chore(deps): update github-actions#613

Closed
renovate[bot] wants to merge 1 commit into main from renovate/github-actions

@renovate renovate Bot commented May 4, 2026

Contributor

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/cache (changelog) | action | digest | 1bd1e32 → 0057852 |
| github/codeql-action (changelog) | action | digest | 9e0d7b8 → 8aad20d |
| marocchino/sticky-pull-request-comment | action | patch | v2.9.1 → v2.9.4 |

Release Notes

marocchino/sticky-pull-request-comment (marocchino/sticky-pull-request-comment)

v2.9.4

Compare Source

What's Changed

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.3...v2.9.4

v2.9.3

Compare Source

What's Changed
  • Update deps (including security issues)
  • Test with vitest instead of jest
  • Use biome

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.2...v2.9.3

v2.9.2

Compare Source

What's Changed

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.1...v2.9.2


Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • "before 6am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title chore(deps): pin dependencies chore(deps): pin dependencies - autoclosed May 12, 2026
@renovate renovate Bot closed this May 12, 2026
@renovate renovate Bot deleted the renovate/github-actions branch May 12, 2026 05:07
@renovate renovate Bot changed the title chore(deps): pin dependencies - autoclosed chore(deps): update actions/cache digest to 0057852 May 18, 2026
@renovate renovate Bot reopened this May 18, 2026
@renovate renovate Bot force-pushed the renovate/github-actions branch 2 times, most recently from ab4913f to c7befcc Compare May 18, 2026 07:48
@renovate renovate Bot changed the title chore(deps): update actions/cache digest to 0057852 chore(deps): update github-actions May 19, 2026
@renovate renovate Bot force-pushed the renovate/github-actions branch 2 times, most recently from c06a650 to e6b8878 Compare May 22, 2026 14:49
@renovate renovate Bot force-pushed the renovate/github-actions branch from e6b8878 to 7af9554 Compare May 22, 2026 16:58

@jrusso1020 jrusso1020 left a comment

Collaborator

Verdict

Approve. Clean, low-risk Renovate GitHub Actions digest bump. All 30+ required checks green, and I verified every pinned digest against the upstream repos rather than trusting the comment annotations:

| Action | New SHA | Resolves to |
|---|---|---|
| actions/cache | 0057852 | v4.3.0 (latest v4.x) ✅ real commit, correct tag |
| github/codeql-action/{init,analyze} | 7211b7c | v4.36.0 ✅ real commit, correct tag |
| marocchino/sticky-pull-request-comment | 7737449 | v2.9.4 (exact tag object SHA) ✅ real commit, correct tag |

sticky-pull-request-comment v2.9.1→v2.9.4 is patch-level (transitive dep/security bumps — undici, octokit); it's used only in the continue-on-error Fallow-audit comment step, so no blast radius even on regression.

Nit (non-blocking)

The PR body table advertises codeql-action 8aad20d (= v4.36.2), but the diff actually pins 7211b7c (= v4.36.0) — Renovate rebased the branch since the body was generated and the table went stale. Both are legitimate codeql v4 releases; merging takes v4.36.0 and Renovate's immortal PR will follow up to bump the remaining two patch versions. Worth nothing more than awareness.

@jrusso1020

Collaborator

Closing as stale/unmergeable.

Why: This branch's last real commit is 2026-05-22 (409 commits behind main). The action-pin bumps themselves are still valid and verified safe (actions/cache→v4.3.0 0057852, codeql-action→v4.36.0 7211b7c, sticky-pull-request-comment→v2.9.4 7737449 — all confirmed against upstream tags), and main is still on the old pins. But a fresh CI re-run today fails two required checks (Test, Tests on windows-latest) on unrelated @hyperframes/core gsap-parser tests — pure stale-branch rot, nothing to do with the 3-line workflow-YAML diff. The repo ruleset is non-strict (strict_required_status_checks_policy: false) so it doesn't need an up-to-date branch to merge, but it does need green CI, which only a rebase onto current main would restore.

Why not just rebase-and-merge: the branch touches .github/workflows/ and the org enforces signed commits, so only Renovate can rebase it. Ticking the rebase checkbox was acknowledged (box unchecked) but produced no new commit — and the whole Renovate fleet in this repo (#613, #614, #711) has been frozen since 2026-05-22, which suggests Renovate currently can't push here (likely the org-wide signed-commits ruleset blocking the bot, or a lost workflows:write permission). That's the real blocker worth fixing, since it's stalling all dependency updates.

Renovate will recreate a fresh PR for these pins on its next healthy run.

@jrusso1020 jrusso1020 closed this Jun 13, 2026
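
The digest check both review comments describe (each pinned SHA confirmed against the upstream tag rather than the annotation beside it), sketched as an added example; it is not code from this repository or from Renovate. The action names and 40-character SHAs are constructed placeholders, and the `git ls-remote --tags` output is embedded so the block runs offline.

```python
import re

# Pin-with-annotation form: `uses: owner/repo[/subpath]@<40-hex sha> # <tag>`
USES_RE = re.compile(
    r"uses:\s*(?P<repo>[\w.-]+/[\w.-]+)(?:/[^@\s]*)?@(?P<sha>[0-9a-f]{40})\s*#\s*(?P<tag>\S+)"
)

def parse_ls_remote(text):
    """Parse `git ls-remote --tags` output into {tag: {"object": sha, "commit": sha}}.

    An annotated tag is listed twice: refs/tags/X is the tag object and
    refs/tags/X^{} is the commit it peels to. A lightweight tag has one line.
    """
    tags = {}
    for line in text.strip().splitlines():
        sha, ref = line.split()
        name = ref.removeprefix("refs/tags/")
        if name.endswith("^{}"):
            tags.setdefault(name[:-3], {})["commit"] = sha
        else:
            entry = tags.setdefault(name, {})
            entry["object"] = sha
            entry.setdefault("commit", sha)  # lightweight tag: object is the commit
    return tags

def check_pins(workflow_text, remote_tags):
    """Return (repo, annotated_tag, verdict) for every SHA-pinned `uses:` line."""
    results = []
    for m in USES_RE.finditer(workflow_text):
        entry = remote_tags.get(m["repo"], {}).get(m["tag"])
        if entry is None:
            verdict = "unknown-tag"
        elif m["sha"] == entry["commit"]:
            verdict = "ok-commit"
        elif m["sha"] == entry.get("object"):
            verdict = "ok-tag-object"  # pin is the tag object, not the peeled commit
        else:
            verdict = "mismatch"       # SHA is not the one the annotated tag resolves to
        results.append((m["repo"], m["tag"], verdict))
    return results

# Constructed data: hypothetical action names, placeholder SHAs.
C1, C2, C2B, C3, T3 = "1" * 40, "2" * 40, "5" * 40, "3" * 40, "4" * 40
REMOTE = {
    "example-org/cache-action": parse_ls_remote(f"{C1}\trefs/tags/v4.3.0"),
    "example-org/scan-action": parse_ls_remote(f"{C2}\trefs/tags/v4.36.0\n{C2B}\trefs/tags/v4.36.2"),
    "example-org/comment-action": parse_ls_remote(f"{T3}\trefs/tags/v2.9.4\n{C3}\trefs/tags/v2.9.4^{{}}"),
}
WORKFLOW = f"""
  - uses: example-org/cache-action@{C1} # v4.3.0
  - uses: example-org/scan-action/init@{C2} # v4.36.2
  - uses: example-org/comment-action@{T3} # v2.9.4
"""
```

The second constructed line carries a version annotation that does not match its SHA, the same kind of drift the review's nit describes between the PR body and the diff.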