chore(ci): bump dorny/paths-filter from 3 to 4

[dependabot]

Bumps dorny/paths-filter from 3 to 4.

Release notes

Sourced from dorny/paths-filter's releases.

v4.0.0

What's Changed

• feat: update action runtime to node24 by @​saschabratton in dorny/paths-filter#294

New Contributors

• @​saschabratton made their first contribution in dorny/paths-filter#294

Full Changelog: dorny/paths-filter@v3.0.3...v4.0.0

v3.0.3

What's Changed

• Add missing predicate-quantifier by @​wardpeet in dorny/paths-filter#279

New Contributors

• @​wardpeet made their first contribution in dorny/paths-filter#279

Full Changelog: dorny/paths-filter@v3...v3.0.3

v3.0.2

What's Changed

• feat: add config parameter for predicate quantifier by @​petermetz in dorny/paths-filter#224

New Contributors

• @​petermetz made their first contribution in dorny/paths-filter#224

Full Changelog: dorny/paths-filter@v3...v3.0.2

v3.0.1

What's Changed

• Compare base and ref when token is empty by @​frouioui in dorny/paths-filter#133

New Contributors

• @​frouioui made their first contribution in dorny/paths-filter#133

Full Changelog: dorny/paths-filter@v3...v3.0.1

Changelog

Sourced from dorny/paths-filter's changelog.

Changelog

v4.0.0

• Update action runtime to node24

v3.0.3

• Add missing predicate-quantifier

v3.0.2

• Add config parameter for predicate quantifier

v3.0.1

• Compare base and ref when token is empty

v3.0.0

• Update to Node.js 20
• Update all dependencies

v2.11.1

• Update @​actions/core to v1.10.0 - Fixes warning about deprecated set-output
• Document need for pull-requests: read permission
• Updating to actions/checkout@v3

v2.11.0

• Set list-files input parameter as not required
• Update Node.js
• Fix incorrect handling of Unicode characters in exec()
• Use Octokit pagination
• Updates real world links

v2.10.2

• Fix getLocalRef() returns wrong ref

v2.10.1

• Improve robustness of change detection

v2.10.0

• Add ref input parameter
• Fix change detection in PR when pullRequest.changed_files is incorrect

v2.9.3

• Fix change detection when base is a tag

v2.9.2

• Fix fetching git history

v2.9.1

• Fix fetching git history + fallback to unshallow repo

v2.9.0

... (truncated)

Commits

• fbd0ab8 feat: add merge_group event support
• efb1da7 feat: add dist/ freshness check to PR workflow
• d8f7b06 Merge pull request #302 from dorny/issue-299
• addbc14 Update README for v4
• 9d7afb8 Update CHANGELOG for v4.0.0
• 782470c Merge branch 'releases/v3'
• ce10459 Merge pull request #294 from saschabratton/master
• 5f40380 feat: update action runtime to node24
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

• Chores
  • Updated CI workflow tooling to latest version.

[dependabot]

Labels

The following labels could not be found: ci, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[greptile-apps]

dependabot[bot] has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.

[coderabbitai]

📝 Walkthrough

Walkthrough

The CI workflow updates the dorny/paths-filter action from v3 to v4 in the changes job. The filter configuration and downstream job dependencies remain unchanged.

Changes

CI Workflow Update

Layer / File(s)	Summary
Path filter action version update .github/workflows/ci.yml	The changes job's "Filter paths" step is updated to use dorny/paths-filter@v4 instead of @v3, maintaining the same api_or_proto glob patterns and gating the contract-tests job on the same changed paths condition.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A tiny bump from three to four,
The paths filter job will work once more,
One line changed, so swift and small,
A version leap that's good for all! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description contains release notes and changelog but omits required sections from the template like explicit Type of Change selection and mandatory security checklist confirmations.	Add Type of Change selection (mark Infrastructure/Ecosystem checkbox), complete mandatory security checklist items, and include explicit confirmation that CI security scans pass.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: bumping a GitHub Actions dependency from version 3 to 4.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/github_actions/dorny/paths-filter-4

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 23: Replace the mutable action reference dorny/paths-filter@v4 with a
pinned commit SHA: locate the uses: dorny/paths-filter@v4 line in the GitHub
Actions workflow and update it to uses: dorny/paths-filter@<full-commit-sha>
(obtain the exact SHA from the action's GitHub repo commit history or the
specific release commit) so the workflow references an immutable commit instead
of the retargetable `@v4` tag.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: f889ae48-038e-4e5e-8123-4ce2229e6883

📥 Commits

Reviewing files that changed from the base of the PR and between e9d472a and dd98632.

📒 Files selected for processing (1)

• .github/workflows/ci.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Confirm exact uses line in the workflow and surrounding context
echo "== ci.yml around Line 23 =="
nl -ba .github/workflows/ci.yml | sed -n '15,40p'

echo
echo "== All references to dorny/paths-filter in repo =="
rg -n "dorny/paths-filter" -S . || true

echo
echo "== Check for any uses: ...@<40+ hex> patterns (pinned by SHA) in ci.yml =="
rg -n "uses:\s*.+@([0-9a-f]{40,64})" .github/workflows/ci.yml || true

Repository: AIX-Format/PiWorker-OS

Length of output: 155

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== ci.yml around Line 23 =="
awk 'NR>=15 && NR<=40 {printf "%d:%s\n", NR, $0}' .github/workflows/ci.yml

echo
echo "== All references to dorny/paths-filter in repo =="
rg -n "dorny/paths-filter" -S . || true

echo
echo "== Check for any uses: ...@<40+ hex> patterns in workflow(s) =="
rg -n "uses:\s*[^@]+@[0-9a-f]{40,64}" .github/workflows/ci.yml .github/workflows || true

Repository: AIX-Format/PiWorker-OS

Length of output: 930

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== All references to dorny/paths-filter (including hidden dirs) =="
rg --hidden -n "dorny/paths-filter" . || true

echo
echo "== Any SHA-pinned dorny/paths-filter usages? =="
rg --hidden -n "dorny/paths-filter@([0-9a-f]{40,64})" .github/workflows . || true

echo
echo "== Any uses: ...@<40+ hex> patterns in workflows? =="
rg --hidden -n "uses:\s*[^@]+@[0-9a-f]{40,64}" .github/workflows . || true

Repository: AIX-Format/PiWorker-OS

Length of output: 302

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== uses: entries in .github/workflows/ci.yml =="
rg --hidden -n "^\s*uses:" .github/workflows/ci.yml

Repository: AIX-Format/PiWorker-OS

Length of output: 515

---

Pin dorny/paths-filter to a commit SHA, not the mutable @v4 tag.

Line 23 uses dorny/paths-filter@v4, which is retargetable; pin to an exact commit SHA for supply-chain hardening.

Suggested hardening change

-        uses: dorny/paths-filter@v4
+        uses: dorny/paths-filter@<full_length_commit_sha_for_v4>

🧰 Tools

🪛 zizmor (1.25.2)

[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 23, Replace the mutable action reference
dorny/paths-filter@v4 with a pinned commit SHA: locate the uses:
dorny/paths-filter@v4 line in the GitHub Actions workflow and update it to uses:
dorny/paths-filter@<full-commit-sha> (obtain the exact SHA from the action's
GitHub repo commit history or the specific release commit) so the workflow
references an immutable commit instead of the retargetable `@v4` tag.