Skip to content

[Patch]: Update GitHub Actions dependencies to latest pinned versions#358

Merged
Marius Storhaug (MariusStorhaug) merged 5 commits into
mainfrom
dependencies
Jul 7, 2026
Merged

[Patch]: Update GitHub Actions dependencies to latest pinned versions#358
Marius Storhaug (MariusStorhaug) merged 5 commits into
mainfrom
dependencies

Conversation

@MariusStorhaug

@MariusStorhaug Marius Storhaug (MariusStorhaug) commented Jul 5, 2026

Copy link
Copy Markdown
Member

Consolidates the currently-passing Dependabot GitHub Actions updates into one change, so the pipeline moves to the latest action versions in a single release instead of separate bumps. It also configures Dependabot to group future GitHub Actions updates into one pull request, so this consolidated form happens automatically from now on.

Superseded Dependabot PRs: #351, #353, #354, #355 — Dependabot closes these automatically once this merges.

⚠️ Build-PSModule v5.0.0 (#350) is intentionally excluded. v5 makes moduleVersion a required input, which the current Build-Module.yml does not provide, so it fails CI (6 checks on #350's own PR too). Adopting it needs the "decide version before build" work in #342 and should ship with/after that PR. #350 stays open to track it.

Updated GitHub Actions

Action From To Bump
actions/checkout v6.0.2 v7.0.0 Major
PSModule/Publish-PSModule v2.2.4 v3.0.0 Major
super-linter/super-linter v8.6.0 v8.7.0 Minor
super-linter/super-linter/slim v8.6.0 v8.7.0 Minor

This bundle includes two major action upgrades, so it is labelled Major and cuts a major release of Process-PSModule on merge.

Changed: Dependabot groups GitHub Actions updates

.github/dependabot.yml now groups all github-actions updates into a single grouped pull request via a groups block. The github_actions label is also corrected — it was github-actions, which does not match the repository label and was silently dropped by Dependabot.

Technical Details

  • Each bump is a cherry-pick of the original Dependabot commit, preserving authorship and the Bump X from A to B messages for a clean linear history.

  • All bumps touch only uses: pins under .github/workflows/; no logic changes.

  • Dependabot grouping added:

    groups:
      github-actions:
        patterns:
          - "*"

    This groups every GitHub Actions ecosystem update (all semver levels) into one PR. To keep major bumps as separate PRs for individual review, add update-types: ["minor", "patch"] under the group — majors then continue to open on their own.

  • No linked issue: this is Dependabot-driven maintenance; the superseded PRs above are the traceability.

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 7.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...9c091bb)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@MariusStorhaug Marius Storhaug (MariusStorhaug) added Major dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 5, 2026
@MariusStorhaug Marius Storhaug (MariusStorhaug) requested a review from a team July 5, 2026 12:53
@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
MARKDOWN Pass ✅
NATURAL_LANGUAGE Pass ✅
POWERSHELL Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

dependabot Bot and others added 4 commits July 5, 2026 14:56
Bumps [PSModule/Publish-PSModule](https://github.com/psmodule/publish-psmodule) from 2.2.4 to 3.0.0.
- [Release notes](https://github.com/psmodule/publish-psmodule/releases)
- [Commits](PSModule/Publish-PSModule@8917aed...03c0f8b)

---
updated-dependencies:
- dependency-name: PSModule/Publish-PSModule
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [super-linter/super-linter](https://github.com/super-linter/super-linter) from 8.6.0 to 8.7.0.
- [Release notes](https://github.com/super-linter/super-linter/releases)
- [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md)
- [Commits](super-linter/super-linter@9e86335...4ce2083)

---
updated-dependencies:
- dependency-name: super-linter/super-linter
  dependency-version: 8.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [super-linter/super-linter/slim](https://github.com/super-linter/super-linter) from 8.6.0 to 8.7.0.
- [Release notes](https://github.com/super-linter/super-linter/releases)
- [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md)
- [Commits](super-linter/super-linter@9e86335...4ce2083)

---
updated-dependencies:
- dependency-name: super-linter/super-linter/slim
  dependency-version: 8.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@MariusStorhaug Marius Storhaug (MariusStorhaug) changed the title 🌟 [Major]: Update GitHub Actions dependencies to latest majors [Patch]: Update GitHub Actions dependencies to latest pinned versions Jul 7, 2026
@MariusStorhaug Marius Storhaug (MariusStorhaug) marked this pull request as ready for review July 7, 2026 22:11
Copilot AI review requested due to automatic review settings July 7, 2026 22:11
@MariusStorhaug Marius Storhaug (MariusStorhaug) merged commit 0506996 into main Jul 7, 2026
69 checks passed
@MariusStorhaug Marius Storhaug (MariusStorhaug) deleted the dependencies branch July 7, 2026 22:11

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR consolidates Dependabot-driven GitHub Actions updates by repinning workflow uses: references to newer action SHAs/versions and updating Dependabot config so future GitHub Actions updates are grouped into a single PR.

