Skip to content

chore(deps): bump the github-actions group across 1 directory with 6 updates#1861

Merged
itomek merged 2 commits into
mainfrom
dependabot/github_actions/github-actions-573a976318
Jul 6, 2026
Merged

chore(deps): bump the github-actions group across 1 directory with 6 updates#1861
itomek merged 2 commits into
mainfrom
dependabot/github_actions/github-actions-573a976318

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 25, 2026

Copy link
Copy Markdown
Contributor

Bumps the github-actions group with 6 updates in the / directory:

Package From To
actions/checkout 4 7
actions/cache 5 6
actions/setup-node 4 6
anthropics/claude-code-action 1.0.140 1.0.165
sigstore/gh-action-sigstore-python 3.3.0 3.4.0
astral-sh/setup-uv 5 7

Updates actions/checkout from 4 to 7

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Updates actions/cache from 5 to 6

Release notes

Sourced from actions/cache's releases.

v6.0.0

What's Changed

Full Changelog: actions/cache@v5...v6.0.0

v5.1.0

What's Changed

Full Changelog: actions/cache@v5...v5.1.0

v5.0.5

What's Changed

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

What's Changed

New Contributors

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

What's Changed

Full Changelog: actions/cache@v5...v5.0.3

v.5.0.2

v5.0.2

What's Changed

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE] Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

6.1.0

6.0.0

  • Updated @actions/cache to ^6.0.1, @actions/core to ^3.0.1, @actions/exec to ^3.0.0, @actions/io to ^3.0.2
  • Migrated to ESM module system
  • Upgraded Jest to v30 and test infrastructure to be ESM compatible

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

... (truncated)

Commits
  • 55cc834 Merge pull request #1768 from jasongin/readonly-cache
  • d8cd72f Bump @​actions/cache to v6.1.0 - handle cache write error due to RO token
  • 2c8a9bd Merge pull request #1760 from actions/samirat/esm_migration_and_package_update
  • e9b91fd Prettier fixes
  • e4884b8 Rebuild dist
  • 10baf01 Fixed licenses
  • e39b386 Fix test mock return order
  • b692820 PR feedback
  • 6074912 Rebuild dist bundles as ESM to match type:module
  • 5a912e8 Fix lint and jest issues
  • Additional commits viewable in compare view

Updates actions/setup-node from 4 to 6

Release notes

Sourced from actions/setup-node's releases.

v6.0.0

What's Changed

Breaking Changes

Dependency Upgrades

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

What's Changed

Breaking Changes

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

New Contributors

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

... (truncated)

Commits

Updates anthropics/claude-code-action from 1.0.140 to 1.0.165

Release notes

Sourced from anthropics/claude-code-action's releases.

v1.0.165

Full Changelog: anthropics/claude-code-action@v1...v1.0.165

v1.0.164

Full Changelog: anthropics/claude-code-action@v1...v1.0.164

v1.0.163

Full Changelog: anthropics/claude-code-action@v1...v1.0.163

v1.0.162

What's Changed

Full Changelog: anthropics/claude-code-action@v1...v1.0.162

v1.0.161

Full Changelog: anthropics/claude-code-action@v1...v1.0.161

v1.0.160

Full Changelog: anthropics/claude-code-action@v1...v1.0.160

v1.0.159

What's Changed

New Contributors

Full Changelog: anthropics/claude-code-action@v1...v1.0.159

v1.0.158

Full Changelog: anthropics/claude-code-action@v1...v1.0.158

v1.0.157

Full Changelog: anthropics/claude-code-action@v1...v1.0.157

v1.0.156

Full Changelog: anthropics/claude-code-action@v1...v1.0.156

v1.0.155

What's Changed

New Contributors

... (truncated)

Commits
  • 558b1d6 chore: bump Claude Code to 2.1.201 and Agent SDK to 0.3.201
  • 01872cc chore: bump Claude Code to 2.1.200 and Agent SDK to 0.3.200
  • 769e3bd chore: bump Claude Code to 2.1.199 and Agent SDK to 0.3.199
  • 6c0083b chore: bump Claude Code to 2.1.198 and Agent SDK to 0.3.198
  • 846d5d8 Add agent-approval-check composite action (#1429)
  • fad22eb chore: bump Claude Code to 2.1.197 and Agent SDK to 0.3.197
  • 4633baf chore: bump Claude Code to 2.1.196 and Agent SDK to 0.3.196
  • a92e7c7 chore: bump Claude Code to 2.1.195 and Agent SDK to 0.3.195
  • f8076dc fix: bound app token revocation cleanup (#1437)
  • 5211368 chore: bump Claude Code to 2.1.193 and Agent SDK to 0.3.193
  • Additional commits viewable in compare view

Updates sigstore/gh-action-sigstore-python from 3.3.0 to 3.4.0

Release notes

Sourced from sigstore/gh-action-sigstore-python's releases.

v3.4.0

What's Changed

  • Used sigstore package version is now 4.3.0
  • Other dependency updates

Full Changelog: sigstore/gh-action-sigstore-python@v3.3.0...v3.4.0

Commits
  • 5b79a39 build(deps): bump sigstore in the python-dependencies group (#408)
  • 3d7f17b build(deps): bump idna in the python-dependencies group (#407)
  • 2d128b7 build(deps): bump github/codeql-action in the actions group (#405)
  • 06882d3 build(deps): bump the python-dependencies group with 3 updates (#406)
  • bab6f77 build(deps): bump the actions group across 1 directory with 3 updates (#403)
  • f98c429 build(deps): bump securesystemslib in the python-dependencies group (#404)
  • db9196e build(deps): bump the python-dependencies group across 1 directory with 3 upd...
  • 839093d build(deps): bump certifi from 2026.4.22 to 2026.5.20 in the python-dependenc...
  • d9df9da build(deps): bump ast-serialize in the python-dependencies group (#397)
  • 2f7a761 build(deps): bump github/codeql-action in the actions group (#395)
  • Additional commits viewable in compare view

Updates astral-sh/setup-uv from 5 to 7

Release notes

Sourced from astral-sh/setup-uv's releases.

v7.2.1 🌈 update known checksums up to 0.9.28

Changes

🧰 Maintenance

📚 Documentation

⬆️ Dependency updates

v7.0.0 🌈 node24 and a lot of bugfixes

Changes

This release comes with a load of bug fixes and a speed up. Because of switching from node20 to node24 it is also a breaking change. If you are running on GitHub hosted runners this will just work, if you are using self-hosted runners make sure, that your runners are up to date. If you followed the normal installation instructions your self-hosted runner will keep itself updated.

This release also removes the deprecated input server-url which was used to download uv releases from a different server. The manifest-file input supersedes that functionality by adding a flexible way to define available versions and where they should be downloaded from.

Fixes

  • The action now respects when the environment variable UV_CACHE_DIR is already set and does not overwrite it. It now also finds cache-dir settings in config files if you set them.
  • Some users encountered problems that cache pruning took forever because they had some uv processes running in the background. Starting with uv version 0.8.24 this action uses uv cache prune --ci --force to ignore the running processes
  • If you just want to install uv but not have it available in path, this action now respects UV_NO_MODIFY_PATH
  • Some other actions also set the env var UV_CACHE_DIR. This action can now deal with that but as this could lead to unwanted behavior in some edgecases a warning is now displayed.

Improvements

If you are using minimum version specifiers for the version of uv to install for example

[tool.uv]
required-version = ">=0.8.17"

This action now detects that and directly uses the latest version. Previously it would download all available releases from the uv repo to determine the highest matching candidate for the version specifier, which took much more time.

If you are using other specifiers like 0.8.x this action still needs to download all available releases because the specifier defines an upper bound (not 0.9.0 or later) and "latest" would possibly not satisfy that.

🚨 Breaking changes

... (truncated)

Commits
  • 37802ad Fetch uv from Astral's mirror by default (#809)
  • 9f00d18 chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 (#808)
  • fd8f376 Switch to ESM for source and test, use CommonJS for dist (#806)
  • f9070de Bump deps (#805)
  • cadb67b chore: update known checksums for 0.10.10 (#804)
  • e06108d Use astral-sh/versions as primary version provider (#802)
  • 0f6ec07 docs: replace copilot instructions with AGENTS.md (#794)
  • 821e5c9 docs: add cross-client dependabot rollup skill (#793)
  • 6ee6290 chore(deps): bump versions (#792)
  • 9f332a1 Add riscv64 architecture support to platform detection (#791)
  • Additional commits viewable in compare view

@dependabot @github

dependabot Bot commented on behalf of github Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Dependency updates label Jun 25, 2026
@dependabot dependabot Bot requested a review from kovtcharov-amd as a code owner June 25, 2026 20:39
@dependabot dependabot Bot added the dependencies Dependency updates label Jun 25, 2026
@github-actions github-actions Bot added devops DevOps/infrastructure changes security Security-sensitive changes cpp labels Jun 25, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/github-actions-573a976318 branch 3 times, most recently from b552ede to d127bd6 Compare June 29, 2026 16:51
…updates

Bumps the github-actions group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4` | `7` |
| [actions/cache](https://github.com/actions/cache) | `5` | `6` |
| [actions/setup-node](https://github.com/actions/setup-node) | `4` | `6` |
| [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) | `1.0.140` | `1.0.165` |
| [sigstore/gh-action-sigstore-python](https://github.com/sigstore/gh-action-sigstore-python) | `3.3.0` | `3.4.0` |
| [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `5` | `7` |



Updates `actions/checkout` from 4 to 7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v7)

Updates `actions/cache` from 5 to 6
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v5...v6)

Updates `actions/setup-node` from 4 to 6
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v6)

Updates `anthropics/claude-code-action` from 1.0.140 to 1.0.165
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@fbda2eb...558b1d6)

Updates `sigstore/gh-action-sigstore-python` from 3.3.0 to 3.4.0
- [Release notes](https://github.com/sigstore/gh-action-sigstore-python/releases)
- [Changelog](https://github.com/sigstore/gh-action-sigstore-python/blob/main/CHANGELOG.md)
- [Commits](sigstore/gh-action-sigstore-python@v3.3.0...v3.4.0)

Updates `astral-sh/setup-uv` from 5 to 7
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@v5...v7)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.157
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: astral-sh/setup-uv
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: sigstore/gh-action-sigstore-python
  dependency-version: 3.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@itomek

itomek commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

All six action bumps check out as safe for how this repo uses them, and all nine red checks are pre-existing on main (or by-design placeholders) — none is caused by this PR.

Action Bump Assessment
actions/checkout v6 → v7 (major) Only breaking change restricts fork-PR checkout on pull_request_target/workflow_run; the repo's two pull_request_target workflows (auto-label, dependabot-automerge) never call checkout
actions/cache (+ /save, /restore) v5 → v6 (major) ESM-migration release only — no input/output/semantics change
astral-sh/setup-uv v5 → v7 (major) node24 runtime is a no-op on hosted runners; the removed server-url input is unused in this repo
anthropics/claude-code-action v1.0.140 → v1.0.165 patch
sigstore/gh-action-sigstore-python v3.3.0 → v3.4.0 minor
🔍 Failing-check triage (all verified against main baselines, with runs)

Verified by reading each bump's release notes against actual usage across the 52 workflows, plus per-check log comparison between this PR's runs and main's most recent runs of the same workflows.

@itomek itomek left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All six bumps verified against release notes and repo usage; every red check is pre-existing on main (triage in the comment above, fixes in #1926/#1927).

itomek pushed a commit that referenced this pull request Jul 6, 2026
The BUNDLED_UV_SHA256["mac-arm64"] pin captured a post-codesign digest,
but electron-builder ad-hoc-signs the bundled uv on every CI build (no
Developer ID cert configured), and ad-hoc codesign output depends on the
codesign/Xcode toolchain baked into the GitHub-hosted macos-latest runner
image. That image floats between macos-15-arm64 and macos-26-arm64,
producing two different digests for byte-identical source — confirmed
across dmg-structural-smoke runs on PRs #1861, #1886, and #1926. A fixed
pin is therefore not deterministic on macOS: it fails roughly half of CI
runs, and a shipped DMG whose signing output mismatches the baked-in pin
would hard-fail ensureUv() on a user's first launch.

Replace the fixed digest with `codesign --verify --strict` in both
ensureUv() (runtime) and the dmg-structural-smoke helper (CI), matching
the check to what's actually deterministic: the signature's structural
validity, not its exact bytes. Ad-hoc signatures pass this check;
tampered or corrupted binaries still fail it, preserving the fail-loud
guarantee. linux-x64/win-x64 keep their existing SHA256 pins, which are
genuinely deterministic there (no post-build re-signing).
pull Bot pushed a commit to bhardwajRahul/gaia that referenced this pull request Jul 6, 2026
…sign SHA pin (amd#1926)

The "DMG structural smoke" check fails on roughly half of CI runs —
including Dependabot PRs amd#1861 and amd#1886 — and, worse, any shipped DMG
built on the "other" runner image would hard-fail `ensureUv()` on a
user's first launch. Root cause: `BUNDLED_UV_SHA256["mac-arm64"]` pins
the POST-codesign digest of the bundled uv, but every CI build
ad-hoc-signs it (`identity=-`), and ad-hoc codesign output differs by
the Xcode/codesign toolchain in the floating `macos-latest` image.
Observed bimodal digests on byte-identical source: `macos-26-arm64`
images → `7ad94b65…`, `macos-15-arm64` → `6099aa8c…`. No fixed pin can
survive an image rollover.

This replaces the mac pin with `codesign --verify --strict` in both
`ensureUv()` (runtime: bundled resource, install, and warm-cache paths)
and the dmg-structural-smoke helper — deterministic across runner
images, still fail-loud with the same actionable `InstallError` on
corruption or tampering. linux-x64 / win-x64 keep their SHA256 pins
(deterministic there — no post-build re-signing). Supply-chain integrity
for the mac binary remains enforced at build time by the existing
upstream-tarball SHA256 verification in build-installers.yml.

**Reviewer tradeoff to weigh:** `codesign --verify` proves the binary is
intact and validly signed, but unlike the old pin it does not tie the
warm-cached copy in `~/.gaia/bin` to the exact shipped bytes (a local
attacker able to replace the file could re-sign ad-hoc). If that
matters, a follow-up could record the install-time digest and re-verify
it on cache reuse (TOFU) — kept out of scope here to fix the
release-breaking nondeterminism first.

## Test plan
- [x] Empirical codesign behavior: ad-hoc-signed binary passes `--verify
--strict`; byte-flipped binary fails with "invalid signature" (scratch
harness against the real `ensureUv()` code path — first-install,
warm-cache reuse, and tamper/fail-loud paths all verified)
- [x] `node --check` on all touched files; `tests/electron` jest suite
626/627 (the 1 failure is the pre-existing title assertion, fixed
separately in amd#1927)
- [x] "DMG structural smoke" green on this PR's build-installers run —
this exercises the new verification against a real CI-built DMG, on
whichever runner image the job lands

Co-authored-by: Tomasz Iniewicz <tomasz@iniewicz.com>
pull Bot pushed a commit to bhardwajRahul/gaia that referenced this pull request Jul 6, 2026
…md#1927)

"Test Electron Framework" has been red on main and every PR since
2026-06-22: amd#1750 renamed the Agent UI window title to "GAIA Agent UI",
but `test_electron_chat_app.js` still expects `<title>GAIA</title>`.
This aligns the assertion with the actual title — the same suite already
asserts `displayName: 'GAIA Agent UI'`, so the rename was clearly
intentional. Unblocks the check on Dependabot PRs amd#1803, amd#1805, amd#1861
among others.

## Test plan
- [x] `npx jest test_electron_chat_app.js` locally: 196/196 pass with
the fix (previously 195/196)
- [ ] "Test Electron Framework" green on this PR

Co-authored-by: Tomasz Iniewicz <tomasz@iniewicz.com>
@itomek itomek added this pull request to the merge queue Jul 6, 2026
Merged via the queue into main with commit 7e14797 Jul 6, 2026
74 of 82 checks passed
@itomek itomek deleted the dependabot/github_actions/github-actions-573a976318 branch July 6, 2026 19:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

cpp dependencies Dependency updates devops DevOps/infrastructure changes security Security-sensitive changes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant