chore(deps): bump the github-actions group across 1 directory with 3 updates #1995
Open: dependabot wants to merge 1 commit into main from dependabot/github_actions/github-actions-0fea4868d8
+31 −31
🟡 The four `actions/checkout` SHA pins in this file were bumped to `9c091bb2...` (v7.0.0) but the trailing `# v5.0.0` comments were left unchanged on lines 48, 90, 130, and 146. Every other workflow in this PR was updated to `# v7.0.0`; only this file was missed. Cosmetic only — the SHA determines the runtime version — but fixing to `# v7.0.0` keeps the file honest for reviewers.

Extended reasoning...

What the inconsistency is. In `.github/workflows/collectivex-sweep.yml`, four `actions/checkout` uses were pinned to SHA `de0fac2e4500dabe0009e67214ff5f5447ce83dd` with a trailing `# v5.0.0` comment. That comment was already inaccurate before this PR (that SHA is the v6.0.2 tag — every other file in this repo annotates it as `# v6.0.2`), but Dependabot only rewrites the version comment when it matches the format it expects. Since this file's comment said `# v5.0.0` rather than `# v6.0.2`, Dependabot bumped the SHA to `9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0` (v7.0.0) and left the comment alone.

Why it's misleading. A reader scanning `git diff` sees `# v5.0.0` on both sides of the hunk and reasonably concludes the workflow is still on v5. In reality, the SHA now resolves to v7.0.0 — a major-version upgrade with a breaking change (v7.0.0 blocks checking out fork PRs for `pull_request_target` and `workflow_run`, per the release notes in the PR description). Hiding a major bump behind an incorrect comment degrades reviewer trust in every future dependabot bump of this file.

Cross-checking every other file in this PR. `benchmark-multinode-tmpl.yml`, `benchmark-tmpl.yml`, `claude-pr-review.yml`, `codeowner-signoff-verify.yml`, `collect-evals.yml`, `collect-results.yml`, `e2e-tests.yml`, `profile.yml`, `run-sweep.yml`, `speedbench-al.yml`, `test-changelog-gate.yml`, `test-matrix-logic.yml`, and `test-process-result.yml` all correctly show `actions/checkout@9c091bb2... # v7.0.0` after Dependabot's bump. The SHA is identical across every file. Only `collectivex-sweep.yml` is left with the stale `# v5.0.0` on all four occurrences.

Runtime impact. None. GitHub Actions resolves `uses:` by SHA, not by the trailing comment, so the four steps will execute actions/checkout v7.0.0 exactly like every other workflow in this PR. This is purely a code-review / audit-trail issue.

Step-by-step proof.
1. Before this PR, line 48 read: `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0`. Cross-reference: `benchmark-tmpl.yml` (line 164 before this PR) had the same SHA annotated as `# v6.0.2` — confirming the pre-existing comment was already wrong (SHA `de0fac2e` = v6.0.2).
2. This PR's diff at line 48 changes only the SHA: `+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0`.
3. Cross-reference the new SHA against `benchmark-tmpl.yml` (post-PR): `- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0`. Same SHA, correctly labeled `# v7.0.0`.
4. The PR description's Dependabot release notes explicitly confirm SHA `9c091bb` is the v7.0.0 tip commit ("update error wording (#2467)" — the last commit before v7.0.0 was cut).
5. Therefore, line 48 (and by identical logic lines 90, 130, 146) is documenting the pin as v5.0.0 when it is actually running v7.0.0.

Fix. One-line change per occurrence: replace `# v5.0.0` with `# v7.0.0` on lines 48, 90, 130, and 146 of `.github/workflows/collectivex-sweep.yml`. Nothing else needs to change.
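The review comment above describes a class of drift that is easy to miss by eye: a `uses:` line is pinned to a full commit SHA (which is what actually runs), while the trailing `# vX.Y.Z` comment (which is what reviewers read) silently goes stale. The following is an added example, not code from this repository or from Dependabot, of a small lint that catches exactly that: it parses `uses:` lines out of a workflow file, flags references that are not full-SHA pins, and compares each pinned SHA's trailing comment against a SHA-to-tag table. The table here is constructed from the two SHAs and tags quoted in the comment; in real use you would populate it from the action's tags (for example the output of `git ls-remote --tags`), and the sample workflow text is likewise constructed for the demonstration. A second helper rewrites stale or missing comments to the tag the SHA really resolves to, which is the one-line-per-occurrence fix the reviewer asks for.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches a GitHub Actions step reference such as
#   - uses: actions/checkout@<sha-or-tag> # v7.0.0
# and captures the action, the ref after '@', and the optional trailing comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed SHA -> tag table. Values come from the review comment above; in
# practice build this from the action repository's tags, never from comments.
SHA_TO_TAG: Dict[Tuple[str, str], str] = {
    ("actions/checkout", "9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0"): "v7.0.0",
    ("actions/checkout", "de0fac2e4500dabe0009e67214ff5f5447ce83dd"): "v6.0.2",
}

# Constructed sample workflow: one stale comment (the case in the PR), one
# correct pin, one unpinned floating tag, and one pin with no comment at all.
SAMPLE_WORKFLOW = """\
name: collectivex-sweep (constructed sample)
jobs:
  sweep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/checkout@v4
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    action: str
    ref: str
    comment: Optional[str]
    kind: str  # "unpinned" | "unknown-sha" | "stale-comment" | "missing-comment"
    expected: Optional[str]  # the tag the SHA actually resolves to, if known


def action_repo(action: str) -> str:
    """Reduce 'owner/repo/subdir' to 'owner/repo', the unit a SHA belongs to."""
    return "/".join(action.split("/")[:2])


def lint_workflow(text: str, sha_to_tag: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Return one Finding per `uses:` line whose pin or comment is untrustworthy."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not FULL_SHA_RE.match(ref):
            # A tag or branch can be moved; only a full SHA is an immutable pin.
            findings.append(Finding(line_no, action, ref, comment, "unpinned", None))
            continue
        tag = sha_to_tag.get((action_repo(action), ref))
        if tag is None:
            findings.append(Finding(line_no, action, ref, comment, "unknown-sha", None))
        elif comment is None:
            findings.append(Finding(line_no, action, ref, comment, "missing-comment", tag))
        elif comment != tag:
            # The PR's case: the SHA moved to v7.0.0 but the comment still says v5.0.0.
            findings.append(Finding(line_no, action, ref, comment, "stale-comment", tag))
    return findings


def fix_comments(text: str, sha_to_tag: Dict[Tuple[str, str], str]) -> str:
    """Rewrite the trailing comment of every known full-SHA pin to its real tag."""
    out: List[str] = []
    for line in text.splitlines(keepends=True):
        m = USES_RE.match(line)
        if m and FULL_SHA_RE.match(m.group("ref")):
            tag = sha_to_tag.get((action_repo(m.group("action")), m.group("ref")))
            if tag is not None and m.group("comment") != tag:
                core = line[: m.end("ref")]
                line = f"{core} # {tag}\n" if line.endswith("\n") else f"{core} # {tag}"
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW, SHA_TO_TAG):
        print(f"line {f.line_no}: {f.kind} {f.action}@{f.ref[:8]} "
              f"comment={f.comment} expected={f.expected}")
    print(fix_comments(SAMPLE_WORKFLOW, SHA_TO_TAG))
```

Run on the sample, the lint reports the stale `# v5.0.0` comment on line 6 with `expected="v7.0.0"`, the floating `@v4` on line 8 as unpinned, and the comment-less pin on line 9; the correctly annotated v6.0.2 pin on line 7 produces nothing. Because the comparison is keyed on the SHA rather than on the comment's format, it catches the case Dependabot skipped here, where the existing comment did not match what the tool expected and was therefore left untouched.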