Changes:

  • Bump actions/checkout pins across workflows from v6.0.2 to v7.0.0 (SHA-pinned).
  • Bump super-linter/super-linter (and slim) pins from v8.6.0 to v8.7.0 (SHA-pinned).
  • Update .github/dependabot.yml to use the github_actions label and group all GitHub Actions updates into one PR.

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
.github/workflows/Test-SourceCode.yml Repin actions/checkout to v7.0.0.
.github/workflows/Test-ModuleLocal.yml Repin actions/checkout to v7.0.0.
.github/workflows/Test-Module.yml Repin actions/checkout to v7.0.0 (both jobs).
.github/workflows/Release.yml Repin actions/checkout to v7.0.0.
.github/workflows/Publish-Module.yml Repin actions/checkout to v7.0.0 and bump PSModule/Publish-PSModule to v3.0.0.
.github/workflows/Linter.yml Repin actions/checkout to v7.0.0 and bump super-linter/super-linter to v8.7.0.
.github/workflows/Lint-SourceCode.yml Repin actions/checkout to v7.0.0.
.github/workflows/Lint-Repository.yml Repin actions/checkout to v7.0.0 and bump super-linter/super-linter to v8.7.0.
.github/workflows/Get-Settings.yml Repin actions/checkout to v7.0.0.
.github/workflows/Build-Site.yml Repin actions/checkout to v7.0.0.
.github/workflows/Build-Module.yml Repin actions/checkout to v7.0.0.
.github/workflows/Build-Docs.yml Repin actions/checkout to v7.0.0 and bump super-linter/super-linter/slim to v8.7.0.
.github/workflows/BeforeAll-ModuleLocal.yml Repin actions/checkout to v7.0.0.
.github/workflows/AfterAll-ModuleLocal.yml Repin actions/checkout to v7.0.0.
.github/dependabot.yml Fix label to github_actions and group all github-actions ecosystem updates.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 32 to 34
- name: Publish module
uses: PSModule/Publish-PSModule@8917aed588dae1bd1aa2873b1caec1c50c20d255 # v2.2.4
uses: PSModule/Publish-PSModule@03c0f8b53d0367c85a0f121f98af9b40c817b0e3 # v3.0.0
env:
Marius Storhaug (MariusStorhaug) added a commit that referenced this pull request Jul 7, 2026
…363)

The module publishing pipeline once again calculates and stamps the real
release version before publishing, so consumer releases are versioned
and tagged correctly instead of shipping the build-time placeholder.
This reverts the premature `Publish-PSModule` major upgrade that left
`main` in an inconsistent state.

- Relates to #326 (move version calculation ahead of the build step)
- Contains the regression introduced by #358

## Fixed: Releases are versioned correctly again

`Publish-PSModule` is pinned back to `v2.2.4`, which calculates the
release version (from labels and tags) and stamps it into the module
manifest at publish time. On `main`, `Build-PSModule` (v4) only stamps a
`999.0.0` placeholder and does not compute the real version, and
`Publish-PSModule` v3.0.0 is publish-only — it expects the manifest to
already carry the final version. With v3.0.0 in place, nothing in the
pipeline computed the real version, so a real consumer release would
have published and tagged `999.0.0`. Reverting to `v2.2.4` restores the
fully consistent old pipeline: Get-Settings → Build (v4, `999.0.0`) →
Publish (v2.2.4, calculates + stamps).

Only the `Publish-PSModule` pin is reverted. The other action bumps from
#358 (`actions/checkout` v7.0.0, `super-linter` v8.7.0) are left in
place.

## Technical Details

- `.github/workflows/Publish-Module.yml`: `PSModule/Publish-PSModule`
pin reverted `03c0f8b… # v3.0.0` → `8917aed… # v2.2.4`. This is the
exact pin #358 replaced; no `with:` inputs changed — v2.2.4 consumes the
version-calculation inputs the workflow already passes, whereas v3.0.0
silently ignored them.
- `.github/workflows/Publish-Module.yml`: normalized the `APIKey` action
input from `secrets.APIKEY` to `secrets.APIKey` to match the `APIKey`
secret declaration and the other workflows (`workflow.yml`,
`Workflow-Test-*.yml`). GitHub Actions secret names are
case-insensitive, so this is a consistency-only change with no
behavioral effect (flagged during Copilot review).
- This is step 1 (containment) of #326. Follow-ups: release
`Resolve-PSModuleVersion` with the #348 fix, then rebase and land PR
#342 (Plan job + Build v5 + publish-only Publish) and re-pin the
first-party actions together.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code Patch

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants