Skip to content

chore(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0 #327

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dependabot wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0 #327

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/release-on-tag.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@
} > release_notes.md

- name: Create GitHub Release
uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2

Check warning on line 74 in .github/workflows/release-on-tag.yml

View check run for this annotation

Claude / Claude Code Review

Stale version comment after major bump 

Both workflow files pin the action to SHA b4309332981a82ec1c5618f44dd2e27cc8bfbfda (the v3.0.0 release commit) but the trailing comment still reads `# v2` — it should be `# v3`. Update the comment in both `.github/workflows/release-on-tag.yml` (line 74) and `.github/workflows/release.yml` (line 120).
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Outdated version comment

The pinned commit hash now points to v3.0.0, but the trailing comment still reads # v2. This is misleading for anyone auditing the pinned hash.

Suggested change
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
Prompt To Fix With AI 
This is a comment left during a code review.
Path: .github/workflows/release-on-tag.yml
Line: 74

Comment:
**Outdated version comment**

The pinned commit hash now points to v3.0.0, but the trailing comment still reads `# v2`. This is misleading for anyone auditing the pinned hash.

```suggestion
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
```

How can I resolve this? If you propose a fix, please make it concise.

Copy link
Copy Markdown

@claude claude Bot Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Both workflow files pin the action to SHA b4309332981a82ec1c5618f44dd2e27cc8bfbfda (the v3.0.0 release commit) but the trailing comment still reads # v2 — it should be # v3. Update the comment in both .github/workflows/release-on-tag.yml (line 74) and .github/workflows/release.yml (line 120).

Extended reasoning...

What the bug is and how it manifests

Both workflow files were updated by this PR to pin softprops/action-gh-release to SHA b4309332981a82ec1c5618f44dd2e27cc8bfbfda, but the human-readable version comment appended to each uses: line was left unchanged as # v2. The SHA is the v3.0.0 release commit, making the comment factually incorrect.

The specific code path that triggers it

The stale comment appears in two places:

  • .github/workflows/release-on-tag.yml, line 74: uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2
  • .github/workflows/release.yml, line 120: uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2

In both cases the diff shows the old line also had # v2 — the Dependabot PR updated only the SHA and left the comment as-is.

Why existing code doesn't prevent it

Dependabot automates SHA updates but does not parse or update trailing version comments. There is no CI lint rule checking that the comment matches the actual version tag the SHA resolves to, so the mismatch goes undetected automatically.

What the impact would be

There is no runtime impact — GitHub Actions resolves the action by SHA, ignoring the comment entirely. The SHA b4309332981a82ec1c5618f44dd2e27cc8bfbfda will correctly execute v3.0.0 regardless. The harm is purely informational: any engineer auditing the workflow to verify the action version (e.g., during a security review or incident) will read # v2 and incorrectly conclude the workflow is running the v2 line, potentially spending time investigating a non-issue or missing that Node 24 is in use.

How to fix it

Change # v2 to # v3 on both affected lines:

uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3

Step-by-step proof

  1. The PR description's commit list confirms: b430933 release: cut v3.0.0 for Node 24 upgrade (#670) — the SHA b4309332981a82ec1c5618f44dd2e27cc8bfbfda is the v3.0.0 release commit.
  2. The diff shows both files changed from @153bb8e04406b158c6c84fc1615b65b24149a1fe # v2 to @b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2 — the SHA was updated but # v2 was preserved verbatim.
  3. An engineer reading either file today sees # v2 and infers the workflow uses a v2.x release, but the SHA actually points to v3.0.0. The comment is wrong in both files.

Note on the duplicate refutation

One verifier argued bug_002 is a duplicate of bug_001. While bug_001's description mentions "both workflow files", the two occurrences are in separate files at separate lines and each requires its own edit. The synthesis agent correctly merged them into a single unified report covering both locations.

with:
tag_name: v${{ steps.version.outputs.version }}
name: v${{ steps.version.outputs.version }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@ jobs:
echo -e "$NOTES" > release_notes.md

- name: Create GitHub Release
uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps Bot Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Outdated version comment

Same issue as release-on-tag.yml — the commit hash resolves to v3.0.0, not v2.

Suggested change
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
Prompt To Fix With AI 
This is a comment left during a code review.
Path: .github/workflows/release.yml
Line: 117

Comment:
**Outdated version comment**

Same issue as `release-on-tag.yml` — the commit hash resolves to v3.0.0, not v2.

```suggestion
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
```

How can I resolve this? If you propose a fix, please make it concise.

with:
tag_name: v${{ steps.version.outputs.version }}
name: v${{ steps.version.outputs.version }}
Expand Down
Loading