build(deps): bump Songmu/tagpr from 1.18.3 to 1.19.0#334
Bumps [Songmu/tagpr](https://github.com/songmu/tagpr) from 1.18.3 to 1.19.0.
- [Release notes](https://github.com/songmu/tagpr/releases)
- [Changelog](https://github.com/Songmu/tagpr/blob/main/CHANGELOG.md)
- [Commits](Songmu/tagpr@9bbb945...555e72c)

---
updated-dependencies:
- dependency-name: Songmu/tagpr
  dependency-version: 1.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
masutaka
left a comment
Overview
- Package: Songmu/tagpr 1.18.3 → 1.19.0
- Dependency type: Development dependency (GitHub Actions, used in .github/workflows/release.yml for release automation)
- Version change: Minor
Key Findings
- Breaking Changes: None. The changes in v1.19.0 are (1) support for Cargo.toml as a version file for Rust projects, (2) bumping github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0, and (3) tagpr's own self-bump. This repository is written in Go and does not use Cargo.toml, so the new feature has no impact, and no breaking changes to the existing release flow were found.
- Security: None. After cross-checking against the repository's open Dependabot alerts, no alert matches this PR's package (Songmu/tagpr) or manifest. This is therefore judged to be a regular version-up rather than a security fix.
- Supported versions: No change (used as a GitHub Action; no change to the minimum runtime version).
- CI status: pass. actionlint / codeql / dependency_review / test all succeeded (CodeQL, pushover, and add-assignee are skipping due to their conditions).
- Cascading updates: None. The change is limited to a single line (+1 / -1): the tagpr reference SHA and version comment in
release.yml.
Impact Scope
The diff is limited to the following single line in .github/workflows/release.yml. There is no impact on application code (Go sources).
- uses: Songmu/tagpr@9bbb945b2fb025126186661e27d55485e3fc6df6 # v1.18.3
+ uses: Songmu/tagpr@555e72cee68c09d43dc2337dc9ba890955b630da # v1.19.0
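Review bot: the pinned SHA and the trailing `# v1.19.0` comment on this line must move together, as they do here; the runner only honours the SHA, so the comment is documentation and is not checked at execution time. That makes the reviewer's confirmation that 555e72cee68c09d43dc2337dc9ba890955b630da is the commit behind refs/tags/v1.19.0 the check that actually matters for this hunk, and it is worth repeating on every future bump rather than trusting the comment alone.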
The SHA-pinning practice is maintained. The new SHA 555e72cee68c09d43dc2337dc9ba890955b630da was confirmed to exactly match the commit SHA pointed to by the upstream refs/tags/v1.19.0 (tag and pinned SHA are consistent).
The upstream compare (v1.18.3...v1.19.0, 9 commits) changed the files action.yml / go.mod / go.sum / version.go / versionfile.go / versionfile_test.go / testdata/rust/Cargo.toml / CHANGELOG.md / workflow, all of which are consistent with the contents of the public release notes (Cargo.toml support, semver bump). No indicators of suspicious URLs or injected scripts were found.
Conclusion
No problems.
This is a minor version bump of a GitHub Action used for development (CI / release automation), with the diff being only a single line updating the pinned SHA. The pinned SHA matches the v1.19.0 tag, there is no associated security alert, and CI all passes. No breaking changes affecting this repository's usage were found, so it is safe to merge.
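One way to automate the tag-to-SHA consistency check described in the comment above, as an added example rather than code from this PR or from the tagpr project: it parses a workflow `uses:` line, reads the version from its trailing comment, and compares the pinned SHA with the commit that tag resolves to in `git ls-remote --tags` output. The listing is constructed inline so the script runs offline: the two tagpr entries reuse the SHAs shown in this PR, while `v0.0.0-constructed` and its two SHAs are made up to show the annotated-tag case, where the peeled `<tag>^{}` entry is the commit to compare against. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not code from this PR or from Songmu/tagpr): verify that a
# SHA-pinned `uses:` reference matches the commit named by its version comment.

# Constructed `git ls-remote --tags <repo>` output. The two tagpr entries reuse
# the SHAs shown in this PR; v0.0.0-constructed is made up to show an annotated
# tag, which lists the tag object first and the peeled commit as "<tag>^{}".
TAGS='9bbb945b2fb025126186661e27d55485e3fc6df6 refs/tags/v1.18.3
555e72cee68c09d43dc2337dc9ba890955b630da refs/tags/v1.19.0
1111111111111111111111111111111111111111 refs/tags/v0.0.0-constructed
2222222222222222222222222222222222222222 refs/tags/v0.0.0-constructed^{}'

# The workflow line this PR introduces, and the line it replaces.
USES_NEW='      - uses: Songmu/tagpr@555e72cee68c09d43dc2337dc9ba890955b630da # v1.19.0'
USES_OLD='      - uses: Songmu/tagpr@9bbb945b2fb025126186661e27d55485e3fc6df6 # v1.18.3'

# Print the 40-hex SHA a `uses:` line is pinned to; prints nothing when the
# reference is a branch or tag name rather than a full commit SHA.
pinned_sha() {
  printf '%s\n' "$1" | sed -n 's/.*uses:[[:space:]]*[^@]*@\([0-9a-f]\{40\}\)\([[:space:]].*\)*$/\1/p'
}

# Print the version named in the trailing "# vX.Y.Z" comment, if any.
pinned_version() {
  printf '%s\n' "$1" | sed -n 's/.*#[[:space:]]*\(v[0-9][^[:space:]]*\).*/\1/p'
}

# Resolve a tag to a commit SHA from the ls-remote listing in $2, preferring
# the peeled "<tag>^{}" entry so annotated tags compare by commit, not tag object.
tag_to_sha() {
  sha=$(printf '%s\n' "$2" | awk -v ref="refs/tags/$1^{}" '$2 == ref { print $1 }')
  [ -n "$sha" ] || sha=$(printf '%s\n' "$2" | awk -v ref="refs/tags/$1" '$2 == ref { print $1 }')
  printf '%s\n' "$sha"
}

# Return 0 when pin and comment agree, 1 on a mismatch, 2 when the line cannot
# be checked (unpinned, no version comment, or tag absent from the listing).
check_pin() {
  sha=$(pinned_sha "$1")
  ver=$(pinned_version "$1")
  [ -n "$sha" ] || { echo "NOT PINNED: $1"; return 2; }
  [ -n "$ver" ] || { echo "NO VERSION COMMENT: $1"; return 2; }
  expected=$(tag_to_sha "$ver" "$2")
  [ -n "$expected" ] || { echo "UNKNOWN TAG $ver"; return 2; }
  if [ "$sha" = "$expected" ]; then
    echo "OK: $ver -> $sha"
    return 0
  fi
  echo "MISMATCH: comment says $ver ($expected) but pin is $sha"
  return 1
}

# Demonstration on the line this PR adds.
check_pin "$USES_NEW" "$TAGS"
```

In a real check, replace the `TAGS` constant with the output of `git ls-remote --tags https://github.com/songmu/tagpr` and feed every `uses:` line from the workflow through `check_pin`; a return of 2 (unpinned, or a tag the remote does not know) deserves the same attention as a mismatch, since it means the comment cannot be verified at all.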
Commits
- 555e72c Merge pull request #351 from Songmu/tagpr-from-v1.18.3
- 50c6546 [tagpr] update CHANGELOG.md
- 803dccb [tagpr] prepare for the next release
- 4f07f84 Merge pull request #350 from gfx/gfx/cargo_toml
- 743eafb Merge pull request #348 from Songmu/dependabot/github_actions/Songmu/tagpr-1....
- 28dd9f5 Merge pull request #349 from Songmu/dependabot/go_modules/github.com/Mastermi...
- a0886ac Support Cargo.toml as a version file for Rust projects
- bb0b2b8 build(deps): bump github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0
- 9b542d7 build(deps): bump Songmu/tagpr from 1.18.2 to 1.18.3

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)