chore(deps): bump the github-actions group with 8 updates by dependabot[bot] · Pull Request #59 · cmeans/mcp-synology (original) (raw)

cmeans-claude-dev Bot added a commit that referenced this pull request

Apr 26, 2026

Closes the auto-CHANGELOG empty-versions bug surfaced by live Dependabot PR #59.

Root cause: dependabot/fetch-metadata@v2.5.0 returns empty-string prevVersion / newVersion for every package in a grouped update. The workflow's inline Python used d.get('prevVersion', '?'), which only falls back on missing keys — empty strings render as nothing.

Upstream PR dependabot/fetch-metadata#632 (shipped v3.0.0, refined v3.1.0) added body-metadata parsing for multi-dependency PRs, so the durable fix is just the SHA bump:

dependabot/fetch-metadata 21025c705c08248db411dc16f3619e6b5f9ea21a (v2.5.0) → 25dd0e34f4fe68f24cc83900b1fe3fe149efef98 (v3.1.0)

No inline-Python changes needed. v3 also requires Node.js 24 as the Actions runtime, clearing the Node.js-20 deprecation warning the v2 line was emitting on every run.

Verification gate (per don't-propagate-unverified-fixes rule):

1. ✅ Land this fix on main
2. @dependabot recreate PR #59
3. Confirm the recreated PR's CHANGELOG entry reads correctly
4. ONLY THEN consider cascading the broader Dependabot-PR-hygiene work + the doubled-prefix fix from #57 to cmeans/pypi-winnow-downloads

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

dependabot Bot deleted the dependabot/github_actions/github-actions-12aaac794f branch

April 26, 2026 21:32

cmeans-claude-dev Bot pushed a commit that referenced this pull request

Apr 26, 2026

…updates (#61)

Bumps the github-actions group across .github/workflows/ and .github/actions/ with 7 updates:

• actions/checkout 4 → 6
• astral-sh/setup-uv 5 → 7
• actions/setup-python 5 → 6
• codecov/codecov-action 4 → 6
• actions/upload-artifact 4 → 7
• actions/download-artifact 4 → 8
• actions/cache 4 → 5

(dependabot/fetch-metadata was already bumped separately in #60 to unblock the auto-CHANGELOG workflow's empty-versions bug; this PR's predecessor #59 was auto-closed when that bump landed.)

This is the first Dependabot PR in this repo to exercise the fixed auto-CHANGELOG workflow end-to-end:

• Auto-CHANGELOG entry was authored correctly with version arrows (actions/checkout 4→6, ...) — confirming the v3.1.0 fetch-metadata upstream fix from #60 works as expected
• App-token push from the workflow re-fired all required CI checks on the workflow's HEAD SHA, satisfying main-protection
• Idempotency and loop guards behaved correctly

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters

[ Show hidden characters]({{ revealButtonHref }})