chore(deps): bump the all-actions group across 1 directory with 6 updates#2182
chore(deps): bump the all-actions group across 1 directory with 6 updates#2182dependabot[bot] wants to merge 1 commit into
Conversation
…ates Bumps the all-actions group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `4` | `7` | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `2.1.4` | `3.2.0` | | [actions/github-script](https://github.com/actions/github-script) | `8.0.0` | `9.0.0` | | [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) | `2` | `3` | | [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `5` | `7` | | [actions/setup-python](https://github.com/actions/setup-python) | `5` | `6` | Updates `actions/checkout` from 4 to 7 - [Release notes](https://github.com/actions/checkout/releases) - [Commits](actions/checkout@v4...v7) Updates `actions/create-github-app-token` from 2.1.4 to 3.2.0 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Changelog](https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md) - [Commits](actions/create-github-app-token@6701853...bcd2ba4) Updates `actions/github-script` from 8.0.0 to 9.0.0 - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@ed59741...3a2844b) Updates `dependabot/fetch-metadata` from 2 to 3 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@v2...v3) Updates `astral-sh/setup-uv` from 5 to 7 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@v5...v7) Updates `actions/setup-python` from 5 to 6 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@v5...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-actions - dependency-name: actions/create-github-app-token dependency-version: 3.2.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-actions - dependency-name: actions/github-script dependency-version: 9.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-actions - dependency-name: dependabot/fetch-metadata dependency-version: '3' dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-actions - dependency-name: astral-sh/setup-uv dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-actions - dependency-name: actions/setup-python dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-actions ... Signed-off-by: dependabot[bot] <support@github.com>
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
There was a problem hiding this comment.
📋 Maintainability Review Summary
I have performed a maintainability review of the changes in this Pull Request. The changes consist exclusively of version bumps to various GitHub Actions workflows under .github/workflows/. No source code logic has been modified.
🔍 Findings
- No maintainability issues (such as poor naming, magic numbers, or obvious code duplication) were identified. The workflow updates are clean and well-structured.
There was a problem hiding this comment.
📋 Security Review Summary
No concrete security vulnerabilities were found in the analyzed changes of this pull request. The changes consist of dependency version upgrades of standard GitHub Actions, which improve the security and maintainability of the workflows.
🔍 Findings
- No security vulnerabilities were found.
There was a problem hiding this comment.
📋 Correctness Review Summary
I have conducted a correctness-focused code review on the proposed changes.
A critical correctness bug was identified in python/agents/financial-advisor/financial_advisor/__init__.py where os.environ.setdefault("GOOGLE_CLOUD_PROJECT", project_id) is called. Since google.auth.default() can return None as the project ID, this call will raise TypeError: str expected, not NoneType and cause the application to crash at import time. Additionally, google.auth.default() can raise DefaultCredentialsError in environments without active Google Cloud credentials, which will also prevent the module from being imported or tested locally without GCP credentials.
I have provided a correction suggestion below to handle these scenarios safely.
🔍 Findings
🟠 critical · Unhandled Exception and Type Error in __init__.py
In financial_advisor/__init__.py, os.environ.setdefault("GOOGLE_CLOUD_PROJECT", project_id) will crash with TypeError: str expected, not NoneType if google.auth.default() returns None for the project ID (which is common if no default project is configured).
Furthermore, calling google.auth.default() at import time without a try/except block will raise an unhandled DefaultCredentialsError in offline or local environments without Google Cloud credentials, completely blocking package imports.
Please wrap the credential fetching and check that the project ID is a string before setting it.
try:
_, project_id = google.auth.default()
if project_id:
os.environ.setdefault("GOOGLE_CLOUD_PROJECT", project_id)
except google.auth.exceptions.DefaultCredentialsError:
pass
Bumps the all-actions group with 6 updates in the / directory:
472.1.43.2.08.0.09.0.0235756Updates
actions/checkoutfrom 4 to 7Release notes
Sourced from actions/checkout's releases.
