Skip to content

[action] Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1#154

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/peter-evans/create-pull-request-8.1.1
Open

[action] Bump peter-evans/create-pull-request from 8.1.0 to 8.1.1#154
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/peter-evans/create-pull-request-8.1.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Bumps peter-evans/create-pull-request from 8.1.0 to 8.1.1.

Release notes

Sourced from peter-evans/create-pull-request's releases.

Create Pull Request v8.1.1

What's Changed

Full Changelog: peter-evans/create-pull-request@v8.1.0...v8.1.1

Commits
  • 5f6978f fix: retry post-creation API calls on 422 eventual consistency errors (#4356)
  • d32e88d build(deps-dev): bump the npm group with 3 updates (#4349)
  • 8170bcc build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 (#4344)
  • 0041819 build(deps): bump picomatch (#4339)
  • b993918 build(deps-dev): bump flatted from 3.3.1 to 3.4.2 (#4334)
  • 36d7c84 build(deps-dev): bump undici from 6.23.0 to 6.24.0 (#4328)
  • a45d1fb build(deps): bump @​tootallnate/once and jest-environment-jsdom (#4323)
  • 3499eb6 build(deps): bump the github-actions group with 2 updates (#4316)
  • 3f3b473 build(deps): bump minimatch (#4311)
  • 6699836 build(deps-dev): bump the npm group with 2 updates (#4305)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 8.1.0 to 8.1.1.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](peter-evans/create-pull-request@v8.1.0...v8.1.1)

---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
  dependency-version: 8.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 7, 2026
@dependabot dependabot Bot requested a review from rasa as a code owner July 7, 2026 15:02
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 7, 2026
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

⚠️MegaLinter analysis: Success with warnings

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ ACTION actionlint 1 0 0 0.2s
⚠️ ACTION zizmor 1 1 15 0 1.55s
⚠️ COPYPASTE jscpd yes 6 no 1.55s
✅ EDITORCONFIG editorconfig-checker 1 0 0 0.03s
✅ REPOSITORY betterleaks yes no no 0.97s
✅ REPOSITORY checkov yes no no 18.69s
⚠️ REPOSITORY devskim yes 118 68 15.15s
✅ REPOSITORY dustilock yes no no 0.63s
✅ REPOSITORY gitleaks yes no no 2.28s
✅ REPOSITORY git_diff yes no no 0.01s
✅ REPOSITORY grype yes no no 49.75s
✅ REPOSITORY kingfisher yes no no 7.9s
⚠️ REPOSITORY osv-scanner yes 5 no 1.82s
✅ REPOSITORY secretlint yes no no 1.3s
✅ REPOSITORY syft yes no no 2.43s
✅ REPOSITORY trivy yes no no 12.65s
✅ REPOSITORY trivy-sbom yes no no 0.22s
✅ REPOSITORY trufflehog yes no no 4.26s
✅ SPELL cspell 2 0 0 4.04s
⚠️ SPELL lychee 1 2 0 0.66s
✅ YAML prettier 1 1 0 0 1.66s
✅ YAML v8r 1 0 0 2.95s
✅ YAML yamllint 1 0 0 0.55s

Detailed Issues

⚠️ REPOSITORY / devskim - 118 errors
SkimConfidence":"High"},"level":"warning"},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/pfm2afm.json"},"region":{"startLine":6,"startColumn":12,"endLine":6,"endColumn":78,"charOffset":222,"charLength":66,"snippet":{"text":"\"b6582404f57010e8a000c1fd6b9ec6100016588a15c629ac615834c0125d132e\"","rendered":{"text":"\"b6582404f57010e8a000c1fd6b9ec6100016588a15c629ac615834c0125d132e\"","markdown":"`\"b6582404f57010e8a000c1fd6b9ec6100016588a15c629ac615834c0125d132e\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/path-set.json"},"region":{"startLine":7,"startColumn":12,"endLine":7,"endColumn":78,"charOffset":276,"charLength":66,"snippet":{"text":"\"765a7b7c947616237935179517bf42887ca21e60367ed22c4dabae3b10bfd0d4\"","rendered":{"text":"\"765a7b7c947616237935179517bf42887ca21e60367ed22c4dabae3b10bfd0d4\"","markdown":"`\"765a7b7c947616237935179517bf42887ca21e60367ed22c4dabae3b10bfd0d4\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/android-messages.json"},"region":{"startLine":8,"startColumn":20,"endLine":8,"endColumn":86,"charOffset":369,"charLength":66,"snippet":{"text":"\"06531c1c55351094bcd1df60724c96c9ed44dbbe39663a244899fcbccb1956e8\"","rendered":{"text":"\"06531c1c55351094bcd1df60724c96c9ed44dbbe39663a244899fcbccb1956e8\"","markdown":"`\"06531c1c55351094bcd1df60724c96c9ed44dbbe39663a244899fcbccb1956e8\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/vvv.json"},"region":{"startLine":7,"startColumn":12,"endLine":7,"endColumn":78,"charOffset":356,"charLength":66,"snippet":{"text":"\"2739acb5f0051f676941bb1e9f622ade04cb14d171e3cc6509bc0099c285e7cf\"","rendered":{"text":"\"2739acb5f0051f676941bb1e9f622ade04cb14d171e3cc6509bc0099c285e7cf\"","markdown":"`\"2739acb5f0051f676941bb1e9f622ade04cb14d171e3cc6509bc0099c285e7cf\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/wizmo.json"},"region":{"startLine":7,"startColumn":12,"endLine":7,"endColumn":78,"charOffset":239,"charLength":66,"snippet":{"text":"\"7b0b47f936d24686de461bea05a9480179035a5b2b23a74167a7728e95922d5d\"","rendered":{"text":"\"7b0b47f936d24686de461bea05a9480179035a5b2b23a74167a7728e95922d5d\"","markdown":"`\"7b0b47f936d24686de461bea05a9480179035a5b2b23a74167a7728e95922d5d\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/gifsicle.json"},"region":{"startLine":15,"startColumn":20,"endLine":15,"endColumn":86,"charOffset":633,"charLength":66,"snippet":{"text":"\"7e47dd0bfd5ee47f911464c57faeed89a8709a7625dd1c449b16579889539ee8\"","rendered":{"text":"\"7e47dd0bfd5ee47f911464c57faeed89a8709a7625dd1c449b16579889539ee8\"","markdown":"`\"7e47dd0bfd5ee47f911464c57faeed89a8709a7625dd1c449b16579889539ee8\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/gifsicle.json"},"region":{"startLine":10,"startColumn":20,"endLine":10,"endColumn":86,"charOffset":371,"charLength":66,"snippet":{"text":"\"f31464e334b9fb83d4dc60a25bde7cfa35829564bc378c40f0d3c6350910256c\"","rendered":{"text":"\"f31464e334b9fb83d4dc60a25bde7cfa35829564bc378c40f0d3c6350910256c\"","markdown":"`\"f31464e334b9fb83d4dc60a25bde7cfa35829564bc378c40f0d3c6350910256c\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/ztree-beta.json"},"region":{"startLine":9,"startColumn":12,"endLine":9,"endColumn":78,"charOffset":350,"charLength":66,"snippet":{"text":"\"f1b533f46ceefd52a285d4f0f5ddcbfada17686eff680525bd1347997d3e1a59\"","rendered":{"text":"\"f1b533f46ceefd52a285d4f0f5ddcbfada17686eff680525bd1347997d3e1a59\"","markdown":"`\"f1b533f46ceefd52a285d4f0f5ddcbfada17686eff680525bd1347997d3e1a59\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/audacity-lame-plugin.json"},"region":{"startLine":14,"startColumn":16,"endLine":14,"endColumn":38,"charOffset":548,"charLength":22,"snippet":{"text":"http://lame.buanzo.org","rendered":{"text":"http://lame.buanzo.org","markdown":"`http://lame.buanzo.org`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/audacity-lame-plugin.json"},"replacements":[{"deletedRegion":{"charOffset":548,"charLength":22},"insertedContent":{"text":"https://lame.buanzo.org"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"},{"ruleId":"DS173237","level":"error","message":{"text":"Do not store tokens or keys in source code."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/audacity-lame-plugin.json"},"region":{"startLine":11,"startColumn":12,"endLine":11,"endColumn":78,"charOffset":363,"charLength":66,"snippet":{"text":"\"2ad66ed683b0074d0381055d387a871cce3c38626fea29ee30710f73cee12356\"","rendered":{"text":"\"2ad66ed683b0074d0381055d387a871cce3c38626fea29ee30710f73cee12356\"","markdown":"`\"2ad66ed683b0074d0381055d387a871cce3c38626fea29ee30710f73cee12356\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}},{"ruleId":"DS137138","message":{"text":"Insecure URL"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"bucket/audacity-lame-plugin.json"},"region":{"startLine":4,"startColumn":17,"endLine":4,"endColumn":39,"charOffset":93,"charLength":22,"snippet":{"text":"http://lame.buanzo.org","rendered":{"text":"http://lame.buanzo.org","markdown":"`http://lame.buanzo.org`"}},"sourceLanguage":"json"}}}],"fixes":[{"description":{"text":"An HTTP-based URL without TLS was detected."},"artifactChanges":[{"artifactLocation":{"uri":"bucket/audacity-lame-plugin.json"},"replacements":[{"deletedRegion":{"charOffset":93,"charLength":22},"insertedContent":{"text":"https://lame.buanzo.org"}}]}]}],"properties":{"tags":["ThreatModel.Integration.HTTP"],"DevSkimSeverity":"Moderate","DevSkimConfidence":"High"},"level":"warning"}],"columnKind":"utf16CodeUnits"}]}

(Truncated to last 8000 characters out of 155660)
⚠️ COPYPASTE / jscpd - 6 errors
Using config from .github/linters/.jscpd.json
Clone found (powershell)
 - bin/checkhashes.ps1 [38:25 - 43:43] (6 lines, 57 tokens)
   bin/checkver.ps1 [56:17 - 61:43]
Clone found (powershell)
 - bin/checkhashes.ps1 [58:1 - 68:50] (11 lines, 61 tokens)
   bin/checkver.ps1 [72:1 - 82:50]
Clone found (powershell)
 - bin/checkurls.ps1 [28:51 - 36:6] (9 lines, 65 tokens)
   bin/checkver.ps1 [52:96 - 60:6]
Clone found (powershell)
 - bin/checkurls.ps1 [28:51 - 35:46] (8 lines, 63 tokens)
   bin/describe.ps1 [9:29 - 16:46]
Clone found (powershell)
 - bin/describe.ps1 [8:33 - 24:67] (17 lines, 120 tokens)
   bin/formatjson.ps1 [7:34 - 23:67]
Clone found (python)
 - jsonfmt.py [19:1 - 29:31] (11 lines, 50 tokens)
   validate.py [26:1 - 36:31]
┌────────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format     │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ ini        │ 2              │ 60          │ 136          │ 0            │ 0 (0.00%)        │ 0 (0.00%)         │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ powershell │ 11             │ 471         │ 3103         │ 5            │ 46 (9.77%)       │ 366 (11.80%)      │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ python     │ 9              │ 1927        │ 8304         │ 1            │ 10 (0.52%)       │ 50 (0.60%)        │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ toml       │ 2              │ 75          │ 276          │ 0            │ 0 (0.00%)        │ 0 (0.00%)         │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ txt        │ 3              │ 275         │ 2699         │ 0            │ 0 (0.00%)        │ 0 (0.00%)         │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total:     │ 27             │ 2808        │ 14518        │ 6            │ 56 (1.99%)       │ 416 (2.87%)       │
└────────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 6 clones.
HTML report saved to megalinter-reports/copy-paste/jscpd-report.html
ERROR: jscpd found too many duplicates (2.0%) over threshold (0.5%)
time: 63.626ms
⚠️ SPELL / lychee - 2 errors
📝 Summary
---------------------
🔍 Total............4
🔗 Unique...........4
✅ Successful.......1
⏳ Timeouts.........0
🔀 Redirected.......1
👻 Excluded.........1
❓ Unknown..........0
🚫 Errors...........2
⛔ Unsupported......2

Errors in .github/workflows/mega-linter.yml
[404] https://megalinter.io/configuration/ (at 123:11) | Rejected status code: 404 Not Found
[404] https://megalinter.io/flavors/ (at 117:24) | Rejected status code: 404 Not Found

Hint: Followed 1 redirect. You might want to consider replacing redirecting URLs with the resolved URLs. Use verbose mode (`-v`/`-vv`) to see redirection details.
Hint: You can configure accepted/rejected response codes with `-a` or `--accept`
⚠️ REPOSITORY / osv-scanner - 5 errors
Scanning dir .
Starting filesystem walk for root: /
Scanned requirements.txt file and found 5 packages
End status: 38 dirs visited, 274 inodes visited, 1 Extract calls, 5.372001ms elapsed, 5.372171ms wall time

Total 1 package affected by 5 known vulnerabilities (0 Critical, 1 High, 4 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
5 vulnerabilities can be fixed.

+-------------------------------------+------+-----------+----------+---------+---------------+------------------+
| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE  | VERSION | FIXED VERSION | SOURCE           |
+-------------------------------------+------+-----------+----------+---------+---------------+------------------+
| https://osv.dev/PYSEC-2018-28       | 7.5  | PyPI      | requests | 2.9.2   | 2.20.0        | requirements.txt |
| https://osv.dev/GHSA-x84v-xcm2-53pg |      |           |          |         |               |                  |
| https://osv.dev/PYSEC-2023-74       | 6.1  | PyPI      | requests | 2.9.2   | 2.31.0        | requirements.txt |
| https://osv.dev/GHSA-j8r2-6x86-q33q |      |           |          |         |               |                  |
| https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3  | PyPI      | requests | 2.9.2   | 2.32.4        | requirements.txt |
| https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6  | PyPI      | requests | 2.9.2   | 2.32.0        | requirements.txt |
| https://osv.dev/GHSA-gc5v-m9x4-r6x2 | 4.4  | PyPI      | requests | 2.9.2   | 2.33.0        | requirements.txt |
+-------------------------------------+------+-----------+----------+---------+---------------+------------------+
⚠️ ACTION / zizmor - 15 errors
INFO zizmor: 🌈 zizmor v1.25.0
 INFO audit: zizmor: 🌈 completed .github/workflows/mega-linter.yml
help[artipacked]: credential persistence through GitHub Actions artifacts
   --> .github/workflows/mega-linter.yml:96:9
    |
 96 |         - name: Checkout Code
    |  _________^
 97 | |         uses: actions/checkout@v6 # was v4, changed by @rasa
 98 | |         with:
 99 | |           token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
...   |
106 | |       # <@rasa>
    | |_______________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

help[template-injection]: code injection via template expansion
   --> .github/workflows/mega-linter.yml:110:11
    |
108 |         run: |
    |         --- this run block
109 |           cat <<-EOF
110 |           inputs=${{ toJSON(inputs) }}
    |           ^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> .github/workflows/mega-linter.yml:177:39
    |
175 |         run: |
    |         --- this run block
176 |           cat <<-EOF
177 |           steps.ml.outputs=${{ toJSON(steps.ml.outputs) }}
    |                                       ^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> .github/workflows/mega-linter.yml:224:33
    |
223 |         run: |
    |         --- this run block
224 |           echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}"
    |                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> .github/workflows/mega-linter.yml:225:30
    |
223 |         run: |
    |         --- this run block
224 |           echo "PR Number - ${{ steps.cpr.outputs.pull-request-number }}"
225 |           echo "PR URL - ${{ steps.cpr.outputs.pull-request-url }}"
    |                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/mega-linter.yml:119:15
    |
119 |         uses: oxsecurity/megalinter@v9 # changed from v7 by @rasa
    |               ^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/mega-linter.yml:212:15
    |
212 |         uses: peter-evans/create-pull-request@v8.1.1 # changed from v5 by @rasa
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
   --> .github/workflows/mega-linter.yml:234:15
    |
234 |         uses: stefanzweifel/git-auto-commit-action@v7.1.0 # changed from v4 by @rasa
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

15 findings (7 suppressed, 6 unsafe fixes): 3 informational, 2 low, 0 medium, 3 high
No fixes available to apply (6 held back by safe mode). Use --fix=unsafe or --fix=all to apply unsafe fixes.

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants