Skip to content

Update github actions (main) (patch)#3279

Open
red-hat-konflux[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main-main/patch-github-actions
Open

Update github actions (main) (patch)#3279
red-hat-konflux[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main-main/patch-github-actions

Conversation

@red-hat-konflux

@red-hat-konflux red-hat-konflux Bot commented May 9, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
actions/cache action patch v5.0.4v5.0.5
actions/checkout action patch v6.0.2v6.0.3
codecov/codecov-action action patch v5.5.4v5.5.5
peter-evans/create-pull-request action patch v8.1.0v8.1.1

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

actions/cache (actions/cache)

v5.0.5

Compare Source

What's Changed

Full Changelog: actions/cache@v5...v5.0.5

actions/checkout (actions/checkout)

v6.0.3

Compare Source

codecov/codecov-action (codecov/codecov-action)

v5.5.5

Compare Source

This release only contains the keybase.io change as described here.

Full Changelog: codecov/codecov-action@v5.5.4...v5.5.5

peter-evans/create-pull-request (peter-evans/create-pull-request)

v8.1.1: Create Pull Request v8.1.1

Compare Source

What's Changed

Full Changelog: peter-evans/create-pull-request@v8.1.0...v8.1.1


Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux Bot enabled auto-merge May 9, 2026 02:54
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch 3 times, most recently from 63233a0 to 197c8d6 Compare May 9, 2026 02:55
@codecov

codecov Bot commented May 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 53.47% <ø> (ø)
generative 17.35% <ø> (ø)
integration 28.63% <ø> (ø)
unit 71.80% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch 5 times, most recently from 47b42ac to 68bd7f0 Compare May 21, 2026 02:43
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch 3 times, most recently from df77d1f to c0069f3 Compare June 4, 2026 02:13
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 4, 2026

Copy link
Copy Markdown

Review

Verdict: ✅ Approve

Automated patch-level update of 4 GitHub Actions dependencies across 6 workflow files, generated by Renovate (MintMaker). All changes are SHA-pin bumps with corresponding version comments — no workflow logic or configuration changes.

Updates verified

Action Old version New version SHA verified
actions/checkout v6.0.2 v6.0.3
actions/cache v5.0.4 v5.0.5
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Verification details

  • SHA pin integrity: All 4 action SHAs were independently verified against their upstream Git tags (including annotated tag dereferencing for actions/checkout and codecov/codecov-action). Each SHA in the diff matches the commit pointed to by the claimed version tag.
  • Completeness: All 21 instances of these actions across .github/workflows/ are updated — no stale references remain.
  • Scope: Changes are confined to .github/workflows/ YAML files. No source code, configuration, or documentation files were modified.
  • Release notes: All updates are routine maintenance — dependency bumps, bug fixes (checkout SHA-256 repo support, codecov keybase.io change, create-pull-request 422 retry), and build dependency updates. No breaking changes or new features.

No findings.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run

Looks good to me — routine patch-level GitHub Actions version bumps via Renovate. All files are under .github/ (protected path); human approval is required per repository policy.

Previous run (2)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 modified files are under the .github/ protected path. This PR has no linked issue to authorize changes to governance/infrastructure files. Affected files: .github/workflows/checks-codecov.yaml, .github/workflows/codeql.yaml, .github/workflows/lint.yaml, .github/workflows/release.yaml, .github/workflows/scorecard.yml, .github/workflows/update-go-containerregistry.yaml. Human approval is required for protected-path changes.
    Remediation: A maintainer should review and approve this automated dependency update. The changes themselves are mechanical patch-version bumps of pinned GitHub Actions (actions/cache v5.0.4→v5.0.5, actions/checkout v6.0.2→v6.0.3, codecov/codecov-action v5.5.4→v5.5.5, peter-evans/create-pull-request v8.1.0→v8.1.1) with no behavioral or permission changes.

Labels: All changes are to GitHub Actions workflow files.

Previous run (3)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 changed files are under .github/, a protected path. This PR has no linked issue providing authorization for modifying governance/infrastructure files. While the change is an automated Renovate patch version bump (actions/cache v5.0.4→v5.0.5, actions/checkout v6.0.2→v6.0.3, codecov/codecov-action v5.5.4→v5.5.5, peter-evans/create-pull-request v8.1.0→v8.1.1) and the diff contains only commit SHA pin updates with no permission, trigger, or secrets changes, human approval is required for all protected-path modifications.
    Remediation: A human reviewer must approve this PR. The changes themselves are mechanically correct — all actions remain pinned by full commit SHA, no permissions or workflow triggers were modified.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable on vertex deployment. For this mechanical version bump, the sub-agent would have triggered early-exit criteria (no style findings expected).
Previous run (4)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 changed files are under the .github/ protected path (checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml). This PR has no linked issue justifying the modification of governance/infrastructure files. Human approval is required for all protected-path changes.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available. This is a low-risk gap for a mechanical version-bump PR.

The code changes themselves are a straightforward, mechanical Renovate bot update of four GitHub Actions to their latest patch versions (actions/cache v5.0.4 → v5.0.5, actions/checkout v6.0.2 → v6.0.3, codecov/codecov-action v5.5.4 → v5.5.5, peter-evans/create-pull-request v8.1.0 → v8.1.1). All SHA pins are consistent across workflow files, no permissions or secrets handling changed, and no new injection surfaces were introduced. The correctness and security sub-agents found no issues.

Previous run (5)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 modified files are under .github/, a protected path. This PR has no linked issue authorizing changes to governance/infrastructure files. While the changes are automated Renovate patch-level version bumps (actions/checkout v6.0.2→v6.0.3, actions/cache v5.0.4→v5.0.5, codecov/codecov-action v5.5.4→v5.5.5, peter-evans/create-pull-request v8.1.0→v8.1.1) and the code changes themselves are correct and safe (verified: no permission changes, no structural workflow changes, no new secrets, SHA-pinning preserved), human approval is required for all protected-path modifications.
    Remediation: A human maintainer must review and approve this PR. The version bumps themselves are mechanically correct.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 not available on vertex deployment. This sub-agent would have early-exited with no findings for this mechanical version-bump PR.
Previous run (6)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 changed files are under the .github/ protected path (checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml). The PR has no linked issue providing authorization for modifying governance/infrastructure files. Human approval is required for all protected-path changes.
    Remediation: A human reviewer with appropriate permissions must approve this PR. Consider linking a tracking issue that authorizes CI dependency updates.

Info

  • [supply-chain-verification] .github/workflows/checks-codecov.yaml — The PR bumps three GitHub Actions to new patch versions (actions/checkout v6.0.2→v6.0.3, actions/cache v5.0.4→v5.0.5, peter-evans/create-pull-request v8.1.0→v8.1.1) using full SHA pins. All instances across all 6 workflow files are consistently updated. No permissions, run steps, or workflow structure changes are introduced. SHA-to-tag mappings should be verified against upstream GitHub releases.

  • [sub-agent-failure] N/A — The style-conventions and intent-coherence sub-agents did not return findings: model claude-sonnet-4-5@20250929 is not available on the deployment. These are sonnet-tier (non-blocking) dimensions; correctness and security reviews completed successfully.

Previous run (7)

Review

Findings

Medium

  • [protected-path] .github/workflows/ — All 6 modified files are under the .github/ protected path. This is an automated Renovate patch-version bump (actions/cache v5.0.4→v5.0.5, actions/checkout v6.0.2→v6.0.3, peter-evans/create-pull-request v8.1.0→v8.1.1) with clear rationale, but human approval is always required for protected-path changes regardless of context.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available on the deployment. This dimension is non-critical for a SHA-pin-only dependency update.

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label Jun 4, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch from c0069f3 to aec622c Compare June 5, 2026 02:37
fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot removed the requires-manual-review Review requires human judgment label Jun 5, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch from aec622c to 32a05db Compare June 16, 2026 00:55
@github-actions github-actions Bot added size: S and removed size: XS labels Jun 16, 2026
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 16, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 12:57 AM UTC · Completed 1:01 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch from 32a05db to 1505a16 Compare June 18, 2026 01:19
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 18, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:20 AM UTC · Completed 1:26 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch from 1505a16 to 6421a03 Compare June 23, 2026 01:45
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 23, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:47 AM UTC · Completed 1:53 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch from 6421a03 to 22a021d Compare June 27, 2026 01:37
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 27, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:40 AM UTC · Completed 1:47 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added the github_actions Pull requests that update GitHub Actions code label Jun 27, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch from 22a021d to a3ebf9a Compare July 2, 2026 01:40
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 2, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:43 AM UTC · Completed 1:50 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot dismissed stale reviews from themself July 2, 2026 01:50

Superseded by updated review

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label Jul 2, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch 2 times, most recently from 16954f2 to de11e74 Compare July 7, 2026 01:44
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch from de11e74 to a18891c Compare July 8, 2026 01:48
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 8, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:49 AM UTC · Completed 1:53 AM UTC
Commit: 7c8ccca · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

github_actions Pull requests that update GitHub Actions code main renovate requires-manual-review Review requires human judgment size: S

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants