chore(deps): bump codecov/codecov-action from 5 to 6 in the github-actions group across 1 directory #23
Labels: The following labels could not be found: Please fix the above issues or remove invalid values from

Codecov Report: ✅ All modified and coverable lines are covered by tests.
@dependabot recreate

Force-pushed from ce13822 to 8315fb6.
…+ prefix fix (#25)

Cascades the validated mcp-synology pattern (decision `decision:mcp-synology:dependabot-pr-hygiene-2026-04-26`, playbook `dependabot-pr-hygiene-playbook`) to this repo so Dependabot PRs satisfy the per-PR CHANGELOG rule and don't get blocked by the `main-protection` ruleset's required-status-checks rule on the bot's follow-up commit.

Three pieces, bundled because they're a single coherent fix:

- `.github/PULL_REQUEST_TEMPLATE.md` — Summary / Test plan / CHANGELOG checklists for human-authored PRs. Test-plan commands match this repo's CI (`uv run pytest --cov`, `ruff check src/ tests/`, `mypy src/pypi_winnow_downloads/`).
- `.github/workflows/dependabot-changelog.yml` — `pull_request_target` workflow that mints a GitHub App installation token via `actions/create-github-app-token`, fetches metadata via `dependabot/fetch-metadata@v3.1.0`, composes a single-line `### Changed` entry, and pushes under the `cmeans-claude-dev[bot]` identity so required CI re-fires on the new HEAD SHA. Loop guard + idempotency guard included. One adaptation vs the mcp-synology source: the heading matcher accepts both `## Unreleased` and `## [Unreleased]` so the workflow is portable to Keep-a-Changelog-style CHANGELOGs (this repo's format).
- `.github/dependabot.yml` — commit-message prefix changed from `"chore(deps)"` to `"chore"` across all three ecosystems. Combined with `include: scope`, this restores the canonical `chore(deps): bump <pkg>` title format. Open PRs #23 and #24 exhibit the doubled-prefix bug; after this lands, future Dependabot PRs will have correct titles.

Operator pre-merge prerequisites (one-time, both must be done before the workflow can run on real Dependabot PRs):

1. Add repo secrets `BOT_APP_ID` (numeric App ID) and `BOT_APP_PRIVATE_KEY` (PEM contents) at github.com/cmeans/pypi-winnow-downloads/settings/secrets/actions
2. Create the missing labels named in dependabot.yml so they stop being silently dropped: `python`, `github-actions`, `docker`. (`dependencies` already exists.)

Post-merge verification (validates the full pipeline end-to-end on this repo, per the playbook's verification gate):

- Comment `@dependabot recreate` on PRs #23 and #24. The recreated PRs should have correct `chore(deps): bump …` titles and the auto-CHANGELOG workflow should append a populated `### Changed` entry under `## [Unreleased]` with version arrows like `actions/checkout 4→6`.

Cross-repo source: `cmeans/mcp-synology` PRs #57 + #58 + #60 + #61 (the latter is live verification on a real grouped Dependabot bump). Workflow file copied verbatim from mcp-synology main; PR template adapted for this repo's CI commands.

Co-authored-by: cmeans-claude-dev[bot] <272174644+cmeans-claude-dev[bot]@users.noreply.github.com>
@dependabot recreate

Sorry, only users with push access can use that command.
Force-pushed from 8315fb6 to 4937474.

@dependabot recreate
Bumps the github-actions group with 1 update in the / directory: [codecov/codecov-action](https://github.com/codecov/codecov-action).

Updates `codecov/codecov-action` from 5 to 6
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@v5...v6)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>

Force-pushed from 6ed49f6 to fad248d.
cmeans left a comment
QA round 1 — clean (LIVE-VERIFICATION GATE PASSED for PR #25's cascade)
This is the live-verification PR the #25 cascade was designed for. All four playbook signals are visible end-to-end on this Dependabot PR:
| #25 cascade signal | Expected | Observed on PR #23 head f6713f9 |
|---|---|---|
| Doubled-prefix fix (#57 of mcp-synology) | single `chore(deps):` | title is `chore(deps): bump codecov/codecov-action from 5 to 6 in the github-actions group across 1 directory` ✓ |
| Bot commit identity (Gotcha 4) | `cmeans-claude-dev[bot]` with `272174644+cmeans-claude-dev[bot]@users.noreply…` | author `cmeans-claude-dev[bot]`, email `272174644+cmeans-claude-dev[bot]@users.noreply.github.com` ✓ |
| App-token push re-fires required CI (Gotcha 2) | required checks run on bot HEAD SHA | lint + typecheck + test 3.11/3.12/3.13 all SUCCESS on f6713f9 ✓ |
| fetch-metadata@v3.1.0 populates arrows (Gotcha 3) | `<pkg> X→Y`, not empty arrows | **Bump github-actions group: codecov/codecov-action 5→6** (#23) ✓ |
Auto-CHANGELOG entry placement: lands under existing `### Changed` in `## [Unreleased]` — happy path, the issue #26 edge case (insertion above existing `### Added`) does not trigger here. Entry includes `(#23)` reference — idempotency guard would correctly skip on re-run.
Bump correctness (codecov-action v5→v6):
| Check | Result |
|---|---|
| Diff vs current main | `.github/workflows/ci.yml` (`@v5`→`@v6`, single line) + `CHANGELOG.md` (single line) |
| ci.yml runner | `runs-on: ubuntu-latest` — Ubuntu 24.04 LTS, ships with node24 by default; v6's only breaking change (node24 requirement) is satisfied |
| Action argument compatibility | `files: coverage.xml` + `fail_ci_if_error: false` — both still supported in v6 (no arg changes between v5 and v6 per upstream release notes; v6 = node24 + github-script bump only) |
| Local `uv run pytest -q` | 56 passed, 0 deselected, 0.14s |
| Local `uv run ruff check` + `ruff format --check` | clean |
| Local `uv run mypy src` | 0 issues, 5 source files |
| CI on PR head | all SUCCESS (test 3.11/3.12/3.13, lint, typecheck, changelog workflow, on-push, qa-approved) |
| `dependencies` label | auto-applied by Dependabot ✓ — confirms the labels-exist prereq from #25 landed correctly |
No findings. The cascade works as designed; #25's verification gate is satisfied. Transitioning label to Ready for QA Signoff.
Three mechanical edits:

- pyproject.toml: version "0.1.0" -> "0.1.1"
- CHANGELOG.md: insert `## [0.1.1] - 2026-04-26` directly under the (still empty) `## [Unreleased]` header so all 12 PRs' worth of bullets that have been accumulating since v0.1.0 ship are now categorized under the 0.1.1 release. Updated the link refs at the bottom: [Unreleased] now compares from v0.1.1, and a new [0.1.1] entry compares v0.1.0...v0.1.1.
- uv.lock: refreshed by `uv lock` so the locked pypi-winnow-downloads version (0.1.1) matches pyproject.toml.

What ships in v0.1.1 (highlights — full changelog under ## [0.1.1]):

Library fixes (operator-visible):

- collector: _write_health OSError no longer escapes per-package isolation. Disk-full / perm errors now produce structured `winnow-collect: ...; health file write failed: [Errno 28] No space left on device` exit instead of a raw traceback. Closes #32.
- collector: stale_threshold_days is now actually consulted — the "warn if previous run is older than N days" feature documented in config.example.yaml since v0.1.0 finally fires. Log-only per the documented v1 contract; degrades silently on first-run / unreadable / malformed / future-timestamped previous _health.json. Closes #33.

Documentation:

- README acknowledgments / license / BigQuery dataset link refresh (PR #15)
- README shields.io URL canonicalization (PR #27, closes #16)
- deploy/README.md Tailscale Funnel as alternative HTTPS exposure (PR #22)
- deploy/README.md "Pick an approach" table updated to reflect the new Caddy logging shape (in PR #30)

CI / project infrastructure (no PyPI consumer impact, but hardens future releases):

- Community health files: CONTRIBUTING / CoC / SECURITY / issue templates (PR #20)
- .github/dependabot.yml across pip + github-actions + docker ecosystems (PR #21)
- Dependabot PR hygiene cascade from cmeans/mcp-synology: PULL_REQUEST_TEMPLATE.md + auto-CHANGELOG workflow (App-token authenticated so required CI re-fires on the bot's HEAD SHA) + dependabot.yml prefix fix (PR #25). Validated end-to-end via the first two real Dependabot bumps PR #23 (codecov-action 5->6) and PR #24 (python 3.13-slim -> 3.14-slim).
- deploy-smoke CI job that builds the Dockerfile, smokes the entrypoint, validates compose+Caddyfile against caddy:2 (PR #29, closes #7). Promoted to required status check on the main-protection ruleset 2026-04-26 22:43 (issue #31 closed via operator action).
- deploy/caddy/Caddyfile.example gains global error logger + per-site access logger with built-in lumberjack rotation, documents the validate-as-root gotcha (PR #30). Live CT 112 deployment fixed in the same change.
- 100% coverage on src/ via real tests (no `# pragma: no cover`), with `fail_under = 100` gate in pyproject.toml so future regressions trip CI (PR #38, closes #37).

Verified locally: 71/71 pytest pass, ruff/format/mypy clean, coverage gate green at 100.00%.

After this merges:

1. Tag the squash-merge commit as v0.1.1 and push the tag — publish.yml fires and uploads to PyPI via the existing trusted-publisher OIDC flow.
2. Update the live CT 112 deployment to install pypi-winnow-downloads==0.1.1 from PyPI (currently runs a wheel built from main, but pinning to the released version keeps deploy reproducible).
3. Close any post-release follow-ups Chris wants tracked.

Co-authored-by: cmeans-claude-dev[bot] <272174644+cmeans-claude-dev[bot]@users.noreply.github.com>
…HANGELOG (closes #26)

Cascades the validated cmeans/mcp-synology PR #63 fix (squash 8a4df0d, merged 2026-04-26 23:24Z) to this repo's .github/workflows/dependabot-changelog.yml.

The bug: When `## [Unreleased]` already contained a subsection (e.g., `### Added`) but no `### Changed` block, the auto-CHANGELOG workflow's else-branch inserted the new `### Changed` block at `unreleased_idx + 1` regardless of what subsections already existed. With `### Added` at unreleased_idx + 2, the new `### Changed` landed ABOVE the existing `### Added`, violating Keep-a-Changelog v1.1.0's mandated order: Added → Changed → Deprecated → Removed → Fixed → Security

Dormant on this repo until #36 release wave: post-PR #25 cascade the workflow ran on PRs #23 and #24 with both `### Added` and `### Changed` already populated in `## [Unreleased]`, so the if-branch (insert under existing `### Changed`) fired both times — the buggy else-branch never executed. The next time it WOULD fire is post-v0.1.1 release: fresh empty Unreleased section, then a feature PR adds `### Added`, then the next weekly Dependabot Monday bump triggers the workflow's else-branch and produces an out-of-order CHANGELOG.

The fix: Walk forward from `## Unreleased` to find either: (a) the first subsection that should sort AFTER `### Changed` per KaC ordering (i.e., `### Deprecated`, `### Removed`, `### Fixed`, `### Security`), or (b) the next `## ` release heading. Insert the new `### Changed` block immediately before whichever comes first. Default insertion point is the end of the Unreleased section (just before the next `## ` heading) when no later-sorting subsections exist.

Adaptation preserved from our heading-tolerant variant: the matcher accepts both `## Unreleased` (mcp-synology's form) and `## [Unreleased]` (this repo's Keep-a-Changelog bracketed form).

Only the else-branch changes; the if-branch (insert under existing `### Changed`) and the loop guard / idempotency guard / token mint / Dependabot filter are byte-for-byte unchanged.

Verification: Reproduced upstream QA's algorithm-extraction smoke test against six KaC layouts on the cascaded fix:

A. Empty Unreleased → Changed ✓
B. Added only (the bug case) → Added → Changed ✓
C. Changed already exists → Added → Changed ✓
D. Added + Fixed → Added → Changed → Fixed ✓
E. Fixed only → Changed → Fixed ✓
F. Bracketless heading (## Unreleased) → Added → Changed ✓

All six KaC arrangements produce correctly-ordered subsections. Workflow YAML parses (PyYAML safe_load).

The verification gate from the dependabot-pr-hygiene-playbook ("validate on real data before cascading") was met on mcp-synology side via the upstream QA smoke test; live Dependabot validation via @dependabot recreate is belt-and-suspenders that can be exercised on this repo's next weekly Dependabot bump.

Per CLAUDE.md: this is a CI/automation fix (not user-visible library behavior), so no operator-impact framing in the CHANGELOG bullet — just the categorization-correctness description.
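The insertion rule the commit message above describes (walk forward from the Unreleased heading, append under an existing `### Changed`, otherwise create the block before the first later-sorting Keep-a-Changelog subsection or at the end of the section), together with the bracket-tolerant heading matcher from the PR #25 commit message and its `(#N)` idempotency guard, as an added Python example. This is not the repository's own dependabot-changelog.yml script: the function names, the regexes and the six constructed CHANGELOG layouts (mirroring smoke-test cases A–F, with placeholder release heading and PR numbers #101–#103) are this example's assumptions; the entry text and PR number 23 are the ones observed on this PR.

```python
"""Insert a ``### Changed`` bullet into a Keep-a-Changelog Unreleased section.

Added example; not the repository's dependabot-changelog.yml script. Function
names and the sample CHANGELOG layouts below are this example's own constructions.
"""
from __future__ import annotations

import re

# Keep-a-Changelog v1.1.0 subsection order; everything after Changed must sort AFTER it.
KAC_ORDER = ["Added", "Changed", "Deprecated", "Removed", "Fixed", "Security"]
AFTER_CHANGED = frozenset(KAC_ORDER[KAC_ORDER.index("Changed") + 1 :])
# Heading-tolerant matcher: "## Unreleased" and "## [Unreleased]" both match.
UNRELEASED_RE = re.compile(r"^##\s+\[?Unreleased\]?\s*$")
SUBSECTION_RE = re.compile(r"^###\s+(\w+)\s*$")
RELEASE_HEADING_RE = re.compile(r"^##\s")


def _unreleased_bounds(lines: list[str]) -> tuple[int, int]:
    """Return (index of the Unreleased heading, index of the next ## heading or EOF)."""
    start = next((i for i, line in enumerate(lines) if UNRELEASED_RE.match(line)), None)
    if start is None:
        raise ValueError("CHANGELOG has no Unreleased heading")
    end = next((i for i in range(start + 1, len(lines)) if RELEASE_HEADING_RE.match(lines[i])), len(lines))
    return start, end


def unreleased_subsections(changelog: str) -> list[str]:
    """Names of the ### subsections under Unreleased, in document order."""
    lines = changelog.splitlines()
    start, end = _unreleased_bounds(lines)
    return [m.group(1) for m in map(SUBSECTION_RE.match, lines[start:end]) if m]


def insert_changed_entry(changelog: str, entry: str, pr_number: int) -> str:
    """Add ``- <entry> (#pr_number)`` under ### Changed, creating the block in KaC order."""
    lines = changelog.splitlines()
    start, end = _unreleased_bounds(lines)
    bullet = f"- {entry} (#{pr_number})"
    # Idempotency guard: a re-run on the same PR must not add a second bullet.
    if any(f"(#{pr_number})" in line for line in lines[start:end]):
        return changelog
    changed_idx = next((i for i in range(start + 1, end) if lines[i].strip() == "### Changed"), None)
    if changed_idx is not None:
        # if-branch: append after the last bullet of the existing ### Changed block.
        pos = changed_idx + 1
        while pos < end and not SUBSECTION_RE.match(lines[pos]):
            pos += 1
        while pos > changed_idx + 1 and lines[pos - 1].strip() == "":
            pos -= 1  # step back over blank lines preceding the next heading
        lines[pos:pos] = ["", bullet] if pos == changed_idx + 1 else [bullet]
    else:
        # else-branch (the fixed one): insert before the first subsection that sorts
        # after Changed, defaulting to the end of the Unreleased section.
        pos = end
        for i in range(start + 1, end):
            m = SUBSECTION_RE.match(lines[i])
            if m and m.group(1) in AFTER_CHANGED:
                pos = i
                break
        while pos > start + 1 and lines[pos - 1].strip() == "":
            pos -= 1  # land right after the last content line; existing blanks follow
        lines[pos:pos] = ["", "### Changed", "", bullet]
    return "\n".join(lines) + "\n"


# Constructed layouts mirroring smoke-test cases A-F. Release heading, date and
# the #101-#103 PR numbers are placeholders, not this repository's history.
RELEASED = "## [0.1.0] - 2026-01-01\n\n### Added\n\n- Initial release (#1)\n"
HEAD = "# Changelog\n\n## [Unreleased]\n\n"
ADDED = "### Added\n\n- New feature (#101)\n\n"
FIXED = "### Fixed\n\n- A bug (#103)\n\n"
LAYOUTS = {
    "A_empty": HEAD + RELEASED,
    "B_added_only": HEAD + ADDED + RELEASED,
    "C_changed_exists": HEAD + ADDED + "### Changed\n\n- Existing change (#102)\n\n" + RELEASED,
    "D_added_fixed": HEAD + ADDED + FIXED + RELEASED,
    "E_fixed_only": HEAD + FIXED + RELEASED,
    "F_bracketless": HEAD.replace("[Unreleased]", "Unreleased") + ADDED + RELEASED,
}
ENTRY = "**Bump github-actions group: codecov/codecov-action 5→6**"  # as seen on PR #23


def run_layouts(entry: str = ENTRY, pr_number: int = 23) -> dict[str, list[str]]:
    """Apply the insertion to every layout and report the resulting subsection order."""
    return {name: unreleased_subsections(insert_changed_entry(text, entry, pr_number))
            for name, text in LAYOUTS.items()}


if __name__ == "__main__":
    for name, order in run_layouts().items():
        print(f"{name}: {' → '.join(order)}")
```

Running the module prints the resulting subsection order for each layout; case B is the one the old `unreleased_idx + 1` insertion got wrong, and case C exercises the unchanged if-branch. Re-applying the function to its own output is a no-op because the `(#23)` guard fires before any edit.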
…HANGELOG (#26) (#41)

* fix(workflow): insert ### Changed in Keep-a-Changelog order on auto-CHANGELOG (closes #26)

* docs(changelog): fix dormancy timeline — "#36 release" → "the v0.1.1 release"

  QA round 1 finding: the CHANGELOG bullet conflated PR #36 (the stale_threshold_days warning fix that landed during the v0.1.1 pre-release cycle) with a release version. PR #36 is not a release — v0.1.1 is. Future readers couldn't map "#36 release" to a release tag without spelunking. PR body's narrative already says "v0.1.1 ship" correctly; only the CHANGELOG bullet was off.

  CHANGELOG-only edit. No workflow change, no test change. Verified at HEAD: pytest 71/71, ruff clean, mypy clean.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: cmeans-claude-dev[bot] <272174644+cmeans-claude-dev[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps the github-actions group with 1 update in the / directory: codecov/codecov-action.

Updates `codecov/codecov-action` from 5 to 6

Release notes
Sourced from codecov/codecov-action's releases.
... (truncated)

Changelog
Sourced from codecov/codecov-action's changelog.
... (truncated)

Commits
- 57e3a13 Th/6.0.0 (#1928)
- f67d33d Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0""
- ...