Skip to content

chore: batch dependabot updates 2026-07-09#55

Merged
MDzaja merged 2 commits into
mainfrom
chore/batch-dependabot-2026-07-09
Jul 9, 2026
Merged

chore: batch dependabot updates 2026-07-09#55
MDzaja merged 2 commits into
mainfrom
chore/batch-dependabot-2026-07-09

Conversation

@MDzaja

@MDzaja MDzaja commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Batch dependabot updates — 2026-07-09

Branch: chore/batch-dependabot-2026-07-09 (2 commits, based on origin/main @ d7c538ecc)

PR title: chore(deps): batch dependabot updates 2026-07-09

Summary

Batches the open dependabot github-actions updates into a single PR by cherry-picking each dependabot commit.

Action From To
actions/cache v5.0.5 v6.1.0 (major)
actions/checkout df4cb1c0… 9c091bb2…
actions/setup-go v6.4.0 v6.5.0
actions/setup-java v5.2.0 v5.4.0
actions/setup-python v6.2.0 v6.3.0
ruby/setup-ruby v1.308.0 v1.316.0
denoland/setup-deno 667a34cd… 22d081ff…

Touches: setup-toolchain/action.yml + 6 workflows (deploy-pages, e2e_pr_tests, pr_checks, prepare-release, release, sdk_publish).

Closes

Closes #3
Closes #36

Excluded

#8 (pip-prod group, 14 updates) is excluded — do not merge as-is, two independent blockers:

  1. Breaks the Python version contract: it raises the urllib3 floor to >=2.7.0, which requires Python ≥ 3.10, while all Python packages declare requires-python >= 3.9. poetry lock fails to solve (urllib3 is forbidden).
  2. Fights the client generator: the 4 bumped pyproject.toml files are generated; hack/python-client/postprocess.sh force-pins the urllib3 floor back to 2.1.0 on every yarn generate:api-client, so the next regeneration reverts the bump and the "generated clients out of date" CI gate fails.

Suggested follow-up for #8: bump the floors in the generator templates/postprocess (and decide whether to drop py3.9 first), and add a dependabot ignore/exclusion for generated client manifests so it stops proposing un-mergeable bumps there.

Conflict resolutions during cherry-pick

Validation

  • actionlint clean on all changed workflow files (composite-action false positives and the known blacksmith-* runner-label warning aside).
  • All YAML parses.
  • Every action resolves to a single consistent SHA across the repo (no split pins).
  • poetry lock solves with zero lock drift after excluding chore(deps): Bump the pip-prod group across 5 directories with 14 updates #8.
  • No Go/Node/Python dependency changes remain in the batch → no build-level validation required.

Risk notes

  • actions/cache v5 → v6 is a major bump; used in pr_checks.yaml + setup-toolchain/action.yml. Cache actions have historically been drop-in across majors, but the first CI run on this PR is the real verification — watch the cache save/restore steps.

Summary by cubic

Batch updates GitHub Actions across workflows to keep CI current and pins consistent. Major bumps to actions/checkout v7 and actions/cache v6; closes #3 and #36.

  • Dependencies

    • Major: actions/checkout v7.0.0, actions/cache v6.1.0
    • Others: actions/setup-go v6.5.0, actions/setup-java v5.4.0, actions/setup-python v6.3.0, ruby/setup-ruby v1.316.0, actions/upload-pages-artifact v5.0.0, actions/deploy-pages v5.0.0, denoland/setup-deno v2.0.5, golangci/golangci-lint-action v9.3.0, apache/skywalking-eyes/header updated
  • Migration

    • No app code changes. First CI run may warm caches; watch actions/cache restore/save steps.

Written for commit 8483368. Summary will update on new commits.

Review in cubic

dependabot Bot added 2 commits July 9, 2026 13:48
…updates

Bumps the github-actions group with 5 updates in the /.github/actions/setup-toolchain directory:

| Package | From | To |
| --- | --- | --- |
| [actions/setup-go](https://github.com/actions/setup-go) | `6.4.0` | `6.5.0` |
| [actions/setup-java](https://github.com/actions/setup-java) | `5.2.0` | `5.4.0` |
| [actions/setup-python](https://github.com/actions/setup-python) | `6.2.0` | `6.3.0` |
| [ruby/setup-ruby](https://github.com/ruby/setup-ruby) | `1.308.0` | `1.316.0` |
| [actions/cache](https://github.com/actions/cache) | `5.0.5` | `6.1.0` |



Updates `actions/setup-go` from 6.4.0 to 6.5.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4a36011...924ae3a)

Updates `actions/setup-java` from 5.2.0 to 5.4.0
- [Release notes](https://github.com/actions/setup-java/releases)
- [Commits](actions/setup-java@be666c2...1bcf9fb)

Updates `actions/setup-python` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a309ff8...ece7cb0)

Updates `ruby/setup-ruby` from 1.308.0 to 1.316.0
- [Release notes](https://github.com/ruby/setup-ruby/releases)
- [Changelog](https://github.com/ruby/setup-ruby/blob/master/release.rb)
- [Commits](ruby/setup-ruby@97ecb7b...d45b1a4)

Updates `actions/cache` from 5.0.5 to 6.1.0
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-go
  dependency-version: 6.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/setup-java
  dependency-version: 5.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/setup-python
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: ruby/setup-ruby
  dependency-version: 1.314.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…updates

Bumps the github-actions group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.3` | `7.0.0` |
| [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) | `4.0.0` | `5.0.0` |
| [actions/deploy-pages](https://github.com/actions/deploy-pages) | `4.0.5` | `5.0.0` |
| [denoland/setup-deno](https://github.com/denoland/setup-deno) | `2.0.4` | `2.0.5` |
| [actions/setup-go](https://github.com/actions/setup-go) | `6.4.0` | `6.5.0` |
| [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) | `9.2.1` | `9.3.0` |
| [actions/cache](https://github.com/actions/cache) | `5.0.5` | `6.1.0` |
| [apache/skywalking-eyes/header](https://github.com/apache/skywalking-eyes) | `ab3d1fe50d23f9c82eff489297167e2dde8ba6cb` | `29bd646002b63bb4c0ed1648d1654c35fb8ff027` |

Updates `actions/checkout` from 6.0.3 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@df4cb1c...9c091bb)

Updates `actions/upload-pages-artifact` from 4.0.0 to 5.0.0
- [Release notes](https://github.com/actions/upload-pages-artifact/releases)
- [Commits](actions/upload-pages-artifact@7b1f4a7...fc324d3)

Updates `actions/deploy-pages` from 4.0.5 to 5.0.0
- [Release notes](https://github.com/actions/deploy-pages/releases)
- [Commits](actions/deploy-pages@d6db901...cd2ce8f)

Updates `denoland/setup-deno` from 2.0.4 to 2.0.5
- [Release notes](https://github.com/denoland/setup-deno/releases)
- [Commits](denoland/setup-deno@667a34c...22d081f)

Updates `actions/setup-go` from 6.4.0 to 6.5.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4a36011...924ae3a)

Updates `golangci/golangci-lint-action` from 9.2.1 to 9.3.0
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@82606bf...ba0d7d2)

Updates `actions/cache` from 5.0.5 to 6.1.0
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)

Updates `apache/skywalking-eyes/header` from ab3d1fe50d23f9c82eff489297167e2dde8ba6cb to 29bd646002b63bb4c0ed1648d1654c35fb8ff027
- [Release notes](https://github.com/apache/skywalking-eyes/releases)
- [Changelog](https://github.com/apache/skywalking-eyes/blob/main/CHANGES.md)
- [Commits](apache/skywalking-eyes@ab3d1fe...29bd646)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/deploy-pages
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-go
  dependency-version: 6.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/upload-pages-artifact
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: apache/skywalking-eyes/header
  dependency-version: 29bd646002b63bb4c0ed1648d1654c35fb8ff027
  dependency-type: direct:production
  dependency-group: github-actions
- dependency-name: denoland/setup-deno
  dependency-version: 2.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: golangci/golangci-lint-action
  dependency-version: 9.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 7 files

Re-trigger cubic

@MDzaja MDzaja merged commit 61512a6 into main Jul 9, 2026
23 of 26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant