chore: Cherry-picked changes from upstream

[github-actions]

Cherry-picked changes from upstream.

[github-actions]

🚀 PR Updated!

The PR has been updated with the latest cherry-picked commits.

@step-security/maintained-actions-dev Please review and approve the changes.

📦 Target Release Version: v1.5.8
📋 Previous Release Version: v1.5.7

⚠️ Completely Skipped Commits Due to only modifying files in: package.json, package-lock.json, yarn.lock, node_modules/, dist/, or .gitignore

• b9762107eafdd889bed66723a3ef0e28aa667314

[claude]

Claude finished @github-actions[bot]'s task —— View job

---

PR Review: Cherry-picked Changes from Upstream ✅

Review Checklist:

• Read repository guidelines (CLAUDE.md) - No CLAUDE.md found
• Analyze changed files for completeness
• Review src/tool.ts changes
• Review dist/index.js changes
• Review dist/index.js.map changes
• Verify cherry-pick completeness vs upstream
• Security vulnerability scan
• Final assessment and recommendations

Analysis:

Repository Context:

• This is a fork of jkroepke/setup-vals maintained by step-security
• The repository provides a GitHub Action for installing the vals binary from helmfile/vals
• Cherry-picking from upstream: jkroepke/setup-vals → step-security/setup-vals

Changes Identified:

1. src/tool.ts:8 - Updated defaultVersion from 'v0.42.2' to 'v0.42.4'
2. dist/index.js - Compiled version reflects the same version bump
3. dist/index.js.map - Source map updated accordingly

This represents a dependency version update for the helmfile/vals tool from v0.42.2 to v0.42.4.

Security Assessment ✅

No security vulnerabilities identified:

• ✅ Changes are limited to version string updates
• ✅ No new external dependencies introduced
• ✅ No changes to action permissions or execution model
• ✅ Version bump follows semantic versioning (patch-level increment)
• ✅ Repository follows security best practices with SECURITY.md policy

Cherry-Pick Completeness Assessment ✅

Changes appear complete and consistent:

• ✅ Source and compiled distribution files are properly synchronized
• ✅ Version update is applied uniformly across all relevant files (src/tool.ts + dist/)
• ✅ Only vals version updated (v0.42.2 → v0.42.4) - no other changes
• ✅ Skipped commit (b9762107) appropriately excluded packaging files only

Recommendations ✅

This PR is ready to merge:

1. ✅ Changes are minimal and focused on dependency version update
2. ✅ No security concerns identified
3. ✅ Cherry-pick appears complete and consistent
4. ✅ Distribution files properly updated to match source changes

The version update from v0.42.2 to v0.42.4 appears to be a standard maintenance update to keep the tool current with the latest stable release of helmfile/vals.

---

[claude]

Claude finished @github-actions[bot]'s task —— View job

---

PR Review: Cherry-picked Changes Analysis ✅

Comprehensive review of this auto cherry-pick PR completed.

Todo List:

• Read and analyze changed files
• Review source code changes in src/tool.ts
• Verify dist/ files match source changes
• Scan for potential security vulnerabilities
• Provide comprehensive review feedback

---

📋 Review Summary

✅ APPROVED - Changes Look Good

This PR contains a clean dependency update with proper build practices.

📊 Change Analysis

What Changed:

• Updated helmfile/vals from v0.42.2 → v0.42.4 in src/tool.ts:8
• Properly rebuilt distribution files (dist/index.js, dist/index.js.map)

Commit Structure: ✅ Excellent

1. Source update first
2. Compiled output rebuild
3. Source map update
   This follows proper CI/CD patterns.

🔒 Security Assessment

✅ No Security Issues Detected:

• Version bump is a minor patch update (0.42.2 → 0.42.4)
• No code logic changes, only version string update
• No new dependencies or attack vectors introduced
• Distribution files properly match source changes

🧪 Completeness & Consistency

✅ Cherry-pick Appears Complete:

• Source code change applied correctly
• Build artifacts regenerated properly
• All affected files included in PR
• Commit history shows proper sequence

✅ Build Consistency:

• dist/ files were properly regenerated after source changes
• Source maps updated to match compiled output
• No orphaned or inconsistent build artifacts

💡 Recommendations

1. Ready to Merge - All checks pass
2. Consider running automated tests if available to validate the new version
3. Note - This appears to be a routine dependency update that should be low-risk

---

Target Release: v1.5.8 (from v1.5.7)
Risk Level: Low - Minor version bump only

[github-actions]

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v1.5.7...v1.5.8

📋 File-by-File Analysis:

src/tool.ts

• Upstream has changes: ✅ Yes
• File exists in PR: ✅ Yes
• Changes match: ✅ Yes
• Status: 🟢 Perfect - ✅ All changes applied correctly (+1 -1)

---

📊 Summary:

• Total files changed upstream: 1
• Files present in PR: 1/1
• Files with matching changes: 1/1

🎉 Overall Status: ✅ PERFECT - All upstream changes successfully applied!

[github-actions]

🔍 Cherry-Pick Verification Report

📦 Upstream Changes: v1.5.7...v1.5.8

📋 File-by-File Analysis:

src/tool.ts

• Upstream has changes: ✅ Yes
• File exists in PR: ✅ Yes
• Changes match: ✅ Yes
• Status: 🟢 Perfect - ✅ All changes applied correctly (+1 -1)

---

📊 Summary:

• Total files changed upstream: 1
• Files present in PR: 1/1
• Files with matching changes: 1/1

🎉 Overall Status: ✅ PERFECT - All upstream changes successfully applied!