chore(deps)!: Update GitHub Actions (major)#37
Dependency Review: ✅ No vulnerabilities, license issues or OpenSSF Scorecard issues found.
Pull request overview
This PR updates pinned GitHub Actions used across the repository's CI/security workflows to newer major versions, primarily to keep the automation ecosystem up to date (including Node.js runtime bumps in several actions).
Changes:
- Bump core workflow actions (e.g., `actions/checkout`, `actions/setup-python`, `actions/upload-artifact`) to newer major versions pinned by commit SHA.
- Update security/compliance-related actions (`SonarSource/sonarqube-scan-action`, `actions/dependency-review-action`, `fsfe/reuse-action`) to newer major versions.
- Update utility actions used in validation/reporting (`actions/download-artifact`, `actions/github-script`, `astral-sh/setup-uv`, `lycheeverse/lychee-action`).
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/sonarcloud.yml | Updates checkout/setup-python/sonarqube scan/upload-artifact action pins used for SonarCloud analysis. |
| .github/workflows/slsa-provenance.yml | Updates actions/download-artifact pin used to fetch release artifacts for provenance hashing. |
| .github/workflows/reuse.yml | Updates checkout/reuse-action/upload-artifact pins for REUSE compliance checks and artifact upload. |
| .github/workflows/pr-validation.yml | Updates checkout/setup-python/setup-uv/lychee-action pins for PR validation jobs. |
| .github/workflows/fips-compatibility.yml | Updates checkout/setup-uv/upload-artifact/github-script pins used for FIPS scanning and PR commenting. |
| .github/workflows/dependency-review.yml | Updates checkout and dependency-review-action pins for PR dependency scanning. |
| - name: Dependency Review | ||
| uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 | ||
| uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 |
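Review bot: The only thing tying the new pin `uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0` to a released version is the trailing comment, and the bot wrote both halves, so before merging confirm that this SHA is the commit the upstream `v5.0.0` tag resolves to (`git ls-remote --tags https://github.com/actions/dependency-review-action.git v5.0.0`, comparing against the peeled `^{}` entry if the tag is annotated); nothing checks that comment at run time. The v5.0.0 release notes further down state that this major moves the action to the node24 runtime and requires Actions Runner v2.327.1 or newer, which is fine on GitHub-hosted runners but will fail the dependency-review job on any self-hosted runner older than that, so check runner versions before merging.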
Branch force-pushed from fede7ab to c26d58b
Branch force-pushed from ff539c1 to 09f1559
Branch force-pushed from 09f1559 to e5298fc
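The Copilot summary above and the hunk in its inline comment show the pattern this PR relies on: every action is pinned to a full commit SHA with a trailing `# vX.Y.Z` comment. Nothing enforces that the comment and the SHA agree, so the reviewer's check is to resolve each tag with `git ls-remote --tags` and compare. The following is an added example (editor's code, not part of this PR, of Renovate, or of any action): it parses `uses:` lines, parses `ls-remote` output (preferring the peeled `^{}` entry for annotated tags, since a pin must equal the commit, not the tag object) and reports mismatches. The workflow snippet and tag listing are constructed inputs with made-up SHAs; `fetch_tags` is the network variant and is not used by `demo()`.

```python
"""Verify that `uses: owner/repo@<sha> # vX.Y.Z` pins match the tag named in
the trailing comment. Added example; not from this PR, Renovate or any action.
The sample workflow text and `git ls-remote --tags` output below are
constructed, and their SHAs are made up."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# uses: owner/repo[/sub/path]@<ref>   # v5.0.0   (the comment is optional)
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<repo>[\w.-]+/[\w.-]+)(?:/[^@\s]+)?"  # owner/repo, optional sub-action path
    r"@(?P<ref>[^\s#]+)"                       # pinned ref: SHA, tag or branch
    r"(?:\s*#\s*(?P<tag>v?\d[\w.-]*))?"        # trailing version comment
)
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (repo, ref, version_comment) for every `uses:` line."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            out.append((m.group("repo"), m.group("ref"), m.group("tag")))
    return out


def parse_ls_remote(output: str) -> Dict[str, str]:
    """Map tag name -> commit SHA from `git ls-remote --tags` output.

    An annotated tag shows up twice: `refs/tags/v7.0.0` is the tag object and
    `refs/tags/v7.0.0^{}` is the commit it points to. A pin must equal the
    commit, so the peeled entry wins whenever it is present.
    """
    tags: Dict[str, str] = {}
    for line in output.splitlines():
        sha, _, ref = line.strip().partition("\t")
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)  # lightweight tag, or tag object seen first
    return tags


def check_pins(workflow_text: str, tags_by_repo: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per bad pin; an empty list means every pin checks out."""
    findings: List[str] = []
    for repo, ref, tag in parse_uses(workflow_text):
        if not SHA40_RE.match(ref):
            findings.append(f"{repo}@{ref}: not pinned to a full commit SHA")
        elif tag is None:
            findings.append(f"{repo}@{ref[:7]}: no version comment, cannot tell what it is")
        elif tag not in tags_by_repo.get(repo, {}):
            findings.append(f"{repo}@{ref[:7]}: tag {tag} not found upstream")
        elif tags_by_repo[repo][tag] != ref:
            findings.append(
                f"{repo}@{ref[:7]}: comment says {tag} but that tag is "
                f"{tags_by_repo[repo][tag][:7]}"
            )
    return findings


def fetch_tags(repo: str) -> Dict[str, str]:
    """Network variant: resolve a GitHub repo's tags with git (not used by demo())."""
    res = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{repo}.git"],
        check=True, capture_output=True, text=True,
    )
    return parse_ls_remote(res.stdout)


# --- constructed sample data (all SHAs are made up) -------------------------
SHA_CHECKOUT_V7 = "11" * 20       # commit the (pretend) checkout v7.0.0 tag points to
SHA_CHECKOUT_TAGOBJ = "22" * 20   # the annotated tag object itself
SHA_DRA_PINNED = "33" * 20        # what the sample workflow pins
SHA_DRA_V5 = "44" * 20            # what the (pretend) upstream v5.0.0 really is

SAMPLE_WORKFLOW = f"""\
steps:
  - uses: actions/checkout@{SHA_CHECKOUT_V7} # v7.0.0
  - uses: actions/dependency-review-action@{SHA_DRA_PINNED} # v5.0.0
  - uses: actions/setup-python@v6
"""
LS_REMOTE = {
    "actions/checkout": (
        f"{SHA_CHECKOUT_TAGOBJ}\trefs/tags/v7.0.0\n"
        f"{SHA_CHECKOUT_V7}\trefs/tags/v7.0.0^{{}}\n"
        f"{SHA_CHECKOUT_V7}\trefs/tags/v7\n"
    ),
    "actions/dependency-review-action": f"{SHA_DRA_V5}\trefs/tags/v5.0.0\n",
}


def demo() -> List[str]:
    """Run the check over the constructed sample and return the findings."""
    tags = {repo: parse_ls_remote(out) for repo, out in LS_REMOTE.items()}
    return check_pins(SAMPLE_WORKFLOW, tags)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the constructed sample the checkout pin passes, the dependency-review pin is flagged because its comment names a tag that resolves to a different commit, and the floating `@v6` is flagged as not pinned at all. Against a real repository, replace `LS_REMOTE` with `fetch_tags(repo)` per action and feed it the workflow files under `.github/workflows/`.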
Summary
Why
Scheduled patch update, bug fixes and security patches with no API changes.
Changes
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| SonarSource/sonarqube-scan-action | action | major | v4.0.0 → v8.2.0 |
| actions/checkout | action | major | v4.2.2 → v7.0.0 |
| actions/dependency-review-action | action | major | v4.5.0 → v5.0.0 |
| actions/download-artifact | action | major | v6.0.0 → v8.0.1 |
| actions/github-script | action | major | v7.0.1 → v9.0.0 |
| actions/setup-python | action | major | v5.3.0 → v6.3.0 |
| actions/upload-artifact | action | major | v4.5.0 → v7.0.1 |
| astral-sh/setup-uv | action | major | v7.1.1 → v8.2.0 |
| fsfe/reuse-action | action | major | v4.0.0 → v6.0.0 |
| lycheeverse/lychee-action | action | major | v1.10.0 → v2.8.0 |
Impact
Acceptance Criteria
Testing
Notes
Release Notes
SonarSource/sonarqube-scan-action (SonarSource/sonarqube-scan-action)
v8.2.0
What's Changed
Full Changelog: SonarSource/sonarqube-scan-action@v8...v8.2.0
v8.2
v8.1.0
What's Changed
Full Changelog: SonarSource/sonarqube-scan-action@v8...v8.1.0
v8.1
v8.0.0
What's Changed
Breaking change
Full Changelog: SonarSource/sonarqube-scan-action@v7...v8.0.0
v8.0
v8
v7.2.1
What's Changed
Full Changelog: SonarSource/sonarqube-scan-action@v7...v7.2.1
v7.2.0
What's Changed
Full Changelog: SonarSource/sonarqube-scan-action@v7...v7.2.0
v7.2
v7.1.0
What's Changed
Full Changelog: SonarSource/sonarqube-scan-action@v7...v7.1.0
v7.1
v7.0.0
What's Changed
New Contributors
Full Changelog: SonarSource/sonarqube-scan-action@v6.0.0...v7.0.0
v7.0
v7
v6.0.0
BREAKING CHANGE!
In order to prevent command-line injection, the action has been rewritten from Bash to JS, and the `args` input is now parsed differently. When updating to v6, you might have to update your workflow to change how arguments are quoted.
For example, if you were previously passing:
you should now pass:
For more `args` passing examples, please refer to the README file.
What's Changed
Full Changelog: SonarSource/sonarqube-scan-action@v5.3.1...v6.0.0
v6.0
v6
v5.3.2
Full Changelog: SonarSource/sonarqube-scan-action@v5.3.1...v5.3.2
v5.3.1
OVERLOOKED BREAKING CHANGE!
In order to prevent command-line injection, the way to parse the `args` input has been changed, but this is possibly a breaking change regarding support of quotes.
For example, if you were previously passing:
you should now pass:
Edit: We have now released v6, which more accurately reflects this breaking change.
What's Changed
New Contributors
Full Changelog: SonarSource/sonarqube-scan-action@v5...v5.3.1
v5.3.0
What's Changed
New Contributors
Full Changelog: SonarSource/sonarqube-scan-action@v5.2.0...v5.3.0
v5.3
v5.2.0
What's Changed
Full Changelog: SonarSource/sonarqube-scan-action@v5...v5.2.0
v5.2
v5.1.0
What's Changed
Full Changelog: SonarSource/sonarqube-scan-action@v5.0.0...v5.1.0
v5.1
v5.0.0
What's Changed
Full Changelog: SonarSource/sonarqube-scan-action@v4...v5.0.0
v5.0
v5
v4.2.2
Full Changelog: SonarSource/sonarqube-scan-action@v4.2.1...v4.2.2
v4.2.1
What's Changed
Full Changelog: SonarSource/sonarqube-scan-action@v4.2.0...v4.2.1
v4.2.0
We are happy to announce this new version of the GitHub action, which brings support for C, C++, and Objective-C projects.
The action supports both AutoConfig scenarios, as well as scenarios where Build Wrapper is required, and is a complete replacement of `sonarqube-github-c-cpp` and `sonarcloud-github-c-cpp`. To install Build Wrapper, a new `sonarqube-scan-action/install-build-wrapper` sub-action is provided. Check the README for examples of configuration.
On top of C, C++, and Objective-C support, we have also improved our support of self-hosted GitHub runners:
- The temporary directory (`RUNNER_TEMP`) is no longer expected to be cleaned after every job execution: if present, the action will clean it before running
- The SSL directory (`~/sonar/ssl`) is no longer expected to be cleaned after every job execution: if present, the action will clean it before running
What's Changed
New Contributors
Full Changelog: SonarSource/sonarqube-scan-action@v4.1.0...v4.2.0
v4.2
v4.1.0
The new version is now the official entrypoint for both Server and Cloud: a single GitHub action to interact with the SonarQube solution, whether on-premise or in the cloud!
It also brings several other improvements, including:
- `curl` as a fallback when `wget` is not available in the environment of the runner
- The requirement for `keytool` to be available has been lifted
What's Changed
Full Changelog: SonarSource/sonarqube-scan-action@v4.0.0...v4.1.0
v4.1
actions/checkout (actions/checkout)
v7.0.0
v7
v6.0.3
v6.0.2
v6.0.1
v6.0.0
v6
v5.0.1
v5.0.0
v5
v4.3.1
v4.3.0
actions/dependency-review-action (actions/dependency-review-action)
v5.0.0: 5.0.0
This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.
What's Changed
New Contributors
Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0
v4.9.0: Dependency Review Action 4.9.0
This feature release contains a couple of notable changes:
- `show_patched_versions`, which will add a column to the output showing the fix version of each vulnerable dependency. Thanks @felickz!
- Fixes for allow-package-dependency lists, including case (in)sensitivity and URL-encoded namespaces. Thanks @juxtin!
What's Changed
- Add `Patched Version` to `Vulnerabilities` summary by @felickz in #1045
New Contributors
Full Changelog: actions/dependency-review-action@v4.8.3...v4.9.0
v4.8.3: 4.8.3
Dependency Review Action v4.8.3
This is a bugfix release that updates a number of upstream dependencies and includes a fix for the earlier feature that detected oversized summaries and uploaded them as artifacts, which could occasionally crash the action.
We have also updated the release process to use a long-lived `v4` branch for the action, instead of a force-pushed tag, which aligns better with git branching strategies; the change should be transparent to end users.
What's Changed
Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.8.2..v4.8.3
v4.8.2
Minor fixes:
v4.8.1: Dependency Review Action v4.8.1
What's Changed
Full Changelog: actions/dependency-review-action@v4...v4.8.1
v4.8.0
What's Changed
New Contributors
Full Changelog: actions/dependency-review-action@v4...v4.8.0
v4.7.4
v4.7.3: 4.7.3
What's Changed
Full Changelog: actions/dependency-review-action@v4...v4.7.3
v4.7.2: 4.7.2
What's Changed
New Contributors
Full Changelog: actions/dependency-review-action@v4...v4.7.2
v4.7.1
- Packages matching `allow-dependencies-licenses` will be allowed even if the package in question has no license information (#889)
- License expressions (e.g. `Ruby OR GPL-2.0`) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifiers (e.g. `Ruby`)
v4.7.0
- Support license expressions (e.g. `MIT AND GPL-2.0`) in allow lists (fixes #809 and probably others)
- Replace `OTHER` in package licenses with `LicenseRef-clearlydefined-OTHER` so that parsing passes
v4.6.0
What's Changed
New Contributors
Full Changelog: actions/dependency-review-action@v4.5.0...v4.6.0
actions/download-artifact (actions/download-artifact)
v8.0.1
What's Changed
Full Changelog: actions/download-artifact@v8...v8.0.1
[v8.0.0](https://redirect.github.com/actions/download-artifact/releas
Configuration
📅 Schedule: (in timezone America/New_York)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.
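The v6.0.0 and v5.3.1 release notes for SonarSource/sonarqube-scan-action above describe one change from two angles: the `args` input used to reach a Bash command line, and is now tokenised by the action itself, which closes a command-injection hole but changes how quotes behave. The following is an added example by the editor, not code from the action or from this PR, showing both behaviours side by side. It assumes a small Python one-liner as a stand-in for the scanner binary and uses constructed `args` strings; the real action's exact quoting rules are in its README and are not reproduced here.

```python
"""Why a free-form `args` input expanded by a shell is a command-injection
sink, and what the v6-style fix (tokenise, then exec without a shell) does.

Added example; not code from SonarSource/sonarqube-scan-action or this PR.
A Python one-liner stands in for the scanner binary (an assumption, so the
example runs anywhere); the `args` strings are constructed."""
import shlex
import subprocess
import sys
from typing import Dict, List

# Stand-in for `sonar-scanner`: prints each argv element on its own line.
PRINT_ARGV = "import sys; print(chr(10).join(sys.argv[1:]))"


def run_via_shell(args: str) -> List[str]:
    """Pre-v6 style: splice the raw input into a shell command line.

    The shell parses the whole string, so `$(...)`, backticks, `;` and `&&`
    inside `args` are executed. The caller's data has become code.
    """
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(PRINT_ARGV)} {args}"
    res = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return res.stdout.splitlines()


def split_args(args: str) -> List[str]:
    """v6 style: apply shell-like quoting rules in-process, never call a shell.

    Quotes group words ("-Dk=a b" is one token); everything else is literal,
    so `$(...)` is just characters. Unbalanced quotes raise ValueError, which
    is the right failure mode for a malformed workflow input: fail the step
    rather than guess.
    """
    return shlex.split(args)


def run_as_argv(args: str) -> List[str]:
    """Spawn the program with an argv list. No shell ever sees the input, so
    metacharacters reach the program as plain argument bytes."""
    argv = [sys.executable, "-c", PRINT_ARGV, *split_args(args)]
    res = subprocess.run(argv, capture_output=True, text=True)
    return res.stdout.splitlines()


# Constructed inputs: a legitimate args string, and one carrying a payload.
BENIGN = '-Dsonar.projectKey=demo "-Dsonar.projectName=My Project"'
PAYLOAD = '-Dsonar.projectKey=demo $(echo INJECTED)'


def compare() -> Dict[str, List[str]]:
    """Return what each execution strategy actually handed to the program."""
    return {
        "shell_benign": run_via_shell(BENIGN),
        "shell_payload": run_via_shell(PAYLOAD),
        "argv_benign": run_as_argv(BENIGN),
        "argv_payload": run_as_argv(PAYLOAD),
    }


if __name__ == "__main__":
    for name, received in compare().items():
        print(f"{name:14s} {received}")
```

Both strategies agree on the benign input, which is why the hole went unnoticed: the difference only shows on the payload, where the shell path runs `echo` and hands the program `INJECTED`, while the argv path hands it the literal tokens `$(echo` and `INJECTED)`. The quoting change the notes warn about is the flip side of the same design: quotes are now consumed by the tokeniser instead of by Bash, so an `args` value that relied on Bash expansion (variables, globs, `$(...)`) stops working on purpose, and a value containing spaces must be quoted inside the YAML string itself.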