action-allowlist-review: bump opentofu/setup-opentofu from 2.0.1 to 2.0.2 in /.github/actions/for-dependabot-triggered-reviews #980

Merged
potiuk merged 1 commit into main from dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/opentofu/setup-opentofu-2.0.2 on Jul 2, 2026

dependabot Bot (Contributor) commented on behalf of github Jun 29, 2026

Bumps opentofu/setup-opentofu from 2.0.1 to 2.0.2.

Release notes

Sourced from opentofu/setup-opentofu's releases.

v2.0.2

What's Changed

New Contributors

Full Changelog: opentofu/setup-opentofu@v2...v2.0.2

Commits
  • a1320f8 release docs and bump to 2.0.2 (#127)
  • d3dc77d feat: verify download against published SHA256SUMS by default (#121)
  • 5600721 chore(deps): Bump semver from 7.8.1 to 7.8.3 (#123)
  • 7051243 chore(deps): Bump actions/checkout from 6.0.2 to 6.0.3 (#124)
  • 50e079f chore(deps): Bump actions/checkout from 6 to 6.0.2
  • 0c73a96 chore(deps): Bump semver from 7.8.0 to 7.8.1 (#119)
  • 7526f4b chore(deps): Bump semver from 7.7.4 to 7.8.0
  • a630d3b chore(deps-dev): Bump jest from 30.3.0 to 30.4.2
  • 7e2b876 chore(deps): Bump @actions/core from 3.0.0 to 3.0.1
  • See full diff in compare view

dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) Jun 29, 2026
dependabot Bot requested review from dfoulks1 and potiuk as code owners June 29, 2026 13:20
dependabot Bot requested a review from ppkarwasz as a code owner June 29, 2026 13:20

potiuk (Member) commented Jul 2, 2026

@dependabot rebase

Bumps [opentofu/setup-opentofu](https://github.com/opentofu/setup-opentofu) from 2.0.1 to 2.0.2.
- [Release notes](https://github.com/opentofu/setup-opentofu/releases)
- [Commits](opentofu/setup-opentofu@847eaa4...a1320f8)

---
updated-dependencies:
- dependency-name: opentofu/setup-opentofu
  dependency-version: 2.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot force-pushed the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/opentofu/setup-opentofu-2.0.2 branch from 9e89072 to 91245a8 July 2, 2026 15:33

potiuk (Member) left a comment

Approving on the basis of our internal verify-action-build tooling confirming the download is verified.

The verify CI here is a false positive. opentofu/setup-opentofu's lib/setup-tofu.js downloads via tc.downloadTool() and then validates the artifact — await fileSHA256(pathToCLIZip) checked against the release's SHA256SUMS, rejecting on mismatch. The createHash('sha256') body lives in the sibling lib/util.js, so the in-file evidence is only the fileSHA256(...) call name, which the scanner didn't yet recognize.

Fix is #1001. Running the patched tool against this PR:

✓ lib/setup-tofu.js: 1 JS download(s), verification present in file
Exit code: 0

Since our tooling now confirms the artifact is checksum-verified, merging this v2.0.1 → v2.0.2 bump. Admin-merging to bypass the stale verify check; it'll pass normally once #1001 lands.

potiuk merged commit ddaa0c8 into main Jul 2, 2026
12 of 13 checks passed
potiuk deleted the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/opentofu/setup-opentofu-2.0.2 branch July 2, 2026 18:27
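
The check described in the review comment above (hash the downloaded file, compare it with the release's SHA256SUMS, reject on mismatch), as an added JavaScript example. It is not code from opentofu/setup-opentofu or from the verify tooling; the function names, artifact name and file contents are constructed for illustration.

```javascript
// Added example; parseSha256Sums, sha256File and verifyAgainstSums are hypothetical names.
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Parse coreutils-style lines: "<64 hex>  <name>" (text) or "<64 hex> *<name>" (binary).
function parseSha256Sums(text) {
  const sums = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = /^([0-9a-fA-F]{64}) [ *](.+)$/.exec(line);
    if (m) sums.set(m[2], m[1].toLowerCase());
  }
  return sums;
}

// SHA-256 of a file as lowercase hex (reads the whole file; stream for large artifacts).
function sha256File(filePath) {
  return crypto.createHash('sha256').update(fs.readFileSync(filePath)).digest('hex');
}

// Fail closed: throw when the artifact is not listed or its digest differs.
function verifyAgainstSums(filePath, artifactName, sumsText) {
  const expected = parseSha256Sums(sumsText).get(artifactName);
  if (!expected) throw new Error(`no SHA256SUMS entry for ${artifactName}`);
  const actual = sha256File(filePath);
  if (actual !== expected) {
    throw new Error(`SHA256 mismatch for ${artifactName}: got ${actual}, want ${expected}`);
  }
  return actual;
}

// Constructed demo: a matching file passes, the same file modified afterwards is rejected.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'sums-demo-'));
  const name = 'tool_1.0.0_linux_amd64.zip'; // constructed artifact name
  const file = path.join(dir, name);
  try {
    fs.writeFileSync(file, 'constructed artifact bytes');
    const sums = `${'0'.repeat(64)}  other.zip\n${sha256File(file)}  ${name}\n`;
    const accepted = verifyAgainstSums(file, name, sums) === sha256File(file);
    fs.appendFileSync(file, 'tampered');
    let rejected = false;
    try { verifyAgainstSums(file, name, sums); } catch (e) { rejected = /mismatch/.test(e.message); }
    return { accepted, rejected };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```

The digest is only as trustworthy as the channel the SHA256SUMS file came from, so fetch it from the release itself and not from the same mirror as the artifact.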