build(deps): Bump actions/checkout from 4 to 6#21
Closed
dependabot[bot] wants to merge 58 commits into main from
Conversation
- Add Python, Rust, Java, C# SDKs (parser, evaluator, verifier, tests)
- Implement Ed25519, Merkle proof, and hash-chain crypto in all 6 SDKs
- Add shared cross-SDK crypto test vectors generated from Go
- Add landing page (docs/index.html) with interactive SPL demo
- Add GitHub Actions CI for all 6 SDKs and Pages deployment
- Update SPEC.md with crypto verification requirements
- Fix Go module path to github.com/jmcentire/agent-safe/sdk/go
- Add LICENSE (MIT), .gitignore

234 tests across 6 SDKs: TS(40), Go(41), Python(45), Rust(38), Java(35), C#(35)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add token sealing to SPEC and all 6 SDK verifiers (sealed tokens reject further attenuation)
- Add Go benchmarks: ~15μs parse+eval, ~2μs eval-only on M1
- Add TypeScript benchmarks: ~11μs parse+eval, ~2μs eval-only
- Rewrite README with "SQLite of agent authorization" positioning, local-first framing, real benchmark numbers, honest Biscuit comparison
- Rewrite landing page with performance cards, throughput argument, and honest comparison table

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add mint() and verifyToken() to all 6 SDKs (Ed25519 signing + verification)
- Add generateKeypair() to TS, Go, Python, Rust
- Add end-to-end examples (mint → verify → attenuate → seal) in TS, Go, Python
- Add GitHub Actions publish workflow (npm, PyPI, crates.io on release)
- Add CHANGELOG.md with v0.1.0 entry
- Update package metadata for npm (agent-safe-spl), PyPI, crates.io
- Update README quickstart with real install commands and usage examples
- Update landing page install commands

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The PyPI trusted publisher config requires environment: pypi in the workflow job. Without it, the OIDC claim shows environment: MISSING and the upload is rejected. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
npm and crates.io were already published locally. The workflow should not fail if a version already exists on those registries. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Renamed "Total Language" column to "Language" with descriptive values (Biscuit's Datalog is total; the old column was misleading) - Clarified Java/C# install cards as "from source" since they aren't published to Maven Central or NuGet yet Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Security fixes (all SDKs):
- Crypto predicate stubs default to false (fail-closed)
- Full-envelope signing: signature covers policy + merkle_root + hash_chain_commitment + sealed + expires (null-byte separated)
- Strict symbol resolution mode (errors on unbound symbols)
- Type-aware equality (cross-type comparisons return false)
- Max policy size enforcement (64 KB) in all parsers
- PoP binding: token-level proof-of-possession via pop_key field, createPresentationSignature(), and verification in verifyToken()
- HKDF-SHA256 per-service key derivation (zero new deps, cross-SDK parity verified)

CI & security posture:
- OpenSSF Scorecard workflow (weekly, SARIF upload)
- CodeQL scanning for JS, Go, Python, Java, C#
- Dependabot config for all 6 SDKs + GitHub Actions
- Dependency audit in CI: cargo audit, govulncheck, npm audit, pip-audit
- cargo clippy -D warnings in Rust CI, go vet in Go CI
- All GitHub Actions pinned to commit SHAs
- Workflow permissions scoped to least privilege
- SECURITY.md with vulnerability disclosure policy

SPEC.md updates:
- PoP binding section (token-level + policy-level DPoP)
- HKDF per-service key derivation section
- Type-aware equality semantics
- Max policy size recommendation
- Merkle witness distribution model

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Crypto callbacks now default to false (fail-closed). Tests that relied on the old true defaults now either assert false or provide explicit true callbacks matching the pattern already used in Go/Rust/JS/Python. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CodeQL autobuild cannot find the Java project under sdk/java/. Replace autobuild with an explicit mvn compile pointing at the pom.xml. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
security: full hardening pass across all 6 SDKs
Bumps [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) from 3.2.5 to 3.5.5.
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-3.2.5...surefire-3.5.5)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-version: 3.5.5
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [org.junit.jupiter:junit-jupiter](https://github.com/junit-team/junit-framework) from 5.10.2 to 6.0.3.
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](junit-team/junit-framework@r5.10.2...r6.0.3)

---
updated-dependencies:
- dependency-name: org.junit.jupiter:junit-jupiter
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/configure-pages](https://github.com/actions/configure-pages) from 4 to 5.
- [Release notes](https://github.com/actions/configure-pages/releases)
- [Commits](actions/configure-pages@v4...v5)

---
updated-dependencies:
- dependency-name: actions/configure-pages
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 25.3.0 to 25.3.2.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.3.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 4.3.1 to 5.1.0.
- [Release notes](https://github.com/actions/setup-dotnet/releases)
- [Commits](actions/setup-dotnet@67a3573...baa11fb)

