chore(deps): update github actions #70
Conversation
📝 WalkthroughWalkthroughMultiple GitHub Actions workflow files had pinned action commit SHAs refreshed. Updates occur across .github/workflows/build.yml, ci.yml, check-release.yml, prep-release.yml, publish-release.yml, and update-integration-tests.yml and touch actions/checkout, jupyterlab/maintainer-tools (base-setup and update-snapshots), actions/setup-python, actions/setup-node, qlty-action/install, codecov actions, jupyter-server/jupyter_releaser, and related steps. Changes are limited to version pins (commit SHAs); no workflow control flow, conditions, inputs/outputs, tests, or exported/public code signatures were modified. Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #70 +/- ##
=======================================
Coverage 69.56% 69.56%
=======================================
Files 13 13
Lines 253 253
Branches 28 28
=======================================
Hits 176 176
Misses 73 73
Partials 4 4 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
7ac98cb to
a1f63c6
Compare
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
a1f63c6 to
9ead0be
Compare
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
9ead0be to
a349898
Compare
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
a349898 to
44933d6
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (6)
.github/workflows/build.yml(3 hunks).github/workflows/check-release.yml(2 hunks).github/workflows/ci.yml(6 hunks).github/workflows/prep-release.yml(1 hunks).github/workflows/publish-release.yml(2 hunks).github/workflows/update-integration-tests.yml(3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: check_release
- GitHub Check: build
🔇 Additional comments (10)
.github/workflows/prep-release.yml (1)
32-32: Action SHA update verified for consistency.The base-setup action is correctly updated with proper version tag alignment. This aligns with updates across other workflows.
.github/workflows/build.yml (3)
19-19: Checkout action SHA correctly updated with version alignment.SHA
93cb6efmaps to v5, matching the inline version comment.
22-22: Base-setup action SHA consistent across all references.Both instances use SHA
7a3e704with v1 tag maintained.Also applies to: 96-96
187-187: Check-links action shares same SHA as base-setup.Both reference
7a3e704, suggesting they're from the same release commit. Verify this is intentional behavior by the maintainer-tools project..github/workflows/publish-release.yml (2)
29-29: Checkout and base-setup actions maintain version consistency.SHAs align with previously reviewed updates across other workflows.
Also applies to: 39-39
41-41: Verify create-github-app-token SHA is valid for v2.SHA
7e473effor v2 should be cross-checked against GitHub's official action repository to confirm it corresponds to an expected v2 release..github/workflows/update-integration-tests.yml (1)
32-32: All action SHAs correctly updated with maintained version tags.Consistent with updates across other workflows: checkout v5, base-setup and update-snapshots both v1 with shared SHA
7a3e704.Also applies to: 72-72, 83-83
.github/workflows/check-release.yml (1)
20-20: Action SHAs align with coordinated updates across the repository.Checkout v5 and base-setup v1 follow the established pattern from other workflows.
Also applies to: 31-31
.github/workflows/ci.yml (2)
26-26: Checkout actions consistently updated across all jobs.All 6 instances of
actions/checkoutcorrectly point to SHA93cb6efwith v5 tag.Also applies to: 45-45, 69-69, 93-93, 116-116, 131-131
48-48: Base-setup actions consistently pinned across all jobs.All instances use SHA
7a3e704with v1 tag—consistent with other workflow files.Also applies to: 72-72, 96-96, 118-118, 134-134
.github/workflows/ci.yml
Outdated
|
|
||
| - name: Install qlty | ||
| uses: qltysh/qlty-action/install@92420f3093ba65970fed22ce5f162ecb8a5c1700 | ||
| uses: qltysh/qlty-action/install@c1d9ae56aba737dfb3c83921007a2610f1dad51c |
There was a problem hiding this comment.
