chore(deps): bump the github-actions group across 1 directory with 6 updates#1861
Merged
Merged
Conversation
Contributor
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
b552ede to
d127bd6
Compare
…updates Bumps the github-actions group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `4` | `7` | | [actions/cache](https://github.com/actions/cache) | `5` | `6` | | [actions/setup-node](https://github.com/actions/setup-node) | `4` | `6` | | [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) | `1.0.140` | `1.0.165` | | [sigstore/gh-action-sigstore-python](https://github.com/sigstore/gh-action-sigstore-python) | `3.3.0` | `3.4.0` | | [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `5` | `7` | Updates `actions/checkout` from 4 to 7 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v7) Updates `actions/cache` from 5 to 6 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@v5...v6) Updates `actions/setup-node` from 4 to 6 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@v4...v6) Updates `anthropics/claude-code-action` from 1.0.140 to 1.0.165 - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@fbda2eb...558b1d6) Updates `sigstore/gh-action-sigstore-python` from 3.3.0 to 3.4.0 - [Release notes](https://github.com/sigstore/gh-action-sigstore-python/releases) - [Changelog](https://github.com/sigstore/gh-action-sigstore-python/blob/main/CHANGELOG.md) - [Commits](sigstore/gh-action-sigstore-python@v3.3.0...v3.4.0) Updates `astral-sh/setup-uv` from 5 to 7 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@v5...v7) --- updated-dependencies: - dependency-name: actions/cache dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/setup-node dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: anthropics/claude-code-action dependency-version: 1.0.157 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: astral-sh/setup-uv dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: sigstore/gh-action-sigstore-python dependency-version: 3.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
d127bd6 to
a86e4e0
Compare
This was referenced Jul 6, 2026
Collaborator
|
All six action bumps check out as safe for how this repo uses them, and all nine red checks are pre-existing on main (or by-design placeholders) — none is caused by this PR.
🔍 Failing-check triage (all verified against main baselines, with runs)
Verified by reading each bump's release notes against actual usage across the 52 workflows, plus per-check log comparison between this PR's runs and main's most recent runs of the same workflows. |
itomek
pushed a commit
that referenced
this pull request
Jul 6, 2026
The BUNDLED_UV_SHA256["mac-arm64"] pin captured a post-codesign digest, but electron-builder ad-hoc-signs the bundled uv on every CI build (no Developer ID cert configured), and ad-hoc codesign output depends on the codesign/Xcode toolchain baked into the GitHub-hosted macos-latest runner image. That image floats between macos-15-arm64 and macos-26-arm64, producing two different digests for byte-identical source — confirmed across dmg-structural-smoke runs on PRs #1861, #1886, and #1926. A fixed pin is therefore not deterministic on macOS: it fails roughly half of CI runs, and a shipped DMG whose signing output mismatches the baked-in pin would hard-fail ensureUv() on a user's first launch. Replace the fixed digest with `codesign --verify --strict` in both ensureUv() (runtime) and the dmg-structural-smoke helper (CI), matching the check to what's actually deterministic: the signature's structural validity, not its exact bytes. Ad-hoc signatures pass this check; tampered or corrupted binaries still fail it, preserving the fail-loud guarantee. linux-x64/win-x64 keep their existing SHA256 pins, which are genuinely deterministic there (no post-build re-signing).
pull Bot
pushed a commit
to bhardwajRahul/gaia
that referenced
this pull request
Jul 6, 2026
…sign SHA pin (amd#1926) The "DMG structural smoke" check fails on roughly half of CI runs — including Dependabot PRs amd#1861 and amd#1886 — and, worse, any shipped DMG built on the "other" runner image would hard-fail `ensureUv()` on a user's first launch. Root cause: `BUNDLED_UV_SHA256["mac-arm64"]` pins the POST-codesign digest of the bundled uv, but every CI build ad-hoc-signs it (`identity=-`), and ad-hoc codesign output differs by the Xcode/codesign toolchain in the floating `macos-latest` image. Observed bimodal digests on byte-identical source: `macos-26-arm64` images → `7ad94b65…`, `macos-15-arm64` → `6099aa8c…`. No fixed pin can survive an image rollover. This replaces the mac pin with `codesign --verify --strict` in both `ensureUv()` (runtime: bundled resource, install, and warm-cache paths) and the dmg-structural-smoke helper — deterministic across runner images, still fail-loud with the same actionable `InstallError` on corruption or tampering. linux-x64 / win-x64 keep their SHA256 pins (deterministic there — no post-build re-signing). Supply-chain integrity for the mac binary remains enforced at build time by the existing upstream-tarball SHA256 verification in build-installers.yml. **Reviewer tradeoff to weigh:** `codesign --verify` proves the binary is intact and validly signed, but unlike the old pin it does not tie the warm-cached copy in `~/.gaia/bin` to the exact shipped bytes (a local attacker able to replace the file could re-sign ad-hoc). If that matters, a follow-up could record the install-time digest and re-verify it on cache reuse (TOFU) — kept out of scope here to fix the release-breaking nondeterminism first. ## Test plan - [x] Empirical codesign behavior: ad-hoc-signed binary passes `--verify --strict`; byte-flipped binary fails with "invalid signature" (scratch harness against the real `ensureUv()` code path — first-install, warm-cache reuse, and tamper/fail-loud paths all verified) - [x] `node --check` on all touched files; `tests/electron` jest suite 626/627 (the 1 failure is the pre-existing title assertion, fixed separately in amd#1927) - [x] "DMG structural smoke" green on this PR's build-installers run — this exercises the new verification against a real CI-built DMG, on whichever runner image the job lands Co-authored-by: Tomasz Iniewicz <tomasz@iniewicz.com>
pull Bot
pushed a commit
to bhardwajRahul/gaia
that referenced
this pull request
Jul 6, 2026
…md#1927) "Test Electron Framework" has been red on main and every PR since 2026-06-22: amd#1750 renamed the Agent UI window title to "GAIA Agent UI", but `test_electron_chat_app.js` still expects `<title>GAIA</title>`. This aligns the assertion with the actual title — the same suite already asserts `displayName: 'GAIA Agent UI'`, so the rename was clearly intentional. Unblocks the check on Dependabot PRs amd#1803, amd#1805, amd#1861 among others. ## Test plan - [x] `npx jest test_electron_chat_app.js` locally: 196/196 pass with the fix (previously 195/196) - [ ] "Test Electron Framework" green on this PR Co-authored-by: Tomasz Iniewicz <tomasz@iniewicz.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the github-actions group with 6 updates in the / directory:
4756461.0.1401.0.1653.3.03.4.057Updates
actions/checkoutfrom 4 to 7Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)df4cb1cUpdate changelog for v6.0.3 (#2446)Updates
actions/cachefrom 5 to 6Release notes
Sourced from actions/cache's releases.
... (truncated)
Changelog
Sourced from actions/cache's changelog.
... (truncated)
Commits
55cc834Merge pull request #1768 from jasongin/readonly-cached8cd72fBump@actions/cacheto v6.1.0 - handle cache write error due to RO token2c8a9bdMerge pull request #1760 from actions/samirat/esm_migration_and_package_updatee9b91fdPrettier fixese4884b8Rebuild dist10baf01Fixed licensese39b386Fix test mock return orderb692820PR feedback6074912Rebuild dist bundles as ESM to match type:module5a912e8Fix lint and jest issuesUpdates
actions/setup-nodefrom 4 to 6Release notes
Sourced from actions/setup-node's releases.
... (truncated)
Commits
48b55a0Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)ab72c7eUpgrade@actionsdependencies (#1525)53b8394Bump minimatch from 3.1.2 to 3.1.5 (#1498)54045abScope test lockfiles by package manager and update cache tests (#1495)c882bffReplace uuid with crypto.randomUUID() (#1378)774c1d6feat(node-version-file): support parsingdevEnginesfield (#1283)efcb663fix: remove hardcoded bearer (#1467)d02c89dFix npm audit issues (#1491)6044e13Docs: bump actions/checkout from v5 to v6 (#1468)8e49463Fix README typo (#1226)Updates
anthropics/claude-code-actionfrom 1.0.140 to 1.0.165Release notes
Sourced from anthropics/claude-code-action's releases.
... (truncated)
Commits
558b1d6chore: bump Claude Code to 2.1.201 and Agent SDK to 0.3.20101872ccchore: bump Claude Code to 2.1.200 and Agent SDK to 0.3.200769e3bdchore: bump Claude Code to 2.1.199 and Agent SDK to 0.3.1996c0083bchore: bump Claude Code to 2.1.198 and Agent SDK to 0.3.198846d5d8Add agent-approval-check composite action (#1429)fad22ebchore: bump Claude Code to 2.1.197 and Agent SDK to 0.3.1974633bafchore: bump Claude Code to 2.1.196 and Agent SDK to 0.3.196a92e7c7chore: bump Claude Code to 2.1.195 and Agent SDK to 0.3.195f8076dcfix: bound app token revocation cleanup (#1437)5211368chore: bump Claude Code to 2.1.193 and Agent SDK to 0.3.193Updates
sigstore/gh-action-sigstore-pythonfrom 3.3.0 to 3.4.0Release notes
Sourced from sigstore/gh-action-sigstore-python's releases.
Commits
5b79a39build(deps): bump sigstore in the python-dependencies group (#408)3d7f17bbuild(deps): bump idna in the python-dependencies group (#407)2d128b7build(deps): bump github/codeql-action in the actions group (#405)06882d3build(deps): bump the python-dependencies group with 3 updates (#406)bab6f77build(deps): bump the actions group across 1 directory with 3 updates (#403)f98c429build(deps): bump securesystemslib in the python-dependencies group (#404)db9196ebuild(deps): bump the python-dependencies group across 1 directory with 3 upd...839093dbuild(deps): bump certifi from 2026.4.22 to 2026.5.20 in the python-dependenc...d9df9dabuild(deps): bump ast-serialize in the python-dependencies group (#397)2f7a761build(deps): bump github/codeql-action in the actions group (#395)Updates
astral-sh/setup-uvfrom 5 to 7Release notes
Sourced from astral-sh/setup-uv's releases.
... (truncated)
Commits
37802adFetch uv from Astral's mirror by default (#809)9f00d18chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 (#808)fd8f376Switch to ESM for source and test, use CommonJS for dist (#806)f9070deBump deps (#805)cadb67bchore: update known checksums for 0.10.10 (#804)e06108dUse astral-sh/versions as primary version provider (#802)0f6ec07docs: replace copilot instructions with AGENTS.md (#794)821e5c9docs: add cross-client dependabot rollup skill (#793)6ee6290chore(deps): bump versions (#792)9f332a1Add riscv64 architecture support to platform detection (#791)