Skip to content

chore(deps): bump datum-cloud/actions/.github/workflows/snyk-scan.yaml from 1.16.0 to 1.18.0#18

Merged
scotwells merged 1 commit into
mainfrom
dependabot/github_actions/datum-cloud/actions/dot-github/workflows/snyk-scan.yaml-1.18.0
Jul 2, 2026
Merged

chore(deps): bump datum-cloud/actions/.github/workflows/snyk-scan.yaml from 1.16.0 to 1.18.0#18
scotwells merged 1 commit into
mainfrom
dependabot/github_actions/datum-cloud/actions/dot-github/workflows/snyk-scan.yaml-1.18.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor

Bumps datum-cloud/actions/.github/workflows/snyk-scan.yaml from 1.16.0 to 1.18.0.

Release notes

Sourced from datum-cloud/actions/.github/workflows/snyk-scan.yaml's releases.

v1.18.0

update-plugin-index is now a composite action

The plugin-catalog updater from v1.17.0 shipped as a reusable workflow, but that form can't actually authenticate cross-repo: a GitHub App token minted in one job and handed to a reusable-workflow job arrives empty, because masked secret values don't survive the job-to-job hop. This release re-delivers it as a composite action so the token is minted and used in the same job.

Same job — same purpose: when a service publishes a release, open a PR against your datumctl plugin catalog that bumps the plugin's manifest to the new version, refreshing every per-platform download URL and checksum straight from the release's checksums.txt. Nothing about a specific plugin is hardcoded, and the manifest's formatting and comments are preserved.

Using it

Mint the catalog token and call the action in the same job:

- name: Mint catalog token
  id: app-token
  uses: actions/create-github-app-token@v2
  with:
    app-id: ${{ secrets.PLUGIN_INDEX_APP_ID }}
    private-key: ${{ secrets.PLUGIN_INDEX_APP_PRIVATE_KEY }}
    owner: your-org
    repositories: your-catalog

name: Open the catalog PR
uses: datum-cloud/actions/update-plugin-index@v1.18.0
with:
index-repo: your-org/your-catalog
plugin-name: your-plugin
version: ${{ github.event.release.tag_name }}
token: ${{ steps.app-token.outputs.token }}

Migrating from v1.17.0

  • Reference the action path datum-cloud/actions/update-plugin-index@v1.18.0, not the .github/workflows/... reusable-workflow path.
  • The credential is now the token input (mint it in the same job) instead of the PLUGIN_INDEX_TOKEN secret.
  • The generated PR now links back to the source release so reviewers can see what shipped.

The reusable-workflow form from v1.17.0 is superseded and should not be used.

Full Changelog: datum-cloud/actions@v1.17.0...v1.18.0

v1.17.0

Keep plugin catalogs in sync with releases — automatically

Adds the update-plugin-index reusable workflow. When a service publishes a release, it opens a PR against your datumctl plugin catalog that bumps the plugin's manifest to the new version — refreshing every per-platform download URL and checksum straight from the release's checksums.txt. No more hand-editing a catalog manifest after each release.

  • Generic across plugins — it derives what to update from the manifest's existing platform list, so nothing about a specific plugin is hardcoded.
  • Safe cross-repo — authenticates to the catalog repo with a token you supply, and preserves the manifest's formatting and comments (only version, URLs, and checksums change).
  • Drop-in — leaves the rest of your release pipeline untouched; the catalog's own CI still validates the resulting PR.

Using it

... (truncated)

Commits
  • ae21ec8 Convert update-plugin-index to a composite action (#85)
  • 7604115 Link the catalog PR back to the source release
  • 4f10dc0 Convert update-plugin-index to a composite action
  • e72fc93 Add update-plugin-index reusable workflow (#84)
  • c889c28 Add update-plugin-index reusable workflow
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 2, 2026
Bumps [datum-cloud/actions/.github/workflows/snyk-scan.yaml](https://github.com/datum-cloud/actions) from 1.16.0 to 1.18.0.
- [Release notes](https://github.com/datum-cloud/actions/releases)
- [Commits](datum-cloud/actions@605da9a...ae21ec8)

---
updated-dependencies:
- dependency-name: datum-cloud/actions/.github/workflows/snyk-scan.yaml
  dependency-version: 1.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/datum-cloud/actions/dot-github/workflows/snyk-scan.yaml-1.18.0 branch from 948a9b6 to 932fb95 Compare July 2, 2026 16:52
@scotwells scotwells merged commit 596a267 into main Jul 2, 2026
7 of 8 checks passed
@scotwells scotwells deleted the dependabot/github_actions/datum-cloud/actions/dot-github/workflows/snyk-scan.yaml-1.18.0 branch July 2, 2026 16:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant