
chore(deps): Update GitHub Actions #51

Open

williaby wants to merge 1 commit into main from renovate/github-actions

Conversation

@williaby williaby commented Jun 11, 2026

Contributor

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Package                               Change             Type    Update
ByronWilliamsCPA/.github (changelog)  987d5171502ecd     action  digest
actions/attest-build-provenance       v4.1.0 -> v4.1.1   action  patch
actions/setup-python                  v6.2.0 -> v6.3.0   action  minor

(The Age, Adoption, Passing, Confidence and OpenSSF Scorecard columns were rendered as badge images.)

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes


Release Notes

actions/attest-build-provenance (actions/attest-build-provenance)

v4.1.1

Compare Source

Note: As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

Full Changelog: actions/attest-build-provenance@v4.1.0...v4.1.1

actions/setup-python (actions/setup-python)

v6.3.0

Compare Source

What's Changed
Enhancement
Dependency update
Documentation
New Contributors

Full Changelog: actions/setup-python@v6...v6.3.0


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "after 10pm every weekday,before 5am every weekday,every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Copilot AI review requested due to automatic review settings June 11, 2026 02:13

coderabbitai Bot commented Jun 11, 2026


Walkthrough

Thirteen CI workflow files each update one or more pinned commit SHAs: reusable org-level workflow references are bumped to 83cc3919ba606da9459a7e0fa7e2a121e1aae3d5, actions/setup-python is updated to v6.3.0, and actions/attest-build-provenance is updated to v4.1.1.

CI Workflow SHA Bumps

Layer: Reusable workflow and action SHA bumps
File(s): .github/workflows/codecov.yml, .github/workflows/codeql.yml, .github/workflows/coverage.yml, .github/workflows/docs.yml, .github/workflows/fips-compatibility.yml, .github/workflows/mutation-testing.yml, .github/workflows/pr-validation.yml, .github/workflows/python-compatibility.yml, .github/workflows/qlty.yml, .github/workflows/sbom.yml, .github/workflows/slsa-provenance.yml, .github/workflows/sonarcloud.yml
Summary: Pinned SHA references for org-level reusable workflows updated to 83cc391...; actions/setup-python bumped to v6.3.0; actions/attest-build-provenance bumped to v4.1.1.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

ci

🐇 A hop, a skip, a SHA update so neat,
The workflows all march to a pinned new beat.
v6.3.0 for Python, provenance v4.1.1 too,
The reusable workflows gleam fresh and new.
Bunny stamps the CI with a satisfied paw! 🐾

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name                  Status     Explanation
Title check                 ✅ Passed  The title accurately summarizes the main change: updating GitHub Actions dependencies across workflows.
Docstring Coverage          ✅ Passed  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check         ✅ Passed  Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check  ✅ Passed  Check skipped because no linked issues were found for this pull request.
Description Check           ✅ Passed  Check skipped - CodeRabbit's high-level summary is enabled.

Copilot AI left a comment


Pull request overview

This PR updates the pinned commit SHA references for several org-level reusable GitHub Actions workflows (ByronWilliamsCPA/.github) from 987d517… to 7198a49…, keeping CI/security automation aligned with the latest patch-level fixes.

Changes:

  • Bumped the referenced digest for the shared python-* reusable workflows across CI-adjacent pipelines (SonarCloud, SLSA provenance, SBOM, coverage uploads, docs, compatibility, etc.).
  • No workflow logic or inputs were changed in this repo—only the pinned workflow revision.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.

Summary per file

File                                        Description
.github/workflows/sonarcloud.yml            Update reusable workflow pin for SonarCloud analysis.
.github/workflows/slsa-provenance.yml       Update reusable workflow pin for SLSA provenance generation.
.github/workflows/sbom.yml                  Update reusable workflow pin for SBOM generation/security scan.
.github/workflows/qlty.yml                  Update reusable workflow pin for Qlty coverage upload.
.github/workflows/python-compatibility.yml  Update reusable workflow pin for compatibility matrix runs.
.github/workflows/pr-validation.yml         Update reusable workflow pin for supplemental PR checks.
.github/workflows/mutation-testing.yml      Update reusable workflow pin for mutation testing.
.github/workflows/fips-compatibility.yml    Update reusable workflow pin for FIPS compatibility checks.
.github/workflows/docs.yml                  Update reusable workflow pin for docs build/deploy.
.github/workflows/coverage.yml              Update reusable workflow pin for Qlty coverage upload (post-CI).
.github/workflows/codecov.yml               Update reusable workflow pin for Codecov coverage upload.


codecov Bot commented Jun 11, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


@williaby williaby force-pushed the renovate/github-actions branch from a285c62 to 4fcf889 Compare June 11, 2026 05:17
@williaby williaby changed the title chore(deps): Update GitHub Actions to 7198a49 chore(deps): Update GitHub Actions to bde8fc0 Jun 11, 2026
@williaby williaby force-pushed the renovate/github-actions branch from 4fcf889 to 526af99 Compare June 12, 2026 05:14
@williaby williaby changed the title chore(deps): Update GitHub Actions to bde8fc0 chore(deps): Update GitHub Actions to d88dd03 Jun 12, 2026
@williaby williaby force-pushed the renovate/github-actions branch from 526af99 to d5cf124 Compare June 14, 2026 11:14
@williaby williaby changed the title chore(deps): Update GitHub Actions to d88dd03 chore(deps): Update GitHub Actions to 01bb574 Jun 14, 2026
@williaby williaby force-pushed the renovate/github-actions branch from d5cf124 to f86ae6a Compare June 19, 2026 17:18
@williaby williaby changed the title chore(deps): Update GitHub Actions to 01bb574 chore(deps): Update GitHub Actions to aa39893 Jun 19, 2026
@williaby williaby force-pushed the renovate/github-actions branch from f86ae6a to 3163077 Compare June 19, 2026 20:15
@williaby williaby changed the title chore(deps): Update GitHub Actions to aa39893 chore(deps): Update GitHub Actions to 3542af7 Jun 19, 2026
@williaby williaby force-pushed the renovate/github-actions branch from 3163077 to f2b59df Compare June 19, 2026 23:13
@williaby williaby changed the title chore(deps): Update GitHub Actions to 3542af7 chore(deps): Update GitHub Actions to 58cb184 Jun 19, 2026
@williaby williaby force-pushed the renovate/github-actions branch from f2b59df to b30d141 Compare June 20, 2026 05:19
@williaby williaby changed the title chore(deps): Update GitHub Actions to 58cb184 chore(deps): Update GitHub Actions to bf4bdce Jun 20, 2026
@williaby williaby force-pushed the renovate/github-actions branch from b30d141 to e047f62 Compare June 20, 2026 23:15
@williaby williaby changed the title chore(deps): Update GitHub Actions to bf4bdce chore(deps): Update GitHub Actions to 865091c Jun 20, 2026
@williaby williaby force-pushed the renovate/github-actions branch from e047f62 to b5877f0 Compare June 21, 2026 02:16
@williaby williaby changed the title chore(deps): Update GitHub Actions to 865091c chore(deps): Update GitHub Actions to d4e2acf Jun 21, 2026
@williaby williaby force-pushed the renovate/github-actions branch from b5877f0 to 4489e10 Compare June 22, 2026 05:17
@williaby williaby changed the title chore(deps): Update GitHub Actions to d4e2acf chore(deps): Update GitHub Actions to 4acd7b6 Jun 22, 2026
@williaby williaby force-pushed the renovate/github-actions branch from 4489e10 to a1db00f Compare June 23, 2026 05:15
@williaby williaby changed the title chore(deps): Update GitHub Actions to 4acd7b6 chore(deps): Update GitHub Actions to ef10bbe Jun 23, 2026
@williaby williaby force-pushed the renovate/github-actions branch from a1db00f to 9118fa4 Compare June 24, 2026 05:18
@williaby williaby changed the title chore(deps): Update GitHub Actions to ef10bbe chore(deps): Update GitHub Actions to ea33319 Jun 24, 2026
@williaby williaby force-pushed the renovate/github-actions branch from 9118fa4 to 0292649 Compare June 26, 2026 20:17
@williaby williaby changed the title chore(deps): Update GitHub Actions to ea33319 chore(deps): Update GitHub Actions Jun 26, 2026
@williaby williaby force-pushed the renovate/github-actions branch 8 times, most recently from 7753140 to 7b7e5fc Compare June 30, 2026 17:46
@coderabbitai coderabbitai Bot added the ci label Jun 30, 2026

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/mutation-testing.yml (1)

42-53: 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Consider scoping secrets instead of secrets: inherit.

secrets: inherit (Line 53) forwards every repo/org secret to the called workflow rather than only what it needs. Since this is a same-org, SHA-pinned reusable workflow the blast radius is bounded, but passing explicit named secrets follows least-privilege and silences the zizmor secrets-inherit warning. As per path instructions, review workflows for proper secret handling.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/mutation-testing.yml around lines 42 - 53, The reusable
workflow call in mutation-testing.yml is using secrets: inherit, which passes
all available secrets instead of only the ones needed; update the workflow
invocation to pass explicit named secrets to the python-mutation.yml call and
remove the blanket inheritance, using the existing reusable-workflow
inputs/secrets mapping near the with block and secrets handling to keep
least-privilege and satisfy the secrets-inherit warning.

Sources: Path instructions, Linters/SAST tools

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1bd7a2bf-ed41-4059-9254-3d86cd3c09b6

📥 Commits

Reviewing files that changed from the base of the PR and between e3ea1fc and 7b7e5fc.

📒 Files selected for processing (12)
  • .github/workflows/codecov.yml
  • .github/workflows/codeql.yml
  • .github/workflows/coverage.yml
  • .github/workflows/docs.yml
  • .github/workflows/fips-compatibility.yml
  • .github/workflows/mutation-testing.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/python-compatibility.yml
  • .github/workflows/qlty.yml
  • .github/workflows/sbom.yml
  • .github/workflows/slsa-provenance.yml
  • .github/workflows/sonarcloud.yml
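
The walkthrough above (org-level reusable workflows and actions bumped to pinned commit SHAs) and the review comment on secrets: inherit in mutation-testing.yml describe two checks worth running locally before merging a Renovate PR like this one: that every uses: reference resolves to a full 40-hex commit SHA with a human-readable version comment, and that reusable-workflow calls forward only named secrets rather than the whole secret store. The script below is an added example, not code from this repository, Renovate, CodeRabbit or zizmor. The embedded sample workflows are constructed: the org name example-org, the secret name MUTATION_API_TOKEN, the local action path and every 40-hex digest are placeholders, not the real digests of any released action.

```python
import re

# A full 40-hex commit SHA is the only immutable form of a GitHub Actions reference;
# tags and branches can be moved after the fact.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# `uses:` as a step (leading dash) or as a job-level reusable-workflow call (no dash),
# optionally followed by the conventional `# vX.Y.Z` comment naming the pinned release.
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
# Blanket forwarding of every repo/org secret to the called workflow.
SECRETS_INHERIT = re.compile(r"^\s*secrets:\s*inherit\s*$")


def audit_workflow(text):
    """Return (line_no, finding, detail) tuples for one workflow file's text.

    Findings:
      mutable-ref              uses: pinned to a tag or branch instead of a commit SHA
      unpinned                 uses: with no @ref at all
      missing-version-comment  SHA pin without the `# vX.Y.Z` comment reviewers rely on
      secrets-inherit          `secrets: inherit` on a reusable-workflow call
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            version_comment = m.group(2)
            # Local actions and docker:// images carry no git ref to pin.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            if "@" not in ref:
                findings.append((line_no, "unpinned", ref))
                continue
            git_ref = ref.rsplit("@", 1)[1]
            if not FULL_SHA.match(git_ref):
                findings.append((line_no, "mutable-ref", ref))
            elif version_comment is None:
                findings.append((line_no, "missing-version-comment", ref))
        elif SECRETS_INHERIT.match(line):
            findings.append((line_no, "secrets-inherit", line.strip()))
    return findings


def format_report(path, findings):
    """Render findings one per line, grep-style, for a CI log or pre-commit hook."""
    return "\n".join(f"{path}:{n}: {kind}: {detail}" for n, kind, detail in findings)


# Constructed sample: the weak form, with a branch-pinned reusable workflow, a tag-pinned
# action and blanket secret forwarding. The digest is a placeholder, not a real release.
WEAK_WORKFLOW = """\
name: mutation-testing
on: [pull_request]
jobs:
  mutation:
    uses: example-org/.github/.github/workflows/python-mutation.yml@main
    with:
      python-version: "3.12"
    secrets: inherit
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v6.3.0
      - uses: ./.github/actions/local-helper
"""

# Constructed sample: the hardened form. Every remote reference is SHA-pinned with a
# version comment, and only the one secret the called workflow needs is passed.
# All digests and the secret name are placeholders.
HARDENED_WORKFLOW = """\
name: mutation-testing
on: [pull_request]
jobs:
  mutation:
    uses: example-org/.github/.github/workflows/python-mutation.yml@fedcba9876543210fedcba9876543210fedcba98 # v1.4.0
    with:
      python-version: "3.12"
    secrets:
      MUTATION_API_TOKEN: ${{ secrets.MUTATION_API_TOKEN }}
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1234567890abcdef1234567890abcdef12345678 # v4.2.2
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v6.3.0
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    print(format_report("weak.yml", audit_workflow(WEAK_WORKFLOW)))
    print("hardened findings:", audit_workflow(HARDENED_WORKFLOW))
```

Running it over a real checkout is a matter of feeding each file under .github/workflows/ to audit_workflow and failing the job when the list is non-empty; the regexes deliberately work line by line so the check does not need a YAML parser and cannot be confused by anchors or multi-document files. The version comment is checked because a bare SHA is unreviewable in a diff: without the `# v6.3.0` beside it, a reviewer cannot tell a legitimate bump from a pin to an arbitrary commit.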

@williaby williaby force-pushed the renovate/github-actions branch 2 times, most recently from f68043e to ec2043b Compare June 30, 2026 23:12
@williaby williaby force-pushed the renovate/github-actions branch from ec2043b to f592698 Compare July 1, 2026 02:14

sonarqubecloud Bot commented Jul 1, 2026
