Skip to content

Update github actions (main) (patch)#3338

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-patch-github-actions
Open

Update github actions (main) (patch)#3338
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/main-patch-github-actions

Conversation

@renovate

@renovate renovate Bot commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
actions/cache action patch v5.0.4v5.0.5
actions/checkout action patch v6.0.2v6.0.3
codecov/codecov-action action patch v5.5.4v5.5.5
peter-evans/create-pull-request action patch v8.1.0v8.1.1

Release Notes

actions/cache (actions/cache)

v5.0.5

Compare Source

What's Changed

Full Changelog: actions/cache@v5...v5.0.5

actions/checkout (actions/checkout)

v6.0.3

Compare Source

codecov/codecov-action (codecov/codecov-action)

v5.5.5

Compare Source

This release only contains the keybase.io change as described here.

Full Changelog: codecov/codecov-action@v5.5.4...v5.5.5

peter-evans/create-pull-request (peter-evans/create-pull-request)

v8.1.1: Create Pull Request v8.1.1

Compare Source

What's Changed

Full Changelog: peter-evans/create-pull-request@v8.1.0...v8.1.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:03 AM UTC · Completed 1:09 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 14, 2026

Copy link
Copy Markdown

Review — Approve ✅

PR: Update github actions (main) (patch)
Author: renovate[bot]
Scope: 6 GitHub Actions workflow files, 21 additions / 21 deletions

Summary

Routine Renovate patch-version bump for four GitHub Actions dependencies:

Action Old Version New Version
actions/checkout v6.0.2 v6.0.3
actions/cache v5.0.4 v5.0.5
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Analysis

Correctness: All 21 action references across 6 workflow files are updated consistently — every occurrence of each old SHA is replaced with the corresponding new SHA. No action references were missed. Version comments match the declared patch versions. No logic, configuration, or behavioral changes.

Security: All action references remain pinned to full commit SHAs (not mutable tags), which is the security best practice for GitHub Actions. The updated actions are from well-known, trusted publishers (actions/*, codecov/*, peter-evans/*). Release notes indicate only bug fixes and dependency updates — no permission or scope changes.

Intent & coherence: The PR is generated by Renovate bot and matches the repository's renovate.json configuration. The change is narrowly scoped to patch-level version bumps as declared.

Style/conventions: Follows the existing uses: action@sha # version-tag convention consistently across all files.

Documentation: No documentation impact.

Cross-repo contracts: No cross-repo impact — internal CI workflow updates only.

No findings.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run

Review

Verdict: ✅ Approve

Automated Renovate patch-level dependency update for four GitHub Actions across six workflow files. All changes are 1:1 SHA pin replacements with corresponding version comment updates.

Changes verified

Action Old version New version SHA verified
actions/checkout v6.0.2 v6.0.3
actions/cache v5.0.4 v5.0.5
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

All four SHA pins were independently verified against their upstream release tags via the GitHub API — each pin resolves to the correct tagged commit.

Completeness

All 21 occurrences of the old action references across the 6 workflow files (checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml) are updated. No stale references remain.

Upstream release highlights

  • actions/cache v5.0.5: Updates ts-http-runtime dependency
  • actions/checkout v6.0.3: Fixes checkout init for SHA-256 repositories
  • codecov/codecov-action v5.5.5: Addresses keybase.io change (#1956)
  • peter-evans/create-pull-request v8.1.1: Retries post-creation API calls on 422 eventual consistency errors; dependency bumps

No functional, security, or configuration concerns identified.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (2)

Review

Verdict: approve ✅

Summary

This is a standard Renovate bot PR that bumps four GitHub Actions dependencies to their latest patch versions across six workflow files. All changes are mechanical version pin updates with no behavioral modifications.

Changes reviewed

Action Update Files affected
actions/checkout v6.0.2 → v6.0.3 6 files (9 references)
actions/cache v5.0.4 → v5.0.5 6 files (7 references)
codecov/codecov-action v5.5.4 → v5.5.5 1 file (4 references)
peter-evans/create-pull-request v8.1.0 → v8.1.1 1 file (1 reference)

Verification

  • SHA pinning: All action references use full 40-character commit SHA pins (supply-chain security best practice)
  • Version comments: Each SHA pin has a matching version comment that was updated alongside the pin
  • Completeness: Every occurrence of the old SHAs across all workflow files is updated — no stale pins remain
  • Scope: Changes are strictly limited to .github/workflows/ YAML files; no source code, build config, or other files are modified
  • Risk level: All four updates are patch-level bumps from well-established, widely-used GitHub Actions maintained by GitHub (actions org), Codecov, and peter-evans

Upstream release notes (verified)

  • actions/checkout v6.0.3: Fix checkout init for SHA-256 repositories; expand merge commit SHA regex
  • actions/cache v5.0.5: Update ts-http-runtime dependency
  • codecov/codecov-action v5.5.5: keybase.io change (infrastructure)
  • peter-evans/create-pull-request v8.1.1: Dependency bumps + retry post-creation API calls on 422 eventual consistency errors

No findings.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (3)

Review of #3338 — Update github actions (main) (patch)

Verdict: ✅ Approve

Summary

Automated Renovate bot PR bumping 4 GitHub Actions to their latest patch versions across 6 workflow files. All changes are mechanical SHA pin updates with matching version comments — no logic, behavioral, or structural modifications.

Changes

Action Old version New version SHA verified
actions/checkout v6.0.2 v6.0.3
actions/cache v5.0.4 v5.0.5
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Verification

  • SHA pin integrity: All 4 commit SHAs were verified against the upstream GitHub repository tags via the Git refs API. Each SHA resolves to the claimed version tag (annotated tags were dereferenced to their target commits).
  • Coverage completeness: Every occurrence of these actions across the 6 modified workflow files (checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml) is updated — no stale pins remain.
  • Scope: No other files are modified. The diff contains only uses: line changes with updated SHAs and version comments.
  • Upstream changes: The release notes indicate bug fixes and dependency bumps only (ts-http-runtime update, SHA-256 repo fix, keybase.io change, 422 retry fix).
  • PR body injection defense: PR body contains standard Renovate bot output with release notes. The HTML comment is benign Renovate metadata (createdInVer, updatedInVer, targetBranch, labels). No instruction-like patterns detected.

No findings.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (4)

Review — Approve

Verdict: Safe to merge. All SHA pins verified against upstream release tags.

Summary

Routine Renovate patch update of 4 GitHub Actions across 6 workflow files (21 additions, 21 deletions — all 1:1 SHA replacements):

Action Old Version New Version SHA Verified
actions/checkout v6.0.2 v6.0.3
actions/cache v5.0.4 v5.0.5
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Verification performed

  • SHA pin integrity: Each commit SHA in the uses: directives was dereferenced against the upstream repository's Git tag objects via the GitHub API. All 4 SHAs resolve to the claimed version tags.
  • Completeness: All references to the old versions across all .github/workflows/ files are updated — no stale pins remain.
  • Scope: Changes are confined to .github/workflows/ YAML files. No application code, build scripts, or configuration files are modified.
  • Upstream changelogs: All updates are patch-level maintenance (dependency bumps, bug fixes). No breaking changes or new features introduced.

Dimensions

  • Correctness: Mechanical version pin updates; no logic changes. ✅
  • Security: Full commit SHA pinning maintained (supply chain best practice). All actions are from trusted, widely-used publishers. ✅
  • Intent & coherence: Matches Renovate's configured scope (main branch, GitHub Actions, patch updates). ✅
  • Style/conventions: Version comment annotations (# v6.0.3) match the actual pinned versions. Consistent formatting preserved. ✅
  • Documentation: No documentation impact — CI-only changes. ✅
  • Cross-repo contracts: No cross-repo contract impact. ✅

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (5)

Review — approve

PR: #3338Update github actions (main) (patch)
Author: renovate[bot] | Base: main | Head: 81c52e9

Summary

Routine Renovate-managed patch bump of four GitHub Actions dependencies across six workflow files:

Action Old New
actions/checkout v6.0.2 v6.0.3
actions/cache v5.0.4 v5.0.5
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Verification

