Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 26994186c0ac3ef5cae75ac16aa32e8153525f77 to de2c0eb89ae2a093876385947365aca7b0e5f844.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@2699418...de2c0eb)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: de2c0eb89ae2a093876385947365aca7b0e5f844
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
|
|
||
| - name: Create Release | ||
| uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1 | ||
| uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 |
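Review bot: the trailing `# v1` comment on the `uses:` line is carried over unchanged while the pinned SHA moves from 26994186c0ac3ef5cae75ac16aa32e8153525f77 to de2c0eb89ae2a093876385947365aca7b0e5f844, so the annotation may no longer name the upstream release the new SHA was cut from, which is what a later auditor relies on. Before merging, confirm that the new SHA is reachable from a tag in softprops/action-gh-release (the `[Commits]` compare range 2699418...de2c0eb in the description is the quickest place to see that the move is forward-only, and `git ls-remote --tags https://github.com/softprops/action-gh-release` lists the tag-to-commit mapping), then update the comment to the exact tag, e.g. `uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # <tag>`, so the pin stays auditable.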
🚨 GitHub Actions dependency changed to unverified commit SHA (high severity)
The softprops/action-gh-release action was updated to a new commit SHA (de2c0eb89ae2a093876385947365aca7b0e5f844). This change must be verified to ensure it's a legitimate update from the upstream repository and not a malicious commit. The new SHA should be cross-referenced with the official softprops/action-gh-release repository tags/releases. If this is a downgrade or points to an unofficial fork, it could introduce supply chain vulnerabilities that access GITHUB_TOKEN and release artifacts containing the msgvault binary.
Automated security review by Claude 4.5 Sonnet - Human review still required
Security Review: 1 High/Medium Issue Found

Claude's automated security review identified potential security concerns. Please review the inline comments. Note: This is an automated review. False positives are possible. Please review each issue carefully and use your judgment. Powered by Claude 4.5 Sonnet
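The inline comment above asks for the new SHA to be cross-referenced against the upstream tags. The script below is an added example of how to do that mechanically for a whole workflow file; it is not code from this PR, from Dependabot, or from the reviewing bot. It parses `uses:` lines, requires a full 40-character commit SHA, checks that the SHA is the commit behind some upstream tag, and flags a trailing version comment that does not agree with that tag. The upstream tag list is fed in as the text of `git ls-remote --tags <url>`; the sample output embedded here is constructed, and its tag names (`vX.Y.Z-placeholder`, `vA.B.C-placeholder`) are placeholders, not the real tags of softprops/action-gh-release.

```python
"""Audit GitHub Actions pins: every third-party action must be pinned to a
full commit SHA that resolves to an upstream tag, and the `# <tag>` comment
(if any) must agree with that tag.  Example code, not part of the PR."""
import re

# `uses: owner/repo@ref   # comment`, with or without a leading list dash.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<repo>[\w.-]+/[\w.-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return [(repo, ref, comment_or_None), ...] for each `uses:` line."""
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            found.append((m.group("repo"), m.group("ref"), m.group("comment")))
    return found


def parse_ls_remote(output):
    """Turn `git ls-remote --tags <url>` output into {commit_sha: [tag, ...]}.

    An annotated tag shows up twice: once with the tag object's SHA and once
    as `refs/tags/<tag>^{}` carrying the peeled commit SHA.  A `uses:` pin
    refers to the commit, so the peeled SHA wins when both are present."""
    peeled, plain = {}, {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, tag = parts[0], parts[1][len("refs/tags/"):]
        if tag.endswith("^{}"):
            peeled[tag[:-3]] = sha
        else:
            plain[tag] = sha
    by_sha = {}
    for tag, sha in plain.items():
        commit = peeled.get(tag, sha)  # lightweight tags have no peeled entry
        by_sha.setdefault(commit, []).append(tag)
    return by_sha


def check_pin(repo, ref, comment, tags_by_repo):
    """Return a list of findings for one pin; an empty list means it passed.
    tags_by_repo maps "owner/repo" -> {commit_sha: [tag, ...]}."""
    if not FULL_SHA_RE.match(ref):
        return [f"{repo}: ref '{ref}' is not a full 40-hex commit SHA (mutable pin)"]
    tags = tags_by_repo.get(repo, {}).get(ref)
    if not tags:
        return [f"{repo}: SHA {ref} does not match any upstream tag"]
    # Accept an exact tag, or a major/minor alias such as `v1` for `v1.2.3`.
    if comment and comment not in tags and not any(t.startswith(comment + ".") for t in tags):
        return [f"{repo}: comment '{comment}' does not match upstream tag(s) {tags}"]
    return []


def audit_workflow(workflow_text, tags_by_repo):
    """Run check_pin over every `uses:` line and collect the findings."""
    findings = []
    for repo, ref, comment in parse_uses(workflow_text):
        findings.extend(check_pin(repo, ref, comment, tags_by_repo))
    return findings


# --- Constructed sample input (the SHA is the one from this PR's diff; the
# --- tag names are placeholders, not the real upstream tags).
SAMPLE_WORKFLOW = """\
    steps:
      - name: Create Release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
      - uses: actions/checkout@v4
"""
SAMPLE_LS_REMOTE = """\
de2c0eb89ae2a093876385947365aca7b0e5f844\trefs/tags/vX.Y.Z-placeholder
1111111111111111111111111111111111111111\trefs/tags/vA.B.C-placeholder
de2c0eb89ae2a093876385947365aca7b0e5f844\trefs/tags/vA.B.C-placeholder^{}
"""

if __name__ == "__main__":
    upstream = {"softprops/action-gh-release": parse_ls_remote(SAMPLE_LS_REMOTE)}
    for finding in audit_workflow(SAMPLE_WORKFLOW, upstream):
        print("FINDING:", finding)
```

On the sample input the audit reports two findings: the `# v1` comment does not agree with the placeholder tags the SHA resolves to, and `actions/checkout@v4` is a mutable tag rather than a commit pin. In real use, replace `SAMPLE_LS_REMOTE` with the captured output of `git ls-remote --tags https://github.com/<owner>/<repo>` for each action the workflow references.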
Bumps softprops/action-gh-release from 26994186c0ac3ef5cae75ac16aa32e8153525f77 to de2c0eb89ae2a093876385947365aca7b0e5f844.
Changelog
Sourced from softprops/action-gh-release's changelog.
... (truncated)
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)