🧩 Analysis chain
Script executed:
#!/bin/bash
# Read the CI workflow file to see the full context
cat -n .github/workflows/ci.yml | head -50Repository: deepnote/jupyterlab-deepnote
<shell_result>
Repository: deepnote/jupyterlab-deepnote
Exit code: 0
stdout:
1 name: CI
2
3 on:
4 push:
5 branches:
6 - main
7 pull_request:
8
9 concurrency:
10 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
11 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
12
13 permissions:
14 contents: read
15 pull-requests: read
16 packages: read
17
18 jobs:
19 qlty:
20 name: Qlty Check
21 runs-on: ubuntu-latest
22 timeout-minutes: 3
23
24 steps:
25 - name: Checkout code
26 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
27 with:
28 fetch-depth: 0
29
30 - name: Install qlty
31 uses: qltysh/qlty-action/install@c1d9ae56aba737dfb3c83921007a2610f1dad51c
32
33 - name: Run qlty check
34 run: qlty check
35
36 - name: Run qlty code smells analysis
37 run: qlty smells
38
39 lint-and-format:
40 name: Lint & Format
41 runs-on: ubuntu-latest
42 timeout-minutes: 15
43 steps:
44 - name: Checkout
45 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
46
47 - name: Base Setup
48 uses: jupyterlab/maintainer-tools/.github/actions/base-setup@7a3e70473eff6cce4988f449decedc61d1304379 # v1
49
50 - name: Install dependencies
</shell_result>
qltysh/qlty-action GitHub repository commit c1d9ae56aba737dfb3c83921007a2610f1dad51c
<web_search_result>
I couldn't find any public GitHub commit with hash c1d9ae56aba737dfb3c83921007a2610f1dad51c in the qltysh/qlty-action repository. The repository’s public page (commit history and tags) shows recent activity but that specific commit hash does not appear. [1]
If you want, I can (a) open the repository’s full commit history and look again, (b) check whether that commit exists on another branch or a fork, or (c) fetch the raw commit URL you gave and show the page contents — which one do you prefer? [1]
Sources:
[1] qltysh/qlty-action (GitHub repository).
</web_search_result>
qltysh/qlty-action install action GitHub
<web_search_result>
You can install the Qlty CLI in a GitHub Actions workflow using the reusable install action at qltysh/qlty-action/install. Example (use the latest tag, e.g. v2):
- uses: qltysh/qlty-action/install@v2
A minimal workflow example:
- uses: actions/checkout@v3
- uses: qltysh/qlty-action/install@v2
- run: qlty --version # verify installation
(Then run qlty commands like qlty check, qlty fmt, or upload coverage with qltysh/qlty-action/coverage.)
Sources: qlty-action README (actions list and install action). [1] Qlty CI docs (GitHub Actions integration / coverage example). [2]
Sources:
[1] https://github.com/qltysh/qlty-action — README / Actions list.
[2] https://docs.qlty.sh/coverage/ci — CI integration (GitHub Actions example).
</web_search_result>
Based on my verification, I have found that:
-
Missing version comment is confirmed: Other actions in the same file (lines 26, 45, 48) all have version comments (e.g.,
# v5,# v1), while line 31 lacks one. -
SHA verification issue is real: The SHA
c1d9ae56aba737dfb3c83921007a2610f1dad51cdoes not appear in the public qltysh/qlty-action repository's commit history. -
Best practice violation: Official documentation for qltysh/qlty-action recommends using semantic version tags (e.g.,
@v2) rather than commit SHAs.
The original review comment is valid and identifies genuine issues. Here is the rewritten comment:
Add version tag comment and verify action reference.
Line 31 lacks a version comment unlike other actions in this workflow (see lines 26, 45, 48 with # v5, # v1, etc.). Additionally, the referenced SHA c1d9ae56aba737dfb3c83921007a2610f1dad51c does not appear in the public qltysh/qlty-action repository. Consider using a semantic version tag (e.g., @v2) with a corresponding comment for consistency and maintainability.
🤖 Prompt for AI Agents
.github/workflows/ci.yml around line 31: the action reference uses a raw SHA
without the version comment used elsewhere and the SHA does not match the public
repo; replace the SHA with the appropriate semantic version tag (e.g., @v2) and
add a trailing inline comment like "# v2" to match the other entries, and verify
the chosen tag exists in the qltysh/qlty-action repository before committing.
9a68fdb to
5ab7043
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (1)
.github/workflows/ci.yml (1)
31-31: qlty-action reference lacks version comment and requires SHA verification.Line 31 omits the version comment pattern used consistently elsewhere (lines 26, 45, 69, 93, 116, 131 all include
# v5or# v1). Additionally, the SHAc1d9ae5...was previously flagged as not appearing in the public qltysh/qlty-action repository.Verify the qlty-action SHA validity and add an appropriate version comment (e.g.,
# v2) to match the pattern.#!/bin/bash # Verify qlty-action SHA exists and is accessible gh api repos/qltysh/qlty-action/commits/c1d9ae56aba737dfb3c83921007a2610f1dad51c --jq '.sha' 2>/dev/null || echo "SHA not found in public repo" # Check latest tags/releases to identify correct version gh api repos/qltysh/qlty-action/releases --jq '.[0:5] | .[] | "\(.tag_name): \(.target_commitish)"'
📜 Review details
Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (6)
.github/workflows/build.yml(3 hunks).github/workflows/check-release.yml(1 hunks).github/workflows/ci.yml(6 hunks).github/workflows/prep-release.yml(1 hunks).github/workflows/publish-release.yml(2 hunks).github/workflows/update-integration-tests.yml(3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: build
- GitHub Check: check_release
🔇 Additional comments (10)
.github/workflows/prep-release.yml (1)
32-32: Action SHA updates are consistent and properly annotated.Both external action references have been updated with version comments intact. Changes align with the PR objectives.
Also applies to: 36-36
.github/workflows/ci.yml (2)
26-26: Checkout action updates are consistent and properly annotated.All six instances of actions/checkout have been updated to SHA 93cb6efe... with the
# v5version comment preserved.Also applies to: 45-45, 69-69, 93-93, 116-116, 131-131
48-48: Base-setup action updates are consistent and properly annotated.All five instances of jupyterlab/maintainer-tools base-setup have been updated to SHA d734fad... with the
# v1version comment preserved.Also applies to: 72-72, 96-96, 118-118, 134-134
.github/workflows/update-integration-tests.yml (1)
32-32: Action SHA updates are consistent and properly annotated.All three external actions (checkout, base-setup, update-snapshots) have been updated with version comments intact. Both maintainer-tools actions correctly reference the same SHA.
Also applies to: 72-72, 83-83
.github/workflows/build.yml (3)
19-19: Checkout and base-setup updates are consistent.Both actions updated with version comments preserved.
Also applies to: 22-22
185-187: Check-links job action updates are consistent.All three actions (checkout, base-setup, check-links) properly updated with version comments.
96-96: No compatibility concerns with actions/setup-python v6.The v6 upgrade is compatible with this workflow. The only breaking change is the Node.js runtime upgrade (20→24), which requires runner v2.327.1+ but does not affect Python installation, caching, or downstream steps. Python 3.9 installation works without issues, and the workflow's standard invocation pattern remains fully supported.
.github/workflows/check-release.yml (2)
20-20: Checkout, base-setup, and check-release updates are consistent.All actions properly updated with version comments. Consistent with other workflow files.
Also applies to: 31-31, 34-34
23-23: Review always-auth removal in actions/setup-node v6.v6 has breaking changes:
- The
always-authinput was removed (npm deprecated it). Remove anywith: always-auth: true/falsefrom the workflow.- Automatic dependency caching is now npm-only; if using other package managers or explicit cache configuration, verify it's still set up correctly.
- Registry authentication via
NODE_AUTH_TOKENandregistry-url/scopeinputs remains compatible—no changes needed there.Node 22.x installation and basic NPM operations work without issues on v6.
.github/workflows/publish-release.yml (1)
29-29: Action updates are consistent and properly annotated.Checkout, base-setup, create-github-app-token, and releaser actions all properly updated with version comments. Changes align with PR objectives.
Also applies to: 39-39, 41-41, 49-49, 60-60
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 | ||
| uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
actions/setup-node v6 breaking changes compared to v5
💡 Result:
Summary of breaking changes from actions/setup-node v5 → v6:
-
Automatic caching behavior changed:
- v5: enabled automatic package-manager detection and caching by default when no explicit cache input provided. [1][2]
- v6: automatic caching is limited to npm only (caching for yarn/pnpm is disabled by default and must be configured explicitly). You can control this with the package-manager-cache input. [1][3]
-
Removal of deprecated input:
- v6 removes the always-auth input (it was deprecated). Remove any uses of always-auth to avoid warnings/errors. [3]
Sources:
- Release notes (v5, v6) — actions/setup-node releases. [1][2]
- README / documentation (caching details and removed inputs). [3]
References:
[1] actions/setup-node release v5.0.0.
[2] actions/setup-node release v6.0.0.
[3] actions/setup-node README / documentation on caching and inputs.
🏁 Script executed:
cat -n .github/workflows/publish-release.ymlRepository: deepnote/jupyterlab-deepnote
Length of output: 3182
Remove always-auth: true — no longer supported in actions/setup-node v6.
Line 37 uses the deprecated always-auth input, which was removed in v6. This will cause the setup-node step to fail or emit errors. Remove line 37. The registry-url and scope inputs (lines 35–36) work correctly in v6, and Node 22.x is fully supported.
🤖 Prompt for AI Agents
In .github/workflows/publish-release.yml around lines 32–37, the
actions/setup-node step is using the removed always-auth input (line 37); remove
the always-auth: true line so the workflow uses setup-node v6 correctly while
keeping registry-url and scope inputs on lines 35–36 unchanged; ensure no other
references to always-auth remain in the file and commit the updated workflow.
5ab7043 to
3731938
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (2)
.github/workflows/ci.yml (1)
31-31: Unresolved from prior review: Add version tag comment and verify action reference.Line 31 lacks a version comment unlike other actions in this workflow, and the referenced SHA does not appear in the qltysh/qlty-action public repository. Consider switching to a semantic version tag (e.g.,
@v2) with a version comment for consistency and maintainability..github/workflows/publish-release.yml (1)
32-37: Unresolved from prior review: Removealways-auth: true— deprecated in actions/setup-node v6.Line 37 uses the deprecated
always-authinput, removed in v6. This will cause workflow failures. Remove the line;registry-urlandscopeinputs function correctly in v6.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (6)
.github/workflows/build.yml(3 hunks).github/workflows/check-release.yml(1 hunks).github/workflows/ci.yml(6 hunks).github/workflows/prep-release.yml(1 hunks).github/workflows/publish-release.yml(2 hunks).github/workflows/update-integration-tests.yml(3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: check_release
- GitHub Check: build
.github/workflows/check-release.yml
Outdated
| uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 | ||
| with: | ||
| cache: 'npm' | ||
| node-version: ${{ env.NODE_VERSION }} | ||
| registry-url: 'https://npm.pkg.github.com' | ||
| scope: '@deepnote' | ||
| always-auth: true |
There was a problem hiding this comment.
Remove always-auth: true — deprecated in actions/setup-node v6.
Line 29 uses the always-auth input, which was removed in v6. This will cause workflow failures. Remove the line; the cache, node-version, registry-url, and scope inputs function correctly in v6.
Apply this diff to remove the deprecated input:
- name: Setup Node.js
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
with:
cache: 'npm'
node-version: ${{ env.NODE_VERSION }}
registry-url: 'https://npm.pkg.github.com'
scope: '@deepnote'
- always-auth: true📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 | |
| with: | |
| cache: 'npm' | |
| node-version: ${{ env.NODE_VERSION }} | |
| registry-url: 'https://npm.pkg.github.com' | |
| scope: '@deepnote' | |
| always-auth: true | |
| uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 | |
| with: | |
| cache: 'npm' | |
| node-version: ${{ env.NODE_VERSION }} | |
| registry-url: 'https://npm.pkg.github.com' | |
| scope: '@deepnote' |
🤖 Prompt for AI Agents
.github/workflows/check-release.yml around lines 23 to 29: the workflow uses
actions/setup-node v6 but includes the deprecated input always-auth: true which
will cause failures; remove the line containing always-auth: true so the step
only passes cache, node-version, registry-url and scope inputs supported by v6.
cd14a66 to
ed2a5b4
Compare
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
ed2a5b4 to
ddf5c98
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (3)
.github/workflows/publish-release.yml (1)
32-37: Remove deprecatedalways-authinput.Line 37 uses
always-auth: true, which was removed in setup-node v6 and will cause failures. Remove it.🔎 Proposed fix
- name: Setup Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 with: node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true.github/workflows/ci.yml (1)
31-31: Add version comment for consistency.Line 31 lacks a version comment unlike other actions in this file (see lines 26, 45, 48, etc. with
# v5,# v1).🔎 Suggested addition
- name: Install qlty - uses: qltysh/qlty-action/install@ea1f343351856554424688e75be09f7fd59936a6 + uses: qltysh/qlty-action/install@ea1f343351856554424688e75be09f7fd59936a6 # v2.github/workflows/check-release.yml (1)
23-29: Remove deprecatedalways-authinput.Line 29 uses
always-auth: true, which was removed in setup-node v6 and will cause failures. Remove it.🔎 Proposed fix
- name: Setup Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 with: cache: 'npm' node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (6)
.github/workflows/build.yml.github/workflows/check-release.yml.github/workflows/ci.yml.github/workflows/prep-release.yml.github/workflows/publish-release.yml.github/workflows/update-integration-tests.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: build
- GitHub Check: check_release
🔇 Additional comments (5)
.github/workflows/publish-release.yml (1)
29-29: LGTM — SHA refreshes are clean.Action digest pins updated correctly with appropriate version comments.
Also applies to: 39-41, 49-49, 60-60
.github/workflows/prep-release.yml (1)
32-32: LGTM — SHA updates are clean.Action pins refreshed with correct version comments.
Also applies to: 36-36
.github/workflows/update-integration-tests.yml (1)
32-32: LGTM — SHA updates are clean.Action digest pins updated with appropriate version tags.
Also applies to: 72-72, 83-83
.github/workflows/ci.yml (1)
26-26: LGTM — SHA updates are clean.Action pins refreshed consistently with version comments.
Also applies to: 45-48, 69-72, 93-96, 116-118, 131-134
.github/workflows/check-release.yml (1)
20-20: LGTM — SHA updates are clean.Action digest pins refreshed with correct version tags.
Also applies to: 31-31, 34-34
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
ddf5c98 to
c313ca9
Compare
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
c313ca9 to
815980e
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In @.github/workflows/build.yml:
- Around line 19-22: The maintainer-tools action pin is inconsistent: the uses
line references
jupyterlab/maintainer-tools/.github/actions/base-setup@d734fad2dc3aadbe56a5fd530037656e770e1a8d
but the comment says # v1; update the pin to the real v1 tag (use
`@cc93cd104e7bcd29438a12c1c1c8d64d62555a33`) or change the comment to reflect the
current SHA so the uses entry for base-setup and its accompanying comment match.
♻️ Duplicate comments (4)
.github/workflows/publish-release.yml (1)
32-37: Removealways-auth: true— removed in setup-node v6.Line 37 uses a deprecated input that will cause failures. Delete the line.
Proposed fix
- name: Setup Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 with: node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true.github/workflows/ci.yml (1)
30-31: Add version comment for consistency.Other actions have version comments (e.g.,
# v5,# v1). This line lacks one.Proposed fix
- name: Install qlty - uses: qltysh/qlty-action/install@781c27d0ba52e67907ade4064dff08d1a797212e + uses: qltysh/qlty-action/install@781c27d0ba52e67907ade4064dff08d1a797212e # v2.github/workflows/check-release.yml (1)
22-29: Removealways-auth: true— removed in setup-node v6.Line 29 uses a deprecated input. Delete the line.
Proposed fix
- name: Setup Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 with: cache: 'npm' node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true.github/workflows/build.yml (1)
59-71: Codecov action SHAs updated.Security concerns about codecov-action v5 were raised in prior review. The 2021 incident targeted the Bash Uploader; current v5 includes mitigations.
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (6)
.github/workflows/build.yml.github/workflows/check-release.yml.github/workflows/ci.yml.github/workflows/prep-release.yml.github/workflows/publish-release.yml.github/workflows/update-integration-tests.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: build
- GitHub Check: check_release
🔇 Additional comments (7)
.github/workflows/publish-release.yml (1)
28-29: SHA updates look good.Action pins refreshed consistently across Checkout, base-setup, create-github-app-token, and jupyter_releaser steps.
Also applies to: 39-41, 47-49, 56-60
.github/workflows/prep-release.yml (1)
32-36: LGTM.SHA pins updated for base-setup and prep-release actions. Version comments preserved.
.github/workflows/ci.yml (1)
25-26: LGTM.Checkout and base-setup SHAs updated consistently across all jobs.
Also applies to: 44-48, 68-72, 92-96, 115-118, 130-134
.github/workflows/update-integration-tests.yml (1)
31-32: LGTM.SHA pins updated for checkout, base-setup, and update-snapshots. Version comments intact.
Also applies to: 71-72, 83-88
.github/workflows/check-release.yml (1)
19-20: LGTM.SHA pins updated for checkout, base-setup, and check-release actions.
Also applies to: 30-34
.github/workflows/build.yml (2)
96-99: Setup-python updated to v6.SHA 83679a8 corresponds to v6.1.0 which includes urllib3 2.5.0 with security fixes.
185-187: Check_links job SHAs consistent with build job.All three actions updated to match the pins used elsewhere in the workflow.
✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | ||
|
|
||
| - name: Base Setup | ||
| uses: jupyterlab/maintainer-tools/.github/actions/base-setup@d72f5cb72b472c1e59036840891e918c9bda4dae # v1 | ||
| uses: jupyterlab/maintainer-tools/.github/actions/base-setup@d734fad2dc3aadbe56a5fd530037656e770e1a8d # v1 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
# First, check if the file exists and view the relevant lines
head -25 .github/workflows/build.yml | tail -10Repository: deepnote/jupyterlab-deepnote
Length of output: 421
🏁 Script executed:
# Check full context around lines 19-22 and other changed lines
sed -n '19,22p' .github/workflows/build.ymlRepository: deepnote/jupyterlab-deepnote
Length of output: 289
🏁 Script executed:
# Verify the checkout SHA - check if v5 tag matches the pinned SHA
curl -s https://api.github.com/repos/actions/checkout/releases/tags/v5 | grep '"sha"' | head -1Repository: deepnote/jupyterlab-deepnote
Length of output: 54
🏁 Script executed:
# Verify the maintainer-tools SHA - check if v1 tag matches
curl -s https://api.github.com/repos/jupyterlab/maintainer-tools/git/refs/tags/v1 | grep '"sha"'Repository: deepnote/jupyterlab-deepnote
Length of output: 126
🏁 Script executed:
# Get the correct SHA for jupyterlab/maintainer-tools v1 tag
curl -s https://api.github.com/repos/jupyterlab/maintainer-tools/git/refs/tags/v1 2>/dev/null | jq '.object.sha // empty' 2>/dev/nullRepository: deepnote/jupyterlab-deepnote
Length of output: 114
🏁 Script executed:
# Also verify actions/checkout v5 more explicitly
curl -s "https://api.github.com/repos/actions/checkout/git/refs/tags/v5" 2>/dev/null | jq '.object.sha'Repository: deepnote/jupyterlab-deepnote
Length of output: 114
🏁 Script executed:
# Verify what commit the maintainer-tools pinned SHA actually points to
curl -s "https://api.github.com/repos/jupyterlab/maintainer-tools/commits/d734fad2dc3aadbe56a5fd530037656e770e1a8d" 2>/dev/null | jq '{sha: .sha, message: .commit.message, date: .commit.author.date}' | head -20Repository: deepnote/jupyterlab-deepnote
Length of output: 400
🏁 Script executed:
# Check what v1 tag actually contains (get tag details)
curl -s "https://api.github.com/repos/jupyterlab/maintainer-tools/git/tags/cc93cd104e7bcd29438a12c1c1c8d64d62555a33" 2>/dev/null | jq '{tagger: .tagger.date, message: .message}'Repository: deepnote/jupyterlab-deepnote
Length of output: 150
Fix maintainer-tools pin: SHA does not match v1 tag.
The actions/checkout SHA is correctly pinned to v5. However, the jupyterlab/maintainer-tools base-setup action is pinned to d734fad2dc3aadbe56a5fd530037656e770e1a8d (version 0.30.0), not the v1 tag (cc93cd104e7bcd29438a12c1c1c8d64d62555a33). The version comment # v1 is incorrect and creates supply-chain confusion. Update the pin to the actual v1 tag or correct the version comment.
🤖 Prompt for AI Agents
In @.github/workflows/build.yml around lines 19 - 22, The maintainer-tools
action pin is inconsistent: the uses line references
jupyterlab/maintainer-tools/.github/actions/base-setup@d734fad2dc3aadbe56a5fd530037656e770e1a8d
but the comment says # v1; update the pin to the real v1 tag (use
`@cc93cd104e7bcd29438a12c1c1c8d64d62555a33`) or change the comment to reflect the
current SHA so the uses entry for base-setup and its accompanying comment match.
815980e to
33f143f
Compare
This PR contains the following updates:
08c6903→93cb6ef6701853→29824e62028fbc→6044e13e797f83→83679a85a10915→671740a47f89e9→0fa95f06accaa3→3e74486d72f5cb→d734fad92420f3→781c27dConfiguration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.