ci(deps): Bump the github-actions group with 2 updates #33
Bumps the github-actions group with 2 updates: [pnpm/action-setup](https://github.com/pnpm/action-setup) and [github/codeql-action](https://github.com/github/codeql-action).

Updates `pnpm/action-setup` from 6.0.3 to 6.0.5
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](pnpm/action-setup@903f9c1...8912a91)

Updates `github/codeql-action` from 4.35.2 to 4.35.3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@95e58e9...e46ed2c)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: 6.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM — Dependabot patch bumps for pnpm/action-setup (6.0.3 → 6.0.5) and github/codeql-action (4.35.2 → 4.35.3), both pinned to commit SHAs.
Extended reasoning...
Overview
The PR updates two GitHub Actions used in CI workflows: pnpm/action-setup from v6.0.3 to v6.0.5 (a patch bump fixing how npm is located/PATH'd during action bootstrap) and github/codeql-action from v4.35.2 to v4.35.3 (a patch bump bringing private-registry config improvements and an updated CodeQL bundle). Only .github/workflows/ci.yml and .github/workflows/codeql.yml are touched; references are pinned by full commit SHA with the version as a trailing comment, matching the repo's existing pinning convention.
Security risks
Both actions are pinned to specific commit SHAs (not floating tags), so the upgrade is reproducible and the supply-chain surface is unchanged from the existing pinning model. Both upstream repositories (pnpm/action-setup, github/codeql-action) are well-known and the changelogs describe non-security-sensitive patch fixes. No workflow permissions, secrets handling, or trigger semantics are modified.
Level of scrutiny
Low. These are minimal, mechanical CI dependency bumps from Dependabot — no application logic, no production code paths, no auth/crypto/permissions touched. The patch bumps carry low blast radius and CI itself will validate them.
Other factors
The bug hunting system found no issues. There are no prior reviews or outstanding comments on the PR. The diff is small (8 line changes total) and entirely within .github/workflows/.
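The review above rests on one property of the touched workflows: every third-party action is referenced by a full commit SHA with the version as a trailing comment. The following script is an added example, not code from this repository or from Dependabot, that checks exactly that property over workflow text using only the standard library. The workflow content, the function names (`check_workflow`, `Finding`) and the 40-character SHAs in the sample are constructed for the example; the sample does not reproduce the PR's real `ci.yml` or `codeql.yml`.

```python
import re
from dataclasses import dataclass

# A step reference line such as:
#   - uses: pnpm/action-setup@<40-hex-sha> # v6.0.5
# Captures the reference and any trailing "# ..." comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Trailing comment must look like a version, e.g. "v6.0.5" or "4.35.3".
VERSION_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")


@dataclass
class Finding:
    line_no: int
    ref: str
    reason: str


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference that is not SHA-pinned
    with a version comment. Local (./...) and docker:// references are
    skipped because they are not pinned by git ref."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        comment = (m.group("comment") or "").strip()
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(line_no, ref, "no ref at all"))
            continue
        _, _, pin = ref.rpartition("@")
        if not FULL_SHA_RE.match(pin):
            # Tags and branches are mutable: the same line can resolve to
            # different code tomorrow.
            findings.append(Finding(line_no, ref, "not pinned to a full commit SHA"))
            continue
        if not VERSION_RE.match(comment):
            # The comment is what lets Dependabot (and humans) see which
            # version a bare SHA corresponds to.
            findings.append(Finding(line_no, ref, "SHA pin has no version comment"))
    return findings


# Constructed sample workflow; SHAs below are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: pnpm/action-setup@v6
      - uses: some-org/some-action@main
      - uses: other-org/other-action@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-helper
      - run: pnpm install
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.ref}: {f.reason}")
```

Run against the constructed sample it flags lines 8 and 9 (tag and branch pins) and line 10 (SHA without a version comment), and accepts line 7, which follows the convention the review describes. Pointing the same function at each file under `.github/workflows/` in a pre-merge check is the natural way to keep that convention from regressing on a future bump.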
| Experiment | Status | Actions |
|---|---|---|
| Uppercase (py) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Uppercase (ts) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (node) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (python) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Regression fixture | ❌ Regression | View GitHub Action Run · View in Langfuse |
Details
Bumps the github-actions group with 2 updates: pnpm/action-setup and github/codeql-action.
Updates `pnpm/action-setup` from 6.0.3 to 6.0.5

Release notes

Sourced from pnpm/action-setup's releases.

Commits

- 8912a91 fix: append (not prepend) action node dir to PATH for npm bootstrap (#241)
- 26f6d4f fix: use npm co-located with the action node binary (#239)

Updates `github/codeql-action` from 4.35.2 to 4.35.3

Release notes
Sourced from github/codeql-action's releases.
Changelog
Sourced from github/codeql-action's changelog.
... (truncated)
Commits

- e46ed2c Merge pull request #3867 from github/update-v4.35.3-8c6e48dbeb73d1d1Add changelog entry for #3853
- 24e0bb0 Reorder changelog entries
- ec298da Update changelog for v4.35.3
- 8c6e48d Merge pull request #3865 from github/update-bundle/codeql-bundle-v2.25.3
- 7190983 Add changelog note
- 2bb2095 Update default bundle to codeql-bundle-v2.25.3
- 7851e55 Merge pull request #3850 from github/mbg/private-registry/cloudsmith-gcp
- 262a15f Add generic non-printable chars test for OIDC configs
- a6109b1 Merge pull request #3853 from github/mbg/start-proxy/improved-checks

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions