Skip to content

chore(deps): bump trufflesecurity/trufflehog from 3.95.6 to 3.95.7#57

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/trufflesecurity/trufflehog-3.95.7
Closed

chore(deps): bump trufflesecurity/trufflehog from 3.95.6 to 3.95.7#57
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/trufflesecurity/trufflehog-3.95.7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps trufflesecurity/trufflehog from 3.95.6 to 3.95.7.

Release notes

Sourced from trufflesecurity/trufflehog's releases.

v3.95.7

What's Changed

New Contributors

Full Changelog: trufflesecurity/trufflehog@v3.95.6...v3.95.7

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) from 3.95.6 to 3.95.7.
- [Release notes](https://github.com/trufflesecurity/trufflehog/releases)
- [Commits](trufflesecurity/trufflehog@v3.95.6...v3.95.7)

---
updated-dependencies:
- dependency-name: trufflesecurity/trufflehog
  dependency-version: 3.95.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 1, 2026 02:54
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
@github-actions github-actions Bot added the chore label Jul 1, 2026
@clawsweeper

clawsweeper Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed July 2, 2026, 2:05 AM ET / 06:05 UTC.

Summary
Dependabot updates the TruffleHog GitHub Action used by .github/workflows/secret-scan.yml from v3.95.6 to v3.95.7.

Reproducibility: not applicable. this is a dependency maintenance PR, not a bug report with runtime reproduction steps. The relevant verification is source review, upstream tag presence, and GitHub workflow checks on the PR head.

Review metrics: 1 noteworthy metric.

  • Workflow action refs: 1 changed. The only behavior change is the TruffleHog GitHub Action version used by the secret-scan workflow.

Root-cause cluster
Relationship: canonical
Canonical: #57
Summary: This PR is the only open canonical item found for the TruffleHog v3.95.7 bump; prior related PRs are merged adjacent workflow history, not duplicates.

Members:

Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • none.

Next step before merge

  • [P2] No repair job is needed; this PR already contains the narrow dependency update and has no actionable patch findings.

Security
Cleared: The diff only updates an existing third-party action tag under the current permissions and adds no secrets, permissions, scripts, lockfile changes, or publishing behavior.

Review details

Best possible solution:

Merge the narrow Dependabot bump through the normal maintainer dependency-review path while preserving the existing workflow permissions and scan-range behavior.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a dependency maintenance PR, not a bug report with runtime reproduction steps. The relevant verification is source review, upstream tag presence, and GitHub workflow checks on the PR head.

Is this the best way to solve the issue?

Yes: updating the existing action reference is the narrowest maintainable way to take this TruffleHog patch release. The PR does not introduce a parallel workflow, new permissions, or new configuration surface.

AGENTS.md: not found in the target repository.

Codex review notes: model internal, reasoning high; reviewed against 7754b9d416df.

Label changes

Label justifications:

  • P3: This is a low-risk dependency maintenance PR with a one-line GitHub Actions version bump and green checks.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Contributor proof is not required for this Dependabot bot dependency bump; the GitHub checks and source review are the relevant validation signal.
Evidence reviewed

What I checked:

  • Current main source: Current main still pins trufflesecurity/trufflehog@v3.95.6 in the secret-scan workflow, so the requested dependency bump is not already implemented. (.github/workflows/secret-scan.yml:52, 7754b9d416df)
  • PR diff: The PR changes only the TruffleHog action ref from v3.95.6 to v3.95.7. (.github/workflows/secret-scan.yml:52, c93e84ded81e)
  • PR status: GitHub reports the PR as mergeable, with CI, CodeQL, and Security Gate: Secret Scanning checks successful on the PR head. (c93e84ded81e)
  • Security ownership: CODEOWNERS routes .github/workflows/ to @openclaw/openclaw-secops, so this is a security-owned workflow dependency update. (.github/CODEOWNERS:5, 7754b9d416df)
  • Upstream tag check: The upstream TruffleHog repository has both requested tags, and v3.95.7 resolves to f446421baf832d6356c42c1743d99abff52ff334. (f446421baf83)
  • Workflow provenance: Local history shows the verified secret scanning workflow was introduced in b5e289c4bd777dab2ecdf2b953f82e57b76ab607 and the current workflow snapshot is attributed by blame to release-prep commit 5637c35da08a835aaa334e7ab6b19a403039b926. (.github/workflows/secret-scan.yml:52, 5637c35da08a)

Likely related people:

  • steipete: Local blame attributes the current secret-scan workflow snapshot to release-prep commit 5637c35da08a835aaa334e7ab6b19a403039b926, and merged maintenance history shows recent TruffleHog workflow updates in this area. (role: recent area contributor; confidence: high; commits: 5637c35da08a, 9e078d5be63f; files: .github/workflows/secret-scan.yml, .github/workflows/ci.yml, .github/workflows/codeql.yml)
  • vincentkoc: Merged history shows this person introduced the verified secret-scanning workflow and protected automation ownership for the workflow surface. (role: introduced behavior; confidence: high; commits: b5e289c4bd77, 54e6b97d0d60; files: .github/workflows/secret-scan.yml, .github/CODEOWNERS)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. labels Jul 1, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #61.

@dependabot dependabot Bot closed this Jul 8, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/trufflesecurity/trufflehog-3.95.7 branch July 8, 2026 02:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

chore dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant