chore(deps): bump the minor-and-patch group with 3 updates#41620
Open
dependabot[bot] wants to merge 1 commit into
Open
chore(deps): bump the minor-and-patch group with 3 updates#41620dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Conversation
dependabot
Bot
added
dependencies
github_actions
|
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes. |
Bumps the minor-and-patch group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [shivammathur/setup-php](https://github.com/shivammathur/setup-php) and [actionhippie/calens](https://github.com/actionhippie/calens). Updates `actions/checkout` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v6.0.2...df4cb1c) Updates `shivammathur/setup-php` from 2.37.0 to 2.37.2 - [Release notes](https://github.com/shivammathur/setup-php/releases) - [Commits](shivammathur/setup-php@2.37.0...f3e473d) Updates `actionhippie/calens` from 1.13.4 to 1.13.5 - [Release notes](https://github.com/actionhippie/calens/releases) - [Changelog](https://github.com/actionhippie/calens/blob/master/CHANGELOG.md) - [Commits](actionhippie/calens@0b8ceba...6340fdc) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: shivammathur/setup-php dependency-version: 2.37.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch - dependency-name: actionhippie/calens dependency-version: 1.13.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: minor-and-patch ... Signed-off-by: dependabot[bot] <support@github.com>
phil-davis
force-pushed
the
dependabot/github_actions/minor-and-patch-cf13385e61
branch
from
381c4f7 to
71aded9
Compare
phil-davis
approved these changes
Jun 15, 2026
DeepDiver1975
left a comment
DeepDiver1975
left a comment
Member
There was a problem hiding this comment.
Code Review
Overview
Dependabot grouped minor/patch bump across three GitHub Actions:
actions/checkout6.0.2 → 6.0.3shivammathur/setup-php2.37.0 → 2.37.2 (skips 2.37.1)actionhippie/calens1.13.4 → 1.13.5
All changes are pinned-SHA updates in .github/workflows/ — no production code touched.
Analysis
actions/checkout6.0.3: Patch fix for SHA-256 repository checkout init and merge commit SHA regex. No behaviour change for standard SHA-1 repos. ✅shivammathur/setup-php2.37.2: This release includes two security fixes from 2.37.1 (CVE-2026-46420: shell command escaping, CVE-2026-45793: GitHub auth handling for affected Composer versions) plus macOS/Windows fixes. The jump from 2.37.0 directly to 2.37.2 means the security fixes from 2.37.1 are included. ✅ — this is a recommended security update.actionhippie/calens1.13.5: Docker digest update only, no functional change. ✅- Pin style is correct: All SHAs are updated to match the tagged releases referenced in the inline comments.
- Four workflow files touched (
acceptance.yml,ci.yml,lint-and-codestyle.yml,php-unit.yml): changes are consistent across all files — no workflow was missed.
Summary
Clean, safe dependency update. The setup-php 2.37.1→2.37.2 security fixes make this worth merging promptly. No concerns.
Contributor
|
@DeepDiver1975 does this need whitelisting of the bumped SHAs to get CI to run? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the minor-and-patch group with 3 updates: actions/checkout, shivammathur/setup-php and actionhippie/calens.
Updates
actions/checkoutfrom 6.0.2 to 6.0.3Release notes
Sourced from actions/checkout's releases.
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
df4cb1cUpdate changelog for v6.0.3 (#2446)1cce339Fix checkout init for SHA-256 repositories (#2439)900f221fix: expand merge commit SHA regex and add SHA-256 test cases (#2414)0c366fdUpdate changelog (#2357)Updates
shivammathur/setup-phpfrom 2.37.0 to 2.37.2Release notes
Sourced from shivammathur/setup-php's releases.
... (truncated)
Commits
f3e473dBump version to 2.37.28be473cTrust brew taps083d523Bump the github-actions group with 2 updates (#1085)a919ff5Update FUNDING.ymldeb2299Harden GitHub Actions workflows5825be4Harden environment lookup8d45593Add CODEOWNERSba8d163Update PHP versions in SECURITY.md7c071dfBump version to 2.37.1eeef37eGHSA-pqwm-q9pv-ph8r - Fix CWE-78 [skip ci]Updates
actionhippie/calensfrom 1.13.4 to 1.13.5Release notes
Sourced from actionhippie/calens's releases.
Changelog
Sourced from actionhippie/calens's changelog.
... (truncated)
Commits
6340fdcchore: release 1.13.54c49113chore(flake): updated lockfile [skip ci]40077f1deps(patch): update docker digests45d52a5docs: automated release update [skip ci]2b682d1chore(flake): updated lockfile [skip ci]0014987docs: automated release update [skip ci]76b438fchore(flake): updated lockfile [skip ci]6269b1bdocs: automated release update [skip ci]1be88b8chore(flake): updated lockfile [skip ci]Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions