chore(deps): bump the actions group across 1 directory with 5 updates #161
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps the actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `7.0.0` |
| [github/codeql-action/init](https://github.com/github/codeql-action) | `3.36.2` | `4.36.2` |
| [github/codeql-action/analyze](https://github.com/github/codeql-action) | `3.36.2` | `4.36.2` |
| [actions/cache](https://github.com/actions/cache) | `6.0.0` | `6.1.0` |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `3.9.1` | `4.1.2` |

Updates `actions/checkout` from 4.2.2 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4.2.2...9c091bb)

Updates `github/codeql-action/init` from 3.36.2 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@dd903d2...8aad20d)

Updates `github/codeql-action/analyze` from 3.36.2 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@dd903d2...8aad20d)

Updates `actions/cache` from 6.0.0 to 6.1.0
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@2c8a9bd...55cc834)

Updates `sigstore/cosign-installer` from 3.9.1 to 4.1.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@398d4b0...6f9f177)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: github/codeql-action/analyze
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: github/codeql-action/init
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
3721cde to 46eafcb
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 46eafcb706
| - name: Install cosign | ||
| uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3 | ||
| uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 |
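Review bot: this step passes no `cosign-release` input, so moving the installer pin from `398d4b0…` (`# v3`) to `6f9f177…` (`# v4.1.2`) also changes which cosign binary the job downloads by default (the installer's own commit list on this page shows its default bumped to cosign 3.0.6). Add `with: cosign-release: <version>` to the step so the cosign major version is pinned independently of the installer version, and a later installer bump then shows up as a review-visible change rather than a silent swap of the signing tool. The old line's comment (`# v3`) only named a major, while the new one names the exact release; keep the exact-release convention alongside the full-SHA pin.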
Pin cosign v2 or switch to bundle output
In this release workflow, updating the installer here changes the default cosign binary from v2.5.2 to v3.0.6; the cosign v3 changelog notes that --bundle output moved from optional to required in v3. The later Sign release artifacts (keyless) step still calls cosign sign-blob with only --output-signature and --output-certificate, so tag releases will fail during signing before any release assets are uploaded unless this step pins cosign-release to a compatible 2.x version or the signing/reconciliation logic is updated to emit .sigstore.json bundles.
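The two fixes the review comment proposes, side by side, as an added example that is not the repository's own release workflow: the cosign binary is pinned explicitly with `cosign-release` (fix A keeps 2.x so the existing `--output-signature`/`--output-certificate` call keeps working; fix B pins 3.x and emits `.sigstore.json` bundles), and the bundles are verified before upload. The job and step names, the `permissions` block, the `dist/*.tar.gz` artifact paths and the `release.yml` workflow filename in the expected identity are assumptions.

```yaml
# Added example, not the repository's own workflow. Job/step names, the
# permissions block, the dist/*.tar.gz paths and release.yml are assumptions.
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # upload release assets
      id-token: write   # required for keyless (Fulcio/OIDC) signing
    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
        with:
          # Pin the cosign binary explicitly so an installer bump can no longer
          # change the cosign major version silently.
          # Fix A: 'v2.5.2' keeps the existing --output-signature /
          #        --output-certificate invocation working.
          # Fix B: pin 3.x and switch the signing step to bundle output (below).
          cosign-release: 'v3.0.6'

      - name: Sign release artifacts (keyless)
        run: |
          set -euo pipefail
          for f in dist/*.tar.gz; do
            # Fix B: one .sigstore.json bundle per artifact, the output form
            # cosign 3.x requires instead of separate signature/certificate files.
            cosign sign-blob --yes "$f" --bundle "$f.sigstore.json"
          done

      - name: Verify bundles before upload
        env:
          # Expected signing identity: this workflow file, on the tag being released.
          IDENTITY: https://github.com/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }}
        run: |
          set -euo pipefail
          for f in dist/*.tar.gz; do
            # Fail the release if a bundle is missing, malformed, or was not
            # produced by this workflow via the GitHub Actions OIDC issuer.
            cosign verify-blob "$f" --bundle "$f.sigstore.json" \
              --certificate-identity "$IDENTITY" \
              --certificate-oidc-issuer https://token.actions.githubusercontent.com
          done
```

Any downstream verification instructions must be updated in the same change, since consumers of the old `.sig`/`.pem` pair will not find those files once bundles are emitted.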
Bumps the actions group with 5 updates in the / directory:

Updates `actions/checkout` from 4.2.2 to 7.0.0

Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)
- df4cb1c Update changelog for v6.0.3 (#2446)

Updates `github/codeql-action/init` from 3.36.2 to 4.36.2

Release notes
Sourced from github/codeql-action/init's releases.
... (truncated)
Changelog
Sourced from github/codeql-action/init's changelog.
... (truncated)
Commits
- 0ad7c1f Rebuild
- 25c25b5 Update changelog and version after v4.36.1
- 87557b9 Merge pull request #3940 from github/update-v4.36.1-2a1689ed49431011Update changelog for v4.36.1
- 2a1689e Merge pull request #3939 from github/henrymercer/skip-overlay-revert-when-exp...
- d40e417 Only do initial wait when not running tests
- 5245323 Disable missing diff-ranges fallback when overlay enabled manually
- 948a63a Add FF to force JGit-based Git backend

Updates `github/codeql-action/analyze` from 3.36.2 to 4.36.2

Release notes
Sourced from github/codeql-action/analyze's releases.
... (truncated)
Changelog
Sourced from github/codeql-action/analyze's changelog.
... (truncated)
Commits
- 0ad7c1f Rebuild
- 25c25b5 Update changelog and version after v4.36.1
- 87557b9 Merge pull request #3940 from github/update-v4.36.1-2a1689ed49431011Update changelog for v4.36.1
- 2a1689e Merge pull request #3939 from github/henrymercer/skip-overlay-revert-when-exp...
- d40e417 Only do initial wait when not running tests
- 5245323 Disable missing diff-ranges fallback when overlay enabled manually
- 948a63a Add FF to force JGit-based Git backend

Updates `actions/cache` from 6.0.0 to 6.1.0

Release notes
Sourced from actions/cache's releases.
Changelog
Sourced from actions/cache's changelog.
... (truncated)
Commits
- 55cc834 Merge pull request #1768 from jasongin/readonly-cache
- d8cd72f Bump @actions/cache to v6.1.0 - handle cache write error due to RO token

Updates `sigstore/cosign-installer` from 3.9.1 to 4.1.2

Release notes
Sourced from sigstore/cosign-installer's releases.
... (truncated)
Commits
- 6f9f177 Bump cosign to 3.0.6 (#232)
- b5e753a Bump actions/github-script from 8.0.0 to 9.0.0 (#230)
- 115e4ce Bump actions/setup-go from 6.3.0 to 6.4.0 (#226)
- cad07c2 chore: update default cosign-release to v3.0.5 (#223)
- ba7bc0a fix: add retry to curl downloads for transient network failures (#210)
- 5a292e1 Bump cosign to 3.0.5 (#220)
- 351ea76 Bump actions/checkout from 6.0.1 to 6.0.2 (#217)
- c17565f test with go 1.26 too (#221)
- a6fdd19 Bump actions/setup-go from 6.1.0 to 6.3.0 (#218)
- 430b6a7 docs: fix registry from gcr.io to ghcr.io (#213)