build(deps): bump tj-actions/changed-files from 44 to 46 in /.github/workflows #5749



@dependabot dependabot bot commented on behalf of github Apr 22, 2025

Bumps tj-actions/changed-files from 44 to 46.

Release notes

Sourced from tj-actions/changed-files's releases.

v46

Changes in v46.0.5

What's Changed

Full Changelog: tj-actions/changed-files@v46...v46.0.5


Changes in v46.0.4

What's Changed

Full Changelog: tj-actions/changed-files@v46...v46.0.4


Changes in v46.0.3

What's Changed

Full Changelog: tj-actions/changed-files@v46...v46.0.3


Changes in v46.0.2

What's Changed

... (truncated)

Changelog

Sourced from tj-actions/changed-files's changelog.

Changelog

46.0.5 - (2025-04-09)

⚙️ Miscellaneous Tasks

  • deps: Bump yaml from 2.7.0 to 2.7.1 (#2520) (ed68ef8) - (dependabot[bot])
  • deps-dev: Bump typescript from 5.8.2 to 5.8.3 (#2516) (a7bc14b) - (dependabot[bot])
  • deps-dev: Bump @types/node from 22.13.11 to 22.14.0 (#2517) (3d751f6) - (dependabot[bot])
  • deps-dev: Bump eslint-plugin-prettier from 5.2.3 to 5.2.6 (#2519) (e2fda4e) - (dependabot[bot])
  • deps-dev: Bump ts-jest from 29.2.6 to 29.3.1 (#2518) (0bed1b1) - (dependabot[bot])
  • deps: Bump github/codeql-action from 3.28.12 to 3.28.15 (#2530) (6802458) - (dependabot[bot])
  • deps: Bump tj-actions/branch-names from 8.0.1 to 8.1.0 (#2521) (cf2e39e) - (dependabot[bot])
  • deps: Bump tj-actions/verify-changed-files from 20.0.1 to 20.0.4 (#2523) (6abeaa5) - (dependabot[bot])

⬆️ Upgrades

  • Upgraded to v46.0.4 (#2511)

Co-authored-by: github-actions[bot] (6f67ee9) - (github-actions[bot])

46.0.4 - (2025-04-03)

🐛 Bug Fixes

  • Bug modified_keys and changed_key outputs not set when no changes detected (#2509) (6cb76d0) - (Tonye Jack)

📚 Documentation

⬆️ Upgrades

  • Upgraded to v46.0.3 (#2506)

Co-authored-by: github-actions[bot] Co-authored-by: Tonye Jack jtonye@ymail.com (27ae6b3) - (github-actions[bot])

46.0.3 - (2025-03-23)

🔄 Update

  • Updated README.md (#2501)

Co-authored-by: github-actions[bot] (41e0de5) - (github-actions[bot])

  • Updated README.md (#2499)

Co-authored-by: github-actions[bot] (9457878) - (github-actions[bot])

📚 Documentation

... (truncated)

Commits
  • ed68ef8 chore(deps): bump yaml from 2.7.0 to 2.7.1 (#2520)
  • a7bc14b chore(deps-dev): bump typescript from 5.8.2 to 5.8.3 (#2516)
  • 3d751f6 chore(deps-dev): bump @types/node from 22.13.11 to 22.14.0 (#2517)
  • e2fda4e chore(deps-dev): bump eslint-plugin-prettier from 5.2.3 to 5.2.6 (#2519)
  • 0bed1b1 chore(deps-dev): bump ts-jest from 29.2.6 to 29.3.1 (#2518)
  • 6802458 chore(deps): bump github/codeql-action from 3.28.12 to 3.28.15 (#2530)
  • cf2e39e chore(deps): bump tj-actions/branch-names from 8.0.1 to 8.1.0 (#2521)
  • 6abeaa5 chore(deps): bump tj-actions/verify-changed-files from 20.0.1 to 20.0.4 (#2523)
  • 6f67ee9 Upgraded to v46.0.4 (#2511)
  • 6cb76d0 fix: bug modified_keys and changed_key outputs not set when no changes detect...
  • Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 22, 2025
Member

wisp3rwind commented Apr 22, 2025

@dependabot dependabot bot force-pushed the dependabot/github_actions/dot-github/workflows/tj-actions/changed-files-46 branch 2 times, most recently from ef99ad5 to 943c881 Compare May 14, 2025 09:48
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 44 to 46.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](tj-actions/changed-files@v44...v46)

---
updated-dependencies:
- dependency-name: tj-actions/changed-files
  dependency-version: '46'
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/github_actions/dot-github/workflows/tj-actions/changed-files-46 branch from 943c881 to 6116e67 Compare May 20, 2025 09:08
Member

snejus commented Jun 30, 2025

I had a look at workflow logs, and it seems we didn't run anything on Mar 14/15:

This is just before (Mar 13)

* lint run `#1076` https://github.com/beetbox/beets/actions/runs/13830068268/job/38692168362

* ci run [Extend Spotify plugin to obtain (popularity and audio features) track attributes #4352](https://github.com/beetbox/beets/pull/4352) https://github.com/beetbox/beets/actions/runs/13901313003/job/38893541291

This is afterwards (Mar 17)

* lint run `#1077` https://github.com/beetbox/beets/actions/runs/13901218919/job/38893219000

* ci run `#4351` https://github.com/beetbox/beets/actions/runs/13901218899/job/38893219036

These issues are about the action compromise:

* [[BUG] Pretty sure this repo got hacked and if you use this it will send your secrets to a hacker tj-actions/changed-files#2464](https://github.com/tj-actions/changed-files/issues/2464)

* [Multiple tags in this action are compromised tj-actions/changed-files#2463](https://github.com/tj-actions/changed-files/issues/2463)

* [[Security Advisory] Supply Chain Attack on reviewdog GitHub Actions during a specific time period reviewdog/reviewdog#2079](https://github.com/reviewdog/reviewdog/issues/2079)

We don't need to update, since the malicious commit of changed-files has been removed. I've read the suggestion to pin actions to specific SHA hashes rather than tags. Should we do something like that?

I doubt it's worth it, given how rarely such an issue occurs.

@snejus snejus closed this Jun 30, 2025
Author

dependabot bot commented on behalf of github Jun 30, 2025

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/github_actions/dot-github/workflows/tj-actions/changed-files-46 branch June 30, 2025 08:30