chore(deps): update release-plz/action digest to e879257 #171
PR author is in the excluded authors list.
📝 Walkthrough
The PR updates the pinned commit SHA for the
Changes: Release Workflow Maintenance
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks: ✅ 5 passed
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release-plz.yml:
- Line 20: The workflow uses a pinned commit for release-plz/action
(`release-plz/action@e8792575c7f2366cf6ff3ccc33ead9ace5b691c7`) but the trailing
comment `# v0.5` points to a different commit; fix by updating the pinned SHA to
the commit that the v0.5 tag references (or remove/update the `# v0.5` comment
if you intend to pin a different commit) so the pin and tag annotation are
consistent in the release-plz action invocation; ensure tokens/permissions
(RELEASE_PLZ_TOKEN, CARGO_REGISTRY_TOKEN and contents: write / pull-requests:
write) remain intact.
📒 Files selected for processing (1)
.github/workflows/release-plz.yml
| fetch-depth: 0 | ||
| - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable | ||
| - uses: release-plz/action@064f4d1e36c843611ddf013be726beaa4ad804db # v0.5 | ||
| - uses: release-plz/action@e8792575c7f2366cf6ff3ccc33ead9ace5b691c7 # v0.5 |
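Review bot: The trailing `# v0.5` comment on the `release-plz/action` line is the same on the removed and the added line, so the label cannot identify a single commit and gives a reviewer no way to check what `e8792575c7f2366cf6ff3ccc33ead9ace5b691c7` corresponds to. Before merging, confirm that the new SHA is a commit in the upstream repository that the tag actually resolved to, and consider annotating the pin with the exact release tag it was taken from rather than `v0.5`, so the SHA and its comment can be verified as a pair on the next bump.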
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Verify the release-plz/action commit SHA corresponds to v0.5
# Fetch the v0.5 tag and verify the commit SHA
echo "Checking if commit e8792575c7f2366cf6ff3ccc33ead9ace5b691c7 exists and matches v0.5..."
gh api repos/release-plz/action/commits/e8792575c7f2366cf6ff3ccc33ead9ace5b691c7 --jq '{sha: .sha, commit_message: .commit.message, author_date: .commit.author.date}'
echo -e "\nFetching v0.5 tag information..."
gh api repos/release-plz/action/git/ref/tags/v0.5 --jq '{ref: .ref, sha: .object.sha}'
echo -e "\nChecking for security advisories..."
gh api graphql -f query='
{
repository(owner: "release-plz", name: "action") {
vulnerabilityAlerts(first: 5) {
nodes {
securityVulnerability {
advisory {
summary
severity
publishedAt
}
}
}
}
}
}'
Repository: jdx/demand
Length of output: 595
🌐 Web query:
release-plz/action v0.5 changelog or commit e879257
💡 Result:
I can’t reliably identify the changelog entry for commit e879257 in release-plz/action v0.5, because none of the web results I found contain that commit hash (e879257) or map it to a specific release (v0.5.x) / changelog section in the action repository. What I can confirm from authoritative sources: 1) The official repository release feed exists at https://github.com/release-plz/action/releases, and it lists many “What’s Changed” items per tag, but the search results shown here don’t surface an entry for e879257 specifically. 2) release-plz/action’s latest recorded release (as surfaced in the results) is v0.5.128 (2026-03-07), but that still doesn’t connect to e879257. If you can provide either (a) the full commit SHA for e879257 (7 hex is ambiguous), or (b) the specific v0.5.x tag that contains that commit, I can pinpoint the exact changelog lines for that change. As-is, any attempt to attribute “e879257” to a particular v0.5 changelog would be guesswork.
Citations:
- 1: https://github.com/release-plz/action/releases
- 2: https://github.com/release-plz/action
- 3: release-plz/action@db75300...476794e
- 4: https://release-plz.dev/docs/github/quickstart
- 5: https://github.com/release-plz/release-plz/
Fix release-plz/action pin/tag mismatch (v0.5)
This workflow has contents: write / pull-requests: write and uses RELEASE_PLZ_TOKEN + CARGO_REGISTRY_TOKEN, so the action version pin needs to be consistent. The commit release-plz/action@e8792575c7f2366cf6ff3ccc33ead9ace5b691c7 exists, but the v0.5 tag points to d22c02a7cf6d7870bd163be7c7d9518d331aef34, so the # v0.5 annotation is inconsistent with the pinned SHA.
Update the pinned SHA to the v0.5 tag’s commit (or remove/update the # v0.5 comment if intentionally not using the v0.5 tag).
Security-advisory lookup for release-plz/action requires authenticated GitHub API access (the unauthenticated call fails); run it with proper auth or check the repo’s security advisories before merging.
This PR contains the following updates:
064f4d1 → e879257
Configuration
📅 Schedule: (in timezone America/Chicago)
* * * * 5)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
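The pin-versus-tag comparison that the review comment above performs by hand, as an added example (not code from this PR, CodeRabbit or release-plz): it parses SHA-pinned `uses:` lines and compares each pin with the commit its trailing comment names. It goes one step beyond the page by dereferencing annotated tags, whose ref holds a tag-object SHA rather than a commit SHA. The API responses are constructed; the `example-org/example-action` step and the object types are assumptions.

```python
import re

# Matches SHA-pinned steps such as: uses: owner/repo@<40-hex> # label
USES_RE = re.compile(
    r"uses:\s*(?P<repo>[\w.-]+/[\w.-]+)@(?P<sha>[0-9a-f]{40})\s*#\s*(?P<label>\S+)")

def resolve_tag(repo, tag, refs, tag_objects):
    """Return the commit SHA a tag points to, or None if the tag is unknown.

    refs mimics GET /repos/{repo}/git/ref/tags/{tag}; tag_objects mimics
    GET /repos/{repo}/git/tags/{sha}. An annotated tag's ref holds the SHA of
    a tag object, which must be dereferenced before comparing with a pin.
    """
    ref = refs.get((repo, tag))
    if ref is None:
        return None
    obj = ref["object"]
    while obj["type"] == "tag":
        obj = tag_objects[obj["sha"]]["object"]
    return obj["sha"]

def audit(workflow_text, refs, tag_objects):
    """Compare every pinned SHA with the commit its trailing comment names."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        commit = resolve_tag(m["repo"], m["label"], refs, tag_objects)
        status = ("unknown-tag" if commit is None
                  else "match" if commit == m["sha"] else "mismatch")
        findings.append((m["repo"], m["label"], status))
    return findings

# Workflow lines from the page plus one constructed step (example-org/...).
WORKFLOW = (
    "- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable\n"
    "- uses: release-plz/action@e8792575c7f2366cf6ff3ccc33ead9ace5b691c7 # v0.5\n"
    "- uses: example-org/example-action@" + "a" * 40 + " # v1\n")
# Constructed API responses. The v0.5 target is the SHA the review comment
# reports; its "commit" type and the whole example-org entry are assumptions.
REFS = {
    ("release-plz/action", "v0.5"): {"object": {
        "type": "commit", "sha": "d22c02a7cf6d7870bd163be7c7d9518d331aef34"}},
    ("example-org/example-action", "v1"): {"object": {"type": "tag", "sha": "b" * 40}},
}
TAG_OBJECTS = {"b" * 40: {"object": {"type": "commit", "sha": "a" * 40}}}

if __name__ == "__main__":
    for finding in audit(WORKFLOW, REFS, TAG_OBJECTS):
        print(finding)
```

A label such as `stable` that is not a tag is reported as `unknown-tag` rather than as a mismatch, so free-form comments do not produce false findings.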