build(deps): bump Songmu/tagpr from 1.18.3 to 1.19.0 #334

Merged
masutaka merged 1 commit into main from dependabot/github_actions/Songmu/tagpr-1.19.0
Jun 7, 2026
@dependabot dependabot Bot commented on behalf of github Jun 2, 2026

Contributor

Bumps Songmu/tagpr from 1.18.3 to 1.19.0.

Release notes

Sourced from Songmu/tagpr's releases.

v1.19.0

What's Changed

New Contributors

Full Changelog: Songmu/tagpr@v1.18.3...v1.19.0

Changelog

Sourced from Songmu/tagpr's changelog.

Changelog

v1.20.0 - 2026-06-01

v1.19.0 - 2026-05-09

v1.18.3 - 2026-04-17

v1.18.2 - 2026-04-12

v1.18.1 - 2026-04-05

v1.18.0 - 2026-04-05

v1.17.1 - 2026-02-25

v1.17.0 - 2026-02-14

v1.16.0 - 2026-02-14

... (truncated)

Commits
  • 555e72c Merge pull request #351 from Songmu/tagpr-from-v1.18.3
  • 50c6546 [tagpr] update CHANGELOG.md
  • 803dccb [tagpr] prepare for the next release
  • 4f07f84 Merge pull request #350 from gfx/gfx/cargo_toml
  • 743eafb Merge pull request #348 from Songmu/dependabot/github_actions/Songmu/tagpr-1....
  • 28dd9f5 Merge pull request #349 from Songmu/dependabot/go_modules/github.com/Mastermi...
  • a0886ac Support Cargo.toml as a version file for Rust projects
  • bb0b2b8 build(deps): bump github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0
  • 9b542d7 build(deps): bump Songmu/tagpr from 1.18.2 to 1.18.3
  • See full diff in compare view


Bumps [Songmu/tagpr](https://github.com/songmu/tagpr) from 1.18.3 to 1.19.0.
- [Release notes](https://github.com/songmu/tagpr/releases)
- [Changelog](https://github.com/Songmu/tagpr/blob/main/CHANGELOG.md)
- [Commits](Songmu/tagpr@9bbb945...555e72c)

---
updated-dependencies:
- dependency-name: Songmu/tagpr
  dependency-version: 1.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and github_actions labels Jun 2, 2026
@dependabot dependabot Bot requested a review from masutaka as a code owner June 2, 2026 05:37

@masutaka masutaka left a comment

Owner

Overview

  • Package: Songmu/tagpr 1.18.3 → 1.19.0
  • Dependency type: Development dependency (GitHub Actions, used in .github/workflows/release.yml for release automation)
  • Version change: Minor

Key Findings

  • Breaking Changes: None. The changes in v1.19.0 are (1) support for Cargo.toml as a version file for Rust projects, (2) bumping github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0, and (3) tagpr's own self-bump. This repository is written in Go and does not use Cargo.toml, so the new feature has no impact, and no breaking changes to the existing release flow were found.
  • Security: None. After cross-checking against the repository's open Dependabot alerts, no alert matches this PR's package (Songmu/tagpr) or manifest. This is therefore judged to be a regular version-up rather than a security fix.
  • Supported versions: No change (used as a GitHub Action; no change to the minimum runtime version).
  • CI status: pass. actionlint / codeql / dependency_review / test all succeeded (CodeQL, pushover, and add-assignee are skipping due to their conditions).
  • Cascading updates: None. The change is limited to a single line (+1 / -1): the tagpr reference SHA and version comment in release.yml.

Impact Scope

The diff is limited to the following single line in .github/workflows/release.yml. There is no impact on application code (Go sources).

- uses: Songmu/tagpr@9bbb945b2fb025126186661e27d55485e3fc6df6 # v1.18.3
+ uses: Songmu/tagpr@555e72cee68c09d43dc2337dc9ba890955b630da # v1.19.0
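
Review bot: On the `+ uses:` line, only the 40-character SHA is resolved when the workflow runs; the trailing `# v1.19.0` is a free-text comment that nothing checks, so a stale or mistyped comment would go unnoticed. Consider a CI step that resolves the tag named in the comment and fails if it does not match the pinned SHA, so the agreement is verified on every bump rather than by hand.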

The SHA-pinning practice is maintained. The new SHA 555e72cee68c09d43dc2337dc9ba890955b630da was confirmed to exactly match the commit SHA pointed to by the upstream refs/tags/v1.19.0 (tag and pinned SHA are consistent).

The upstream compare (v1.18.3...v1.19.0, 9 commits) changed the files action.yml / go.mod / go.sum / version.go / versionfile.go / versionfile_test.go / testdata/rust/Cargo.toml / CHANGELOG.md / workflow, all of which are consistent with the contents of the public release notes (Cargo.toml support, semver bump). No indicators of suspicious URLs or injected scripts were found.

Conclusion

No problems.

This is a minor version bump of a GitHub Action used for development (CI / release automation), with the diff being only a single line updating the pinned SHA. The pinned SHA matches the v1.19.0 tag, there is no associated security alert, and all CI checks pass. No breaking changes affecting this repository's usage were found, so it is safe to merge.

@masutaka masutaka merged commit e336942 into main Jun 7, 2026
8 checks passed
@masutaka masutaka deleted the dependabot/github_actions/Songmu/tagpr-1.19.0 branch June 7, 2026 04:16
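
The pinned-SHA check described in the review above (the SHA in `uses:` must equal the commit that the tag named in the trailing comment points to), written as an added example that is not part of this PR, of the repository, or of tagpr. The function names, the `v0.0.0-example` tag and its placeholder SHAs are assumptions; `REFS` is constructed in the shape of `git ls-remote --tags` output so the script runs offline.

```shell
#!/bin/sh
# Added example: confirm a SHA-pinned `uses:` line agrees with its version comment.
# REFS mimics `git ls-remote --tags <repo>` output ("<sha>\t<ref>"); it is constructed.

# resolve_tag TAG REFS: print the commit a tag resolves to. An annotated tag has a
# second, peeled "^{}" entry holding the commit; prefer it over the tag-object SHA.
resolve_tag() {
  printf '%s\n' "$2" | awk -v t="refs/tags/$1" '
    $2 == (t "^{}") { peeled = $1 }
    $2 == t         { direct = $1 }
    END { print (peeled != "" ? peeled : direct) }'
}

# check_pin LINE REFS: print match | mismatch | tag-missing | unparsed.
# Returns 0 only on match, so it can gate a CI step.
check_pin() {
  sha=$(printf '%s\n' "$1" | sed -n 's/.*uses:[[:space:]]*[^@[:space:]]*@\([0-9a-f]\{40\}\)[[:space:]]*#.*/\1/p')
  tag=$(printf '%s\n' "$1" | sed -n 's/.*@[0-9a-f]\{40\}[[:space:]]*#[[:space:]]*\(v[0-9][^[:space:]]*\).*/\1/p')
  if [ -z "$sha" ] || [ -z "$tag" ]; then echo unparsed; return 2; fi
  want=$(resolve_tag "$tag" "$2")
  if [ -z "$want" ]; then echo tag-missing; return 3; fi
  if [ "$sha" = "$want" ]; then echo match; return 0; fi
  echo mismatch; return 1
}

# Constructed sample. The two Songmu/tagpr SHAs are the ones quoted in the review;
# v0.0.0-example is a hypothetical annotated tag with placeholder SHAs.
EX_TAGOBJ=$(printf '%040d' 2)
EX_COMMIT=$(printf '%040d' 1)
REFS=$(printf '%s\t%s\n' \
  9bbb945b2fb025126186661e27d55485e3fc6df6 refs/tags/v1.18.3 \
  555e72cee68c09d43dc2337dc9ba890955b630da refs/tags/v1.19.0 \
  "$EX_TAGOBJ" refs/tags/v0.0.0-example \
  "$EX_COMMIT" 'refs/tags/v0.0.0-example^{}')

check_pin '+ uses: Songmu/tagpr@555e72cee68c09d43dc2337dc9ba890955b630da # v1.19.0' "$REFS"
```

Against a live repository, `REFS` would come from `git ls-remote --tags` on the action's repository URL instead of the constructed sample.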