ci: update actions/labeler by lachlancollins · Pull Request #10278 · TanStack/query

lachlancollins · 2026-03-17T12:57:57Z

🎯 Changes

actions/labeler@v6.0.1
Remove unnecessary fetch-depth and GITHUB_TOKEN

✅ Checklist

I have followed the steps in the Contributing guide.
I have tested this code locally with pnpm run test:pr.

🚀 Release Impact

This change affects published code, and I have generated a changeset.
This change is docs/CI/dev-only (no release).

Summary by CodeRabbit

Chores
- Upgraded automated label-management workflow to a newer action version.
- Adjusted CI checkout steps to use default shallow clones instead of full fetches.
- Removed explicit passing of the repository token for the release/publishing step.

changeset-bot · 2026-03-17T12:58:03Z

⚠️ No Changeset found

Latest commit: 501b557

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

coderabbitai · 2026-03-17T12:58:15Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b56a87b2-8111-4f46-afd7-13712910a2ad

📥 Commits

Reviewing files that changed from the base of the PR and between 9b66df4 and 501b557.

📒 Files selected for processing (2)

.github/workflows/pr.yml
.github/workflows/release.yml

💤 Files with no reviewable changes (2)

.github/workflows/release.yml
.github/workflows/pr.yml

📝 Walkthrough

Walkthrough

Small CI workflow updates across GitHub Actions: upgraded actions/labeler to v6.0.1 with an explicit step name, removed fetch-depth: 0 from checkout steps in PR workflow, and removed GITHUB_TOKEN env mapping from Changesets steps in release workflow.

Changes

Cohort / File(s)	Summary
Labeler workflow `\.github/workflows/labeler.yml`	Bumped `actions/labeler` from v5.0.0 to v6.0.1 and changed the step to a named `uses` step ("Labeler"); existing `repo-token` and `configuration-path` remain.
PR workflow checkout `\.github/workflows/pr.yml`	Removed `fetch-depth: 0` from two `actions/checkout` steps (Preview and Provenance jobs), reverting to default shallow clone behavior.
Release workflow changesets `\.github/workflows/release.yml`	Removed the explicit `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` environment mapping from the Run Changesets step, altering how that step receives authentication.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I hopped through CI with a tweak and cheer,
Labels leveled up, the steps more clear,
Checkouts trimmed back, tokens set aside,
Tiny tweaks in the workflow tide —
A happy rabbit bounces, build logs near! 🐇

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the primary change: updating the actions/labeler GitHub Action to a newer version.
Description check	✅ Passed	The pull request description follows the required template with all sections completed, including changes, checklist items, and release impact assessment.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch update-labeler

📝 Coding Plan

Generate coding plan for human review comments

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

nx-cloud · 2026-03-17T12:58:31Z

View your CI Pipeline Execution ↗ for commit 501b557

Command	Status	Duration	Result
`nx run-many --target=build --exclude=examples/*...`	✅ Succeeded	<1s	View ↗
`nx affected --targets=test:sherif,test:knip,tes...`	✅ Succeeded	16s	View ↗

☁️ Nx Cloud last updated this comment at 2026-03-17 13:03:55 UTC

github-actions · 2026-03-17T12:58:46Z

🚀 Changeset Version Preview

No changeset entries found. Merging this PR will not cause a version bump for any packages.

pkg-pr-new · 2026-03-17T12:59:32Z

More templates

@tanstack/angular-query-experimental

npm i https://pkg.pr.new/@tanstack/angular-query-experimental@10278

@tanstack/eslint-plugin-query

npm i https://pkg.pr.new/@tanstack/eslint-plugin-query@10278

@tanstack/preact-query

npm i https://pkg.pr.new/@tanstack/preact-query@10278

@tanstack/preact-query-devtools

npm i https://pkg.pr.new/@tanstack/preact-query-devtools@10278

@tanstack/preact-query-persist-client

npm i https://pkg.pr.new/@tanstack/preact-query-persist-client@10278

@tanstack/query-async-storage-persister

npm i https://pkg.pr.new/@tanstack/query-async-storage-persister@10278

@tanstack/query-broadcast-client-experimental

npm i https://pkg.pr.new/@tanstack/query-broadcast-client-experimental@10278

@tanstack/query-core

npm i https://pkg.pr.new/@tanstack/query-core@10278

@tanstack/query-devtools

npm i https://pkg.pr.new/@tanstack/query-devtools@10278

@tanstack/query-persist-client-core

npm i https://pkg.pr.new/@tanstack/query-persist-client-core@10278

@tanstack/query-sync-storage-persister

npm i https://pkg.pr.new/@tanstack/query-sync-storage-persister@10278

@tanstack/react-query

npm i https://pkg.pr.new/@tanstack/react-query@10278

@tanstack/react-query-devtools

npm i https://pkg.pr.new/@tanstack/react-query-devtools@10278

@tanstack/react-query-next-experimental

npm i https://pkg.pr.new/@tanstack/react-query-next-experimental@10278

@tanstack/react-query-persist-client

npm i https://pkg.pr.new/@tanstack/react-query-persist-client@10278

@tanstack/solid-query

npm i https://pkg.pr.new/@tanstack/solid-query@10278

@tanstack/solid-query-devtools

npm i https://pkg.pr.new/@tanstack/solid-query-devtools@10278

@tanstack/solid-query-persist-client

npm i https://pkg.pr.new/@tanstack/solid-query-persist-client@10278

@tanstack/svelte-query

npm i https://pkg.pr.new/@tanstack/svelte-query@10278

@tanstack/svelte-query-devtools

npm i https://pkg.pr.new/@tanstack/svelte-query-devtools@10278

@tanstack/svelte-query-persist-client

npm i https://pkg.pr.new/@tanstack/svelte-query-persist-client@10278

@tanstack/vue-query

npm i https://pkg.pr.new/@tanstack/vue-query@10278

@tanstack/vue-query-devtools

npm i https://pkg.pr.new/@tanstack/vue-query-devtools@10278

commit: 501b557

github-actions · 2026-03-17T12:59:41Z

size-limit report 📦

Path	Size
react full	11.92 KB (0%)
react minimal	8.95 KB (0%)

coderabbitai

🧹 Nitpick comments (1)

.github/workflows/labeler.yml (1)

16-16: Pin actions/labeler to a full commit SHA for supply-chain safety.

Line 16 uses a mutable tag. For better supply-chain hardening in a pull_request_target workflow with write scope, pin to the release commit SHA instead of v6.0.1.

Suggested change

-      - name: Labeler
-        uses: actions/labeler@v6.0.1
+      - name: Labeler
+        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/labeler.yml at line 16, The workflow currently references
a mutable tag "uses: actions/labeler@v6.0.1"; replace that mutable tag with the
full commit SHA for the corresponding v6.0.1 release to hard-pin the action for
supply-chain safety — locate the release commit SHA in the actions/labeler
repository (the 40-character commit hash for the v6.0.1 tag) and update the
workflow entry "uses: actions/labeler@v6.0.1" to "uses:
actions/labeler@<commit-sha>" so the workflow uses the immutable commit instead
of a mutable tag.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/labeler.yml:
- Line 16: The workflow currently references a mutable tag "uses:
actions/labeler@v6.0.1"; replace that mutable tag with the full commit SHA for
the corresponding v6.0.1 release to hard-pin the action for supply-chain safety
— locate the release commit SHA in the actions/labeler repository (the
40-character commit hash for the v6.0.1 tag) and update the workflow entry
"uses: actions/labeler@v6.0.1" to "uses: actions/labeler@<commit-sha>" so the
workflow uses the immutable commit instead of a mutable tag.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 138008b4-7e2e-4974-87e9-f338a6864a94

📥 Commits

Reviewing files that changed from the base of the PR and between 4c87002 and 9b66df4.

📒 Files selected for processing (1)

.github/workflows/labeler.yml

ci: update actions/labeler

9b66df4

Remove unnecessary config

501b557

coderabbitai Bot reviewed Mar 17, 2026

View reviewed changes

lachlancollins merged commit df07797 into main Mar 17, 2026
8 checks passed

lachlancollins deleted the update-labeler branch March 17, 2026 13:05

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ci: update actions/labeler#10278

ci: update actions/labeler#10278
lachlancollins merged 2 commits into
mainfrom
update-labeler

lachlancollins commented Mar 17, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

changeset-bot Bot commented Mar 17, 2026 •

edited

Loading

Uh oh!

coderabbitai Bot commented Mar 17, 2026 •

edited

Loading

Walkthrough

Changes

Estimated code review effort

Poem

Uh oh!

nx-cloud Bot commented Mar 17, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Mar 17, 2026 •

edited

Loading

Uh oh!

pkg-pr-new Bot commented Mar 17, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Mar 17, 2026 •

edited

Loading

Uh oh!

coderabbitai Bot left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

lachlancollins commented Mar 17, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🎯 Changes

✅ Checklist

🚀 Release Impact

Summary by CodeRabbit

Uh oh!

changeset-bot Bot commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ No Changeset found

Uh oh!

coderabbitai Bot commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Poem

Uh oh!

nx-cloud Bot commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🚀 Changeset Version Preview

Uh oh!

pkg-pr-new Bot commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

size-limit report 📦

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

lachlancollins commented Mar 17, 2026 •

edited by coderabbitai Bot

Loading

changeset-bot Bot commented Mar 17, 2026 •

edited

Loading

coderabbitai Bot commented Mar 17, 2026 •

edited

Loading

nx-cloud Bot commented Mar 17, 2026 •

edited

Loading

github-actions Bot commented Mar 17, 2026 •

edited

Loading

pkg-pr-new Bot commented Mar 17, 2026 •

edited

Loading

github-actions Bot commented Mar 17, 2026 •

edited

Loading