fix: upgrade GitHub Actions dependencies #1
Merged
Bump actions/create-github-app-token v1->v3 in action.yml. In the release workflow, bump actions/checkout v4->v7 and replace disabled codfish with SHA-pinned cycjimmy/semantic-release-action@v6.0.0. Claude-Session: https://claude.ai/code/session_011T9ASy4VmRoYrnuTsLd9oU
faa3606 to 6f901ad
🎉 This PR is included in version 1.1.1 🎉 The release is available on:
Your semantic-release bot 📦🚀
Upgrades GitHub Actions dependencies across workflows and the composite action.
- actions/checkout from v4 to v7 in the release workflow.
- codfish/semantic-release-action@v4 with cycjimmy/semantic-release-action pinned to v6.0.0 (using extra_plugins). Replaced because codfish was disabled by GitHub after a supply-chain compromise so its tags no longer resolve; cycjimmy is the maintained standard replacement.
- actions/create-github-app-token from v1 to v3 in action.yml. Tag bump only; no input values changed.
https://claude.ai/code/session_011T9ASy4VmRoYrnuTsLd9oU
Note
Medium Risk
Release workflow and token-generation action changes affect automated releases and cross-repo auth; semantic-release action swap is supply-chain motivated but still alters release behavior.
Overview
Upgrades CI and composite-action dependencies and adds weekly Dependabot grouping for all github-actions updates at the repo root.
In .github/workflows/release.yml, actions/checkout moves from v4 to v7. The release step switches from codfish/semantic-release-action@v4 (with additional-packages) to cycjimmy/semantic-release-action pinned to the v6.0.0 commit, configuring semantic-release-github-actions-tags via extra_plugins instead.
In action.yml, GitHub App token generation bumps actions/create-github-app-token from v1 to v3 with the same inputs.
Reviewed by Cursor Bugbot for commit 87c03b8. Bugbot is set up for automated code reviews on this repo.
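An added example, not part of this PR or the repository: a small Python check that lists which `uses:` references in a workflow are pinned to a full 40-character commit SHA (as the PR does for the cycjimmy step) and which still point at a movable tag or branch. The workflow text, the SHA and the function names are constructed for illustration.

```python
import re

# A step- or job-level "uses:" entry, optionally quoted, optionally followed by a comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#.*)?$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed placeholder, NOT the real commit behind cycjimmy v6.0.0.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

# Constructed sample workflow that reuses the action names mentioned in this PR.
SAMPLE_WORKFLOW = f"""\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
      - uses: codfish/semantic-release-action@v4
      - uses: cycjimmy/semantic-release-action@{PLACEHOLDER_SHA} # v6.0.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

def audit_uses(workflow_text):
    """Return (line_no, reference, verdict) for every `uses:` line."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            verdict = "local"  # code that lives in this repository
        elif ref.startswith("docker://"):
            # Only an image digest is immutable; a tag such as :3.20 can move.
            verdict = "pinned" if "@sha256:" in ref else "mutable"
        else:
            # owner/repo[/path]@ref: only a full commit SHA cannot be re-pointed.
            _, _, version = ref.partition("@")
            verdict = "pinned" if FULL_SHA_RE.fullmatch(version) else "mutable"
        findings.append((line_no, ref, verdict))
    return findings

def mutable_refs(workflow_text):
    """References a CI gate would reject: tags, branches, short SHAs, image tags."""
    return [ref for _, ref, verdict in audit_uses(workflow_text) if verdict == "mutable"]

if __name__ == "__main__":
    for line_no, ref, verdict in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {verdict:8} {ref}")
```

Keeping the version as a trailing comment on a SHA-pinned line leaves the pin readable for reviewers.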