build(deps): bump the github-actions group with 10 updates#1707
build(deps): bump the github-actions group with 10 updates#1707dependabot[bot] wants to merge 1 commit into
Conversation
--- updated-dependencies: - dependency-name: chainguard-dev/actions/boilerplate dependency-version: 1.6.27 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: golang/govulncheck-action dependency-version: 1.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: chainguard-dev/actions/donotsubmit dependency-version: 1.6.27 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: chainguard-dev/actions/setup-kind dependency-version: 1.6.27 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: chainguard-dev/actions/kind-diag dependency-version: 1.6.27 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/stale dependency-version: 10.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: chainguard-dev/actions/gofmt dependency-version: 1.6.27 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: chainguard-dev/actions/goimports dependency-version: 1.6.27 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: chainguard-dev/actions/trailing-space dependency-version: 1.6.27 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: chainguard-dev/actions/eof-newline dependency-version: 1.6.27 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit b0b979d. Configure here.
| check-latest: true | ||
|
|
||
| - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4 | ||
| - uses: golang/govulncheck-action@032d45514ae346b1db93c04b0c90b841c370344f # v1.1.0 |
There was a problem hiding this comment.
Invalid govulncheck action pin
High Severity · Logic Bug
The build.yaml workflow pins golang/govulncheck-action to 032d455... (labeled v1.1.0). This commit/tag does not exist upstream, which causes the Build job to fail when resolving the action and blocks PR CI.
Reviewed by Cursor Bugbot for commit b0b979d. Configure here.
|
|
||
| - name: Setup Cluster | ||
| uses: chainguard-dev/actions/setup-kind@f0be69916b439d0fcced2451b23d0f27cd46d545 # main | ||
| uses: chainguard-dev/actions/setup-kind@4d37df0d85a91f619edc34a8803323033cdcb124 # main |
There was a problem hiding this comment.
Invalid Chainguard actions pin
High Severity · Logic Bug
Eight workflow steps pin chainguard-dev/actions/* to commit 4d37df0…, but that commit does not appear to exist upstream. The previous pin f0be699… still resolves. KinD e2e, style, boilerplate, and donotsubmit jobs would fail when GitHub Actions tries to fetch those actions.
Additional Locations (2)
Reviewed by Cursor Bugbot for commit b0b979d. Configure here.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsNote
Low Risk
Routine Dependabot pin updates to CI only; no application or runtime code changes, though CI behavior could shift slightly with newer action versions.
Overview
Bumps pinned third-party and Chainguard GitHub Actions across CI workflows with no workflow logic changes.
Chainguard actions (
boilerplate,donotsubmit,setup-kind,kind-diag,gofmt,goimports,trailing-space,eof-newline) move from commitf0be699…to4d37df0…in boilerplate, donotsubmit, kind-e2e, and style workflows.Other bumps:
golang/govulncheck-actionv1.0.4 → v1.1.0 inbuild.yaml, andactions/stalev10.3.0 → v10.4.0 instale.yaml.Reviewed by Cursor Bugbot for commit b0b979d. Bugbot is set up for automated code reviews on this repo. Configure here.