Bump the github group with 2 updates #89
Bumps the github group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/github-script](https://github.com/actions/github-script).

Updates `actions/checkout` from 6 to 7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

Updates `actions/github-script` from 8 to 9
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@v8...v9)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github
- dependency-name: actions/github-script
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github
...

Signed-off-by: dependabot[bot] <support@github.com>
rtibblesbot
left a comment
Dependency group bump: actions/checkout 6→7 and actions/github-script 8→9, both major. CI/workflow-action dependency (github-actions ecosystem), effectively production for this repo since these actions drive the reusable workflows.
Breaking changes checked, neither applies:
- `actions/checkout` 6→7 blocks checking out fork PRs under `pull_request_target`/`workflow_run`. None of the touched workflows use those triggers (they're `workflow_call` reusable workflows, or `schedule`/`workflow_dispatch` for `pr-statistics.yml`), and checkout targets this repo directly via explicit `repository`/`ref` inputs — not a fork ref.
- `actions/github-script` 8→9 drops `require('@actions/github')` support and moves `getOctokit` to an injected parameter. `grep -rn "require(['\"]@actions/github['\"]\|getOctokit" ./scripts/*.js` found no matches — scripts only `require()` local files.
Security fixes: none called out in either changelog.
Other notable changes: github-script v9 adds an opt-in getOctokit factory for multi-token workflows — no action needed here.
CI passing, no code changes required. Flagging COMMENT rather than APPROVE given the major-version, CI-critical nature of the bump — worth a human glance before merge even though nothing here blocks it.
@rtibblesbot's comments are generated by an LLM, and should be evaluated accordingly
How was this generated?
Ran a dependency-update review pipeline over the version bump:
- Classified the bump by semver (patch / minor / major) and dependency type (production vs. development)
- Extracted the changelog and release notes across the version range
- Assessed compatibility with this project's usage and whether any code changes are required
- Treated CI as the primary safety net
- Scaled the review depth to the update's risk
- Chose the verdict from semver risk, changelog findings, and CI status
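The two compatibility checks described in the review above (no `actions/checkout` step running under `pull_request_target` or `workflow_run`, and no script still reaching for `require('@actions/github')` or `getOctokit`), written up as a re-runnable shell script. This is an added example, not code from this PR, this repository or either action; the directory layout (`.github/workflows`, `./scripts`), the placeholder repository name and the sample files it constructs are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not code from this PR, the repository, or either action): the two
# compatibility checks the review performed, as re-runnable functions.
#
# 1. actions/checkout v7 blocks checking out fork PRs under pull_request_target and
#    workflow_run, so flag any workflow that combines one of those triggers with an
#    actions/checkout step; a human then confirms the ref is not a fork ref.
# 2. actions/github-script v9 drops require('@actions/github') and moves getOctokit
#    to an injected parameter, so flag scripts that still reach for either name.
# Directory layout (.github/workflows, ./scripts) and the sample files are assumptions.

# Flag workflow files that use pull_request_target or workflow_run AND actions/checkout.
# Prints one line per flagged file; returns 0 if nothing was flagged, 1 otherwise.
check_checkout_triggers() {
  wf_dir="$1"
  flagged=0
  for f in "$wf_dir"/*.yml "$wf_dir"/*.yaml; do
    [ -f "$f" ] || continue
    # Key form ("  pull_request_target:") or inline list form ("on: [workflow_run]").
    if grep -Eq '^[[:space:]]*(pull_request_target|workflow_run)[[:space:]]*:|^on:.*(pull_request_target|workflow_run)' "$f" \
      && grep -Eq 'uses:[[:space:]]*actions/checkout@' "$f"; then
      echo "review: $f checks out under pull_request_target/workflow_run (fork PRs blocked in checkout v7)"
      flagged=1
    fi
  done
  return "$flagged"
}

# Flag JS scripts that still use github-script v8 conventions: the same grep the
# review ran, applied per file. Returns 0 if nothing was flagged, 1 otherwise.
check_github_script_usage() {
  js_dir="$1"
  flagged=0
  for f in "$js_dir"/*.js; do
    [ -f "$f" ] || continue
    if grep -Eq "require\(['\"]@actions/github['\"]\)|getOctokit" "$f"; then
      echo "review: $f uses require('@actions/github') or getOctokit (changed in github-script v9)"
      flagged=1
    fi
  done
  return "$flagged"
}

# Constructed inputs so the example runs offline. They mirror the PR description
# (a reusable workflow with explicit repository/ref inputs, a script that only
# require()s local files) plus one deliberately flagged case of each kind.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/.github/workflows" "$tmp/scripts"
  cat > "$tmp/.github/workflows/reusable.yml" <<'EOF'
on:
  workflow_call:
    inputs:
      ref: { type: string, required: true }
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with:
          repository: example-org/example-repo   # placeholder, not the real repo
          ref: ${{ inputs.ref }}
EOF
  cat > "$tmp/.github/workflows/flagged.yml" <<'EOF'
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
EOF
  printf "const helpers = require('./helpers');\nmodule.exports = async ({ github }) => helpers.run(github);\n" \
    > "$tmp/scripts/ok.js"
  printf "const { getOctokit } = require('@actions/github');\n" > "$tmp/scripts/legacy.js"

  if check_checkout_triggers "$tmp/.github/workflows"; then echo "checkout: nothing flagged"; fi
  if check_github_script_usage "$tmp/scripts"; then echo "github-script: nothing flagged"; fi
  rm -rf "$tmp"
}
demo
```

Run it from the repository root against `.github/workflows` and `./scripts`. A flagged file is a prompt for a human look rather than an automatic failure: a workflow may legitimately check out its own repo under one of those triggers with an explicit non-fork ref, and a script written for v9 will reference the injected `getOctokit` parameter by name.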
Bumps the github group with 2 updates: actions/checkout and actions/github-script.
Updates `actions/checkout` from 6 to 7
Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
- 9c091bb update error wording (#2467)
- 1044a6d getting ready for checkout v7 release (#2464)
- f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
- d914b26 upgrade module to esm and update dependencies (#2463)
- 537c7ef Bump @actions/core and @actions/tool-cache and Remove uuid (#2459)
- 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
- 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
- 0f9f3aa Bump actions/publish-immutable-action (#2458)
- f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)

Updates `actions/github-script` from 8 to 9
Release notes
Sourced from actions/github-script's releases.
Commits
- 3a2844b Merge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...
- ca10bbd fix: use @octokit/core/types import for v7 compatibility
- 86e48e2 merge: incorporate main branch changes
- c108472 chore: rebuild dist for v9 upgrade and getOctokit factory
- afff112 Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...
- ff8117e ci: fix user-agent test to handle orchestration ID
- 81c6b78 ci: use deployment: false to suppress deployment noise from integration tests
- 3953caf docs: update README examples from @v8 to @v9, add getOctokit docs and v9 brea...
- c17d55b ci: add getOctokit integration test job
- a047196 test: add getOctokit integration tests via callAsyncFunction

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions