Bump actions/setup-dotnet from 5 to 6#16
Conversation
Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 5 to 6. - [Release notes](https://github.com/actions/setup-dotnet/releases) - [Commits](actions/setup-dotnet@v5...v6) --- updated-dependencies: - dependency-name: actions/setup-dotnet dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
📝 WalkthroughWalkthroughThe CI, CodeQL, and release workflows update Changes.NET setup action upgrade
Estimated code review effort: 1 (Trivial) | ~3 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Line 22: Replace the mutable actions/setup-dotnet@v6 reference with the
approved full commit SHA in .github/workflows/ci.yml (line 22),
.github/workflows/codeql.yml (line 23), and .github/workflows/release.yml (line
22), preserving the existing setup-dotnet configuration in each workflow.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 7b02095e-6a1c-4a29-bdfb-1ee6a4ba8526
📒 Files selected for processing (3)
.github/workflows/ci.yml.github/workflows/codeql.yml.github/workflows/release.yml
|
|
||
| - name: Setup .NET | ||
| uses: actions/setup-dotnet@v5 | ||
| uses: actions/setup-dotnet@v6 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '--- workflow refs ---\n'
for f in .github/workflows/ci.yml .github/workflows/codeql.yml .github/workflows/release.yml; do
echo "FILE: $f"
nl -ba "$f" | sed -n '1,120p'
echo
done
printf '--- pinning policy / references ---\n'
rg -n --hidden -S "unpinned-uses|pin|actions/setup-dotnet|uses: .*@" .github README.md docs . || trueRepository: testingbot/testingbot-dotnet
Length of output: 257
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
import os, re, json, pathlib
for path in [".github/workflows/ci.yml", ".github/workflows/codeql.yml", ".github/workflows/release.yml"]:
print(path)
text = pathlib.Path(path).read_text()
for m in re.finditer(r'uses:\s*([^\s]+)', text):
print(" ", m.group(1))
print()
PYRepository: testingbot/testingbot-dotnet
Length of output: 537
Pin actions/setup-dotnet to a commit SHA in all three workflows.
.github/workflows/ci.yml, .github/workflows/codeql.yml, and .github/workflows/release.yml still reference the mutable actions/setup-dotnet@v6 tag. Replace each with a full commit SHA to match the repo’s action-pinning policy.
🧰 Tools
🪛 zizmor (1.26.1)
[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
📍 Affects 3 files
.github/workflows/ci.yml#L22-L22(this comment).github/workflows/codeql.yml#L23-L23.github/workflows/release.yml#L22-L22
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci.yml at line 22, Replace the mutable
actions/setup-dotnet@v6 reference with the approved full commit SHA in
.github/workflows/ci.yml (line 22), .github/workflows/codeql.yml (line 23), and
.github/workflows/release.yml (line 22), preserving the existing setup-dotnet
configuration in each workflow.
Source: Linters/SAST tools
Bumps actions/setup-dotnet from 5 to 6.
Release notes
Sourced from actions/setup-dotnet's releases.
... (truncated)
Commits
a98b568chore(deps): bump@actions/cacheto 6.2.0 (#756)afb2931Bump actions/checkout from 6.0.3 to 7.0.0 (#751)6df8cefMigrate to ESM and upgrade dependencies (#752)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Summary by CodeRabbit