---
updated-dependencies:
- dependency-name: actions/setup-dotnet
  dependency-version: 5.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

---
updated-dependencies:
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

---
updated-dependencies:
- dependency-name: xunit.runner.visualstudio
  dependency-version: 3.1.5
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
CodeQL autobuild cannot find Go code under sdk/go/. Add explicit setup-go and go build steps, matching the Java fix. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fix: CodeQL Go analysis custom build step
…ache.maven.plugins-maven-surefire-plugin-3.5.5 build(deps-dev): Bump org.apache.maven.plugins:maven-surefire-plugin from 3.2.5 to 3.5.5 in /sdk/java
…nit.jupiter-junit-jupiter-6.0.3 build(deps-dev): Bump org.junit.jupiter:junit-jupiter from 5.10.2 to 6.0.3 in /sdk/java
…s/configure-pages-5 build(deps): Bump actions/configure-pages from 4 to 5
…s/setup-node-6 build(deps): Bump actions/setup-node from 4 to 6
…ypes/node-25.3.2 build(deps-dev): Bump @types/node from 25.3.0 to 25.3.2 in /sdk/js
…s/setup-dotnet-5.1.0 build(deps): Bump actions/setup-dotnet from 4.3.1 to 5.1.0
…ntSafe.Spl.Tests/Microsoft.NET.Test.Sdk-18.3.0 Bump Microsoft.NET.Test.Sdk from 17.9.0 to 18.3.0
fix: replace rand with getrandom for Ed25519 key generation
fix: move language setup before CodeQL init
…ns/upload-pages-artifact-4 build(deps): Bump actions/upload-pages-artifact from 3 to 4
…ntSafe.Spl.Tests/xunit-2.9.3 Bump xunit from 2.7.0 to 2.9.3
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.32.4 to 4.32.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@4558047...89a39a4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.4
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…/codeql-action-4.32.4 build(deps): Bump github/codeql-action from 3.32.4 to 4.32.4
Bump version to 0.2.0 across all 6 SDKs. Update CHANGELOG, README test counts (249), dependency table, and landing page. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
release: v0.2.0
- Link to Signet, Tessera, BlindDB, HermesP2P from landing page and README
- Align performance comparison to 100-1,000x (was 500-2,500x on landing page) to match README's more conservative framing

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 5.1.0 to 5.2.0.
- [Release notes](https://github.com/actions/setup-dotnet/releases)
- [Commits](actions/setup-dotnet@baa11fb...c2fa09f)

---
updated-dependencies:
- dependency-name: actions/setup-dotnet
  dependency-version: 5.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [getrandom](https://github.com/rust-random/getrandom) from 0.3.4 to 0.4.2.
- [Changelog](https://github.com/rust-random/getrandom/blob/master/CHANGELOG.md)
- [Commits](rust-random/getrandom@v0.3.4...v0.4.2)

---
updated-dependencies:
- dependency-name: getrandom
  dependency-version: 0.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 25.3.2 to 25.3.3.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.3.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.4 to 4.32.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@89a39a4...c793b71)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/setup-java](https://github.com/actions/setup-java) from 4.8.0 to 5.2.0.
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](actions/setup-java@c1e3236...be666c2)

---
updated-dependencies:
- dependency-name: actions/setup-java
  dependency-version: 5.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.6.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@40f1582...4b73464)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…ns/setup-dotnet-5.2.0 build(deps): Bump actions/setup-dotnet from 5.1.0 to 5.2.0
…ndom-0.4.2 build(deps): Bump getrandom from 0.3.4 to 0.4.2 in /sdk/rust
…types/node-25.3.3 build(deps-dev): Bump @types/node from 25.3.2 to 25.3.3 in /sdk/js
…b/codeql-action-4.32.5 build(deps): Bump github/codeql-action from 4.32.4 to 4.32.5
…ns/setup-java-5.2.0 build(deps): Bump actions/setup-java from 4.8.0 to 5.2.0
…ns/setup-go-6.3.0 build(deps): Bump actions/setup-go from 5.6.0 to 6.3.0
Owner
@dependabot rebase
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
a1963c4 to 9bae145
Contributor, Author
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps actions/checkout from 4 to 6.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Commits
- de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
- 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
- 8e8c483 Clarify v6 README (#2328)
- 033fa0d Add worktree support for persist-credentials includeIf (#2327)
- c2d88d3 Update all references from v5 and v4 to v6 (#2314)
- 1af3b93 update readme/changelog for v6 (#2311)
- 71cf226 v6-beta (#2298)
- 069c695 Persist creds to a separate file (#2286)
- ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
- 08c6903 Prepare v5.0.0 release (#2238)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)