  • SHA integrity — all four commit-pinned SHAs verified against their upstream tags via the GitHub API:
    • actions/checkout@df4cb1c0 → annotated tag v6.0.3 resolves to this commit
    • actions/cache@27d5ce7f → tag v5.0.5 points directly to this commit
    • codecov/codecov-action@0fb71748 → annotated tag v5.5.5 resolves to this commit
    • peter-evans/create-pull-request@5f6978fa → tag v8.1.1 points directly to this commit
  • Completeness — every reference to the four actions across all 10 workflow files is updated; the four workflow files not touched (auto-merge.yaml, fullsend.yaml, label-pr-size.yaml, website.yaml) do not reference any of these actions
  • Consistency — each action uses a single SHA across all workflow files (no mixed-version references)
  • Scope — changes are limited to uses: lines in .github/workflows/; no logic, permissions, or configuration changes
  • No injection vectors — PR body contains standard Renovate release notes; no instruction-like patterns detected

Assessment

No findings. This is a safe, well-scoped dependency update following the project's established pattern of commit-SHA pinning with version comments.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (6)

Review of #3338 — Update github actions (main) (patch)

Verdict: ✅ Approve

Summary

Routine Renovate patch-level bump of 4 GitHub Actions across 6 workflow files. All changes are mechanical SHA-pin and version-comment updates with no structural, behavioral, or security-relevant modifications.

Action From To
actions/checkout v6.0.2 v6.0.3
actions/cache v5.0.4 v5.0.5
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Review dimensions

Dimension Result
Correctness No findings. All old SHA references are fully covered by the PR; no stale references remain.
Security No findings. SHA pins are consistent across all files. No permissions:, secrets:, or trigger changes. No injection patterns. All SHAs are valid 40-char hex.
Intent & coherence Mechanical change — authorization implicit from Renovate bot + patch-level bumps.
Style & conventions No findings. Changes follow existing uses: action@SHA # vX.Y.Z pattern.
Documentation currency No findings. No behavioral changes requiring doc updates.
Cross-repo contracts Skipped — no exported interfaces or APIs modified.

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (7)

Review — ✅ Approve

PR: #3338 — Update github actions (main) (patch)
Author: renovate[bot]
Verdict: Approve — no findings

Summary

Routine Renovate patch-level bump of four GitHub Actions across six workflow files:

Action Old Version New Version
actions/cache v5.0.4 v5.0.5
actions/checkout v6.0.2 v6.0.3
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Review dimensions

Dimension Result
Correctness ✅ All SHA pins consistently updated across all 21 occurrences. Each old SHA is fully replaced with the correct new SHA. No occurrences missed.
Security ✅ No permissions, secrets, or trigger changes. All actions remain pinned to full 40-character commit SHAs with version comments. SHA-to-tag mappings verified against upstream repos.
Intent & coherence ✅ Mechanical dependency bump by Renovate bot. Authorization implicit from automated tooling.
Style & conventions ✅ Value-only changes follow existing action@SHA # vX.Y.Z pin format consistently.
Documentation ✅ No code behavior changes; no documentation impact.
Cross-repo contracts ⏭ Skipped — no exported interfaces or APIs modified.

Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml

Labels: PR updates GitHub Actions workflow dependencies

Previous run (8)

Review — Approve ✅

PR: #3338 — Update github actions (main) (patch)
Author: renovate[bot]
Head SHA: 5f7063c7b1f72089e1e3446c66cf34275553dc9d

Summary

Automated Renovate patch-level update of four GitHub Actions across six workflow files. All changes are symmetric SHA-pin replacements with matching version comments — no workflow logic, step ordering, or configuration changes.

Actions Updated

Action Old Version New Version SHA Verified
actions/checkout v6.0.2 v6.0.3
actions/cache v5.0.4 v5.0.5
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Verification Performed

  • SHA authenticity: All four new commit SHA pins were verified against upstream GitHub tag refs (dereferencing annotated tags where applicable). Each SHA resolves to the claimed version tag.
  • Coverage completeness: Searched all workflow files under .github/workflows/ for old SHA references. All 21 occurrences of old pins are replaced — zero stale references remain.
  • No logic changes: The diff is strictly oldsha → newsha and # vOLD → # vNEW on each uses: line. No steps were added, removed, reordered, or reconfigured.
  • Supply chain posture: The project correctly pins actions by full commit SHA with version comments, which is a supply chain security best practice. This PR maintains that discipline.

Findings

No findings at or above the reporting threshold.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (9)

Review — ✅ Approve

PR: #3338 — Update github actions (main) (patch)
Author: renovate[bot]
Scope: 6 GitHub Actions workflow files (patch-level dependency updates)

Summary

This is an automated Renovate PR that bumps four GitHub Actions to their latest patch versions:

Action Old Version New Version SHA Verified
actions/cache v5.0.4 v5.0.5
actions/checkout v6.0.2 v6.0.3
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Verification

  • SHA pin integrity: All four commit SHA pins were verified against the upstream repositories' tag references. Each pin resolves to the correct tagged release.
  • Consistency: Each action's SHA is updated consistently across all workflow files that reference it (e.g., actions/checkout updated identically in all 6 workflows).
  • Scope: Every changed line is a uses: directive — no workflow logic, permissions, step additions, environment variables, or secrets were modified.
  • Release notes: All upstream changes are routine maintenance (dependency bumps, bug fixes for SHA-256 repos, keybase.io changes, retry logic improvements).

Assessment

Pure mechanical patch-level version bumps with verified SHA pins. No behavioral or security-relevant changes to the workflows themselves.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (10)

Review — Approve

PR: #3338 — Update github actions (main) (patch)
Author: renovate[bot]
Scope: 6 workflow files, 21 additions / 21 deletions

Summary

Automated Renovate patch-version bumps for four GitHub Actions:

Action Old Version New Version SHA Verified
actions/cache v5.0.4 v5.0.5
actions/checkout v6.0.2 v6.0.3
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Verification

  • SHA integrity: All four new commit-pin SHAs were verified against the upstream repositories by resolving the version tags (including annotated tag dereferencing) to their commit objects. Every SHA in the diff matches the corresponding upstream release.
  • Old SHA integrity: The old SHAs in the removed lines were also verified to match the prior version tags.
  • Scope: Changes are strictly limited to uses: action references and their version comments in .github/workflows/ YAML files. No workflow logic, permissions, environment variables, secrets access, or step configuration was altered.
  • Actions provenance: All four actions (actions/cache, actions/checkout, codecov/codecov-action, peter-evans/create-pull-request) are well-known, widely-used GitHub Actions from trusted maintainers.

Affected Workflows

  • checks-codecov.yaml — 11 pin updates (checkout, cache, codecov-action)
  • codeql.yaml — 2 pin updates (checkout, cache)
  • lint.yaml — 2 pin updates (checkout, cache)
  • release.yaml — 2 pin updates (checkout, cache)
  • scorecard.yml — 1 pin update (checkout)
  • update-go-containerregistry.yaml — 3 pin updates (checkout, cache, create-pull-request)

Assessment

This is a routine, low-risk dependency update. All changes are mechanical pin-hash updates generated by Renovate with no behavioral impact on workflow execution. The upstream release notes confirm these are minor fixes (dependency bumps, SHA-256 repo support, keybase.io change, retry logic improvement).

No findings.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (11)

Review — Approve ✅

Verdict: approve
Findings: none

Summary

This is a standard Renovate automated patch-version bump of four GitHub Actions dependencies across six workflow files:

Action Old Version New Version
actions/cache v5.0.4 v5.0.5
actions/checkout v6.0.2 v6.0.3
codecov/codecov-action v5.5.4 v5.5.5
peter-evans/create-pull-request v8.1.0 v8.1.1

Analysis

Correctness: All 21 changes are mechanical 1:1 commit-SHA pin replacements with matching version comments. Every occurrence of each action across all workflow files is updated consistently — no stale pins remain. No workflow logic, step configuration, environment variables, or action inputs are modified.

Security: The repository follows the recommended practice of pinning GitHub Actions to full commit SHAs (rather than mutable tags). This PR maintains that convention, updating each SHA to match the new patch release. All four actions are well-known, widely used first-party or popular community actions.

Scope & intent: The PR is appropriately scoped to a single Renovate grouping (patch-level GitHub Actions updates for the main branch). No unrelated changes are included.

Style & conventions: The existing uses: action@sha # vX.Y.Z comment convention is preserved throughout.

Documentation: No documentation updates are needed for CI dependency version bumps.


Protected paths detected — this PR modifies files under one or more
protected paths. The review agent cannot approve PRs that touch these paths.
A human reviewer must approve this PR.

Protected files in this PR:

  • .github/workflows/checks-codecov.yaml
  • .github/workflows/codeql.yaml
  • .github/workflows/lint.yaml
  • .github/workflows/release.yaml
  • .github/workflows/scorecard.yml
  • .github/workflows/update-go-containerregistry.yaml
Previous run (12)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 modified files are under the .github/ protected path. This PR has no linked issue providing explicit authorization for modifying governance/infrastructure files. While renovate.json is configured in the repository and the author is renovate[bot], human approval is required for all protected-path changes. Affected files: checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml.
    Remediation: A maintainer should verify the commit SHAs correspond to the claimed patch versions (v6.0.3, v5.0.5, v5.5.5, v8.1.1) and approve.
Previous run (13)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 modified files are under the protected .github/ path. This PR has no linked issue providing justification for modifying governance/infrastructure files. While the changes are mechanical Renovate patch updates to GitHub Actions (actions/cache v5.0.4→v5.0.5, actions/checkout v6.0.2→v6.0.3, codecov/codecov-action v5.5.4→v5.5.5, peter-evans/create-pull-request v8.1.0→v8.1.1), human approval is required for protected-path changes.
    Remediation: A human reviewer should verify the version bumps and approve. All SHA pins have been verified against upstream release tags.
Previous run (14)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 changed files are under the .github/ protected path (checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml). This PR has no linked issue authorizing changes to governance/infrastructure files. While the changes are mechanical Renovate patch-version bumps of GitHub Actions (actions/checkout v6.0.2→v6.0.3, actions/cache v5.0.4→v5.0.5, codecov/codecov-action v5.5.4→v5.5.5, peter-evans/create-pull-request v8.1.0→v8.1.1) and pose no code-level risk, human approval is required for all .github/ modifications per repository policy.

Labels: PR exclusively modifies GitHub Actions workflow files with Renovate-managed version bumps.

Previous run (15)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 modified files are under .github/, which is a protected path requiring human approval. The PR has no linked issue providing authorization for modifying governance/infrastructure files. Affected files: .github/workflows/checks-codecov.yaml, .github/workflows/codeql.yaml, .github/workflows/lint.yaml, .github/workflows/release.yaml, .github/workflows/scorecard.yml, .github/workflows/update-go-containerregistry.yaml.
    Remediation: A human maintainer must review and approve this CI dependency update. The code changes themselves (patch-level GitHub Actions version bumps by Renovate bot) are mechanically correct with no correctness or security findings.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 unavailable on this deployment. Given this is a mechanical version-bump PR, no style findings were expected.
Previous run (16)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 changed files are under the .github/ protected path. This PR has no linked issue providing explicit authorization for modifying governance/infrastructure files. Modified protected files: .github/workflows/checks-codecov.yaml, .github/workflows/codeql.yaml, .github/workflows/lint.yaml, .github/workflows/release.yaml, .github/workflows/scorecard.yml, .github/workflows/update-go-containerregistry.yaml. Human approval is required for all protected-path changes regardless of context.
    Remediation: A repository maintainer should review and approve these workflow changes directly. Consider linking a tracking issue to provide authorization context for future Renovate workflow updates.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available on the deployment. This is a mechanical version-bump PR with no style surface area, so impact is negligible.

  • [sub-agent-failure] N/A — The intent-coherence sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available on the deployment. For a mechanical Renovate patch-bump PR, scope authorization is implicit from the automated nature of the change.

Previous run (17)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 files modified in this PR are under the .github/ protected path (checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml). The PR has no linked issue providing explicit authorization for modifying governance/infrastructure files. Human approval is always required for protected-path changes.
    Remediation: A human maintainer should review and approve these workflow changes. While the changes are routine Renovate patch version bumps for GitHub Actions (actions/cache v5.0.4→v5.0.5, actions/checkout v6.0.2→v6.0.3, codecov/codecov-action v5.5.4→v5.5.5, peter-evans/create-pull-request v8.1.0→v8.1.1), protected-path policy requires explicit human sign-off.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model not available on the deployment. Given the mechanical nature of this diff (value-only SHA and version comment updates), no style findings are expected.
Previous run (18)

Review

Findings

High

  • [protected-path] .github/workflows/ — All 6 changed files are under the .github/ protected path: checks-codecov.yaml, codeql.yaml, lint.yaml, release.yaml, scorecard.yml, update-go-containerregistry.yaml. This PR has no linked issue justifying the modification of governance/infrastructure files. Human approval is required for all changes to protected paths, regardless of whether the changes are automated dependency bumps.
    Remediation: A maintainer should verify that the updated commit SHAs correspond to the expected patch releases (actions/cache v5.0.5, actions/checkout v6.0.3, codecov/codecov-action v5.5.5, peter-evans/create-pull-request v8.1.1) and approve.

Info

  • [sub-agent-failure] N/A — The style-conventions sub-agent did not return findings: model claude-sonnet-4-5@20250929 is not available on the deployment. Given the mechanical nature of this version-bump PR, no style findings are expected.

fullsend-ai-review[bot]

This comment was marked as outdated.

@codecov

codecov Bot commented Jun 14, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 54.26% <ø> (+<0.01%) ⬆️
generative 16.80% <ø> (ø)
integration 27.97% <ø> (ø)
unit 71.74% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from a498b34 to 2ed129f Compare June 17, 2026 13:09
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 17, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:11 PM UTC · Completed 1:17 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 2ed129f to 29b3eba Compare June 17, 2026 18:49
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 17, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 6:51 PM UTC · Completed 6:57 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 29b3eba to a1895a9 Compare June 22, 2026 13:42
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 22, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:44 PM UTC · Completed 1:50 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from a1895a9 to 939a4df Compare June 26, 2026 20:27
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 26, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 8:30 PM UTC · Completed 8:37 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added the github_actions Pull requests that update GitHub Actions code label Jun 26, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 939a4df to 2ca9be4 Compare July 1, 2026 14:36
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 1, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 2:39 PM UTC · Completed 2:47 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 2ca9be4 to 0ea6d2d Compare July 1, 2026 19:50
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 1, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 7:53 PM UTC · Completed 8:01 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 0ea6d2d to ff4bdab Compare July 6, 2026 09:40
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 6, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 9:43 AM UTC · Completed 9:46 AM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot dismissed their stale review July 6, 2026 09:46

Superseded by updated review

@fullsend-ai-review fullsend-ai-review Bot added the requires-manual-review Review requires human judgment label Jul 8, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 8890028 to e740baa Compare July 8, 2026 23:41
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 8, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 11:42 PM UTC · Completed 11:49 PM UTC
Commit: 8f05d87 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 8, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from e740baa to 81c52e9 Compare July 9, 2026 15:39
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 9, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 3:40 PM UTC · Completed 3:44 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 9, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 81c52e9 to c527462 Compare July 13, 2026 19:20
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 13, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 7:20 PM UTC · Completed 7:24 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 13, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from c527462 to 223bd05 Compare July 14, 2026 12:13
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 12:14 PM UTC · Completed 12:18 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 14, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 223bd05 to 514ff1b Compare July 14, 2026 12:48
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 12:49 PM UTC · Completed 12:52 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 14, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 514ff1b to 4bce923 Compare July 14, 2026 13:04
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:05 PM UTC · Completed 1:09 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 14, 2026
@renovate renovate Bot force-pushed the renovate/main-patch-github-actions branch from 4bce923 to b0761b5 Compare July 14, 2026 19:56
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 14, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 7:57 PM UTC · Completed 8:01 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added requires-manual-review Review requires human judgment and removed requires-manual-review Review requires human judgment labels Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

github_actions Pull requests that update GitHub Actions code main renovate requires-manual-review Review requires human judgment size: S

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants