build(deps): bump actions/deploy-pages from 4 to 5#191
Conversation
Dependency review —
|
| Check | Result |
|---|---|
| Publisher | actions/ GitHub organisation (official, not a fork) |
| Repo status | public, not archived, not disabled |
v5 mutable tag → v5.0.0 |
both resolve to cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 |
| Release author | github-actions[bot], published 2026-03-25 |
| GHSA / CVE / security advisory | none published against actions/deploy-pages |
| OSV.dev / NVD | no records for this action |
Release notes: actions/deploy-pages v5.0.0. Diff: v4...v5.
Breaking-change analysis (v5)
The only material change is Node.js runtime bumped 20.x → 24.x (PR #404). Irrelevant here:
- Runtime is provided by the GitHub-hosted runner (
ubuntu-latest), which already ships Node 24. No local Node setup required by the action. - No input signature changes, no output signature changes, no permission-model changes.
- Required permissions remain
pages: write+id-token: write— already set at the job level (lines 19–22). Confirmed. - Other commits since v4.0.5 are dependency bumps (
braces,@actions/artifact) and docs/workflow hygiene. Nothing exploitable.
Defence-in-depth nit (non-blocking, LOW): the workflow pins by moving major tag (@v5) rather than a 40-character commit SHA. GitHub's own hardening guidance prefers SHA pinning for third-party actions — but since this is a first-party actions/* action and you pin all the other actions/* entries the same way (@v5, @v6), keeping consistency is fine. Flagging for awareness, not action.
CI failure triage — all failures are pre-existing develop issues, not PR-specific
I dug into the red checks. None are caused by this one-line workflow edit.
build (debian)— FAILURE. Root cause inside the Docker build:Theerror[E0658]: use of unstable library feature `unsigned_is_multiple_of` error: could not compile `unicode-segmentation` (lib) due to 2 previous errorsunicode-segmentationcrate has pulled a version that requires a newer stablerustcthan the pinned Rust toolchain inside the Debian Dockerfile. Nothing to do withactions/deploy-pages— this job never reaches thegithub-pages.ymlworkflow. Exit code 101 fromcargo buildinside the container, not from any GitHub Action.build (alpine)— CANCELLED. The matrix sibling was cancelled becausebuild (debian)failed (fail-fast). Not a PR-specific signal.fmt— FAILURE andtest-all— FAILURE. Pre-existing ondevelopper the task brief; will clear after PR build(deps): update zip requirement from 7.0 to 8.5 #193 lands and this branch rebases.tenderdash,cleanup-runs,docs— PASS. Thedocsjob passing is the meaningful signal here: documentation builds cleanly, which is the only thing the touched workflow (github-pages.yml) cares about.
Verdict
- Severity: SAFE. No security regressions, no behavioural regressions for our usage, supply chain provenance clean, failing checks are not caused by this change.
- Recommendation: merge after rebase onto current
develop(post-build(deps): update zip requirement from 7.0 to 8.5 #193) so the unrelated red checks go green. Do not block on the current CI state.
Findings tally: 0 CRITICAL / 0 HIGH / 0 MEDIUM / 1 LOW (defence-in-depth SHA-pinning note, non-blocking) / 1 INFO (clean supply chain) — 🍬
🤖 Co-authored by Claudius the Magnificent AI Agent
|
@dependabot rebase |
Bumps [actions/deploy-pages](https://github.com/actions/deploy-pages) from 4 to 5. - [Release notes](https://github.com/actions/deploy-pages/releases) - [Commits](actions/deploy-pages@v4...v5) --- updated-dependencies: - dependency-name: actions/deploy-pages dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
56ec50e to
f794a73
Compare
Bumps actions/deploy-pages from 4 to 5.
Release notes
Sourced from actions/deploy-pages's releases.
... (truncated)
Commits
cd2ce8fMerge pull request #404 from salmanmkc/node24bbe2a95Update Node.js version to 24.x854d7aaMerge pull request #374 from actions/Jcambass-patch-1306bb81Add workflow file for publishing releases to immutable action packageb742728Merge pull request #360 from actions/dependabot/npm_and_yarn/npm_and_yarn-513...7273294Bump braces in the npm_and_yarn group across 1 directory963791fMerge pull request #361 from actions/dependabot-friendly51bb29dMake the rebuild dist workflow safer for Dependabot89f3d10Merge pull request #358 from actions/dependabot/npm_and_yarn/non-breaking-cha...bce7355Merge branch 'main' into dependabot/npm_and_yarn/non-breaking-changes-99c12deb21