langchain

mirror of https://github.com/hwchase17/langchain.git synced 2026-05-14 19:05:21 +00:00

Author	SHA1	Message	Date
Mason Daugherty	6443612fa3	ci: pin all actions to full-length commit SHAs (#36621 ) Pin all remaining GitHub Actions references to full-length commit SHAs, matching the convention already established by third-party actions in this repo. This is a prerequisite for enabling GitHub's "Require actions to be pinned to a full-length commit SHA" repository ruleset, which mitigates tag-hijacking supply chain attacks.	2026-04-08 19:02:58 -04:00
dependabot[bot]	b8caf9ef10	chore: bump mikefarah/yq from 88a31ae8c6b34aad77d2efdecc146113cb3315d0 to 17f66dc6c6a177fafd8b71a6abea6d6340aa1e16 (#36422 ) Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 88a31ae8c6b34aad77d2efdecc146113cb3315d0 to 17f66dc6c6a177fafd8b71a6abea6d6340aa1e16. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/mikefarah/yq/blob/master/release_notes.txt">mikefarah/yq's changelog</a>.</em></p> <blockquote> <p>4.52.5:</p> <ul> <li>Fix: reset TOML decoder state between files (<a href="https://redirect.github.com/mikefarah/yq/issues/2634">#2634</a>) thanks <a href="https://github.com/terminalchai"><code>@terminalchai</code></a></li> <li>Fix: preserve original filename when using --front-matter (<a href="https://redirect.github.com/mikefarah/yq/issues/2613">#2613</a>) thanks <a href="https://github.com/cobyfrombrooklyn-bot"><code>@cobyfrombrooklyn-bot</code></a></li> <li>Fix typo in filename (<a href="https://redirect.github.com/mikefarah/yq/issues/2611">#2611</a>) thanks <a href="https://github.com/alexandear"><code>@alexandear</code></a></li> <li>Bumped dependencies</li> </ul> <p>4.52.4:</p> <ul> <li>Dropping windows/arm - no longer supported in cross-compile</li> </ul> <p>4.52.3:</p> <ul> <li>Fixing comments in TOML arrays (<a href="https://redirect.github.com/mikefarah/yq/issues/2592">#2592</a>)</li> <li>Bumped dependencies</li> </ul> <p>4.52.2:</p> <ul> <li>Fixed bad instructions file breaking go-install (<a href="https://redirect.github.com/mikefarah/yq/issues/2587">#2587</a>) Thanks <a href="https://github.com/theyoprst"><code>@theyoprst</code></a></li> <li>Fixed TOML table scope after comments (<a href="https://redirect.github.com/mikefarah/yq/issues/2588">#2588</a>) Thanks <a href="https://github.com/tomers"><code>@tomers</code></a></li> <li>Multiply uses a readonly context (<a href="https://redirect.github.com/mikefarah/yq/issues/2558">#2558</a>)</li> <li>Fixed merge globbing wildcards in keys (<a href="https://redirect.github.com/mikefarah/yq/issues/2564">#2564</a>)</li> <li>Fixing TOML subarray parsing issue (<a href="https://redirect.github.com/mikefarah/yq/issues/2581">#2581</a>)</li> </ul> <p>4.52.1:</p> <ul> <li> <p>TOML encoder support - you can now roundtrip! <a href="https://redirect.github.com/mikefarah/yq/issues/1364">#1364</a></p> </li> <li> <p>Parent now supports negative indices, and added a 'root' command for referencing the top level document</p> </li> <li> <p>Fixed scalar encoding for HCL</p> </li> <li> <p>Add --yaml-compact-seq-indent / -c flag for compact sequence indentation (<a href="https://redirect.github.com/mikefarah/yq/issues/2583">#2583</a>) Thanks <a href="https://github.com/jfenal"><code>@jfenal</code></a></p> </li> <li> <p>Add symlink check to file rename util (<a href="https://redirect.github.com/mikefarah/yq/issues/2576">#2576</a>) Thanks <a href="https://github.com/Elias-elastisys"><code>@Elias-elastisys</code></a></p> </li> <li> <p>Powershell fixed default command used for __completeNoDesc alias (<a href="https://redirect.github.com/mikefarah/yq/issues/2568">#2568</a>) Thanks <a href="https://github.com/teejaded"><code>@teejaded</code></a></p> </li> <li> <p>Unwrap scalars in shell output mode. (<a href="https://redirect.github.com/mikefarah/yq/issues/2548">#2548</a>) Thanks <a href="https://github.com/flintwinters"><code>@flintwinters</code></a></p> </li> <li> <p>Added K8S KYAML output format support (<a href="https://redirect.github.com/mikefarah/yq/issues/2560">#2560</a>) Thanks <a href="https://github.com/robbat2"><code>@robbat2</code></a></p> </li> <li> <p>Bumped dependencies</p> </li> <li> <p>Special shout out to <a href="https://github.com/ccoVeille"><code>@ccoVeille</code></a> for reviewing my PRs!</p> </li> </ul> <p>4.50.1:</p> <ul> <li>Added HCL support!</li> <li>Fixing handling of CRLF <a href="https://redirect.github.com/mikefarah/yq/issues/2352">#2352</a></li> <li>Bumped dependencies</li> </ul> <p>4.49.2:</p> <ul> <li>Fixing escape character bugs 😓 <a href="https://redirect.github.com/mikefarah/yq/issues/2517">#2517</a></li> <li>Fixing snap release pipeline <a href="https://redirect.github.com/mikefarah/yq/issues/2518">#2518</a> Thanks <a href="https://github.com/aalexjo"><code>@aalexjo</code></a></li> </ul> <p>4.49.1:</p> <ul> <li>Added <code>--security</code> flags to disable env and file ops <a href="https://redirect.github.com/mikefarah/yq/issues/2515">#2515</a></li> <li>Fixing TOML ArrayTable parsing issues <a href="https://redirect.github.com/mikefarah/yq/issues/1758">#1758</a></li> <li>Fixing parsing of escaped characters <a href="https://redirect.github.com/mikefarah/yq/issues/2506">#2506</a></li> </ul> <p>4.48.2:</p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`17f66dc6c6`"><code>17f66dc</code></a> Bump github.com/goccy/go-json from 0.10.5 to 0.10.6 (<a href="https://redirect.github.com/mikefarah/yq/issues/2636">#2636</a>)</li> <li><a href="`dcb9c2a543`"><code>dcb9c2a</code></a> Bump github.com/pelletier/go-toml/v2 from 2.2.4 to 2.3.0 (<a href="https://redirect.github.com/mikefarah/yq/issues/2637">#2637</a>)</li> <li><a href="`8f5d876bf0`"><code>8f5d876</code></a> Bump github.com/fatih/color from 1.18.0 to 1.19.0 (<a href="https://redirect.github.com/mikefarah/yq/issues/2638">#2638</a>)</li> <li><a href="`7d8d3ab902`"><code>7d8d3ab</code></a> Replace gopkg.in/op/go-logging.v1 with log/slog (<a href="https://redirect.github.com/mikefarah/yq/issues/2635">#2635</a>)</li> <li><a href="`11f4dc1a03`"><code>11f4dc1</code></a> Bumping version</li> <li><a href="`0f4fb8d35e`"><code>0f4fb8d</code></a> Bumping version</li> <li><a href="`80c319aa0c`"><code>80c319a</code></a> Fixing tests with latest linting rules</li> <li><a href="`b25ae78545`"><code>b25ae78</code></a> fix: reset TOML decoder state between files (<a href="https://redirect.github.com/mikefarah/yq/issues/2634">#2634</a>)</li> <li><a href="`b151522485`"><code>b151522</code></a> fix: preserve original filename when using --front-matter (<a href="https://redirect.github.com/mikefarah/yq/issues/2613">#2613</a>)</li> <li><a href="`c5cbf9760b`"><code>c5cbf97</code></a> Bump golang.org/x/net from 0.50.0 to 0.52.0 (<a href="https://redirect.github.com/mikefarah/yq/issues/2628">#2628</a>)</li> <li>Additional commits viewable in <a href="`88a31ae8c6...17f66dc6c6`">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-03 23:41:41 -04:00
dependabot[bot]	8b4e848c4a	chore: bump EndBug/add-and-commit from 9.1.4 to 10.0.0 (#36421 ) Bumps [EndBug/add-and-commit](https://github.com/endbug/add-and-commit) from 9.1.4 to 10.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/endbug/add-and-commit/releases">EndBug/add-and-commit's releases</a>.</em></p> <blockquote> <h2>v10.0.0</h2> <h2>What's Changed</h2> <ul> <li>chore(deps-dev): bump husky from 8.0.3 to 9.0.6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/617">EndBug/add-and-commit#617</a></li> <li>chore(deps-dev): bump <code>@typescript-eslint/parser</code> from 6.19.0 to 6.19.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/618">EndBug/add-and-commit#618</a></li> <li>chore(deps-dev): bump prettier from 3.2.4 to 3.2.5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/619">EndBug/add-and-commit#619</a></li> <li>chore(deps-dev): bump <code>@typescript-eslint/eslint-plugin</code> from 6.19.1 to 6.21.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/623">EndBug/add-and-commit#623</a></li> <li>chore(deps-dev): bump <code>@typescript-eslint/parser</code> from 6.19.1 to 6.21.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/624">EndBug/add-and-commit#624</a></li> <li>chore(deps-dev): bump husky from 9.0.6 to 9.0.11 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/626">EndBug/add-and-commit#626</a></li> <li>chore: switch to GTS for linting by <a href="https://github.com/EndBug"><code>@EndBug</code></a> in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/636">EndBug/add-and-commit#636</a></li> <li>chore(deps-dev): bump gts from 5.2.0 to 5.3.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/637">EndBug/add-and-commit#637</a></li> <li>chore(deps-dev): bump typescript from 5.2.2 to 5.4.5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/639">EndBug/add-and-commit#639</a></li> <li>chore(deps-dev): bump gts from 5.3.0 to 5.3.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/642">EndBug/add-and-commit#642</a></li> <li>chore(deps-dev): bump braces from 3.0.2 to 3.0.3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/641">EndBug/add-and-commit#641</a></li> <li>chore(deps-dev): bump typescript from 5.4.5 to 5.5.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/644">EndBug/add-and-commit#644</a></li> <li>Adds examples of input arrays. by <a href="https://github.com/tommie"><code>@tommie</code></a> in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/645">EndBug/add-and-commit#645</a></li> <li>chore(deps-dev): bump typescript from 5.5.2 to 5.5.3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/649">EndBug/add-and-commit#649</a></li> <li>docs: add tommie as a contributor for doc by <a href="https://github.com/allcontributors"><code>@allcontributors</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/647">EndBug/add-and-commit#647</a></li> <li>chore(deps-dev): bump husky from 9.0.11 to 9.1.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/650">EndBug/add-and-commit#650</a></li> <li>chore(deps-dev): bump typescript from 5.5.3 to 5.5.4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/653">EndBug/add-and-commit#653</a></li> <li>chore(deps-dev): bump husky from 9.1.1 to 9.1.4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/655">EndBug/add-and-commit#655</a></li> <li>chore(deps-dev): bump husky from 9.1.4 to 9.1.5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/659">EndBug/add-and-commit#659</a></li> <li>chore(deps-dev): bump husky from 9.1.5 to 9.1.6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/660">EndBug/add-and-commit#660</a></li> <li>chore(deps-dev): bump typescript from 5.5.4 to 5.6.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/661">EndBug/add-and-commit#661</a></li> <li>chore(deps-dev): bump <code>@vercel/ncc</code> from 0.38.1 to 0.38.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/662">EndBug/add-and-commit#662</a></li> <li>chore(deps): bump <code>@actions/core</code> from 1.10.1 to 1.11.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/663">EndBug/add-and-commit#663</a></li> <li>chore(deps-dev): bump typescript from 5.6.2 to 5.6.3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/664">EndBug/add-and-commit#664</a></li> <li>chore(deps-dev): bump gts from 5.3.1 to 6.0.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/665">EndBug/add-and-commit#665</a></li> <li>chore(deps-dev): bump gts from 6.0.0 to 6.0.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/666">EndBug/add-and-commit#666</a></li> <li>chore(deps-dev): bump <code>@vercel/ncc</code> from 0.38.2 to 0.38.3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/669">EndBug/add-and-commit#669</a></li> <li>chore(deps): bump cross-spawn by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/670">EndBug/add-and-commit#670</a></li> <li>docs: add icemac as a contributor for doc by <a href="https://github.com/allcontributors"><code>@allcontributors</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/674">EndBug/add-and-commit#674</a></li> <li>chore(deps-dev): bump husky from 9.1.6 to 9.1.7 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/672">EndBug/add-and-commit#672</a></li> <li>chore(deps-dev): bump typescript from 5.6.3 to 5.7.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/671">EndBug/add-and-commit#671</a></li> <li>chore(deps-dev): bump typescript from 5.7.2 to 5.7.3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/676">EndBug/add-and-commit#676</a></li> <li>chore(deps-dev): bump eslint-config-prettier from 9.1.0 to 10.0.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/677">EndBug/add-and-commit#677</a></li> <li>chore(deps-dev): bump eslint-config-prettier from 10.0.1 to 10.0.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/678">EndBug/add-and-commit#678</a></li> <li>chore(deps-dev): bump typescript from 5.7.3 to 5.8.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/679">EndBug/add-and-commit#679</a></li> <li>chore(deps-dev): bump eslint-config-prettier from 10.0.2 to 10.1.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/680">EndBug/add-and-commit#680</a></li> <li>chore(deps-dev): bump typescript from 5.8.2 to 5.8.3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/681">EndBug/add-and-commit#681</a></li> <li>chore(deps-dev): bump eslint-config-prettier from 10.1.1 to 10.1.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/682">EndBug/add-and-commit#682</a></li> <li>chore(deps-dev): bump eslint-config-prettier from 10.1.2 to 10.1.5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/683">EndBug/add-and-commit#683</a></li> <li>chore(deps-dev): bump eslint-config-prettier from 10.1.5 to 10.1.8 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/686">EndBug/add-and-commit#686</a></li> <li>ci(deps): bump actions/checkout from 4 to 5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/688">EndBug/add-and-commit#688</a></li> <li>ci(deps): bump actions/setup-node from 4 to 5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/690">EndBug/add-and-commit#690</a></li> <li>chore(deps-dev): bump <code>@vercel/ncc</code> from 0.38.3 to 0.38.4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/691">EndBug/add-and-commit#691</a></li> <li>chore(deps-dev): bump typescript from 5.8.3 to 5.9.3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/694">EndBug/add-and-commit#694</a></li> <li>ci(deps): bump actions/setup-node from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/697">EndBug/add-and-commit#697</a></li> <li>ci(deps): bump github/codeql-action from 3 to 4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/696">EndBug/add-and-commit#696</a></li> <li>Removes the redundant JSON array parsing. by <a href="https://github.com/tommie"><code>@tommie</code></a> in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/652">EndBug/add-and-commit#652</a></li> <li>docs: add tommie as a contributor for code, and test by <a href="https://github.com/allcontributors"><code>@allcontributors</code></a>[bot] in <a href="https://redirect.github.com/EndBug/add-and-commit/pull/699">EndBug/add-and-commit#699</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`290ea2c423`"><code>290ea2c</code></a> 10.0.0</li> <li><a href="`5190a0ab62`"><code>5190a0a</code></a> docs: prepare for v10</li> <li><a href="`9ac38785ff`"><code>9ac3878</code></a> chore: npm audit fix</li> <li><a href="`7b015bddf5`"><code>7b015bd</code></a> docs: add CodeReaper as a contributor for maintenance (<a href="https://redirect.github.com/endbug/add-and-commit/issues/723">#723</a>)</li> <li><a href="`300836dd70`"><code>300836d</code></a> chore(deps-dev): bump flatted from 3.3.3 to 3.4.2 (<a href="https://redirect.github.com/endbug/add-and-commit/issues/722">#722</a>)</li> <li><a href="`f6e20ed3c4`"><code>f6e20ed</code></a> feat!: use node version 24 (<a href="https://redirect.github.com/endbug/add-and-commit/issues/720">#720</a>)</li> <li><a href="`62806537b4`"><code>6280653</code></a> chore(deps-dev): bump jest from 30.2.0 to 30.3.0 (<a href="https://redirect.github.com/endbug/add-and-commit/issues/721">#721</a>)</li> <li><a href="`1539a6ad10`"><code>1539a6a</code></a> chore(deps): bump <code>@actions/core</code> from 2.0.2 to 3.0.0 (<a href="https://redirect.github.com/endbug/add-and-commit/issues/716">#716</a>)</li> <li><a href="`af611dd65b`"><code>af611dd</code></a> chore(deps): bump minimatch (<a href="https://redirect.github.com/endbug/add-and-commit/issues/718">#718</a>)</li> <li><a href="`2df77c10fb`"><code>2df77c1</code></a> chore(deps-dev): bump eslint-plugin-prettier from 5.5.4 to 5.5.5 (<a href="https://redirect.github.com/endbug/add-and-commit/issues/712">#712</a>)</li> <li>Additional commits viewable in <a href="`a94899bca5...290ea2c423`">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=EndBug/add-and-commit&package-manager=github_actions&previous-version=9.1.4&new-version=10.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-03 23:41:34 -04:00
John Kennedy	bb8b057ac3	ci(infra): add top-level permissions and SHA-pin third-party actions [INF-0000] (#35588 ) ## Summary - Adds top-level `permissions: contents: read` to 5 workflows that only had job-level permissions: `pr_labeler_file`, `pr_labeler_title`, `tag-external-contributions`, `v03_api_doc_build`, `auto-label-by-package` - SHA-pins all 14 third-party actions to full commit SHAs to prevent supply chain attacks via tag hijacking ## Why Missing top-level permissions: Without an explicit top-level `permissions` block, workflows inherit the repository/org default token permissions, which may be overly broad. Adding `contents: read` as the default restricts the blast radius if a dependency or action step is compromised. SHA pinning: Mutable tags (`@v1`, `@master`) can be force-pushed by the action maintainer or an attacker who compromises their account. Pinning to a full 40-character SHA ensures the exact reviewed code always runs. Tag comments are preserved for readability. ### Actions pinned \| Action \| File(s) \| \|--------\|---------\| \| `pypa/gh-action-pypi-publish` \| `_release.yml` (2 uses) \| \| `ncipollo/release-action` \| `_release.yml` \| \| `Ana06/get-changed-files` \| `check_diffs.yml` \| \| `astral-sh/setup-uv` \| `check_diffs.yml`, `uv_setup/action.yml` \| \| `CodSpeedHQ/action` \| `check_diffs.yml` \| \| `google-github-actions/auth` \| `integration_tests.yml` \| \| `aws-actions/configure-aws-credentials` \| `integration_tests.yml` \| \| `amannn/action-semantic-pull-request` \| `pr_lint.yml` \| \| `bcoe/conventional-release-labels` \| `pr_labeler_title.yml` \| \| `mikefarah/yq` \| `v03_api_doc_build.yml` \| \| `EndBug/add-and-commit` \| `v03_api_doc_build.yml` \| \| `peter-evans/create-pull-request` \| `refresh_model_profiles.yml` \| ## Test plan - [x] CI passes — all workflows still resolve their actions correctly - [x] Verify no functional change: SHA refs point to the same code as the previous tags --- > This PR was generated with assistance from an AI coding agent as part of a repository posture check. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-06 07:20:05 +00:00
dependabot[bot]	7fe1c4b78f	chore(deps): bump actions/checkout from 5 to 6 (#34083 ) Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/releases">actions/checkout's releases</a>.</em></p> <blockquote> <h2>v6.0.0</h2> <h2>What's Changed</h2> <ul> <li>Update README to include Node.js 24 support details and requirements by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li> <li>Persist creds to a separate file by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li> <li>v6-beta by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2298">actions/checkout#2298</a></li> <li>update readme/changelog for v6 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2311">actions/checkout#2311</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v5.0.0...v6.0.0">https://github.com/actions/checkout/compare/v5.0.0...v6.0.0</a></p> <h2>v6-beta</h2> <h2>What's Changed</h2> <p>Updated persist-credentials to store the credentials under <code>$RUNNER_TEMP</code> instead of directly in the local git config.</p> <p>This requires a minimum Actions Runner version of <a href="https://github.com/actions/runner/releases/tag/v2.329.0">v2.329.0</a> to access the persisted credentials for <a href="https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action">Docker container action</a> scenarios.</p> <h2>v5.0.1</h2> <h2>What's Changed</h2> <ul> <li>Port v6 cleanup to v5 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v5...v5.0.1">https://github.com/actions/checkout/compare/v5...v5.0.1</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2>V6.0.0</h2> <ul> <li>Persist creds to a separate file by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li> <li>Update README to include Node.js 24 support details and requirements by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li> </ul> <h2>V5.0.1</h2> <ul> <li>Port v6 cleanup to v5 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li> </ul> <h2>V5.0.0</h2> <ul> <li>Update actions checkout to use node 24 by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li> </ul> <h2>V4.3.1</h2> <ul> <li>Port v6 cleanup to v4 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li> </ul> <h2>V4.3.0</h2> <ul> <li>docs: update README.md by <a href="https://github.com/motss"><code>@motss</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1971">actions/checkout#1971</a></li> <li>Add internal repos for checking out multiple repositories by <a href="https://github.com/mouismail"><code>@mouismail</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1977">actions/checkout#1977</a></li> <li>Documentation update - add recommended permissions to Readme by <a href="https://github.com/benwells"><code>@benwells</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2043">actions/checkout#2043</a></li> <li>Adjust positioning of user email note and permissions heading by <a href="https://github.com/joshmgross"><code>@joshmgross</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2044">actions/checkout#2044</a></li> <li>Update README.md by <a href="https://github.com/nebuk89"><code>@nebuk89</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2194">actions/checkout#2194</a></li> <li>Update CODEOWNERS for actions by <a href="https://github.com/TingluoHuang"><code>@TingluoHuang</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2224">actions/checkout#2224</a></li> <li>Update package dependencies by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2236">actions/checkout#2236</a></li> </ul> <h2>v4.2.2</h2> <ul> <li><code>url-helper.ts</code> now leverages well-known environment variables by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li> <li>Expand unit test coverage for <code>isGhes</code> by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li> </ul> <h2>v4.2.1</h2> <ul> <li>Check out other refs/* by commit if provided, fall back to ref by <a href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li> </ul> <h2>v4.2.0</h2> <ul> <li>Add Ref and Commit outputs by <a href="https://github.com/lucacome"><code>@lucacome</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1180">actions/checkout#1180</a></li> <li>Dependency updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>- <a href="https://redirect.github.com/actions/checkout/pull/1777">actions/checkout#1777</a>, <a href="https://redirect.github.com/actions/checkout/pull/1872">actions/checkout#1872</a></li> </ul> <h2>v4.1.7</h2> <ul> <li>Bump the minor-npm-dependencies group across 1 directory with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1739">actions/checkout#1739</a></li> <li>Bump actions/checkout from 3 to 4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1697">actions/checkout#1697</a></li> <li>Check out other refs/* by commit by <a href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1774">actions/checkout#1774</a></li> <li>Pin actions/checkout's own workflows to a known, good, stable version. by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1776">actions/checkout#1776</a></li> </ul> <h2>v4.1.6</h2> <ul> <li>Check platform to set archive extension appropriately by <a href="https://github.com/cory-miller"><code>@cory-miller</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1732">actions/checkout#1732</a></li> </ul> <h2>v4.1.5</h2> <ul> <li>Update NPM dependencies by <a href="https://github.com/cory-miller"><code>@cory-miller</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1703">actions/checkout#1703</a></li> <li>Bump github/codeql-action from 2 to 3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1694">actions/checkout#1694</a></li> <li>Bump actions/setup-node from 1 to 4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1696">actions/checkout#1696</a></li> <li>Bump actions/upload-artifact from 2 to 4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1695">actions/checkout#1695</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="`1af3b93b68`"><code>1af3b93</code></a> update readme/changelog for v6 (<a href="https://redirect.github.com/actions/checkout/issues/2311">#2311</a>)</li> <li><a href="`71cf2267d8`"><code>71cf226</code></a> v6-beta (<a href="https://redirect.github.com/actions/checkout/issues/2298">#2298</a>)</li> <li><a href="`069c695914`"><code>069c695</code></a> Persist creds to a separate file (<a href="https://redirect.github.com/actions/checkout/issues/2286">#2286</a>)</li> <li><a href="`ff7abcd0c3`"><code>ff7abcd</code></a> Update README to include Node.js 24 support details and requirements (<a href="https://redirect.github.com/actions/checkout/issues/2248">#2248</a>)</li> <li>See full diff in <a href="https://github.com/actions/checkout/compare/v5...v6">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/checkout&package-manager=github_actions&previous-version=5&new-version=6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Mason Daugherty <mason@langchain.dev>	2025-11-24 19:10:28 -05:00
Mason Daugherty	8446fef00d	fix(infra): v0.3 ref dep (#33336 )	2025-10-07 10:49:20 -04:00

6 Commits