chore(deps): bump the actions group with 10 updates#938
Closed
dependabot[bot] wants to merge 1951 commits intodevelopfrom
Closed
chore(deps): bump the actions group with 10 updates#938dependabot[bot] wants to merge 1951 commits intodevelopfrom
dependabot[bot] wants to merge 1951 commits intodevelopfrom
Conversation
Investigates why GitHub labels are not being applied to PRs (never) and inconsistently to issues (only when envoy is running). Identifies root causes: PR labeling was never assigned to any agent, envoy has no startup catch-up for issues missed during downtime. Provides concrete agent definition changes for merge-queue, envoy, and supervisor.
docs: label usage gap analysis — research artifact
…72.4) Based on label usage gap analysis (PR #806). Wire label application into agent workflows: merge-queue PR labeling (title-prefix inference), envoy startup catch-up + context exhaustion warning + mutual exclusivity, supervisor label discipline, and retroactive cleanup. Agent definition and operational doc changes only — no application code.
docs: plan Epic 72 — Operationalize GitHub Label Usage (4 stories)
… mutual exclusivity (Story 72.2) - Add startup catch-up scan to envoy rhythm: scan open issues for zero labels, apply triage.new + type.* to catch issues created during downtime - Add Context Exhaustion Risk section matching merge-queue/pr-shepherd format - Add Label Mutual Exclusivity enforcement subsection with remove-before-add protocol for exclusive scopes (type.*, priority.*, triage.*, scope.*, resolution.*)
feat: Story 72.2 — Envoy Label Resilience
Add PR Labeling section to merge-queue.md with rules for inferring type.*, scope.in-scope, and agent.worker labels from PR metadata. Update the Labels reference table, Authority table, and label-authority.md to reflect merge-queue's new labeling capabilities.
…tory 71.1) Drop Apple Intel (darwin/amd64) build targets from: - .goreleaser.yml: added darwin/amd64 to ignore list - justfile: removed amd64 line from build-all recipe - ci.yml: removed amd64 builds, signing, notarization, app bundles, DMG, pkg, artifact uploads, release notes, and Homebrew formula Intel branch Only darwin/arm64 (Apple Silicon) and linux/amd64 remain as targets. Saves CI runner minutes by eliminating expensive macOS Intel signing.
docs: Story 72.1 — Merge-Queue PR Labeling
docs: governance sync — Stories 72.1, 72.2 Done (Epic 72 2/4)
chore: sync operational data
…on (#813) * docs: supervisor label discipline & resolution.wontfix label (Story 72.3) Add label discipline section to supervisor agent definition with instructions for applying agent.worker, scope.*, and resolution.* labels during issue lifecycle. Create missing resolution.wontfix label on GitHub. Update label-authority.md summary table to include resolution.* in supervisor's Can Set column. * docs: mark Story 72.3 Done (PR #813)
feat: Story 71.1 — Remove darwin/amd64 from CI build and alpha release pipeline
* docs: retroactive label cleanup — fix mutual exclusivity violations (Story 72.4) Fixed mutual exclusivity violations on three closed issues: - #330: removed triage.in-progress (kept triage.complete) - #296: removed type.bug (kept type.infra) - #283: removed type.bug (kept type.infra) All seven originally unlabeled issues were already closed; per dev notes, retroactive labeling of closed issues was skipped. Final scan of all issues: zero violations remaining. * docs: update story 72.4 status with PR number (Story 72.4)
Remove all darwin/amd64 references from the sign-stable job in release.yml. Since only arm64 remains, loops are eliminated in favor of direct commands for: download, sign, notarize, pkg build, pkg notarize, checksums, and re-upload steps.
…tests, and agent definitions (#817) * docs: remove darwin/amd64 (Intel Mac) references from docs, tests, and agent definitions (Story 71.3) After Stories 71.1 and 71.2 dropped Intel builds from the build and release pipelines, remaining references to darwin/amd64 in documentation, test tables, and agent definitions are now stale. This cleans them up: - README.md: Remove Intel rows from pkg installer and binary download tables - docs-site installation page: Remove Intel mention from pre-built binary tab - Architecture doc: Remove darwin/amd64 from cross-compile target lists - codesign_test.go: Remove amd64 test case from SignMultipleBinaries - pkg_builder_test.go: Remove amd64 test case from Build_PerArchitecture - release-manager.md: Remove darwin-amd64 from cross-compile description * docs: update Story 71.3 status to Done (PR #817)
feat: Warning threshold engine (Story 76.3)
…plete docs: governance sync — Epic 76 3/6, Epic 77 COMPLETE
…6.5) Implement SnapshotRecord type and SnapshotWriter for recording quota usage snapshots to docs/operations/quota-usage.jsonl. Snapshots contain aggregated metrics (usage %, per-agent breakdown, tier, peak flag, window timing) — no raw per-interaction duplication. OTEL metric mapping documented in type comments for Phase 3 Marvel portability. Provenance: L3
Provenance: L3
feat: /stats usage data integration (Story 76.5)
- Story 76.3 (Warning Threshold Engine): Not Started → Done (PR #883) - Epic 76 progress: 3/6 → 4/6
docs: governance sync — Story 76.3 Done, Epic 76 4/6
Research investigating how to install BMAD as a shared sidecar across multiple repos. Evaluates 7 techniques (symlinks, overlayfs, git submodules, --add-dir wrappers, MCP server, user-level commands). Recommends two-phase approach: Phase 1 copies command stubs to ~/.claude/commands/ for instant global availability; Phase 2 adds symlinks to shared runtime files for power users with 3+ repos. Provenance: L3
docs: BMAD sidecar installation architecture research
- SC2015: Replace A && B || C with if/then in test-cron-scripts.sh - SC2317/SC2329: Suppress false-positive unreachable function warnings in test-verify-mcp-bridge.sh (caused by exit in heredocs) - SC2034: Remove unused variables (QUOTA_SCRIPT, OUTPUT, SESSION, YELLOW, recent_work_commands, TOTAL_TOKENS) - SC2034: Suppress for color vars used in embedded Python (quota-status.sh) - SC2086: Double-quote variable in date flag (sm-sprint-health.sh) - SC2001: Suppress for sed backreference (handover-history.sh) - SC2016: Suppress for intentional literal template tokens (validate-alpha-formula.sh) All scripts now pass shellcheck cleanly. Provenance: L3
fix: resolve pre-existing ShellCheck warnings in test scripts
The git-safety.sh hook from Story 73.3 (PR #840) blocked sync operations (fetch, pull, rebase, merge) universally for ALL Claude agents. This was over-broad -- persistent agents (merge-queue, pr-shepherd) and the multiclaude CLI itself need these operations. Two failure modes: 1. Persistent agents couldn't update PR branches or stay current with main 2. multiclaude CLI couldn't spawn workers (fetch is used internally to create worktrees), creating a catch-22 where the system couldn't self-heal Fix: detect worker worktrees via path pattern (~/.multiclaude/wts/) and only enforce sync restrictions there. Universal protections (unsigned commits, push to main, Co-Authored-By) remain enforced in all contexts. Test suite expanded from 38 to 68 cases covering both worker and main checkout contexts with explicit edge cases for context detection. Provenance: L3
Provenance: L3
- SC2016: disable for intentional literal ${VAR} patterns in validate-alpha-formula.sh
- SC2034: disable for color vars used in embedded Python (quota-status.sh),
remove genuinely unused TOTAL_TOKENS and QUOTA_SCRIPT vars
- SC2034: remove unused YELLOW from rollcall.sh, recent_work_commands from shift-clock.sh
- SC2086: quote variable in date expansion (sm-sprint-health.sh)
- SC2069: fix redirect order in test-shift-snapshot.sh
- SC2001: replace sed with shell builtins in handover-history.sh
- SC2329: suppress false positive for indirectly-invoked function (test-verify-mcp-bridge.sh)
Provenance: L3
fix: scope git safety hook to worker worktrees only (Story 73.8)
Layer 1: 35 ADR nodes (34 bedrock + 1 frontier/deferred) Layer 2: 26 BOARD nodes (18 open questions + 8 research/recommendations) Layer 3: 4 incident report nodes (bedrock — validated by failure) 65 nodes total, 0 validation warnings. Key early signal: adr-0026 (self-driving pipeline) contradicted by 3 of 4 incidents. All incidents share a pattern: assumptions about isolation, atomicity, or message routing never architecturally enforced. Layers 4-6 (architecture, PRD, dark factory) pending.
