fix(deps): update bfra-me/renovate-action to v9.125.1 #2336
fro-bot
left a comment
Verdict: CONDITIONAL
Blocking issues
- `.changeset/old-mirrors-change.md:4` — changeset narrative does not match the bump. The changeset body reads `Bump bfra-me/renovate-action to 9.124.1 (resolves bfra-me/renovate-action#3418).`, but the workflow change and PR title both target 9.125.1 (and the diff jumps from `9.124.3` → `9.125.1`, skipping `9.124.1`). If merged as-is, the release note for `@bfra.me/.github` will describe a version that was never applied in this PR, and the linked issue (`#3418` — the `RENOVATE_VERSION 43.234.0` abort bug) is not the rationale for landing on `9.125.1`. Either:
  - rewrite the changeset to `Bump bfra-me/renovate-action to 9.125.1 (resolves bfra-me/renovate-action#3419 — bump Renovate to 43.242.0).`, or
  - re-target the bump to `9.124.1` if that was the actual intent (note: `9.124.1` is not strictly required to resolve `#3418` since the fixed Renovate `>= 43.234.1` is what matters, and the action’s pin was last advanced through `9.124.2` / `9.124.3` / `9.125.0` / `9.125.1` — pick the version that matches the PR title and update the body accordingly).

  Concrete remediation: edit `.changeset/old-mirrors-change.md` so the body mirrors the PR title (`v9.125.1`) and references the correct upstream issue (`#3419` for the `9.125.1` Renovate bump, or the merged feature issue if `9.125.0` / `9.125.1` is the change you want to call out).
Non-blocking concerns
- `.changeset/old-mirrors-change.md:6` — file is missing a trailing newline. The diff shows `\ No newline at end of file`. Most POSIX tools and the Changesets bot expect a final `\n`; please add one. The repo’s lint/prettier CI should also flag this — verify the pipeline is actually running on the `.changeset/` path.
- Version gap skipped (informational). The jump `9.124.3 → 9.125.1` transitively includes `9.124.1` (esbuild override — security), `9.124.2` (protected renovate overrides), `9.124.3` (fast-uri pin), `9.125.0` (post-upgrade task allowlist for Rust/Go/Ruby), and `9.125.1` (Renovate → 43.242.0). Consider whether any of these — especially the security ones — should be called out in the changeset body or release notes for traceability. Not blocking; the bump is semver-compatible.
Missing tests
None. Workflow-only change; the action’s own test suite is exercised in bfra-me/renovate-action. The @bfra.me/.github package is type-checked/lint-only, so no new tests are required for this PR.
Risk assessment: LOW
Rationale:
- The action is SHA-pinned to a verified commit (`f3ca82b2ae2439d5c75f04f5ac80f3ca7ace1747` matches tag `9.125.1`), satisfying the org’s "actions pinned to SHA" convention (AGENTS.md).
- No `run:` block, secret, or permission scope is changed — the diff is a single-line action version bump.
- The bump pulls in upstream Renovate `43.242.0`, which is past the `43.234.1` fix for the `productLinks`/`repository-changed` regression referenced in `bfra-me/renovate-action#3418`, so this is a net-positive security/stability change.
- Sole blocker is documentation accuracy in the changeset; once the version string and issue reference are aligned, this is a clean PASS.
Run Summary
fro-bot
left a comment
Verdict: PASS
The previously blocking findings have been resolved in commit 2246d6b chore: fix typo:
- Changeset version string aligned with the bump. `.changeset/old-mirrors-change.md:4` now reads `Bump bfra-me/renovate-action to 9.125.1 (resolves bfra-me/renovate-action#3418).` — matches the PR title, the workflow SHA pin, and the verified tag.
- Trailing newline added. The new diff no longer shows `\ No newline at end of file`. Confirmed clean.
Blocking issues
None.
Non-blocking concerns
- `.changeset/old-mirrors-change.md:4` — issue reference is accurate but indirect. `#3418` (the `RENOVATE_VERSION 43.234.0` `productLinks` abort) is genuinely resolved by this bump because `9.125.1` ships Renovate `43.242.0`, which is past the `43.234.1` upstream fix. However, the immediate change in `9.125.1` is tracked in `bfra-me/renovate-action#3419` (bump Renovate to `43.242.0`). For traceability, consider appending the direct reference, e.g. `(resolves bfra-me/renovate-action#3418, includes bfra-me/renovate-action#3419)`. Purely informational — not worth a re-review.
- Version-gap release-note enrichment (informational, retained from prior review). The `9.124.3 → 9.125.1` jump transitively includes `9.124.1` (esbuild override — security), `9.124.2` (protected renovate overrides), `9.124.3` (fast-uri pin), `9.125.0` (Rust/Go/Ruby `postUpgradeTasks` allowlist), and `9.125.1` (Renovate `43.242.0`). The security-relevant items (`9.124.1` esbuild, `9.124.3` fast-uri) are worth calling out in the generated release notes if `@bfra.me/.github` ever surfaces dependency changelogs. Optional.
Missing tests
None. Workflow-only change; action’s own test suite is exercised in bfra-me/renovate-action. No new tests required.
Risk assessment: LOW
Rationale:
- Action SHA pin verified: `f3ca82b2ae2439d5c75f04f5ac80f3ca7ace1747` resolves to tag `9.125.1` (re-verified this run).
- No `run:` block, secret, permission scope, or workflow injection surface is changed — single-line action version bump on an already-minimal `permissions: { contents: read }` job.
- Bump advances Renovate from `43.234.0` → `43.242.0`, closing the `productLinks`/`repository-changed` regression originally reported in `bfra-me/renovate-action#3418` and pulling in the upstream `43.234.1` fix plus three additional patch releases. Net-positive security and stability.
- Changeset narrative now matches the diff, and the file is well-formed (trailing newline present). Ready to merge.
Run Summary
| Field | Value |
|---|---|
| Event | pull_request |
| Repository | bfra-me/.github |
| Run ID | 28147430508 |
| Cache | hit |
| Session | ses_102eac57affeuRSendDNEmc6Sk |
| Verdict | PASS |
| Review event | approve |
| Files reviewed | .changeset/old-mirrors-change.md, .github/workflows/renovate.yaml |
| New commit on this push | 2246d6b (chore: fix typo) |
| SHA re-verified | f3ca82b2ae2439d5c75f04f5ac80f3ca7ace1747 → tag 9.125.1 (matches) |
| Prior review | 4567906663 CHANGES_REQUESTED (superseded by this approval) |
fro-bot
left a comment
Verdict: PASS
The informational suggestion from the prior review has been adopted in commit 3f16652 chore: add reference.
Changes since the last review
- `.changeset/old-mirrors-change.md:4` — direct upstream issue reference added. Body now reads `Bump bfra-me/renovate-action to 9.125.1 (resolves bfra-me/renovate-action#3418, includes bfra-me/renovate-action#3419).` This closes the only remaining nit from `pr-review-002`: the changeset now points at both the originally-tracked abort bug (`#3418`, transitively fixed by the Renovate `43.234.1+` bump) and the immediate change in `9.125.1` (`#3419`, Renovate → `43.242.0`). Trailing newline still present, frontmatter untouched (still `@bfra.me/.github: patch`).
- `.github/workflows/renovate.yaml:166` — unchanged from prior review. SHA pin `f3ca82b2ae2439d5c75f04f5ac80f3ca7ace1747` → tag `9.125.1` re-verified this run.
Blocking issues
None.
Non-blocking concerns
- Version-gap release-note enrichment (informational, retained). The `9.124.3 → 9.125.1` jump transitively includes `9.124.1` (esbuild override — security), `9.124.2` (protected renovate overrides), `9.124.3` (fast-uri pin), `9.125.0` (Rust/Go/Ruby `postUpgradeTasks` allowlist), and `9.125.1` (Renovate `43.242.0`). The security-relevant items (`9.124.1` esbuild, `9.124.3` fast-uri) are worth surfacing in the generated release notes if `@bfra.me/.github` ever emits dependency changelogs. Optional and out of scope for this PR.
Missing tests
None. Workflow-only change; action’s own test suite is exercised in bfra-me/renovate-action. No new tests required.
Risk assessment: LOW
Rationale (unchanged from prior review, re-confirmed):
- Action SHA pin re-verified: `f3ca82b2ae2439d5c75f04f5ac80f3ca7ace1747` resolves to tag `9.125.1`.
- No `run:` block, secret, permission scope, or workflow injection surface is touched — single-line action version bump on an already-minimal `permissions: { contents: read }` job.
- Bump advances Renovate from `43.234.0` → `43.242.0`, closing the `productLinks`/`repository-changed` regression reported in `bfra-me/renovate-action#3418` and pulling in the upstream `43.234.1` fix plus three additional patch releases (esbuild override, fast-uri pin, protected-override guard). Net-positive security and stability.
- Changeset is now fully accurate (version, transitive resolution, direct fix), well-formed, and bump type (`patch`) matches the workflow-only change scope. Ready to merge.

No description provided.
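The checks the reviews above perform by hand (action pinned to a full commit SHA, changeset version matching the pinned version, trailing newline present) can be automated in CI. The following is an added example, not code from this PR or from bfra-me; `review_bump` is a hypothetical helper, the `# <version>` comment after the SHA is an assumed pin style, and the workflow and changeset texts are constructed from the wording quoted in the reviews.

```python
import re

# Assumed pin style: "uses: owner/repo@<40-hex sha> # <version>".
USES_RE = re.compile(
    r"uses:\s*(?P<action>[\w.-]+/[\w.-]+)@(?P<ref>\S+)"
    r"(?:\s*#\s*v?(?P<ver>\d+\.\d+\.\d+))?"
)
BUMP_RE = re.compile(r"Bump (?P<action>[\w.-]+/[\w.-]+) to v?(?P<ver>\d+\.\d+\.\d+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def review_bump(workflow: str, changeset: str, action: str) -> list[str]:
    """Return findings for one action bump; an empty list means consistent."""
    findings = []
    pinned = set()  # versions named in the comment next to each pin
    for m in USES_RE.finditer(workflow):
        if m["action"] != action:
            continue
        if not FULL_SHA.fullmatch(m["ref"]):
            findings.append(f"{action}@{m['ref']}: not pinned to a full commit SHA")
        if m["ver"]:
            pinned.add(m["ver"])
        else:
            findings.append(f"{action}: pin has no version comment")
    bump = next((b for b in BUMP_RE.finditer(changeset) if b["action"] == action), None)
    if bump is None:
        findings.append(f"changeset does not mention a bump of {action}")
    elif pinned and bump["ver"] not in pinned:
        findings.append(f"changeset says {bump['ver']}, workflow pins {sorted(pinned)}")
    if not changeset.endswith("\n"):
        findings.append("changeset is missing a trailing newline")
    return findings


ACTION = "bfra-me/renovate-action"
# Constructed inputs: SHA and versions are the ones quoted in the reviews.
WORKFLOW = (
    "    steps:\n"
    "      - uses: bfra-me/renovate-action@f3ca82b2ae2439d5c75f04f5ac80f3ca7ace1747 # 9.125.1\n"
)
HEADER = "---\n'@bfra.me/.github': patch\n---\n\n"
CHANGESET_BEFORE = HEADER + "Bump bfra-me/renovate-action to 9.124.1 (resolves bfra-me/renovate-action#3418)."
CHANGESET_AFTER = HEADER + "Bump bfra-me/renovate-action to 9.125.1 (resolves bfra-me/renovate-action#3418).\n"

if __name__ == "__main__":
    for label, cs in (("before", CHANGESET_BEFORE), ("after", CHANGESET_AFTER)):
        print(label, review_bump(WORKFLOW, cs, ACTION))
```

This only checks internal consistency of the diff; confirming that the SHA actually resolves to the claimed tag still requires a lookup against the upstream repository.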