop Dependabot from the existing workflow's `if:` so the two do not double-fire. Security tradeoff: the job still checks out and runs `nix build` on the PR branch while a write-scoped PAT is in the environment. Scope is confined to Dependabot's own bumps; the remaining trust surface is a compromised upstream dependency exfiltrating the PAT during the build.
mmanciop
added a commit
that referenced
this pull request
Jul 16, 2026
Dependency bumps change go.mod/go.sum, which invalidates the buildGoModule vendorHash in nix/package.nix and turns the Nix build red on the PR. The existing `nix-vendor-hash.yml` workflow fixes this on `pull_request`, but GitHub withholds Actions secrets from Dependabot- triggered `pull_request` runs, so the PAT-based checkout fails with "Input required and not supplied: token" (see PR #188). Add a companion workflow on `pull_request_target`, which does grant Actions secrets to Dependabot-triggered runs. Guard by `actor == dependabot[bot]` and same-repo head, and drop Dependabot from the existing workflow's `if:` so the two do not double-fire. Security tradeoff: the job still checks out and runs `nix build` on the PR branch while a write-scoped PAT is in the environment. Scope is confined to Dependabot's own bumps; the remaining trust surface is a compromised upstream dependency exfiltrating the PAT during the build.
dependabot
Bot
force-pushed
the
dependabot/github_actions/github-actions-d3492015fa
branch
from
July 16, 2026 07:49
d5d3cae to
8900e8f
Compare
Member
|
@dependabot rebase |
…updates Bumps the github-actions group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `6.0.3` | `7.0.0` | | [actions/setup-go](https://github.com/actions/setup-go) | `6.4.0` | `7.0.0` | | [docker/login-action](https://github.com/docker/login-action) | `4.2.0` | `4.4.0` | | [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) | `4.1.0` | `4.2.0` | | [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `4.1.0` | `4.2.0` | | [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) | `7.2.2` | `7.2.3` | Updates `actions/checkout` from 6.0.3 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@df4cb1c...9c091bb) Updates `actions/setup-go` from 6.4.0 to 7.0.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@4a36011...b7ad1da) Updates `docker/login-action` from 4.2.0 to 4.4.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@650006c...af1e73f) Updates `docker/setup-qemu-action` from 4.1.0 to 4.2.0 - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](docker/setup-qemu-action@0611638...96fe6ef) Updates `docker/setup-buildx-action` from 4.1.0 to 4.2.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@d7f5e7f...bb05f3f) Updates `goreleaser/goreleaser-action` from 7.2.2 to 7.2.3 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@5daf1e9...f06c13b) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/setup-go dependency-version: 6.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: docker/login-action dependency-version: 4.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: docker/setup-buildx-action dependency-version: 4.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: docker/setup-qemu-action dependency-version: 4.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: goreleaser/goreleaser-action dependency-version: 7.2.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/github_actions/github-actions-d3492015fa
branch
from
July 16, 2026 07:55
8900e8f to
6feb97b
Compare
mmanciop
added a commit
that referenced
this pull request
Jul 16, 2026
The `push` trigger from PR #191 doesn't escape Dependabot's secret restrictions — GitHub applies the read-only / no-secrets policy to any event triggered directly by Dependabot, including `push`. That's why run 29481599947 on PR #188 failed with the same "Input required and not supplied: token" as before the workflow rewrite. Switch to `workflow_run` off the `Nix` build workflow. `workflow_run` runs start from the base repo on the default branch and are not classified as Dependabot-triggered, so Actions secrets (including the push-back PAT) resolve. The workflow now fires only when the `Nix` build failed on a non-main same-repo branch. `workflow_dispatch` remains for manual re-runs and takes an explicit `branch` input.
mmanciop
added a commit
that referenced
this pull request
Jul 16, 2026
The `push` trigger from PR #191 doesn't escape Dependabot's secret restrictions — GitHub applies the read-only / no-secrets policy to any event triggered directly by Dependabot, including `push`. That's why run 29481599947 on PR #188 failed with the same "Input required and not supplied: token" as before the workflow rewrite. Switch to `workflow_run` off the `Nix` build workflow. `workflow_run` runs start from the base repo on the default branch and are not classified as Dependabot-triggered, so Actions secrets (including the push-back PAT) resolve. The workflow now fires only when the `Nix` build failed on a non-main same-repo branch. `workflow_dispatch` remains for manual re-runs and takes an explicit `branch` input.
Contributor
Author
|
Looks like these dependencies are updatable in another way, so this is no longer needed. |
dependabot
Bot
deleted the
dependabot/github_actions/github-actions-d3492015fa
branch
July 16, 2026 08:32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the github-actions group with 6 updates in the / directory:
6.0.37.0.06.4.07.0.04.2.04.4.04.1.04.2.04.1.04.2.07.2.27.2.3Updates
actions/checkoutfrom 6.0.3 to 7.0.0Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)Updates
actions/setup-gofrom 6.4.0 to 7.0.0Release notes
Sourced from actions/setup-go's releases.
Commits
b7ad1dachore(deps): bump@actions/cacheto 6.2.0 (#771)0778a10Migrate to ESM and upgrade dependencies (#763)924ae3achore: bump version to 6.5.0 in package.json and package-lock.json (#762)e91cc3bBump@actions/cacheto 5.1.0, log cache write denied (#758)4a2405echore: update@types/nodeand@typescript-eslintdependencies to latest versi...78961f6chore: update@actionsdependencies and refresh license cache (#744)Updates
docker/login-actionfrom 4.2.0 to 4.4.0Release notes
Sourced from docker/login-action's releases.
Commits
af1e73fMerge pull request #1034 from docker/dependabot/npm_and_yarn/aws-sdk-dependen...da722bd[dependabot skip] chore: update generated content2916ad6build(deps): bump the aws-sdk-dependencies group across 1 directory with 2 up...ca0a662Merge pull request #1035 from crazy-max/fix-registry-auth-empty-maskc455755chore: update generated content4835190skip empty registry-auth secret mask992421cMerge pull request #1033 from docker/dependabot/github_actions/docker/bake-ac...b249b43Merge pull request #1032 from docker/dependabot/github_actions/docker/bake-ac...1b67977build(deps): bump docker/bake-action from 7.2.0 to 7.3.09d49d6abuild(deps): bump docker/bake-action/subaction/matrixUpdates
docker/setup-qemu-actionfrom 4.1.0 to 4.2.0Release notes
Sourced from docker/setup-qemu-action's releases.
Commits
96fe6efMerge pull request #315 from docker/dependabot/npm_and_yarn/docker/actions-to...31f08d3[dependabot skip] chore: update generated content4e7017abuild(deps): bump@docker/actions-toolkitfrom 0.91.0 to 0.92.00eca235Merge pull request #314 from crazy-max/fix-yarn-preapprove-actions-toolkitea66a41chore: allow actions-toolkit to bypass yarn age gate451542bMerge pull request #308 from docker/dependabot/npm_and_yarn/undici-6.27.0532ae00[dependabot skip] chore: update generated contentb6f5af6build(deps): bump undici from 6.26.0 to 6.27.0cf96b86Merge pull request #304 from docker/dependabot/npm_and_yarn/tmp-0.2.7f0ba643[dependabot skip] chore: update generated contentUpdates
docker/setup-buildx-actionfrom 4.1.0 to 4.2.0Release notes
Sourced from docker/setup-buildx-action's releases.
Commits
bb05f3fMerge pull request #580 from docker/dependabot/npm_and_yarn/docker/actions-to...321c814[dependabot skip] chore: update generated contentb9a36efbuild(deps): bump@docker/actions-toolkitfrom 0.91.0 to 0.92.0ebeab24Merge pull request #570 from docker/dependabot/npm_and_yarn/undici-6.27.05c7b8ae[dependabot skip] chore: update generated content037e618build(deps): bump undici from 6.25.0 to 6.27.066080e5Merge pull request #577 from docker/dependabot/npm_and_yarn/sigstore-4.1.1409aef0Merge pull request #562 from docker/dependabot/npm_and_yarn/js-yaml-4.2.049c6e42build(deps): bump sigstore from 4.1.0 to 4.1.12211273[dependabot skip] chore: update generated contentUpdates
goreleaser/goreleaser-actionfrom 7.2.2 to 7.2.3Release notes
Sourced from goreleaser/goreleaser-action's releases.
Commits
f06c13bchore: update distd393459ci: fix jobee731b1chore: workflow dispatch55de448chore(deps): bump js-yaml from 4.1.1 to 4.2.0a4f614eci: use a GitHub App token to rebuild dist on dependabot PRs (#569)d2d17a6ci: auto-rebuild dist on dependabot PRs (#568)d13def3build: regenerate dist after undici 6.27.0 bump (#567)21549b6chore(deps): bump undici from 6.24.1 to 6.27.0 (#565)47c416dci(deps): bump the actions group with 3 updates (#563)