Bump github/codeql-action from 2 to 3 #151
Conversation
Bumps [dotenv-rails](https://github.com/bkeepers/dotenv) from 2.7.6 to 2.8.1. - [Release notes](https://github.com/bkeepers/dotenv/releases) - [Changelog](https://github.com/bkeepers/dotenv/blob/master/Changelog.md) - [Commits](bkeepers/dotenv@v2.7.6...v2.8.1) --- updated-dependencies: - dependency-name: dotenv-rails dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pg](https://github.com/ged/ruby-pg) from 1.4.1 to 1.4.2. - [Release notes](https://github.com/ged/ruby-pg/releases) - [Changelog](https://github.com/ged/ruby-pg/blob/master/History.rdoc) - [Commits](ged/ruby-pg@v1.4.1...v1.4.2) --- updated-dependencies: - dependency-name: pg dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [faker](https://github.com/faker-ruby/faker) from 2.21.0 to 2.22.0. - [Release notes](https://github.com/faker-ruby/faker/releases) - [Changelog](https://github.com/faker-ruby/faker/blob/master/CHANGELOG.md) - [Commits](faker-ruby/faker@v2.21.0...v2.22.0) --- updated-dependencies: - dependency-name: faker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [webmock](https://github.com/bblimke/webmock) from 3.14.0 to 3.16.0. - [Release notes](https://github.com/bblimke/webmock/releases) - [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md) - [Commits](bblimke/webmock@v3.14.0...v3.16.0) --- updated-dependencies: - dependency-name: webmock dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [webmock](https://github.com/bblimke/webmock) from 3.16.0 to 3.17.0. - [Release notes](https://github.com/bblimke/webmock/releases) - [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md) - [Commits](bblimke/webmock@v3.16.0...v3.17.0) --- updated-dependencies: - dependency-name: webmock dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Rails 5.0 and 5.1 already reached end-of-life, and 5.2 will reach it next week. Time to drop support for them. Additionally, removed gemfiles/sass_3_4.gemfile, which was a leftover from thoughtbot#1197 https://guides.rubyonrails.org/maintenance_policy.html#severe-security-issues thoughtbot#1197
When referring to a route in the code, we run two checks:

* `valid_action?` is `true` if the route is defined, `false` otherwise.
* `show_action?` is expected to be overridden by developers in order to implement authorization. For example, it's implemented by `Administrate::Punditize` in order to integrate Administrate with Pundit. It should return `true` if the current user can access a given route, `false` otherwise.

These two checks should (almost) always happen together. For this reason, our code is peppered with `if` statements where both are checked... and a few others where we forget one or the other. These checks should be unified into a single method call, in order to avoid issues like the one described at thoughtbot#1861.

This introduces a new method, called `accessible_action?`. The original methods should still exist, as they do have their uses individually. The new method will delegate to the existing ones.

We also rename the two existing methods to something that will make their intent clear:

* `valid_action?` becomes `existing_action?`
* `show_action?` becomes `authorized_action?`

In order to provide a clear upgrade path, the old names still exist and work, but they show a deprecation warning when used. They can be removed properly at a later version of Administrate.
This also fixes a typo in the associate spec.
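As an added illustration of the commit message above about `accessible_action?` (example code written here, not Administrate's own), the unified check and its deprecated aliases in miniature. The route table, the `AdminDashboard` class and its admin-only policy are constructed, and the deny-by-default `authorized_action?` is this example's choice, not necessarily Administrate's.

```ruby
# Minimal model of the existence + authorization check pair described
# in the commit message. Everything here is constructed for illustration.
module RouteAccess
  ROUTES = %i[index show edit destroy].freeze # constructed route table

  # Old name: valid_action? -- true when the route is defined at all.
  def existing_action?(action)
    ROUTES.include?(action.to_sym)
  end

  # Old name: show_action? -- meant to be overridden (e.g. by a Pundit
  # integration). The default here denies, so a forgotten override
  # fails closed rather than open (this example's choice).
  def authorized_action?(_action, _resource = nil)
    false
  end

  # The single entry point: both checks, always together, so neither
  # can be forgotten at a call site.
  def accessible_action?(action, resource = nil)
    existing_action?(action) && authorized_action?(action, resource)
  end

  # Deprecated aliases keep the old names working but warn on use.
  def valid_action?(action)
    warn "[DEPRECATION] valid_action? is deprecated; use existing_action?"
    existing_action?(action)
  end

  def show_action?(action, resource = nil)
    warn "[DEPRECATION] show_action? is deprecated; use authorized_action?"
    authorized_action?(action, resource)
  end
end

# A controller-like object that overrides authorization, as a Pundit
# integration would. Constructed policy: anyone may read, only admins
# may edit or destroy.
class AdminDashboard
  include RouteAccess

  def initialize(current_user)
    @current_user = current_user
  end

  def authorized_action?(action, _resource = nil)
    return true if %i[index show].include?(action.to_sym)

    @current_user[:admin] == true
  end
end

# No override: every route is rejected by accessible_action?.
class DefaultDashboard
  include RouteAccess
end
```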
Fixes thoughtbot#1978 This includes the namespace of the associated class. If the associated class is `System::Build`, the previous code would tell us that the name was `Build`. This code gets the right name.
Bumps [selenium-webdriver](https://github.com/SeleniumHQ/selenium) from 4.3.0 to 4.4.0. - [Release notes](https://github.com/SeleniumHQ/selenium/releases) - [Changelog](https://github.com/SeleniumHQ/selenium/blob/trunk/rb/CHANGES) - [Commits](SeleniumHQ/selenium@selenium-4.3.0...selenium-4.4.0) --- updated-dependencies: - dependency-name: selenium-webdriver dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [webmock](https://github.com/bblimke/webmock) from 3.17.0 to 3.17.1. - [Release notes](https://github.com/bblimke/webmock/releases) - [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md) - [Commits](bblimke/webmock@v3.17.0...v3.17.1) --- updated-dependencies: - dependency-name: webmock dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pg](https://github.com/ged/ruby-pg) from 1.4.2 to 1.4.3. - [Release notes](https://github.com/ged/ruby-pg/releases) - [Changelog](https://github.com/ged/ruby-pg/blob/master/History.rdoc) - [Commits](ged/ruby-pg@v1.4.2...v1.4.3) --- updated-dependencies: - dependency-name: pg dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The template `app/views/fields/has_one/_show.html.erb` wasn't using the correct i18n key to translate the field names of the associated record. This PR includes a heavy revamp of `spec/administrate/views/fields/has_one/_show_spec.rb`, which needed some TLC in order to work with it. The diff for `lib/administrate/field/associative.rb` looks a bit misleading. The actual change is the definition of associated_class_name is now above the private declaration. Fixes thoughtbot#2185
Following the GitHub Actions pattern of having one check per service, rather than one big check for faster feedback. This also means we no longer need to bundle `bundler-audit`.
This fixes an issue where the embedded collection is using the parent's class to define i18n headers.
Bumps [webmock](https://github.com/bblimke/webmock) from 3.17.1 to 3.18.1. - [Release notes](https://github.com/bblimke/webmock/releases) - [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md) - [Commits](bblimke/webmock@v3.17.1...v3.18.1) --- updated-dependencies: - dependency-name: webmock dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [faker](https://github.com/faker-ruby/faker) from 2.22.0 to 2.23.0. - [Release notes](https://github.com/faker-ruby/faker/releases) - [Changelog](https://github.com/faker-ruby/faker/blob/master/CHANGELOG.md) - [Commits](faker-ruby/faker@v2.22.0...v2.23.0) --- updated-dependencies: - dependency-name: faker dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [webdrivers](https://github.com/titusfortner/webdrivers) from 5.0.0 to 5.1.0. - [Release notes](https://github.com/titusfortner/webdrivers/releases) - [Changelog](https://github.com/titusfortner/webdrivers/blob/main/CHANGELOG.md) - [Commits](titusfortner/webdrivers@v5.0.0...v5.1.0) --- updated-dependencies: - dependency-name: webdrivers dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [i18n-tasks](https://github.com/glebm/i18n-tasks) from 1.0.11 to 1.0.12. - [Release notes](https://github.com/glebm/i18n-tasks/releases) - [Changelog](https://github.com/glebm/i18n-tasks/blob/main/CHANGES.md) - [Commits](glebm/i18n-tasks@v1.0.11...v1.0.12) --- updated-dependencies: - dependency-name: i18n-tasks dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
…tbot#2391) This commit allows a field definition like this: ATTRIBUTE_TYPES = { listable: Field::Polymorphic.with_options(classes: -> { Listable.listable_classes }) }
Bumps [capybara](https://github.com/teamcapybara/capybara) from 3.39.0 to 3.39.2. - [Changelog](https://github.com/teamcapybara/capybara/blob/master/History.md) - [Commits](teamcapybara/capybara@3.39.0...3.39.2) --- updated-dependencies: - dependency-name: capybara dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Recent updates to the Ruby version and `selenium-webdriver` haven't been kept up with the Appraisal `gemfile`s.
This fixes a vulnerability:

- Name: actionpack
- Version: 7.0.4.3
- CVE: CVE-2023-28362
- Criticality: Unknown
- URL: https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
- Title: Possible XSS via User Supplied Values to redirect_to
- Solution: upgrade to '~> 6.1.7.4', '>= 7.0.5.1'
The majority of the effort in making a new release is in putting together a good CHANGELOG.

Back in thoughtbot#1968, we added a script to generate a list of templates that had changed since the last (provided) tag. This helped ensure we'd communicate any template changes, whilst requiring little effort to do so.

The next step in assembling a CHANGELOG was to put together a list of commits the release would include. By convention this has been:

```
[KEY] [PR NUMBER] Commit Message
```

So far, this has required a lot of manual text manipulation, and when the commit wasn't introduced via a squash on GitHub, the PR reference needed to be tracked down (which could take some time).

This script attempts to automate the rest of this process by assembling a draft that needs much less effort to publish. By using the GitHub CLI, we're able to match commits back to the originating pull request and then automate much of the text manipulation which was needed before.

We then pull over the template warning checker from before, but in this implementation skip over the `spec` changes, as they shouldn't matter to end users. We can also assume we want changes since the last tag, to remove the need to provide an argument.

An example run (trimmed):

```
The following templates have changed since v0.18.0:

app/views/administrate/application/_collection.html.erb
app/views/administrate/application/_index_header.html.erb

If your application overrides any of them, make sure to review your custom templates to ensure that they remain compatible.

* [] [thoughtbot#2367] Update to Ruby 3.2.2
* [] [thoughtbot#2371] Adapt to deprecations in the Faker API
* [] [thoughtbot#2348] Field::Select to handle ActiveRecord enums correctly
```

https://cli.github.com/
https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-trailersoptions
https://stackoverflow.com/a/18558871
https://stackoverflow.com/a/30035045
Bumps [jquery-rails](https://github.com/rails/jquery-rails) from 4.5.1 to 4.6.0. - [Changelog](https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md) - [Commits](rails/jquery-rails@v4.5.1...v4.6.0) --- updated-dependencies: - dependency-name: jquery-rails dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Back when we upgraded Rails, we added this as it's now standard. But we still support 6.0 which doesn't have this. This was noticed when running `bundle exec appraisal rails60 rails rspec` locally where the tests all fail for this version of Rails. Running `rails s` hinted that this might be the problem and not calling it means the tests now run. thoughtbot#1841
Bumps [appraisal](https://github.com/thoughtbot/appraisal) from 2.4.1 to 2.5.0. - [Release notes](https://github.com/thoughtbot/appraisal/releases) - [Commits](thoughtbot/appraisal@v2.4.1...v2.5.0) --- updated-dependencies: - dependency-name: appraisal dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pundit](https://github.com/varvet/pundit) from 2.3.0 to 2.3.1. - [Changelog](https://github.com/varvet/pundit/blob/main/CHANGELOG.md) - [Commits](varvet/pundit@v2.3.0...v2.3.1) --- updated-dependencies: - dependency-name: pundit dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [faker](https://github.com/faker-ruby/faker) from 3.2.0 to 3.2.1. - [Release notes](https://github.com/faker-ruby/faker/releases) - [Changelog](https://github.com/faker-ruby/faker/blob/main/CHANGELOG.md) - [Commits](faker-ruby/faker@v3.2.0...v3.2.1) --- updated-dependencies: - dependency-name: faker dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [timecop](https://github.com/travisjeffery/timecop) from 0.9.6 to 0.9.8. - [Changelog](https://github.com/travisjeffery/timecop/blob/master/History.md) - [Commits](travisjeffery/timecop@v0.9.6...v0.9.8) --- updated-dependencies: - dependency-name: timecop dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [activesupport](https://github.com/rails/rails) from 7.0.5.1 to 7.0.7.2. - [Release notes](https://github.com/rails/rails/releases) - [Changelog](https://github.com/rails/rails/blob/v7.0.7.2/activesupport/CHANGELOG.md) - [Commits](rails/rails@v7.0.5.1...v7.0.7.2) --- updated-dependencies: - dependency-name: activesupport dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [webmock](https://github.com/bblimke/webmock) from 3.18.1 to 3.19.1. - [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md) - [Commits](bblimke/webmock@v3.18.1...v3.19.1) --- updated-dependencies: - dependency-name: webmock dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This should help keep us on top of Actions versions, without having to do it manually. This commit also formats using yamllint, to avoid some common YAML mistakes. https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
Bumps [pg](https://github.com/ged/ruby-pg) from 1.5.3 to 1.5.4. - [Changelog](https://github.com/ged/ruby-pg/blob/master/History.md) - [Commits](ged/ruby-pg@v1.5.3...v1.5.4) --- updated-dependencies: - dependency-name: pg dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [globalid](https://github.com/rails/globalid) from 1.1.0 to 1.2.1. - [Release notes](https://github.com/rails/globalid/releases) - [Commits](rails/globalid@v1.1.0...v1.2.1) --- updated-dependencies: - dependency-name: globalid dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1 to 2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v1...v2) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Latest Administrate
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v2...v3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps github/codeql-action from 2 to 3.
Release notes
Sourced from github/codeql-action's releases.
... (truncated)
Changelog
Sourced from github/codeql-action's changelog.
Commits
- 3a9f6a8 update javascript files
- cc4fead update version in various hardcoded locations
- 183559c Merge branch 'main' into update-bundle/codeql-bundle-v2.15.4
- 5b52b36 reintroduce PR check that confirm action can be still be compiled on node16
- 5b19bef change to node20 for all actions
- f2d0c2e upgrade node type definitions
- d651fbc change to node20 for all actions
- 382a50a Merge pull request #2021 from github/mergeback/v2.22.9-to-main-c0d1daa7
- 458b422 Update checked-in dependencies
- 5e0f9db Update changelog and version after v2.22.9

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)