
build(deps): bump tj-actions/changed-files from 44 to 46 in /.github/workflows

Open dependabot[bot] opened this issue 7 months ago • 1 comments

Bumps tj-actions/changed-files from 44 to 46.

Release notes

Sourced from tj-actions/changed-files's releases.

v46

Changes in v46.0.5

What's Changed

Full Changelog: https://github.com/tj-actions/changed-files/compare/v46...v46.0.5


Changes in v46.0.4

What's Changed

Full Changelog: https://github.com/tj-actions/changed-files/compare/v46...v46.0.4


Changes in v46.0.3

What's Changed

Full Changelog: https://github.com/tj-actions/changed-files/compare/v46...v46.0.3


Changes in v46.0.2

What's Changed

... (truncated)

Changelog

Sourced from tj-actions/changed-files's changelog.

Changelog

46.0.5 - (2025-04-09)

⚙️ Miscellaneous Tasks

  • deps: Bump yaml from 2.7.0 to 2.7.1 (#2520) (ed68ef8) - (dependabot[bot])
  • deps-dev: Bump typescript from 5.8.2 to 5.8.3 (#2516) (a7bc14b) - (dependabot[bot])
  • deps-dev: Bump @types/node from 22.13.11 to 22.14.0 (#2517) (3d751f6) - (dependabot[bot])
  • deps-dev: Bump eslint-plugin-prettier from 5.2.3 to 5.2.6 (#2519) (e2fda4e) - (dependabot[bot])
  • deps-dev: Bump ts-jest from 29.2.6 to 29.3.1 (#2518) (0bed1b1) - (dependabot[bot])
  • deps: Bump github/codeql-action from 3.28.12 to 3.28.15 (#2530) (6802458) - (dependabot[bot])
  • deps: Bump tj-actions/branch-names from 8.0.1 to 8.1.0 (#2521) (cf2e39e) - (dependabot[bot])
  • deps: Bump tj-actions/verify-changed-files from 20.0.1 to 20.0.4 (#2523) (6abeaa5) - (dependabot[bot])

⬆️ Upgrades

  • Upgraded to v46.0.4 (#2511)

Co-authored-by: github-actions[bot] (6f67ee9) - (github-actions[bot])

46.0.4 - (2025-04-03)

🐛 Bug Fixes

  • Bug modified_keys and changed_key outputs not set when no changes detected (#2509) (6cb76d0) - (Tonye Jack)

📚 Documentation

⬆️ Upgrades

  • Upgraded to v46.0.3 (#2506)

Co-authored-by: github-actions[bot] Co-authored-by: Tonye Jack [email protected] (27ae6b3) - (github-actions[bot])

46.0.3 - (2025-03-23)

🔄 Update

  • Updated README.md (#2501)

Co-authored-by: github-actions[bot] (41e0de5) - (github-actions[bot])

  • Updated README.md (#2499)

Co-authored-by: github-actions[bot] (9457878) - (github-actions[bot])

📚 Documentation

... (truncated)

Commits
  • ed68ef8 chore(deps): bump yaml from 2.7.0 to 2.7.1 (#2520)
  • a7bc14b chore(deps-dev): bump typescript from 5.8.2 to 5.8.3 (#2516)
  • 3d751f6 chore(deps-dev): bump @types/node from 22.13.11 to 22.14.0 (#2517)
  • e2fda4e chore(deps-dev): bump eslint-plugin-prettier from 5.2.3 to 5.2.6 (#2519)
  • 0bed1b1 chore(deps-dev): bump ts-jest from 29.2.6 to 29.3.1 (#2518)
  • 6802458 chore(deps): bump github/codeql-action from 3.28.12 to 3.28.15 (#2530)
  • cf2e39e chore(deps): bump tj-actions/branch-names from 8.0.1 to 8.1.0 (#2521)
  • 6abeaa5 chore(deps): bump tj-actions/verify-changed-files from 20.0.1 to 20.0.4 (#2523)
  • 6f67ee9 Upgraded to v46.0.4 (#2511)
  • 6cb76d0 fix: bug modified_keys and changed_key outputs not set when no changes detect...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page.

dependabot[bot] avatar Apr 22 '25 16:04 dependabot[bot]

I had a look at workflow logs, and it seems we didn't run anything on Mar 14/15:

This is just before (Mar 13)

  • lint run #1076 https://github.com/beetbox/beets/actions/runs/13830068268/job/38692168362
  • ci run #4352 https://github.com/beetbox/beets/actions/runs/13901313003/job/38893541291

This is afterwards (Mar 17)

  • lint run #1077 https://github.com/beetbox/beets/actions/runs/13901218919/job/38893219000
  • ci run #4351 https://github.com/beetbox/beets/actions/runs/13901218899/job/38893219036

These issues are about the action compromise:

  • https://github.com/tj-actions/changed-files/issues/2464
  • https://github.com/tj-actions/changed-files/issues/2463
  • https://github.com/reviewdog/reviewdog/issues/2079

We don't need to update, since the malicious commit of changed-files has been removed. I've read the suggestion to pin actions to specific SHA hashes rather than tags. Should we do something like that?

wisp3rwind avatar Apr 22 '25 17:04 wisp3rwind
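The SHA-pinning suggestion in the comment above, as an added example that is not part of this thread or of the beets project: a small checker that flags `uses:` references pinned to a mutable tag or branch and rewrites one of them to a commit SHA. The workflow text is constructed, and the SHA values are placeholders, not real commits.

```python
import re

# A remote action reference on a `uses:` line: owner/repo[/path]@ref, optionally quoted.
USES_RE = re.compile(
    r"""^(?P<prefix>\s*-?\s*uses:\s*)(?P<q>['"]?)(?P<action>[^'"\s@#]+)@(?P<ref>[^'"\s#]+)(?P=q)"""
)
# Only a full 40-hex commit SHA is immutable; tags (v44) and branches (main) can be moved.
SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow (not from the beets repository). The SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v44
      - uses: ./.github/actions/local-helper
      - uses: actions/setup-python@0000000000000000000000000000000000000000 # v5 (placeholder SHA)
"""

def is_immutable_ref(ref):
    return SHA_RE.fullmatch(ref) is not None

def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for each remote action pinned to a mutable ref.
    Local actions (./path) and docker:// images carry no @ref and are skipped."""
    hits = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_immutable_ref(m.group("ref")):
            hits.append((n, m.group("action"), m.group("ref")))
    return hits

def pin_line(line, sha, version):
    """Rewrite one `uses:` line to a commit SHA. The trailing version comment keeps the
    pin readable and is what Dependabot updates alongside the SHA on later bumps."""
    m = USES_RE.match(line)
    if m is None or not is_immutable_ref(sha):
        raise ValueError("not a remote action reference, or sha is not 40 hex characters")
    return f"{m.group('prefix')}{m.group('action')}@{sha} # {version}"

if __name__ == "__main__":
    for n, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} is pinned to a mutable ref")
```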

> I had a look at workflow logs, and it seems we didn't run anything on Mar 14/15:
>
> This is just before (Mar 13)
>
> * lint run `#1076` https://github.com/beetbox/beets/actions/runs/13830068268/job/38692168362
> * ci run `#4352` https://github.com/beetbox/beets/actions/runs/13901313003/job/38893541291
>
> This is afterwards (Mar 17)
>
> * lint run `#1077` https://github.com/beetbox/beets/actions/runs/13901218919/job/38893219000
> * ci run `#4351` https://github.com/beetbox/beets/actions/runs/13901218899/job/38893219036
>
> These issues are about the action compromise:
>
> * [[BUG] Pretty sure this repo got hacked and if you use this it will send your secrets to a hacker tj-actions/changed-files#2464](https://github.com/tj-actions/changed-files/issues/2464)
> * [Multiple tags in this action are compromised tj-actions/changed-files#2463](https://github.com/tj-actions/changed-files/issues/2463)
> * [[Security Advisory] Supply Chain Attack on reviewdog GitHub Actions during a specific time period reviewdog/reviewdog#2079](https://github.com/reviewdog/reviewdog/issues/2079)
>
> We don't need to update, since the malicious commit of changed-files has been removed. I've read the suggestion to pin actions to specific SHA hashes rather than tags. Should we do something like that?

I doubt it's worth it, given how rarely such an issue occurs.

snejus avatar Jun 30 '25 08:06 snejus

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot[bot] avatar Jun 30 '25 08:06 dependabot[bot]