
action-allowlist-review: bump erlef/setup-beam from 1.24.0 to 1.24.1 in /.github/actions/for-dependabot-triggered-reviews #981

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/erlef/setup-beam-1.24.1

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Contributor

Bumps erlef/setup-beam from 1.24.0 to 1.24.1.

Release notes

Sourced from erlef/setup-beam's releases.

v1.24.1

What's Changed

Full Changelog: erlef/setup-beam@v1...v1.24.1

Commits
  • 54075bc Automation: update setup-beam version output to ea45c80
  • ea45c80 Remove lodash Dependency (#457)
  • b4b8d85 Automation: update setup-beam version output to 20df794
  • 20df794 Bump globals from 17.4.0 to 17.7.0 (#452)
  • 9d5c5ca Automation: update setup-beam version output to ad42943
  • ad42943 Bump prettier from 3.8.1 to 3.9.1 (#454)
  • 135c095 Automation: update setup-beam version output to a04cfbb
  • a04cfbb Bump eslint from 10.1.0 to 10.6.0 (#453)
  • cd1472f Automation: update setup-beam version output to c80fdc9
  • c80fdc9 Bump actions/checkout from 6.0.2 to 7.0.0 (#467)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 29, 2026
@dependabot dependabot Bot requested review from dfoulks1 and potiuk as code owners June 29, 2026 13:20
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 29, 2026
@dependabot dependabot Bot requested a review from ppkarwasz as a code owner June 29, 2026 13:20
@dependabot dependabot Bot added the github_actions Pull requests that update GitHub Actions code label Jun 29, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/erlef/setup-beam-1.24.1 branch from 43b541e to 558aa7b Compare July 1, 2026 13:50

potiuk commented Jul 2, 2026

Member

@dependabot rebase

Bumps [erlef/setup-beam](https://github.com/erlef/setup-beam) from 1.24.0 to 1.24.1.
- [Release notes](https://github.com/erlef/setup-beam/releases)
- [Commits](erlef/setup-beam@fc68ffb...54075bc)

---
updated-dependencies:
- dependency-name: erlef/setup-beam
  dependency-version: 1.24.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/erlef/setup-beam-1.24.1 branch from 558aa7b to d497488 Compare July 2, 2026 15:33

potiuk commented Jul 2, 2026

Member

This bumps erlef/setup-beam v1.24.0 → v1.24.1 (patch). CI verify fails on the known unverified-download pattern — src/setup-beam.js fetches OTP/Elixir/Gleam/rebar3 via tc.downloadTool() with no in-file checksum, the same finding we hit when the action was first allowlisted.

That pattern is already tracked upstream at erlef/setup-beam#456 ("Verify downloaded toolchain archives against sha256 checksums"), which is open and actively being discussed by the setup-beam maintainers (last activity 2026-06-28). Per that issue, when v1.24.0 was added (#751 / INFRA-27826) we agreed to allow the action conditional on raising exactly that upstream issue — which is done.

Since this is a patch bump of the already-approved action with no change to the download/verification posture, merging on the same conditional basis looks consistent to me. @ppkarwasz @dfoulks1 — you both looked at #751; OK to approve this bump, or would you rather hold setup-beam bumps until #456 lands a checksum mechanism?
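
The kind of check the unverified-download finding above asks for, as an added example that is not part of this thread or of setup-beam's code: an already-downloaded archive is hashed and compared against a pinned SHA-256 before anything extracts it. The helper names and the sha256sum-style manifest format are assumptions made for illustration.

```javascript
// Added example; helper names below are hypothetical, not setup-beam's code.
const crypto = require('node:crypto')
const fs = require('node:fs')
const os = require('node:os')
const path = require('node:path')
// Hash the file in chunks so large archives are never held in memory whole.
function sha256File(file) {
  const hash = crypto.createHash('sha256')
  const fd = fs.openSync(file, 'r')
  const buf = Buffer.alloc(64 * 1024)
  try {
    for (let n; (n = fs.readSync(fd, buf, 0, buf.length, null)) > 0;) hash.update(buf.subarray(0, n))
  } finally {
    fs.closeSync(fd)
  }
  return hash.digest('hex')
}

// Look up the pinned digest in a sha256sum-style manifest ("<hex>  <name>").
function pinnedDigest(manifest, name) {
  for (const line of manifest.split(/\r?\n/)) {
    const m = /^([0-9a-fA-F]{64})\s+\*?(.+)$/.exec(line.trim())
    if (m && m[2] === name) return m[1].toLowerCase()
  }
  throw new Error(`no checksum pinned for ${name}`) // fail closed on unknown files
}

// Delete the archive and throw unless its digest matches the pin.
function verifyArchive(file, manifest) {
  const expected = pinnedDigest(manifest, path.basename(file))
  const actual = sha256File(file)
  if (actual !== expected) {
    fs.rmSync(file, { force: true })
    throw new Error(`sha256 mismatch for ${file}: got ${actual}, pinned ${expected}`)
  }
  return actual
}

// Constructed sample: a stand-in archive, a manifest pinning it, then tampering.
function demo() {
  const file = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'verify-')), 'toolchain.tar.gz')
  fs.writeFileSync(file, 'constructed sample archive bytes')
  const manifest = `${sha256File(file)}  toolchain.tar.gz\n`
  const good = verifyArchive(file, manifest)
  fs.appendFileSync(file, 'tampered')
  let rejected = false
  try { verifyArchive(file, manifest) } catch (e) { rejected = true }
  return { good, rejected, removed: !fs.existsSync(file) }
}
```

The pin only adds assurance when the manifest is committed or obtained separately from the archive; a checksum fetched from the same location as the download changes with it.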
