2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Expand Up @@ -16,7 +16,7 @@ jobs:
container:
image: golang:1.26.4
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

Contributor


Potential issue: actions/checkout@v7 may not exist. As of the latest known releases, actions/checkout@v4 is the latest stable major version. Jumping from v4 directly to v7 (skipping v5 and v6) is unusual. If this tag does not exist on the actions/checkout repository, all CI jobs will fail immediately at the checkout step.

Please verify that actions/checkout@v7 has actually been released before merging. You can check at https://github.com/actions/checkout/releases.


- name: Trust workspace
run: git config --global safe.directory '*'
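Review bot: the checkout bump skips two majors in a job that runs inside `container: golang:1.26.4`; a new major of a JavaScript action can declare a newer Node runtime that the runner has to mount into that container, so run this workflow on a branch before merging to confirm the runner supports what the new major requires. Since the tag is mutable, prefer pinning to the full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v7`, which also settles the existence question raised above from the pinned commit itself.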
6 changes: 3 additions & 3 deletions .github/workflows/deploy-pages.yml
Expand Up @@ -22,7 +22,7 @@ jobs:
container:
image: node:20
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

Contributor


Potential issue: Verify action version exists. The version has been bumped from v4 to v7, skipping two major versions. If actions/checkout@v7 does not exist, this workflow will fail immediately at runtime. Please verify that this tag actually exists in the actions/checkout repository before merging. The same concern applies to the other version bumps across your workflows (upload-artifact@v7, download-artifact@v8, upload-pages-artifact@v5, deploy-pages@v5).


- name: Trust workspace
run: git config --global safe.directory '*'
Expand All @@ -41,7 +41,7 @@ jobs:
cp -r pages/dist/* _site/
cp pages/logo.svg _site/logo.svg

- uses: actions/upload-pages-artifact@v3
- uses: actions/upload-pages-artifact@v5
with:
path: _site

Expand All @@ -56,4 +56,4 @@ jobs:
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
uses: actions/deploy-pages@v5
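Review bot: `actions/upload-pages-artifact` (bumped to v5 in the hunk above) and `actions/deploy-pages` (bumped to v5 here) are a coupled pair: the deploy action must understand the artifact format the upload action produces, and their release notes state which majors belong together. Confirm the two v5 releases are documented as compatible and keep them bumped in the same PR, as done here, since a mismatch only surfaces at deploy time rather than at upload.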
2 changes: 1 addition & 1 deletion .github/workflows/ocr-review.yml
Expand Up @@ -111,7 +111,7 @@ jobs:
cat /tmp/ocr-stderr.log

- name: Post review comments to PR
uses: actions/github-script@v7
uses: actions/github-script@v9

Contributor


Potentially non-existent action version: actions/github-script@v9 may not exist. The latest known stable major version is v7. Using a non-existent tag will cause the workflow to fail at runtime. Please verify that v9 has actually been published before merging.

with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
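Review bot: a two-major bump of `actions/github-script` changes the bundled `@actions/github` and Octokit versions exposed to the inline `script:` below, so re-run the OCR review workflow against a test PR to confirm the review comments are still posted before merging. The step already uses the job-scoped `secrets.GITHUB_TOKEN` rather than a personal token, which keeps the blast radius of a broken or compromised action version limited to this repository's token permissions; keep it that way when adjusting the script for the new API surface.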
14 changes: 7 additions & 7 deletions .github/workflows/release.yml
Expand Up @@ -28,7 +28,7 @@ jobs:
- goos: windows
goarch: arm64
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

- name: Trust workspace
run: git config --global safe.directory '*'
Expand All @@ -50,7 +50,7 @@ jobs:
go build -ldflags "${LD_FLAGS}" -o "${BIN_NAME}" ./cmd/opencodereview
echo "bin_name=${BIN_NAME}" >> $GITHUB_ENV

- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@v7
with:
name: binary-${{ matrix.goos }}-${{ matrix.goarch }}
path: ${{ env.bin_name }}
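Review bot: `upload-artifact@v7` here and `download-artifact@v8` in the two later jobs of this file must be a compatible pair; artifact majors are coupled, and a mismatch fails only at download time, after the whole build matrix has already run. Confirm the release notes document v7 upload with v8 download, and that the `pattern: binary-*` and `merge-multiple: true` options used by the download steps are still supported in v8.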
Expand All @@ -64,7 +64,7 @@ jobs:
- name: Install git
run: apt-get update && apt-get install -y git

- uses: actions/checkout@v4
- uses: actions/checkout@v7
with:
fetch-depth: 0

Expand Down Expand Up @@ -129,7 +129,7 @@ jobs:
echo "RELEASE_NOTES_EOF"
} >> "$GITHUB_OUTPUT"

- uses: actions/download-artifact@v4
- uses: actions/download-artifact@v8
with:
pattern: binary-*
merge-multiple: true
Expand All @@ -138,7 +138,7 @@ jobs:
run: sha256sum opencodereview-* | sort > sha256sum.txt

- name: Create GitHub Release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@v3

Contributor


Security: Third-party action should be pinned to a commit SHA.

softprops/action-gh-release is a third-party action. Unlike first-party actions/* actions (where major version tags like v4 are acceptable), third-party actions should be pinned to a full commit SHA to prevent supply-chain attacks via tag hijacking. Tags are mutable and can be moved to point to malicious code.

Consider pinning to a specific commit SHA, e.g.:

uses: softprops/action-gh-release@<full-commit-sha> # v3

You can add a comment with the version tag for readability.

with:
body: ${{ steps.notes.outputs.body }}
files: |
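Review bot: beyond the SHA pinning raised above, a v2 to v3 major of `softprops/action-gh-release` can rename or change inputs; confirm that `body` and `files` used below are unchanged in the v3 action definition, and that this release job's `permissions` (not shown in this hunk) grant `contents: write` and nothing broader, since this step publishes the binaries and the `sha256sum.txt` generated two steps earlier.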
Expand All @@ -153,15 +153,15 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

- name: Trust workspace
run: git config --global safe.directory '*'

- name: Install jq
run: apt-get update && apt-get install -y jq

- uses: actions/download-artifact@v4
- uses: actions/download-artifact@v8
with:
pattern: binary-*
merge-multiple: true