... (truncated)
Commits
9c091bbupdate error wording (#2467)1044a6dgetting ready for checkout v7 release (#2464)f028218Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)d914b26upgrade module to esm and update dependencies (#2463)537c7efBump@actions/coreand@actions/tool-cacheand Remove uuid (#2459)130a169Bump js-yaml from 4.1.0 to 4.2.0 (#2461)7d09575Bump flatted from 3.3.1 to 3.4.2 (#2460)0f9f3aaBump actions/publish-immutable-action (#2458)f9e715ablock checking out fork pr for pull_request_target and workflow_run (#2454)df4cb1cUpdate changelog for v6.0.3 (#2446)Updates
actions/create-github-app-tokenfrom 2.1.4 to 3.2.0Release notes
Sourced from actions/create-github-app-token's releases.
... (truncated)
Changelog
Sourced from actions/create-github-app-token's changelog.
Commits
bcd2ba4chore(main): release 3.2.0 (#370)f24bbd8fix: validate private-key input (#376)363531bdocs: capitalize Git as a proper noun in README (#374)fd28011docs: update procedure to configure Git (#287)85eb8ddfeat: support full repository names inrepositoriesinput (#372)c9aabb8build(deps-dev): bump yaml from 2.8.3 to 2.8.4 in the development-dependencie...e02e816build(deps-dev): bump undici from 7.24.6 to 8.2.0 (#366)8d835bfbuild(deps-dev): bump esbuild from 0.27.4 to 0.28.0 in the development-depend...952a2a7feat: add support for enterprise-level GitHub Apps (#263)43e5c34fix(deps): bump@actions/corefrom 3.0.0 to 3.0.1 in the production-dependenc...Updates
actions/github-scriptfrom 8.0.0 to 9.0.0Release notes
Sourced from actions/github-script's releases.
Commits
3a2844bMerge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...ca10bbdfix: use@octokit/core/types import for v7 compatibility86e48e2merge: incorporate main branch changesc108472chore: rebuild dist for v9 upgrade and getOctokit factoryafff112Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...ff8117eci: fix user-agent test to handle orchestration ID81c6b78ci: use deployment: false to suppress deployment noise from integration tests3953cafdocs: update README examples from@v8to@v9, add getOctokit docs and v9 brea...c17d55bci: add getOctokit integration test joba047196test: add getOctokit integration tests via callAsyncFunctionUpdates
dependabot/fetch-metadatafrom 2 to 3Release notes
Sourced from dependabot/fetch-metadata's releases.
... (truncated)
Commits
25dd0e3v3.1.0 (#692)e073f50Merge pull request #705 from dependabot/dependabot/npm_and_yarn/hono-4.12.140670e16build(deps-dev): bump hono from 4.12.12 to 4.12.147a7fe10Merge pull request #702 from dependabot/dependabot/npm_and_yarn/dependencies-...5168191Updating dist build23882e1build(deps): bump@actions/githubin the dependencies group1072469Merge pull request #701 from dependabot/dependabot/github_actions/actions/cre...43f8a00build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1b4d904aMerge pull request #703 from dependabot/dependabot/npm_and_yarn/globals-17.5.0c8046bbbuild(deps-dev): bump globals from 17.4.0 to 17.5.0Updates
astral-sh/setup-uvfrom 5 to 7Release notes
Sourced from astral-sh/setup-uv's releases.
... (truncated)
Commits
37802adFetch uv from Astral's mirror by default (#809)9f00d18chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 (#808)fd8f376Switch to ESM for source and test, use CommonJS for dist (#806)f9070deBump deps (#805)cadb67bchore: update known checksums for 0.10.10 (#804)e06108dUse astral-sh/versions as primary version provider (#802)0f6ec07docs: replace copilot instructions with AGENTS.md (#794)821e5c9docs: add cross-client dependabot rollup skill (#793)6ee6290chore(deps): bump versions (#792)9f332a1Add riscv64 architecture support to platform detection (#791)Updates
actions/setup-pythonfrom 5 to 6Release notes
Sourced from actions/setup-python's releases.
... (truncated)
Commits
ece7cb0Fix pip cache error handling on Windows. (#1040)1d18d7aUpdate advanced-usage.md (#811)d2b357aUpdate dependency versions and test workflow configuration (#1322)8f639b1Merge pull request #1324 from jasongin/update-actions-cache-5.1.06731c2bResolve high-severity audit issues0cb1a84Add RHEL support and include Linux distro in cache keys (#1323)dc6eab6Update dist6f4b74bStrict equalityfa8bde1Bump@actions/cacheto 5.1.0, log cache write deniedc8813baUpgrade@actionsdependencies and update licenses (#1303)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions