Skip to content

Update github actions (main) (patch)#3338

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-patch-github-actions
Open

Update github actions (main) (patch)#3338
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-patch-github-actions

Conversation

@renovate

@renovate renovate Bot commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
actions/cache action patch v5.0.4v5.0.5
actions/checkout action patch v6.0.2v6.0.3
codecov/codecov-action action patch v5.5.4v5.5.5
peter-evans/create-pull-request action patch v8.1.0v8.1.1

Release Notes

actions/cache (actions/cache)

v5.0.5

Compare Source

What's Changed

Full Changelog: actions/cache@v5...v5.0.5

actions/checkout (actions/checkout)

v6.0.3

Compare Source

codecov/codecov-action (codecov/codecov-action)

v5.5.5

Compare Source

This release only contains the keybase.io change as described here.

Full Changelog: codecov/codecov-action@v5.5.4...v5.5.5

peter-evans/create-pull-request (peter-evans/create-pull-request)

v8.1.1: Create Pull Request v8.1.1

Compare Source

What's Changed

Full Changelog: peter-evans/create-pull-request@v8.1.0...v8.1.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:03 AM UTC · Completed 1:09 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 14, 2026

Copy link
Copy Markdown

Review — ✅ Approve

PR: #3338 — Update github actions (main) (patch)
Author: renovate[bot]
Verdict: Approve — no findings

Summary

Routine Renovate patch-level bump of four GitHub Actions across six workflow files:

Action Old Version New Version
actions/cache v5.0.4 v5.0.5
actions/checkout v6.0.2 v6.0.3
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Review dimensions

Dimension Result
Correctness ✅ All SHA pins consistently updated across all 21 occurrences. Each old SHA is fully replaced with the correct new SHA. No occurrences missed.
Security ✅ No permissions, secrets, or trigger changes. All actions remain pinned to full 40-character commit SHAs with version comments. SHA-to-tag mappings verified against upstream repos.
Intent & coherence ✅ Mechanical dependency bump by Renovate bot. Authorization implicit from automated tooling.
Style & conventions ✅ Value-only changes follow existing action@SHA # vX.Y.Z pin format consistently.
Documentation ✅ No code behavior changes; no documentation impact.
Cross-repo contracts ⏭ Skipped — no exported interfaces or APIs modified.

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml

Labels: PR updates GitHub Actions workflow dependencies

Previous run

Review — Approve ✅

PR: #3338 — Update github actions (main) (patch)
Author: renovate[bot]
Head SHA: 5f7063c7b1f72089e1e3446c66cf34275553dc9d

Summary

Automated Renovate patch-level update of four GitHub Actions across six workflow files. All changes are symmetric SHA-pin replacements with matching version comments — no workflow logic, step ordering, or configuration changes.

Actions Updated

Action Old Version New Version SHA Verified
actions/checkout v6.0.2 v6.0.3
actions/cache v5.0.4 v5.0.5
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Verification Performed

  • SHA authenticity: All four new commit SHA pins were verified against upstream GitHub tag refs (dereferencing annotated tags where applicable). Each SHA resolves to the claimed version tag.
  • Coverage completeness: Searched all workflow files under .github/workflows/ for old SHA references. All 21 occurrences of old pins are replaced — zero stale references remain.
  • No logic changes: The diff is strictly oldsha → newsha and # vOLD → # vNEW on each uses: line. No steps were added, removed, reordered, or reconfigured.
  • Supply chain posture: The project correctly pins actions by full commit SHA with version comments, which is a supply chain security best practice. This PR maintains that discipline.

Findings

No findings at or above the reporting threshold.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (2)

Review — ✅ Approve

PR: #3338 — Update github actions (main) (patch)
Author: renovate[bot]
Scope: 6 GitHub Actions workflow files (patch-level dependency updates)

Summary

This is an automated Renovate PR that bumps four GitHub Actions to their latest patch versions:

Action Old Version New Version SHA Verified
actions/cache v5.0.4 v5.0.5
actions/checkout v6.0.2 v6.0.3
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Verification

  • SHA pin integrity: All four commit SHA pins were verified against the upstream repositories' tag references. Each pin resolves to the correct tagged release.
  • Consistency: Each action's SHA is updated consistently across all workflow files that reference it (e.g., actions/checkout updated identically in all 6 workflows).
  • Scope: Every changed line is a uses: directive — no workflow logic, permissions, step additions, environment variables, or secrets were modified.
  • Release notes: All upstream changes are routine maintenance (dependency bumps, bug fixes for SHA-256 repos, keybase.io changes, retry logic improvements).

Assessment

Pure mechanical patch-level version bumps with verified SHA pins. No behavioral or security-relevant changes to the workflows themselves.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (3)

Review — Approve

PR: #3338 — Update github actions (main) (patch)
Author: renovate[bot]
Scope: 6 workflow files, 21 additions / 21 deletions

Summary

Automated Renovate patch-version bumps for four GitHub Actions:

Action Old Version New Version SHA Verified
actions/cache v5.0.4 v5.0.5
actions/checkout v6.0.2 v6.0.3
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Verification

  • SHA integrity: All four new commit-pin SHAs were verified against the upstream repositories by resolving the version tags (including annotated tag dereferencing) to their commit objects. Every SHA in the diff matches the corresponding upstream release.
  • Old SHA integrity: The old SHAs in the removed lines were also verified to match the prior version tags.
  • Scope: Changes are strictly limited to uses: action references and their version comments in .github/workflows/ YAML files. No workflow logic, permissions, environment variables, secrets access, or step configuration was altered.
  • Actions provenance: All four actions (actions/cache, actions/checkout, codecov/codecov-action, peter-evans/create-pull-request) are well-known, widely-used GitHub Actions from trusted maintainers.

Affected Workflows

  • checks-codecov.yaml — 11 pin updates (checkout, cache, codecov-action)
  • codeql.yaml — 2 pin updates (checkout, cache)
  • lint.yaml — 2 pin updates (checkout, cache)
  • release.yaml — 2 pin updates (checkout, cache)
  • scorecard.yml — 1 pin update (checkout)
  • update-go-containerregistry.yaml — 3 pin updates (checkout, cache, create-pull-request)

Assessment

This is a routine, low-risk dependency update. All changes are mechanical pin-hash updates generated by Renovate with no behavioral impact on workflow execution. The upstream release notes confirm these are minor fixes (dependency bumps, SHA-256 repo support, keybase.io change, retry logic improvement).

No findings.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (4)

Review — Approve ✅

Verdict: approve
Findings: none

Summary

This is a standard Renovate automated patch-version bump of four GitHub Actions dependencies across six workflow files:

Action Old Version New Version
actions/cache v5.0.4 v5.0.5
actions/checkout v6.0.2 v6.0.3
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Analysis

Correctness: All 21 changes are mechanical 1:1 commit-SHA pin replacements with matching version comments. Every occurrence of each action across all workflow files is updated consistently — no stale pins remain. No workflow logic, step configuration, environment variables, or action inputs are modified.

Security: The repository follows the recommended practice of pinning GitHub Actions to full commit SHAs (rather than mutable tags). This PR maintains that convention, updating each SHA to match the new patch release. All four actions are well-known, widely used first-party or popular community actions.

Scope & intent: The PR is appropriately scoped to a single Renovate grouping (patch-level GitHub Actions updates for the main branch). No unrelated changes are included.

Style & conventions: The existing uses: action@sha # vX.Y.Z comment convention is preserved throughout.

Documentation: No documentation updates are needed for CI dependency version bumps.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (5)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 modified files are under the .github/ protected path. This PR has no linked issue providing explicit authorization for modifying governance/infrastructure files. While renovate.json is configured in the repository and the author is renovate[bot], human approval is required for all protected-path changes. Affected files: checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml.
    Remediation: A maintainer should verify the commit SHAs correspond to the claimed patch versions (v6.0.3, v5.0.5, v5.5.5, v8.1.1) and approve.
Previous run (6)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 modified files are under the protected .github/ path. This PR has no linked issue providing justification for modifying governance/infrastructure files. While the changes are mechanical Renovate patch updates to GitHub Actions (actions/cache v5.0.4→v5.0.5, actions/checkout v6.0.2→v6.0.3, codecov/codecov-action v5.5.4→v5.5.5, peter-evans/create-pull-request v8.1.0→v8.1.1), human approval is required for protected-path changes.
    Remediation: A human reviewer should verify the version bumps and approve. All SHA pins have been verified against upstream release tags.
Previous run (7)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 changed files are under the .github/ protected path (checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml). This PR has no linked issue authorizing changes to governance/infrastructure files. While the changes are mechanical Renovate patch-version bumps of GitHub Actions (actions/checkout v6.0.2→v6.0.3, actions/cache v5.0.4→v5.0.5, codecov/codecov-action v5.5.4→v5.5.5, peter-evans/create-pull-request v8.1.0→v8.1.1) and pose no code-level risk, human approval is required for all .github/ modifications per repository policy.

Labels: PR exclusively modifies GitHub Actions workflow files with Renovate-managed version bumps.

Previous run (8)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 modified files are under .github/, which is a protected path requiring human approval. The PR has no linked issue providing authorization for modifying governance/infrastructure files. Affected files: .github/workflows/checks-codecov.yaml, .github/workflows/codeql.yaml, .github/workflows/lint.yaml, .github/workflows/release.yaml, .github/workflows/scorecard.yml, .github/workflows/update-go-containerregistry.yaml.
    Remediation: A human maintainer must review and approve this CI dependency update. The code changes themselves (patch-level GitHub Actions version bumps by Renovate bot) are mechanically correct with no correctness or security findings.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 unavailable on this deployment. Given this is a mechanical version-bump PR, no style findings were expected.
Previous run (9)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 changed files are under the .github/ protected path. This PR has no linked issue providing explicit authorization for modifying governance/infrastructure files. Modified protected files: .github/workflows/checks-codecov.yaml, .github/workflows/codeql.yaml, .github/workflows/lint.yaml, .github/workflows/release.yaml, .github/workflows/scorecard.yml, .github/workflows/update-go-containerregistry.yaml. Human approval is required for all protected-path changes regardless of context.
    Remediation: A repository maintainer should review and approve these workflow changes directly. Consider linking a tracking issue to provide authorization context for future Renovate workflow updates.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available on the deployment. This is a mechanical version-bump PR with no style surface area, so impact is negligible.

  • [sub-agent-failure] N/A — The intent-coherence sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available on the deployment. For a mechanical Renovate patch-bump PR, scope authorization is implicit from the automated nature of the change.

Previous run (10)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 files modified in this PR are under the .github/ protected path (checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml). The PR has no linked issue providing explicit authorization for modifying governance/infrastructure files. Human approval is always required for protected-path changes.
    Remediation: A human maintainer should review and approve these workflow changes. While the changes are routine Renovate patch version bumps for GitHub Actions (actions/cache v5.0.4→v5.0.5, actions/checkout v6.0.2→v6.0.3, codecov/codecov-action v5.5.4→v5.5.5, peter-evans/create-pull-request v8.1.0→v8.1.1), protected-path policy requires explicit human sign-off.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model not available on the deployment. Given the mechanical nature of this diff (value-only SHA and version comment updates), no style findings are expected.
Previous run (11)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 changed files are under the .github/ protected path: checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml. This PR has no linked issue justifying the modification of governance/infrastructure files. Human approval is required for all changes to protected paths, regardless of whether the changes are automated dependency bumps.
    Remediation: A maintainer should verify that the updated commit SHAs correspond to the expected patch releases (actions/cache v5.0.5, actions/checkout v6.0.3, codecov/codecov-action v5.5.5, peter-evans/create-pull-request v8.1.1) and approve.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available on the deployment. Given the mechanical nature of this version-bump PR, no style findings are expected.

fullsend-ai-review[bot]

This comment was marked as outdated.

@codecov

codecov Bot commented Jun 14, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 53.61% <ø> (ø)
generative 17.18% <ø> (ø)
integration 28.36% <ø> (ø)
unit 71.74% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from a498b34 to 2ed129f Compare June 17, 2026 13:09
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 17, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:11 PM UTC · Completed 1:17 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 2ed129f to 29b3eba Compare June 17, 2026 18:49
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 17, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 6:51 PM UTC · Completed 6:57 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 29b3eba to a1895a9 Compare June 22, 2026 13:42
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 22, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:44 PM UTC · Completed 1:50 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from a1895a9 to 939a4df Compare June 26, 2026 20:27
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 26, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:30 PM UTC · Completed 8:37 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added the github_actions Pull requests that update GitHub Actions code label Jun 26, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 939a4df to 2ca9be4 Compare July 1, 2026 14:36
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 1, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 2:39 PM UTC · Completed 2:47 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 2ca9be4 to 0ea6d2d Compare July 1, 2026 19:50
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 1, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 7:53 PM UTC · Completed 8:01 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 0ea6d2d to ff4bdab Compare July 6, 2026 09:40
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 6, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 9:43 AM UTC · Completed 9:46 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot dismissed their stale review July 6, 2026 09:46

Superseded by updated review

@fullsend-ai-review fullsend-ai-review Bot dismissed stale reviews from themself July 6, 2026 09:46

Superseded by updated review

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label Jul 6, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from ff4bdab to 40a32c4 Compare July 6, 2026 12:58
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 6, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:03 PM UTC · Completed 1:06 PM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 6, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch 2 times, most recently from 9158177 to 00c955c Compare July 8, 2026 09:39
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 8, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 9:40 AM UTC · Completed 9:44 AM UTC
Commit: 7c8ccca · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 8, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 00c955c to 5f7063c Compare July 8, 2026 14:40
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 8, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 2:41 PM UTC · Completed 2:44 PM UTC
Commit: 7c8ccca · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 8, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 5f7063c to 8890028 Compare July 8, 2026 15:30
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 8, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 3:31 PM UTC · Completed 3:37 PM UTC
Commit: 8f05d87 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

github_actions Pull requests that update GitHub Actions code main renovate requires-manual-review Review requires human judgment size: S

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants