chore(deps): bump actions/checkout from 4.3.1 to 6.0.2#1
Open
dependabot[bot] wants to merge 10 commits into
Open
chore(deps): bump actions/checkout from 4.3.1 to 6.0.2#1dependabot[bot] wants to merge 10 commits into
dependabot[bot] wants to merge 10 commits into
Conversation
…pydantic dep - Homepage/Issues URLs were pointing at github.com/plusultra/... (404, wrong org slug). Replaced with github.com/plusultra-tools/... per red-team blocker A. - pydantic>=2.0 was declared but never imported anywhere in src/. Removed to avoid forcing a ~5 MB transitive dep for a feature that does not exist (red-team major B/A).
Per red-team blockers (Persona C/E #1, Persona A #2): - Replace 'zero-config validator' pitch with explicit 'scaffold, not validator' status block at the top. Almost any resource returns valid=true in v0.1; this is documented expectation. - Strike 'Hosted CI-as-a-service €19-49/mo' pricing block (no DPA, no Stripe, no legal entity; premature commercial claim). - Strike r/HL7 distribution claim (subreddit does not exist). - Add badges (CI, Python, License, Status). - Add explicit 'Use HAPI/Firely if you need real validation today' callout. - Add HL7/FHIR trademark attribution. - Drop pricing entirely until a design partner exists.
Per red-team Persona D blocker: v0.1.0 returned True for any bytes when the manifest entry was marked placeholder=true. In v0.2 (when real packs ship) this would be a supply-chain hole: an attacker re-flagging a tampered pack as placeholder bypasses verification silently. Fix: placeholder entries have NO integrity claim by construction and now always return False. Callers that want to accept a placeholder must inspect get_ig(name).placeholder explicitly; verify_pack_integrity will never assert 'verified' for them. Adds 3 regression tests covering unknown IG, default fail-closed, and opted-in path.
Per red-team Persona D major: - Pin actions/checkout@v4 to commit 34e114876b0b... (full SHA) - Pin actions/setup-python@v5 to commit a26af69be951... (full SHA) - Tag-based pinning lets a compromise of the action publisher's release tag propagate to all downstream pipelines; SHA-pinning prevents that. - Trailing comment preserves the human-readable version for review. - Add dependabot.yml so action+pip pins are kept fresh with reviewed PRs (weekly schedule, cap 5 open PRs per ecosystem).
…G date Per red-team Persona A major + Persona C blocker: - CONTRIBUTING.md was missing. New file covers dev install, test command, PHI redaction rules for bug reports, PR checklist (no real PHI, manifest sha256 either real or placeholder). - CHANGELOG was dated 2026-05-14 (workspace build date) but the repo pushed 2026-05-15. Align to actual publish date so wheel metadata matches. - Document the fail-closed change + Actions SHA-pin under Security.
Per red-team Persona D major: - Without an upper bound on resource size, a 1 GB JSON file will OOM the process. Reject anything over 100 MB by default (FHIR resources in practice are <1 MB; this is a generous Bundle ceiling). Tunable via FHIRV_MAX_RESOURCE_BYTES env var. - Reject top-level JSON arrays / scalars early (must be a resource object). Previously these would crash in validator with unhelpful tracebacks.
…handling Per red-team Persona C minor + D major + C blocker: - Note CRA Annex VII alignment from late 2027 (24h notification for actively exploited vulns); v0.1 stays at best-effort 72h pre-CRA. - Reflect the fail-closed change: placeholder packs have no integrity claim by construction. Real verification arrives with real packs in v0.2. - Mention the 100 MB input cap as partial DoS mitigation. - Forbid PHI in issues; point to CONTRIBUTING for redaction guidance.
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/checkout from 4.3.1 to 6.0.2.
Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
de0fac2Fix tag handling: preserve annotations and explicit fetch-tags (#2356)064fe7fAdd orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...8e8c483Clarify v6 README (#2328)033fa0dAdd worktree support for persist-credentials includeIf (#2327)c2d88d3Update all references from v5 and v4 to v6 (#2314)1af3b93update readme/changelog for v6 (#2311)71cf226v6-beta (#2298)069c695Persist creds to a separate file (#2286)ff7abcdUpdate README to include Node.js 24 support details and requirements (#2248)08c6903Prepare v5.0.0 release (#2238)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)