)]}'
{
  "log": [
    {
      "commit": "0e7faad7ab29978a4d0d7d6622f18905ca22d889",
      "tree": "7f20732ceec501a9f5aa1e496df24a53f222b78b",
      "parents": [
        "f0a947cc54bf38f29aa857f6c4885f4a3430eb94",
        "19eabf4d49e716052ac0f81fc6e953f758ebbb19"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri May 01 15:48:05 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri May 01 15:48:05 2026 +0200"
      },
      "message": "Merge pull request #788 from apache/dependabot/uv/utils/pygments-2.20.0\n\nbuild(deps): bump pygments from 2.19.2 to 2.20.0 in /utils"
    },
    {
      "commit": "f0a947cc54bf38f29aa857f6c4885f4a3430eb94",
      "tree": "aa95d2893b7ecf5cff53dc3651c9c37bde2ad9d8",
      "parents": [
        "190f77a50d0d40390bfd1dfabf666ec7d54b7d9c"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Fri May 01 13:40:52 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Fri May 01 13:40:52 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "190f77a50d0d40390bfd1dfabf666ec7d54b7d9c",
      "tree": "a3b66a1ba32d9b8574bf4dd4bd2809436465cdf3",
      "parents": [
        "1584652aecc828615080b18f2c47d321e098940d",
        "40a4cd3bb234d81dc0d4551c5a7d056bd46e018b"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri May 01 15:40:07 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri May 01 15:40:07 2026 +0200"
      },
      "message": "Merge pull request #783 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/SonarSource/sonarqube-scan-action-8.0.0\n\naction-allowlist-review: bump SonarSource/sonarqube-scan-action from 7.1.0 to 8.0.0 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "19eabf4d49e716052ac0f81fc6e953f758ebbb19",
      "tree": "fd6c7a29819157b4c84d84f13606169e0cdc2eb3",
      "parents": [
        "1584652aecc828615080b18f2c47d321e098940d"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri May 01 13:23:20 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri May 01 13:23:20 2026 +0000"
      },
      "message": "build(deps): bump pygments from 2.19.2 to 2.20.0 in /utils\n\nBumps [pygments](https://github.com/pygments/pygments) from 2.19.2 to 2.20.0.\n- [Release notes](https://github.com/pygments/pygments/releases)\n- [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES)\n- [Commits](https://github.com/pygments/pygments/compare/2.19.2...2.20.0)\n\n---\nupdated-dependencies:\n- dependency-name: pygments\n  dependency-version: 2.20.0\n  dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "1584652aecc828615080b18f2c47d321e098940d",
      "tree": "2cf1ec83b04999e4319615323a3306e27be2f588",
      "parents": [
        "71741d379d2d9fa9f91bd3b3346de1e371635013",
        "85c837f7803e0d5f30464a55eb8c4876674d2886"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri May 01 15:21:44 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri May 01 15:21:44 2026 +0200"
      },
      "message": "Merge pull request #785 from apache/dependabot/uv/pelican/mypy-1.20.2\n\nbuild(deps-dev): bump mypy from 1.20.1 to 1.20.2 in /pelican"
    },
    {
      "commit": "71741d379d2d9fa9f91bd3b3346de1e371635013",
      "tree": "9bd43e9f63d5a81c99efd43484fe1ec2c0bf5e35",
      "parents": [
        "ea1fdb9966f72bdbe12269db150e215453948e6d",
        "48a1949f8f99c287ff96268ee4eb7102d4c74ece"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri May 01 15:21:22 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri May 01 15:21:22 2026 +0200"
      },
      "message": "Merge pull request #786 from apache/dependabot/uv/stash/mypy-1.20.2\n\nbuild(deps-dev): bump mypy from 1.20.1 to 1.20.2 in /stash"
    },
    {
      "commit": "48a1949f8f99c287ff96268ee4eb7102d4c74ece",
      "tree": "9bd43e9f63d5a81c99efd43484fe1ec2c0bf5e35",
      "parents": [
        "ea1fdb9966f72bdbe12269db150e215453948e6d"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri May 01 01:07:05 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri May 01 01:07:05 2026 +0000"
      },
      "message": "build(deps-dev): bump mypy from 1.20.1 to 1.20.2 in /stash\n\nBumps [mypy](https://github.com/python/mypy) from 1.20.1 to 1.20.2.\n- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)\n- [Commits](https://github.com/python/mypy/compare/v1.20.1...v1.20.2)\n\n---\nupdated-dependencies:\n- dependency-name: mypy\n  dependency-version: 1.20.2\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "85c837f7803e0d5f30464a55eb8c4876674d2886",
      "tree": "0f280191db7c57af6d0406ed885dcb04338cdd06",
      "parents": [
        "ea1fdb9966f72bdbe12269db150e215453948e6d"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri May 01 01:06:51 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri May 01 01:06:51 2026 +0000"
      },
      "message": "build(deps-dev): bump mypy from 1.20.1 to 1.20.2 in /pelican\n\nBumps [mypy](https://github.com/python/mypy) from 1.20.1 to 1.20.2.\n- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)\n- [Commits](https://github.com/python/mypy/compare/v1.20.1...v1.20.2)\n\n---\nupdated-dependencies:\n- dependency-name: mypy\n  dependency-version: 1.20.2\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "40a4cd3bb234d81dc0d4551c5a7d056bd46e018b",
      "tree": "d717150a2170bd3df007d0c73f4005c264e90026",
      "parents": [
        "ea1fdb9966f72bdbe12269db150e215453948e6d"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Wed Apr 29 13:25:33 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Wed Apr 29 13:25:33 2026 +0000"
      },
      "message": "action-allowlist-review: bump SonarSource/sonarqube-scan-action\n\nBumps [SonarSource/sonarqube-scan-action](https://github.com/sonarsource/sonarqube-scan-action) from 7.1.0 to 8.0.0.\n- [Release notes](https://github.com/sonarsource/sonarqube-scan-action/releases)\n- [Commits](https://github.com/sonarsource/sonarqube-scan-action/compare/299e4b793aaa83bf2aba7c9c14bedbb485688ec4...59db25f34e16620e48ab4bb9e4a5dce155cb5432)\n\n---\nupdated-dependencies:\n- dependency-name: SonarSource/sonarqube-scan-action\n  dependency-version: 8.0.0\n  dependency-type: direct:production\n  update-type: version-update:semver-major\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "ea1fdb9966f72bdbe12269db150e215453948e6d",
      "tree": "9cd8347b724c3380253643f6071bc3a51eb383fd",
      "parents": [
        "f80e4c49a51e619aec9a20a637e1631b6a74bfe3",
        "a3499e94ba02d1999f4704372a34c84150065e86"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Wed Apr 29 03:39:12 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Wed Apr 29 03:39:12 2026 +0200"
      },
      "message": "Merge pull request #781 from potiuk/check-transitive-failures-hourly-gate\n\ncheck-for-transitive-failures: hourly cron with change-aware gate"
    },
    {
      "commit": "f80e4c49a51e619aec9a20a637e1631b6a74bfe3",
      "tree": "aff472f1cdb764a3d5f1dd587f707f4be1a4a1e5",
      "parents": [
        "57519feb7d96f880a872a4216e4bfa1ea197d051",
        "77e347e4f30c2da50827722d62ee8e88ba7739be"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Wed Apr 29 01:24:51 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Wed Apr 29 01:24:51 2026 +0200"
      },
      "message": "Merge pull request #748 from apache/add-codeowners\n\nci: add CODEOWNERS for default reviewer requests"
    },
    {
      "commit": "57519feb7d96f880a872a4216e4bfa1ea197d051",
      "tree": "1163f0888ad383159f1cda155ecf8ae47eacaaab",
      "parents": [
        "c1aaf11a43302b9915a6e2e160337bd10b2daa8c",
        "02bd41d7e3b38afdb6662342aa58cee1a9736f4a"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Apr 28 21:28:53 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 28 21:28:53 2026 +0200"
      },
      "message": "Merge pull request #775 from potiuk/verify-action-build-skip-data-fetches\n\nverify-action-build: skip binary-download check for pure data fetches"
    },
    {
      "commit": "77e347e4f30c2da50827722d62ee8e88ba7739be",
      "tree": "251088fd881fc122d9269d8f8f508aa0a9cf16af",
      "parents": [
        "8ea0373de7631e108eed65b6665a2fb721f0a3f5"
      ],
      "author": {
        "name": "Dave Fisher",
        "email": "dave2wave@comcast.net",
        "time": "Tue Apr 28 11:27:55 2026 -0700"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 28 11:27:55 2026 -0700"
      },
      "message": "Update CODEOWNERS to correct username\n\nSigned-off-by: Dave Fisher \u003cdave2wave@comcast.net\u003e"
    },
    {
      "commit": "8ea0373de7631e108eed65b6665a2fb721f0a3f5",
      "tree": "175573746559f2e6a232229b320251be3427c4cc",
      "parents": [
        "81d1b4ceeb760d73303d1b7ec5ce31c3be757615"
      ],
      "author": {
        "name": "Dave Fisher",
        "email": "dave2wave@comcast.net",
        "time": "Tue Apr 28 11:27:27 2026 -0700"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 28 11:27:27 2026 -0700"
      },
      "message": "Fix id in CODEOWNERS file\n\nSigned-off-by: Dave Fisher \u003cdave2wave@comcast.net\u003e"
    },
    {
      "commit": "c1aaf11a43302b9915a6e2e160337bd10b2daa8c",
      "tree": "c1545e2f8bcfe3be1a29a4338ca3028b73e1850b",
      "parents": [
        "a60093a343f8cb1002197d9a60a2ce786702a3aa"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Tue Apr 28 17:31:50 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Tue Apr 28 17:31:50 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "a60093a343f8cb1002197d9a60a2ce786702a3aa",
      "tree": "d8decf95ddef0bf090eb2726a280ac82abdef04d",
      "parents": [
        "0d027d6e44ec706798e5e5ef557352e5469bca81",
        "639dd39c4fdcce0cb6ff8c12e02394b9eab9e2da"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Apr 28 19:24:26 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 28 19:24:26 2026 +0200"
      },
      "message": "Merge pull request #780 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/dawidd6/action-send-mail-17\n\naction-allowlist-review: bump dawidd6/action-send-mail from 16 to 17 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "81d1b4ceeb760d73303d1b7ec5ce31c3be757615",
      "tree": "251088fd881fc122d9269d8f8f508aa0a9cf16af",
      "parents": [
        "125262ea8d9572a3a5f41899993a09138c1ca427"
      ],
      "author": {
        "name": "Dave Fisher",
        "email": "dave2wave@comcast.net",
        "time": "Tue Apr 28 10:22:58 2026 -0700"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 28 10:22:58 2026 -0700"
      },
      "message": "Add @ppkarwasz as a code owner\n\nSigned-off-by: Dave Fisher \u003cdave2wave@comcast.net\u003e"
    },
    {
      "commit": "a3499e94ba02d1999f4704372a34c84150065e86",
      "tree": "645208f3a7020cafdd7773555bb0320bc7af86f2",
      "parents": [
        "0d027d6e44ec706798e5e5ef557352e5469bca81"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Apr 28 19:22:08 2026 +0200"
      },
      "committer": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Apr 28 19:22:08 2026 +0200"
      },
      "message": "check-for-transitive-failures: hourly cron with change-aware gate\n\nThe push trigger fired immediately after every Dependabot merge to main,\nbut the org-level allowlist sync (an external ASF Infra job) hadn\u0027t\ncaught up yet, so the workflow consistently failed with \u0027action ... is\nnot allowed\u0027 before any step ran. The daily cron always succeeded; push\nruns almost always failed. PR #721 attempted to fix this by scoping push\nto main on the assumption that update_actions.yml would land first, but\nboth workflows fire concurrently on the same merge commit and the org\nsync is asynchronous to either.\n\nReplace the trigger model:\n\n- Drop push entirely.\n- Run hourly via cron.\n- Add a \u0027gate\u0027 job that decides whether the actual check needs to run\n  by diffing the composite action.yml against the SHA of the last\n  successful run. Skips when nothing has changed, so most hours we\n  burn ~5 seconds on the gate and exit.\n- 30-minute grace period after a composite change before probing,\n  giving the org-level sync time to land. Tunable.\n- 24-hour safety net: always run if it\u0027s been a day since last\n  success, preserving the original \u0027detect transitive deps that fall\n  out of the allowlist without any local edit\u0027 purpose.\n"
    },
    {
      "commit": "639dd39c4fdcce0cb6ff8c12e02394b9eab9e2da",
      "tree": "d8decf95ddef0bf090eb2726a280ac82abdef04d",
      "parents": [
        "0d027d6e44ec706798e5e5ef557352e5469bca81"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Apr 28 13:25:59 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 28 13:25:59 2026 +0000"
      },
      "message": "action-allowlist-review: bump dawidd6/action-send-mail\n\nBumps [dawidd6/action-send-mail](https://github.com/dawidd6/action-send-mail) from 16 to 17.\n- [Release notes](https://github.com/dawidd6/action-send-mail/releases)\n- [Commits](https://github.com/dawidd6/action-send-mail/compare/d38f3f7cd391cdebfe0d38efc3998b935e951c4f...42942bc2f8fba4e611b459a018967a6a7c78c68c)\n\n---\nupdated-dependencies:\n- dependency-name: dawidd6/action-send-mail\n  dependency-version: \u002717\u0027\n  dependency-type: direct:production\n  update-type: version-update:semver-major\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "0d027d6e44ec706798e5e5ef557352e5469bca81",
      "tree": "e997f615455a7e00ee127a1cb7ae3d06595d782e",
      "parents": [
        "b2cbb21b278101bfcbc6a38c22e0dba7ae341640"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Tue Apr 28 07:40:26 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Tue Apr 28 07:40:26 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "b2cbb21b278101bfcbc6a38c22e0dba7ae341640",
      "tree": "6be03665e4302a0a0bcc0502e45d1141c8469a7d",
      "parents": [
        "aa619211237dc022790803a3af058e40b745035c",
        "262390650270fa8bc43063bc3780d97fb9c0731e"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Apr 28 09:40:09 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 28 09:40:09 2026 +0200"
      },
      "message": "Merge pull request #724 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/posit-dev/setup-air-1.0.1\n\naction-allowlist-review: bump posit-dev/setup-air from 1.0.0 to 1.0.1 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "aa619211237dc022790803a3af058e40b745035c",
      "tree": "4bd26031087fabebf699984e172b4e4e70dceb3b",
      "parents": [
        "3edb576bc72a1e88f7290ef54440d31d75ed73d5"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Tue Apr 28 07:38:40 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Tue Apr 28 07:38:40 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "3edb576bc72a1e88f7290ef54440d31d75ed73d5",
      "tree": "b9180394264f945664f3331685c7d513c76f7324",
      "parents": [
        "b6cdec77e5074b3960c635facc5c0e291b02b703",
        "6fd2564620241cf9336918890d2610c4e88ccfc0"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Apr 28 09:38:26 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 28 09:38:26 2026 +0200"
      },
      "message": "Merge pull request #769 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/leafo/gh-actions-luarocks-6.1.0\n\naction-allowlist-review: bump leafo/gh-actions-luarocks from 6.0.0 to 6.1.0 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "b6cdec77e5074b3960c635facc5c0e291b02b703",
      "tree": "5eec1879056f43d9cfabbff7732ce966ae60b669",
      "parents": [
        "acdd6b8fe6d9dda25a283cc39e9e2033bcaf34e4"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Tue Apr 28 07:38:11 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Tue Apr 28 07:38:11 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "acdd6b8fe6d9dda25a283cc39e9e2033bcaf34e4",
      "tree": "d1c396374c4a47cbfd68d96d8a48431ff0fb81a4",
      "parents": [
        "95ae96cdaa6ecca325c30b1699bb6355ed1b58ae",
        "409bd9e7b4a9813f56e3cd61e83f4adda29f7e43"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Apr 28 09:37:52 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 28 09:37:52 2026 +0200"
      },
      "message": "Merge pull request #752 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/dependabot/fetch-metadata-3.1.0\n\naction-allowlist-review: bump dependabot/fetch-metadata from 3.0.0 to 3.1.0 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "95ae96cdaa6ecca325c30b1699bb6355ed1b58ae",
      "tree": "19a67caf59b31d84b9aa03b2be3a39d83b69abd8",
      "parents": [
        "625a6ca502710ad5d6c69ce1179e6f839ab2191e"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Tue Apr 28 03:18:26 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Tue Apr 28 03:18:26 2026 +0000"
      },
      "message": "Remove Expired Refs\n\nGenerated by .github/workflows/remove_expired.yml\n"
    },
    {
      "commit": "625a6ca502710ad5d6c69ce1179e6f839ab2191e",
      "tree": "64cd210a9f3f2f310240ea89d87b1dd31a9c6470",
      "parents": [
        "fddd2534dae5380496ab8319bf9799995c9e532e"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Mon Apr 27 23:38:19 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Mon Apr 27 23:38:19 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "fddd2534dae5380496ab8319bf9799995c9e532e",
      "tree": "e6caefc344c45916d0686508e3329279b4cefc31",
      "parents": [
        "92addabd6dce4d74629a830dff0941d885210587",
        "69ecc3d3e3b2216af51dd17b82b9ad8902dc8ef9"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Apr 28 01:38:06 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 28 01:38:06 2026 +0200"
      },
      "message": "Merge pull request #778 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/JetBrains/qodana-action-2026.1.0\n\naction-allowlist-review: bump JetBrains/qodana-action from 2025.3.2 to 2026.1.0 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "92addabd6dce4d74629a830dff0941d885210587",
      "tree": "9c944904683f984fd98049f6b4ca699ce2b3f3ca",
      "parents": [
        "a754096878290f5a73f381b4903969660e827b13"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Mon Apr 27 23:26:16 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Mon Apr 27 23:26:16 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "a754096878290f5a73f381b4903969660e827b13",
      "tree": "79f25ec57c8c1fe1d97674af56f822c8da3f4d82",
      "parents": [
        "38760c3c95cd520c77f36a7be1b370fd53bd18c2",
        "8019fb1f44316a2faa0e1322344e504556ccca34"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Apr 28 01:25:59 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 28 01:25:59 2026 +0200"
      },
      "message": "Merge pull request #779 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/uraimo/run-on-arch-action-3.1.0\n\naction-allowlist-review: bump uraimo/run-on-arch-action from 3.0.1 to 3.1.0 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "02bd41d7e3b38afdb6662342aa58cee1a9736f4a",
      "tree": "91290e0fa08b5ffd0abe22e74ef3b58f95097db5",
      "parents": [
        "38760c3c95cd520c77f36a7be1b370fd53bd18c2"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sat Apr 25 20:24:41 2026 +0200"
      },
      "committer": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Apr 28 00:57:07 2026 +0200"
      },
      "message": "verify-action-build: skip binary-download check for pure data fetches\n\nThe binary-download check flags any tc.downloadTool / fetch / https.get\nin JS source unless the file also has a verification pattern (sha256,\ngpg --verify, etc.). That over-flags actions that fetch HTTP responses\npurely as data — a metadata badge regex\u0027d for an integer, an API JSON\nparsed for a version number — where there is no binary or executable\nto verify in the first place.\n\nAdd a per-file heuristic: a download is exempt iff the file contains\ndata-parse markers (.match, .matchAll, JSON.parse, parseInt, .split,\n.test, .replace, .startsWith, etc.) AND no binary-handling markers\n(tc.extractTar/Zip/7z/Xar, tc.cacheFile/Dir, fs.writeFile family,\nexec.exec, child_process, spawn, chmod). Both conditions must hold —\na file that mixes a metadata fetch and a real archive download keeps\nthe strict check, since per-finding scoping without a real AST would\nbe fragile.\n\nThe motivating false-positive was an apache/infrastructure-actions PR\ninvolving this code in src/dependabot/verified_commits.ts:\n\n  https.get(`https://dependabot-badges.githubapp.com/.../compatibility_score?...`, res \u003d\u003e { ... })\n  const scoreChunk \u003d svg.match(/\u003ctitle\u003ecompatibility: (?\u003cscore\u003e\\d+)%/)\n  return scoreChunk?.groups ? parseInt(scoreChunk.groups.score) : 0\n\nA computed-on-demand badge with no possible \u0027expected hash\u0027 to pin\nagainst, and a regex-extracted integer with no security boundary\ncrossed. With this change the file is recognised as a data fetch and\nthe check passes; meanwhile leafo/gh-actions-luarocks (real\ntc.downloadTool + tc.extractTar) is still correctly flagged.\n"
    },
    {
      "commit": "8019fb1f44316a2faa0e1322344e504556ccca34",
      "tree": "79f25ec57c8c1fe1d97674af56f822c8da3f4d82",
      "parents": [
        "38760c3c95cd520c77f36a7be1b370fd53bd18c2"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Mon Apr 27 17:06:07 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Mon Apr 27 17:06:07 2026 +0000"
      },
      "message": "action-allowlist-review: bump uraimo/run-on-arch-action\n\nBumps [uraimo/run-on-arch-action](https://github.com/uraimo/run-on-arch-action) from 3.0.1 to 3.1.0.\n- [Release notes](https://github.com/uraimo/run-on-arch-action/releases)\n- [Commits](https://github.com/uraimo/run-on-arch-action/compare/d94c13912ea685de38fccc1109385b83fd79427d...f9b26e3a1a408d5fd530d20c17b9f3f4428ff8d9)\n\n---\nupdated-dependencies:\n- dependency-name: uraimo/run-on-arch-action\n  dependency-version: 3.1.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "69ecc3d3e3b2216af51dd17b82b9ad8902dc8ef9",
      "tree": "388eaba5f886640d0d88bc5d4b69b43d4958ec11",
      "parents": [
        "38760c3c95cd520c77f36a7be1b370fd53bd18c2"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Mon Apr 27 17:04:56 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Mon Apr 27 17:04:56 2026 +0000"
      },
      "message": "action-allowlist-review: bump JetBrains/qodana-action\n\nBumps [JetBrains/qodana-action](https://github.com/jetbrains/qodana-action) from 2025.3.2 to 2026.1.0.\n- [Release notes](https://github.com/jetbrains/qodana-action/releases)\n- [Commits](https://github.com/jetbrains/qodana-action/compare/89eb4357efd2b52e639f3216e63edaf33b82622b...d7b5ec2fbec32197ef447c450e00589ed5f34fd5)\n\n---\nupdated-dependencies:\n- dependency-name: JetBrains/qodana-action\n  dependency-version: 2026.1.0\n  dependency-type: direct:production\n  update-type: version-update:semver-major\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "125262ea8d9572a3a5f41899993a09138c1ca427",
      "tree": "07ce91a5510f40062ae73cd608dc7bc3d7f73fd6",
      "parents": [
        "f75352a838693be280a3fb2b089d01ddd6a1c09e"
      ],
      "author": {
        "name": "Dave Fisher",
        "email": "dave2wave@comcast.net",
        "time": "Mon Apr 27 08:57:57 2026 -0700"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Mon Apr 27 08:57:57 2026 -0700"
      },
      "message": "Remove @raboof from CODEOWNERS\n\nSigned-off-by: Dave Fisher \u003cdave2wave@comcast.net\u003e"
    },
    {
      "commit": "38760c3c95cd520c77f36a7be1b370fd53bd18c2",
      "tree": "16eb3401e3cb752eb6abd98a2a9c644e07c02ef3",
      "parents": [
        "c4fcdc2d660ded8ee9008b8fd6019f24146b6036"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Mon Apr 27 15:24:31 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Mon Apr 27 15:24:31 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "c4fcdc2d660ded8ee9008b8fd6019f24146b6036",
      "tree": "611f3af42bb2dbd9d4a124eb1a6a255168a9b22a",
      "parents": [
        "6782e73a966b9b8aa74998aa972dff99a69a1636",
        "3c5063ab7e7440f6513d452d119e6e67db590148"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Mon Apr 27 16:57:48 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Mon Apr 27 16:57:48 2026 +0200"
      },
      "message": "Merge pull request #776 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/orhun/git-cliff-action-4.8.0\n\naction-allowlist-review: bump orhun/git-cliff-action from 4.7.1 to 4.8.0 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "6782e73a966b9b8aa74998aa972dff99a69a1636",
      "tree": "dd79017321be86550082a0db25943cd4cd47b840",
      "parents": [
        "c56de6a2affd950e89f38cdebb94bfc488d2de78",
        "48156b9655ae3cd7f96865a94cf0eb2f17597091"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Mon Apr 27 16:42:10 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Mon Apr 27 16:42:10 2026 +0200"
      },
      "message": "Merge pull request #770 from potiuk/verify-action-build-require-lock-files\n\nverify-action-build: require a lock file for every dependency manifest"
    },
    {
      "commit": "c56de6a2affd950e89f38cdebb94bfc488d2de78",
      "tree": "2dbb3682ad63c2eb71b7a83ee8351a3a261d59dd",
      "parents": [
        "fc02cef4382e68725f059a2cb8d6104ce63290d1"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Mon Apr 27 13:50:40 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Mon Apr 27 13:50:40 2026 +0200"
      },
      "message": "ci: auto-insert Apache license headers via Lucas-C/insert-license (#771)\n\nAdd Lucas-C/pre-commit-hooks insert-license to .pre-commit-config.yaml\ncovering every file type that\u0027s actually present in the repo:\n\n  .py .yml/.yaml .toml .sh .ezt Dockerfile/*.Dockerfile .md\n\nHooks share a single license template (scripts/license-templates/LICENSE.txt)\nand the canonical wrapped \u0027#\u0027-comment style (\u0027#|#|#\u0027) used by the majority\nof existing files. Markdown uses \u0027\u003c!--|  |--\u003e\u0027 to match the existing\n2-space-indented HTML-comment style.\n\nExclusions are scoped narrowly:\n  * approved_patterns.yml — auto-generated from actions.yml.\n  * stash/* (except stash/pyproject.toml) — uses the short-form\n    \u0027Copyright (c) The stash contributors / Licensed under Apache 2.0\u0027\n    style which RAT accepts.\n  * .github/workflows/stash-action-test.yml — same short-form.\n  * AGENTS.md / CLAUDE.md — agentic-tooling docs that follow the\n    short-license convention used in apache/airflow.\n\nDrive-by normalisation across files outside stash/:\n  * 17 files had unwrapped headers (\u0027# Licensed\u0027 on line 1, no\n    surrounding \u0027#\u0027 lines) — wrapped to the canonical style so the hook\n    is a no-op on subsequent runs.\n  * pelican/plugins/spu.py and pelican/plugin_paths.py had legacy\n    near-identical license blocks (slightly different wrap, https vs\n    http URL) — replaced with the canonical block; the duplicate that\n    insert-license added on first run was removed manually.\n\nMotivation: PR #770 shipped a new file (lock_file_exemptions.yml)\nwithout an ASF license header, which the rat check correctly caught\nbut only after the PR was opened and reviewed. Running this hook\nlocally would have flagged it before push."
    },
    {
      "commit": "fc02cef4382e68725f059a2cb8d6104ce63290d1",
      "tree": "f1b3aca7d91b7d2b74fadc88445995d161b55f3c",
      "parents": [
        "947601d90247075260504b59f06d0700c16f023c"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Mon Apr 27 12:33:58 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Mon Apr 27 12:33:58 2026 +0200"
      },
      "message": "verify-action-build: show release date + weekday in summary (#773)\n\nAdd a \u0027Released\u0027 (or \u0027Commit date\u0027 fallback) info row to the verification\nsummary, formatted as \u0027Weekday YYYY-MM-DD HH:MM UTC\u0027 — e.g.\n  Released  v0.0.10 — Wednesday 2026-04-22 22:27 UTC\n\nResolution order in get_release_or_commit_time():\n  1. Find every tag pointing at the commit, most-specific first.\n  2. For each tag, query the GitHub Releases API for published_at.\n  3. If no release exists, fall back to the commit\u0027s committer date.\n\nWhy weekday and not \u0027N days ago\u0027: the same verification output may be\nre-read days or weeks later (in a CI log, a quoted PR comment, a saved\ntranscript). \u0027N days ago\u0027 silently rots in those contexts; the absolute\ntimestamp is self-validating, and the weekday gives a reader an instant\nsense of how recent it is relative to today\u0027s weekday — without baking\na stale relative phrase into the output."
    },
    {
      "commit": "947601d90247075260504b59f06d0700c16f023c",
      "tree": "0b2a2dcaa203a7bc3830f9c80043ee2daaa90cc9",
      "parents": [
        "f46dddd47a8886180d779603779795a937a28650"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Mon Apr 27 03:18:50 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Mon Apr 27 03:18:50 2026 +0000"
      },
      "message": "Remove Expired Refs\n\nGenerated by .github/workflows/remove_expired.yml\n"
    },
    {
      "commit": "f46dddd47a8886180d779603779795a937a28650",
      "tree": "68cbcb9ad6fd789f1304faeb9f23d274945d2661",
      "parents": [
        "030329fae62648d3d6b0cd745070fbccf0b78814"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sun Apr 26 21:46:19 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Sun Apr 26 21:46:19 2026 +0200"
      },
      "message": "verify-action-build: keep non-minified compiled JS, diff vs approved (#777)\n\nA clean rebuild of non-minified bundles (Deno\u0027s `deno task bundle`,\nDart\u0027s `dart compile js`, esbuild non-minified output) tends to differ\nfrom the committed `dist/` only in toolchain-version noise — esbuild,\nncc and webpack boilerplate evolve between versions and the diff isn\u0027t\nactionable for review. Until now those files showed up as\n\"non-minified — rebuild differs\" warnings that reviewers couldn\u0027t act\non; surfaced again on PR #736 against `Kesin11/actions-timeline`.\n\nTreat them differently: in the pre-rebuild deletion step the Dockerfile\nnow skips files that look non-minified (\u003c10 lines, or average line\nlength \u003e500 chars — same heuristic as `is_minified()` in `diff_js.py`)\nand records each kept path in `/kept-js.log`. The rebuild comparison\nshort-circuits these files with a yellow note pointing at the\napproved-vs-new diff, and `diff_approved_vs_new()` now diffs them\nagainst the previously-approved version (overriding its `dist/`\nexclusion) with `beautify_js()` applied so huge bundles render\nreadably. Reviewers see real source changes between versions instead of\ntoolchain artifacts.\n\nMinified bundles still take the full delete-and-rebuild path, so\nhand-written or unbuilt JS in `dist/` is still caught.\n\nTests: `test_keeps_non_minified_compiled_js` guards the Dockerfile\nheuristic; `TestDiffJsKeptFiles` covers the `kept_files` short-circuit\nin `diff_js`. README updated to describe the behaviour.\n\nGenerated-by: Claude Opus 4.7 (1M context) \u003cnoreply@anthropic.com\u003e"
    },
    {
      "commit": "6fd2564620241cf9336918890d2610c4e88ccfc0",
      "tree": "3742175c329ccc4ce10471a80c687f54c26b04c7",
      "parents": [
        "030329fae62648d3d6b0cd745070fbccf0b78814"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Sun Apr 26 15:54:55 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Sun Apr 26 15:54:55 2026 +0000"
      },
      "message": "action-allowlist-review: bump leafo/gh-actions-luarocks\n\nBumps [leafo/gh-actions-luarocks](https://github.com/leafo/gh-actions-luarocks) from 6.0.0 to 6.1.0.\n- [Release notes](https://github.com/leafo/gh-actions-luarocks/releases)\n- [Commits](https://github.com/leafo/gh-actions-luarocks/compare/97053c556d6ce2c8e26eb7ac93743437c7af7248...35d062def313a7699a0d513e996bcf4352f05389)\n\n---\nupdated-dependencies:\n- dependency-name: leafo/gh-actions-luarocks\n  dependency-version: 6.1.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "030329fae62648d3d6b0cd745070fbccf0b78814",
      "tree": "6e8945120d99fd31a3eb1bfa28a2a223f8a9b916",
      "parents": [
        "c88ac69b389709930ac9bd442af3032793b268b4"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Sun Apr 26 15:53:47 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Sun Apr 26 15:53:47 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "c88ac69b389709930ac9bd442af3032793b268b4",
      "tree": "f037de8fad631753b8af9e8ae7e4fdf25806042f",
      "parents": [
        "f53b3a06897a0fb99a9af172de153e635633c9c5",
        "37f2767f603fa0327c63eca30557abcf40d2c163"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sun Apr 26 17:53:29 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Sun Apr 26 17:53:29 2026 +0200"
      },
      "message": "Merge pull request #736 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/Kesin11/actions-timeline-3.1.0\n\naction-allowlist-review: bump Kesin11/actions-timeline from 3.0.0 to 3.1.0 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "3c5063ab7e7440f6513d452d119e6e67db590148",
      "tree": "b9de6573cc0f8f767499a00fd68332b9551c6011",
      "parents": [
        "f53b3a06897a0fb99a9af172de153e635633c9c5"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Sun Apr 26 13:18:03 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Sun Apr 26 13:18:03 2026 +0000"
      },
      "message": "action-allowlist-review: bump orhun/git-cliff-action\n\nBumps [orhun/git-cliff-action](https://github.com/orhun/git-cliff-action) from 4.7.1 to 4.8.0.\n- [Release notes](https://github.com/orhun/git-cliff-action/releases)\n- [Commits](https://github.com/orhun/git-cliff-action/compare/c93ef52f3d0ddcdcc9bd5447d98d458a11cd4f72...f50e11560dce63f7c33227798f90b924471a88b5)\n\n---\nupdated-dependencies:\n- dependency-name: orhun/git-cliff-action\n  dependency-version: 4.8.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "37f2767f603fa0327c63eca30557abcf40d2c163",
      "tree": "f037de8fad631753b8af9e8ae7e4fdf25806042f",
      "parents": [
        "f53b3a06897a0fb99a9af172de153e635633c9c5"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Sat Apr 25 18:30:28 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Sat Apr 25 18:30:28 2026 +0000"
      },
      "message": "action-allowlist-review: bump Kesin11/actions-timeline\n\nBumps [Kesin11/actions-timeline](https://github.com/kesin11/actions-timeline) from 3.0.0 to 3.1.0.\n- [Release notes](https://github.com/kesin11/actions-timeline/releases)\n- [Commits](https://github.com/kesin11/actions-timeline/compare/e018cfefea60b4f44266998551211a35a58b8097...44c9c178ffb2fb1d9859614a3ffa79ccfb77565e)\n\n---\nupdated-dependencies:\n- dependency-name: Kesin11/actions-timeline\n  dependency-version: 3.1.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "f53b3a06897a0fb99a9af172de153e635633c9c5",
      "tree": "6a4bff29ab5634b9e5c7993bcfa9c99dfa7cf412",
      "parents": [
        "ec5e5024121364b28634ddefd3ba6cbaa6fbdd4a"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Sat Apr 25 17:49:03 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Sat Apr 25 17:49:03 2026 +0000"
      },
      "message": "Update approved_patterns.yml and .github/actions/for-dependabot-triggered-reviews/action.yml based on actions.yml\n\nGenerated by .github/workflows/update_composite_action.yml\n"
    },
    {
      "commit": "ec5e5024121364b28634ddefd3ba6cbaa6fbdd4a",
      "tree": "ab3ccd0d0ff9ebe164778bf9ac165d157ec9d170",
      "parents": [
        "637aefea45158bb5a60a879aa547ce96971c5f67",
        "adffd10ad34089375d9d923386d4bf6b729f7be6"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sat Apr 25 19:48:47 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Sat Apr 25 19:48:47 2026 +0200"
      },
      "message": "Merge pull request #751 from fresh-borzoni/allowlist-erlef-setup-beam\n\nAllow erlef/setup-beam v1.24.0"
    },
    {
      "commit": "637aefea45158bb5a60a879aa547ce96971c5f67",
      "tree": "547fac929cdcad645b1a24dcc2c2360048c550e1",
      "parents": [
        "6226d4dced66ce62525df15444adf795f9c6c8dc"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Sat Apr 25 17:45:30 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Sat Apr 25 17:45:30 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "6226d4dced66ce62525df15444adf795f9c6c8dc",
      "tree": "e4e8799c509a9cb3ec609eb6552ae592e716fb43",
      "parents": [
        "1dead01f69f75154e78b115628efe10270483042",
        "1f60484119f402ced0135e07d205f0d1d51ac750"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sat Apr 25 19:45:16 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Sat Apr 25 19:45:16 2026 +0200"
      },
      "message": "Merge pull request #753 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/dart-lang/setup-dart-1.7.2\n\naction-allowlist-review: bump dart-lang/setup-dart from 1.7.1 to 1.7.2 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "1dead01f69f75154e78b115628efe10270483042",
      "tree": "e41fe0e4b8d9d0300ef90b0b27f32fe66f355733",
      "parents": [
        "15afa675561ce8b6ecf4bb8dde6fffe2ddc688e8"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Sat Apr 25 17:19:59 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Sat Apr 25 17:19:59 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "15afa675561ce8b6ecf4bb8dde6fffe2ddc688e8",
      "tree": "d3b30a768b66a930288c96c5e7b82d7d70df1c47",
      "parents": [
        "c3d4987edb5ebca32d09d0ccf9b9b494a35da7a7",
        "0af9bf0c9d7a6af10ed0181d3677ea0739467e2c"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sat Apr 25 19:19:46 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Sat Apr 25 19:19:46 2026 +0200"
      },
      "message": "Merge pull request #762 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/slackapi/slack-github-action-3.0.2\n\naction-allowlist-review: bump slackapi/slack-github-action from 3.0.1 to 3.0.2 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "48156b9655ae3cd7f96865a94cf0eb2f17597091",
      "tree": "9d8e79ccd69e280a96956e61335d6a580efae084",
      "parents": [
        "0327f65b0b70ffd37706ccadc7eb4aea46fe3d35"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sat Apr 25 17:54:12 2026 +0200"
      },
      "committer": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sat Apr 25 17:54:12 2026 +0200"
      },
      "message": "lock_file_exemptions: add ASF license header\n\nRAT (Release Audit Tool) check on apache/infrastructure-actions requires\nall source files to carry the Apache License v2 header. The new\nlock_file_exemptions.yml was missing it, blocking the rat check on #770.\nSpotted by @dave2wave.\n"
    },
    {