Switch CI from trunk-based (main) to gitflow (develop + main): - Push trigger: main -> develop for CI, docs, alpha releases - PR trigger: main -> [develop, main] for CI and scope-check - Remove stable binary builds from CI (stable releases via tag-triggered release.yml) - Alpha-only signing: remove installer cert, app bundle, dmg, pkg steps - Update release-verify to watch develop instead of main for alpha tap
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Bumps the actions group with 10 updates: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `4.3.1` | `6.0.2` | | [dorny/paths-filter](https://github.com/dorny/paths-filter) | `3.0.2` | `4.0.1` | | [actions/github-script](https://github.com/actions/github-script) | `8.0.0` | `9.0.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.2` | `7.0.1` | | [actions/cache](https://github.com/actions/cache) | `4.3.0` | `5.0.4` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `7.0.0` | `7.1.0` | | [github/codeql-action](https://github.com/github/codeql-action) | `3.35.1` | `4.35.1` | | [actions/setup-python](https://github.com/actions/setup-python) | `5.6.0` | `6.2.0` | | [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) | `9a127d869fb706213d29cdf8eef3a4ea2b869415` | `ec59f474b9834571250b370d4735c50f8e2d1e29` | | [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.4.0` | `2.4.3` | Updates `actions/checkout` from 4.3.1 to 6.0.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4.3.1...de0fac2) Updates `dorny/paths-filter` from 3.0.2 to 4.0.1 - [Release notes](https://github.com/dorny/paths-filter/releases) - [Changelog](https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md) - [Commits](dorny/paths-filter@de90cc6...fbd0ab8) Updates `actions/github-script` from 8.0.0 to 9.0.0 - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@ed59741...3a2844b) Updates `actions/upload-artifact` from 4.6.2 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v4.6.2...043fb46) Updates `actions/cache` from 4.3.0 to 5.0.4 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@v4.3.0...6682284) Updates `docker/build-push-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@d08e5c3...bcafcac) Updates `github/codeql-action` from 3.35.1 to 4.35.1 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5c8a8a6...c10b806) Updates `actions/setup-python` from 5.6.0 to 6.2.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@a26af69...a309ff8) Updates `goreleaser/goreleaser-action` from 9a127d869fb706213d29cdf8eef3a4ea2b869415 to ec59f474b9834571250b370d4735c50f8e2d1e29 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@9a127d8...ec59f47) Updates `ossf/scorecard-action` from 2.4.0 to 2.4.3 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@62b2cac...4eaacf0) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: dorny/paths-filter dependency-version: 4.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/github-script dependency-version: 9.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/cache dependency-version: 5.0.4 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: docker/build-push-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/setup-python dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: goreleaser/goreleaser-action dependency-version: ec59f474b9834571250b370d4735c50f8e2d1e29 dependency-type: direct:production dependency-group: actions - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
the
dependencies
Contributor
Author
|
This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests. To ignore these dependencies, configure ignore rules in dependabot.yml |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the actions group with 10 updates:
4.3.16.0.23.0.24.0.18.0.09.0.04.6.27.0.14.3.05.0.47.0.07.1.03.35.14.35.15.6.06.2.09a127d869fb706213d29cdf8eef3a4ea2b869415ec59f474b9834571250b370d4735c50f8e2d1e292.4.02.4.3Updates
actions/checkoutfrom 4.3.1 to 6.0.2Release notes
Sourced from actions/checkout's releases.
... (truncated)
Changelog
Sourced from actions/checkout's changelog.
... (truncated)
Commits
de0fac2Fix tag handling: preserve annotations and explicit fetch-tags (#2356)064fe7fAdd orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (...8e8c483Clarify v6 README (#2328)033fa0dAdd worktree support for persist-credentials includeIf (#2327)c2d88d3Update all references from v5 and v4 to v6 (#2314)1af3b93update readme/changelog for v6 (#2311)71cf226v6-beta (#2298)069c695Persist creds to a separate file (#2286)ff7abcdUpdate README to include Node.js 24 support details and requirements (#2248)08c6903Prepare v5.0.0 release (#2238)Updates
dorny/paths-filterfrom 3.0.2 to 4.0.1Release notes
Sourced from dorny/paths-filter's releases.
