
chore(deps): bump the github-actions group across 1 directory with 2 updates #1960

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github-actions-97accce477

Conversation

dependabot[bot] commented on behalf of github, Jun 30, 2026


Bumps the github-actions group with 2 updates in the / directory: actions/checkout and actions/download-artifact.

Updates actions/checkout from 6.0.2 to 7.0.0

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

Commits

Updates actions/download-artifact from 4.3.0 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

v7.0.0

v7 - What's new

[!IMPORTANT] actions/download-artifact@v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

... (truncated)

Commits
  • 3e5f45b Add regression tests for CJK characters (#471)
  • e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
  • 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
  • f258da9 Add change docs
  • ccc058e Fix linting issues
  • bd7976b Add a setting to specify what to do on hash mismatch and default it to error
  • ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
  • 15999bf Add note about package bumps
  • 974686e Bump the version to v8 and add release notes
  • fbe48b1 Update test names to make it clearer what they do
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…updates

Bumps the github-actions group with 2 updates in the / directory: [actions/checkout](https://github.com/actions/checkout) and [actions/download-artifact](https://github.com/actions/download-artifact).


Updates `actions/checkout` from 6.0.2 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v6.0.2...v7)

Updates `actions/download-artifact` from 4.3.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v4.3.0...3e5f45b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 30, 2026
@dependabot dependabot Bot requested a review from a team June 30, 2026 14:46
n: ${{ steps.gen.outputs.n }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0
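Review bot: the trailing annotation on the changed line still reads `# v5.0.0` while the pin moves from `de0fac2e…` to `9c091bb2…`, which the PR description ships as the actions/checkout 6.0.2 to 7.0.0 bump; update the comment to `# v7.0.0` so the annotation matches the SHA, since the comment is what a reviewer reads when deciding which release notes apply and a stale one hides the major-version jump. Keeping the full 40-character SHA as the pin itself is the right choice and should stay.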


🟣 The actions/checkout SHA on lines 48, 90, and 130 was bumped to 9c091bb2... (v7.0.0) — the same SHA that every other workflow in this PR annotates with # v7.0.0 — but these three lines still trail with # v5.0.0, a two-major-version lie. The mismatch is pre-existing (prior SHA de0fac2... was v6.0.2 with the same # v5.0.0 comment), but this PR widens the gap and is the natural place to fix it: update all three trailing comments from # v5.0.0 to # v7.0.0.

Extended reasoning...

What the bug is

In .github/workflows/collectivex-sweep.yml, three actions/checkout step pins (lines 48, 90, 130) were bumped from SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd to 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0. The new SHA is unambiguously actions/checkout v7.0.0 — every other workflow file in this same PR pins the identical SHA with a # v7.0.0 comment (e.g. benchmark-tmpl.yml, claude-pr-review.yml, codeowner-signoff-verify.yml, e2e-tests.yml, profile.yml, run-sweep.yml, etc.). However, in this file the trailing comment was left as # v5.0.0, producing a two-major-version mismatch between the pin and its annotation.

How it manifests / why existing code doesn't prevent it

This is a pre-existing mismatch: the previous pin de0fac2... is actions/checkout v6.0.2 (confirmable from every other workflow's pre-PR # v6.0.2 comment), yet this file's comment was already # v5.0.0 before this PR. Dependabot updates the SHA but does not normalize an already-wrong trailing comment, so the bump from v6 to v7 propagated without fixing the lie — and future dependabot bumps will continue to do so. Nothing in the workflow currently parses or validates that the comment matches the pinned SHA.

Impact

Runtime behavior is unaffected — the SHA wins, so v7.0.0 is what actually runs. The harm is documentation/maintenance:

  • A reviewer reading # v5.0.0 will look up v5 release notes and miss v7's new behavior, most notably the new pull_request_target/workflow_run fork-blocking semantics introduced in v7 (PR #2454).
  • Auditors checking pinned versions will see an inconsistency between what is pinned and what is labeled, eroding trust in the workflow file as an accurate record of what runs.
  • Future dependabot bumps will continue carrying the wrong comment forward indefinitely.

Step-by-step proof

  1. Open the PR diff for .github/workflows/collectivex-sweep.yml. Three hunks change actions/checkout lines (the setup, sweep, and aggregate jobs). Each hunk is of the form:

    -      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0
    +      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0
    

    The SHA changed; the trailing # v5.0.0 comment did not.

  2. Cross-check the new SHA against any other workflow in this PR — e.g. .github/workflows/claude-pr-review.yml:

    -        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    +        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
    

    Same SHA, comment # v7.0.0. The dependabot PR description also confirms this is the v7.0.0 release: actions/checkout/commit/9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 is listed under the v7.0.0 commits, and the previous de0fac2... is v6.0.2 (every other workflow's pre-PR pin used that SHA with # v6.0.2).

  3. Conclusion: on lines 48, 90, and 130 of collectivex-sweep.yml, the SHA pins v7.0.0 but the comment claims v5.0.0 — a two-major-version mismatch.

How to fix

Change the trailing comment on all three lines from # v5.0.0 to # v7.0.0:

Suggested change
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

(apply the same one-character — well, two-digit — fix to lines 48, 90, and 130.)
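The comment above notes that nothing in the repository validates that a pin's trailing comment matches the pinned SHA. The following check is an added example, not part of this PR or the project's code: it parses `uses:` pins from workflow text, flags refs that are not full SHAs or carry no annotation, and reports any single SHA annotated with different version comments across files, which is exactly the v5.0.0 / v7.0.0 split found here. The file names and lines are constructed from the PR's own example.

```python
import re
from collections import defaultdict

# Constructed sample input (not files from the PR): the same actions/checkout SHA
# annotated "# v5.0.0" in one workflow and "# v7.0.0" in another, plus one tag pin.
WORKFLOWS = {
    ".github/workflows/collectivex-sweep.yml": (
        "    steps:\n"
        "      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0\n"
        "      - uses: actions/download-artifact@v4\n"
    ),
    ".github/workflows/claude-pr-review.yml": (
        "    steps:\n"
        "      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0\n"
    ),
}

USES_RE = re.compile(r"uses:\s*(?P<action>[^\s@]+)@(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_uses(files):
    """Yield (path, lineno, action, ref, comment) for every `uses: owner/repo@ref` step."""
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = USES_RE.search(line)
            if m:
                yield path, lineno, m["action"], m["ref"], m["comment"]

def find_problems(files):
    """Return findings: mutable refs, unannotated SHA pins, and SHAs annotated inconsistently."""
    problems = []
    seen = defaultdict(lambda: defaultdict(list))  # (action, sha) -> comment -> [locations]
    for path, lineno, action, ref, comment in parse_uses(files):
        loc = f"{path}:{lineno}"
        if not SHA_RE.match(ref):
            problems.append(f"{loc}: {action}@{ref} is a mutable ref, not a 40-hex SHA pin")
        elif comment is None:
            problems.append(f"{loc}: {action}@{ref[:7]} has no version comment")
        else:
            seen[(action, ref)][comment].append(loc)
    # One SHA resolves to exactly one release, so its annotations must all agree.
    for (action, sha), by_comment in seen.items():
        if len(by_comment) > 1:
            detail = "; ".join(f"{c} at {', '.join(locs)}" for c, locs in sorted(by_comment.items()))
            problems.append(f"{action}@{sha[:7]} annotated inconsistently: {detail}")
    return problems

if __name__ == "__main__":
    for problem in find_problems(WORKFLOWS):
        print(problem)
```

Running it on the constructed input reports the tag pin and the disagreeing annotations for the shared checkout SHA, with the file and line to fix for each.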