      "commit": "f75352a838693be280a3fb2b089d01ddd6a1c09e",
      "tree": "6fafd1b01b8ac01080a641b39f7a5f68bfb8ca6e",
      "parents": [
        "c3d4987edb5ebca32d09d0ccf9b9b494a35da7a7"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sun Apr 19 20:07:32 2026 +0200"
      },
      "committer": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sat Apr 25 17:45:54 2026 +0200"
      },
      "message": "ci: add CODEOWNERS for default reviewer requests\n\nAdds @dave2wave, @raboof and @potiuk as default codeowners on every\npath, so they\u0027re auto-requested on new PRs and don\u0027t have to be added\nas reviewers by hand. Additional reviewers (e.g. area experts or PMC\nmembers) can still be added ad hoc.\n\nGenerated-by: Claude Opus 4.7 (1M context) \u003cnoreply@anthropic.com\u003e\n"
    },
    {
      "commit": "0327f65b0b70ffd37706ccadc7eb4aea46fe3d35",
      "tree": "670c65b73f85b7fbf439a891e89082661d3eb140",
      "parents": [
        "c2488ba3c00cc27b75b86aae54c069349229d361"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri Apr 24 20:08:50 2026 +0200"
      },
      "committer": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri Apr 24 20:08:50 2026 +0200"
      },
      "message": "verify-action-build: per-ecosystem exemption list for lock-file check\n\nSome upstream projects are libraries or CLI tools that also ship a GitHub\nAction wrapper — e.g. pypa/cibuildwheel (Python library on PyPI),\ndart-lang/setup-dart (Dart package on pub.dev). These repos legitimately\ndon\u0027t commit a lock file because doing so would over-constrain their\nlibrary consumers. Hard-failing on those would block otherwise-valid\nDependabot bumps.\n\nAdd lock_file_exemptions.yml at the repo root listing per-(org/repo)\nper-ecosystem exemptions. analyze_lock_files consults this file and\nreports an exempted manifest as a dim skipped entry (⊘) instead of a\nred failure. Exemptions are scoped per-ecosystem, so an action exempted\nfor one ecosystem is still checked for others it declares (e.g.\ndart-lang/setup-dart\u0027s node side must still have package-lock.json).\n\nPreseeded entries:\n  pypa/cibuildwheel → python   (library on PyPI)\n  dart-lang/setup-dart → dart  (Dart library convention)\n\nLookups lowercase org/repo so case mismatches don\u0027t silently miss.\n"
    },
    {
      "commit": "409bd9e7b4a9813f56e3cd61e83f4adda29f7e43",
      "tree": "8bb07b816da543847aa092e000631ccf96c9d38b",
      "parents": [
        "c3d4987edb5ebca32d09d0ccf9b9b494a35da7a7"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Apr 24 18:07:11 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 18:07:11 2026 +0000"
      },
      "message": "action-allowlist-review: bump dependabot/fetch-metadata\n\nBumps [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) from 3.0.0 to 3.1.0.\n- [Release notes](https://github.com/dependabot/fetch-metadata/releases)\n- [Commits](https://github.com/dependabot/fetch-metadata/compare/ffa630c65fa7e0ecfa0625b5ceda64399aea1b36...25dd0e34f4fe68f24cc83900b1fe3fe149efef98)\n\n---\nupdated-dependencies:\n- dependency-name: dependabot/fetch-metadata\n  dependency-version: 3.1.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "1f60484119f402ced0135e07d205f0d1d51ac750",
      "tree": "90f8f6e6e7e65f4256a8adbafa484208ccf32e7a",
      "parents": [
        "c3d4987edb5ebca32d09d0ccf9b9b494a35da7a7"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Apr 24 18:06:40 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 18:06:40 2026 +0000"
      },
      "message": "action-allowlist-review: bump dart-lang/setup-dart\n\nBumps [dart-lang/setup-dart](https://github.com/dart-lang/setup-dart) from 1.7.1 to 1.7.2.\n- [Release notes](https://github.com/dart-lang/setup-dart/releases)\n- [Changelog](https://github.com/dart-lang/setup-dart/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/dart-lang/setup-dart/compare/e51d8e571e22473a2ddebf0ef8a2123f0ab2c02c...65eb853c7ba17dde3be364c3d2858773e7144260)\n\n---\nupdated-dependencies:\n- dependency-name: dart-lang/setup-dart\n  dependency-version: 1.7.2\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "0af9bf0c9d7a6af10ed0181d3677ea0739467e2c",
      "tree": "d3b30a768b66a930288c96c5e7b82d7d70df1c47",
      "parents": [
        "c3d4987edb5ebca32d09d0ccf9b9b494a35da7a7"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Apr 24 18:06:28 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 18:06:28 2026 +0000"
      },
      "message": "action-allowlist-review: bump slackapi/slack-github-action\n\nBumps [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) from 3.0.1 to 3.0.2.\n- [Release notes](https://github.com/slackapi/slack-github-action/releases)\n- [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/slackapi/slack-github-action/compare/af78098f536edbc4de71162a307590698245be95...03ea5433c137af7c0495bc0cad1af10403fc800c)\n\n---\nupdated-dependencies:\n- dependency-name: slackapi/slack-github-action\n  dependency-version: 3.0.2\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "c2488ba3c00cc27b75b86aae54c069349229d361",
      "tree": "3297e2be6906671453425ad59031f2e89769aa8f",
      "parents": [
        "c3d4987edb5ebca32d09d0ccf9b9b494a35da7a7"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri Apr 24 19:44:20 2026 +0200"
      },
      "committer": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri Apr 24 19:44:20 2026 +0200"
      },
      "message": "verify-action-build: require a lock file for every dependency manifest\n\nEvery action type — node, python, deno, dart, ruby, go, rust — now fails\nverification if a dependency manifest (package.json, pyproject.toml, go.mod,\n...) is found without a matching lock file. Without a lock file, a rebuild\nof the action pulls whatever transitive versions are latest at build time,\nwhich makes the dist/ we verify non-reproducible.\n\nThe new analyze_lock_files check runs for every action type (not just\ncomposite/docker, where analyze_dependency_pinning already runs), since JS\nactions are the primary case where a missing lock file breaks our rebuild\ncomparison.\n\nRecognised manifest-to-lock mappings:\n  package.json   -\u003e package-lock.json / yarn.lock / pnpm-lock.yaml / bun.lock\n  pyproject.toml -\u003e uv.lock / poetry.lock / pdm.lock / requirements.txt\n  Pipfile        -\u003e Pipfile.lock\n  deno.json(c)   -\u003e deno.lock\n  pubspec.yaml   -\u003e pubspec.lock\n  Gemfile        -\u003e Gemfile.lock\n  go.mod         -\u003e go.sum\n  Cargo.toml     -\u003e Cargo.lock\n\nHeuristics to avoid false positives:\n  - pyproject.toml with only tool config (ruff/black/mypy) is skipped.\n  - go.mod with no require directives is skipped.\n  - Rust library crates ([lib] without [[bin]]) skip the Cargo.lock\n    requirement per Cargo convention; binary crates and workspaces don\u0027t.\n  - Sub-path manifests fall back to repo-root manifests when absent.\n"
    },
    {
      "commit": "c3d4987edb5ebca32d09d0ccf9b9b494a35da7a7",
      "tree": "2565e80c37c257cc03ce590b4ae11aa7dad6eaa4",
      "parents": [
        "95115d14d5331f51ed8517c3881f77f0f692a39a",
        "a6b95b7fd91c84c1b1daec86452200a461e11487"
      ],
      "author": {
        "name": "Dave Fisher",
        "email": "dave2wave@comcast.net",
        "time": "Fri Apr 24 09:21:53 2026 -0700"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 09:21:53 2026 -0700"
      },
      "message": "Merge pull request #768 from apache/verify-action-build-source-detached-tags\n\nverify-action-build: handle source-detached orphan release tags"
    },
    {
      "commit": "95115d14d5331f51ed8517c3881f77f0f692a39a",
      "tree": "7324f60d82384a8216d12d19996e4d1fc1281a3b",
      "parents": [
        "3c48a45496bcbc037b62673f425d7fd47f78fa4a"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Fri Apr 24 16:20:02 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Fri Apr 24 16:20:02 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "3c48a45496bcbc037b62673f425d7fd47f78fa4a",
      "tree": "228d67d3bc63b5ac3b9f05bcff6e8d727bc29d47",
      "parents": [
        "1113551f48633ee25aa68855336bcce262a9c802",
        "3e608e6f5e13a6e6899f6b94682fb0d6db8378fb"
      ],
      "author": {
        "name": "Dave Fisher",
        "email": "dave2wave@comcast.net",
        "time": "Fri Apr 24 09:19:35 2026 -0700"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 09:19:35 2026 -0700"
      },
      "message": "Merge pull request #761 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/mozilla-actions/sccache-action-0.0.10\n\naction-allowlist-review: bump mozilla-actions/sccache-action from 0.0.9 to 0.0.10 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "1113551f48633ee25aa68855336bcce262a9c802",
      "tree": "e3278155dba19f76b16447bf9be5d196f9ceb9c6",
      "parents": [
        "7ae7fc55fe8aac02d934e948252cf8fcd3d25e4e",
        "87bc8cf0b960ae888204f0ee2672699653064925"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri Apr 24 14:26:08 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 14:26:08 2026 +0200"
      },
      "message": "Merge pull request #767 from apache/dependabot/uv/stash/ruff-0.15.11\n\nbuild(deps-dev): bump ruff from 0.15.10 to 0.15.11 in /stash"
    },
    {
      "commit": "a6b95b7fd91c84c1b1daec86452200a461e11487",
      "tree": "514902e137758a477d8d20ae261b9ce6c894be9b",
      "parents": [
        "7ae7fc55fe8aac02d934e948252cf8fcd3d25e4e"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri Apr 24 13:29:34 2026 +0200"
      },
      "committer": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri Apr 24 13:29:34 2026 +0200"
      },
      "message": "verify-action-build: handle source-detached orphan release tags\n\nSome actions (e.g. slackapi/slack-github-action with its changesets-driven\nrelease flow) publish their version tag as a rootless orphan commit whose\ntree contains only distributable artifacts — action.yml, dist/, LICENSE,\nREADME.md.  Consumers pin to that commit SHA, so the verifier clones it and\nruns npm run build, but there is no src/ and no package.json at the tag\nand the rebuild silently produces nothing, causing a misleading\n\"DIFFERENCES DETECTED\" failure.\n\nDetect that pattern and resolve the corresponding default-branch source\ncommit via the GitHub Releases API: find the tag(s) pointing at the\ncommit, read published_at, and pick the most recent default-branch commit\nat or just before published_at that has a buildable package.json —\npreferring \"chore: release\"-style messages (changesets / release-please /\nVersion Packages).  The Docker build then captures /original-dist from\nthe orphan tag and git-checkouts to the resolved source commit before\nbuilding, so the rebuild runs against real source and the diff is\nagainst the tag\u0027s published dist.\n\nThe detection is narrow: only top-level tags whose tree has dist/ but no\npackage.json and no src/.  Monorepo sub-actions and normal actions are\nuntouched.  Verified end-to-end against slackapi/slack-github-action@\nv3.0.2 (byte-identical rebuild) and v3.0.1, with regression checks on\nactions/checkout, astral-sh/setup-uv, and scacap/action-surefire-report\n(not flagged as detached, normal path preserved).\n"
    },
    {
      "commit": "3e608e6f5e13a6e6899f6b94682fb0d6db8378fb",
      "tree": "e102b52848799a07974f39e9e117a8f47e895af0",
      "parents": [
        "7ae7fc55fe8aac02d934e948252cf8fcd3d25e4e"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Apr 24 10:23:00 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 10:23:00 2026 +0000"
      },
      "message": "action-allowlist-review: bump mozilla-actions/sccache-action\n\nBumps [mozilla-actions/sccache-action](https://github.com/mozilla-actions/sccache-action) from 0.0.9 to 0.0.10.\n- [Release notes](https://github.com/mozilla-actions/sccache-action/releases)\n- [Commits](https://github.com/mozilla-actions/sccache-action/compare/7d986dd989559c6ecdb630a3fd2557667be217ad...9e7fa8a12102821edf02ca5dbea1acd0f89a2696)\n\n---\nupdated-dependencies:\n- dependency-name: mozilla-actions/sccache-action\n  dependency-version: 0.0.10\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "7ae7fc55fe8aac02d934e948252cf8fcd3d25e4e",
      "tree": "fbc23cdf6b2d736017c9afc1770f6288f883c1df",
      "parents": [
        "315a6ec714b799da97ffa1d6e39a68ffeb920bea"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Fri Apr 24 10:21:35 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Fri Apr 24 10:21:35 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "315a6ec714b799da97ffa1d6e39a68ffeb920bea",
      "tree": "130fbcf702a91754cf6cbf1ff0dd8a7871853ffd",
      "parents": [
        "19500da1095ad76fdd8f155c5ad6b1ca54aaf66e",
        "8913b693a671d9f64694f08301482868868773b1"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri Apr 24 12:21:22 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 12:21:22 2026 +0200"
      },
      "message": "Merge pull request #759 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/scacap/action-surefire-report-1.10.0\n\naction-allowlist-review: bump scacap/action-surefire-report from 1.9.1 to 1.10.0 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "19500da1095ad76fdd8f155c5ad6b1ca54aaf66e",
      "tree": "338218a038015f235592261debe94156e7a0e49b",
      "parents": [
        "002c46ab55b610dfd337e78d7b4e09083b841954",
        "39849fa746b73bab26f9951e86a517345864f628"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri Apr 24 12:19:20 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 12:19:20 2026 +0200"
      },
      "message": "Merge pull request #765 from apache/dependabot/uv/pelican/ruff-0.15.11\n\nbuild(deps-dev): bump ruff from 0.15.10 to 0.15.11 in /pelican"
    },
    {
      "commit": "002c46ab55b610dfd337e78d7b4e09083b841954",
      "tree": "4790eb8a5d1035579fb080f707fc8ae6e17328e9",
      "parents": [
        "db6b17e68a86055597ac000432a8876524f5efc8",
        "bd7d2b74117e7aec116fff073ab5d8caad289bc8"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri Apr 24 12:18:46 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 12:18:46 2026 +0200"
      },
      "message": "Merge pull request #760 from apache/dependabot/github_actions/dot-github/workflows/github/codeql-action-4.35.2\n\nbuild(deps): bump github/codeql-action from 4.35.1 to 4.35.2 in /.github/workflows"
    },
    {
      "commit": "87bc8cf0b960ae888204f0ee2672699653064925",
      "tree": "0eac81d3efe81454908e084a5f1d4733ff009fbc",
      "parents": [
        "db6b17e68a86055597ac000432a8876524f5efc8"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Apr 24 10:17:12 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 10:17:12 2026 +0000"
      },
      "message": "build(deps-dev): bump ruff from 0.15.10 to 0.15.11 in /stash\n\nBumps [ruff](https://github.com/astral-sh/ruff) from 0.15.10 to 0.15.11.\n- [Release notes](https://github.com/astral-sh/ruff/releases)\n- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/astral-sh/ruff/compare/0.15.10...0.15.11)\n\n---\nupdated-dependencies:\n- dependency-name: ruff\n  dependency-version: 0.15.11\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "db6b17e68a86055597ac000432a8876524f5efc8",
      "tree": "31b22e0083616f1d3053766e3411117d229d1c11",
      "parents": [
        "f244f6bb5a581b58189353c9732234e05602e9dd",
        "e3b06ac88f3eddb8db7acdaae2e1096b48e922fe"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri Apr 24 12:16:26 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 12:16:26 2026 +0200"
      },
      "message": "Merge pull request #763 from apache/dependabot/github_actions/dot-github/workflows/astral-sh/setup-uv-8.1.0\n\nbuild(deps): bump astral-sh/setup-uv from 8.0.0 to 8.1.0 in /.github/workflows"
    },
    {
      "commit": "39849fa746b73bab26f9951e86a517345864f628",
      "tree": "6472a9c9c6d7ed159f6a7e3a299ac1428af83501",
      "parents": [
        "f244f6bb5a581b58189353c9732234e05602e9dd"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Apr 24 10:16:17 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 10:16:17 2026 +0000"
      },
      "message": "build(deps-dev): bump ruff from 0.15.10 to 0.15.11 in /pelican\n\nBumps [ruff](https://github.com/astral-sh/ruff) from 0.15.10 to 0.15.11.\n- [Release notes](https://github.com/astral-sh/ruff/releases)\n- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/astral-sh/ruff/compare/0.15.10...0.15.11)\n\n---\nupdated-dependencies:\n- dependency-name: ruff\n  dependency-version: 0.15.11\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "f244f6bb5a581b58189353c9732234e05602e9dd",
      "tree": "fe3260fbbd612835c6efe92b203d1e14db7e7cf4",
      "parents": [
        "3d29243563b970382a78ba27eebf3b894175f5ba",
        "673d47057ffb81c2d5de71ddacc4af836dccd987"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri Apr 24 12:15:42 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 12:15:42 2026 +0200"
      },
      "message": "Merge pull request #764 from apache/dependabot/uv/pelican/mypy-1.20.1\n\nbuild(deps-dev): bump mypy from 1.20.0 to 1.20.1 in /pelican"
    },
    {
      "commit": "3d29243563b970382a78ba27eebf3b894175f5ba",
      "tree": "9bc5ad6a86478df560f4e7d7c9200cc7f60c262a",
      "parents": [
        "bbced376b6c6ad0861842cf5a713d762be22291a",
        "93468d8a5a321e0ad274ed699ddbfbd9600cfea0"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Fri Apr 24 12:14:49 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 12:14:49 2026 +0200"
      },
      "message": "Merge pull request #766 from apache/dependabot/uv/stash/mypy-1.20.1\n\nbuild(deps-dev): bump mypy from 1.20.0 to 1.20.1 in /stash"
    },
    {
      "commit": "bbced376b6c6ad0861842cf5a713d762be22291a",
      "tree": "27c2f2192ebe40d7d5f3a41db393a8a8e530e06b",
      "parents": [
        "2b6ec5f38ac73c7c5970f3b4f863e8d15bf12d7d"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Fri Apr 24 03:16:27 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Fri Apr 24 03:16:27 2026 +0000"
      },
      "message": "Remove Expired Refs\n\nGenerated by .github/workflows/remove_expired.yml\n"
    },
    {
      "commit": "93468d8a5a321e0ad274ed699ddbfbd9600cfea0",
      "tree": "36a6caf6ba60ce3ec25a1cf8c36a9848e03390f2",
      "parents": [
        "2b6ec5f38ac73c7c5970f3b4f863e8d15bf12d7d"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Apr 24 00:56:52 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 00:56:52 2026 +0000"
      },
      "message": "build(deps-dev): bump mypy from 1.20.0 to 1.20.1 in /stash\n\nBumps [mypy](https://github.com/python/mypy) from 1.20.0 to 1.20.1.\n- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)\n- [Commits](https://github.com/python/mypy/compare/v1.20.0...v1.20.1)\n\n---\nupdated-dependencies:\n- dependency-name: mypy\n  dependency-version: 1.20.1\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "673d47057ffb81c2d5de71ddacc4af836dccd987",
      "tree": "40440519d289d3f6b24aabd6116b2b4313a4034a",
      "parents": [
        "2b6ec5f38ac73c7c5970f3b4f863e8d15bf12d7d"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Fri Apr 24 00:56:31 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Fri Apr 24 00:56:31 2026 +0000"
      },
      "message": "build(deps-dev): bump mypy from 1.20.0 to 1.20.1 in /pelican\n\nBumps [mypy](https://github.com/python/mypy) from 1.20.0 to 1.20.1.\n- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)\n- [Commits](https://github.com/python/mypy/compare/v1.20.0...v1.20.1)\n\n---\nupdated-dependencies:\n- dependency-name: mypy\n  dependency-version: 1.20.1\n  dependency-type: direct:development\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "e3b06ac88f3eddb8db7acdaae2e1096b48e922fe",
      "tree": "48e8aeaf4412762200b39ab96197f632b3733c5f",
      "parents": [
        "2b6ec5f38ac73c7c5970f3b4f863e8d15bf12d7d"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Thu Apr 23 13:49:10 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Thu Apr 23 13:49:10 2026 +0000"
      },
      "message": "build(deps): bump astral-sh/setup-uv in /.github/workflows\n\nBumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 8.0.0 to 8.1.0.\n- [Release notes](https://github.com/astral-sh/setup-uv/releases)\n- [Commits](https://github.com/astral-sh/setup-uv/compare/cec208311dfd045dd5311c1add060b2062131d57...08807647e7069bb48b6ef5acd8ec9567f424441b)\n\n---\nupdated-dependencies:\n- dependency-name: astral-sh/setup-uv\n  dependency-version: 8.1.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "bd7d2b74117e7aec116fff073ab5d8caad289bc8",
      "tree": "ef07ef43fb477cb767c642dbc87e00499bcdb561",
      "parents": [
        "2b6ec5f38ac73c7c5970f3b4f863e8d15bf12d7d"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Wed Apr 22 13:50:30 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Wed Apr 22 13:50:30 2026 +0000"
      },
      "message": "build(deps): bump github/codeql-action in /.github/workflows\n\nBumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.1 to 4.35.2.\n- [Release notes](https://github.com/github/codeql-action/releases)\n- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/github/codeql-action/compare/c10b8064de6f491fea524254123dbe5e09572f13...95e58e9a2cdfd71adc6e0353d5c52f41a045d225)\n\n---\nupdated-dependencies:\n- dependency-name: github/codeql-action\n  dependency-version: 4.35.2\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "8913b693a671d9f64694f08301482868868773b1",
      "tree": "98393a2b39949dc127054aa8bf184957f6cde0fc",
      "parents": [
        "2b6ec5f38ac73c7c5970f3b4f863e8d15bf12d7d"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Wed Apr 22 13:22:03 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Wed Apr 22 13:22:03 2026 +0000"
      },
      "message": "action-allowlist-review: bump scacap/action-surefire-report\n\nBumps [scacap/action-surefire-report](https://github.com/scacap/action-surefire-report) from 1.9.1 to 1.10.0.\n- [Release notes](https://github.com/scacap/action-surefire-report/releases)\n- [Commits](https://github.com/scacap/action-surefire-report/compare/5609ce4db72c09db044803b344a8968fd1f315da...fa13579fdd93ed8fc7e717a25eceedcfcbc39dda)\n\n---\nupdated-dependencies:\n- dependency-name: scacap/action-surefire-report\n  dependency-version: 1.10.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "2b6ec5f38ac73c7c5970f3b4f863e8d15bf12d7d",
      "tree": "1c8fc3f906abb17dd92f69bf264c05780551365a",
      "parents": [
        "b0ef4e25064d7140e9b70876feb041a2084a899f"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Tue Apr 21 21:15:44 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Tue Apr 21 21:15:44 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "b0ef4e25064d7140e9b70876feb041a2084a899f",
      "tree": "788ba6bb4d6033933c47ae8847371be88f170ec6",
      "parents": [
        "bdffe5b195757cdc1dc8f8459a2a49192f17f47b",
        "91e93b3ff72545e5a55580a8e2a6f72efbb655e3"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Apr 21 23:15:25 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 21 23:15:25 2026 +0200"
      },
      "message": "Merge pull request #758 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/commit-check/commit-check-action-2.6.0\n\naction-allowlist-review: bump commit-check/commit-check-action from 2.5.0 to 2.6.0 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "bdffe5b195757cdc1dc8f8459a2a49192f17f47b",
      "tree": "8d9119f7af216986bb3c8f6b848fe975723e99ff",
      "parents": [
        "c51b02dddc8916845d9faee562842b2dba8d8b77"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Apr 21 20:10:24 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 21 20:10:24 2026 +0200"
      },
      "message": "pytest: enable colored output in CI (#757)\n\nPass --color\u003dyes to pytest and export FORCE_COLOR\u003d1 / PY_COLORS\u003d1\nso pytest and Rich-based test output render ANSI colors in the\nGitHub Actions log viewer, making failures easier to read."
    },
    {
      "commit": "91e93b3ff72545e5a55580a8e2a6f72efbb655e3",
      "tree": "a7d3c3a361dd805185bf937fdf71dd5125d1ed44",
      "parents": [
        "c51b02dddc8916845d9faee562842b2dba8d8b77"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Tue Apr 21 13:34:29 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 21 13:34:29 2026 +0000"
      },
      "message": "action-allowlist-review: bump commit-check/commit-check-action\n\nBumps [commit-check/commit-check-action](https://github.com/commit-check/commit-check-action) from 2.5.0 to 2.6.0.\n- [Release notes](https://github.com/commit-check/commit-check-action/releases)\n- [Commits](https://github.com/commit-check/commit-check-action/compare/2fe41833054c561710099d8e3e22bbeab4fe204a...7c158d4541309c5952de3343151750882b036d10)\n\n---\nupdated-dependencies:\n- dependency-name: commit-check/commit-check-action\n  dependency-version: 2.6.0\n  dependency-type: direct:production\n  update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "c51b02dddc8916845d9faee562842b2dba8d8b77",
      "tree": "d941106dfac4e87dfcb0947351565d81fd33eb7c",
      "parents": [
        "0d16f2ee985ac12c8146ce0a74e057e4152d3f1b"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Apr 21 10:25:24 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 21 10:25:24 2026 +0200"
      },
      "message": "verify-action-build: fix RESULT panel cause on binary-download failure (#747)\n\nWhen a JS action rebuilds cleanly but fails only the binary-download\nverification check, the RESULT panel incorrectly reported \"Differences\ndetected between published and rebuilt JS\" because the failure branch\nselected its message on `is_js_action` rather than the actual cause.\n\nReorder the branches to dispatch on the real failure condition:\nall_match\u003dFalse → JS-mismatch message; otherwise binary download\nfailures → binary-download message. Observed on PR #724 (posit-dev/\nsetup-air): JS row was ✓ pass, Binary row was ✗ fail, yet the RESULT\npanel still referenced a JS mismatch.\n\nAdds regression tests for both paths (JS action with unverified\ndownload; JS action with actual JS mismatch).\n\nGenerated-by: Claude Opus 4.7 (1M context) \u003cnoreply@anthropic.com\u003e"
    },
    {
      "commit": "0d16f2ee985ac12c8146ce0a74e057e4152d3f1b",
      "tree": "84c98bc1a53fd72ed8281c81c0e882783ddb0aae",
      "parents": [
        "547aef83eec292b4dd55717dd8ed81cf9505471a"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Tue Apr 21 08:24:24 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Tue Apr 21 08:24:24 2026 +0000"
      },
      "message": "Update approved_patterns.yml and .github/actions/for-dependabot-triggered-reviews/action.yml based on actions.yml\n\nGenerated by .github/workflows/update_composite_action.yml\n"
    },
    {
      "commit": "547aef83eec292b4dd55717dd8ed81cf9505471a",
      "tree": "6572d20d69c53462f2d8f0bb56aeb60b14e90391",
      "parents": [
        "4ec78e97e41d24fc8e27a43fa6964fe0897d0482"
      ],
      "author": {
        "name": "tison",
        "email": "wander4096@gmail.com",
        "time": "Tue Apr 21 16:24:07 2026 +0800"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 21 10:24:07 2026 +0200"
      },
      "message": "Add pip-audit action with version and expiration (#756)\n\n* Add pip-audit action with version and expiration\n\nThis works around https://github.com/apache/infrastructure-actions/pull/452#issuecomment-4286855602.\r\n\r\nNot sure if there are any better options.\n\nSigned-off-by: tison \u003cwander4096@gmail.com\u003e\n\n* Update actions.yml to modify pip-audit entry\n\nRemoved deprecated pypa/gh-action-pip-audit entry and added it back with the same version.\n\nSigned-off-by: tison \u003cwander4096@gmail.com\u003e\n\n---------\n\nSigned-off-by: tison \u003cwander4096@gmail.com\u003e"
    },
    {
      "commit": "4ec78e97e41d24fc8e27a43fa6964fe0897d0482",
      "tree": "fe289aaef3a907333d679f7acf812b343f658d59",
      "parents": [
        "e8b6918689d01c1523f2f19ad41521a63c8cdeb4"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Tue Apr 21 10:10:03 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Tue Apr 21 10:10:03 2026 +0200"
      },
      "message": "verify-action-build: support Deno-based actions (deno task bundle) (#749)\n\nActions such as Kesin11/actions-timeline compile their source with\n`deno task bundle`, typically driving `@deno/dnt` or `esbuild` to emit\nthe committed `dist/` files. The node:slim base has no `deno` binary,\nso the npm build loop fell through (pure Deno actions have no\npackage.json either), producing an empty rebuild and a false\n\"Differences detected between published and rebuilt JS\" failure.\n\nWhen `deno.json` or `deno.jsonc` is detected at the repo root, install\nthe official `deno` binary into `/usr/local` and run `deno task bundle`\nas the first build step. Mirrors the `pubspec.yaml` → Dart SDK pattern\nadded in 9f87136.\n\nVerified against Kesin11/actions-timeline@44c9c178ffb2 (PR #736) — JS\nbuild verification now reports \"compiled JS matches rebuild\" and the\noverall run exits 0.\n\nTests: `TestReadDockerfileTemplate.test_deno_support_present` asserts\nthe key Dockerfile markers (`deno.json`, `deno.land/install.sh`,\n`deno task bundle`) are in the template, plus a matching regression\nguard for the Dart branch.\n\nREADME: updated the \"The script will:\" rebuild description to list\nNode.js / Dart / Deno toolchains rather than a bare `npm ci \u0026\u0026 npm run\nbuild`.\n\nGenerated-by: Claude Opus 4.7 (1M context) \u003cnoreply@anthropic.com\u003e"
    },
    {
      "commit": "e8b6918689d01c1523f2f19ad41521a63c8cdeb4",
      "tree": "1a1e7fe4b1f8caa199c8935e2b6b024c3d4490b8",
      "parents": [
        "2474a5a8d3ed5e3faf3001e7d8a06cd723ace447",
        "5c54054bed3fab501bffd3947c9389625d857bab"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Mon Apr 20 18:50:13 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Mon Apr 20 18:50:13 2026 +0200"
      },
      "message": "Merge pull request #750 from apache/verify-action-build-consolidate-recursion\n\nverify-action-build: unified walker over composite action graph (closes #744)"
    },
    {
      "commit": "2474a5a8d3ed5e3faf3001e7d8a06cd723ace447",
      "tree": "adfe445501b089edf14891e2cbae8b86ba010abb",
      "parents": [
        "40b6028d4e8ebd5eedad1478145886a09f37b127",
        "d630252b5de2666cd30445de247f641c1ace0cec"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Mon Apr 20 18:43:44 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Mon Apr 20 18:43:44 2026 +0200"
      },
      "message": "Merge pull request #754 from apache/dependabot/github_actions/dot-github/workflows/zizmorcore/zizmor-action-0.5.3\n\nbuild(deps): bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 in /.github/workflows"
    },
    {
      "commit": "d630252b5de2666cd30445de247f641c1ace0cec",
      "tree": "adfe445501b089edf14891e2cbae8b86ba010abb",
      "parents": [
        "40b6028d4e8ebd5eedad1478145886a09f37b127"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Mon Apr 20 16:13:10 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Mon Apr 20 16:13:10 2026 +0000"
      },
      "message": "build(deps): bump zizmorcore/zizmor-action in /.github/workflows\n\nBumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.2 to 0.5.3.\n- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)\n- [Commits](https://github.com/zizmorcore/zizmor-action/compare/71321a20a9ded102f6e9ce5718a2fcec2c4f70d8...b1d7e1fb5de872772f31590499237e7cce841e8e)\n\n---\nupdated-dependencies:\n- dependency-name: zizmorcore/zizmor-action\n  dependency-version: 0.5.3\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "adffd10ad34089375d9d923386d4bf6b729f7be6",
      "tree": "87f95c00e4e6862ee9a87a6c1c4d3073733a623d",
      "parents": [
        "40b6028d4e8ebd5eedad1478145886a09f37b127"
      ],
      "author": {
        "name": "Anton Borisov",
        "email": "anton.borisov@fresha.com",
        "time": "Mon Apr 20 16:24:05 2026 +0100"
      },
      "committer": {
        "name": "Anton Borisov",
        "email": "anton.borisov@fresha.com",
        "time": "Mon Apr 20 16:47:18 2026 +0100"
      },
      "message": "Allow erlef/setup-beam v1.24.0\n"
    },
    {
      "commit": "5c54054bed3fab501bffd3947c9389625d857bab",
      "tree": "f2d28f087181d741e0540d84208f352ad45eda21",
      "parents": [
        "40b6028d4e8ebd5eedad1478145886a09f37b127"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sun Apr 19 23:04:03 2026 +0200"
      },
      "committer": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sun Apr 19 23:04:03 2026 +0200"
      },
      "message": "verify-action-build: unified walker over the composite action graph\n\nCloses #744.\n\nEach security check previously did its own recursion over the nested\naction graph: `analyze_nested_actions` and\n`analyze_binary_downloads_recursive` each re-fetched the same\n`action.yml` files, re-parsed the same `uses:` refs, and carried their\nown `_depth` / `_visited` bookkeeping. As more checks are added (e.g.\nthe compatible-licensing check from #686), that cost compounds:\nN checks × M nested actions \u003d N × M redundant fetches.\n\nThis commit introduces a single depth-first pre-order walker,\n`walk_actions`, that yields one `VisitedAction` per unique\n`org/repo/sub_path@commit` reached from the root. Each check is now a\npure function that consumes the iterator:\n\n    for visited in walk_actions(root_org, root_repo, root_commit, root_sub_path):\n        do_check(visited)\n\nThe walker enforces the shared descent rules in one place: local and\ndocker refs are terminal stubs, non-hash-pinned refs are yielded but\nnot descended, trusted orgs (`actions`, `github`) at depth \u003e 0 are\nyielded as stubs without fetching their `action.yml`, and depth is\ncapped at 3.\n\n`analyze_nested_actions` and `analyze_binary_downloads_recursive` are\nrewritten as pure consumers of the walker — no recursion, no private\n`_depth` / `_visited` / `_checked` kwargs. They can be called by a\ncaller that enumerates visits once and dispatches to multiple checks.\n\n`fetch_action_yml` is also `@lru_cache`-wrapped so any remaining\nsame-commit fetch inside a check (e.g. the nested-action display\ncheck\u0027s lazy type lookup for a trusted-org ref) reuses the walker\u0027s\nearlier hit.\n\nAll 135 existing tests pass unchanged, and end-to-end verification\nstill flags the unverified `tc.downloadTool` call in\n`posit-dev/setup-air` as before.\n\nGenerated-by: Claude Opus 4.7 (1M context) \u003cnoreply@anthropic.com\u003e\n"
    },
    {
      "commit": "40b6028d4e8ebd5eedad1478145886a09f37b127",
      "tree": "115ab29022f20fd00afb638ba95efe18240620a0",
      "parents": [
        "48835811d844455fbc0e6f82fcafe0389bce774e",
        "65329b460f9fd90dcb624c0d41d4761cf69300bb"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sun Apr 19 20:08:24 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Sun Apr 19 20:08:24 2026 +0200"
      },
      "message": "Merge pull request #745 from apache/verify-manual-action-workflow\n\nci: verify manual allowlist PRs via verify-action-build"
    },
    {
      "commit": "65329b460f9fd90dcb624c0d41d4761cf69300bb",
      "tree": "197a4491db030d3dbfbb0a2a0c9f0965947991de",
      "parents": [
        "f14688b8d26b4110cea30e4df93c64c4107d299a"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sun Apr 19 20:04:54 2026 +0200"
      },
      "committer": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sun Apr 19 20:04:54 2026 +0200"
      },
      "message": "docs: document verify_manual_action.yml and require doc updates for features\n\n- README: rewrite the \"Automated Verification in CI\" section to list both\n  verify workflows (dependabot + manual) and describe their triggers,\n  permissions, and pass/fail semantics.\n- AGENTS.md: add a \"Documentation\" section requiring user-visible changes\n  (workflows, scripts, CLI flags) to ship with reference-doc updates in\n  the same PR.\n\nGenerated-by: Claude Opus 4.7 (1M context) \u003cnoreply@anthropic.com\u003e\n"
    },
    {
      "commit": "48835811d844455fbc0e6f82fcafe0389bce774e",
      "tree": "cd5c9ebcde05b28f73a29fcfa01877edcfbe4105",
      "parents": [
        "df36e1152a484bfb39276a97e5b99d3c5633cb96"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Sun Apr 19 17:26:25 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Sun Apr 19 17:26:25 2026 +0000"
      },
      "message": "Update actions.yml and approved_patterns.yml based on .github/actions/for-dependabot-triggered-reviews/action.yml\n\nGenerated by .github/workflows/update_actions.yml\n"
    },
    {
      "commit": "df36e1152a484bfb39276a97e5b99d3c5633cb96",
      "tree": "b2b0d10b95c272a2f19a19e593f41bce2820b0ce",
      "parents": [
        "9e9510454ef2ee3edc58adb528501365c4844d94",
        "c53c05c471a3e13868f2708ad4bd664642a01acc"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sun Apr 19 19:26:13 2026 +0200"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Sun Apr 19 19:26:13 2026 +0200"
      },
      "message": "Merge pull request #720 from apache/dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/JustinBeckwith/linkinator-action-2.4.2\n\naction-allowlist-review: bump JustinBeckwith/linkinator-action from 2.4.1 to 2.4.2 in /.github/actions/for-dependabot-triggered-reviews"
    },
    {
      "commit": "262390650270fa8bc43063bc3780d97fb9c0731e",
      "tree": "76eff91385ea6589155306f9592d38aa4b82e3ea",
      "parents": [
        "9e9510454ef2ee3edc58adb528501365c4844d94"
      ],
      "author": {
        "name": "dependabot[bot]",
        "email": "49699333+dependabot[bot]@users.noreply.github.com",
        "time": "Sun Apr 19 17:25:49 2026 +0000"
      },
      "committer": {
        "name": "GitHub",
        "email": "noreply@github.com",
        "time": "Sun Apr 19 17:25:49 2026 +0000"
      },
      "message": "action-allowlist-review: bump posit-dev/setup-air\n\nBumps [posit-dev/setup-air](https://github.com/posit-dev/setup-air) from 1.0.0 to 1.0.1.\n- [Release notes](https://github.com/posit-dev/setup-air/releases)\n- [Changelog](https://github.com/posit-dev/setup-air/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/posit-dev/setup-air/compare/63e80dedb6d275c94a3841e15e5ff8691e1ab237...cf390573ff4fe0f198f35df3a642b1409328d859)\n\n---\nupdated-dependencies:\n- dependency-name: posit-dev/setup-air\n  dependency-version: 1.0.1\n  dependency-type: direct:production\n  update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e"
    },
    {
      "commit": "f14688b8d26b4110cea30e4df93c64c4107d299a",
      "tree": "4db582f54ceb13dac57c17affdaeab8a09368b06",
      "parents": [
        "87ca552749c19ff6533bb78404ba1988a5f544ce"
      ],
      "author": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sun Apr 19 19:21:42 2026 +0200"
      },
      "committer": {
        "name": "Jarek Potiuk",
        "email": "jarek@potiuk.com",
        "time": "Sun Apr 19 19:21:42 2026 +0200"
      },
      "message": "ci: verify manually opened allowlist PRs via verify-action-build\n\nAdds a workflow that runs verify-action-build on PRs which touch\nactions.yml or approved_patterns.yml and are not authored by dependabot.\nMirrors the existing verify_dependabot_action.yml pattern — regular\npull_request trigger with read-only permissions, exits with the verify\nscript\u0027s rc so the status check reflects pass/fail.\n\nGenerated-by: Claude Opus 4.7 (1M context) \u003cnoreply@anthropic.com\u003e\n"
    },
    {
      "commit": "9e9510454ef2ee3edc58adb528501365c4844d94",
      "tree": "a6e0cf7ec9229afa8d6fae0458ae8456cb61fe18",
      "parents": [
        "6b2ecfebe172926c69c89359e4690ada3bdb1fdf"
      ],
      "author": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Sun Apr 19 17:15:37 2026 +0000"
      },
      "committer": {
        "name": "asfgit",
        "email": "asfgit@users.noreply.github.com",
        "time": "Sun Apr 19 17:15:37 2026 +0000"
      },
      "message": "Update approved_patterns.yml and .github/actions/for-dependabot-triggered-reviews/action.yml based on actions.yml\n\nGenerated by .github/workflows/update_composite_action.yml\n"
    }
  ],
  "next": "6b2ecfebe172926c69c89359e4690ada3bdb1fdf"
}
