Skip to content

ci(deps): bump the actions-minor group with 2 updates#328

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions-minor-ffd8b3b0d8
Closed

ci(deps): bump the actions-minor group with 2 updates#328
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions-minor-ffd8b3b0d8

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 23, 2026

Bumps the actions-minor group with 2 updates: actions/cache and anthropics/claude-code-action.

Updates actions/cache from 5.0.3 to 5.0.4

Release notes

Sourced from actions/cache's releases.

v5.0.4

What's Changed

New Contributors

Full Changelog: actions/cache@v5...v5.0.4

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

  • Bump @actions/cache to v5.0.3 #1692

5.0.1

  • Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

Updates anthropics/claude-code-action from 1.0.72 to 1.0.77

Release notes

Sourced from anthropics/claude-code-action's releases.

v1.0.77

Subprocess environment scrubbing for untrusted-input workflows

Workflows that configure allowed_non_write_users now automatically get CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1, which makes Claude Code (v2.1.79+) strip Anthropic and cloud provider credentials from the environment of subprocesses it spawns (Bash tool, hooks, MCP stdio servers). The parent Claude process keeps these vars for its own API calls — only child subprocess environments are scrubbed.

Why: Workflows that process untrusted input (issue triage, PR review from non-write users) are exposed to prompt injection. A malicious issue body could trick Claude into running a Bash command that reads $ANTHROPIC_API_KEY via shell expansion and leaks it through an observable side channel. Scrubbing the subprocess environment removes the read primitive entirely.

What's scrubbed: Anthropic auth tokens, cloud provider credentials, GitHub Actions OIDC and runtime tokens, OTEL auth headers.

What's kept: GITHUB_TOKEN / GH_TOKEN — so wrapper scripts can still call the GitHub API.

Opt out: Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: "0" at the job or step level if your workflow legitimately needs a subprocess to inherit these credentials.

No action required for most users — if you've configured allowed_non_write_users, scrubbing is now on automatically. If your workflow breaks because a subprocess expected inherited credentials, re-inject them explicitly (e.g., via MCP server env: config) or use the opt-out.

What's Changed

Full Changelog: anthropics/claude-code-action@v1.0.76...v1.0.77

v1.0.76

Full Changelog: anthropics/claude-code-action@v1...v1.0.76

v1.0.75

Full Changelog: anthropics/claude-code-action@v1...v1.0.75

v1.0.74

What's Changed

Full Changelog: anthropics/claude-code-action@v1...v1.0.74

v1.0.73

Full Changelog: anthropics/claude-code-action@v1...v1.0.73

Commits
  • ff9acae Auto-set subprocess env scrub when allowed_non_write_users is configured (#1093)
  • 6062f37 chore: bump Claude Code to 2.1.81 and Agent SDK to 0.2.81
  • df37d2f chore: bump Claude Code to 2.1.79 and Agent SDK to 0.2.79
  • 1ba15be Remove redundant git status/diff/log from tag mode allowlist (#1075)
  • 9ddce40 Restore .claude/ and .mcp.json from PR base branch before CLI runs (#1066)
  • 1b422b3 chore: bump Claude Code to 2.1.78 and Agent SDK to 0.2.77
  • 4c044bb chore: bump Claude Code to 2.1.77 and Agent SDK to 0.2.77
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
ci(deps): bump the actions-minor group with 2 updates
2e7bf7a 
Bumps the actions-minor group with 2 updates: [actions/cache](https://github.com/actions/cache) and [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action).


Updates `actions/cache` from 5.0.3 to 5.0.4
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@cdf6c1f...6682284)

Updates `anthropics/claude-code-action` from 1.0.72 to 1.0.77
- [Release notes](https://github.com/anthropics/claude-code-action/releases)
- [Commits](anthropics/claude-code-action@cd77b50...ff9acae)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor
- dependency-name: anthropics/claude-code-action
  dependency-version: 1.0.77
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Mar 23, 2026

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot requested a review from stranske as a code owner March 23, 2026 13:21
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 23, 2026

⚠️ Action Required: Unable to determine source issue for PR #328. The PR title, branch name, or body must contain the issue number (e.g. #123, branch: issue-123, or the hidden marker ).

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 23, 2026

Health 45 Agents Guard stopped this pull request.

What we found

  • Protected workflows modified:
    • .github/workflows/agents-auto-pilot.yml
  • Missing agents:allow-change label.
  • Request approval from a CODEOWNER (@stranske).

Next steps

  • Apply the agents:allow-change label to this pull request once the change is justified.
  • Ask a CODEOWNER (@stranske) to review and approve the change.
  • Push an update or re-run this workflow after addressing the issues.

Files seen in this run

  • .github/workflows/agents-auto-pilot.yml (modified)

@agents-workflows-bot
Copy link
Copy Markdown
Contributor

agents-workflows-bot bot commented Mar 23, 2026
edited
Loading

🤖 Keepalive Loop Status

PR #328 | Agent: Codex | Iteration 0/5

Current State

Metric Value
Iteration progress [----------] 0/5
Action wait (missing-agent-label)
Disposition skipped (transient)
Gate success
Tasks 0/8 complete
Timeout 45 min (default)
Timeout usage 0m elapsed (2%, 45m remaining)
Keepalive ❌ disabled
Autofix ❌ disabled

🔍 Failure Classification

| Error type | infrastructure |
| Error category | resource |
| Suggested recovery | Confirm the referenced resource exists (repo, PR, branch, workflow, or file). |

