Bump the actions group across 1 directory with 2 updates #52
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps the actions group with 2 updates in the / directory: [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) and [actions/download-artifact](https://github.com/actions/download-artifact).

Updates `peter-evans/create-pull-request` from 7.0.11 to 8.1.1
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](peter-evans/create-pull-request@22a9089...5f6978f)

Updates `actions/download-artifact` from 7.0.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@37930b1...3e5f45b)

---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
  dependency-version: 8.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
AndrewEhlo
left a comment
- peter-evans/create-pull-request v7.0.11 → v8.1.1
File: auto-update-templates.yml:48
Breaking change in v8.0.0: Requires Actions Runner v2.327.1+ for Node 24 support.
Verdict: SAFE. Runs on ubuntu-latest (GitHub-hosted), so the Node 24 runner requirement is already satisfied. Inputs used (commit-message, title, branch, delete-branch, body) are unchanged in v8. No deprecated params.
- actions/download-artifact v7.0.0 → v8.0.1 ⚠️
File: docker-image-vulnerability-process.yml:87
Breaking changes in v8.0.0:
- Hash mismatch now errors by default (was warning in v7). Controlled by new `digest-mismatch` parameter (`error` | `warn` | `ignore`).
- ESM migration — transparent unless you're forking the action.
- No longer auto-unzips non-zipped downloads (detects via Content-Type). New `skip-decompress` param. Only affects artifacts uploaded with direct-upload mode in upload-artifact.
Verdict: LOW-MEDIUM RISK, but watch carefully.
This step only runs when trivyMode == 'tarball', which is not the default ('normal'). So most callers won't even hit it.
The current consumer at docker-image-vulnerability-process.yml:101 expects the structure ./image.tar/.tar — meaning the producer is uploading the .tar file as artifact content, GH wraps it in a zip, and download-artifact unzips it back. That flow is unchanged in v8 (standard zipped artifacts still get unzipped).
The new "error on hash mismatch" default is the only behavioral surprise. If an upstream upload-artifact step produces a corrupted/digest-mismatched artifact, the workflow now fails instead of silently warning — arguably an improvement, but it could turn a previously-passing run into a failure.
Inconsistency worth flagging
Line 110 still uses `actions/upload-artifact@... # v7` (the inline comment says v7, but pinact pinned the actual SHA). If you take the v8 download-artifact bump, the v7 producer/consumer pairing in this same file becomes slightly off-tempo. Functionally fine — v7 upload + v8 download interoperate — but it's an asymmetry to be aware of (Dependabot will likely propose the upload-artifact v8 bump separately when it groups them next).
Recommendation
Safe to merge. If you want belt-and-suspenders for the download-artifact change, add `digest-mismatch: warn` to preserve v7 semantics:

```yaml
- name: Download Docker image from tarball
  if: ${{ inputs.trivyMode == 'tarball' }}
  uses: actions/download-artifact@3e5f45b # v8.0.1
  with:
    name: ${{ inputs.imageTarName }}
    path: './${{ inputs.imageTarName }}'
    digest-mismatch: warn
```
But I'd lean toward leaving the new error default in place — failing loudly on a corrupted artifact before Trivy scans an unknown blob is the right behavior for a vulnerability-scanning workflow.
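The two things the review above checks by hand (a SHA pin whose inline version comment has drifted, and an upload-artifact/download-artifact pairing on different majors in the same file) can be audited mechanically. This is an added example, not code from the PR or the repository; the workflow excerpt and the 40-hex upload-artifact pin are constructed placeholders, and only the short `3e5f45b` and `5f6978f` SHAs come from this PR.

```python
import re
from collections import defaultdict

# Matches `uses: owner/repo@<ref>  # vX.Y.Z`; the version comment is optional.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+)@(?P<ref>\S+)"
    r"(?:\s*#\s*v?(?P<ver>\d+(?:\.\d+)*))?\s*$"
)
ARTIFACT_PAIR = ("actions/upload-artifact", "actions/download-artifact")

# Constructed workflow excerpt (not the repository's file); the upload-artifact
# SHA is a placeholder, the other two short SHAs are the ones this PR bumps to.
CONSTRUCTED_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - name: Download Docker image from tarball
        uses: actions/download-artifact@3e5f45b # v8.0.1
      - name: Upload report
        uses: actions/upload-artifact@abcdef0123456789abcdef0123456789abcdef01 # v7
      - uses: peter-evans/create-pull-request@5f6978f
"""


def parse_uses(text):
    """Return (line_no, action, ref, version_comment_or_None) per uses: line."""
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            found.append((no, m["action"], m["ref"], m["ver"]))
    return found


def audit(text):
    """Flag mutable refs, SHA pins lacking a version comment, and an
    upload/download-artifact major-version asymmetry within one file."""
    issues, majors = [], defaultdict(set)
    for no, action, ref, ver in parse_uses(text):
        if not re.fullmatch(r"[0-9a-f]{7,40}", ref):
            issues.append(f"line {no}: {action} uses mutable ref {ref}, not a commit SHA")
        elif ver is None:
            issues.append(f"line {no}: {action} pinned to {ref} with no version comment")
        if ver and action in ARTIFACT_PAIR:
            majors[action].add(int(ver.split(".")[0]))
    up, down = majors[ARTIFACT_PAIR[0]], majors[ARTIFACT_PAIR[1]]
    if up and down and up != down:
        issues.append(f"upload-artifact v{sorted(up)} vs download-artifact v{sorted(down)}: producer/consumer major mismatch")
    return issues
```

Run `audit()` over each file under `.github/workflows/` in CI; on the constructed excerpt it reports the unpinned checkout, the comment-less create-pull-request pin, and the v7/v8 artifact asymmetry.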
Looks like these dependencies are updatable in another way, so this is no longer needed.
Updates `peter-evans/create-pull-request` from 7.0.11 to 8.1.1

Release notes: sourced from peter-evans/create-pull-request's releases.

Commits
- 5f6978f fix: retry post-creation API calls on 422 eventual consistency errors (#4356)
- d32e88d build(deps-dev): bump the npm group with 3 updates (#4349)
- 8170bcc build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 (#4344)
- 0041819 build(deps): bump picomatch (#4339)
- b993918 build(deps-dev): bump flatted from 3.3.1 to 3.4.2 (#4334)
- 36d7c84 build(deps-dev): bump undici from 6.23.0 to 6.24.0 (#4328)
- a45d1fb build(deps): bump @tootallnate/once and jest-environment-jsdom (#4323)
- 3499eb6 build(deps): bump the github-actions group with 2 updates (#4316)
- 3f3b473 build(deps): bump minimatch (#4311)
- 6699836 build(deps-dev): bump the npm group with 2 updates (#4305)

Updates `actions/download-artifact` from 7.0.0 to 8.0.1

Release notes: sourced from actions/download-artifact's releases.

Commits
- 3e5f45b Add regression tests for CJK characters (#471)
- e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
- 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
- f258da9 Add change docs
- ccc058e Fix linting issues
- bd7976b Add a setting to specify what to do on hash mismatch and default it to error
- ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
- 15999bf Add note about package bumps
- 974686e Bump the version to v8 and add release notes
- fbe48b1 Update test names to make it clearer what they do

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions