Skip to content

Update github actions (main) (patch)#3279

Open
red-hat-konflux[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main-main/patch-github-actions
Open

Update github actions (main) (patch)#3279
red-hat-konflux[bot] wants to merge 1 commit into
mainfrom
konflux/mintmaker/main-main/patch-github-actions

Conversation

@red-hat-konflux

@red-hat-konflux red-hat-konflux Bot commented May 9, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
actions/cache action patch v5.0.4v5.0.5
actions/checkout action patch v6.0.2v6.0.3
codecov/codecov-action action patch v5.5.4v5.5.5
peter-evans/create-pull-request action patch v8.1.0v8.1.1

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

actions/cache (actions/cache)

v5.0.5

Compare Source

What's Changed

Full Changelog: actions/cache@v5...v5.0.5

actions/checkout (actions/checkout)

v6.0.3

Compare Source

codecov/codecov-action (codecov/codecov-action)

v5.5.5

Compare Source

This release only contains the keybase.io change as described here.

Full Changelog: codecov/codecov-action@v5.5.4...v5.5.5

peter-evans/create-pull-request (peter-evans/create-pull-request)

v8.1.1: Create Pull Request v8.1.1

Compare Source

What's Changed

Full Changelog: peter-evans/create-pull-request@v8.1.0...v8.1.1


Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux Bot enabled auto-merge May 9, 2026 02:54
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch 3 times, most recently from 63233a0 to 197c8d6 Compare May 9, 2026 02:55
@codecov

codecov Bot commented May 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 54.25% <ø> (ø)
generative 16.80% <ø> (ø)
integration 27.97% <ø> (ø)
unit 71.74% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch 5 times, most recently from 47b42ac to 68bd7f0 Compare May 21, 2026 02:43
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch 3 times, most recently from df77d1f to c0069f3 Compare June 4, 2026 02:13
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 4, 2026

Copy link
Copy Markdown

Review of PR #3279 — Update github actions (main) (patch)

Verdict: approve

Summary

Automated Renovate/MintMaker patch-level bump of four GitHub Actions across six workflow files. All changes are 1:1 SHA pin replacements with version comment updates — no workflow logic, permissions, or configuration changes.

Action Old Version New Version SHA Verified
actions/checkout v6.0.2 v6.0.3
actions/cache v5.0.4 v5.0.5
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Verification

All four new commit SHAs were verified against the upstream repositories' Git tags via the GitHub API. Each SHA resolves to the claimed version tag (dereferencing annotated tags where applicable).

Dimension Assessment

  • Correctness: Pure version pin updates with no behavioral changes. Patch releases contain bug fixes and dependency bumps only (checkout SHA-256 repo fix, cache runtime dependency update, codecov keybase.io change, create-pull-request 422 retry fix). No logic changes in workflows.
  • Security: All actions remain pinned by full 40-character commit SHA — the recommended supply chain security practice. No new permissions introduced. No secrets handling changes.
  • Intent & coherence: Properly scoped automated dependency update targeting only patch versions. Consistent with the repo's existing Renovate/MintMaker configuration.
  • Style/conventions: Follows existing @<sha> # vX.Y.Z pinning convention throughout.
  • Documentation: No documentation impact — CI dependency bumps don't require doc updates.
  • Cross-repo contracts: These actions are consumed, not published. No downstream impact.

No findings at or above the severity threshold.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run

Review

Verdict: Approve

Summary

Automated Renovate/MintMaker patch-level bump of four GitHub Actions dependencies across six workflow files:

Package Update
actions/checkout v6.0.2v6.0.3
actions/cache v5.0.4v5.0.5
codecov/codecov-action v5.5.4v5.5.5
peter-evans/create-pull-request v8.1.0v8.1.1

Verification

  • SHA pin integrity — All four new SHA pins were verified against their upstream Git tags via the GitHub API. Each resolves to the correct tagged commit.
  • Completeness — All 21 occurrences of old SHAs across the 6 workflow files are replaced (9 checkout, 7 cache, 4 codecov, 1 create-pull-request). No stale references remain.
  • No functional changes — Only SHA pins and version comments are modified. No workflow logic, step ordering, inputs, or secrets handling changed.
  • Trusted sources — All actions are from well-known, widely-used publishers (actions/*, codecov/*, peter-evans/*).
  • Scope — Changes are confined to .github/workflows/ with no impact on application code, tests, or documentation.

Dimensions

  • Correctness: No logic changes; mechanical find-and-replace of pinned SHAs. No risk of behavioral regression.
  • Security: Actions remain pinned by full commit SHA (supply-chain best practice). Patch bumps include upstream dependency updates and bug fixes — no new permissions or inputs introduced.
  • Intent & coherence: Standard automated dependency maintenance, appropriately scoped.
  • Style/conventions: Follows existing convention of @<sha> # <version> pinning.
  • Documentation: No documentation changes needed for CI dependency bumps.
  • Cross-repo contracts: No cross-repo impact; these are CI-only changes.

No findings.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (2)

Review

Verdict: Approve ✅

Summary

This is an automated dependency update PR from MintMaker/Renovate that bumps four GitHub Actions to their latest patch versions across six workflow files:

Action Old Version New Version
actions/checkout v6.0.2 v6.0.3
actions/cache v5.0.4 v5.0.5
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Verification

  • SHA integrity: All four commit SHA pins were verified against their upstream GitHub tag references. Each SHA correctly resolves to the claimed version tag. ✅
  • Coverage completeness: All instances of these action references across all .github/workflows/ files are covered by this PR — no stale references remain. ✅
  • Scope: Changes are confined to CI workflow files (.github/workflows/). No application code, configuration, or documentation is modified. ✅
  • Format consistency: All references follow the existing action@<full-sha> # <version> pinning convention. ✅

Dimension Analysis

  • Correctness: No logic changes. Version pins are mechanically updated with verified SHAs.
  • Security: SHA-pinned action references prevent tag-mutation attacks. All actions are from trusted, well-known publishers (GitHub, Codecov, peter-evans). Patch-level updates include bug fixes and dependency bumps in the actions themselves.
  • Intent & coherence: Appropriately scoped automated maintenance. Patch-level CI dependency updates are routine and low-risk.
  • Style/conventions: Follows existing SHA-pinning pattern with version comments.
  • Documentation: No documentation impact — CI workflow version bumps do not affect in-repo docs.
  • Cross-repo contracts: No API, schema, or interface changes.

No findings.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (3)

Review of PR #3279 — Update GitHub Actions (patch)

Verdict: ✅ Approve

Summary

This PR is an automated patch-level version bump for four GitHub Actions dependencies across six workflow files. All changes are limited to updating SHA pins and version comments — no workflow logic, step ordering, or configuration is modified.

Changes Reviewed

Action Old Version New Version SHA Verified
actions/checkout v6.0.2 v6.0.3
actions/cache v5.0.4 v5.0.5
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Verification Performed

  1. SHA pin integrity: All four commit SHAs in the PR were dereferenced against the upstream repository tags via the GitHub API. Each SHA correctly resolves to the claimed version tag (accounting for annotated vs. lightweight tags).
  2. Completeness: All instances of each action across all .github/workflows/ files are updated — no stale pins remain.
  3. No behavioral changes: The diff contains only uses: line updates. No changes to step inputs, environment variables, secrets usage, or workflow triggers.
  4. Upstream release notes: All updates are patch releases containing bug fixes and dependency bumps with no breaking changes.

Findings

No findings. This is a clean, well-formed automated dependency update.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (4)

Review

Verdict: ✅ Approve

Automated patch-level update of 4 GitHub Actions dependencies across 6 workflow files, generated by Renovate (MintMaker). All changes are SHA-pin bumps with corresponding version comments — no workflow logic or configuration changes.

Updates verified

Action Old version New version SHA verified
actions/checkout v6.0.2 v6.0.3
actions/cache v5.0.4 v5.0.5
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Verification details

  • SHA pin integrity: All 4 action SHAs were independently verified against their upstream Git tags (including annotated tag dereferencing for actions/checkout and codecov/codecov-action). Each SHA in the diff matches the commit pointed to by the claimed version tag.
  • Completeness: All 21 instances of these actions across .github/workflows/ are updated — no stale references remain.
  • Scope: Changes are confined to .github/workflows/ YAML files. No source code, configuration, or documentation files were modified.
  • Release notes: All updates are routine maintenance — dependency bumps, bug fixes (checkout SHA-256 repo support, codecov keybase.io change, create-pull-request 422 retry), and build dependency updates. No breaking changes or new features.

No findings.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (5)

Looks good to me — routine patch-level GitHub Actions version bumps via Renovate. All files are under .github/ (protected path); human approval is required per repository policy.

Previous run (6)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 modified files are under the .github/ protected path. This PR has no linked issue to authorize changes to governance/infrastructure files. Affected files: .github/workflows/checks-codecov.yaml, .github/workflows/codeql.yaml, .github/workflows/lint.yaml, .github/workflows/release.yaml, .github/workflows/scorecard.yml, .github/workflows/update-go-containerregistry.yaml. Human approval is required for protected-path changes.
    Remediation: A maintainer should review and approve this automated dependency update. The changes themselves are mechanical patch-version bumps of pinned GitHub Actions (actions/cache v5.0.4→v5.0.5, actions/checkout v6.0.2→v6.0.3, codecov/codecov-action v5.5.4→v5.5.5, peter-evans/create-pull-request v8.1.0→v8.1.1) with no behavioral or permission changes.

Labels: All changes are to GitHub Actions workflow files.

Previous run (7)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 changed files are under .github/, a protected path. This PR has no linked issue providing authorization for modifying governance/infrastructure files. While the change is an automated Renovate patch version bump (actions/cache v5.0.4→v5.0.5, actions/checkout v6.0.2→v6.0.3, codecov/codecov-action v5.5.4→v5.5.5, peter-evans/create-pull-request v8.1.0→v8.1.1) and the diff contains only commit SHA pin updates with no permission, trigger, or secrets changes, human approval is required for all protected-path modifications.
    Remediation: A human reviewer must approve this PR. The changes themselves are mechanically correct — all actions remain pinned by full commit SHA, no permissions or workflow triggers were modified.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model unavailable on vertex deployment. For this mechanical version bump, the sub-agent would have triggered early-exit criteria (no style findings expected).
Previous run (8)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 changed files are under the .github/ protected path (checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml). This PR has no linked issue justifying the modification of governance/infrastructure files. Human approval is required for all protected-path changes.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available. This is a low-risk gap for a mechanical version-bump PR.

The code changes themselves are a straightforward, mechanical Renovate bot update of four GitHub Actions to their latest patch versions (actions/cache v5.0.4 → v5.0.5, actions/checkout v6.0.2 → v6.0.3, codecov/codecov-action v5.5.4 → v5.5.5, peter-evans/create-pull-request v8.1.0 → v8.1.1). All SHA pins are consistent across workflow files, no permissions or secrets handling changed, and no new injection surfaces were introduced. The correctness and security sub-agents found no issues.

Previous run (9)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 modified files are under .github/, a protected path. This PR has no linked issue authorizing changes to governance/infrastructure files. While the changes are automated Renovate patch-level version bumps (actions/checkout v6.0.2→v6.0.3, actions/cache v5.0.4→v5.0.5, codecov/codecov-action v5.5.4→v5.5.5, peter-evans/create-pull-request v8.1.0→v8.1.1) and the code changes themselves are correct and safe (verified: no permission changes, no structural workflow changes, no new secrets, SHA-pinning preserved), human approval is required for all protected-path modifications.
    Remediation: A human maintainer must review and approve this PR. The version bumps themselves are mechanically correct.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 not available on vertex deployment. This sub-agent would have early-exited with no findings for this mechanical version-bump PR.
Previous run (10)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 changed files are under the .github/ protected path (checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml). The PR has no linked issue providing authorization for modifying governance/infrastructure files. Human approval is required for all protected-path changes.
    Remediation: A human reviewer with appropriate permissions must approve this PR. Consider linking a tracking issue that authorizes CI dependency updates.

Info

  • [supply-chain-verification] .github/workflows/checks-codecov.yaml — The PR bumps three GitHub Actions to new patch versions (actions/checkout v6.0.2→v6.0.3, actions/cache v5.0.4→v5.0.5, peter-evans/create-pull-request v8.1.0→v8.1.1) using full SHA pins. All instances across all 6 workflow files are consistently updated. No permissions, run steps, or workflow structure changes are introduced. SHA-to-tag mappings should be verified against upstream GitHub releases.

  • [sub-agent-failure] N/A — The style-conventions and intent-coherence sub-agents did not return findings: model claude-sonnet-4-5@20250929 is not available on the deployment. These are sonnet-tier (non-blocking) dimensions; correctness and security reviews completed successfully.

Previous run (11)

Review

Findings

Medium

  • [protected-path] .github/workflows/ — All 6 modified files are under the .github/ protected path. This is an automated Renovate patch-version bump (actions/cache v5.0.4→v5.0.5, actions/checkout v6.0.2→v6.0.3, peter-evans/create-pull-request v8.1.0→v8.1.1) with clear rationale, but human approval is always required for protected-path changes regardless of context.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available on the deployment. This dimension is non-critical for a SHA-pin-only dependency update.

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label Jun 4, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch from c0069f3 to aec622c Compare June 5, 2026 02:37
fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot removed the requires-manual-review Review requires human judgment label Jun 5, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch from aec622c to 32a05db Compare June 16, 2026 00:55
@github-actions github-actions Bot added size: S and removed size: XS labels Jun 16, 2026
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 16, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 12:57 AM UTC · Completed 1:01 AM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch from 32a05db to 1505a16 Compare June 18, 2026 01:19
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 18, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:20 AM UTC · Completed 1:26 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 2, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:43 AM UTC · Completed 1:50 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot dismissed stale reviews from themself July 2, 2026 01:50

Superseded by updated review

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label Jul 2, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch 3 times, most recently from de11e74 to a18891c Compare July 8, 2026 01:48
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 8, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:49 AM UTC · Completed 1:53 AM UTC
Commit: 7c8ccca · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 8, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch from a18891c to 8db962e Compare July 9, 2026 01:39
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 9, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:39 AM UTC · Completed 1:43 AM UTC
Commit: 8f05d87 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 9, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch from 8db962e to c893bdc Compare July 10, 2026 01:32
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 10, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:33 AM UTC · Completed 1:36 AM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 10, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch from c893bdc to 6879426 Compare July 14, 2026 01:30
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:31 AM UTC · Completed 1:35 AM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 14, 2026
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/patch-github-actions branch from 6879426 to 17e1272 Compare July 15, 2026 01:22
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 15, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:23 AM UTC · Completed 1:27 AM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

github_actions Pull requests that update GitHub Actions code main renovate requires-manual-review Review requires human judgment size: S

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants