chore(deps): bump pinned actions, add Dependabot cooldown#305
Open
data-douser wants to merge 1 commit into
Bump SHA pins for actions under .github/{actions,workflows}/**
to their latest cooldown-compliant release tags:
- actions/setup-node v6.3.0 -> v6.4.0
- actions/setup-go v6.3.0 -> v6.4.0
- actions/setup-java v5.2.0 -> v5.3.0
- actions/setup-dotnet v5.2.0 -> v5.3.0
- actions/cache v5.0.4 -> v5.0.5
- ruby/setup-ruby v1.310 -> v1.313.0
Normalize trailing tag comments to specific versions (e.g.
`# v6` -> `# v6.4.0`) so each pin's tag is unambiguous, and
correct the actions/dependency-review-action comment from `v4`
to `v5.0.0` to match the tag its SHA now resolves to.
Update .github/dependabot.yaml:
- Add `cooldown: { default-days: 7 }` to every ecosystem.
- Add a `gomod` ecosystem entry for /client.
- Group github-actions updates under `all-github-actions`
for parity with the existing `all-npm-dependencies` group.
Verified with `npm run lint`, `npm run format:check`, and
`npm run build-and-test`.
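To make the two hygiene properties this PR targets checkable rather than a matter of eyeballing diffs, here is a small lint script. It is an added example, not tooling from the PR or from the repository: it flags any `uses:` reference that is not pinned to a full 40-hex commit SHA or whose trailing comment is a floating major (`# v6`) rather than a specific release tag (`# v6.4.0`), and it flags any `package-ecosystem` entry in `dependabot.yaml` without a `cooldown` block. The sample workflow and Dependabot fragments are constructed for the example, and the SHAs in them are placeholders, not the real commits of any action.

```python
"""Added example, not part of the PR or the repository's own tooling.

check_action_pins: every third-party `uses:` must be a 40-hex SHA followed
by a comment naming a specific release tag (e.g. `# v6.4.0`, not `# v6`).
check_dependabot_cooldown: every Dependabot `updates` entry must set `cooldown`.
"""
import re
from typing import List

# uses: owner/repo[/subpath]@ref   # comment   (local `./` actions have no `@`
# and are deliberately not matched; they are not SHA-pinned)
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SPECIFIC_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")


def check_action_pins(workflow_text: str) -> List[str]:
    """Return one finding per offending `uses:` line; empty list means clean."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not SHA_RE.match(ref):
            findings.append(f"line {lineno}: {action} pinned to mutable ref '{ref}', not a full SHA")
        elif comment is None:
            findings.append(f"line {lineno}: {action} has no version comment after the SHA")
        elif not SPECIFIC_TAG_RE.match(comment):
            findings.append(f"line {lineno}: {action} comment '{comment}' is not a specific release tag")
    return findings


def check_dependabot_cooldown(dependabot_text: str) -> List[str]:
    """Return one finding per `updates` entry that lacks a `cooldown:` key.

    Line-based scan, sufficient for the flat layout Dependabot configs use;
    it assumes each entry begins with `- package-ecosystem:` (no YAML parser
    dependency needed for the example).
    """
    entries = []
    current = None
    for raw in dependabot_text.splitlines():
        line = raw.strip()
        if line.startswith("- package-ecosystem:"):
            current = {"ecosystem": line.split(":", 1)[1].strip().strip('"'),
                       "directory": "?", "cooldown": False}
            entries.append(current)
        elif current is not None:
            if line.startswith("directory:"):
                current["directory"] = line.split(":", 1)[1].strip().strip('"')
            elif line.startswith("cooldown:"):
                current["cooldown"] = True
    return [f"{e['ecosystem']} ({e['directory']}): no cooldown configured"
            for e in entries if not e["cooldown"]]


# Constructed sample inputs; the SHAs are placeholders.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@0000000000000000000000000000000000000000 # v5.0.0
  - uses: actions/setup-node@1111111111111111111111111111111111111111 # v6
  - uses: actions/cache@v5
  - uses: ./.github/actions/setup-codeql-environment
  - uses: actions/setup-go@2222222222222222222222222222222222222222
"""

SAMPLE_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
    groups:
      all-github-actions:
        patterns: ["*"]
  - package-ecosystem: "gomod"
    directory: "/client"
    schedule:
      interval: "weekly"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
"""

if __name__ == "__main__":
    for finding in check_action_pins(SAMPLE_WORKFLOW) + check_dependabot_cooldown(SAMPLE_DEPENDABOT):
        print(finding)
```

Run against the constructed samples, the pin check reports three lines (a floating `# v6` comment, a mutable `@v5` ref, and a SHA with no comment at all) and the Dependabot check reports the `gomod` entry for `/client` as missing its cooldown; a clean file yields an empty list, which makes either function easy to wire into a CI step that fails on any finding.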
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: none.
Pull request overview
This PR refreshes the repository’s pinned GitHub Actions SHAs (with updated inline version annotations) and tunes Dependabot’s update cadence to reduce PR noise, improving CI supply-chain hygiene and maintenance ergonomics.
Changes:
- Updated pinned GitHub Actions references across workflows and the setup-codeql-environment composite action (e.g., actions/setup-node, actions/cache, artifacts actions, dependency review action).
- Added Dependabot cooldown and broadened grouping for GitHub Actions and Go module updates.
- Applied a consistent Dependabot cooldown to the repo's npm update configuration across multiple directories.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/update-codeql.yml | Updates the pinned actions/setup-node reference/version comment used by the CodeQL update automation. |
| .github/workflows/release.yml | Updates pinned artifact download/upload actions used during the release assembly process. |
| .github/workflows/release-vsix.yml | Updates pinned setup-node and artifact upload action for VSIX release workflow. |
| .github/workflows/release-tag.yml | Updates pinned setup-node action used when creating tags. |
| .github/workflows/release-npm.yml | Updates pinned setup-node and artifact upload action used for npm publishing. |
| .github/workflows/release-codeql.yml | Updates pinned artifact upload action used for publishing CodeQL pack artifacts. |
| .github/workflows/query-unit-tests.yml | Updates pinned setup-node action used by query unit test workflows. |
| .github/workflows/query-unit-tests-swift.yml | Updates pinned setup-node action used by Swift query unit test workflow. |
| .github/workflows/lint-and-format.yml | Updates pinned setup-node action used for lint/format CI. |
| .github/workflows/dependency-review.yml | Updates the pinned dependency review action version annotation. |
| .github/workflows/copilot-setup-steps.yml | Updates pinned setup-node and actions/cache used in Copilot setup workflow. |
| .github/workflows/build-server.yml | Updates pinned setup-node used for server build workflow. |
| .github/workflows/build-and-test-extension.yml | Updates pinned setup-node and actions/cache used for extension build/test workflow. |
| .github/workflows/build-and-test-client.yml | Updates pinned setup-node used for client build/test workflows. |
| .github/dependabot.yaml | Adds cooldown and grouping to reduce Dependabot PR noise across ecosystems/directories. |
| .github/actions/setup-codeql-environment/action.yml | Updates pinned actions for caching and language runtime setup in the composite CodeQL environment action. |
Copilot's findings
- Files reviewed: 16/16 changed files
- Comments generated: 0
This pull request updates the versions of several GitHub Actions used throughout the repository and enhances Dependabot configuration for more efficient dependency management. The main focus is on keeping actions up to date for improved security, stability, and new features, as well as grouping and scheduling dependency updates for easier maintenance.
Key changes:
GitHub Actions Version Updates
- actions/cache to v5.0.5 in multiple workflow and composite action files for improved caching reliability and bug fixes.
- actions/setup-node, actions/setup-python, actions/setup-java, actions/setup-go, actions/setup-dotnet, and ruby/setup-ruby to their latest patch or minor versions to ensure compatibility and receive the latest improvements.
- actions/upload-artifact and actions/download-artifact to the latest patch versions for artifact handling.
- actions/dependency-review-action to v5.0.0 for dependency review workflows.
Dependabot Configuration Improvements
- cooldown periods and grouped updates for the github-actions, gomod, and npm ecosystems to reduce noise and batch updates, making dependency management more manageable.
These updates collectively improve workflow reliability, reduce maintenance overhead, and keep dependencies secure and up to date.