
chore(deps): update group-github-actions (major) #82

Open: wants to merge 1 commit into base: main

@renovate renovate bot commented Apr 24, 2025

This PR contains the following updates:

Package                                            Type    Update  Change
astral-sh/setup-uv                                 action  major   v5 -> v6
python-semantic-release/publish-action             action  major   v9.21.0 -> v10.0.2
python-semantic-release/python-semantic-release    action  major   v9.21.0 -> v10.0.2

Release Notes

astral-sh/setup-uv (astral-sh/setup-uv)

v6


python-semantic-release/publish-action (python-semantic-release/publish-action)

v10.0.2

v10.0.2 (2025-05-26)

Build System
  • deps: Bump python-semantic-release from 10.0.1 to 10.0.2 (#63, 7198fce)

Detailed Changes: v10.0.1...v10.0.2

v10.0.1

v10.0.1 (2025-05-25)

Build System
  • deps: Bump python-semantic-release from 10.0.0 to 10.0.1 (#60, c62a2bc)

Detailed Changes: v10.0.0...v10.0.1

v10.0.0

v10.0.0 (2025-05-25)

Bug Fixes
  • github-action: Resolve command injection vulnerability in action script (#56, 1863c50)
Build System
  • deps: Bump python-semantic-release from 9.21.1 to 10.0.0 (#59, 155d667)
Breaking Changes
  • github-action: The root_options action input parameter has been removed because it created a command injection vulnerability for arbitrary code to execute within the container context of the GitHub action if a command injection code was provided as part of the root_options parameter string. To eliminate the vulnerability, each relevant option that can be provided to semantic-release has been individually added as its own parameter and will be processed individually to prevent command injection. Please review our Github Actions Configuration page on the Python Semantic Release Documentation website to review the newly available configuration options that replace the root_options parameter.
Resolved Issues
  • #55: bug: command injection through GH action inputs

Detailed Changes: v9.21.1...v10.0.0

v9.21.1

v9.21.1 (2025-05-05)

Build System
  • deps: Bump python-semantic-release from 9.21.0 to 9.21.1 (#53, 48d162b)

Detailed Changes: v9.21.0...v9.21.1

python-semantic-release/python-semantic-release (python-semantic-release/python-semantic-release)

v10.0.2
====================

🪲 Bug Fixes

  • github-actions: Add filesystem UID/GID fixer after action workspace modification
    (PR#1262, 93e23c8)

.. _93e23c8: python-semantic-release/python-semantic-release@93e23c8
.. _PR#1262: https://github.com/python-semantic-release/python-semantic-release/pull/1262

.. _changelog-v10.0.1:

v10.0.1
====================

🪲 Bug Fixes

  • github-actions: Bump the github-actions dependency to v10.0.0 (PR#1255, 2803676)

.. _2803676: python-semantic-release/python-semantic-release@2803676
.. _PR#1255: https://github.com/python-semantic-release/python-semantic-release/pull/1255

.. _changelog-v10.0.0:

v10.0.0
====================

✨ Features

  • cmd-version: Enable version_variables version stamp of vars with double-equals
    (PR#1244, 080e4bc)

  • parser-conventional: Set parser to evaluate all squashed commits by default (6fcdc99_)

  • parser-conventional: Set parser to ignore merge commits by default (59bf084_)

  • parser-emoji: Set parser to evaluate all squashed commits by default (514a922_)

  • parser-emoji: Set parser to ignore merge commits by default (8a51525_)

  • parser-scipy: Set parser to evaluate all squashed commits by default (634fffe_)

  • parser-scipy: Set parser to ignore merge commits by default (d4f128e_)

🪲 Bug Fixes

  • changelog-md: Change to 1-line descriptions in markdown template, closes #733_ (e7ac155_)

  • changelog-rst: Change to 1-line descriptions in the default ReStructuredText template, closes
    #733_ (731466f_)

  • cli: Adjust verbosity parameter to enable silly-level logging (bd3e7bf_)

  • github-action: Resolve command injection vulnerability in action script (fb3da27_)

  • parser-conventional: Remove breaking change footer messages from commit descriptions
    (b271cbb_)

  • parser-conventional: Remove issue footer messages from commit descriptions (b1bb0e5_)

  • parser-conventional: Remove PR/MR references from commit subject line (eed63fa_)

  • parser-conventional: Remove release notice footer messages from commit descriptions
    (7e8dc13_)

  • parser-emoji: Remove issue footer messages from commit descriptions (b757603_)

  • parser-emoji: Remove PR/MR references from commit subject line (16465f1_)

  • parser-emoji: Remove release notice footer messages from commit descriptions (b6307cb_)

  • parser-scipy: Remove issue footer messages from commit descriptions (3cfee76_)

  • parser-scipy: Remove PR/MR references from commit subject line (da4140f_)

  • parser-scipy: Remove release notice footer messages from commit descriptions (58308e3_)

📖 Documentation

  • Refactor documentation page navigation (4e52f4b_)

  • algorithm: Remove out-of-date algorithm description (6cd0fbe_)

  • commit-parsing: Define limitation of revert commits with the scipy parser (5310d0c_)

  • configuration: Change default value for allow_zero_version in the description (203d29d_)

  • configuration: Change the default for the base changelog's mask_initial_release value
    (5fb02ab_)

  • configuration: Change the default value for changelog.mode in the setting description
    (0bed906_)

  • configuration: Update version_variables section to include double-equals operand support
    (PR#1244, 080e4bc)

  • contributing: Refactor contributing & contributors layout (8bed5bc_)

  • github-actions: Add reference to manual release workflow example (6aad7f1_)

  • github-actions: Change recommended workflow to separate release from deploy (67b2ae0_)

  • github-actions: Update python-semantic-release/publish-action parameter notes (c4d45ec_)

  • github-actions: Update PSR action parameter documentation (a082896_)

  • upgrading: Re-locate version upgrade guides into Upgrading PSR (a5f5e04_)

  • upgrading-v10: Added migration guide for v9 to v10 (4ea92ec_)

⚙️ Build System

♻️ Refactoring

  • config: Change allow_zero_version default to false (c6b6eab_)

  • config: Change changelog.default_templates.mask_initial_release default to true
    (0e114c3_)

  • config: Change changelog.mode default to update (7d39e76_)

💥 Breaking Changes

.. seealso::
    For a summarized walkthrough, check out our |v10 migration guide|_ as well.

.. _v10 migration guide: ../upgrading/10-upgrade.html
.. |v10 migration guide| replace:: v10 migration guide

  • changelog-md: The default Markdown changelog template and release notes template will no
    longer print out the entire commit message contents, instead, it will only print the commit
    subject line. This comes to meet the high demand of better formatted changelogs and requests for
    subject line only. Originally, it was a decision to not hide commit subjects that were included in
    the commit body via the git merge --squash command and PSR did not have another alternative.
    At this point, all the built-in parsers have the ability to parse squashed commits and separate
    them out into their own entry on the changelog. Therefore, the default template no longer needs to
    write out the full commit body. See the commit parser options if you want to enable/disable
    parsing squash commits.

  • changelog-rst: The default ReStructured changelog template will no longer print out the entire
    commit message contents, instead, it will only print the commit subject line. This comes to meet
    the high demand of better formatted changelogs and requests for subject line only. Originally, it
    was a decision to not hide commit subjects that were included in the commit body via the git merge --squash command and PSR did not have another alternative. At this point, all the built-in
    parsers have the ability to parse squashed commits and separate them out into their own entry on
    the changelog. Therefore, the default template no longer needs to write out the full commit body.
    See the commit parser options if you want to enable/disable parsing squash commits.

  • config: This release switches the allow_zero_version default to false. This change is
    to encourage fewer 0.x releases as the default but rather allow the experienced developer to
    choose when 0.x is appropriate. There are way too many projects in the ecosystems that never
    leave 0.x and that is problematic for the industry tools that help auto-update based on
    SemVer. We should strive for publishing usable tools and maintaining good forethought for when
    compatibility must break. If your configuration already sets the allow_zero_version value,
    this change will have no effect on your project. If you want to use 0.x versions from the
    start, then change allow_zero_version to true in your configuration.

  • config: This release switches the changelog.default_templates.mask_initial_release default
    to true. This change is intended to toggle better recommended outputs of the default
    changelog. Conceptually, the very first release is hard to describe--one can only provide new
    features as nothing exists yet for the end user. No changelog should be written as there is no
    start point to compare the "changes" to. The recommendation instead is to only list a simple
    message as Initial Release. This is now the default for PSR when providing the very first
    release (no pre-existing tags) in the changelog and release notes. If your configuration already
    sets the changelog.default_templates.mask_initial_release value, then this change will have no
    effect on your project. If you do NOT want to mask the first release information, then set
    changelog.default_templates.mask_initial_release to false in your configuration.

  • config: This release switches the changelog.mode default to update. In this mode, if a
    changelog exists, PSR will update the changelog IF AND ONLY IF the configured insertion flag
    exists in the changelog. The Changelog output will remain unchanged if no insertion flag exists.
    The insertion flag may be configured with the changelog.insertion_flag setting. When upgrading
    to v10, you must add the insertion flag manually or you can just delete the changelog file and
    run PSR's changelog generation and it will rebuild the changelog (similar to init mode) but it
    will add the insertion flag. If your configuration already sets the changelog.mode value, then
    this change will have no effect on your project. If you would rather the changelog be generated
    from scratch every release, then set the changelog.mode value to init in your
    configuration.

  • github-action: The root_options action input parameter has been removed because it created
    a command injection vulnerability for arbitrary code to execute within the container context of
    the GitHub action if a command injection code was provided as part of the root_options
    parameter string. To eliminate the vulnerability, each relevant option that can be provided to
    semantic-release has been individually added as its own parameter and will be processed
    individually to prevent command injection. Please review our Github Actions Configuration__ page
    to review the newly available configuration options that replace the root_options parameter.

    __ https://github.com/python-semantic-release/python-semantic-release/blob/v10.0.0/docs/configuration/automatic-releases/github-actions.rst

  • parser-conventional: Any breaking change footer messages that the conventional commit parser
    detects will now be removed from the commit.descriptions[] list but maintained in and only in
    the commit.breaking_descriptions[] list. Previously, the descriptions included all text from
    the commit message but that was redundant as the default changelog now handles breaking change
    footers in its own section.

  • parser-conventional, parser-emoji, parser-scipy: Any issue resolution footers that the parser
    detects will now be removed from the commit.descriptions[] list. Previously, the descriptions
    included all text from the commit message but now that the parser pulls out the issue numbers the
    numbers will be included in the commit.linked_issues tuple for user extraction in any
    changelog generation.

  • parser-conventional, parser-emoji, parser-scipy: Any release notice footer messages that the
    commit parser detects will now be removed from the commit.descriptions[] list but maintained
    in and only in the commit.notices[] list. Previously, the descriptions included all text from
    the commit message but that was redundant as the default changelog now handles release notice
    footers in its own section.

  • parser-conventional, parser-emoji, parser-scipy: Generally, a pull request or merge request
    number reference is included in the subject line at the end within parentheses on some common
    VCS's like GitHub. PSR now looks for this reference and extracts it into the
    commit.linked_merge_request and the commit.linked_pull_request attributes of a commit
    object. Since this is now pulled out individually, it is cleaner to remove this from the first
    line of the commit.descriptions list (ie. the subject line) so that changelog macros do not
    have to replace the text but instead only append a PR/MR link to the end of the line. The
    reference does maintain the PR/MR prefix indicator (# or !).

  • parser-conventional, parser-emoji, parser-scipy: The configuration setting
    commit_parser_options.ignore_merge_commits is now set to true by default. The feature to
    ignore squash commits was introduced in v9.18.0 and was originally set to false to
    prevent unexpected results on a non-breaking update. The ignore merge commits feature prevents
    additional unnecessary processing on a commit message that likely will not match a commit message
    syntax. Most merge commits are syntactically pre-defined by Git or Remote Version Control System
    (ex. GitHub, etc.) and do not follow a commit convention (nor should they). The larger issue with
    merge commits is that they ultimately are a full copy of all the changes that were previously
    created and committed. The merge commit itself ensures that the previous commit tree is
    maintained in history, therefore the commit message always exists. If merge commits are parsed,
    it generally creates duplicate messages that will end up in your changelog, which is less than
    desired in most cases. If you have previously used the changelog.exclude_commit_patterns
    functionality to ignore merge commit messages then you will want this setting set to true to
    improve parsing speed. You can also now remove the merge commit exclude pattern from the list as
    well to improve parsing speed. If this functionality is not desired, you will need to update your
    configuration to change the new setting to false.

  • parser-conventional, parser-emoji, parser-scipy: The configuration setting
    commit_parser_options.parse_squash_commits is now set to true by default. The feature to
    parse squash commits was introduced in v9.17.0 and was originally set to false to prevent
    unexpected results on a non-breaking update. The parse squash commits feature attempts to find
    additional commits of the same commit type within the body of a single commit message. When
    squash commits are found, Python Semantic Release will separate out each commit into its own
    artificial commit object and parse them individually. This potentially can change the resulting
    version bump if a larger bump was detected within the squashed components. It also allows for the
    changelog and release notes to separately order and display each commit as originally written. If
    this is not desired, you will need to update your configuration to change the new setting to
    false.

.. _#733: https://github.com/python-semantic-release/python-semantic-release/issues/733
.. _080e4bc: python-semantic-release/python-semantic-release@080e4bc
.. _0bed906: python-semantic-release/python-semantic-release@0bed906
.. _0e114c3: python-semantic-release/python-semantic-release@0e114c3
.. _16465f1: python-semantic-release/python-semantic-release@16465f1
.. _203d29d: python-semantic-release/python-semantic-release@203d29d
.. _3cfee76: python-semantic-release/python-semantic-release@3cfee76
.. _4aa6a6e: python-semantic-release/python-semantic-release@4aa6a6e
.. _4e52f4b: python-semantic-release/python-semantic-release@4e52f4b
.. _4ea92ec: python-semantic-release/python-semantic-release@4ea92ec
.. _514a922: python-semantic-release/python-semantic-release@514a922
.. _5310d0c: python-semantic-release/python-semantic-release@5310d0c
.. _58308e3: python-semantic-release/python-semantic-release@58308e3
.. _59bf084: python-semantic-release/python-semantic-release@59bf084
.. _5fb02ab: python-semantic-release/python-semantic-release@5fb02ab
.. _634fffe: python-semantic-release/python-semantic-release@634fffe
.. _67b2ae0: python-semantic-release/python-semantic-release@67b2ae0
.. _6aad7f1: python-semantic-release/python-semantic-release@6aad7f1
.. _6cd0fbe: python-semantic-release/python-semantic-release@6cd0fbe
.. _6fcdc99: python-semantic-release/python-semantic-release@6fcdc99
.. _731466f: python-semantic-release/python-semantic-release@731466f
.. _7d39e76: python-semantic-release/python-semantic-release@7d39e76
.. _7e8dc13: python-semantic-release/python-semantic-release@7e8dc13
.. _8a51525: python-semantic-release/python-semantic-release@8a51525
.. _8bed5bc: python-semantic-release/python-semantic-release@8bed5bc
.. _a082896: python-semantic-release/python-semantic-release@a082896
.. _a5f5e04: python-semantic-release/python-semantic-release@a5f5e04
.. _b1bb0e5: python-semantic-release/python-semantic-release@b1bb0e5
.. _b271cbb: python-semantic-release/python-semantic-release@b271cbb
.. _b6307cb: python-semantic-release/python-semantic-release@b6307cb
.. _b757603: python-semantic-release/python-semantic-release@b757603
.. _bd3e7bf: python-semantic-release/python-semantic-release@bd3e7bf
.. _c4d45ec: python-semantic-release/python-semantic-release@c4d45ec
.. _c6b6eab: python-semantic-release/python-semantic-release@c6b6eab
.. _d4f128e: python-semantic-release/python-semantic-release@d4f128e
.. _da4140f: python-semantic-release/python-semantic-release@da4140f
.. _e7ac155: python-semantic-release/python-semantic-release@e7ac155
.. _eed63fa: python-semantic-release/python-semantic-release@eed63fa
.. _fb3da27: python-semantic-release/python-semantic-release@fb3da27
.. _PR#1244: https://github.com/python-semantic-release/python-semantic-release/pull/1244
.. _PR#1245: https://github.com/python-semantic-release/python-semantic-release/pull/1245

.. _changelog-v9.21.1:

v9.21.1
====================

🪲 Bug Fixes

  • changelog-filters: Fixes url resolution when prefix & path share letters, closes #1204_
    (PR#1239, f61f8a3)

📖 Documentation

  • github-actions: Expound on monorepo example to include publishing actions
    (PR#1229, 550e85f)

⚙️ Build System

  • deps: Bump rich dependency from 13.0 to 14.0 (PR#1224, 691536e)

  • deps: Expand python-gitlab dependency to include v5.0.0 (PR#1228, a0cd1be)

.. _#1204: https://github.com/python-semantic-release/python-semantic-release/issues/1204
.. _550e85f: python-semantic-release/python-semantic-release@550e85f
.. _691536e: python-semantic-release/python-semantic-release@691536e
.. _a0cd1be: python-semantic-release/python-semantic-release@a0cd1be
.. _f61f8a3: python-semantic-release/python-semantic-release@f61f8a3
.. _PR#1224: https://github.com/python-semantic-release/python-semantic-release/pull/1224
.. _PR#1228: https://github.com/python-semantic-release/python-semantic-release/pull/1228
.. _PR#1229: https://github.com/python-semantic-release/python-semantic-release/pull/1229
.. _PR#1239: https://github.com/python-semantic-release/python-semantic-release/pull/1239

.. _changelog-v9.21.0:


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
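
The root_options breaking change described in the release notes above, as an added example that is not part of this PR or of the project's action script: a free-form options string re-parsed by the shell, next to one validated input per option. The `semantic_release` stub, the function names, the three input names and the 0-3 verbosity range are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; NOT the python-semantic-release action script.
# semantic_release is a constructed stand-in for the real CLI: it prints
# each argument it receives on its own line so argv boundaries are visible.
semantic_release() { printf 'arg:%s\n' "$@"; }

# Legacy pattern: one free-form options string is spliced into a command
# line and re-parsed by the shell, so metacharacters in it become syntax.
run_legacy() {
    eval "semantic_release $1 version"
}

# Hardened pattern: one input per option (hypothetical names), each checked
# against an allow-list or passed as a single quoted argv element.
run_hardened() {
    h_verbosity=$1 h_config=$2 h_strict=$3
    set --    # rebuild argv from validated pieces only
    case "$h_verbosity" in
        0) ;;
        1) set -- "$@" -v ;;
        2) set -- "$@" -vv ;;
        3) set -- "$@" -vvv ;;
        *) echo "verbosity must be 0-3" >&2; return 2 ;;
    esac
    if [ -n "$h_config" ]; then
        set -- "$@" --config "$h_config"   # data, never re-parsed as shell
    fi
    case "$h_strict" in
        true)  set -- "$@" --strict ;;
        false) ;;
        *) echo "strict must be true or false" >&2; return 2 ;;
    esac
    semantic_release "$@" version
}

# Constructed, benign input: a marker echo stands in for an arbitrary command.
PAYLOAD='-v; echo INJECTED #'

# True when the given output contains a line produced by the smuggled command.
was_injected() {
    printf '%s\n' "$1" | grep -qx 'INJECTED'
}

echo "legacy:";   run_legacy "$PAYLOAD"
echo "hardened:"; run_hardened 1 "$PAYLOAD" true
```

In the legacy run the marker line appears on its own and the `version` subcommand is commented out by the trailing `#`; in the hardened run the same string arrives intact as the single value of `--config`.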

@renovate renovate bot requested a review from watermarkhu as a code owner April 24, 2025 15:08

No release will be made.

watermarkhu
watermarkhu previously approved these changes Apr 28, 2025
@watermarkhu watermarkhu enabled auto-merge (squash) April 28, 2025 06:05
@renovate renovate bot force-pushed the renovate-major-group-github-actions branch from caee4d7 to 345662a Compare May 25, 2025 10:15
@renovate renovate bot changed the title chore(deps): update astral-sh/setup-uv action to v6 chore(deps): update group-github-actions (major) May 25, 2025
@renovate renovate bot force-pushed the renovate-major-group-github-actions branch 2 times, most recently from ec4a446 to 6e2785d Compare May 26, 2025 02:39
@renovate renovate bot force-pushed the renovate-major-group-github-actions branch from 6e2785d to ef6bd2e Compare May 26, 2025 10:13