@agents-workflows-bot
Copy link
Copy Markdown
Contributor

agents-workflows-bot bot commented Mar 23, 2026
edited
Loading

Keepalive Work Log (click to expand)
# Time (UTC) Agent Action Result Files Tasks Progress Commit Gate
0 2026-03-23 13:28:09 Codex wait (missing-agent-label-transient) skipped 0 0/8 success
0 2026-03-23 13:38:44 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-23 14:31:34 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-23 15:28:42 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-23 16:26:49 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-23 17:24:09 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-23 18:24:37 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-23 19:24:01 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-23 20:19:01 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-23 21:17:22 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-23 22:13:06 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-23 23:14:17 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 00:42:04 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 01:40:01 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 03:07:49 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 04:42:52 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 05:34:53 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 06:31:34 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 07:29:16 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 08:22:54 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 09:25:22 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 10:23:55 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 11:22:28 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 12:25:53 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 13:37:37 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 14:34:08 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 15:32:00 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 16:32:54 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 17:26:52 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 18:27:52 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success
0 2026-03-24 19:29:12 Codex wait (missing-agent-label-transient) retry skipped 0 0/8 success

stranske pushed a commit that referenced this pull request Mar 24, 2026
@claude
ci: bump anthropics/claude-code-action to ff9acae5886d41a99ed4ec14b7d…
f852104 
…c147d55834722

From dependabot PR #328 — applying only the maint-76-claude-code-review.yml
change. The agents-auto-pilot.yml change is excluded as that file is managed
by the stranske/Workflows sync.

https://claude.ai/code/session_01D7662TN52iZPqh1HgAFBRQ
@stranske Claude
Copy link
Copy Markdown
Owner

stranske commented Mar 24, 2026

This PR cannot be merged as-is because it modifies agents-auto-pilot.yml, which is a protected workflow file synced from stranske/Workflows. The Agents Guard correctly blocks this.

Action taken:

  • The maint-76-claude-code-review.yml change (bumping anthropics/claude-code-action) has been applied manually on the claude/dependabot-updates-counter-risk-jZ8vg branch.
  • The agents-auto-pilot.yml update (actions/cache pin bump) should be handled via the Workflows repo sync.

Closing this PR to keep the queue clean.

@stranske stranske closed this Mar 24, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Mar 24, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/github_actions/actions-minor-ffd8b3b0d8 branch March 24, 2026 20:18
@stranske stranske mentioned this pull request Mar 24, 2026
Merged
9 tasks
stranske added a commit that referenced this pull request Mar 24, 2026
@stranske @claude
ci: bump anthropics/claude-code-action pin in maint-76-claude-code-re…
6dcf60d 
…view

From dependabot PR #328 — applying only the maint-76-claude-code-review.yml
change. The agents-auto-pilot.yml change is excluded as that file is managed
by the stranske/Workflows sync.

https://claude.ai/code/session_01D7662TN52iZPqh1HgAFBRQ

Co-authored-by: Claude <noreply@anthropic.com>
stranske added a commit that referenced this pull request Mar 28, 2026
@stranske @claude
feat: add remote trigger scripts and complete bundle operator entrypo…
3e5fae5 
…int (#333)

* ci: bump anthropics/claude-code-action to ff9acae5886d41a99ed4ec14b7dc147d55834722

From dependabot PR #328 — applying only the maint-76-claude-code-review.yml
change. The agents-auto-pilot.yml change is excluded as that file is managed
by the stranske/Workflows sync.

https://claude.ai/code/session_01D7662TN52iZPqh1HgAFBRQ

* feat: add remote trigger scripts and fix bundle to include Runner.xlsm

- Add scripts/windows/request_counter_risk_remote.cmd — operator submits
  a run request by dropping a .request file in a shared folder
- Add scripts/windows/process_counter_risk_remote.cmd — worker polls the
  shared folder, runs the CLI for each request, marks .done/.failed
- Add docs/remote_trigger_testing.md — full flow documentation
- Update release.py to:
    - Copy Runner.xlsm into bundle as counter_risk_runner.xlsm (operator
      entrypoint as documented in deployment instructions)
    - Copy remote cmd scripts into bundle root
    - Update README_HOW_TO_RUN.md to reference all three entry points

Resolves the four missing items flagged in the deployment instructions review.

https://claude.ai/code/session_01D7662TN52iZPqh1HgAFBRQ

* fix: address PR #333 review comments

- request_counter_risk_remote.cmd: add PowerShell fallback for wmic
  timestamp generation; validate TIMESTAMP before use; align input_root
  prompt text with actual worker default (bundle folder)
- process_counter_risk_remote.cmd: guard for loop body with `if exist`
  to prevent false FOUND=1 when no .request files match the wildcard;
  use per-request unique settings filename (%BASE%) to avoid collision
  when multiple workers run concurrently; delete settings file after run
- docs/remote_trigger_testing.md: fix Runner.xlsm -> counter_risk_runner.xlsm
  in prerequisites table
- release.py: fail fast (ValueError) when Runner.xlsm is absent; add
  _copy_remote_trigger_doc() to include remote_trigger_testing.md at
  bundle root; fix README reference from docs/ path to bundle-root path
- tests/test_release_bundle.py: seed Runner.xlsm, remote scripts, and
  remote_trigger_testing.md in _write_fake_repo; add five new tests:
  copy_runner_xlsm copies / raises-when-missing, copy_remote_scripts,
  assemble_release includes all new artifacts in bundle + manifest,
  assemble_release fails fast when Runner.xlsm missing

https://claude.ai/code/session_01D7662TN52iZPqh1HgAFBRQ

---------

Co-authored-by: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stranske stranske Awaiting requested review from stranske stranske is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@stranske