
action-allowlist-review: bump browser-actions/setup-firefox from 1.7.1 to 1.7.2 in /.github/actions/for-dependabot-triggered-reviews#813

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/browser-actions/setup-firefox-1.7.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 6, 2026

Contributor

Bumps browser-actions/setup-firefox from 1.7.1 to 1.7.2.

Release notes

Sourced from browser-actions/setup-firefox's releases.

setup-firefox: v1.7.2

1.7.2 (2026-05-06)

Bug Fixes

  • drop 32-bit arch support (#645) (c5cfea2)
  • update Node.js runtime to v24 LTS (#642) (4eb4a82)
  • upgrade dev dependencies (@actions/*, biome v2, vitest v4, @vercel/ncc) (#644) (59e1322)

Changelog

Sourced from browser-actions/setup-firefox's changelog.

Changelog

1.7.2 (2026-05-06)

Bug Fixes

  • drop 32-bit arch support (#645) (c5cfea2)
  • update Node.js runtime to v24 LTS (#642) (4eb4a82)
  • upgrade dev dependencies (@actions/*, biome v2, vitest v4, @vercel/ncc) (#644) (59e1322)

1.7.1 (2026-02-21)

Bug Fixes

1.7.0 (2025-07-27)

Features

Bug Fixes

1.6.0 (2025-07-13)

Features

1.5.4 (2025-01-25)

Bug Fixes

  • Fix an off-by-one error with bz2/xz download URLs (#626) (f7574dd), closes #625

1.5.3 (2025-01-19)

Bug Fixes

  • Coping with compression change for linux download (#623) (063eed6)

... (truncated)

Commits
  • 0bc507d Release v1.7.2 at b2420b5fc5c9410c3bb4558ea29f202e52b4f41e
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 6, 2026
@dependabot dependabot Bot requested review from dfoulks1 and potiuk as code owners May 6, 2026 13:30
@hen

hen commented May 6, 2026

Member

Comparing the old and new versions, the index.js for the new version is dramatically larger (8K lines to 35K lines) without an obvious commit. Without digging too deeply, it seems like updating dev dependencies may have inlined a lot of new code. Looking at GitHub metrics, this action seems fairly obscure (stars, forks etc), though the commits that have been applied since 1.7.1 look sensible. It's only the surprise leap in built index.js that raises the eyebrow.

@potiuk potiuk left a comment

Member


Marking it as suspicious.

I do not like this action:

  • Huge changes in single commit (40K changes)
  • Single-person shop releasing those browser actions

I am running analyze skill on it

@potiuk

potiuk commented May 6, 2026

Member

I ran verify-action-build against this dependabot bump and the only failure is Lock file presence: package.json (just {"type": "module"}) has no matching lock file.

That package.json declares zero dependencies, so a lock file would describe an empty graph. The check already skips dependency-less pyproject.toml and require-less go.mod for the same reason, but didn't have the equivalent skip for package.json. v1.7.0 and v1.7.1 were approved before the lock-file check landed in #770; once it landed, this whole class of release-please-style bundled tags started bouncing.

Fix in flight at #816 — once that merges, re-trigger CI here and Lock file presence should pass. The other checks already pass: JS build verifies, downloads have verification.

potiuk added a commit that referenced this pull request May 6, 2026
The check already skips bare-config pyproject.toml and require-less
go.mod.  Mirror that for package.json with no dependencies — the case
that release-please-style bundled action tags ship (a self-contained
index.js next to a minimal {"type": "module"}).  browser-actions/
setup-firefox v1.7.2 (PR #813) hits this; v1.7.0 / v1.7.1 were
approved before the lock-file check landed.
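The skip rule described in the comment and commit message above, as an added Python sketch (this is not the project's verify-action-build code; the function names, the accepted lock-file names and the go.mod handling are assumptions):

```python
"""Hypothetical 'Lock file presence' check with the dependency-less skip.

A manifest that declares no dependencies has nothing a lock file could pin,
so the check skips it instead of failing. Names and structure are assumed,
not taken from the project's own implementation.
"""
import json
import re

# Lock files accepted for an npm-style manifest (assumed list).
NPM_LOCK_FILES = ("package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml")
NPM_DEP_KEYS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def npm_declares_dependencies(package_json: str) -> bool:
    """True when package.json lists at least one dependency of any kind."""
    manifest = json.loads(package_json)
    return any(manifest.get(key) for key in NPM_DEP_KEYS)


def gomod_declares_requires(go_mod: str) -> bool:
    """True when go.mod carries a require directive (single-line or block form)."""
    return re.search(r"^\s*require\b", go_mod, re.MULTILINE) is not None


def lock_file_presence(files: dict) -> tuple:
    """Return (status, reason) for a checked-out action tag.

    files maps repo-relative path -> content. status is 'pass', 'skip' or 'fail'.
    """
    if "package.json" in files:
        if not npm_declares_dependencies(files["package.json"]):
            return ("skip", "package.json declares no dependencies")
        if any(name in files for name in NPM_LOCK_FILES):
            return ("pass", "package.json has a matching lock file")
        return ("fail", "package.json has no matching lock file")
    if "go.mod" in files:
        if not gomod_declares_requires(files["go.mod"]):
            return ("skip", "go.mod has no require directive")
        if "go.sum" in files:
            return ("pass", "go.mod has a matching go.sum")
        return ("fail", "go.mod has no matching go.sum")
    return ("skip", "no supported manifest found")


# Constructed sample: the bundled-tag layout from the thread, a self-contained
# index.js next to a minimal package.json.
BUNDLED_TAG = {"package.json": '{"type": "module"}', "index.js": "// bundled output"}
# Constructed sample: a manifest with real dependencies and no lock file.
UNLOCKED = {"package.json": '{"dependencies": {"@actions/core": "^1.10.0"}}'}
LOCKED = dict(UNLOCKED, **{"package-lock.json": "{}"})
```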
@potiuk

potiuk commented May 6, 2026

Member

@dependabot rebase

Bumps [browser-actions/setup-firefox](https://github.com/browser-actions/setup-firefox) from 1.7.1 to 1.7.2.
- [Release notes](https://github.com/browser-actions/setup-firefox/releases)
- [Changelog](https://github.com/browser-actions/setup-firefox/blob/master/CHANGELOG.md)
- [Commits](browser-actions/setup-firefox@fcf821c...0bc507d)

---
updated-dependencies:
- dependency-name: browser-actions/setup-firefox
  dependency-version: 1.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/browser-actions/setup-firefox-1.7.2 branch from 8c73bdf to 6b0f5d6 May 6, 2026 23:07

@potiuk potiuk left a comment

Member


Comparing the old and new versions, the index.js for the new version is dramatically larger (8K lines to 35K lines) without an obvious commit. Without digging too deeply, it seems like updating dev dependencies may have inlined a lot of new code. Looking at GitHub metrics, this action seems fairly obscure (stars, forks etc), though the commits that have been applied since 1.7.1 look sensible. It's only the surprise leap in built index.js that raises the eyebrow.

Ok. The "verify" passes now - it correctly detects that the .js in the action is not compiled but comes from the commit. And it being an orphan branch stripped of everything else - we definitely need to take a closer look and possibly run a deeper inspection with an agent.... tomorrow.

@raboof

raboof commented May 7, 2026

Member

Tagging @derkoe who introduced this action in the only place it's used, https://github.com/apache/tapestry-5/blob/master/.github/workflows/build-pull-request.yaml

@benweidig


It appears Tapestry no longer needs the action (and browser-actions/setup-geckodriver), as the ubuntu-latest image already contains Firefox/Geckodriver according to https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md

@derkoe

derkoe commented May 7, 2026


@raboof you can remove this from the allowlist - we use the built-in installs now

@raboof

raboof commented May 7, 2026

Member

@raboof you can remove this from the allowlist - we use the built-in installs now

Nice, even better! Filed #818

@potiuk

potiuk commented May 7, 2026

Member

Closing this one then :)

@potiuk potiuk closed this May 7, 2026
@dependabot @github

dependabot Bot commented on behalf of github May 7, 2026

Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/browser-actions/setup-firefox-1.7.2 branch May 7, 2026 21:59
potiuk pushed a commit to raboof/infrastructure-actions that referenced this pull request May 7, 2026
As Tapestry was the only one using them, and they
moved away from it.

apache#813
apache/tapestry-5#58