Skip to content

build(deps): bump actions/deploy-pages from 4 to 5#191

Merged
lklimek merged 1 commit into
developfrom
dependabot/github_actions/actions/deploy-pages-5
Apr 24, 2026
Merged

build(deps): bump actions/deploy-pages from 4 to 5#191
lklimek merged 1 commit into
developfrom
dependabot/github_actions/actions/deploy-pages-5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 26, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/deploy-pages from 4 to 5.

Release notes

Sourced from actions/deploy-pages's releases.

v5.0.0

Changelog


See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

v4.0.5

Changelog


See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

v4.0.4

Changelog


See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

v4.0.3

Changelog

... (truncated)

Commits
  • cd2ce8f Merge pull request #404 from salmanmkc/node24
  • bbe2a95 Update Node.js version to 24.x
  • 854d7aa Merge pull request #374 from actions/Jcambass-patch-1
  • 306bb81 Add workflow file for publishing releases to immutable action package
  • b742728 Merge pull request #360 from actions/dependabot/npm_and_yarn/npm_and_yarn-513...
  • 7273294 Bump braces in the npm_and_yarn group across 1 directory
  • 963791f Merge pull request #361 from actions/dependabot-friendly
  • 51bb29d Make the rebuild dist workflow safer for Dependabot
  • 89f3d10 Merge pull request #358 from actions/dependabot/npm_and_yarn/non-breaking-cha...
  • bce7355 Merge branch 'main' into dependabot/npm_and_yarn/non-breaking-changes-99c12deb21
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 26, 2026
@Claudius-Maginificent

Copy link
Copy Markdown

Dependency review — actions/deploy-pages v4 → v5

Right, form up. Conducted the drill top-to-bottom. Verdict: SAFE to merge once the pre-existing develop CI issues clear.

Change scope

  • Single file, single line: .github/workflows/github-pages.yml:54@v4@v5.
  • Blast radius: one gh-pages job that deploys docs to GitHub Pages from master only (workflow trigger: on: push: branches: [master]). Not on the PR critical path.
  • Usage verified: actions/deploy-pages is referenced exactly once across .github/ — no other spots to sweep.

Supply chain — verified twice

Check Result
Publisher actions/ GitHub organisation (official, not a fork)
Repo status public, not archived, not disabled
v5 mutable tag → v5.0.0 both resolve to cd2ce8fcbc39b97be8ca5fce6e763baed58fa128
Release author github-actions[bot], published 2026-03-25
GHSA / CVE / security advisory none published against actions/deploy-pages
OSV.dev / NVD no records for this action

Release notes: actions/deploy-pages v5.0.0. Diff: v4...v5.

Breaking-change analysis (v5)

The only material change is Node.js runtime bumped 20.x → 24.x (PR #404). Irrelevant here:

  • Runtime is provided by the GitHub-hosted runner (ubuntu-latest), which already ships Node 24. No local Node setup required by the action.
  • No input signature changes, no output signature changes, no permission-model changes.
  • Required permissions remain pages: write + id-token: write — already set at the job level (lines 19–22). Confirmed.
  • Other commits since v4.0.5 are dependency bumps (braces, @actions/artifact) and docs/workflow hygiene. Nothing exploitable.

Defence-in-depth nit (non-blocking, LOW): the workflow pins by moving major tag (@v5) rather than a 40-character commit SHA. GitHub's own hardening guidance prefers SHA pinning for third-party actions — but since this is a first-party actions/* action and you pin all the other actions/* entries the same way (@v5, @v6), keeping consistency is fine. Flagging for awareness, not action.

CI failure triage — all failures are pre-existing develop issues, not PR-specific

I dug into the red checks. None are caused by this one-line workflow edit.

  1. build (debian) — FAILURE. Root cause inside the Docker build:
    error[E0658]: use of unstable library feature `unsigned_is_multiple_of`
    error: could not compile `unicode-segmentation` (lib) due to 2 previous errors
    
    The unicode-segmentation crate has pulled a version that requires a newer stable rustc than the pinned Rust toolchain inside the Debian Dockerfile. Nothing to do with actions/deploy-pages — this job never reaches the github-pages.yml workflow. Exit code 101 from cargo build inside the container, not from any GitHub Action.
  2. build (alpine) — CANCELLED. The matrix sibling was cancelled because build (debian) failed (fail-fast). Not a PR-specific signal.
  3. fmt — FAILURE and test-all — FAILURE. Pre-existing on develop per the task brief; will clear after PR build(deps): update zip requirement from 7.0 to 8.5 #193 lands and this branch rebases.
  4. tenderdash, cleanup-runs, docs — PASS. The docs job passing is the meaningful signal here: documentation builds cleanly, which is the only thing the touched workflow (github-pages.yml) cares about.

Verdict

  • Severity: SAFE. No security regressions, no behavioural regressions for our usage, supply chain provenance clean, failing checks are not caused by this change.
  • Recommendation: merge after rebase onto current develop (post-build(deps): update zip requirement from 7.0 to 8.5 #193) so the unrelated red checks go green. Do not block on the current CI state.

Findings tally: 0 CRITICAL / 0 HIGH / 0 MEDIUM / 1 LOW (defence-in-depth SHA-pinning note, non-blocking) / 1 INFO (clean supply chain) — 🍬

🤖 Co-authored by Claudius the Magnificent AI Agent

@lklimek

lklimek commented Apr 24, 2026

Copy link
Copy Markdown
Collaborator

@dependabot rebase

Bumps [actions/deploy-pages](https://github.com/actions/deploy-pages) from 4 to 5.
- [Release notes](https://github.com/actions/deploy-pages/releases)
- [Commits](actions/deploy-pages@v4...v5)

---
updated-dependencies:
- dependency-name: actions/deploy-pages
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/github_actions/actions/deploy-pages-5 branch from 56ec50e to f794a73 Compare April 24, 2026 08:38
@lklimek
lklimek merged commit 92d21c3 into develop Apr 24, 2026
9 of 10 checks passed
@lklimek
lklimek deleted the dependabot/github_actions/actions/deploy-pages-5 branch April 24, 2026 08:43
@lklimek lklimek mentioned this pull request Apr 24, 2026
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants