From 5e887339bdcc11ca4b446071cf60a71e3b3cfb09 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Jul 2026 02:11:23 +0000 Subject: [PATCH 1/2] chore: bump the actions group with 3 updates Bumps the actions group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) and [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance). Updates `actions/checkout` from 6.0.2 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v6.0.2...v7.0.0) Updates `astral-sh/setup-uv` from 8.1.0 to 8.2.0 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](https://github.com/astral-sh/setup-uv/compare/v8.1.0...fac544c07dec837d0ccb6301d7b5580bf5edae39) Updates `actions/attest-build-provenance` from 4.1.0 to 4.1.1 - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/v4.1.0...v4.1.1) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: astral-sh/setup-uv dependency-version: 8.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/attest-build-provenance dependency-version: 4.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] --- .github/workflows/_build-wheels.yaml | 2 +- .github/workflows/charmcraft-pack.yaml | 2 +- .github/workflows/db-charm-tests.yaml | 2 +- .github/workflows/dependency-review.yaml | 2 +- .github/workflows/docs-linkcheck.yaml | 2 +- .github/workflows/docs.yaml | 2 +- .github/workflows/example-charm-charmcraft-test.yaml | 4 ++-- .github/workflows/example-charm-integration-tests.yaml | 4 ++-- .github/workflows/example-charm-tests.yaml | 2 +- .github/workflows/framework-tests.yaml | 8 ++++---- .github/workflows/hello-charm-tests.yaml | 2 +- .github/workflows/integration.yaml | 6 +++--- .github/workflows/observability-charm-tests.yaml | 2 +- .github/workflows/publish.yaml | 4 ++-- .github/workflows/published-charms-tests.yaml | 4 ++-- .github/workflows/sbom-secscan.yaml | 4 ++-- .github/workflows/smoke.yaml | 2 +- .github/workflows/test-publish.yaml | 2 +- .github/workflows/tiobe.yaml | 2 +- .github/workflows/update-best-practice-doc.yaml | 4 ++-- .github/workflows/update-charm-tests.yaml | 2 +- .github/workflows/validate-pr-title.yaml | 2 +- .github/workflows/zizmor.yaml | 2 +- 23 files changed, 34 insertions(+), 34 deletions(-) diff --git a/.github/workflows/_build-wheels.yaml b/.github/workflows/_build-wheels.yaml index 2072fac91..25d40cfc8 100644 --- a/.github/workflows/_build-wheels.yaml +++ b/.github/workflows/_build-wheels.yaml @@ -16,7 +16,7 @@ jobs: artifact-name: ${{ steps.artifact-name.outputs.name }} steps: - name: Checkout the operator repository - uses: actions/checkout@v7 + uses: actions/checkout@v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/charmcraft-pack.yaml b/.github/workflows/charmcraft-pack.yaml index 224440af5..e37ab673c 100644 --- a/.github/workflows/charmcraft-pack.yaml +++ b/.github/workflows/charmcraft-pack.yaml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/db-charm-tests.yaml b/.github/workflows/db-charm-tests.yaml index db6b9a4d8..4c14f5e3e 100644 --- a/.github/workflows/db-charm-tests.yaml +++ b/.github/workflows/db-charm-tests.yaml @@ -31,7 +31,7 @@ jobs: commit: 0088c9583f63999ff37d982948e47b9e3e3fba2a # 2026-01-20T15:48:23Z steps: - name: Checkout the ${{ matrix.charm-repo }} repository - uses: actions/checkout@v7 + uses: actions/checkout@v7.0.0 with: repository: ${{ matrix.charm-repo }} persist-credentials: false diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index 7a79ecf61..b642327cd 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -15,7 +15,7 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@v7.0.0 with: persist-credentials: false - name: Dependency review diff --git a/.github/workflows/docs-linkcheck.yaml b/.github/workflows/docs-linkcheck.yaml index 8dde256cf..30476068d 100644 --- a/.github/workflows/docs-linkcheck.yaml +++ b/.github/workflows/docs-linkcheck.yaml @@ -15,7 +15,7 @@ jobs: name: Links runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - name: Set up uv diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 215accd81..651207145 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -15,7 +15,7 @@ jobs: name: Spelling runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - name: Set up uv diff --git a/.github/workflows/example-charm-charmcraft-test.yaml b/.github/workflows/example-charm-charmcraft-test.yaml index 23e2c88bd..d11f2d7d0 100644 --- a/.github/workflows/example-charm-charmcraft-test.yaml +++ b/.github/workflows/example-charm-charmcraft-test.yaml @@ -16,7 +16,7 @@ jobs: outputs: jobs: ${{ steps.collect.outputs.jobs }} steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - name: Collect spread jobs @@ -39,7 +39,7 @@ jobs: matrix: include: ${{ fromJson(needs.collect-spread-jobs.outputs.jobs) }} steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - name: Set up LXD diff --git a/.github/workflows/example-charm-integration-tests.yaml b/.github/workflows/example-charm-integration-tests.yaml index f53fd1e0a..6a0c566fd 100644 --- a/.github/workflows/example-charm-integration-tests.yaml +++ b/.github/workflows/example-charm-integration-tests.yaml @@ -17,7 +17,7 @@ jobs: dir: - examples/machine-tinyproxy steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - name: Set up uv @@ -51,7 +51,7 @@ jobs: - examples/k8s-4-action - examples/k8s-5-observe steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - name: Set up uv diff --git a/.github/workflows/example-charm-tests.yaml b/.github/workflows/example-charm-tests.yaml index e6954f69d..0b83d3ea5 100644 --- a/.github/workflows/example-charm-tests.yaml +++ b/.github/workflows/example-charm-tests.yaml @@ -28,7 +28,7 @@ jobs: - examples/k8s-5-observe steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - name: Set up Python 3 diff --git a/.github/workflows/framework-tests.yaml b/.github/workflows/framework-tests.yaml index b9b2c0cce..5a9ae8c59 100644 --- a/.github/workflows/framework-tests.yaml +++ b/.github/workflows/framework-tests.yaml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 @@ -36,7 +36,7 @@ jobs: python-version: ["3.10", "3.12", "3.14"] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 @@ -59,7 +59,7 @@ jobs: python-version: ["3.10", "3.12", "3.14"] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 @@ -93,7 +93,7 @@ jobs: python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 diff --git a/.github/workflows/hello-charm-tests.yaml b/.github/workflows/hello-charm-tests.yaml index 00958e194..cd7928aeb 100644 --- a/.github/workflows/hello-charm-tests.yaml +++ b/.github/workflows/hello-charm-tests.yaml @@ -32,7 +32,7 @@ jobs: python-version: '3.10' - name: Checkout the ${{ matrix.charm-repo }} repository - uses: actions/checkout@v7 + uses: actions/checkout@v7.0.0 with: repository: ${{ matrix.charm-repo }} persist-credentials: false diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml index 313e5ac21..cc48a1f70 100644 --- a/.github/workflows/integration.yaml +++ b/.github/workflows/integration.yaml @@ -13,10 +13,10 @@ jobs: outputs: tests: ${{ steps.tests.outputs.result }} steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - name: Collect integration test files id: tests run: | @@ -50,7 +50,7 @@ jobs: test: test/integration/test_tracing.py steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - run: sudo snap install --classic concierge diff --git a/.github/workflows/observability-charm-tests.yaml b/.github/workflows/observability-charm-tests.yaml index 6755a5e68..50c1960e4 100644 --- a/.github/workflows/observability-charm-tests.yaml +++ b/.github/workflows/observability-charm-tests.yaml @@ -30,7 +30,7 @@ jobs: commit: f3999254035d5f39eda07261af2b86a4454846d4 # 2026-05-20T14:52:38Z steps: - name: Checkout the ${{ matrix.charm-repo }} repository - uses: actions/checkout@v7 + uses: actions/checkout@v7.0.0 with: repository: ${{ matrix.charm-repo }} persist-credentials: false diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 883e3a5f4..a71daed5b 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -17,7 +17,7 @@ jobs: contents: read environment: publish-pypi steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 @@ -28,7 +28,7 @@ jobs: run: | set -xueo pipefail uvx --with "$(echo -n dist/ops-*.whl)[testing,tracing]" --with dist/ops_scenario-*.whl --with dist/ops_tracing-*.whl python -c 'import ops, scenario, ops_tracing; print("OK")' - - uses: actions/attest-build-provenance@v4.1.0 + - uses: actions/attest-build-provenance@v4.1.1 with: subject-path: 'dist/*' - uses: pypa/gh-action-pypi-publish@release/v1 diff --git a/.github/workflows/published-charms-tests.yaml b/.github/workflows/published-charms-tests.yaml index 60b5283d5..ab89048e1 100644 --- a/.github/workflows/published-charms-tests.yaml +++ b/.github/workflows/published-charms-tests.yaml @@ -191,7 +191,7 @@ jobs: # END AUTOGENERATED CONTENT steps: - name: Checkout operator repository (for helper scripts) - uses: actions/checkout@v7 + uses: actions/checkout@v7.0.0 with: path: operator-repo persist-credentials: false @@ -203,7 +203,7 @@ jobs: rm -rf operator-repo - name: Checkout the ${{ matrix.charm-repo }} repository - uses: actions/checkout@v7 + uses: actions/checkout@v7.0.0 with: repository: ${{ matrix.charm-repo }} path: charm-repo diff --git a/.github/workflows/sbom-secscan.yaml b/.github/workflows/sbom-secscan.yaml index 3b2a239b9..4668f783c 100644 --- a/.github/workflows/sbom-secscan.yaml +++ b/.github/workflows/sbom-secscan.yaml @@ -17,7 +17,7 @@ jobs: runs-on: [self-hosted, self-hosted-linux-amd64-jammy-private-endpoint-medium] steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@v7.0.0 with: persist-credentials: false - name: Install dependencies @@ -26,7 +26,7 @@ jobs: sudo apt-get install -y libapt-pkg-dev sudo apt install -y python3-apt - name: Checkout security scanner - uses: actions/checkout@v7 + uses: actions/checkout@v7.0.0 with: repository: canonical/sbomber path: scanner diff --git a/.github/workflows/smoke.yaml b/.github/workflows/smoke.yaml index d788f37cf..6a0130493 100644 --- a/.github/workflows/smoke.yaml +++ b/.github/workflows/smoke.yaml @@ -26,7 +26,7 @@ jobs: --charmcraft-channel=3.x/stable -p "${{ matrix.preset }}" - name: Checkout the repository - uses: actions/checkout@v7 + uses: actions/checkout@v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/test-publish.yaml b/.github/workflows/test-publish.yaml index 328da1916..cf74ab6ab 100644 --- a/.github/workflows/test-publish.yaml +++ b/.github/workflows/test-publish.yaml @@ -12,7 +12,7 @@ jobs: name: Build and publish to Test PYPI runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 diff --git a/.github/workflows/tiobe.yaml b/.github/workflows/tiobe.yaml index 505e95169..148613604 100644 --- a/.github/workflows/tiobe.yaml +++ b/.github/workflows/tiobe.yaml @@ -11,7 +11,7 @@ jobs: TICS: runs-on: [self-hosted, reactive, amd64, tiobe, noble] steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false diff --git a/.github/workflows/update-best-practice-doc.yaml b/.github/workflows/update-best-practice-doc.yaml index 973b45dac..6dab9017f 100644 --- a/.github/workflows/update-best-practice-doc.yaml +++ b/.github/workflows/update-best-practice-doc.yaml @@ -11,13 +11,13 @@ jobs: update-docs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: token: ${{ secrets.UPDATE_DOCS_ACCESS_TOKEN }} path: operator persist-credentials: true - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: repository: canonical/charmcraft path: charmcraft diff --git a/.github/workflows/update-charm-tests.yaml b/.github/workflows/update-charm-tests.yaml index 54f1e5d3e..c908a4fcc 100644 --- a/.github/workflows/update-charm-tests.yaml +++ b/.github/workflows/update-charm-tests.yaml @@ -13,7 +13,7 @@ jobs: update-pins: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: token: ${{ secrets.UPDATE_CHARM_PINS_ACCESS_TOKEN }} persist-credentials: true diff --git a/.github/workflows/validate-pr-title.yaml b/.github/workflows/validate-pr-title.yaml index 1899bfba6..91a2c73a7 100644 --- a/.github/workflows/validate-pr-title.yaml +++ b/.github/workflows/validate-pr-title.yaml @@ -13,7 +13,7 @@ jobs: name: Validate PR title runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v7.0.0 with: persist-credentials: false - run: python3 .github/check-conventional-pr-title.py diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml index 53d1ce19e..acf3cc41d 100644 --- a/.github/workflows/zizmor.yaml +++ b/.github/workflows/zizmor.yaml @@ -16,7 +16,7 @@ jobs: security-events: write steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@v7.0.0 with: persist-credentials: false From 1f5c1529c3af1af795f081b67e56f2806de6d256 Mon Sep 17 00:00:00 2001 From: Tony Meyer Date: Mon, 6 Jul 2026 14:34:44 +1200 Subject: [PATCH 2/2] ci: switch from deprecated attest-build-provenance to actions/attest As of v4, actions/attest-build-provenance is a wrapper on actions/attest, and its README directs new implementations to actions/attest directly. Also add the artifact-metadata: write permission that actions/attest requires to create the storage record. Co-Authored-By: Claude Opus 4.7 --- .github/workflows/publish.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index a71daed5b..773bf4336 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -14,6 +14,7 @@ jobs: permissions: id-token: write attestations: write + artifact-metadata: write contents: read environment: publish-pypi steps: @@ -28,7 +29,7 @@ jobs: run: | set -xueo pipefail uvx --with "$(echo -n dist/ops-*.whl)[testing,tracing]" --with dist/ops_scenario-*.whl --with dist/ops_tracing-*.whl python -c 'import ops, scenario, ops_tracing; print("OK")' - - uses: actions/attest-build-provenance@v4.1.1 + - uses: actions/attest@v4.1.1 with: subject-path: 'dist/*' - uses: pypa/gh-action-pypi-publish@release/v1