build(deps): bump actions/setup-dotnet from 4.3.1 to 5.2.0#1
Merged: bilbospocketses merged 1 commit, May 18, 2026

Owner: @dependabot rebase
Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 4.3.1 to 5.2.0.
- [Release notes](https://github.com/actions/setup-dotnet/releases)
- [Commits](actions/setup-dotnet@67a3573...c2fa09f)

---
updated-dependencies:
- dependency-name: actions/setup-dotnet
  dependency-version: 5.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
affd136 to fd9a897
This was referenced May 19, 2026: bilbospocketses added a commit that referenced this pull request on May 19, 2026.
…Scorecard (#14)

upload-artifact bump (ci.yml 1 site, release.yml 3 sites)
- SHA ea165f8d -> 043fb46d. Closes the Node 20 deprecation banner that has been firing on every workflow run since GitHub's 2026-06-02 force_node24 cutover was announced; v7.x runs on Node 24.
- Root cause of why this drifted while every other action stayed current: the prior pin had a bare `# v4` comment (just the major). Dependabot uses the trailing comment as the version anchor and treats bare-major as a "track v4 line" range pin -- so it never proposed a major-bump PR even though v5, v6, and v7 had all shipped. The 5 other actions in this repo all had precise `# v<x>.<y>.<z>` comments at SHA-pin time and got Dependabot bumps in PRs #1, #2, #3, #4, #5 on 2026-05-18. upload-artifact was silently skipped.
- New pin uses precise `# v7.0.1` comment so future bumps surface normally.
- v5 dropped immutable artifact names (same `name:` rejected twice per run). Verified safe: this repo uses 4 distinct names across the 4 upload sites (test-results, unsigned-windows-exes, unsigned-windows-msi, windows-final).

OpenSSF Scorecard workflow (new .github/workflows/scorecard.yml)
- Triggers: branch_protection_rule (catches master-ruleset regressions), weekly cron Monday 09:00 ET (matches Dependabot + CodeQL cadence), push to master.
- SARIF uploads to Security tab (security-events: write) so findings sit next to CodeQL. Published to api.securityscorecards.dev via OIDC for the public scorecard.dev viewer page.
- All actions SHA-pinned with precise version comments. Workflow-level `permissions: read-all` with narrower per-job grants.
- Allowlist: `ossf/scorecard-action@*` added to repo-level patterns_allowed (was just `softprops/action-gh-release@*`). `github/codeql-action/upload-sarif` covered by github_owned_allowed.
- Mostly informational -- CM already passes the bulk of Scorecard's checks via the Tier 1-5 hardening pass.

Ongoing value is drift detection (a future workflow regressing on Token-Permissions or Pinned-Dependencies would surface a score delta).
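The commit message above attributes the upload-artifact drift to a SHA-pinned `uses:` line whose trailing comment was a bare major (`# v4`) rather than a full `# v<x>.<y>.<z>`. The following checker is an added example written for this page; it is not code from this repository and does not reproduce Dependabot's own logic. It walks a workflow file, classifies every `uses:` reference (tag-pinned, SHA-pinned with no comment, SHA-pinned with a bare-major comment, or fully pinned), and reports the ones that would either not be immutable or, per the observation in the commit, would not surface major bumps. The embedded workflow text, action names other than those on the page, and all 40-character SHAs are constructed sample input.

```python
import re
from typing import List, Tuple

# Hypothetical pin checker (example code for this page, not the repo's or Dependabot's).
# Matches "- uses: owner/repo@ref  # comment" and captures the ref and the trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*?))?\s*$")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")          # immutable commit pin
FULL_SEMVER_RE = re.compile(r"^v?\d+\.\d+\.\d+$")  # precise comment, e.g. v7.0.1
BARE_MAJOR_RE = re.compile(r"^v?\d+(\.\d+)?$")     # bare major/minor comment, e.g. v4 or v4.3


def classify(ref: str, comment: str) -> str:
    """Classify one action reference together with its trailing version comment."""
    if ref.startswith(("./", "docker://")):
        return "skip"  # local composite or container actions have no upstream tag to track
    if "@" not in ref:
        return "unpinned"
    _, version = ref.rsplit("@", 1)
    if not SHA40_RE.fullmatch(version):
        return "tag-pinned"  # a tag or branch: mutable, can be moved upstream
    if not comment:
        return "sha-no-comment"  # immutable, but nothing tells a bot which release it is
    if FULL_SEMVER_RE.fullmatch(comment):
        return "ok"
    if BARE_MAJOR_RE.fullmatch(comment):
        return "sha-bare-major"  # the pattern the commit message blames for the skipped bumps
    return "sha-unrecognized-comment"


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, ref, status) for every `uses:` line that is not fully pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        comment = (m.group("comment") or "").strip()
        status = classify(ref, comment)
        if status not in ("ok", "skip"):
            findings.append((lineno, ref, status))
    return findings


# Constructed sample workflow; the SHAs are placeholders, not real commits of these actions.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.3.1
      - uses: actions/upload-artifact@89abcdef0123456789abcdef0123456789abcdef # v4
      - uses: actions/setup-dotnet@v4
      - uses: ./.github/actions/local-thing
      - uses: some/action@fedcba9876543210fedcba9876543210fedcba98
"""

if __name__ == "__main__":
    for lineno, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {status:24s} {ref}")
```

Run against the sample, the checker flags line 11 (SHA pin with a bare `# v4` comment), line 12 (tag pin, mutable) and line 14 (SHA pin with no version comment); line 10 passes and the local action is skipped. Pointing `audit_workflow` at each file under `.github/workflows/` gives the same drift signal the commit describes, without waiting for a Scorecard delta.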
Bumps actions/setup-dotnet from 4.3.1 to 5.2.0.
Release notes
Sourced from actions/setup-dotnet's releases.
... (truncated)
Commits
- c2fa09f Bump minimatch from 3.1.2 to 3.1.5 (#705)
- 02574b1 Add support for optional architecture input for cross-architecture .NET insta...
- 16c7b3c Bump fast-xml-parser from 4.4.1 to 5.3.6 (#671)
- 131b410 Add support for workloads input (#693)
- baa11fb Bump test dependencies to resolve System.Net.Http vulnerability, update workf...
- 24ec4f2 Upgrade to latest actions packages (#687)
- 4c100cb Fix icons (#604)
- 25328d8 Bump actions/checkout from 5 to 6 (#684)
- 937b8dd Update README with note on setting DOTNET_INSTALL_DIR for Linux permission is...
- 2016bd2 Bump actions/publish-action from 0.3.0 to 0.4.0 and update macos-13 to macos-...