From 69f7fccac54a0b6869dd24c943bcb3ed543aa7c4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 20 Jun 2026 16:52:34 +0000 Subject: [PATCH 1/2] ci: bump actions/checkout from 6.0.3 to 7.0.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.3 to 7.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/df4cb1c069e1874edd31b4311f1884172cec0e10...9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/affine-vscode-publish.yml | 2 +- .github/workflows/casket-pages.yml | 4 ++-- .github/workflows/ci.yml | 12 ++++++------ .github/workflows/codeql.yml | 2 +- .github/workflows/governance.yml | 2 +- .github/workflows/panic-attack.yml | 2 +- .github/workflows/publish-jsr.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/scorecard-enforcer.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- .github/workflows/secret-scanner.yml | 2 +- .github/workflows/semgrep.yml | 2 +- .github/workflows/stdlib-naming.yml | 2 +- .github/workflows/workflow-linter.yml | 2 +- 14 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/affine-vscode-publish.yml b/.github/workflows/affine-vscode-publish.yml index 2a87540..afbaa5b 100644 --- a/.github/workflows/affine-vscode-publish.yml +++ b/.github/workflows/affine-vscode-publish.yml 
@@ -32,7 +32,7 @@ jobs: timeout-minutes: 10 steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Verify tag matches package version working-directory: packages/affine-vscode run: | diff --git a/.github/workflows/casket-pages.yml b/.github/workflows/casket-pages.yml index a33d5ab..3768375 100644 --- a/.github/workflows/casket-pages.yml +++ b/.github/workflows/casket-pages.yml @@ -49,9 +49,9 @@ jobs: timeout-minutes: 10 steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Checkout casket-ssg - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 with: repository: hyperpolymath/casket-ssg path: .casket-ssg diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4bf76a8..1740dbb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,7 +36,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Set up OCaml toolchain (self-hosted; replaces ocaml/setup-ocaml) run: | sudo apt-get update @@ -99,7 +99,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Set up OCaml toolchain (self-hosted; replaces ocaml/setup-ocaml) run: | sudo apt-get update @@ -128,7 +128,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Set up OCaml toolchain (self-hosted; replaces ocaml/setup-ocaml) run: | sudo apt-get update 
@@ -178,7 +178,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Set up OCaml toolchain (self-hosted; replaces ocaml/setup-ocaml) run: | sudo apt-get update @@ -238,7 +238,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Set up Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4 with: @@ -283,7 +283,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Set up Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4 with: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 029134c..ff3004d 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -32,7 +32,7 @@ jobs: build-mode: none steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Initialize CodeQL uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3.28.1 with: diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml index 56f42ae..abbc28d 100644 --- a/.github/workflows/governance.yml +++ b/.github/workflows/governance.yml @@ -26,7 +26,7 @@ jobs: timeout-minutes: 5 steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 with: fetch-depth: 0 - name: Fetch base ref (DOC-FORMAT delta) diff --git a/.github/workflows/panic-attack.yml b/.github/workflows/panic-attack.yml index af1359d..31f4387 100644 
--- a/.github/workflows/panic-attack.yml +++ b/.github/workflows/panic-attack.yml @@ -31,7 +31,7 @@ jobs: timeout-minutes: 10 steps: - name: Checkout - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Install Rust toolchain (stable) diff --git a/.github/workflows/publish-jsr.yml b/.github/workflows/publish-jsr.yml index ae0c2d5..74bd218 100644 --- a/.github/workflows/publish-jsr.yml +++ b/.github/workflows/publish-jsr.yml @@ -39,7 +39,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 - uses: denoland/setup-deno@v2 with: deno-version: v2.x diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7034092..4b39503 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -33,7 +33,7 @@ jobs: timeout-minutes: 10 steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Create the release (idempotent) env: GH_TOKEN: ${{ github.token }} @@ -60,7 +60,7 @@ jobs: timeout-minutes: 10 steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up OCaml uses: ocaml/setup-ocaml@e32b06a3e831ff2fbc6f08cf35be2085e3918014 # v3 with: diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml index 40b283d..54aaa02 100644 --- a/.github/workflows/scorecard-enforcer.yml +++ b/.github/workflows/scorecard-enforcer.yml 
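Review bot: In publish-jsr.yml the step directly after the bumped checkout, `- uses: denoland/setup-deno@v2`, is still referenced by a mutable tag while checkout is pinned to a full commit SHA. In a publishing job, a retargeted tag would run unreviewed code with whatever credentials the job holds, and it looks inconsistent with the SHA-pinning policy that the ci.yml header note describes. Pin it the same way, `- uses: denoland/setup-deno@<full-commit-sha> # v2.x.y` (placeholder; take the SHA from the upstream release), so Dependabot maintains it alongside checkout. The same unchanged line appears in the publish-jsr.yml hunk of PATCH 2/2, and the job continues outside both hunks.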
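Review bot: Both checkout steps in release.yml run without `persist-credentials: false`, although the first is followed by a step that already receives its token explicitly through `GH_TOKEN: ${{ github.token }}` and the second by the third-party `ocaml/setup-ocaml` action. panic-attack.yml, scorecard.yml and the first job of scorecard-enforcer.yml set the option, so the omission here looks like an oversight rather than a choice. Unless a later step outside the hunk relies on git's stored credential, add `with:` and `persist-credentials: false` under each checkout so the token is not left available to subsequent steps. The second job of scorecard-enforcer.yml has the same gap.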
@@ -23,7 +23,7 @@ jobs: security-events: write id-token: write # For OIDC steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 with: persist-credentials: false - name: Run Scorecard @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Check SECURITY.md exists run: | if [ ! -f "SECURITY.md" ]; then diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index d62967c..28c5035 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -27,7 +27,7 @@ jobs: id-token: write steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 with: persist-credentials: false - name: Run analysis diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index c6269db..ecf6ec9 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -24,6 +24,6 @@ jobs: timeout-minutes: 5 steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Run standalone secret scan run: ./tools/ci/secret-scan-standalone.sh diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 5e1c580..5d1a95d 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml 
@@ -24,7 +24,7 @@ jobs: container: image: semgrep/semgrep steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Run Semgrep run: semgrep scan --sarif --output=semgrep.sarif --config=auto . env: diff --git a/.github/workflows/stdlib-naming.yml b/.github/workflows/stdlib-naming.yml index 36b7a45..17fb0af 100644 --- a/.github/workflows/stdlib-naming.yml +++ b/.github/workflows/stdlib-naming.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Enforce lowercase .affine filenames in stdlib/ run: | BAD=$(find stdlib -maxdepth 1 -type f -name '*.affine' | grep -E '/stdlib/[A-Z]' || true) diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml index 4fa586c..cd09e0d 100644 --- a/.github/workflows/workflow-linter.yml +++ b/.github/workflows/workflow-linter.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 - name: Check SPDX headers run: | errors=0 From 0df4a5ec7492f1c1741434289e02b3ceeb939848 Mon Sep 17 00:00:00 2001 
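Review bot: The semgrep.yml job runs in `image: semgrep/semgrep` with no tag or digest, so every run pulls whatever the registry currently serves under the default tag, while the checkout beside it is pinned to a commit SHA. Pin the container by digest, `image: semgrep/semgrep@sha256:<digest>` (placeholder), so the scanner is held to the same supply-chain standard as the actions and its behaviour is reproducible. The `--config=auto` ruleset in the same hunk is also resolved at run time, so findings can change without any commit to the repo; a pinned or vendored ruleset avoids that if stable results matter. The job continues outside the hunk.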
From: Claude Date: Sat, 20 Jun 2026 20:05:08 +0000 Subject: [PATCH 2/2] ci: normalize actions/checkout version comments to v7.0.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Follow-up tidy on the Dependabot bump (#605). The checkout SHA moved to v7.0.0 (9c091bb) uniformly, but several checkout lines kept a stale `# v4` comment — they had been relabeled `# v4` in #604/#606, where that SHA (df4cb1c) was actually v6.0.3, not v4. Normalize every `actions/checkout` comment to `# v7.0.0`, add the missing comment on publish-jsr's bare line, and refresh the ci.yml pin note. `setup-node` / `upload-artifact` remain genuinely v4 and are untouched. Comments only — no SHA or logic change; YAML validated. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01Lz7pRcec2Z3tVtaAhvB3M8 --- .github/workflows/casket-pages.yml | 4 ++-- .github/workflows/ci.yml | 20 +++++++++----------- .github/workflows/governance.yml | 2 +- .github/workflows/publish-jsr.yml | 2 +- .github/workflows/scorecard-enforcer.yml | 4 ++-- .github/workflows/scorecard.yml | 2 +- .github/workflows/secret-scanner.yml | 2 +- .github/workflows/workflow-linter.yml | 2 +- 8 files changed, 18 insertions(+), 20 deletions(-) diff --git a/.github/workflows/casket-pages.yml b/.github/workflows/casket-pages.yml index 3768375..11d8e19 100644 --- a/.github/workflows/casket-pages.yml +++ b/.github/workflows/casket-pages.yml @@ -49,9 +49,9 @@ jobs: timeout-minutes: 10 steps: - name: Checkout - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Checkout casket-ssg - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: hyperpolymath/casket-ssg path: .casket-ssg 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1740dbb..4991030 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,12 +7,10 @@ # OCaml >= 4.14, satisfied by the runner's apt OCaml (ocaml-system), with a # base-compiler fallback. # -# NOTE on pins: first-party `actions/*` stay SHA-pinned (repo SHA-pinning +# NOTE on pins: first-party `actions/*` are SHA-pinned (repo SHA-pinning # policy + Hypatia workflow_audit + the "allowed actions" policy that rejects -# tag refs at run-creation). The SHAs are unchanged from the prior ci.yml; -# only the fictional version *comments* (`# v6.0.3`, `# v7.0.1` — versions -# that do not exist upstream) were corrected. checkout's SHA is the same one -# scorecard-enforcer.yml labels `# v4`. +# tag refs at run-creation). `actions/checkout` is v7.0.0 (`9c091bb…`, bumped +# by Dependabot in #605); `setup-node` / `upload-artifact` remain v4. name: CI on: push: @@ -36,7 +34,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up OCaml toolchain (self-hosted; replaces ocaml/setup-ocaml) run: | sudo apt-get update @@ -99,7 +97,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up OCaml toolchain (self-hosted; replaces ocaml/setup-ocaml) run: | sudo apt-get update @@ -128,7 +126,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up OCaml toolchain (self-hosted; replaces ocaml/setup-ocaml) run: | sudo apt-get update 
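Review bot: The rewritten header note in ci.yml hard-codes the release and abbreviated SHA (`actions/checkout` is v7.0.0 (`9c091bb…`, bumped by Dependabot in #605)) in free-form prose, which will go stale on the next bump in the same way the `# v4` labels did. Dependabot rewrites the `uses:` line and its trailing version comment, not a comment block at the top of the file. Keep the policy statement and drop the specifics, for example `# tag refs at run-creation). The trailing comment on each uses: line names the release its SHA corresponds to.` Since the commit message reports that these labels have already been wrong once, a check that compares each label with the tag the SHA resolves to upstream would be more dependable than prose; whether the existing workflow linter can do that is not visible here.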
@@ -178,7 +176,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up OCaml toolchain (self-hosted; replaces ocaml/setup-ocaml) run: | sudo apt-get update @@ -238,7 +236,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4 with: @@ -283,7 +281,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Node.js uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4 with: diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml index abbc28d..08369b8 100644 --- a/.github/workflows/governance.yml +++ b/.github/workflows/governance.yml @@ -26,7 +26,7 @@ jobs: timeout-minutes: 5 steps: - name: Checkout code - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Fetch base ref (DOC-FORMAT delta) diff --git a/.github/workflows/publish-jsr.yml b/.github/workflows/publish-jsr.yml index 74bd218..d791839 100644 --- a/.github/workflows/publish-jsr.yml +++ b/.github/workflows/publish-jsr.yml @@ -39,7 +39,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: denoland/setup-deno@v2 with: deno-version: v2.x diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml index 54aaa02..64c763b 100644 
--- a/.github/workflows/scorecard-enforcer.yml +++ b/.github/workflows/scorecard-enforcer.yml @@ -23,7 +23,7 @@ jobs: security-events: write id-token: write # For OIDC steps: - - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Run Scorecard @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Check SECURITY.md exists run: | if [ ! -f "SECURITY.md" ]; then diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 28c5035..3276bd3 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -27,7 +27,7 @@ jobs: id-token: write steps: - name: Checkout code - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Run analysis diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index ecf6ec9..bf9cee3 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -24,6 +24,6 @@ jobs: timeout-minutes: 5 steps: - name: Checkout code - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Run standalone secret scan run: ./tools/ci/secret-scan-standalone.sh diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml index cd09e0d..646e0c6 100644 --- a/.github/workflows/workflow-linter.yml +++ b/.github/workflows/workflow-linter.yml 
@@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Check SPDX headers run: | errors=0