Skip to content

Bump dependabot/fetch-metadata from 2 to 3#43

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/dependabot/fetch-metadata-3
Open

Bump dependabot/fetch-metadata from 2 to 3#43
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/dependabot/fetch-metadata-3

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 12, 2026

Bumps dependabot/fetch-metadata from 2 to 3.

Release notes

Sourced from dependabot/fetch-metadata's releases.

v3.0.0

The breaking change is requiring Node.js version v24 as the Actions runtime.

What's Changed

New Contributors

Full Changelog: dependabot/fetch-metadata@v2...v3.0.0

v2.5.0

What's Changed

... (truncated)

Commits
  • 25dd0e3 v3.1.0 (#692)
  • e073f50 Merge pull request #705 from dependabot/dependabot/npm_and_yarn/hono-4.12.14
  • 0670e16 build(deps-dev): bump hono from 4.12.12 to 4.12.14
  • 7a7fe10 Merge pull request #702 from dependabot/dependabot/npm_and_yarn/dependencies-...
  • 5168191 Updating dist build
  • 23882e1 build(deps): bump @​actions/github in the dependencies group
  • 1072469 Merge pull request #701 from dependabot/dependabot/github_actions/actions/cre...
  • 43f8a00 build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1
  • b4d904a Merge pull request #703 from dependabot/dependabot/npm_and_yarn/globals-17.5.0
  • c8046bb build(deps-dev): bump globals from 17.4.0 to 17.5.0
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump dependabot/fetch-metadata from 2 to 3
6517dca 
Bumps [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) from 2 to 3.
- [Release notes](https://github.com/dependabot/fetch-metadata/releases)
- [Commits](dependabot/fetch-metadata@v2...v3)

---
updated-dependencies:
- dependency-name: dependabot/fetch-metadata
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 12, 2026
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 12, 2026
edited
Loading

Summary by CodeRabbit

  • Chores
    • Updated CI/CD automation tooling to use the latest version of dependency management action.

Walkthrough

The Dependabot auto-merge GitHub Actions workflow's fetch-metadata action is updated from version 2 to version 3. No other workflow logic, conditions, or steps were modified.

Changes

Dependabot Auto-Merge Action Version Upgrade

Layer / File(s) Summary
Fetch metadata action version update
.github/workflows/dependabot-auto-merge.yml		 The dependabot/fetch-metadata action in the auto-merge workflow is bumped from @v2 to @v3.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title directly and concisely describes the main change: bumping dependabot/fetch-metadata from version 2 to version 3.
Description check ✅ Passed The description provides comprehensive details about the version bump, including release notes with breaking changes (Node.js v24 requirement) and a complete changelog of modifications and dependency updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/github_actions/dependabot/fetch-metadata-3

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from gdbranco and jfrazierRedHat May 12, 2026 23:47
@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented May 12, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign bmeng for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 12, 2026
@openshift-ci
Copy link
Copy Markdown

openshift-ci Bot commented May 12, 2026

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a openshift-online member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai[bot]
coderabbitai Bot reviewed May 12, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Line 24: Replace the mutable tag in the GitHub Actions step that currently
reads "uses: dependabot/fetch-metadata@v3" with a full immutable commit SHA for
dependabot/fetch-metadata; locate the "uses: dependabot/fetch-metadata@v3" entry
in the workflow and swap the "@v3" suffix for the repository commit hash (e.g.,
@<full-commit-sha>) so the action is pinned to a specific commit.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 2c3832dd-45b1-4128-ad82-8f737da423d8

📥 Commits

Reviewing files that changed from the base of the PR and between 956a903 and 6517dca.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-auto-merge.yml

Comment thread .github/workflows/dependabot-auto-merge.yml
- name: Fetch Dependabot Metadata
id: metadata
uses: dependabot/fetch-metadata@v2
uses: dependabot/fetch-metadata@v3
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="dependabot/fetch-metadata"
TAG="v3"

echo "Latest release tag:"
LATEST_TAG=$(gh api "repos/${REPO}/releases/latest" --jq '.tag_name')
echo "$LATEST_TAG"

echo "Commit SHA for ${TAG} (dereferenced if annotated):"
SHA=$(git ls-remote "https://github.com/${REPO}.git" "refs/tags/${TAG}^{}" | awk '{print $1}')
if [[ -z "${SHA}" ]]; then
  SHA=$(git ls-remote "https://github.com/${REPO}.git" "refs/tags/${TAG}" | awk '{print $1}')
fi
echo "${SHA}"

Repository: openshift-online/rosa-e2e

Length of output: 184

Pin dependabot/fetch-metadata to a full commit SHA instead of a mutable tag.

Using @v3 keeps this workflow vulnerable to tag retargeting. Pinning to an immutable SHA materially improves supply-chain safety with minimal maintenance cost.

🔒 Suggested change 
-        uses: dependabot/fetch-metadata@v3
+        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: dependabot/fetch-metadata@v3
uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-auto-merge.yml at line 24, Replace the mutable
tag in the GitHub Actions step that currently reads "uses:
dependabot/fetch-metadata@v3" with a full immutable commit SHA for
dependabot/fetch-metadata; locate the "uses: dependabot/fetch-metadata@v3" entry
in the workflow and swap the "@v3" suffix for the repository commit hash (e.g.,
@<full-commit-sha>) so the action is pinned to a specific commit.

@dustman9000
Copy link
Copy Markdown
Collaborator

dustman9000 commented May 13, 2026

/ok-to-test

@openshift-ci openshift-ci Bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@gdbranco gdbranco Awaiting requested review from gdbranco

@jfrazierRedHat jfrazierRedHat Awaiting requested review from jfrazierRedHat

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code ok-to-test Indicates a non-member PR verified by an org member that is safe to test.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dustman9000