ci(deps): bump the github-actions group across 1 directory with 13 updates#13614
Bumps the github-actions group with 13 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4.3.1` | `6.0.2` |
| [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) | `6.1.0` | `6.1.1` |
| [aws-actions/amazon-ecr-login](https://github.com/aws-actions/amazon-ecr-login) | `2.1.2` | `2.1.5` |
| [aws-actions/amazon-ecs-render-task-definition](https://github.com/aws-actions/amazon-ecs-render-task-definition) | `1.8.4` | `1.8.5` |
| [aws-actions/amazon-ecs-deploy-task-definition](https://github.com/aws-actions/amazon-ecs-deploy-task-definition) | `2.6.1` | `2.6.2` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.35.1` | `4.35.3` |
| [actions/setup-node](https://github.com/actions/setup-node) | `6.3.0` | `6.4.0` |
| [pnpm/action-setup](https://github.com/pnpm/action-setup) | `5.0.0` | `6.0.5` |
| [actions/cache](https://github.com/actions/cache) | `5.0.4` | `5.0.5` |
| [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) | `3.0.1` | `3.0.3` |
| [useblacksmith/setup-docker-builder](https://github.com/useblacksmith/setup-docker-builder) | `1.6.0` | `1.8.0` |
| [useblacksmith/build-push-action](https://github.com/useblacksmith/build-push-action) | `2.1.0` | `2.2.0` |
| [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `8.0.0` | `8.1.0` |

Updates `actions/checkout` from 4.3.1 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4.3.1...de0fac2)

Updates `aws-actions/configure-aws-credentials` from 6.1.0 to 6.1.1
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases)
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md)
- [Commits](aws-actions/configure-aws-credentials@ec61189...d979d5b)

Updates `aws-actions/amazon-ecr-login` from 2.1.2 to 2.1.5
- [Release notes](https://github.com/aws-actions/amazon-ecr-login/releases)
- [Changelog](https://github.com/aws-actions/amazon-ecr-login/blob/main/CHANGELOG.md)
- [Commits](aws-actions/amazon-ecr-login@f2e9fc6...fa648b4)

Updates `aws-actions/amazon-ecs-render-task-definition` from 1.8.4 to 1.8.5
- [Release notes](https://github.com/aws-actions/amazon-ecs-render-task-definition/releases)
- [Changelog](https://github.com/aws-actions/amazon-ecs-render-task-definition/blob/master/CHANGELOG.md)
- [Commits](aws-actions/amazon-ecs-render-task-definition@77954e2...6853cfa)

Updates `aws-actions/amazon-ecs-deploy-task-definition` from 2.6.1 to 2.6.2
- [Release notes](https://github.com/aws-actions/amazon-ecs-deploy-task-definition/releases)
- [Changelog](https://github.com/aws-actions/amazon-ecs-deploy-task-definition/blob/master/CHANGELOG.md)
- [Commits](aws-actions/amazon-ecs-deploy-task-definition@fc8fc60...a310a83)

Updates `github/codeql-action` from 4.35.1 to 4.35.3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@c10b806...e46ed2c)

Updates `actions/setup-node` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@53b8394...48b55a0)

Updates `pnpm/action-setup` from 5.0.0 to 6.0.5
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](pnpm/action-setup@fc06bc1...8912a91)

Updates `actions/cache` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@6682284...27d5ce7)

Updates `slackapi/slack-github-action` from 3.0.1 to 3.0.3
- [Release notes](https://github.com/slackapi/slack-github-action/releases)
- [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md)
- [Commits](slackapi/slack-github-action@af78098...45a88b9)

Updates `useblacksmith/setup-docker-builder` from 1.6.0 to 1.8.0
- [Release notes](https://github.com/useblacksmith/setup-docker-builder/releases)
- [Commits](useblacksmith/setup-docker-builder@5241b2e...722e97d)

Updates `useblacksmith/build-push-action` from 2.1.0 to 2.2.0
- [Release notes](https://github.com/useblacksmith/build-push-action/releases)
- [Commits](useblacksmith/build-push-action@cbd1f60...fb9e3e6)

Updates `astral-sh/setup-uv` from 8.0.0 to 8.1.0
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@cec2083...0880764)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-node
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: aws-actions/amazon-ecr-login
  dependency-version: 2.1.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: aws-actions/amazon-ecs-deploy-task-definition
  dependency-version: 2.6.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: aws-actions/amazon-ecs-render-task-definition
  dependency-version: 1.8.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: aws-actions/configure-aws-credentials
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: pnpm/action-setup
  dependency-version: 6.0.5
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: slackapi/slack-github-action
  dependency-version: 3.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: useblacksmith/build-push-action
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: useblacksmith/setup-docker-builder
  dependency-version: 1.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
18ddc57 to 7f2c118
Co-Authored-By: Codex Opus 4.6 (1M context) <noreply@anthropic.com>
@claude review
The mismatch I flagged on the prior revision has been resolved (the stale / comments on the zizmor-suffixed lines were stripped; cache-disabled variants kept and bumped their version comments). Dependabot group bump on CI workflows only — LGTM.
Extended reasoning...
Overview
Pure CI/CD dependency bump touching 8 workflow files under .github/workflows/ — 13 grouped updates ranging from patch bumps (aws-actions/*, codeql-action, setup-uv, setup-node, actions/cache) to major bumps (actions/checkout v4→v6, pnpm/action-setup v5→v6, useblacksmith/setup-docker-builder v1.6→v1.8). All actions are SHA-pinned. No production code, application config, or release/publishing logic semantics are changed by this PR — only the SHAs/comments referencing third-party action versions.
Security risks
The supply-chain hygiene mechanism here is SHA-pinning + a human-verifiable # vX.Y.Z comment. On the prior revision, several SHAs on pipeline.yml lines that also carried trailing # zizmor: ignore[cache-poisoning] ... directives were bumped but the version comment was left at the old value, producing 11+ zizmor "pin has mismatched or missing version comment" findings. The current revision resolves these by removing the now-stale # v6.3.0 / # v5.0.4 comment on those specific lines (leaving just SHA # zizmor: ignore[...] ...); the cache-disabled variants kept the version comment and bumped it correctly to # v6.4.0. All 11+ zizmor alerts are now marked resolved on the PR. Resolution is comment-only and runtime-equivalent.
Level of scrutiny
Low — config-only PR limited to .github/workflows/, no application or release code is altered. Major-version bumps (actions/checkout v4→v6, pnpm/action-setup v5→v6) are notable but: actions/checkout v5/v6 are Node-24-runtime updates + a credentials-storage refactor (not used in an interactive way here), and pnpm/action-setup v6 adds pnpm v11 support but the workflows pin pnpm 10.33.0 explicitly via version: 10.33.0, so the major bump is binary-only and version-pinned. useblacksmith/* bumps are minor.
Other factors
PR carries the lgtm label, size:XS, and was raised by Dependabot. CI checks are running. The user (wochinge) explicitly requested re-review after the prior version-comment fix landed. My prior bug-report inline comment is marked resolved and the underlying zizmor findings are no longer flagged.
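The SHA-pin plus `# vX.Y.Z` comment convention the review relies on can be checked mechanically before a bump is merged. The Python below is an added example, not code from this PR or from zizmor: it is a simplified stand-in for zizmor's version-comment audit that also treats a missing comment as a finding, and the workflow lines, placeholder SHAs and expected-version map it scans are constructed for the demonstration.

```python
import re

# A `uses:` line, e.g. `- uses: owner/repo@<40-hex> # v1.2.3 # zizmor: ignore[...]`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"\bv?(\d+\.\d+\.\d+)\b")
ZIZMOR_DIRECTIVE_RE = re.compile(r"zizmor:\s*ignore\[[^\]]*\]")


def check_pins(workflow_text, expected):
    """Return (line_no, action, finding) tuples for every `uses:` line that is
    not SHA-pinned, lacks a version comment, or whose comment disagrees with
    `expected` (action name -> version the pinned SHA is supposed to carry)."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        if not FULL_SHA_RE.match(ref):
            findings.append((no, action, "not pinned to a full commit SHA"))
            continue
        # Linter directives share the comment; drop them before looking for vX.Y.Z.
        comment = ZIZMOR_DIRECTIVE_RE.sub("", m.group("comment") or "")
        vm = VERSION_RE.search(comment)
        want = expected.get(action)
        if vm is None:
            findings.append((no, action, "missing version comment"))
        elif want and vm.group(1) != want:
            findings.append((no, action, f"version comment v{vm.group(1)} != expected v{want}"))
    return findings


# Constructed sample (placeholder SHAs): one correct pin, one stale comment on a
# zizmor-suffixed line, one comment-less pin and one tag (unpinned) reference.
SAMPLE_WORKFLOW = f"""\
steps:
  - uses: actions/checkout@{'a' * 40} # v6.0.2
  - uses: actions/setup-node@{'b' * 40} # v6.3.0 # zizmor: ignore[cache-poisoning]
  - uses: actions/cache@{'c' * 40} # zizmor: ignore[cache-poisoning]
  - uses: pnpm/action-setup@v6
"""
EXPECTED = {"actions/checkout": "6.0.2", "actions/setup-node": "6.4.0", "actions/cache": "5.0.5"}

if __name__ == "__main__":
    for no, action, finding in check_pins(SAMPLE_WORKFLOW, EXPECTED):
        print(f"line {no}: {action}: {finding}")
```

The `expected` map is what a reviewer would fill from the Dependabot table above, so a bump that moves the SHA but leaves the comment behind fails the check rather than being spotted by eye.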
Updates `actions/checkout` from 4.3.1 to 6.0.2

Commits
- de0fac2 Fix tag handling: preserve annotations and explicit fetch-tags (#2356)
- 064fe7f Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...
- 8e8c483 Clarify v6 README (#2328)
- 033fa0d Add worktree support for persist-credentials includeIf (#2327)
- c2d88d3 Update all references from v5 and v4 to v6 (#2314)
- 1af3b93 update readme/changelog for v6 (#2311)
- 71cf226 v6-beta (#2298)
- 069c695 Persist creds to a separate file (#2286)
- ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
- 08c6903 Prepare v5.0.0 release (#2238)

Updates `aws-actions/configure-aws-credentials` from 6.1.0 to 6.1.1

Commits
- d979d5b chore: release 6.1.1 (#1757)
- d4a9acd chore: Update dist
- fc44f4a chore(deps): bump @aws-sdk/client-sts from 3.1033.0 to 3.1038.0 (#1749)
- 0b8336f chore: Update dist
- 8c5bf33 chore(deps-dev): bump @aws-sdk/credential-provider-env (#1751)
- 53df0c1 chore: Update dist
- c2c5582 chore(deps): bump @smithy/node-http-handler from 4.6.0 to 4.6.1 (#1750)
- bd0031d chore(deps): bump postcss from 8.5.6 to 8.5.12 (#1752)
- 6ab499a chore(deps-dev): bump @biomejs/biome from 2.4.12 to 2.4.13 (#1747)
- bc94895 chore(deps-dev): bump @biomejs/biome from 2.4.11 to 2.4.12 (#1739)

Updates `aws-actions/amazon-ecr-login` from 2.1.2 to 2.1.5

Commits
- fa648b4 chore(release): 2.1.5
- 3dfe08d chore: Update dist (#1052)
- 5607af0 chore(deps-dev): bump globals from 17.5.0 to 17.6.0 (#1044)
- dca3c95 chore(deps): bump @aws-sdk/client-ecr-public from 3.1038.0 to 3.1043.0 (#1041)
- 0d5643a chore: Update dist (#1048)
- 4555c24 chore(deps): bump @aws-sdk/credential-providers (#1043)
- 7d5c14d chore(deps-dev): bump eslint from 10.2.1 to 10.3.0 (#1042)
- e7f36a1 chore(deps): bump @aws-sdk/client-ecr from 3.1038.0 to 3.1043.0 (#1040)
- 9e3a847 chore: Update dist (#1038)
- 827d1a8 chore(deps): bump @aws-sdk/client-ecr-public from 3.1034.0 to 3.1038.0 (#1032)

Updates `aws-actions/amazon-ecs-render-task-definition` from 1.8.4 to 1.8.5

Commits
- 6853cfa chore(release): 1.8.5
- 46a24f1 fix: allow secrets to render without environment-variables (#464)
- cdf43c3 chore: Bump picomatch from 2.3.1 to 2.3.2 (#460)

Updates `aws-actions/amazon-ecs-deploy-task-definition` from 2.6.1 to 2.6.2

Commits
- a310a83 chore(release): 2.6.2
- d46c585 fix: Detect deployment rollback after service stabilization (#860)

Updates `github/codeql-action` from 4.35.1 to 4.35.3

Commits
- e46ed2c Merge pull request #3867 from github/update-v4.35.3-8c6e48dbe
- b73d1d1 Add changelog entry for #3853
- 24e0bb0 Reorder changelog entries
- ec298da Update changelog for v4.35.3
- 8c6e48d Merge pull request #3865 from github/update-bundle/codeql-bundle-v2.25.3
- 7190983 Add changelog note
- 2bb2095 Update default bundle to codeql-bundle-v2.25.3
- 7851e55 Merge pull request #3850 from github/mbg/private-registry/cloudsmith-gcp
- 262a15f Add generic non-printable chars test for OIDC configs
- a6109b1 Merge pull request #3853 from github/mbg/start-proxy/improved-checks

Updates `actions/setup-node` from 6.3.0 to 6.4.0

Commits
- 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
- ab72c7e Upgrade @actions dependencies (#1525)

Updates `pnpm/action-setup` from 5.0.0 to 6.0.5

Commits
- 8912a91 fix: append (not prepend) action node dir to PATH for npm bootstrap (#241)
- 26f6d4f fix: use npm co-located with the action node binary (#239)
- 903f9c1 fix: update pnpm to 11.0.0-rc.5
- bdf0af2 test: add strict version-match jobs to reproduce #225 / #227
- 71c9247 fix: pnpm self-update binary shadowed by bootstrap on PATH (#230)