chore(deps): bump the github-actions group with 3 updates#1759
Conversation
Bumps the github-actions group with 3 updates: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv), [github/codeql-action/init](https://github.com/github/codeql-action) and [github/codeql-action/analyze](https://github.com/github/codeql-action). Updates `astral-sh/setup-uv` from 8.3.1 to 8.3.2 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@f98e069...11f9893) Updates `github/codeql-action/init` from 4.36.3 to 4.37.0 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@54f647b...99df26d) Updates `github/codeql-action/analyze` from 4.36.3 to 4.37.0 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@54f647b...99df26d) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: 8.3.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action/init dependency-version: 4.37.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: github/codeql-action/analyze dependency-version: 4.37.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
LGTM — routine Dependabot bump of pinned GitHub Actions SHAs, no logic changes.
Extended reasoning...
Overview
This PR updates three GitHub Actions workflow files (ci.yml, codeql.yml, release.yml) to bump pinned action SHAs: astral-sh/setup-uv 8.3.1→8.3.2 and github/codeql-action/init and .../analyze 4.36.3→4.37.0. All actions are pinned by full commit SHA with a version comment, and I confirmed each new SHA in the diff matches the version comment claimed (e.g. 11f9893... is tagged v8.3.2 per the linked Dependabot commit list, 99df26d... is tagged v4.37.0). No workflow logic, permissions, triggers, or job structure changed — only the uses: SHA references.
Security risks
None identified. This is exactly the kind of change Dependabot SHA-pinning is meant to make safe: the actions are pinned to immutable commit SHAs rather than mutable tags, so there's no floating-tag risk, and the version bump is a patch/minor release with no reported breaking changes (per the release notes, 4.37.0 only adds an upcoming optional config-file shorthand feature and bumps the default CodeQL bundle).
Level of scrutiny
Low. This is a mechanical, auto-generated dependency bump with no code or logic changes — the correct level of scrutiny is verifying the SHAs are legitimate and correctly pinned, which I did by cross-referencing the diff against the PR description's linked commits.
Other factors
No outstanding review comments on this PR, and no prior reviews from me to reconcile against. The change is self-contained to CI/tooling and does not affect the SDK's runtime behavior.
Bumps the github-actions group with 3 updates: astral-sh/setup-uv, github/codeql-action/init and github/codeql-action/analyze.
Updates
astral-sh/setup-uvfrom 8.3.1 to 8.3.2Commits
11f9893chore: roll up Dependabot updates (#948)f798556docs: update version references to v8.3.1 (#946)e80544dchore: update known checksums for 0.11.28 (#947)Updates
github/codeql-action/initfrom 4.36.3 to 4.37.0Release notes
Sourced from github/codeql-action/init's releases.
Changelog
Sourced from github/codeql-action/init's changelog.
... (truncated)
Commits
99df26dMerge pull request #3996 from github/update-v4.37.0-c7c896d7131c2707Add changenote for #397372df218Update changelog for v4.37.0c7c896dMerge pull request #3995 from github/update-bundle/codeql-bundle-v2.26.03f34ff0Add changelog note43bec09Update default bundle to codeql-bundle-v2.26.0f58f0d1Merge pull request #3973 from github/mbg/repo-props/config-file-shorthands7dc37cbMerge remote-tracking branch 'origin/main' into mbg/repo-props/config-file-sh...8e22350ThreadActionStatetoinitConfig69c9e8cMark somestatus-reportimports astype-only to avoid circular dependenciesUpdates
github/codeql-action/analyzefrom 4.36.3 to 4.37.0Release notes
Sourced from github/codeql-action/analyze's releases.
Changelog
Sourced from github/codeql-action/analyze's changelog.
... (truncated)
Commits
99df26dMerge pull request #3996 from github/update-v4.37.0-c7c896d7131c2707Add changenote for #397372df218Update changelog for v4.37.0c7c896dMerge pull request #3995 from github/update-bundle/codeql-bundle-v2.26.03f34ff0Add changelog note43bec09Update default bundle to codeql-bundle-v2.26.0f58f0d1Merge pull request #3973 from github/mbg/repo-props/config-file-shorthands7dc37cbMerge remote-tracking branch 'origin/main' into mbg/repo-props/config-file-sh...8e22350ThreadActionStatetoinitConfig69c9e8cMark somestatus-reportimports astype-only to avoid circular dependenciesYou can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions