
action-allowlist-review: bump carabiner-dev/actions from 1.1.7 to 1.2.0 in /.github/actions/for-dependabot-triggered-reviews#856

Merged
potiuk merged 1 commit into main from dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/carabiner-dev/actions-1.2.0
May 24, 2026

@dependabot dependabot Bot commented on behalf of github May 18, 2026

Contributor

Bumps carabiner-dev/actions from 1.1.7 to 1.2.0.

Release notes

Sourced from carabiner-dev/actions's releases.

v1.2.0

This release marks a new minor release where all actions now can trace their trust root to a pinned ampel version. In v1.1.7 we migrated all installers. v1.2.0 now updates all actions to use the anchored installers.

No utility version bumps. Only the non-installer actions are now migrated to install/download-and-verify/ - based installers.

Commits

@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) May 18, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/carabiner-dev/actions-1.2.0 branch from c57ed7a to 5122d1d Compare May 19, 2026 01:43

potiuk commented May 22, 2026

Member

@dependabot rebase

Bumps [carabiner-dev/actions](https://github.com/carabiner-dev/actions) from 1.1.7 to 1.2.0.
- [Release notes](https://github.com/carabiner-dev/actions/releases)
- [Commits](carabiner-dev/actions@v1.1.7...v1.2.0)

---
updated-dependencies:
- dependency-name: carabiner-dev/actions
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/carabiner-dev/actions-1.2.0 branch from 5122d1d to e1bf0fb Compare May 22, 2026 18:57

ppkarwasz commented May 23, 2026

Member

We should not merge this one, until carabiner-dev/actions#57 is solved.

Dependabot tries to update carabiner-dev/actions/install/download-and-verify to the latest commit (not release) in the repository, because the commit currently allowed is not tagged. What we want instead is to upgrade it to whatever SHA1 is used by carabiner-dev/actions/install/ampel.

@potiuk potiuk left a comment

Member

LGTM — pinned SHA bump verified by Verify Dependabot Action Build, zizmor + CodeQL Actions analysis green.

@potiuk potiuk merged commit 9c6e758 into main May 24, 2026
12 checks passed
@potiuk potiuk deleted the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/carabiner-dev/actions-1.2.0 branch May 24, 2026 13:03
potiuk added a commit to kevingurney/infrastructure-actions that referenced this pull request May 27, 2026
update_refs crashed with AttributeError when actions.yml contained
an entry where the SHA key had no nested value (parses as None in
Python). Two such untagged-transitive entries were added in apache#853
(carabiner-dev install/{ampel-bootstrap,download-and-verify}),
which made the update_actions workflow fail on every subsequent
dependabot bump touching those keys (e.g. PR apache#856 bumping
carabiner-dev/actions 1.1.7 -> 1.2.0).

Initialize the empty dict in place so the expiry update path runs
on these entries the same way it does on any other.

Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
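
The failure mode described in the commit message above, as an added example that is not code from the repository: the allowlist layout (action, then SHA, then a details mapping), the `expires_at` field and every function name here are assumptions, and the sample data is constructed. It also shows why the empty dict has to be stored back in place rather than substituted locally.

```python
from datetime import date

ACTION = "example-org/actions/install/tool"   # constructed name
TAGGED = "1" * 40                             # constructed SHAs
UNTAGGED = "2" * 40


def sample_allowlist():
    """Constructed data: what a YAML loader yields when a SHA key has no
    nested value ("<sha>:" with nothing under it parses as None).
    Assumed layout: action -> sha -> details mapping."""
    return {ACTION: {TAGGED: {"tag": "v1.0.0"}, UNTAGGED: None}}


def set_expiry_unguarded(allowlist, action, sha, when):
    """Pre-fix shape: assumes every SHA maps to a dict."""
    details = allowlist[action][sha]
    if details.get("expires_at") is None:   # AttributeError if details is None
        details["expires_at"] = when


def set_expiry_detached(allowlist, action, sha, when):
    """Avoids the crash but writes to a throwaway dict, so the expiry is lost."""
    details = allowlist[action][sha] or {}  # new dict is never stored back
    details["expires_at"] = when


def set_expiry_in_place(allowlist, action, sha, when):
    """Store the empty dict back first, then update like any other entry."""
    refs = allowlist[action]
    if refs[sha] is None:
        refs[sha] = {}
    refs[sha]["expires_at"] = when


if __name__ == "__main__":
    when = date(2026, 8, 1)
    for fn in (set_expiry_unguarded, set_expiry_detached, set_expiry_in_place):
        data = sample_allowlist()
        try:
            fn(data, ACTION, UNTAGGED, when)
            print(fn.__name__, "->", data[ACTION][UNTAGGED])
        except AttributeError as exc:
            print(fn.__name__, "-> AttributeError:", exc)
```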