ci(deps): bump the gha group with 5 updates #1
Merged
Bumps the gha group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4` | `6` |
| [github/codeql-action](https://github.com/github/codeql-action) | `3` | `4` |
| [actions/setup-python](https://github.com/actions/setup-python) | `5` | `6` |
| [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) | `3` | `5` |
| [actions/deploy-pages](https://github.com/actions/deploy-pages) | `4` | `5` |

Updates `actions/checkout` from 4 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

Updates `github/codeql-action` from 3 to 4
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v3...v4)

Updates `actions/setup-python` from 5 to 6
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@v5...v6)

Updates `actions/upload-pages-artifact` from 3 to 5
- [Release notes](https://github.com/actions/upload-pages-artifact/releases)
- [Commits](actions/upload-pages-artifact@v3...v5)

Updates `actions/deploy-pages` from 4 to 5
- [Release notes](https://github.com/actions/deploy-pages/releases)
- [Commits](actions/deploy-pages@v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: gha
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: gha
- dependency-name: actions/setup-python
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: gha
- dependency-name: actions/upload-pages-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: gha
- dependency-name: actions/deploy-pages
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: gha
...

Signed-off-by: dependabot[bot] <support@github.com>
xmap added a commit that referenced this pull request on May 16, 2026
Lands the 4 in-scope items flagged by the Phase 11a gate review (3-agent parallel: architecture / test coverage / cross-BC consistency). Nit #3 (`test_hazard_classification.py`) was a false positive — the file already exists with full coverage of bool-trap + 4 Invalid* errors + boundary values.

## Doc drift (#4)

`state.py:13,38` claimed "12-value ClearanceKind" — the enum has 10 values (post-11a-a refactor split form-type from facility identity via the orthogonal `facility_asset_id` field). Comment now reflects the locked 10 + cites the refactor history.

## 5 missing projection apply() arms (#2)

`test_clearance_summary_projection.py` had direct `apply()` assertions for ClearanceRegistered / ClearanceApproved / ClearanceRejected + the ClearanceReviewStepAppended no-op (4 of 9 event types). The 5 missing arms (Submitted / ReviewStarted / Activated / Expired / Superseded) were only covered transitively through `test_list_clearances_handler_postgres.py`. New direct tests pin each event's status update + last_status_changed_at + event-specific columns (Expired carries `reason`; Superseded deliberately drops `by_clearance_id` per deferred column).

Notable: the Superseded test asserts `by_clearance_id` does NOT land in the SQL args — pins the deferred-projection-column intent so an accidental SQL change surfacing it would fail loudly.

## End-to-end Run.start gate integration test (#1)

`test_postgres_clearance_lookup.py` pins the adapter in isolation; `test_start_run_clearance_gate_decider.py` pins the decider in isolation; until this commit, NOTHING exercised the COMPOSITION of real PG event store + real `PostgresClearanceLookup` + Run.start handler chain. The 11a gate review's #1 coverage gap.

New `test_start_run_clearance_gate_postgres.py` seeds the full upstream chain (Capability + Asset + Method + Practice + Plan + Subject + mount), overrides `build_postgres_deps`'s default `AlwaysCoveredClearanceLookup` with the real `PostgresClearanceLookup(db_pool)`, and pins three scenarios:

1. Active Clearance bound to Subject -> Run.start succeeds
2. NO Clearance references the scope -> RunRequiresActiveClearanceError
3. Defined-only Clearance -> RunClearanceCoverageMismatchError

Uses `SubjectBinding` (not `RunBinding`) to decouple from FixedIdGenerator ordering -- subject_id is operator-supplied.

## Amend idempotency contract test (#5)

`register_clearance` had `test_register_clearance_idempotency.py`; `amend_clearance` (also create-style 201-returning + idempotency-wrapped at wire.py) had no equivalent. New `test_amend_clearance_idempotency.py` pins three flows mirroring the register tests:

1. No key + same body -> two calls; second hits the parent's post-Superseded gate and returns 409 (documents why the key matters for amend specifically)
2. Same key + same body -> 201 with the SAME child clearance_id (cached response; handler not re-executed; parent not transitioned twice)
3. Same key + different body -> 422 idempotency conflict

## Verification

- pyright 0/0/0
- ruff clean (lint + format)
- 5423 unit+contract+architecture tests pass (8 new: 5 projection + 3 amend idempotency)
- 275 PG integration tests pass (3 new gate end-to-end)
- All pre-commit hooks pass (ruff, pyright, tach, architecture fitness, secrets scan)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
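
Added example, not part of the commit above or of the project's code: a stdlib-only sketch of the three amend idempotency flows the commit message lists (no key -> 409 on the second call, same key + same body -> cached 201, same key + different body -> 422). `AmendHandler`, `amend_with_idempotency`, the in-memory store and the request fingerprint scheme are all hypothetical stand-ins.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def fingerprint(payload):
    """Stable hash of the request so key reuse with a new body is detectable."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AmendHandler:
    """Hypothetical stand-in for the amend handler: supersedes the parent once."""

    def __init__(self):
        self.superseded = set()
        self.calls = 0
        self._next_id = 0

    def amend(self, parent_id, body):
        self.calls += 1
        if parent_id in self.superseded:
            # Post-Superseded gate: the parent can only be amended once.
            return Response(409, {"error": "parent clearance already superseded"})
        self.superseded.add(parent_id)
        self._next_id += 1
        return Response(201, {"clearance_id": f"child-{self._next_id}"})


def amend_with_idempotency(store, handler, parent_id, body, key=None):
    """Wrap the handler; `store` maps key -> (fingerprint, Response)."""
    if key is None:
        # Flow 1: without a key every retry re-executes the handler.
        return handler.amend(parent_id, body)
    request_fp = fingerprint({"parent_id": parent_id, "body": body})
    cached = store.get(key)
    if cached is not None:
        cached_fp, cached_response = cached
        if cached_fp != request_fp:
            # Flow 3: same key, different request -> conflict, handler not run.
            return Response(422, {"error": "idempotency key reused with a different body"})
        # Flow 2: replay the stored response; parent is not transitioned twice.
        return cached_response
    response = handler.amend(parent_id, body)
    store[key] = (request_fp, response)
    return response


if __name__ == "__main__":
    handler, store = AmendHandler(), {}
    body = {"note": "constructed sample body"}
    print(amend_with_idempotency(store, handler, "parent-1", body, key="k1"))
    print(amend_with_idempotency(store, handler, "parent-1", body, key="k1"))
    print(amend_with_idempotency(store, handler, "parent-1", {"note": "x"}, key="k1"))
```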
xmap added a commit that referenced this pull request on May 18, 2026
Renames the closed `CampaignIntent` enum from 5 domain-specific values
(IN_SITU / OPERANDO / PARAMETER_SWEEP / MULTI_MODAL / PROPOSAL_BLOCK)
to 4 abstract shape values (SERIES / SWEEP / COORDINATED / BLOCK). The
new enum answers "what shape of coordination" rather than conflating
shape with scientific technique or purpose.
Conceptual mapping (pre-pilot; no event-payload migration needed):
- IN_SITU + OPERANDO -> SERIES (both describe repeated measurements
over time on shared resources; the in-situ/operando distinction is
a technique tag, not a shape)
- PARAMETER_SWEEP -> SWEEP
- MULTI_MODAL -> COORDINATED (covers both multi-Method and
multi-Subject coordinated acquisition)
- PROPOSAL_BLOCK -> BLOCK (scheduling envelope: proposal / beamtime /
cycle)
Rationale: closed enum should track ONE axis cleanly. Mixing "what
shape" with "what scientific technique" or "what purpose" causes the
enum to collapse under tag-pressure (Watch #1 trigger thresholds). The
shape-vs-purpose split:
- intent (closed, 4 values) = coordination shape (Series / Sweep /
Coordinated / Block)
- tags (free frozenset) = technique + purpose (in-situ, operando,
tomography, EDD, calibration, maintenance, validation, replication,
pilot, longitudinal, ...)
Mirrors Caution BC's category + tags dual-shape pattern.
Watch #1 trigger candidates rewritten: future shape additions only
(Comparison, Discovery if cluster distinctly). Purpose-tags (calibration
/ maintenance / validation) EXPLICITLY stay in tags, not promoted to
shape values.
Pre-pilot file replacement (no events on disk; mirrors gate-cleanup N8
projection rename precedent). Atlas migration body rewritten:
CHECK (intent IN ('Series', 'Sweep', 'Coordinated', 'Block'))
Atlas hash re-computed.
~57 files touched: aggregate state.py + 6 slice src files + Atlas
migration + atlas.sum + 19 unit tests + 22 contract tests + 4
integration tests + 3 memory docs (design memo Decision + Why §5
rewrite + Locks block + Watch #1 + Watch #3 + LOOSE Subject paragraph;
MEMORY.md line 47; phase plan 6i row).
Semantic test-intent preservation: where the IN_SITU+OPERANDO -> SERIES
collapse would have broken assertions (parametrized intent uniqueness,
filter-narrows-correctly tests), the test data was hand-fixed to use
distinct shapes (SERIES vs COORDINATED, SWEEP vs BLOCK) preserving the
test's behavioral pin.
Pyright 0/0/0, ruff clean, 209 campaign unit + 126 campaign contract +
21 PG integration + 1 XPASS (the documented race-skeleton).
Zero grep hits for old values across src, tests, infra, memory.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
xmap added a commit that referenced this pull request on May 18, 2026
…rrorPort + gen_ai telemetry (Phase 8f-b iter 2a)
Ships the infrastructure plumbing 8f-b iter 2b's RunDebrief
subscriber will consume: a provider-neutral LLMPort with value-type
bundle (CacheBreakpoint, LLMContentBlock, LLMSystemPrompt,
ModelRef, LLMUsage, LLMResponse, LLMChatRequest) and a six-class
LLMError taxonomy; a production AnthropicLLMAdapter implementing
the port; an abstract LogbookMirrorPort with no implementor; a
gen_ai OTel telemetry helper with per-call token + cost histograms;
Kernel wiring for both ports; an Anthropic SDK dependency.
NO subscriber, NO Agent seed, NO actual LLM behavior at iter 2a --
those land at iter 2b with the security-specialist gate review.
## Port surface (cora.infrastructure.ports.llm)
LLMPort.chat(request: LLMChatRequest) -> LLMResponse with:
- System prompt as layered LLMContentBlock tuple; each block can
carry an optional CacheBreakpoint (ttl: "5m" | "1h") to mark a
cached prefix boundary.
- User message as a single LLMContentBlock (also breakpoint-able).
- Structured output as a JSON Schema dict (the adapter forces
tool-use-as-structured-output convention).
- ModelRef VO (provider + model + snapshot_pin) carrying the
Agent.model_ref shape; deliberately duplicated (not hoisted) from
the agent aggregate's validated VO since one carries domain
invariants and the other is a wire shape. Hoist deferred to
rule-of-three trigger (second LLM-consuming agent at 8f-c+).
- LLMUsage (input/output/cache_creation/cache_read tokens; None
coerced to 0 at the adapter boundary).
- LLMResponse (parsed + raw_text + usage + stop_reason + model_id).
Six error subclasses (LLMRateLimitError, LLMServerError,
LLMTimeoutError, LLMAuthenticationError, LLMInvalidRequestError,
LLMSchemaValidationError) all inherit from LLMError so iter 2b's
retry layer can isinstance-classify on the base.
FakeLLMAdapter test stub with a response queue + LLMError
pass-through + received-request capture; mirrors the
AlwaysCoveredClearanceLookup / AlwaysQuietCautionLookup test-default
convention.
## Production adapter (cora.agent.adapters.anthropic_llm_adapter)
AnthropicLLMAdapter wraps anthropic.AsyncAnthropic with:
- max_retries=2, request_timeout=600s (design memo lock).
- 4-cache-breakpoint client-side validation (fail-fast before API
call instead of opaque 400; raises LLMInvalidRequestError).
- 1h-TTL beta header (extended-cache-ttl-2025-04-11) set
conditionally when any block requests "1h".
- Tool-use-as-structured-output via stable synthetic tool name
cora_structured_output (cache-correctness invariant pinned by
test_synthetic_tool_name_stable_across_calls).
- Full Anthropic SDK error -> LLMError translation including the
defensive APIStatusError default arm (pinned by
test_unknown_apistatuserror_subclass_translates_to_server_error).
- ModelRef snapshot_pin appended as "<model>-<pin>" suffix when
set.
Owns the adapter per cross-BC convention (Safety BC owns
PostgresClearanceLookup; Caution BC owns PostgresCautionLookup;
Agent BC owns AnthropicLLMAdapter). Tach validated.
## LogbookMirrorPort (cora.infrastructure.ports.logbook_mirror)
Abstract Protocol with no production implementor at 8f-b. Reserves
the Kernel slot (Kernel.logbook_mirror: LogbookMirrorPort | None)
so iter 2b's subscriber can short-circuit cleanly on `is None`
and a future PhoebusOlogAdapter / SciLogAdapter / SciCatAdapter
slots in without subscriber churn. mirror_decision is
fire-and-forget (returns None) so logbook outages never propagate
to the Decision-emission path.
## gen_ai telemetry helper (cora.infrastructure.observability.gen_ai)
record_llm_call(span, ...) sets OTel GenAI semantic-convention
span attributes (gen_ai.system, gen_ai.request.model,
gen_ai.response.model, gen_ai.usage.{input,output,
cache_creation,cache_read}_tokens, gen_ai.response.finish_reasons)
and records two histograms (gen_ai.client.token.usage per OTel
spec + cora.agent.llm.cost.usd custom).
PRICING dict keyed on (provider, model) carrying per-MTok rates
for opus/sonnet/haiku 4-x (1h-TTL cache write tier). Unknown
models cost $0.00 with a one-time-per-process warning. compute_cost_usd
returns dollar value the adapter intentionally discards
(histogram is the persistent record; return value is for tests).
Helpers NOT re-exported from observability/__init__.py: the only
consumer (AnthropicLLMAdapter) imports from the submodule directly.
Re-export trigger is "second LLM adapter ships" (cross-BC review
P1).
## Settings + secret handling
Settings.anthropic_api_key: SecretStr | None = None (read from
ANTHROPIC_API_KEY env var). SecretStr redacts to `**********` in
repr(), str(), and model_dump_json() so no debug-log / json-dump
path can leak the credential. Verified by
test_anthropic_api_key_is_secret_str_and_redacted_in_repr.
The factory (cora.agent.llm_factory.build_llm) is the one and
only call site of .get_secret_value(); composition root binds
build_llm into build_kernel's llm_factory parameter.
## Composition root
LLMPortFactory Protocol in cora.infrastructure.deps:
__call__(settings) -> LLMPort | None. Returns None when settings
indicate no LLM should be wired (e.g. anthropic_api_key unset);
iter 2b's subscriber-registration step will fail-fast on
kernel.llm is None.
cora.api.main binds build_llm into build_kernel(llm_factory=...).
## Gate review (Stage 3, 3 baseline panel)
Architecture / test-coverage / cross-BC consistency all
APPROVE WITH NITS, 0 P0s. All P1s addressed in same commit:
- arch P1 #1 (SecretStr leak): anthropic_api_key now SecretStr
with redaction test pin.
- arch P1 #2 (ModelRef duplication): documented as intentional
separation with rule-of-three trigger to hoist.
- test-coverage P1 #1 (APIStatusError defensive default
untested): added
test_unknown_apistatuserror_subclass_translates_to_server_error.
- test-coverage P1 #2 (tool-name stability not pinned): added
test_synthetic_tool_name_stable_across_calls (cache-correctness
invariant).
- test-coverage P1 #3 (record_llm_call return discard intent):
documented at the call site.
- test-coverage P1 #4 (None cache-token coercion untested): added
test_none_cache_token_fields_coerce_to_zero.
- cross-BC P1 #1 (gen_ai re-export bloat): dropped from
observability/__init__.py.
Deferred to iter 2b (with documented triggers):
- test-coverage watch (AsyncAnthropic.aclose leak): subscriber
lifecycle is iter 2b scope.
- cross-BC nit (LLMPort/LogbookMirrorPort suffix vs prior
no-suffix ports): cross-cutting naming review; not iter 2a scope.
- cross-BC nit (AlwaysSilentLLM stub for Kernel symmetry):
Optional shape gives fail-fast at subscriber registration,
intentional; revisit if RecipeScreener at 8f-c surfaces friction.
## Tests + verification
49 new tests, all green: 22 unit (AnthropicLLMAdapter) + 12 unit
(LLMPort + FakeLLMAdapter) + 7 unit (gen_ai telemetry) + 3 unit
(LogbookMirrorPort Protocol) + 5 unit (deps Kernel composition +
build_llm + SecretStr redaction).
Full suite: 6608 unit+contract+architecture + 329 PG integration
tests pass, 107 skipped, 0 failures. pyright 0/0/0, ruff clean
(8f-b iter 2a scope), tach validated. anthropic>=0.79.0,<1 added
to dependencies (0.102.0 installed); uv.lock committed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
xmap added a commit that referenced this pull request on May 20, 2026
Four parallel reviewers fired on Iter B-1 (0cac602). One HIGH + 4 MEDIUM across security/test-coverage/impl/design. Reviewer #1 from impl-quality claimed the circular-import workaround was fictional; empirical revert verified the cycle IS real (Settings -> auth.config -> ports.token_verifier package init -> authorize -> routing -> observability -> Settings), so the _PrincipalKindLiteral mirror stays - but pinned via a new fitness test.

HIGH F11 - production-posture refuses per-IdP allow_insecure_*: api/main.py _enforce_production_principal_policy now iterates settings.identity_providers under app_env in {prod, production} and refuses boot when any entry has allow_insecure_jwks_url=True or allow_insecure_introspection_url=True. Defends against operator (or env-var-write attacker) downgrading ONE IdP to plaintext under prod.

MEDIUM F12 - empty audiences fail-fast: new _audiences_non_empty model_validator rejects audiences={} at boot, naming the missing config. Was fail-late mode that violated startup-validation promise.

MEDIUM F10 - RFC 6648 nonconformance: metadata endpoint dropped 'x-cora-surface-audiences' (deprecated X-prefix) for 'io.cora.surface_audiences' (reverse-DNS namespace).

Test-coverage gaps:
- test_settings_env_load.py (5 tests): IDENTITY_PROVIDERS env-var round-trip, SecretStr wrapping, multi-IdP, fail-fast, empty-audiences.
- test_metadata_resource_honors_x_forwarded_headers: X-Forwarded-* honoring at metadata endpoint (real correctness bug for prod).
- test_metadata_endpoint_unauthenticated polarity flipped to require_authenticated_principal=True.
- test_settings_injection_propagates_to_app_state: settings= kwarg actually reaches app.state.deps.settings.
- test_metadata_last_wins_when_two_idps_declare_same_surface: pins multi-IdP-same-Surface contract.
- 3 prod-posture refusal tests for F11.
- test_both_paths_config_constructs_two_adapters: deeper assertions (registry._jwt_by_issuer + _introspection presence) not just isinstance.

Impl-quality cleanups:
- registry_builder.py -> registry_factory.py (codebase convention).
- assert -> RuntimeError in builder (python -O safety).
- list[Any] -> list[IdentityProviderConfig] on metadata builder.
- Removed inconsistent type: ignore[attr-defined] on app.state.deps.
- StaticSubjectMapper accepts Mapping + defensive-copies into dict (immutable-interface convention).

Fitness test: tests/architecture/test_auth_principal_kind_sync.py asserts typing.get_args(_PrincipalKindLiteral) == get_args(PrincipalKind). The local mirror is load-bearing but mirrors drift. CI now catches PrincipalKind widening that doesn't also widen _PrincipalKindLiteral.

Deferred to Iter B-2 / D:
- Settings.public_base_url (forward-looking, F4 follow-up).
- Cache-Control: private vs public (flip with WI10 per-tenant).
- Design memo TTL field reconciliation + settings DI seam watch-item - Iter D close-out.

Verification: 12032 passed (+14 net) / 319 skipped in 255s; pyright + ruff + tach clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
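
Added example, not part of the commit above or of the project's code: a stdlib-only sketch of the two boot-time checks the commit message describes, refusing per-IdP `allow_insecure_*` flags under a production `app_env` (F11) and rejecting empty `audiences` when the config is built (F12). The dataclasses, the error type, the function names and the `audiences` shape are assumptions; only the field and flag names come from the commit message.

```python
from dataclasses import dataclass

# Environment names the commit message treats as production.
PRODUCTION_ENVS = frozenset({"prod", "production"})
# Per-IdP downgrade switches named in the commit message.
INSECURE_FLAGS = ("allow_insecure_jwks_url", "allow_insecure_introspection_url")


class InsecureProductionConfigError(RuntimeError):
    """Hypothetical error type: raised to refuse boot under production posture."""


@dataclass(frozen=True)
class IdentityProviderConfig:
    # Field names come from the commit message; the dataclass shape is assumed.
    issuer: str
    audiences: dict  # assumed shape: surface name -> expected audience
    allow_insecure_jwks_url: bool = False
    allow_insecure_introspection_url: bool = False

    def __post_init__(self):
        # F12: reject audiences={} at construction time, naming the IdP.
        if not self.audiences:
            raise ValueError(f"identity provider {self.issuer!r}: 'audiences' is empty")


@dataclass(frozen=True)
class Settings:
    app_env: str
    identity_providers: tuple = ()


def find_insecure_idps(settings):
    """Return (issuer, flag) pairs for every insecure switch that is set."""
    return [
        (idp.issuer, flag)
        for idp in settings.identity_providers
        for flag in INSECURE_FLAGS
        if getattr(idp, flag)
    ]


def enforce_production_idp_policy(settings):
    """F11: refuse to boot in production if any single IdP allows plaintext."""
    # Normalising case and whitespace is an added assumption, so that a value
    # such as "Production" cannot slip past the check.
    if settings.app_env.strip().lower() not in PRODUCTION_ENVS:
        return
    violations = find_insecure_idps(settings)
    if violations:
        # Report every offending IdP at once so one boot attempt shows them all.
        detail = "; ".join(f"{issuer}: {flag}=True" for issuer, flag in violations)
        raise InsecureProductionConfigError(
            f"refusing to boot under app_env={settings.app_env!r}: {detail}"
        )


if __name__ == "__main__":
    # Constructed sample configuration.
    good = IdentityProviderConfig("https://idp-a.example", {"api": "cora-api"})
    weak = IdentityProviderConfig(
        "https://idp-b.example", {"api": "cora-api"}, allow_insecure_jwks_url=True
    )
    enforce_production_idp_policy(Settings("dev", (good, weak)))  # allowed outside prod
    try:
        enforce_production_idp_policy(Settings("production", (good, weak)))
    except InsecureProductionConfigError as exc:
        print(exc)
```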
xmap added a commit that referenced this pull request on May 21, 2026
…dation (Phase 1A)

First concrete instantiation of the Q4 compensation-primitive pattern (per [[project-dataset-demote-design]] / [[project-compensation-primitive-research]]). Closes documented gap at `state.py:184` where `Intent.RETRACTED` was anticipated but not implemented. Mirrors the Crossref retraction model (additive notice, original DatasetPromoted preserved + marked).

Data BC:
- Intent.RETRACTED added to open enum (terminal — no re-promote)
- DatasetDemoted event (mirrors DatasetPromoted shape)
- Evolver fold Production→Retracted (status + AsShot used_calibrations preserved)
- demote_dataset slice (command/decider/handler/route/tool) mirroring discard_dataset (no context.py — no cross-BC cascade by [[project-calibration-design]] anti-hook #3)
- DemotionReason VO + DatasetCannotDemoteError + DatasetAlreadyRetractedError + InvalidDemotionReasonError
- Wire/routes/tools registration; OpenAPI snapshot regenerated

Decision BC:
- DecisionOverrideKind Literal extended 4→5: added "invalidation"
- SUPERSEDES Q4 memo's `Decision.compensates_decision_id` field proposal. Gate-review code-inspection found existing parent_id + override_kind discriminator already carries the chain semantic more cleanly. No new field, no migration. Q4 watch item #1 resolved by extending the closed enum instead. "invalidation" maps to PROV-O wasInvalidatedBy on the activity side; parent_id stays informedBy across all 5 kinds.

REST + MCP:
- POST /datasets/{id}/demote with 204/404/409×3/400/422×2 coverage
- demote_dataset MCP tool

Projection update SKIPPED (gate-review discovery): DatasetSummaryProjection deliberately tracks status only, not intent (DatasetPromoted also unsubscribed). Watch item: subscribe to both Promoted+Demoted together when first consumer asks. Documented in design memo.

Strict-not-idempotent at decider (re-demote → DatasetAlreadyRetractedError); source-state must be Production (Trial→Retracted rejected — use discard for Trial cleanup; Discarded→Retracted rejected — Discarded is stronger terminal). Decision linkage at slice is OPTIONAL (mirror adjust_run).

Tests: 40+ new. 11980 pass / 319 skipped (+11 vs baseline).
- decider 9, handler 8, events 3, evolver 4, VO 6 (Data)
- register_decision_decider 2 (Decision)
- REST endpoint 8, MCP tool 2 (contract)
- existing parametrize + Intent enum tests extended

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
xmap added a commit that referenced this pull request on May 21, 2026
v1 of the MTP-style read-model bundle per
[[project-asset-integration-view-design]] /
[[project-mtp-integration-manifest-research]] Q1 Option E staged adoption.
Closes the operator/agent 7-query walkthrough ("get_asset + get_family per
family + active-cautions query + applicable-capabilities query") into one
endpoint.
v1 is READ-TIME COMPOSITION: no new projection table, no new
subscribers, no migration. Single new query slice composes the bundle
by loading the Asset stream + each referenced Family stream + querying
the existing CautionLookup port + (with pool) the Capability
projection. v2 promotion to a denormalized projection is the explicit
upgrade path; trigger is documented in the design memo (p95 > 200ms
OR load > 10rps OR rule-of-three cross-Asset query demand).
Bundle scope (CLOSED at v1):
- Asset core (id, name, level, lifecycle, condition, parent_id)
- families (id + name + affordances as frozenset[str])
- ports (name + direction + signal_type)
- settings (raw dict)
- active_cautions (id + category + severity + text) — via existing
CautionLookup port (AlwaysQuietCautionLookup in test mode = [])
- applicable_capabilities (id + code + name + status) — via SQL
`required_affordances <@ combined-Family-affordances` + status IN
('Defined','Versioned'); no-pool fallback returns []
- incomplete: bool — TRUE if any Family in asset.families failed to
load (mirrors promote_dataset peer-load tolerance per
[[project-dataset-lineage-design]])
Conduit options DROPPED from Q1 memo scope: gate-review-time
code-inspection confirmed no Asset-Conduit linkage exists in CORA.
HMI / alarms / safety / time-series-history out of scope (Q1
anti-hook #1: over-bundling drift).
Endpoints:
- REST: GET /assets/{asset_id}/integration-view (200/403/404/422)
- MCP: get_asset_integration_view tool (tools/list + tools/call)
- OpenAPI snapshot regenerated.
Tests: 12 new. 12023 pass / 321 skipped (+43 vs Phase 1A baseline).
- handler unit 6 (returns-None / no-families / 2-families-affordances
/ missing-family-tolerance / unauthorized / wire-registration)
- REST contract 4 (200/404/422 + happy-with-family)
- MCP contract 2 (tools/list + tools/call on unknown)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps the gha group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| `actions/checkout` | `4` | `6` |
| `github/codeql-action` | `3` | `4` |
| `actions/setup-python` | `5` | `6` |
| `actions/upload-pages-artifact` | `3` | `5` |
| `actions/deploy-pages` | `4` | `5` |

Updates `actions/checkout` from 4 to 6

Release notes

Sourced from actions/checkout's releases.

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

... (truncated)

Commits
- de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
- 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
- 8e8c483 Clarify v6 README (#2328)
- 033fa0d Add worktree support for persist-credentials includeIf (#2327)
- c2d88d3 Update all references from v5 and v4 to v6 (#2314)
- 1af3b93 update readme/changelog for v6 (#2311)
- 71cf226 v6-beta (#2298)
- 069c695 Persist creds to a separate file (#2286)
- ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
- 08c6903 Prepare v5.0.0 release (#2238)

Updates `github/codeql-action` from 3 to 4

Release notes

Sourced from github/codeql-action's releases.

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

... (truncated)

Commits
- fbba1e0 Rebuild
- 933238e Update changelog and version after v4.35.3
- e46ed2c Merge pull request #3867 from github/update-v4.35.3-8c6e48dbe
- b73d1d1 Add changelog entry for #3853
- 24e0bb0 Reorder changelog entries
- ec298da Update changelog for v4.35.3
- 8c6e48d Merge pull request #3865 from github/update-bundle/codeql-bundle-v2.25.3
- 7190983 Add changelog note
- 2bb2095 Update default bundle to codeql-bundle-v2.25.3

Updates `actions/setup-python` from 5 to 6

Release notes

Sourced from actions/setup-python's releases.

... (truncated)

Commits
- a309ff8 Bump urllib3 from 2.6.0 to 2.6.3 in /tests/data (#1264)
- bfe8cc5 Upgrade @actions dependencies to Node 24 compatible versions (#1259)
- 4f41a90 Bump urllib3 from 2.5.0 to 2.6.0 in /tests/data (#1253)
- 83679a8 Bump @types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel ...
- bfc4944 Bump prettier from 3.5.3 to 3.6.2 (#1234)
- 97aeb3e Bump requests from 2.32.2 to 2.32.4 in /tests/data (#1130)
- 443da59 Bump actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pi...
- cfd55ca graalpy: add graalpy early-access and windows builds (#880)
- bba65e5 Bump typescript from 5.4.2 to 5.9.3 and update docs/advanced-usage.md (#1094)
- 18566f8 Improve wording and "fix example" (remove 3.13) on testing against pre-releas...

Updates `actions/upload-pages-artifact` from 3 to 5

Release notes

Sourced from actions/upload-pages-artifact's releases.

Commits
- fc324d3 Merge pull request #139 from Tom-van-Woudenberg/patch-1
- fe9d4b7 Merge branch 'main' into patch-1
- 0ca1617 Merge pull request #137 from jonchurch/include-hidden-files
- 57f0e84 Update action.yml
- 4a90348 v7 --> hash
- 56f665a Update upload-artifact action to version 7
- f7615f5 Add `include-hidden-files` input
- 7b1f4a7 Merge pull request #127 from heavymachinery/pin-sha
- 4cc19c7 Pin `actions/upload-artifact` to SHA
- 2d163be Merge pull request #107 from KittyChiu/main

Updates `actions/deploy-pages` from 4 to 5

Release notes

Sourced from actions/deploy-pages's releases.

... (truncated)

Commits
- cd2ce8f Merge pull request #404 from salmanmkc/node24
- bbe2a95 Update Node.js version to 24.x
- 854d7aa Merge pull request #374 from actions/Jcambass-patch-1
- 306bb81 Add workflow file for publishing releases to immutable action package
- b742728 Merge pull request #360 from actions/dependabot/npm_and_yarn/npm_and_yarn-513...
- 7273294 Bump braces in the npm_and_yarn group across 1 directory
- 963791f Merge pull request #361 from actions/dependabot-friendly
- 51bb29d Make the rebuild dist workflow safer for Dependabot
- 89f3d10 Merge pull request #358 from actions/dependabot/npm_and_yarn/non-breaking-cha...
- bce7355 Merge branch 'main' into dependabot/npm_and_yarn/non-breaking-changes-99c12deb21

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions