
Bump crowdin/github-action from 2.16.0 to 2.16.2#988

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/crowdin/github-action-2.16.2


Conversation


@dependabot dependabot Bot commented on behalf of github May 5, 2026

Bumps crowdin/github-action from 2.16.0 to 2.16.2.

Release notes

Sourced from crowdin/github-action's releases.

v2.16.2

What's Changed

Full Changelog: crowdin/github-action@v2.16.1...v2.16.2

v2.16.1

What's Changed

Full Changelog: crowdin/github-action@v2.16.0...v2.16.1

Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency bump in GitHub Actions workflows; behavior should be unchanged aside from upstream Crowdin action fixes/CLI update.

Overview
Updates the crowdin/github-action used in the translation sync workflows (crowdin-pull.yml and crowdin-push.yml) from v2.16.0 to v2.16.2.

Reviewed by Cursor Bugbot for commit ad86637. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [crowdin/github-action](https://github.com/crowdin/github-action) from 2.16.0 to 2.16.2.
- [Release notes](https://github.com/crowdin/github-action/releases)
- [Commits](crowdin/github-action@v2.16.0...v2.16.2)

---
updated-dependencies:
- dependency-name: crowdin/github-action
  dependency-version: 2.16.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code labels May 5, 2026

github-actions Bot commented May 5, 2026

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying upstream changes between those tags to ground the verdict.

Verdict: benign

Why this looks safe

  • Upstream diff matches the release notes: the vendored copy shows Dockerfile pinned to crowdin/cli:4.14.2 and entrypoint.sh with normal Crowdin/git flow (including save_original_checkout_state / restore_original_checkout_state around sync), consistent with v2.16.1’s checkout-restore fix and v2.16.2’s CLI bump—not mystery behavior.
  • Scanner vs. interpretation: the report’s warn is from heuristics, not IOCs/Unicode. The shell_process_spawn hits match ordinary container setup (apk add …) and expected exec su-exec for dropping root—no hidden payload pattern. maintainer_drift for crowdin/github-action is a weak signal here (this is a GitHub Action, not an npm package in your repo); treat as scanner noise unless you have separate maintainer-compromise evidence.
  • Dependabot context: consumer change is uses: crowdin/github-action@v2.16.2 in Crowdin workflows only—no surprise lockfile/vendor/node_modules churn described; no typosquat (still crowdin/github-action).

Action: safe to merge from a supply-chain perspective; optional sanity check on GitHub that tag v2.16.2 points at the expected commit(s) from the PR body if you want belt-and-suspenders verification.

Compatibility Analysis

Tracing usage of crowdin/github-action and comparing upstream changes to assess compatibility.

1) Where it’s used

crowdin/github-action is referenced only in CI workflows:

  • .github/workflows/crowdin-push.yml (uses: crowdin/github-action@v2.16.2, ~line 37): upload sources only (upload_sources: true, no download/PR).
  • .github/workflows/crowdin-pull.yml — same action (~line 59): download translations, create_pull_request: true, localization_branch_name, skip_ref_checkout: "true", GPG-related with: fields, etc.

Other hits are metadata/scanner artifacts, not runtime usage.

2) Overlap with upstream changes

From .upstream-dependency, v2.16.0..v2.16.2 changes only:

  • Dockerfile — image crowdin/cli 4.14.1 → 4.14.2 (matches release notes).
  • entrypoint.sh — save/restore original git checkout around localization branch push/PR flow; push_to_branch refactored to track RESULT and always attempt restore.

action.yml has no diff in that range, so the declared inputs/outputs surface is unchanged. Your workflows only pass documented with: keys; nothing here depends on removed or renamed inputs.

The checkout-restore work aligns with crowdin-pull.yml, which uses branch sync / PR creation (skip_ref_checkout: "true" is exactly the kind of path that needed crowdin/github-action#311). crowdin-push.yml is upload-only and is largely unaffected aside from running on a newer CLI image.

3) Risks / unknowns

  • Crowdin CLI patch (4.14.2): small chance of download/upload edge-case or API behavior differences; typical patch risk, not indicated in notes as breaking.
  • push_to_branch refactor: behavior change is intentional (restore checkout; cleaner exit codes when there’s nothing to commit). Worth smoke-testing the pull workflow once (manual workflow_dispatch or wait for scheduled run) to confirm PR/branch behavior still matches expectations.
  • Not a code API break for this repo: no library integration, only GitHub Actions YAML.

4) Recommendation

Merge — patch-level action bump, no action.yml contract change, and the entrypoint fix targets the pull/sync workflow you actually use for localization branches. Residual risk is low and routine verification of the Crowdin pull job is enough.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 2
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 7ca9c452bfe9197d3bb7fa83a4d7e2b0c9ae835d..8868a33591d21088edfc398968173a3b98d51706
  • Resolved refs: from=7ca9c452bfe9197d3bb7fa83a4d7e2b0c9ae835d to=8868a33591d21088edfc398968173a3b98d51706
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 3

Top findings

  • Dockerfile:3 shell_process_spawn :: RUN apk --no-cache add curl git git-lfs jq gnupg su-exec;
  • entrypoint.sh:9 shell_process_spawn :: exec su-exec "$TARGET_USER" "$0" "$@"
  • crowdin/github-action:0 maintainer_drift :: 2.16.0->2.16.2
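The analysis above turns on one `uses:` reference moving from one mutable tag to another. As an added example (not code from the PR, from Dependabot, or from Cursor), the following Python audits `uses:` references in workflow text, distinguishes full commit-SHA pins from mutable tag or branch refs, and extracts the version bump the way this PR describes it. The workflow fragment, the `setup-tools` local action and the checkout SHA in it are constructed for the example, modelled on the crowdin-pull.yml step this PR changes.

```python
import re
from dataclasses import dataclass

# `uses: owner/repo[/path]@ref`, optionally quoted; a trailing `# comment` is
# excluded from the captured reference. Local (./) and docker:// actions are
# captured too and classified separately, since they carry no pinnable ref.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?(?P<ref>[^"\'\s#]+)', re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")


@dataclass(frozen=True)
class ActionRef:
    action: str  # e.g. "crowdin/github-action"
    ref: str     # e.g. "v2.16.2", a 40-hex commit SHA, or a branch name
    kind: str    # "sha" | "tag" | "branch" | "local" | "docker"


def classify(uses_value: str) -> ActionRef:
    """Classify one `uses:` value by how (and whether) it is pinned."""
    if uses_value.startswith("./"):
        return ActionRef(uses_value, "", "local")
    if uses_value.startswith("docker://"):
        return ActionRef(uses_value, "", "docker")
    action, _, ref = uses_value.partition("@")
    if FULL_SHA_RE.fullmatch(ref):
        kind = "sha"          # immutable: the content cannot change under you
    elif VERSION_TAG_RE.fullmatch(ref):
        kind = "tag"          # mutable: a tag can be moved or re-pushed upstream
    else:
        kind = "branch"       # @main, an abbreviated SHA, or a missing ref
    return ActionRef(action, ref, kind)


def audit_workflow(text: str) -> list[ActionRef]:
    """All action references in a workflow file, in order of appearance."""
    return [classify(m.group("ref")) for m in USES_RE.finditer(text)]


def unpinned(refs: list[ActionRef]) -> list[ActionRef]:
    """Third-party actions that are not pinned to a full commit SHA."""
    return [r for r in refs if r.kind in ("tag", "branch")]


def version_bumps(old_text: str, new_text: str) -> dict[str, tuple[str, str]]:
    """Actions whose ref changed between two versions of a workflow,
    reported the way Dependabot words it: action -> (old ref, new ref)."""
    old = {r.action: r.ref for r in audit_workflow(old_text) if r.ref}
    new = {r.action: r.ref for r in audit_workflow(new_text) if r.ref}
    return {a: (old[a], new[a]) for a in old if a in new and old[a] != new[a]}


# Constructed sample modelled on the crowdin-pull.yml step this PR changes;
# the checkout SHA below is a made-up placeholder, not a real commit.
OLD_WORKFLOW = """\
name: Crowdin pull
on: workflow_dispatch
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: ./.github/actions/setup-tools
      - name: crowdin action
        uses: crowdin/github-action@v2.16.0
        with:
          download_translations: true
          create_pull_request: true
          skip_ref_checkout: "true"
"""
NEW_WORKFLOW = OLD_WORKFLOW.replace("crowdin/github-action@v2.16.0",
                                    "crowdin/github-action@v2.16.2")

if __name__ == "__main__":
    for r in unpinned(audit_workflow(NEW_WORKFLOW)):
        print(f"not SHA-pinned: {r.action}@{r.ref} ({r.kind})")
    for action, (old, new) in version_bumps(OLD_WORKFLOW, NEW_WORKFLOW).items():
        print(f"bump: {action} {old} -> {new}")
```

Run on the sample, the audit reports `crowdin/github-action@v2.16.2` as tag-pinned and the bump as `v2.16.0 -> v2.16.2`; the same pass over a real `.github/workflows/` directory is the cheap check that complements the scanner's tag_range resolution above, because a tag pin means the commit that actually runs is whatever the tag points at on the day of the run.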


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.



- name: crowdin action
uses: crowdin/github-action@v2.16.0
uses: crowdin/github-action@v2.16.2
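Review bot: the changed line still pins the action to the mutable tag `v2.16.2`, so the workflow runs whatever commit that tag points at when the job starts. The dependency analysis above resolved this range to `8868a33591d21088edfc398968173a3b98d51706`; pinning to that commit with the tag as a comment, `uses: crowdin/github-action@8868a33591d21088edfc398968173a3b98d51706 # v2.16.2`, keeps Dependabot able to bump it while removing the retag risk. Separately, the Bugbot finding below reports that the upstream checkout-restore change moves the follow-up compile-and-commit step in crowdin-pull.yml off `l10n_crowdin_translations`, so that step should be verified (a manual workflow_dispatch run, as the analysis suggests) before merging.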


Translations commit targets wrong branch

Medium Severity

crowdin/github-action@v2.16.2 restores the original checkout after syncing the localization branch, so the follow-up compile-and-commit step no longer runs on l10n_crowdin_translations. The compiled translation changes are left on the original checkout and are not included in the Crowdin PR.



dependabot Bot commented on behalf of github May 28, 2026

Looks like crowdin/github-action is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this May 28, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/crowdin/github-action-2.16.2 branch May 28, 2026 01:24