Conversation
Bumps the actions-deps group with 5 updates: | Package | From | To | | --- | --- | --- | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [actions/download-artifact](https://github.com/actions/download-artifact) | `7.0.0` | `8.0.1` | | [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `2.6.2` | `3.0.0` | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `1.12.0` | `3.2.0` | | [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) | `2.5.0` | `3.1.0` | Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v7.0.1</h2> <h2>What's Changed</h2> <ul> <li>Update the readme with direct upload details by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/795">actions/upload-artifact#795</a></li> <li>Readme: bump all the example versions to v7 by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/796">actions/upload-artifact#796</a></li> <li>Include changes in typespec/ts-http-runtime 0.3.5 by <a href="https://github.com/yacaovsnc"><code>@yacaovsnc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/797">actions/upload-artifact#797</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v7...v7.0.1">https://github.com/actions/upload-artifact/compare/v7...v7.0.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"><code>043fb46</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/797">#797</a> from actions/yacaovsnc/update-dependency</li> <li><a href="https://github.com/actions/upload-artifact/commit/634250c1388765ea7ed0f053e636f1f399000b94"><code>634250c</code></a> Include changes in typespec/ts-http-runtime 0.3.5</li> <li><a href="https://github.com/actions/upload-artifact/commit/e454baaac2be505c9450e11b8f3215c6fc023ce8"><code>e454baa</code></a> Readme: bump all the example versions to v7 (<a href="https://redirect.github.com/actions/upload-artifact/issues/796">#796</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/74fad66b98a6d799dc004d3353ccd0e6f6b2530e"><code>74fad66</code></a> Update the readme with direct upload details (<a href="https://redirect.github.com/actions/upload-artifact/issues/795">#795</a>)</li> <li>See full diff in <a href="https://github.com/actions/upload-artifact/compare/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a">compare view</a></li> </ul> </details> <br /> Updates `actions/download-artifact` from 7.0.0 to 8.0.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/download-artifact/releases">actions/download-artifact's releases</a>.</em></p> <blockquote> <h2>v8.0.1</h2> <h2>What's Changed</h2> <ul> <li>Support for CJK characters in the artifact name by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/471">actions/download-artifact#471</a></li> <li>Add a regression test for artifact name + content-type mismatches by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/472">actions/download-artifact#472</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/download-artifact/compare/v8...v8.0.1">https://github.com/actions/download-artifact/compare/v8...v8.0.1</a></p> <h2>v8.0.0</h2> <h2>v8 - What's new</h2> <blockquote> <p>[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.</p> </blockquote> <blockquote> <p>[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).</p> </blockquote> <h3>Direct downloads</h3> <p>To support direct uploads in <code>actions/upload-artifact</code>, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the <code>Content-Type</code> header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new <code>skip-decompress</code> parameter to <code>true</code>.</p> <h3>Enforced checks (breaking)</h3> <p>A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the <code>digest-mismatch</code> parameter. To be secure by default, we are now defaulting the behavior to <code>error</code> which will fail the workflow run.</p> <h3>ESM</h3> <p>To support new versions of the @actions/* packages, we've upgraded the package to ESM.</p> <h2>What's Changed</h2> <ul> <li>Don't attempt to un-zip non-zipped downloads by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/460">actions/download-artifact#460</a></li> <li>Add a setting to specify what to do on hash mismatch and default it to <code>error</code> by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/download-artifact/pull/461">actions/download-artifact#461</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/download-artifact/compare/v7...v8.0.0">https://github.com/actions/download-artifact/compare/v7...v8.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/download-artifact/commit/3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c"><code>3e5f45b</code></a> Add regression tests for CJK characters (<a href="https://redirect.github.com/actions/download-artifact/issues/471">#471</a>)</li> <li><a href="https://github.com/actions/download-artifact/commit/e6d03f67377d4412c7aa56a8e2e4988e6ec479dd"><code>e6d03f6</code></a> Add a regression test for artifact name + content-type mismatches (<a href="https://redirect.github.com/actions/download-artifact/issues/472">#472</a>)</li> <li><a href="https://github.com/actions/download-artifact/commit/70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3"><code>70fc10c</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/461">#461</a> from actions/danwkennedy/digest-mismatch-behavior</li> <li><a href="https://github.com/actions/download-artifact/commit/f258da9a506b755b84a09a531814700b86ccfc62"><code>f258da9</code></a> Add change docs</li> <li><a href="https://github.com/actions/download-artifact/commit/ccc058e5fbb0bb2352213eaec3491e117cbc4a5c"><code>ccc058e</code></a> Fix linting issues</li> <li><a href="https://github.com/actions/download-artifact/commit/bd7976ba57ecea96e6f3df575eb922d11a12a9fd"><code>bd7976b</code></a> Add a setting to specify what to do on hash mismatch and default it to <code>error</code></li> <li><a href="https://github.com/actions/download-artifact/commit/ac21fcf45e0aaee541c0f7030558bdad38d77d6c"><code>ac21fcf</code></a> Merge pull request <a href="https://redirect.github.com/actions/download-artifact/issues/460">#460</a> from actions/danwkennedy/download-no-unzip</li> <li><a href="https://github.com/actions/download-artifact/commit/15999bff51058bc7c19b50ebbba518eaef7c26c0"><code>15999bf</code></a> Add note about package bumps</li> <li><a href="https://github.com/actions/download-artifact/commit/974686ed5098c7f9c9289ec946b9058e496a2561"><code>974686e</code></a> Bump the version to <code>v8</code> and add release notes</li> <li><a href="https://github.com/actions/download-artifact/commit/fbe48b1d2756394be4cd4358ed3bc1343b330e75"><code>fbe48b1</code></a> Update test names to make it clearer what they do</li> <li>Additional commits viewable in <a href="https://github.com/actions/download-artifact/compare/37930b1c2abaa49bbe596cd826c3c89aef350131...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c">compare view</a></li> </ul> </details> <br /> Updates `softprops/action-gh-release` from 2.6.2 to 3.0.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/softprops/action-gh-release/releases">softprops/action-gh-release's releases</a>.</em></p> <blockquote> <h2>v3.0.0</h2> <p><code>3.0.0</code> is a major release that moves the action runtime from Node 20 to Node 24. Use <code>v3</code> on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on <code>v2.6.2</code>.</p> <h2>What's Changed</h2> <h3>Other Changes 🔄</h3> <ul> <li>Move the action runtime and bundle target to Node 24</li> <li>Update <code>@types/node</code> to the Node 24 line and allow future Dependabot updates</li> <li>Keep the floating major tag on <code>v3</code>; <code>v2</code> remains pinned to the latest <code>2.x</code> release</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md">softprops/action-gh-release's changelog</a>.</em></p> <blockquote> <h2>3.0.0</h2> <p><code>3.0.0</code> is a major release that moves the action runtime from Node 20 to Node 24. Use <code>v3</code> on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on <code>v2.6.2</code>.</p> <h2>What's Changed</h2> <h3>Other Changes 🔄</h3> <ul> <li>Move the action runtime and bundle target to Node 24</li> <li>Update <code>@types/node</code> to the Node 24 line and allow future Dependabot updates</li> <li>Keep the floating major tag on <code>v3</code>; <code>v2</code> remains pinned to the latest <code>2.x</code> release</li> </ul> <h2>2.6.2</h2> <h2>What's Changed</h2> <h3>Other Changes 🔄</h3> <ul> <li>chore(deps): bump picomatch from 4.0.3 to 4.0.4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/softprops/action-gh-release/pull/775">softprops/action-gh-release#775</a></li> <li>chore(deps): bump brace-expansion from 5.0.4 to 5.0.5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/softprops/action-gh-release/pull/777">softprops/action-gh-release#777</a></li> <li>chore(deps): bump vite from 8.0.0 to 8.0.5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/softprops/action-gh-release/pull/781">softprops/action-gh-release#781</a></li> </ul> <h2>2.6.1</h2> <p><code>2.6.1</code> is a patch release focused on restoring linked discussion thread creation when <code>discussion_category_name</code> is set. It fixes <code>[#764](https://github.com/softprops/action-gh-release/issues/764)</code>, where the draft-first publish flow stopped carrying the discussion category through the final publish step.</p> <p>If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.</p> <h2>What's Changed</h2> <h3>Bug fixes 🐛</h3> <ul> <li>fix: preserve discussion category on publish by <a href="https://github.com/chenrui333"><code>@chenrui333</code></a> in <a href="https://redirect.github.com/softprops/action-gh-release/pull/765">softprops/action-gh-release#765</a></li> </ul> <h2>2.6.0</h2> <p><code>2.6.0</code> is a minor release centered on <code>previous_tag</code> support for <code>generate_release_notes</code>, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a <code>working_directory</code> docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.</p> <p>If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.</p> <h2>What's Changed</h2> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/softprops/action-gh-release/commit/b4309332981a82ec1c5618f44dd2e27cc8bfbfda"><code>b430933</code></a> release: cut v3.0.0 for Node 24 upgrade (<a href="https://redirect.github.com/softprops/action-gh-release/issues/670">#670</a>)</li> <li><a href="https://github.com/softprops/action-gh-release/commit/c2e35e05a74208bafbfcbdae5ebc9da7236e980f"><code>c2e35e0</code></a> chore(deps): bump the npm group across 1 directory with 7 updates (<a href="https://redirect.github.com/softprops/action-gh-release/issues/783">#783</a>)</li> <li>See full diff in <a href="https://github.com/softprops/action-gh-release/compare/3bb12739c298aeb8a4eeaf626c5b8d85266b0e65...b4309332981a82ec1c5618f44dd2e27cc8bfbfda">compare view</a></li> </ul> </details> <br /> Updates `actions/create-github-app-token` from 1.12.0 to 3.2.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/create-github-app-token/releases">actions/create-github-app-token's releases</a>.</em></p> <blockquote> <h2>v3.2.0</h2> <h2><a href="https://github.com/actions/create-github-app-token/compare/v3.1.1...v3.2.0">3.2.0</a> (2026-05-12)</h2> <h3>Features</h3> <ul> <li>add support for enterprise-level GitHub Apps (<a href="https://redirect.github.com/actions/create-github-app-token/issues/263">#263</a>) (<a href="https://github.com/actions/create-github-app-token/commit/952a2a7073df6bfa5f49bc469ec895b6ec1acea4">952a2a7</a>)</li> <li>support full repository names in <code>repositories</code> input (<a href="https://redirect.github.com/actions/create-github-app-token/issues/372">#372</a>) (<a href="https://github.com/actions/create-github-app-token/commit/85eb8dd41472213aed25d1a126460e0069138ab6">85eb8dd</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>deps:</strong> bump <code>@actions/core</code> from 3.0.0 to 3.0.1 in the production-dependencies group (<a href="https://redirect.github.com/actions/create-github-app-token/issues/364">#364</a>) (<a href="https://github.com/actions/create-github-app-token/commit/43e5c345bfd4d4f3ecea019ad0042001a09dd857">43e5c34</a>)</li> <li>validate private-key input (<a href="https://redirect.github.com/actions/create-github-app-token/issues/376">#376</a>) (<a href="https://github.com/actions/create-github-app-token/commit/f24bbd89643991c0de27ae823c01791b2c6bafdd">f24bbd8</a>)</li> </ul> <h2>v3.1.1</h2> <h2><a href="https://github.com/actions/create-github-app-token/compare/v3.1.0...v3.1.1">3.1.1</a> (2026-04-11)</h2> <h3>Bug Fixes</h3> <ul> <li>improve error message when app identifier is empty (<a href="https://redirect.github.com/actions/create-github-app-token/issues/362">#362</a>) (<a href="https://github.com/actions/create-github-app-token/commit/07e2b760664f080c40eec4eacf7477256582db36">07e2b76</a>), closes <a href="https://redirect.github.com/actions/create-github-app-token/issues/249">#249</a></li> </ul> <h2>v3.1.0</h2> <h1><a href="https://github.com/actions/create-github-app-token/compare/v3.0.0...v3.1.0">3.1.0</a> (2026-04-11)</h1> <h3>Bug Fixes</h3> <ul> <li><strong>deps:</strong> bump p-retry from 7.1.1 to 8.0.0 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/357">#357</a>) (<a href="https://github.com/actions/create-github-app-token/commit/3bbe07d928e2d6c30bf3e37c6b89edbc4045facf">3bbe07d</a>)</li> </ul> <h3>Features</h3> <ul> <li>add <code>client-id</code> input and deprecate <code>app-id</code> (<a href="https://redirect.github.com/actions/create-github-app-token/issues/353">#353</a>) (<a href="https://github.com/actions/create-github-app-token/commit/e6bd4e6970172bed9fe138b2eaf4cbffa4cca8f9">e6bd4e6</a>)</li> <li>update permission inputs (<a href="https://redirect.github.com/actions/create-github-app-token/issues/358">#358</a>) (<a href="https://github.com/actions/create-github-app-token/commit/076e9480ca6e9633bff412d05eff0fc2f1e7d2be">076e948</a>)</li> </ul> <h2>v3.0.0</h2> <h1><a href="https://github.com/actions/create-github-app-token/compare/v2.2.2...v3.0.0">3.0.0</a> (2026-03-14)</h1> <ul> <li>feat!: node 24 support (<a href="https://redirect.github.com/actions/create-github-app-token/issues/275">#275</a>) (<a href="https://github.com/actions/create-github-app-token/commit/2e564a0bb8e7cc2b907b2401a2afe177882d4325">2e564a0</a>)</li> <li>fix!: require <code>NODE_USE_ENV_PROXY</code> for proxy support (<a href="https://redirect.github.com/actions/create-github-app-token/issues/342">#342</a>) (<a href="https://github.com/actions/create-github-app-token/commit/4451bcbc139f8124b0bf04f968ea2586b17df458">4451bcb</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li>remove custom proxy handling (<a href="https://redirect.github.com/actions/create-github-app-token/issues/143">#143</a>) (<a href="https://github.com/actions/create-github-app-token/commit/dce0ab05f36f30b22fd14289fd36655c618e4e8e">dce0ab0</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md">actions/create-github-app-token's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2><a href="https://github.com/actions/create-github-app-token/compare/v3.1.1...v3.2.0">3.2.0</a> (2026-05-12)</h2> <h3>Features</h3> <ul> <li>add support for enterprise-level GitHub Apps (<a href="https://redirect.github.com/actions/create-github-app-token/issues/263">#263</a>) (<a href="https://github.com/actions/create-github-app-token/commit/952a2a7073df6bfa5f49bc469ec895b6ec1acea4">952a2a7</a>)</li> <li>support full repository names in <code>repositories</code> input (<a href="https://redirect.github.com/actions/create-github-app-token/issues/372">#372</a>) (<a href="https://github.com/actions/create-github-app-token/commit/85eb8dd41472213aed25d1a126460e0069138ab6">85eb8dd</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>deps:</strong> bump <code>@actions/core</code> from 3.0.0 to 3.0.1 in the production-dependencies group (<a href="https://redirect.github.com/actions/create-github-app-token/issues/364">#364</a>) (<a href="https://github.com/actions/create-github-app-token/commit/43e5c345bfd4d4f3ecea019ad0042001a09dd857">43e5c34</a>)</li> <li>validate private-key input (<a href="https://redirect.github.com/actions/create-github-app-token/issues/376">#376</a>) (<a href="https://github.com/actions/create-github-app-token/commit/f24bbd89643991c0de27ae823c01791b2c6bafdd">f24bbd8</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/create-github-app-token/commit/bcd2ba49218906704ab6c1aa796996da409d3eb1"><code>bcd2ba4</code></a> chore(main): release 3.2.0 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/370">#370</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/f24bbd89643991c0de27ae823c01791b2c6bafdd"><code>f24bbd8</code></a> fix: validate private-key input (<a href="https://redirect.github.com/actions/create-github-app-token/issues/376">#376</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/363531b6d972a60a00b3f1e6bb139e5e6c764cd9"><code>363531b</code></a> docs: capitalize Git as a proper noun in README (<a href="https://redirect.github.com/actions/create-github-app-token/issues/374">#374</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/fd2801133e469d2950f2c5af5e591d6b2ad833c8"><code>fd28011</code></a> docs: update procedure to configure Git (<a href="https://redirect.github.com/actions/create-github-app-token/issues/287">#287</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/85eb8dd41472213aed25d1a126460e0069138ab6"><code>85eb8dd</code></a> feat: support full repository names in <code>repositories</code> input (<a href="https://redirect.github.com/actions/create-github-app-token/issues/372">#372</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/c9aabb83728c3bd519212fa657ebc07e1f2a5dec"><code>c9aabb8</code></a> build(deps-dev): bump yaml from 2.8.3 to 2.8.4 in the development-dependencie...</li> <li><a href="https://github.com/actions/create-github-app-token/commit/e02e816e5591415258a53bf735aff57977dcd5e2"><code>e02e816</code></a> build(deps-dev): bump undici from 7.24.6 to 8.2.0 (<a href="https://redirect.github.com/actions/create-github-app-token/issues/366">#366</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/8d835bfd37aa48fcb8e709925115857568d98bc4"><code>8d835bf</code></a> build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 in the development-depend...</li> <li><a href="https://github.com/actions/create-github-app-token/commit/952a2a7073df6bfa5f49bc469ec895b6ec1acea4"><code>952a2a7</code></a> feat: add support for enterprise-level GitHub Apps (<a href="https://redirect.github.com/actions/create-github-app-token/issues/263">#263</a>)</li> <li><a href="https://github.com/actions/create-github-app-token/commit/43e5c345bfd4d4f3ecea019ad0042001a09dd857"><code>43e5c34</code></a> fix(deps): bump <code>@actions/core</code> from 3.0.0 to 3.0.1 in the production-dependenc...</li> <li>Additional commits viewable in <a href="https://github.com/actions/create-github-app-token/compare/d72941d797fd3113feb6b93fd0dec494b13a2547...bcd2ba49218906704ab6c1aa796996da409d3eb1">compare view</a></li> </ul> </details> <br /> Updates `dependabot/fetch-metadata` from 2.5.0 to 3.1.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/dependabot/fetch-metadata/releases">dependabot/fetch-metadata's releases</a>.</em></p> <blockquote> <h2>v3.1.0</h2> <h2>What's Changed</h2> <ul> <li>Add permissions to all workflows by <a href="https://github.com/truggeri"><code>@truggeri</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/687">dependabot/fetch-metadata#687</a></li> <li>build(deps-dev): bump globals from 16.0.0 to 17.4.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/690">dependabot/fetch-metadata#690</a></li> <li>build(deps-dev): bump esbuild from 0.27.4 to 0.28.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/693">dependabot/fetch-metadata#693</a></li> <li>build(deps-dev): bump <code>@hono/node-server</code> from 1.19.10 to 1.19.13 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/694">dependabot/fetch-metadata#694</a></li> <li>build(deps-dev): bump hono from 4.12.7 to 4.12.12 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/695">dependabot/fetch-metadata#695</a></li> <li>Dynamically update the tracking tag in action by <a href="https://github.com/truggeri"><code>@truggeri</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/696">dependabot/fetch-metadata#696</a></li> <li>fix: handle duplicate dependency names in parseMetadataLinks by <a href="https://github.com/devantler"><code>@devantler</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/700">dependabot/fetch-metadata#700</a></li> <li>fix: remove $ anchor from updateFragment regex to handle pip directory suffixes by <a href="https://github.com/devantler"><code>@devantler</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/698">dependabot/fetch-metadata#698</a></li> <li>Updates to README for permissions clarification by <a href="https://github.com/truggeri"><code>@truggeri</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/697">dependabot/fetch-metadata#697</a></li> <li>fix: resolve update-type null for Python, Composer, and Terraform PRs by <a href="https://github.com/vitorsdcs"><code>@vitorsdcs</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/704">dependabot/fetch-metadata#704</a></li> <li>build(deps-dev): bump globals from 17.4.0 to 17.5.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/703">dependabot/fetch-metadata#703</a></li> <li>build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/701">dependabot/fetch-metadata#701</a></li> <li>build(deps): bump <code>@actions/github</code> from 9.0.0 to 9.1.0 in the dependencies group across 1 directory by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/702">dependabot/fetch-metadata#702</a></li> <li>build(deps-dev): bump hono from 4.12.12 to 4.12.14 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/705">dependabot/fetch-metadata#705</a></li> <li>v3.1.0 by <a href="https://github.com/fetch-metadata-action-automation"><code>@fetch-metadata-action-automation</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/692">dependabot/fetch-metadata#692</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/devantler"><code>@devantler</code></a> made their first contribution in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/700">dependabot/fetch-metadata#700</a></li> <li><a href="https://github.com/vitorsdcs"><code>@vitorsdcs</code></a> made their first contribution in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/704">dependabot/fetch-metadata#704</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/dependabot/fetch-metadata/compare/v3...v3.1.0">https://github.com/dependabot/fetch-metadata/compare/v3...v3.1.0</a></p> <h2>v3.0.0</h2> <p>The breaking change is requiring Node.js version v24 as the Actions runtime.</p> <h2>What's Changed</h2> <ul> <li>feat: Parse versions from metadata links by <a href="https://github.com/ppkarwasz"><code>@ppkarwasz</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/632">dependabot/fetch-metadata#632</a></li> <li>Upgrade actions core and actions github packages by <a href="https://github.com/truggeri"><code>@truggeri</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/649">dependabot/fetch-metadata#649</a></li> <li>docs: Add notes for using <code>alert-lookup</code> with App Token by <a href="https://github.com/sue445"><code>@sue445</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/656">dependabot/fetch-metadata#656</a></li> <li>feat!: update Node.js version to v24 by <a href="https://github.com/sturman"><code>@sturman</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/671">dependabot/fetch-metadata#671</a></li> <li>Switch build tooling from ncc to esbuild by <a href="https://github.com/truggeri"><code>@truggeri</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/676">dependabot/fetch-metadata#676</a></li> <li>Add --legal-comments=none to esbuild build commands by <a href="https://github.com/jeffwidman"><code>@jeffwidman</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/679">dependabot/fetch-metadata#679</a></li> <li>Bump tsconfig target from es2022 to es2024 by <a href="https://github.com/jeffwidman"><code>@jeffwidman</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/680">dependabot/fetch-metadata#680</a></li> <li>Remove vestigial outDir from tsconfig.json by <a href="https://github.com/jeffwidman"><code>@jeffwidman</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/681">dependabot/fetch-metadata#681</a></li> <li>Switch tsconfig module resolution to bundler by <a href="https://github.com/jeffwidman"><code>@jeffwidman</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/682">dependabot/fetch-metadata#682</a></li> <li>Remove skipLibCheck from tsconfig.json by <a href="https://github.com/jeffwidman"><code>@jeffwidman</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/683">dependabot/fetch-metadata#683</a></li> <li>Add typecheck step to CI by <a href="https://github.com/jeffwidman"><code>@jeffwidman</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/685">dependabot/fetch-metadata#685</a></li> <li>Enable noImplicitAny in tsconfig.json by <a href="https://github.com/jeffwidman"><code>@jeffwidman</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/684">dependabot/fetch-metadata#684</a></li> <li>Upgrade <code>@actions/core</code> to ^3.0.0 by <a href="https://github.com/truggeri"><code>@truggeri</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/677">dependabot/fetch-metadata#677</a></li> <li>Upgrade <code>@actions/github</code> to ^9.0.0 and <code>@octokit/request-error</code> to ^7.1.0 by <a href="https://github.com/truggeri"><code>@truggeri</code></a> in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/678">dependabot/fetch-metadata#678</a></li> <li>Bump qs from 6.14.0 to 6.14.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/651">dependabot/fetch-metadata#651</a></li> <li>Bump hono from 4.11.1 to 4.11.4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/652">dependabot/fetch-metadata#652</a></li> <li>Bump hono from 4.11.4 to 4.11.7 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/653">dependabot/fetch-metadata#653</a></li> <li>Bump hono from 4.11.7 to 4.12.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/657">dependabot/fetch-metadata#657</a></li> <li>Bump qs from 6.14.1 to 6.14.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/655">dependabot/fetch-metadata#655</a></li> <li>Bump <code>@modelcontextprotocol/sdk</code> from 1.25.1 to 1.26.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/654">dependabot/fetch-metadata#654</a></li> <li>Bump <code>@hono/node-server</code> from 1.19.9 to 1.19.10 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/665">dependabot/fetch-metadata#665</a></li> <li>Bump hono from 4.12.2 to 4.12.5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/dependabot/fetch-metadata/pull/664">dependabot/fetch-metadata#664</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/dependabot/fetch-metadata/commit/25dd0e34f4fe68f24cc83900b1fe3fe149efef98"><code>25dd0e3</code></a> v3.1.0 (<a href="https://redirect.github.com/dependabot/fetch-metadata/issues/692">#692</a>)</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/e073f50d732cb48d48fb80afedb4fa61361626e9"><code>e073f50</code></a> Merge pull request <a href="https://redirect.github.com/dependabot/fetch-metadata/issues/705">#705</a> from dependabot/dependabot/npm_and_yarn/hono-4.12.14</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/0670e167df1fbee1b0d07121de6a182ddebdd674"><code>0670e16</code></a> build(deps-dev): bump hono from 4.12.12 to 4.12.14</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/7a7fe10a42310e65df80af6c771e9aa5d59842d1"><code>7a7fe10</code></a> Merge pull request <a href="https://redirect.github.com/dependabot/fetch-metadata/issues/702">#702</a> from dependabot/dependabot/npm_and_yarn/dependencies-...</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/5168191cea3d4daa635bff6c796b4f0faeba522d"><code>5168191</code></a> Updating dist build</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/23882e175b2f16bc495c89aa50940399c6a17504"><code>23882e1</code></a> build(deps): bump <code>@actions/github</code> in the dependencies group</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/1072469591c13fda1d8dba1d1ac2e80187e247d7"><code>1072469</code></a> Merge pull request <a href="https://redirect.github.com/dependabot/fetch-metadata/issues/701">#701</a> from dependabot/dependabot/github_actions/actions/cre...</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/43f8a0055c8e32587be67e097dff89a6823c9752"><code>43f8a00</code></a> build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/b4d904a50935c8ebe744da148ea8a18a43fe72e1"><code>b4d904a</code></a> Merge pull request <a href="https://redirect.github.com/dependabot/fetch-metadata/issues/703">#703</a> from dependabot/dependabot/npm_and_yarn/globals-17.5.0</li> <li><a href="https://github.com/dependabot/fetch-metadata/commit/c8046bb877d9989cc848797de1b944bc3e93ef82"><code>c8046bb</code></a> build(deps-dev): bump globals from 17.4.0 to 17.5.0</li> <li>Additional commits viewable in <a href="https://github.com/dependabot/fetch-metadata/compare/21025c705c08248db411dc16f3619e6b5f9ea21a...25dd0e34f4fe68f24cc83900b1fe3fe149efef98">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Updated [Microsoft.Extensions.Http.Resilience](https://github.com/dotnet/extensions) from 10.5.0 to 10.6.0. <details> <summary>Release notes</summary> _Sourced from [Microsoft.Extensions.Http.Resilience's releases](https://github.com/dotnet/extensions/releases)._ ## 10.6.0 Version 10.6.0 stabilizes the response continuation token and background-response APIs in Microsoft.Extensions.AI.Abstractions. Most other AI work for May shipped in 10.5.1; this monthly release rolls those changes up alongside dependency updates and a small Resource Monitoring cleanup. ## Experimental API Changes ### Now Stable * ResponseContinuationToken and background-response APIs are now stable (previously `MEAI001`) #7512 ## What's Changed ### AI * Stabilize ResponseContinuationToken / background-response APIs #7512 by @jozkee (co-authored by @Copilot) ## Repository Infrastructure Updates * Update version to 10.6.0 #7458 by @jeffhandley * [main] Update dependencies from dotnet/arcade #7451 * Bump follow-redirects from 1.15.11 to 1.16.0 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript/azure-devops-report/tasks/PublishAIEvaluationReport #7469 * Merge release/10.5 into main #7470 by @jeffhandley * Bump microsoft.visualstudio.slngen.tool from 12.0.13 to 12.0.32 #7484 * Bump postcss from 8.5.9 to 8.5.12 in /src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript #7494 * Bump dotnet-reportgenerator-globaltool from 5.5.7 to 5.5.9 #7504 * Rename release-notes skill to write-release-notes #7511 by @jeffhandley (co-authored by @Copilot) ## Acknowledgements * @wtgodbe @tarekgh @peterwald @JeremyLikness @eiriktsarpalis @ericstj @evgenyfedorov2 reviewed pull requests **Full Changelog**: dotnet/extensions@v10.5.2...v10.6.0 ## 10.5.2 This patch release ships a single fix to `Microsoft.Extensions.VectorData.Abstractions`, correcting `StorageName` resolution when external serialization is enabled. `Microsoft.Extensions.VectorData.ConformanceTests`, `Microsoft.Extensions.AI.Abstractions`, `Microsoft.Extensions.AI`, and `Microsoft.Extensions.AI.OpenAI` are published alongside it for version coherency — they contain no code changes from 10.5.1. ## Packages in this release | Package | Version | | --- | --- | | Microsoft.Extensions.VectorData.Abstractions | 10.5.2 | | Microsoft.Extensions.VectorData.ConformanceTests | 10.5.2 | | Microsoft.Extensions.AI.Abstractions | 10.5.2 | | Microsoft.Extensions.AI | 10.5.2 | | Microsoft.Extensions.AI.OpenAI | 10.5.2 | ## What's Changed ### Microsoft.Extensions.VectorData.Abstractions - Minor fixes to MEVD.Abstractions: correct `StorageName` behavior when external serialization is enabled, and disable a warning for `net462`. (by @roji in [#7475](dotnet/extensions#7475)) **Full Changelog**: dotnet/extensions@v10.5.1...v10.5.2 ## 10.5.1 Version 10.5.1 of the Microsoft.Extensions.AI packages stabilizes CodeInterpreter, WebSearch, and ImageGeneration tool content types. The release adds new experimental tool search and OpenAI request policy hooks. And the OpenTelemetry gen-ai semantic conventions are updated to align with v1.41. The 'aiagent-webapi' project template in Microsoft.Agents.AI.ProjectTemplates is updated to align with v1.3.0 of Agent Framework, updating the OpenTelemetry dependencies within the template projects as well. ## Packages in this release | Package | Version | |---------|---------| | Microsoft.Extensions.AI | 10.5.1 | | Microsoft.Extensions.AI.Abstractions | 10.5.1 | | Microsoft.Extensions.AI.OpenAI | 10.5.1 | | Microsoft.Extensions.AI.Templates | 10.5.1-preview.3.26251.3 | | Microsoft.Agents.AI.ProjectTemplates | 1.3.0-preview.1.26251.3 | ## Experimental API Changes ### Now Stable The following types previously emitted the `MEAI001` experimental diagnostic and are now stable. * CodeInterpreter and WebSearch tool content types are now stable #7493 * `CodeInterpreterToolCallContent` * `CodeInterpreterToolResultContent` * `WebSearchToolCallContent` * `WebSearchToolResultContent` * ImageGeneration tool content types and tool are now stable #7476 * `ImageGenerationToolCallContent` * `ImageGenerationToolResultContent` * `HostedImageGenerationTool` * `ImageGenerationOptions` * `ImageGenerationResponseFormat` (the `Hosted` enum value remains experimental) * `IImageGenerator` and the rest of the image generation infrastructure also remain experimental ### New Experimental APIs The following new APIs emit the `MEAI001` experimental diagnostic. * New experimental API: `HostedToolSearchTool` with `DeferredTools` for tool-search-driven deferred tool loading #7471 * New experimental API: `OpenAIRequestPolicies` extension hook for appending `System.ClientModel.PipelinePolicy` instances to outgoing OpenAI requests #7495 ### Breaking Changes to Experimental APIs * `WebSearchToolResultContent.Results` was renamed to `Outputs` as part of the stabilization in #7493, aligning with `CodeInterpreterToolResultContent.Outputs`. The original `Results` property was included in version 10.4.0 and 10.5.0; this is a binary breaking change and consumers need to update to consume the updated property. ```diff WebSearchToolResultContent content = ...; - IList<AIContent>? items = content.Results; + IList<AIContent>? items = content.Outputs; ``` ... (truncated) Commits viewable in [compare view](dotnet/extensions@v10.5.0...v10.6.0). </details> Updated [Microsoft.Extensions.Logging.Abstractions](https://github.com/dotnet/dotnet) from 10.0.7 to 10.0.8. <details> <summary>Release notes</summary> _Sourced from [Microsoft.Extensions.Logging.Abstractions's releases](https://github.com/dotnet/dotnet/releases)._ No release notes found for this version range. Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits). </details> Updated [Microsoft.SourceLink.GitHub](https://github.com/dotnet/dotnet) from 10.0.203 to 10.0.300. <details> <summary>Release notes</summary> _Sourced from [Microsoft.SourceLink.GitHub's releases](https://github.com/dotnet/dotnet/releases)._ ## 10.0.300 You can build .NET 10.0 from the repository by cloning the release tag `v10.0.300` and following the build instructions in the [main README.md](https://github.com/dotnet/dotnet/blob/v10.0.300/README.md#building). Alternatively, you can build from the sources attached to this release directly. More information on this process can be found in the [dotnet/dotnet repository](https://github.com/dotnet/dotnet/blob/v10.0.300/README.md#building-from-released-sources). Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023 ## 10.0.204 You can build .NET 10.0 from the repository by cloning the release tag `v10.0.204` and following the build instructions in the [main README.md](https://github.com/dotnet/dotnet/blob/v10.0.204/README.md#building). Alternatively, you can build from the sources attached to this release directly. More information on this process can be found in the [dotnet/dotnet repository](https://github.com/dotnet/dotnet/blob/v10.0.204/README.md#building-from-released-sources). Attached are PGP signatures for the GitHub generated tarball and zipball. You can find the public key at https://dot.net/release-key-2023 Commits viewable in [compare view](dotnet/dotnet@v10.0.203...v10.0.300). </details> Updated [System.CommandLine](https://github.com/dotnet/dotnet) from 2.0.7 to 2.0.8. <details> <summary>Release notes</summary> _Sourced from [System.CommandLine's releases](https://github.com/dotnet/dotnet/releases)._ No release notes found for this version range. Commits viewable in [compare view](https://github.com/dotnet/dotnet/commits). </details> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Pieter Viljoen <ptr727@users.noreply.github.com>
## Summary - Updates the [`AGENTS.md`](./AGENTS.md) "Branching Model" section to reflect that the develop ruleset's `strict_required_status_checks_policy` was flipped from `true` to `false` server-side today (rule id 12277308). - Replaces the bullet that said *develop keeps the up-to-date check on, only main omits it* with a two-part bullet covering both rulesets and their distinct reasons (main: graph-reachability after every merge release; develop: bot auto-merge race-proofing). - Adds a do-not-reintroduce warning and threads the relaxed-flag rationale through the parallel-bots bullet so a future template sync can't quietly put the flag back. ## Why [PR #141](#141) sat OPEN with all checks green and auto-merge armed because a sibling Dependabot PR (#140) against develop merged ~10 seconds after #141 opened, pushing #141 into `mergeStateStatus: BEHIND`. Auto-merge cannot fire while the strict flag is on, and nothing in the merge-bot (see [merge-bot-pull-request.yml](./.github/workflows/merge-bot-pull-request.yml)) auto-updates a bot branch in that window. The matching main-side PR ([#142](#142)) merged cleanly because main's ruleset already had strict off — that asymmetry is the smoking gun. ## Upstream template The yesterday-synced ProjectTemplate ruleset has the same `strict_required_status_checks_policy: true` on develop. Filed [ptr727/ProjectTemplate#82](ptr727/ProjectTemplate#82) so the template gets the matching change and downstream consumers don't reintroduce the flag on their next sync. ## Scope Docs only. The actual ruleset flip was applied server-side and is already verifiable via `gh api repos/ptr727/LanguageTags/rules/branches/develop` → `strict_required_status_checks_policy: false`. PR #141 itself was unblocked separately (`gh api -X PUT .../pulls/141/update-branch`, re-arm auto-merge, merged at 14:45:33Z). ## Test plan - [ ] Copilot review on the current head — no factual / phrasing pushback. - [ ] `Check pull request workflow status` green. - [ ] Next pair of same-day Dependabot PRs against develop both auto-merge without anyone touching `gh pr update-branch`. (Will surface organically on the next daily run.)
Contributor
There was a problem hiding this comment.
Pull request overview
This release PR brings develop forward into main, primarily to synchronize contributor documentation about the develop branch ruleset change (the strict “up-to-date before merging” flag being disabled), and also includes dependency/workflow action version updates.
Changes:
- Update
AGENTS.mdbranching-model documentation to state that bothmainanddeveloprulesets havestrict_required_status_checks_policy: false, including rationale for each. - Bump several centrally-managed NuGet package versions in
Directory.Packages.props. - Update multiple GitHub Actions workflow dependencies (notably
actions/create-github-app-token,dependabot/fetch-metadata,actions/download-artifact, andsoftprops/action-gh-release) to newer pinned SHAs.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| Directory.Packages.props | Updates centrally-managed NuGet package versions. |
| AGENTS.md | Documents the updated develop ruleset behavior (strict flag disabled) and its rationale. |
| .github/workflows/run-codegen-pull-request-task.yml | Updates the pinned actions/create-github-app-token version used for codegen PR automation. |
| .github/workflows/merge-bot-pull-request.yml | Updates pinned action SHAs used by the merge bot (App token + Dependabot metadata). |
| .github/workflows/build-release-task.yml | Updates pinned action SHAs used when publishing GitHub releases (artifact download + release creation). |
| .github/workflows/build-library-task.yml | Updates pinned actions/upload-artifact used to publish build artifacts. |
3 tasks
ptr727
added a commit
that referenced
this pull request
May 13, 2026
## Summary - Adds `&filter=*-g*` to the `prereleaseversion-shield` URL in [README.md](./README.md) so the **GitHub Pre-Release** badge filters to tags with the Nerdbank `-g<short-sha>` suffix only. - Drops the **NuGet Pre-Release** badge entirely (both the in-body usage and the link-reference definition). Shields' NuGet endpoint does not accept a filter; no clean fix exists. ## Why Observed after [#144](#144) merged: the **GitHub Pre-Release** badge displayed `v1.2.42` (a full release), even though the actual latest pre-release at the time was `1.2.40-g0f69a1b0a0`. Same for the **NuGet Pre-Release** badge. Root cause is shields.io semantics: - `github/v/release/...?include_prereleases` and `nuget/vpre/...` both mean *"include pre-releases as candidates and return the latest by published date / highest version"* — not *"show pre-releases only"*. - After every develop → main release merge, Nerdbank.GitVersioning publishes a full release with a height higher than any preceding pre-release, so both pre-release badges converge to their release-only siblings within seconds. For GitHub there's a clean fix: shields.io's `github/v/release` endpoint accepts a `filter` glob. The Nerdbank short-sha suffix `-g<10hex>` only appears on pre-release tags, so `filter=*-g*` cleanly selects pre-releases. For NuGet there isn't: - The NuGet shield ignores `filter` silently. - The `dynamic/json` shield rejects JSONPath filter predicates (`query not supported`). - NuGet's flat-container index is semver-sorted (pre-releases ahead of their stable counterparts), so `$.versions[-1]` lands on the same stable. No way to filter to pre-releases only without a custom hosted endpoint. Dropping it is cleaner than carrying a redundant badge — the GitHub Pre-Release badge now carries the develop-side signal on its own. ## Verification Hit the new shield URLs directly: - GitHub Pre-Release with `filter=*-g*` → `v1.2.40-g0f69a1b0a0` ✓ - GitHub Release (unchanged) → `v1.2.42` ✓ ## Upstream The upstream `ptr727/ProjectTemplate` README likely carries the same badge pattern and the same bug. A separate issue will be filed there with details for replication. ## Test plan - [ ] Copilot review on the current head — no factual / phrasing pushback. - [ ] `Check pull request workflow status` green. - [ ] After the next pre-release publish on develop, the GitHub Pre-Release badge updates to the new pre-release tag (not the latest stable).
3 tasks
This was referenced May 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Brings develop forward into main. Net effect on main's file content is
AGENTS.mdonly — the documentation update from #143 covering the relaxeddevelopruleset (strict_required_status_checks_policy: false, now matching main).Why GitHub shows 6 files changed when the net diff to main is 1 file
GitHub's PR diff is
diff(merge-base, head), notdiff(base, head). The merge-base is an older commit on main that predates today's daily Dependabot batch. Develop's history since then includes the sibling Dependabot bumps #140 (actions-deps) and #141 (nuget-deps), so those file changes appear in the diff view. But the matching main-side bumps — #139 (actions-deps → main) and #142 (nuget-deps → main) — already landed via the dual-target Dependabot config in.github/dependabot.yml, so main's working tree already has those exact versions.git diff origin/main..origin/develop --statconfirms it:The merge commit will leave
Directory.Packages.propsand.github/workflows/*unchanged on main; onlyAGENTS.mdactually moves.Functional payload
#143 updates the "Branching Model" section of
AGENTS.mdto document that both rulesets now omit "Require branches to be up to date before merging", with the distinct rationale for each: main = graph-reachability after every merge release; develop = bot auto-merge race-proofing.Why this release
Yesterday's #130 template sync left
strict_required_status_checks_policy: trueon develop, which broke bot auto-merge when two PRs against develop landed within the same minute. Concrete repro: #141 sat OPEN with all checks green because #140 merged into develop ~10 s after #141 opened. The flag was flipped server-side this morning; this release brings the matchingAGENTS.mddocumentation forward to main so consumers reading the repo root doc see the current branching model.The upstream template carries the same misconfiguration and is tracked at ptr727/ProjectTemplate#82.
Test plan
Check pull request workflow statusgreen.publish-release.ymlon main produces a release artifact via the standard release-on-every-push flow.