
action-allowlist-review: bump 1Password/load-secrets-action from 4.0.0 to 4.0.1 in /.github/actions/for-dependabot-triggered-reviews#932

Merged
potiuk merged 2 commits into main from dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/1Password/load-secrets-action-4.0.1
Jun 22, 2026

@dependabot dependabot Bot commented on behalf of github Jun 12, 2026


Bumps 1Password/load-secrets-action from 4.0.0 to 4.0.1.

Release notes

Sourced from 1Password/load-secrets-action's releases.

v4.0.1

What's Changed

Fix

  • Fixed a Windows specific issue where 1Password CLI installation could fail because the downloaded archive lacked a .zip extension required by PowerShell’s archive extraction fallback. (#154)
  • Bump actions/checkout from v5 to v6 in CI workflows. (#156)

Security

  • Harden GitHub Actions workflows by pinning external actions to immutable commit SHAs. (#157)

Docs

  • Add 1Password API Terms of Service notice to the README (#166)

New Contributors

Full Changelog: 1Password/load-secrets-action@v4.0.0...v4.0.1

Commits
  • 3a12b0a Merge pull request #167 from 1Password/release/v4.0.1
  • 0f0cd1b create new build
  • be2f36b Add Terms of Service to README (#166)
  • 908aabf Merge pull request #154 from superteppo/main
  • cc166c6 Merge pull request #157 from dagecko/runner-guard/fix-ci-security
  • 080cd2d Merge branch '1Password:main' into main
  • 2a321c3 fix: pin 4 unpinned action(s),extract 3 unsafe expression(s) to env vars
  • 2a9101f Merge pull request #156 from 1Password/jill/bump-actions
  • 5b18565 bump actions
  • a763b8d fix installer error on windows
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 12, 2026
Bumps [1Password/load-secrets-action](https://github.com/1password/load-secrets-action) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/1password/load-secrets-action/releases)
- [Commits](1Password/load-secrets-action@92467eb...3a12b0a)

---
updated-dependencies:
- dependency-name: 1Password/load-secrets-action
  dependency-version: 4.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/1Password/load-secrets-action-4.0.1 branch from fff64f0 to 99b7db9 Compare June 21, 2026 20:09

@potiuk potiuk left a comment


verify-action-build flags 4 tc.downloadTool() calls fetching the op CLI from cache.agilebits.com with no checksum — but this is the identical shape as the already-approved v4.0.0 (92467eb). No new risk introduced by this patch bump, so approving on parity. The underlying download-verification gap is being raised upstream separately.

Dependabot bumped both `uses:` hashes to the v4.0.1 commit but only
updated the version comment on the `/configure` line, leaving the first
line at `# v4.0.0`. Its comment-updater skips lines that carry a trailing
`# zizmor: ignore[...]` after the version comment. zizmor's
ref-version-mismatch flagged the resulting hash/comment mismatch.

Generated-by: Claude Opus 4.8 (1M context)
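
The hash/comment mismatch described in the commit message above can be caught offline. The following Python sketch is an added example, not code from this repository, Dependabot or zizmor; the action names, SHAs and the ignore rule name in the sample are constructed placeholders. It flags any repository that is pinned to one commit SHA under differing version comments.

```python
import re
from collections import defaultdict

# Matches: uses: owner/repo[/subpath]@<40-hex sha> # vX.Y.Z [# trailing comment]
USES_RE = re.compile(
    r"uses:\s*(?P<repo>[^/\s@]+/[^/\s@]+)(?P<sub>/[^\s@]*)?"
    r"@(?P<sha>[0-9a-f]{40})\s*#\s*(?P<ver>v?\d[\w.\-]*)(?P<rest>.*)$"
)

def find_comment_mismatches(text):
    """Return findings where one (repo, sha) pin carries different version comments."""
    pins = defaultdict(list)  # (repo, sha) -> [(line_no, version, has_trailing_comment)]
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if m:
            # Sub-paths such as /configure belong to the same repository and commit.
            key = (m["repo"].lower(), m["sha"])
            pins[key].append((no, m["ver"], "#" in m["rest"]))
    findings = []
    for (repo, sha), uses in pins.items():
        versions = {v for _, v, _ in uses}
        if len(versions) > 1:
            findings.append({
                "repo": repo, "sha": sha, "versions": sorted(versions),
                "lines": [n for n, _, _ in uses],
                # Lines with a second trailing comment after the version comment,
                # the shape the commit message says the updater skips.
                "trailing_comment_lines": [n for n, _, t in uses if t],
            })
    return findings

# Constructed sample: hypothetical actions, placeholder SHAs and rule name.
SAMPLE = """\
runs:
  using: composite
  steps:
    - uses: example-org/example-action@1111111111111111111111111111111111111111 # v4.0.0 # zizmor: ignore[placeholder-rule]
    - uses: example-org/example-action/configure@1111111111111111111111111111111111111111 # v4.0.1
    - uses: example-org/other-action@2222222222222222222222222222222222222222 # v1.2.3
"""

if __name__ == "__main__":
    for finding in find_comment_mismatches(SAMPLE):
        print(finding)
```

The check only reports that the comments disagree; deciding which version the SHA actually corresponds to still requires resolving the tag upstream.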
@potiuk potiuk merged commit 6a4d63f into main Jun 22, 2026
9 of 10 checks passed
@potiuk potiuk deleted the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/1Password/load-secrets-action-4.0.1 branch June 22, 2026 02:49