Changelog
Sourced from dorny/paths-filter's changelog.
... (truncated)
Commits
fbd0ab8feat: add merge_group event supportefb1da7feat: add dist/ freshness check to PR workflowd8f7b06Merge pull request #302 from dorny/issue-299addbc14Update README for v49d7afb8Update CHANGELOG for v4.0.0782470cMerge branch 'releases/v3'd1c1ffeUpdate CHANGELOG for v3.0.3ce10459Merge pull request #294 from saschabratton/master5f40380feat: update action runtime to node24668c092Merge pull request #279 from wardpeet/patch-1Updates
actions/github-scriptfrom 8.0.0 to 9.0.0Release notes
Sourced from actions/github-script's releases.
Commits
3a2844bMerge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...ca10bbdfix: use@octokit/core/types import for v7 compatibility86e48e2merge: incorporate main branch changesc108472chore: rebuild dist for v9 upgrade and getOctokit factoryafff112Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...ff8117eci: fix user-agent test to handle orchestration ID81c6b78ci: use deployment: false to suppress deployment noise from integration tests3953cafdocs: update README examples from@v8to@v9, add getOctokit docs and v9 brea...c17d55bci: add getOctokit integration test joba047196test: add getOctokit integration tests via callAsyncFunctionUpdates
actions/upload-artifactfrom 4.6.2 to 7.0.1Release notes
Sourced from actions/upload-artifact's releases.
... (truncated)
Commits
043fb46Merge pull request #797 from actions/yacaovsnc/update-dependency634250cInclude changes in typespec/ts-http-runtime 0.3.5e454baaReadme: bump all the example versions to v7 (#796)74fad66Update the readme with direct upload details (#795)bbbca2dSupport direct file uploads (#764)589182cUpgrade the module to ESM and bump dependencies (#762)47309c9Merge pull request #754 from actions/Link-/add-proxy-integration-tests02a8460Add proxy integration testb7c566aMerge pull request #745 from actions/upload-artifact-v6-releasee516bc8docs: correct description of Node.js 24 support in READMEUpdates
actions/cachefrom 4.3.0 to 5.0.4Release notes
Sourced from actions/cache's releases.
... (truncated)
Changelog
Sourced from actions/cache's changelog.
... (truncated)
Commits
6682284Merge pull request #1738 from actions/prepare-v5.0.4e340396Update RELEASES8a67110Add licenses1865903Update dependencies & patch security vulnerabilities5656298Merge pull request #1722 from RyPeck/patch-14e380d1Fix cache key in examples.md for bun.lockb7e8d49Merge pull request #1701 from actions/Link-/fix-proxy-integration-tests984a21bAdd traffic sanity check stepacf2f1fFix resolution95a07c5Add wait for proxyUpdates
docker/build-push-actionfrom 7.0.0 to 7.1.0Release notes
Sourced from docker/build-push-action's releases.
Commits
bcafcacMerge pull request #1509 from docker/dependabot/npm_and_yarn/vite-7.3.218e62f1Merge pull request #1510 from docker/dependabot/npm_and_yarn/lodash-4.18.146580d2chore: update generated content3f80b25chore(deps): Bump lodash from 4.17.23 to 4.18.1efeec95Merge pull request #1505 from crazy-max/refactor-git-contextddf04b0Merge pull request #1511 from docker/dependabot/github_actions/crazy-max-dot-...db08d97chore(deps): Bump the crazy-max-dot-github group with 2 updatesef1fb96Merge pull request #1508 from docker/dependabot/github_actions/docker/login-a...2d8f2a1chore: update generated content919ac7bfix test since secrets are not written to temp path anymoreUpdates
github/codeql-actionfrom 3.35.1 to 4.35.1Release notes
Sourced from github/codeql-action's releases.
... (truncated)
Changelog
Sourced from github/codeql-action's changelog.