chore(deps): bump the github-actions group with 2 updates #1691
LGTM, straightforward dependabot patch bump of pinned actions/checkout (v6.0.2→v6.0.3) and github/codeql-action (v4.36.0→v4.36.1) with version comments updated correctly.
Overview
This is a Dependabot grouped update touching only four GitHub Actions workflow files (ci.yml, codeql.yml, release.yml, zizmor.yml). It bumps two pinned-by-SHA actions to their next patch versions: actions/checkout from v6.0.2 to v6.0.3, and github/codeql-action (init and analyze) from v4.36.0 to v4.36.1. Both SHA pins and trailing version comments are updated consistently across all usages.
Security risks
None of note. Both actions remain pinned by full commit SHA — the supply-chain hardening posture (SHA pinning, persist-credentials: false, minimal permissions, zizmor checks) is preserved. The checkout v6.0.3 release contains only SHA-256 git object ID handling fixes, and codeql-action v4.36.1 is documented as no user-facing changes. Neither bump alters any inputs, permissions, or secrets flow.
Level of scrutiny
Low. This is a mechanical, dependency-tracker-generated patch bump within the same major version, with no logic or configuration changes in the workflow files themselves. The SHA comments are kept in sync with the version tags, which is the convention this repo enforces (and zizmor will catch drift on the next run).
Other factors
No bugs were flagged by the upstream review system. No prior reviews or unresolved comments on this PR. CI on the PR itself will exercise the new checkout SHA on every job.
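The convention the review leans on (full-SHA pins with a trailing version comment, kept consistent across workflow files, with zizmor catching drift) can be checked locally. The following is an added example, not code from this PR or its repository; the workflow snippets, action names and SHAs are constructed placeholders.

```python
import re
from collections import defaultdict

# Matches "uses: owner/repo[/path]@ref  # comment" on one workflow line.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v\d+\.\d+\.\d+$")

def check_pins(workflows):
    """Return findings as (file, lineno, message) for a {filename: text} map.

    Flags: a ref that is not a full 40-hex commit SHA, a SHA pin with no
    version comment, and one (action, version) mapping to several SHAs.
    """
    findings = []
    pins = defaultdict(set)  # (action, version comment) -> {sha, ...}
    for fname, text in workflows.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = USES_RE.match(line)
            if not m:
                continue
            action, ref, comment = m.group("action", "ref", "comment")
            if not FULL_SHA_RE.match(ref):
                findings.append((fname, lineno, f"{action} not pinned to a full SHA: {ref}"))
            elif not comment or not VERSION_RE.match(comment):
                findings.append((fname, lineno, f"{action} SHA pin lacks a version comment"))
            else:
                pins[(action, comment)].add(ref)
    # Drift: the same action version pinned to different SHAs in different files.
    for (action, version), shas in sorted(pins.items()):
        if len(shas) > 1:
            findings.append(("*", 0, f"{action} {version} maps to {len(shas)} different SHAs"))
    return findings

# Constructed sample workflows; the SHAs are placeholders, not the real pins.
SAMPLE = {
    "ci.yml": "steps:\n  - uses: actions/checkout@" + "a" * 40 + " # v6.0.3\n"
              "    with:\n      persist-credentials: false\n",
    "codeql.yml": "steps:\n  - uses: actions/checkout@" + "a" * 40 + " # v6.0.3\n"
                  "  - uses: github/codeql-action/init@" + "b" * 40 + " # v4.36.1\n"
                  "  - uses: github/codeql-action/analyze@" + "b" * 40 + " # v4.36.1\n",
    "release.yml": "steps:\n  - uses: actions/checkout@" + "c" * 40 + " # v6.0.3\n"
                   "  - uses: example/tag-pinned-action@v4\n"
                   "  - uses: example/uncommented-action@" + "d" * 40 + "\n",
}

if __name__ == "__main__":
    for fname, lineno, msg in check_pins(SAMPLE):
        print(f"{fname}:{lineno}: {msg}")
```

Run against a real checkout by reading each `.github/workflows/*.yml` into the dictionary instead of `SAMPLE`.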
Bumps the github-actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [github/codeql-action](https://github.com/github/codeql-action).

Updates `actions/checkout` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

Updates `github/codeql-action` from 4.36.0 to 4.36.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@7211b7c...87557b9)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.36.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the github-actions group with 2 updates: actions/checkout and github/codeql-action.
Updates actions/checkout from 6.0.2 to 6.0.3
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- df4cb1c Update changelog for v6.0.3 (#2446)
- 1cce339 Fix checkout init for SHA-256 repositories (#2439)
- 900f221 fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)
- 0c366fd Update changelog (#2357)

Updates github/codeql-action from 4.36.0 to 4.36.1
Release notes
Sourced from github/codeql-action's releases.
Changelog
Sourced from github/codeql-action's changelog.
... (truncated)
Commits
- 87557b9 Merge pull request #3940 from github/update-v4.36.1-2a1689ed
- 49431011 Update changelog for v4.36.1
- 2a1689e Merge pull request #3939 from github/henrymercer/skip-overlay-revert-when-exp...
- 5245323 Disable missing diff-ranges fallback when overlay enabled manually
- d1eb120 Merge pull request #3933 from github/update-supported-enterprise-server-versions
- 115001b Merge pull request #3934 from github/dependabot/npm_and_yarn/npm-minor-86fb5c...
- cef2e7a Merge pull request #3925 from github/dependabot/github_actions/dot-github/wor...
- 5e6adf7 Merge pull request #3936 from github/dependabot/npm_and_yarn/tmp-0.2.7
- ad170e6 Merge branch 'main' into dependabot/github_actions/dot-github/workflows/actio...
- 6a37b3a Rebuild

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions