chore(deps): Pin dependencies#36
Dependency Review
The following issues were found:
License Issues:
- .github/workflows/docs.yml
- .github/workflows/python-compatibility.yml
- .github/workflows/scorecard.yml
OpenSSF Scorecard
Scanned Files
Pull request overview
This PR updates and pins GitHub Actions/reusable workflow references in this repository's CI/security/release workflows to pick up patch/minor fixes and improve supply-chain security (immutable refs).
Changes:
- Updated multiple GitHub Actions (e.g., actions/checkout, actions/setup-python, actions/upload-artifact, actions/dependency-review-action, actions/github-script, step-security/harden-runner) to newer pinned SHAs.
- Pinned org-level reusable workflows from ByronWilliamsCPA/.github to a specific commit SHA across several workflows.
- Updated the SLSA generator workflow reference (but see review comment about tag-vs-SHA constraints).
Reviewed changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/sonarcloud.yml | Bumps pinned action SHAs for hardening, checkout, setup-python, Sonar scan, artifact upload. |
| .github/workflows/slsa-provenance.yml | Updates harden-runner; changes SLSA generator reusable workflow ref (needs adjustment). |
| .github/workflows/security-analysis.yml | Pins reusable workflow ref to a specific commit SHA. |
| .github/workflows/scorecard.yml | Updates pinned commit SHA for reusable scorecard workflow. |
| .github/workflows/sbom.yml | Pins reusable SBOM workflow ref to a specific commit SHA. |
| .github/workflows/reuse.yml | Bumps pinned action SHAs for hardening, checkout, artifact upload. |
| .github/workflows/qlty.yml | Updates pinned commit SHA for reusable Qlty coverage workflow. |
| .github/workflows/python-compatibility.yml | Pins reusable compatibility workflow ref to a specific commit SHA. |
| .github/workflows/publish-pypi.yml | Pins reusable publish workflow ref to a specific commit SHA. |
| .github/workflows/pr-validation.yml | Updates pinned SHAs for reusable CI + several actions (harden-runner/checkout/setup-python/setup-uv/lychee). |
| .github/workflows/mutation-testing.yml | Pins reusable mutation workflow ref to a specific commit SHA. |
| .github/workflows/fips-compatibility.yml | Bumps pinned action SHAs for hardening, checkout, setup-uv, upload-artifact, github-script. |
| .github/workflows/docs.yml | Pins reusable docs workflow ref to a specific commit SHA. |
| .github/workflows/dependency-review.yml | Bumps pinned SHAs for harden-runner/checkout and dependency-review-action. |
| .github/workflows/container-security.yml | Pins reusable container security workflow ref to a specific commit SHA. |
| .github/workflows/codecov.yml | Pins reusable codecov workflow ref; bumps harden-runner SHA in failure path. |
| .github/workflows/ci.yml | Pins reusable CI workflow ref; bumps harden-runner SHA in gate job. |
| id-token: write | ||
| contents: write | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # tag ref required: generator rejects SHA pins (fetches its release binary by tag) | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0 # tag ref required: generator rejects SHA pins (fetches its release binary by tag) |
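Review bot: the new `uses:` line pins the SLSA generator to commit f7dd8c54c2067bafc12ca7a55595d5ee9b75204a but keeps the inline comment stating that a tag ref is required because the generator rejects SHA pins, so the line now contradicts its own comment. Either keep `@v2.1.0` (consistent with the comment and with the per-file summary above, which flags this ref as needing adjustment) or, if the generator has since been verified to accept SHA-pinned references, rewrite the comment to say so; as written the workflow documents a failure mode it now triggers, and a reviewer cannot tell which of the two is intended.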
Socket for GitHub: No dependency changes detected in pull request.
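The review above is about pinning `uses:` references to immutable commit SHAs with a trailing version comment. The following checker is an added example (not code from this repository or from any of the bots commenting here) that classifies every `uses:` line in a workflow the way such a pinning policy would; the sample workflow text and the SHA in it are constructed.

```python
import re

# Constructed sample workflow (not from the PR): one tag ref, one SHA pin with a
# version comment, one local action and one reusable workflow referenced by tag.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-thing
  provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
"""

# A `uses:` reference: owner/repo[/path]@ref, optionally followed by "# vX.Y.Z ...".
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)(?:@(?P<ref>[^\s#]+))?"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")      # full commit SHA, the only immutable ref
TAG_RE = re.compile(r"^v?\d+(\.\d+)*\b")    # "v2.1.0" or "2.19.4" at the start of the comment

def classify_uses(line):
    """Return (action, ref, status) for a `uses:` line, or None for any other line.

    status: 'local' (./path or docker://, not SHA-pinnable here), 'sha-pinned'
    (40-hex SHA plus a version comment so reviewers can audit it), 'sha-no-comment'
    (pinned but unlabelled), or 'mutable' (tag/branch that can be moved after review).
    """
    m = USES_RE.match(line)
    if not m:
        return None
    action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
    if action.startswith("./") or action.startswith("docker://"):
        return action, ref, "local"
    if ref and SHA_RE.match(ref):
        if comment and TAG_RE.match(comment.strip()):
            return action, ref, "sha-pinned"
        return action, ref, "sha-no-comment"
    return action, ref, "mutable"

def find_unpinned(workflow_text):
    """Collect every reference a pinning policy should reject (mutable or unlabelled)."""
    findings = []
    for line in workflow_text.splitlines():
        result = classify_uses(line)
        if result and result[2] in ("mutable", "sha-no-comment"):
            findings.append(result)
    return findings

if __name__ == "__main__":
    for action, ref, status in find_unpinned(SAMPLE_WORKFLOW):
        print(f"{status}: {action}@{ref}")
```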
Summary
Why
Scheduled patch update, bug fixes and security patches with no API changes.
Changes
This PR contains the following updates:
| Package | Change |
|---|---|
| SonarSource/sonarqube-scan-action | v4.0.0 → v4.2.2 |
| actions/checkout | v4.2.2 → v4.3.1 |
| actions/dependency-review-action | v4.5.0 → v4.9.0 |
| actions/github-script | v7.0.1 → v7.1.0 |
| actions/setup-python | v5.3.0 → v5.6.0 |
| actions/upload-artifact | v4.5.0 → v4.6.2 |
| astral-sh/setup-uv | v7.1.1 → v7.6.0 |

Other pinned references in this PR: 1502ecd, 2ac9f03 → 2b973e8, f7dd8c5, v2.10.1 → v2.19.4, v2.19.1 → v2.19.4
Impact
Acceptance Criteria
Testing
Notes
Release Notes
SonarSource/sonarqube-scan-action (SonarSource/sonarqube-scan-action)
v4.2.2
Full Changelog: SonarSource/sonarqube-scan-action@v4.2.1...v4.2.2
v4.2.1
What's Changed
Full Changelog: SonarSource/sonarqube-scan-action@v4.2.0...v4.2.1
v4.2.0
We are happy to announce this new version of the GitHub action, which brings support for C, C++, and Objective-C projects.
The action supports both AutoConfig scenarios, as well as scenarios where Build Wrapper is required, and is a complete replacement of `sonarqube-github-c-cpp` and `sonarcloud-github-c-cpp`. To install Build Wrapper, a new `sonarqube-scan-action/install-build-wrapper` sub-action is provided. Check the README for examples of configuration.
On top of C, C++, and Objective-C support, we have also improved our support of self-hosted GitHub runners:
- `RUNNER_TEMP` to be cleaned after every job execution: if present, the action will clean it before running
- `~/sonar/ssl` to be cleaned after every job execution: if present, the action will clean it before running
What's Changed
New Contributors
Full Changelog: SonarSource/sonarqube-scan-action@v4.1.0...v4.2.0
v4.2
v4.1.0
The new version is now the official entrypoint for both Server and Cloud: a single GitHub action to interact with the SonarQube solution, whether on-premise or in the cloud!
It also brings several other improvements, including:
- `curl` as a fallback when `wget` is not available in the environment of the runner
- the requirement for `keytool` to be available has been lifted
What's Changed
Full Changelog: SonarSource/sonarqube-scan-action@v4.0.0...v4.1.0
v4.1
actions/checkout (actions/checkout)
v4.3.1
v4.3.0
actions/dependency-review-action (actions/dependency-review-action)
v4.9.0: Dependency Review Action 4.9.0
This feature release contains a couple of notable changes:
- `show_patched_versions`, which will add a column to the output showing the fix version of each vulnerable dependency. Thanks @felickz!
- `allow-package-dependency` lists, including case (in)sensitivity and url-encoded namespaces. Thanks @juxtin!
What's Changed
- `Patched Version` to `Vulnerabilities` summary by @felickz in #1045
New Contributors
Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0
v4.8.3: 4.8.3
Dependency Review Action v4.8.3
This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and uploaded them as artifacts, which could occasionally crash the action.
We have also updated the release process to use a long-lived `v4` branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.
What's Changed
Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3
v4.8.2
Minor fixes:
v4.8.1: Dependency Review Action v4.8.1
What's Changed
Full Changelog: actions/dependency-review-action@v4...v4.8.1
v4.8.0
What's Changed
New Contributors
Full Changelog: actions/dependency-review-action@v4...v4.8.0
v4.7.4
v4.7.3: 4.7.3
What's Changed
Full Changelog: actions/dependency-review-action@v4...v4.7.3
v4.7.2: 4.7.2
What's Changed
New Contributors
Full Changelog: actions/dependency-review-action@v4...v4.7.2
v4.7.1
- `allow-dependencies-licenses` will be allowed even if the package in question has no license information (#889)
- License expressions (e.g. `Ruby OR GPL-2.0`) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should contain just license identifiers (e.g. `Ruby`)
v4.7.0
- License expressions (e.g. `MIT AND GPL-2.0`) in allow lists (fixes #809 and probably others)
- `OTHER` in package licenses replaced with `LicenseRef-clearlydefined-OTHER` so that parsing passes
v4.6.0
What's Changed
New Contributors
Full Changelog: actions/dependency-review-action@v4.5.0...v4.6.0
actions/github-script (actions/github-script)
v7.1.0
What's Changed
- `actions/upload-artifact` by @joshmgross in #512
- `npm audit fix` by @joshmgross in #515
- `permissions` in workflows and update actions by @joshmgross in #531
- `octokit` README updates for v7 by @joshmgross in #557
- `script` by @joshmgross in #603
New Contributors
Full Changelog: actions/github-script@v7...v7.1.0
actions/setup-python (actions/setup-python)
v5.6.0
What's Changed
Full Changelog: actions/setup-python@v5...v5.6.0
v5.5.0
What's Changed
Enhancements:
Bug fixes:
This update maps arm64 to aarch64 for Linux ARM64 PyPy installations.
Dependency updates:
New Contributors
Full Changelog: actions/setup-python@v5...v5.5.0
v5.4.0
What's Changed
Enhancements:
Documentation changes:
Dependency updates:
- `undici` from 5.28.4 to 5.28.5 by @dependabot in #1012
- `urllib3` from 1.25.9 to 1.26.19 in /tests/data by @dependabot in #895
- `actions/publish-immutable-action` from 0.0.3 to 0.0.4 by @dependabot in #1014
- `@actions/http-client` from 2.2.1 to 2.2.3 by @dependabot in #1020
- `requests` from 2.24.0 to 2.32.2 in /tests/data by @dependabot in #1019
- `@actions/cache` to `^4.0.0` by @priyagupta108 in #1007
New Contributors
Full Changelog: actions/setup-python@v5...v5.4.0
actions/upload-artifact (actions/upload-artifact)
v4.6.2
What's Changed
New Contributors
Full Changelog: actions/upload-artifact@v4...v4.6.2
v4.6.1
What's Changed
Full Changelog: actions/upload-artifact@v4...v4.6.1
v4.6.0
What's Changed
Full Changelog: actions/upload-artifact@v4...v4.6.0
astral-sh/setup-uv (astral-sh/setup-uv)
v7.6.0: 🌈 Fetch uv from Astral's mirror by default
Changes
We now default to downloading uv from `releases.astral.sh`. This means that by default we don't hit the GitHub API at all and shouldn't see any rate limits or timeouts any more.
🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates
v7.6
v7.5.0: 🌈 Use `astral-sh/versions` as version provider
No more rate-limits
This release addresses a long-standing source of timeouts and rate-limit failures in setup-uv.
Previously, the action resolved version identifiers like 0.5.x by iterating over available uv releases via the GitHub API to find the best match. In contrast, latest and exact versions such as 0.5.0 skipped version resolution entirely and downloaded uv directly.
The `manifest-file` input was an earlier attempt to improve this. It allows providing a URL to a file that lists available versions, checksums, and even custom download URLs. The action also shipped with such a manifest. However, because that bundled file could become outdated whenever new uv releases were published, the action still had to fall back to the GitHub API in many cases.
This release solves the problem by sourcing version data from Astral's versions repository via the raw content endpoint:
https://raw.githubusercontent.com/astral-sh/versions/refs/heads/main/v1/uv.ndjson
By using the raw endpoint instead of the GitHub API, version resolution no longer depends on API authentication and is much less likely to run into rate limits or timeouts.
The `manifest-file` input lets you override that source with your own URL, for example to test custom uv builds or alternate download locations. The manifest file must be in NDJSON format, where each line is a JSON object representing a version and its artifacts. For example:
```json
{"version":"0.10.7","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}
{"version":"0.10.6","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}
```
Changes
🚀 Enhancements
📚 Documentation
v7.5
v7.4.0: 🌈 Add riscv64 architecture support to platform detection
Changes
Thank you @luhenry for adding support for riscv64 arch
🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates
v7.4
v7.3.1: 🌈 fall back to VERSION_CODENAME when VERSION_ID is not available
Changes
This release adds support for running in containers like `debian:testing` or `debian:unstable`
🐛 Bug fixes
🧰 Maintenance
Configuration
📅 Schedule: (in timezone America/New_York)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.
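The setup-uv v7.5.0 notes above describe the NDJSON manifest that a `manifest-file` override points at. The following is an added example (not code from setup-uv, Astral, or this repository) of the consumer side of that format: parsing the manifest, resolving `latest`, an exact version or a `0.10.x` pattern, picking the artifact for a platform, and checking a downloaded archive against the manifest's sha256. The manifest content, URLs and archive bytes are constructed.

```python
import hashlib
import json

# Constructed sample manifest (not the real uv.ndjson): one JSON object per line with a
# "version" and its "artifacts", in the layout the setup-uv notes describe.
def _entry(version, blob):
    return json.dumps({"version": version, "artifacts": [{
        "platform": "x86_64-unknown-linux-gnu", "variant": "default",
        "url": f"https://example.com/uv-{version}.tar.gz", "archive_format": "tar.gz",
        "sha256": hashlib.sha256(blob).hexdigest()}]})

SAMPLE_MANIFEST = "\n".join([_entry("0.10.7", b"uv-0.10.7-archive"),
                             _entry("0.10.6", b"uv-0.10.6-archive")])

def parse_manifest(text):
    """Parse NDJSON into {version: artifacts}, failing loudly on a malformed line."""
    versions = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue                      # tolerate blank lines, nothing else
        entry = json.loads(line)
        if "version" not in entry or not isinstance(entry.get("artifacts"), list):
            raise ValueError(f"manifest line {n}: missing version or artifacts")
        versions[entry["version"]] = entry["artifacts"]
    return versions

def _key(v):
    return tuple(int(p) for p in v.split("."))

def resolve(versions, spec):
    """Map 'latest', an exact version, or an 'x' pattern such as '0.10.x' to a version."""
    if spec == "latest":
        return max(versions, key=_key)
    if spec in versions:
        return spec
    if spec.endswith(".x"):
        matches = [v for v in versions if v.startswith(spec[:-1])]
        if matches:
            return max(matches, key=_key)
    raise LookupError(f"no manifest entry matches {spec!r}")

def select_artifact(versions, version, platform, variant="default"):
    for art in versions[version]:
        if art["platform"] == platform and art.get("variant", "default") == variant:
            return art
    raise LookupError(f"no {platform}/{variant} artifact for uv {version}")

def verify_download(artifact, data):
    """True only if the downloaded bytes match the manifest sha256; a custom manifest-file
    URL is only as trustworthy as this check plus the trust placed in the manifest host."""
    return hashlib.sha256(data).hexdigest() == artifact["sha256"]
```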