Pin third-party GitHub Actions to verified SHAs #30
Closed
rubenlr wants to merge 44 commits into
Conversation
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v5...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4 to 8. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v4...v8) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v4...v7) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [window-vibrancy](https://github.com/tauri-apps/tauri-plugin-vibrancy) from 0.5.3 to 0.6.0. - [Release notes](https://github.com/tauri-apps/tauri-plugin-vibrancy/releases) - [Changelog](https://github.com/tauri-apps/window-vibrancy/blob/dev/CHANGELOG.md) - [Commits](tauri-apps/window-vibrancy@window-vibrancy-v0.5.3...window-vibrancy-v0.6.0) --- updated-dependencies: - dependency-name: window-vibrancy dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [prettier-plugin-svelte](https://github.com/sveltejs/prettier-plugin-svelte) from 3.5.2 to 4.1.1. - [Release notes](https://github.com/sveltejs/prettier-plugin-svelte/releases) - [Changelog](https://github.com/sveltejs/prettier-plugin-svelte/blob/main/CHANGELOG.md) - [Commits](https://github.com/sveltejs/prettier-plugin-svelte/compare/v3.5.2...prettier-plugin-svelte@4.1.1) --- updated-dependencies: - dependency-name: prettier-plugin-svelte dependency-version: 4.1.1 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [tauri](https://github.com/tauri-apps/tauri) from 2.11.2 to 2.11.3. - [Release notes](https://github.com/tauri-apps/tauri/releases) - [Commits](tauri-apps/tauri@tauri-v2.11.2...tauri-v2.11.3) --- updated-dependencies: - dependency-name: tauri dependency-version: 2.11.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@tauri-apps/api](https://github.com/tauri-apps/tauri) from 2.11.0 to 2.11.1. - [Release notes](https://github.com/tauri-apps/tauri/releases) - [Commits](https://github.com/tauri-apps/tauri/compare/@tauri-apps/api-v2.11.0...@tauri-apps/api-v2.11.1) --- updated-dependencies: - dependency-name: "@tauri-apps/api" dependency-version: 2.11.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [toml_edit](https://github.com/toml-rs/toml) from 0.22.27 to 0.25.12+spec-1.1.0. - [Commits](toml-rs/toml@v0.22.27...v0.25.12) --- updated-dependencies: - dependency-name: toml_edit dependency-version: 0.25.12+spec-1.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [tauri-build](https://github.com/tauri-apps/tauri) from 2.6.2 to 2.6.3. - [Release notes](https://github.com/tauri-apps/tauri/releases) - [Commits](tauri-apps/tauri@tauri-build-v2.6.2...tauri-build-v2.6.3) --- updated-dependencies: - dependency-name: tauri-build dependency-version: 2.6.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) from 4.3.0 to 4.3.1. - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/@tailwindcss-vite) --- updated-dependencies: - dependency-name: "@tailwindcss/vite" dependency-version: 4.3.1 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.6.3 to 6.0.3. - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Commits](microsoft/TypeScript@v5.6.3...v6.0.3) --- updated-dependencies: - dependency-name: typescript dependency-version: 6.0.3 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [prettier-plugin-tailwindcss](https://github.com/tailwindlabs/prettier-plugin-tailwindcss) from 0.6.14 to 0.8.0. - [Release notes](https://github.com/tailwindlabs/prettier-plugin-tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/prettier-plugin-tailwindcss/blob/main/CHANGELOG.md) - [Commits](tailwindlabs/prettier-plugin-tailwindcss@v0.6.14...v0.8.0) --- updated-dependencies: - dependency-name: prettier-plugin-tailwindcss dependency-version: 0.8.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…s/checkout-6' into deps/group-them
…s/download-artifact-8' into deps/group-them
…s/upload-artifact-7' into deps/group-them
…-0.6.0' into deps/group-them
…12spec-1.1.0' into deps/group-them
….3' into deps/group-them
…nto deps/group-them
…-plugin-svelte-4.1.1' into deps/group-them
…-plugin-tailwindcss-0.8.0' into deps/group-them # Conflicts: # package.json # pnpm-lock.yaml
…css/vite-4.3.1' into deps/group-them # Conflicts: # pnpm-lock.yaml
…ps/api-2.11.1' into deps/group-them # Conflicts: # pnpm-lock.yaml
…pt-6.0.3' into deps/group-them # Conflicts: # pnpm-lock.yaml
….118, getrandom to 0.4.3, muda to 0.19.3, and proc-macro-crate to 2.0.2. Clean up formatting in pnpm-lock.yaml and remove unused package entries.
…with grouped dependency updates across Rust, frontend tooling, and CI.
…g job names for clarity. Introduce new linting command in package.json and update pnpm-lock.yaml with dependency overrides for cookie and esbuild.
…int command in package.json, and adjust CI workflow for ESLint SARIF uploads. Also, update pnpm-lock.yaml with new dependencies and version changes.
Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.61.0 to 8.61.1. - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.1/packages/typescript-eslint) --- updated-dependencies: - dependency-name: typescript-eslint dependency-version: 8.61.1 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [storybook](https://github.com/storybookjs/storybook/tree/HEAD/code/core) from 10.4.3 to 10.4.6. - [Release notes](https://github.com/storybookjs/storybook/releases) - [Changelog](https://github.com/storybookjs/storybook/blob/next/CHANGELOG.md) - [Commits](https://github.com/storybookjs/storybook/commits/v10.4.6/code/core) --- updated-dependencies: - dependency-name: storybook dependency-version: 10.4.6 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@sveltejs/vite-plugin-svelte](https://github.com/sveltejs/vite-plugin-svelte/tree/HEAD/packages/vite-plugin-svelte) from 5.1.1 to 6.2.4. - [Release notes](https://github.com/sveltejs/vite-plugin-svelte/releases) - [Changelog](https://github.com/sveltejs/vite-plugin-svelte/blob/main/packages/vite-plugin-svelte/CHANGELOG.md) - [Commits](https://github.com/sveltejs/vite-plugin-svelte/commits/@sveltejs/vite-plugin-svelte@6.2.4/packages/vite-plugin-svelte) --- updated-dependencies: - dependency-name: "@sveltejs/vite-plugin-svelte" dependency-version: 6.2.4 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 25.9.2 to 25.9.3. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-version: 25.9.3 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [playwright](https://github.com/microsoft/playwright) from 1.60.0 to 1.61.0. - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](microsoft/playwright@v1.60.0...v1.61.0) --- updated-dependencies: - dependency-name: playwright dependency-version: 1.61.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
…ht-1.61.0' into deps/group-them # Conflicts: # pnpm-lock.yaml
…de-25.9.3' into deps/group-them # Conflicts: # pnpm-lock.yaml
…/vite-plugin-svelte-6.2.4' into deps/group-them # Conflicts: # package.json # pnpm-lock.yaml
…k-10.4.6' into deps/group-them # Conflicts: # package.json # pnpm-lock.yaml
…pt-eslint-8.61.1' into deps/group-them # Conflicts: # package.json # pnpm-lock.yaml
…t, and refine file paths for SARIF results. Modify justfile for clarity on pre-push tasks and conditionally import PathBuf for macOS.
Replace floating tag refs with commit SHAs and version comments so CI dependencies are immutable and Dependabot can propose future bumps.
Summary

- … `# vX.Y.Z` comments for Dependabot
- actions/checkout v6→v7, pnpm/action-setup v4→v6, github/ossar-action v1→v2, and replace dtolnay/rust-toolchain@master with pinned v1
- (upload-artifact, download-artifact, setup-node, codeql, scorecard, sonarqube, rust-cache, taiki-e/install-action)

Test plan
Made with Cursor
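The check that a PR like this one should leave behind is a lint that fails CI whenever a `uses:` line is not a full commit SHA with a `# vX.Y.Z` comment, since a tag such as `v6` or a branch such as `master` can be moved upstream without any change to the workflow file. The script below is an added example, not code from this PR or its repository. The sample workflow, the 40-hex SHAs in it (placeholders, not real commits) and the `Finding`/`audit_workflow`/`pin_line`/`resolve_tag` names are all constructed here; `dtolnay/rust-toolchain@master` is taken from the PR summary, and `resolve_tag` assumes the action is hosted at `https://github.com/<owner>/<repo>`.

```python
"""Audit GitHub Actions workflow files for unpinned third-party actions.

Added example for the SHA-pinning PR above; not code from that PR or its
repository. Every third-party `uses:` must be a full 40-hex commit SHA
followed by a `# vX.Y.Z` comment, which is what lets Dependabot keep
proposing bumps after the tag has been replaced by a SHA.
"""
import re
import subprocess
from dataclasses import dataclass

# `uses: owner/repo[/subdir]@ref  # optional comment`. Local (`./...`) and
# `docker://` uses do not match because they contain no `owner/repo@ref`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")       # short SHAs count as unpinned
VERSION_RE = re.compile(r"^v?\d+(\.\d+){0,2}\b")  # v6, v6.0, v6.0.0


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    problem: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not SHA-pinned and commented."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m["action"], m["ref"], m["comment"]
        if not FULL_SHA_RE.match(ref):
            # A tag (v6) or branch (master) can be re-pointed by whoever holds
            # the upstream repo's credentials; the workflow text never changes.
            kind = "tag" if re.match(r"^v?\d", ref) else "branch"
            findings.append(Finding(lineno, action, ref, f"floating {kind} ref"))
        elif comment is None or not VERSION_RE.match(comment.strip()):
            # Without the comment a human cannot tell which release the SHA is,
            # and Dependabot has no version to bump from.
            findings.append(Finding(lineno, action, ref,
                                    "pinned SHA without version comment"))
    return findings


def pin_line(line: str, sha: str, version: str) -> str:
    """Rewrite `uses: owner/repo@tag` as `uses: owner/repo@<sha> # <version>`."""
    m = USES_RE.match(line)
    if m is None:
        raise ValueError(f"not a uses: line: {line!r}")
    if not FULL_SHA_RE.match(sha):
        raise ValueError("refuse to pin to anything but a full 40-hex commit SHA")
    return f"{line[:m.start('action')]}{m['action']}@{sha} # {version}"


def resolve_tag(repo: str, tag: str) -> str:
    """Look up the commit SHA behind `tag` with `git ls-remote` (needs network).

    ls-remote prints an annotated tag twice: `refs/tags/<tag>` is the tag
    object and `refs/tags/<tag>^{}` is the peeled commit. Only the commit id
    is valid after the `@` in `uses:`, so prefer the peeled line. Assumes the
    action lives at https://github.com/<repo>.
    """
    out = subprocess.run(
        ["git", "ls-remote", f"https://github.com/{repo}", f"refs/tags/{tag}"],
        check=True, capture_output=True, text=True,
    ).stdout
    by_ref = {ref: sha for sha, ref in
              (l.split("\t", 1) for l in out.splitlines() if l)}
    return by_ref.get(f"refs/tags/{tag}^{{}}") or by_ref[f"refs/tags/{tag}"]


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: dtolnay/rust-toolchain@master
      - uses: ./.github/actions/local-setup
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: pnpm/action-setup@89abcdef0123456789abcdef0123456789abcdef # v6.0.0
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref}: {f.problem}")
```

Run it over `.github/workflows/*.yml` from a pre-push hook or a CI job and fail on any finding. When pinning, resolve the exact release tag (`v6.0.0`, not the moving `v6` alias) so the comment records the version that the SHA actually corresponds to; Dependabot then updates both the SHA and the comment in one bump.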