fix(deps): update bfra-me/renovate-action to v9.125.1 by marcusrbrown · Pull Request #2336 · bfra-me/.github · GitHub

fix(deps): update bfra-me/renovate-action to v9.125.1#2336

Merged: marcusrbrown merged 3 commits into main from plum-zestful-koala on Jun 25, 2026
@marcusrbrown

Member

No description provided.

@marcusrbrown marcusrbrown self-assigned this Jun 25, 2026
@bfra-me bfra-me Bot added documentation Improvements or additions to documentation renovate Renovate bot updates workflows Changes to GitHub Actions workflows labels Jun 25, 2026
@bfra-me bfra-me Bot requested a review from fro-bot June 25, 2026 04:40

@fro-bot fro-bot left a comment

Collaborator

Verdict: CONDITIONAL

Blocking issues

  • .changeset/old-mirrors-change.md:4 — changeset narrative does not match the bump. The changeset body reads Bump bfra-me/renovate-action to 9.124.1 (resolves bfra-me/renovate-action#3418)., but the workflow change and PR title both target 9.125.1 (and the diff jumps from 9.124.3 → 9.125.1, skipping 9.124.1). If merged as-is, the release note for @bfra.me/.github will describe a version that was never applied in this PR, and the linked issue (#3418 — the RENOVATE_VERSION 43.234.0 abort bug) is not the rationale for landing on 9.125.1. Either:

    • rewrite the changeset to Bump bfra-me/renovate-action to 9.125.1 (resolves bfra-me/renovate-action#3419 — bump Renovate to 43.242.0)., or
    • re-target the bump to 9.124.1 if that was the actual intent (note: 9.124.1 is not strictly required to resolve #3418 since the fixed Renovate >= 43.234.1 is what matters, and the action’s pin was last advanced through 9.124.2/9.124.3/9.125.0/9.125.1 — pick the version that matches the PR title and update the body accordingly).

    Concrete remediation: edit .changeset/old-mirrors-change.md so the body mirrors the PR title (v9.125.1) and references the correct upstream issue (#3419 for the 9.125.1 Renovate bump, or the merged feature issue if 9.125.0 / 9.125.1 is the change you want to call out).

Non-blocking concerns

  • .changeset/old-mirrors-change.md:6 — file is missing a trailing newline. The diff shows \ No newline at end of file. Most POSIX tools and the Changesets bot expect a final \n; please add one. The repo’s lint/prettier CI should also flag this — verify the pipeline is actually running on the .changeset/ path.
  • Version gap skipped (informational). The jump 9.124.3 → 9.125.1 transitively includes 9.124.1 (esbuild override — security), 9.124.2 (protected renovate overrides), 9.124.3 (fast-uri pin), 9.125.0 (post-upgrade task allowlist for Rust/Go/Ruby), and 9.125.1 (Renovate → 43.242.0). Consider whether any of these — especially the security ones — should be called out in the changeset body or release notes for traceability. Not blocking; the bump is semver-compatible.

Missing tests

None. Workflow-only change; the action’s own test suite is exercised in bfra-me/renovate-action. The @bfra.me/.github package is type-checked/lint-only, so no new tests are required for this PR.

Risk assessment: LOW

Rationale:

  • The action is SHA-pinned to a verified commit (f3ca82b2ae2439d5c75f04f5ac80f3ca7ace1747 matches tag 9.125.1), satisfying the org’s "actions pinned to SHA" convention (AGENTS.md).
  • No run: block, secret, or permission scope is changed — the diff is a single-line action version bump.
  • The bump pulls in upstream Renovate 43.242.0, which is past the 43.234.1 fix for the productLinks / repository-changed regression referenced in bfra-me/renovate-action#3418, so this is a net-positive security/stability change.
  • Sole blocker is documentation accuracy in the changeset; once the version string and issue reference are aligned, this is a clean PASS.

Run Summary
| Field | Value |
| --- | --- |
| Event | pull_request |
| Repository | bfra-me/.github |
| Run ID | 28147299239 |
| Cache | hit |
| Session | ses_102eac57affeuRSendDNEmc6Sk |
| Verdict | CONDITIONAL |
| Review event | request-changes |
| Files reviewed | .changeset/old-mirrors-change.md, .github/workflows/renovate.yaml |
| SHA verified | f3ca82b2ae2439d5c75f04f5ac80f3ca7ace1747 → tag 9.125.1 (matches) |
| Upstream issues cross-referenced | bfra-me/renovate-action#3417 (9.125.0), #3418 (9.124.x security context), #3419 (9.125.1) |
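
The two local checks this review turns on (the action is pinned to a full commit SHA, and the changeset names the same version as the pin) can be automated before a reviewer ever sees the PR. The following is an added example, not code from bfra-me/.github or fro-bot; the workflow fragment, the `# v9.125.1` version comment and the changeset front-matter quoting are constructed, and confirming that the SHA really resolves to the tag still requires a lookup against the upstream repository.

```python
import re

# A `uses:` step, optionally followed by the "# v1.2.3" comment Renovate writes.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>\S+)"
    r"(?:\s+#\s*v?(?P<tag>\d+\.\d+\.\d+))?\s*$"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_bump(workflow_text, changeset_text, action):
    """Return findings for one action's pin and the changeset describing it."""
    findings = []
    # Version the changeset claims, taken from "Bump <action> to <version>".
    claim = re.search(rf"{re.escape(action)} to v?(\d+\.\d+\.\d+)", changeset_text)
    if claim is None:
        findings.append("changeset: no '<action> to <version>' statement")
    if not changeset_text.endswith("\n"):
        findings.append("changeset: missing trailing newline")
    pins = [m for m in map(USES_RE.match, workflow_text.splitlines())
            if m and m["action"] == action]
    if not pins:
        findings.append(f"workflow: no uses: line for {action}")
    for m in pins:
        if not FULL_SHA_RE.fullmatch(m["ref"]):
            findings.append(f"workflow: ref '{m['ref']}' is not a full commit SHA")
        if m["tag"] is None:
            findings.append("workflow: pin has no version comment")
        elif claim and claim[1] != m["tag"]:
            findings.append(f"changeset says {claim[1]}, workflow pins {m['tag']}")
    return findings


# Constructed inputs: the SHA and versions come from the review above,
# the surrounding YAML and changeset layout are illustrative.
ACTION = "bfra-me/renovate-action"
WORKFLOW = """\
jobs:
  renovate:
    permissions: { contents: read }
    steps:
      - uses: bfra-me/renovate-action@f3ca82b2ae2439d5c75f04f5ac80f3ca7ace1747 # v9.125.1
"""
CHANGESET_BEFORE = ("---\n'@bfra.me/.github': patch\n---\n\n"
                    "Bump bfra-me/renovate-action to 9.124.1 "
                    "(resolves bfra-me/renovate-action#3418).")
CHANGESET_AFTER = CHANGESET_BEFORE.replace("9.124.1", "9.125.1") + "\n"

if __name__ == "__main__":
    print(audit_bump(WORKFLOW, CHANGESET_BEFORE, ACTION))
```

Run against the constructed "before" changeset it reports the missing trailing newline and the 9.124.1 versus 9.125.1 mismatch; the "after" changeset produces no findings.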

@bfra-me bfra-me Bot requested a review from fro-bot June 25, 2026 04:44
fro-bot previously approved these changes Jun 25, 2026

@fro-bot fro-bot left a comment

Collaborator

Verdict: PASS

The previously blocking findings have been resolved in commit 2246d6b chore: fix typo:

  • Changeset version string aligned with the bump. .changeset/old-mirrors-change.md:4 now reads Bump bfra-me/renovate-action to 9.125.1 (resolves bfra-me/renovate-action#3418). — matches the PR title, the workflow SHA pin, and the verified tag.
  • Trailing newline added. The new diff no longer shows \ No newline at end of file. Confirmed clean.

Blocking issues

None.

Non-blocking concerns

  • .changeset/old-mirrors-change.md:4 — issue reference is accurate but indirect. #3418 (the RENOVATE_VERSION 43.234.0 productLinks abort) is genuinely resolved by this bump because 9.125.1 ships Renovate 43.242.0, which is past the 43.234.1 upstream fix. However, the immediate change in 9.125.1 is tracked in bfra-me/renovate-action#3419 (bump Renovate to 43.242.0). For traceability, consider appending the direct reference, e.g. (resolves bfra-me/renovate-action#3418, includes bfra-me/renovate-action#3419). Purely informational — not worth a re-review.
  • Version-gap release-note enrichment (informational, retained from prior review). The 9.124.3 → 9.125.1 jump transitively includes 9.124.1 (esbuild override — security), 9.124.2 (protected renovate overrides), 9.124.3 (fast-uri pin), 9.125.0 (Rust/Go/Ruby postUpgradeTasks allowlist), and 9.125.1 (Renovate 43.242.0). The security-relevant items (9.124.1 esbuild, 9.124.3 fast-uri) are worth calling out in the generated release notes if @bfra.me/.github ever surfaces dependency changelogs. Optional.

Missing tests

None. Workflow-only change; action’s own test suite is exercised in bfra-me/renovate-action. No new tests required.

Risk assessment: LOW

Rationale:

  • Action SHA pin verified: f3ca82b2ae2439d5c75f04f5ac80f3ca7ace1747 resolves to tag 9.125.1 (re-verified this run).
  • No run: block, secret, permission scope, or workflow injection surface is changed — single-line action version bump on an already-minimal permissions: { contents: read } job.
  • Bump advances Renovate from 43.234.0 → 43.242.0, closing the productLinks / repository-changed regression originally reported in bfra-me/renovate-action#3418 and pulling in the upstream 43.234.1 fix plus three additional patch releases. Net-positive security and stability.
  • Changeset narrative now matches the diff, and the file is well-formed (trailing newline present). Ready to merge.

Run Summary
| Field | Value |
| --- | --- |
| Event | pull_request |
| Repository | bfra-me/.github |
| Run ID | 28147430508 |
| Cache | hit |
| Session | ses_102eac57affeuRSendDNEmc6Sk |
| Verdict | PASS |
| Review event | approve |
| Files reviewed | .changeset/old-mirrors-change.md, .github/workflows/renovate.yaml |
| New commit on this push | 2246d6b (chore: fix typo) |
| SHA re-verified | f3ca82b2ae2439d5c75f04f5ac80f3ca7ace1747 → tag 9.125.1 (matches) |
| Prior review | 4567906663 CHANGES_REQUESTED (superseded by this approval) |

@fro-bot fro-bot left a comment

Collaborator

Verdict: PASS

The informational suggestion from the prior review has been adopted in commit 3f16652 chore: add reference.

Changes since the last review

  • .changeset/old-mirrors-change.md:4 — direct upstream issue reference added. Body now reads Bump bfra-me/renovate-action to 9.125.1 (resolves bfra-me/renovate-action#3418, includes bfra-me/renovate-action#3419). This closes the only remaining nit from pr-review-002: the changeset now points at both the originally-tracked abort bug (#3418, transitively fixed by the Renovate 43.234.1+ bump) and the immediate change in 9.125.1 (#3419, Renovate → 43.242.0). Trailing newline still present, frontmatter untouched (still @bfra.me/.github: patch).
  • .github/workflows/renovate.yaml:166 — unchanged from prior review. SHA pin f3ca82b2ae2439d5c75f04f5ac80f3ca7ace1747 → tag 9.125.1 re-verified this run.

Blocking issues

None.

Non-blocking concerns

  • Version-gap release-note enrichment (informational, retained). The 9.124.3 → 9.125.1 jump transitively includes 9.124.1 (esbuild override — security), 9.124.2 (protected renovate overrides), 9.124.3 (fast-uri pin), 9.125.0 (Rust/Go/Ruby postUpgradeTasks allowlist), and 9.125.1 (Renovate 43.242.0). The security-relevant items (9.124.1 esbuild, 9.124.3 fast-uri) are worth surfacing in the generated release notes if @bfra.me/.github ever emits dependency changelogs. Optional and out of scope for this PR.

Missing tests

None. Workflow-only change; action’s own test suite is exercised in bfra-me/renovate-action. No new tests required.

Risk assessment: LOW

Rationale (unchanged from prior review, re-confirmed):

  • Action SHA pin re-verified: f3ca82b2ae2439d5c75f04f5ac80f3ca7ace1747 resolves to tag 9.125.1.
  • No run: block, secret, permission scope, or workflow injection surface is touched — single-line action version bump on an already-minimal permissions: { contents: read } job.
  • Bump advances Renovate from 43.234.0 → 43.242.0, closing the productLinks / repository-changed regression reported in bfra-me/renovate-action#3418 and pulling in the upstream 43.234.1 fix plus three additional patch releases (esbuild override, fast-uri pin, protected-override guard). Net-positive security and stability.
  • Changeset is now fully accurate (version, transitive resolution, direct fix), well-formed, and bump type (patch) matches the workflow-only change scope. Ready to merge.

Run Summary
| Field | Value |
| --- | --- |
| Event | pull_request |
| Repository | bfra-me/.github |
| Run ID | 28147527388 |
| Cache | hit |
| Session | ses_102eac57affeuRSendDNEmc6Sk |
| Verdict | PASS |
| Review event | approve |
| Files reviewed | .changeset/old-mirrors-change.md, .github/workflows/renovate.yaml |
| New commit on this push | 3f16652 (chore: add reference) |
| SHA re-verified | f3ca82b2ae2439d5c75f04f5ac80f3ca7ace1747 → tag 9.125.1 (matches) |
| Prior reviews | 4567906663 CHANGES_REQUESTED (superseded), 4567917980 DISMISSED (superseded by this approval) |

@marcusrbrown marcusrbrown merged commit a017301 into main Jun 25, 2026
13 checks passed
@marcusrbrown marcusrbrown deleted the plum-zestful-koala branch June 25, 2026 04:50