From 0e6339a68d452bb29ff56ce138e5a39517b2e22b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Jul 2026 09:38:31 +0000 Subject: [PATCH 1/2] chore(ci): bump the github-actions group with 3 updates Bumps the github-actions group with 3 updates: [EmbarkStudios/cargo-deny-action](https://github.com/embarkstudios/cargo-deny-action), [taiki-e/install-action](https://github.com/taiki-e/install-action) and [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv). Updates `EmbarkStudios/cargo-deny-action` from 2.0.20 to 2.1.0 - [Release notes](https://github.com/embarkstudios/cargo-deny-action/releases) - [Commits](https://github.com/embarkstudios/cargo-deny-action/compare/bb137d7af7e4fb67e5f82a49c4fce4fad40782fe...6f99e342a8f0f8f8d1bdc9dc43e9a6f2dd611259) Updates `taiki-e/install-action` from 2.82.9 to 2.83.2 - [Release notes](https://github.com/taiki-e/install-action/releases) - [Commits](https://github.com/taiki-e/install-action/compare/v2.82.9...v2.83.2) Updates `astral-sh/setup-uv` from 8.3.0 to 8.3.2 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](https://github.com/astral-sh/setup-uv/compare/d31148d669074a8d0a63714ba94f3201e7020bc3...11f9893b081a58869d3b5fccaea48c9e9e46f990) --- updated-dependencies: - dependency-name: EmbarkStudios/cargo-deny-action dependency-version: 2.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: taiki-e/install-action dependency-version: 2.83.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: astral-sh/setup-uv dependency-version: 8.3.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 6 +++--- .github/workflows/coverage.yml | 8 ++++---- .github/workflows/publish-python.yml | 4 ++-- .github/workflows/python.yml | 4 ++-- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5b5b670e..04e3c94b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -84,12 +84,12 @@ jobs: ignore: RUSTSEC-2023-0071 - name: License check (cargo-deny) - uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2 + uses: EmbarkStudios/cargo-deny-action@6f99e342a8f0f8f8d1bdc9dc43e9a6f2dd611259 # v2 with: command: check licenses sources - name: Install cargo-vet - uses: taiki-e/install-action@4684b8405694ae9dd42c9f39ba901a70ae83f4a3 # v2 + uses: taiki-e/install-action@43aecc8d72668fbcfe75c31400bc4f890f1c5853 # v2 with: tool: cargo-vet @@ -126,7 +126,7 @@ jobs: - name: Install uutils coreutils multicall for differential tests id: install_uutils continue-on-error: true - uses: taiki-e/install-action@4684b8405694ae9dd42c9f39ba901a70ae83f4a3 # v2 + uses: taiki-e/install-action@43aecc8d72668fbcfe75c31400bc4f890f1c5853 # v2 with: tool: coreutils - name: Verify uutils on PATH diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 36626f63..1124e28a 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -37,7 +37,7 @@ jobs: - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Install cargo-tarpaulin - uses: taiki-e/install-action@3d6bdc41132a93ae9dbd2217ccd2bcb56d84eaa8 # cargo-tarpaulin + uses: taiki-e/install-action@43aecc8d72668fbcfe75c31400bc4f890f1c5853 # cargo-tarpaulin # `rg` differential tests compare against real ripgrep. Pin the # binary so coverage does not depend on the runner image package set. @@ -83,7 +83,7 @@ jobs: - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Install cargo-llvm-cov - uses: taiki-e/install-action@4684b8405694ae9dd42c9f39ba901a70ae83f4a3 # v2 + uses: taiki-e/install-action@43aecc8d72668fbcfe75c31400bc4f890f1c5853 # v2 with: tool: cargo-llvm-cov @@ -91,7 +91,7 @@ jobs: with: python-version: "3.12" - - uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 + - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2 - name: Generate Python-driven Rust coverage run: | @@ -132,7 +132,7 @@ jobs: - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 - name: Install cargo-llvm-cov - uses: taiki-e/install-action@4684b8405694ae9dd42c9f39ba901a70ae83f4a3 # v2 + uses: taiki-e/install-action@43aecc8d72668fbcfe75c31400bc4f890f1c5853 # v2 with: tool: cargo-llvm-cov diff --git a/.github/workflows/publish-python.yml b/.github/workflows/publish-python.yml index 7fc56000..22bb934f 100644 --- a/.github/workflows/publish-python.yml +++ b/.github/workflows/publish-python.yml @@ -212,7 +212,7 @@ jobs: echo "---" echo "Total files: $(ls -1 dist/ | wc -l)" - - uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 + - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2 - run: uvx twine check dist/* # Smoke-test wheels on each OS, including the new cp314 artifacts @@ -282,7 +282,7 @@ jobs: - name: List dist files run: ls -lhR dist/ - - uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 + - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2 - name: Publish to PyPI run: uv publish --trusted-publishing always dist/* diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 546958dc..41490192 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -42,7 +42,7 @@ jobs: steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - - uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 + - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2 - name: Ruff check run: uvx ruff check crates/bashkit-python @@ -111,7 +111,7 @@ jobs: with: python-version: "3.12" - - uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 + - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@e081816240890017053eacbb1bdf337761dc5582 # 1.95.0 From 1bd8d9493720caa969b1056e5327aa5763b345ff Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Tue, 14 Jul 2026 09:19:09 +0000 Subject: [PATCH 2/2] ci: hold cargo-deny-action at v2.0.20 (v2.1.0 breaks license check) v2.1.0 bundles cargo-deny 0.20.2, whose CLI rejects the `--log-level warn` the action still injects, failing `check licenses sources` in the Audit job. Keep the taiki-e/install-action and setup-uv bumps from the group; drop only the cargo-deny-action bump until upstream reconciles. --- .github/workflows/ci.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 04e3c94b..b110b119 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -84,7 +84,10 @@ jobs: ignore: RUSTSEC-2023-0071 - name: License check (cargo-deny) - uses: EmbarkStudios/cargo-deny-action@6f99e342a8f0f8f8d1bdc9dc43e9a6f2dd611259 # v2 + # Held at v2.0.20: v2.1.0 (6f99e34) bundles cargo-deny 0.20.2, whose + # CLI no longer accepts the `--log-level warn` the action still injects, + # breaking `check licenses sources`. Re-bump once upstream reconciles. + uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20 with: command: check licenses sources