Skip to content

chore(deps): bump the actions group across 1 directory with 2 updates#177

Merged
ion-alpha-dev merged 1 commit into
mainfrom
dependabot/github_actions/actions-431689bfb8
Jul 2, 2026
Merged

chore(deps): bump the actions group across 1 directory with 2 updates#177
ion-alpha-dev merged 1 commit into
mainfrom
dependabot/github_actions/actions-431689bfb8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

What

Dependabot bumps the actions group in release.yml: sigstore/cosign-installer 3.9.1 -> 4.1.2 (SHA-pinned) and goreleaser/goreleaser-action to the latest v7 pin.

Why

Keeps the SHA-pinned release actions current. The cosign-installer major now installs cosign v3 (was v2.x), which includes bug fixes the upstream project recommends adopting.

How to verify

CI green is sufficient for the pin change itself; the workflow only runs on release. Our .goreleaser.yaml signs with cosign sign-blob --yes --output-certificate --output-signature, all of which remain supported in cosign v3 - confirm on the next tagged release that keyless signing still produces the .pem/.sig pair.

Notes for reviewers

Body rewritten from the dependabot original to satisfy the PR-template gate; upstream release notes are in the PR's commit and the dependabot compare links: cosign-installer v3.9.1...v4.1.2, goreleaser-action compare.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
@dependabot dependabot Bot requested a review from ion-alpha-dev as a code owner July 1, 2026 01:11
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
@ion-alpha-dev

Copy link
Copy Markdown
Collaborator

@dependabot rebase

Bumps the actions group with 2 updates in the / directory: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action).


Updates `sigstore/cosign-installer` from 3.9.1 to 4.1.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@398d4b0...6f9f177)

Updates `goreleaser/goreleaser-action` from 7.2.2 to 7.2.3
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](goreleaser/goreleaser-action@5daf1e9...f06c13b)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-version: 7.2.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump the actions group with 2 updates chore(deps): bump the actions group across 1 directory with 2 updates Jul 2, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions-431689bfb8 branch from 6fa5015 to acd5f2d Compare July 2, 2026 03:35
@dependabot @github

dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@ion-alpha-dev ion-alpha-dev reopened this Jul 2, 2026
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 2, 2026
@ion-alpha-dev ion-alpha-dev reopened this Jul 2, 2026
@ion-alpha-dev ion-alpha-dev merged commit acd5f2d into main Jul 2, 2026
11 checks passed
@ion-alpha-dev ion-alpha-dev deleted the dependabot/github_actions/actions-431689bfb8 branch July 2, 2026 03:47
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant