Conversation
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.3.0 to 7.0.0. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@d3f86a1...37930b1) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
ci
dependencies
dependabot
bot
deleted the
dependabot/github_actions/actions/download-artifact-7.0.0
branch
CybotTM
added a commit
that referenced
this pull request
Apr 16, 2026
- codeql.yml: reuses existing .github/codeql/codeql-config.yml (security-extended + security-and-quality queries), weekly + per-PR. - scorecard.yml: weekly OpenSSF Scorecard analysis, publishes to scorecard.dev and uploads SARIF to the Security tab. - dependency-review.yml: blocks PRs that introduce vulnerable dependencies at moderate severity or above. All actions SHA-pinned. Covers: ER-19/20/21, GH-19. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
5 tasks
CybotTM
added a commit
that referenced
this pull request
Apr 17, 2026
## Summary Closes the actionable gaps flagged by `/automated-assessment` across the `agent-rules`, `git-workflow`, `github-project`, and `enterprise-readiness` skill checkpoints. Starting state: 28 pass / 59 fail (7 errors, 45 warnings). After this PR: **66 pass / 31 fail** (4 errors, 11 warnings, 16 info). Remaining failures are all either checker false positives (script bugs — AG-13 double-escaped regex, GH-24/26 multi-line regex, GH-30/31 command-whitelist rejections), PHP-centric checks that don't apply to this Python project (ER-02 `composer audit`), external-registration dependent (ER-05 OpenSSF Best Practices badge), or info-level optional sections. ## What changed | Commit | What | |---|---| | [`139e9bf`](139e9bf) | Governance files: `SECURITY.md`, `CHANGELOG.md`, `.github/CODEOWNERS`, `.github/PULL_REQUEST_TEMPLATE.md` | | [`304dddd`](304dddd) | Supply-chain workflows: `codeql.yml` (security-extended + security-and-quality), `scorecard.yml`, `dependency-review.yml` | | [`5c006ab`](5c006ab) | `.pre-commit-config.yaml`: flake8, black, isort, shellcheck, hygiene hooks | | [`28654fa`](28654fa) | README badges: CI, CodeQL, Codecov, OpenSSF Scorecard, License | | [`e427278`](e427278) | AGENTS.md: canonical sections (Setup / Development / Testing / Architecture / Commands) + `Last verified` footer | | [`a593745`](a593745) | `security.yml` (pip-audit + bandit + CycloneDX SBOM) + `vendor/` in `.gitignore` | | [`a616933`](a616933) | `step-security/harden-runner` in CodeQL, Scorecard, dependency-review workflows (audit mode) | All GitHub Actions SHA-pinned. YAML + bash syntax validated. Full test suite: 546 passed. ## Checkpoints covered Errors: ER-22, GH-11, ER-01, ER-03, GH-19 (+2 false-positive multi-line regex errors remain: GH-24 / GH-26). Warnings: GW-03, GW-05, GW-06, GW-14, GH-3, GH-5, GH-10, GH-12, ER-04, ER-19, ER-20, ER-21, ER-23, ER-27, ER-44, AG-03 through AG-07, AG-18. ## Not in scope - **ER-05** (bestpractices.dev badge) — requires external registration at [openssf.org/bestpractices](https://www.bestpractices.dev/), not a code change. - **PHP/TYPO3-specific checks** (ER-70/71/72/73 Infection mutation targets, ER-31 phpstan baseline, ER-02 `composer audit`) — false positives for a Python project. - **Script-whitelist rejections** (GW-15, GH-6, GH-23, GH-30, GH-31, ER-43) — the checkpoint runner's allowed-command whitelist is overly restrictive; re-check manually if needed. - **AG-13** (`Commands (verified…)` heading regex) — checker's YAML parser double-escapes backslashes, making the regex uncompilable. Unfixable content-side. - **AG-12, AG-14–17, AG-26** — info-level optional AGENTS.md sections. ## Test plan - [x] `uv run pytest` — 546 passed, 1 skipped - [x] `python3 -c "import yaml; yaml.safe_load(open(f))"` on every new/modified workflow - [x] `/automated-assessment` re-run: 66 pass / 31 fail (was 28/59) - [ ] CI run on this branch to confirm the three new workflows execute and pass on push/PR. - [ ] Monitor first Scorecard weekly run; publish badge to the badges row if score is reasonable.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/download-artifact from 4.3.0 to 7.0.0.
Release notes
Sourced from actions/download-artifact's releases.
... (truncated)
Commits
37930b1Merge pull request #452 from actions/download-artifact-v7-release72582b9doc: update readme0d2ec9dchore: release v7.0.0 for Node.js 24 supportfd7ae8fMerge pull request #451 from actions/fix-storage-blobd484700chore: restore minimatch.dep.yml license file03a8080chore: remove obsolete dependency license files56fe6d9chore: update@actions/artifactlicense file to 5.0.18e3ebc4chore: update package-lock.json with@actions/artifact@5.0.11e3c4b4fix: update@actions/artifactto ^5.0.0 for Node.js 24 punycode fix458627dchore: use local@actions/artifactpackage for Node.js 24 testingDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)