Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump github/codeql-action from 2 to 3 #151

Closed

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Dec 18, 2023

Bumps github/codeql-action from 2 to 3.

Release notes

Sourced from github/codeql-action's releases.

CodeQL Bundle v2.15.4

Bundles CodeQL CLI v2.15.4

Includes the following CodeQL language packs from github/codeql@codeql-cli/v2.15.4:

CodeQL Bundle

Bundles CodeQL CLI v2.15.3

Includes the following CodeQL language packs from github/codeql@codeql-cli/v2.15.3:

CodeQL Bundle

Bundles CodeQL CLI v2.15.2

Includes the following CodeQL language packs from github/codeql@codeql-cli/v2.15.2:

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

Commits
  • 3a9f6a8 update javascript files
  • cc4fead update version in various hardcoded locations
  • 183559c Merge branch 'main' into update-bundle/codeql-bundle-v2.15.4
  • 5b52b36 reintroduce PR check that confirm action can be still be compiled on node16
  • 5b19bef change to node20 for all actions
  • f2d0c2e upgrade node type definitions
  • d651fbc change to node20 for all actions
  • 382a50a Merge pull request #2021 from github/mergeback/v2.22.9-to-main-c0d1daa7
  • 458b422 Update checked-in dependencies
  • 5e0f9db Update changelog and version after v2.22.9
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot bot and others added 30 commits July 28, 2022 15:15
Bumps [dotenv-rails](https://github.com/bkeepers/dotenv) from 2.7.6 to 2.8.1.
- [Release notes](https://github.com/bkeepers/dotenv/releases)
- [Changelog](https://github.com/bkeepers/dotenv/blob/master/Changelog.md)
- [Commits](bkeepers/dotenv@v2.7.6...v2.8.1)

---
updated-dependencies:
- dependency-name: dotenv-rails
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pg](https://github.com/ged/ruby-pg) from 1.4.1 to 1.4.2.
- [Release notes](https://github.com/ged/ruby-pg/releases)
- [Changelog](https://github.com/ged/ruby-pg/blob/master/History.rdoc)
- [Commits](ged/ruby-pg@v1.4.1...v1.4.2)

---
updated-dependencies:
- dependency-name: pg
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [faker](https://github.com/faker-ruby/faker) from 2.21.0 to 2.22.0.
- [Release notes](https://github.com/faker-ruby/faker/releases)
- [Changelog](https://github.com/faker-ruby/faker/blob/master/CHANGELOG.md)
- [Commits](faker-ruby/faker@v2.21.0...v2.22.0)

---
updated-dependencies:
- dependency-name: faker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [webmock](https://github.com/bblimke/webmock) from 3.14.0 to 3.16.0.
- [Release notes](https://github.com/bblimke/webmock/releases)
- [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md)
- [Commits](bblimke/webmock@v3.14.0...v3.16.0)

---
updated-dependencies:
- dependency-name: webmock
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [webmock](https://github.com/bblimke/webmock) from 3.16.0 to 3.17.0.
- [Release notes](https://github.com/bblimke/webmock/releases)
- [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md)
- [Commits](bblimke/webmock@v3.16.0...v3.17.0)

---
updated-dependencies:
- dependency-name: webmock
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Rails 5.0 and 5.1 already reached end-of-life, and 5.2 will reach it
next week. Time to drop support for them.

Additionally, removed gemfiles/sass_3_4.gemfile, which was a
leftover from thoughtbot#1197

https://guides.rubyonrails.org/maintenance_policy.html#severe-security-issues
thoughtbot#1197
When referring to a route in the code, we run two checks:

* `valid_action?` is `true` if the route is defined, `false` otherwise.
* `show_action?` is expected to be overridden by developers in order to
  implement authorization. For example, it's implemented by
  `Administrate::Punditize` in order to integrate Administrate with Pundit.
  It should return `true` if the current user can access a given route,
  `false` otherwise.

These two check should (almost) always happen together. For this reason,
our code is peppered with `if` statements where both are checked... and a
few others where we forget one or the other.

These checks should be unified into a single method call, in order to avoid
issues like the one described at thoughtbot#1861. This introduces a new method, called
`accessible_action?`.

The original methods should still exist, as they do have their uses
individually. The new method will delegate to the existing ones.

We also rename the two existing methods to something that will make their
intent clear:

* `valid_action?` becomes `existing_action?`
* `show_action?` becomes `authorized_action?`

In order to provide a clear upgrade path, the old names still exist and
work, but they show a deprecation warning when used. They can be removed
properly at a later version of Administrate.
This also fixes a typo in the associate spec.
Fixes thoughtbot#1978

This includes the namespace of the associated class. If the associated class
is `System::Build`, the previous code would tell us that the name was `Build`.
This code gets the right name.
Bumps [selenium-webdriver](https://github.com/SeleniumHQ/selenium) from 4.3.0 to 4.4.0.
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Changelog](https://github.com/SeleniumHQ/selenium/blob/trunk/rb/CHANGES)
- [Commits](SeleniumHQ/selenium@selenium-4.3.0...selenium-4.4.0)

---
updated-dependencies:
- dependency-name: selenium-webdriver
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [webmock](https://github.com/bblimke/webmock) from 3.17.0 to 3.17.1.
- [Release notes](https://github.com/bblimke/webmock/releases)
- [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md)
- [Commits](bblimke/webmock@v3.17.0...v3.17.1)

---
updated-dependencies:
- dependency-name: webmock
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pg](https://github.com/ged/ruby-pg) from 1.4.2 to 1.4.3.
- [Release notes](https://github.com/ged/ruby-pg/releases)
- [Changelog](https://github.com/ged/ruby-pg/blob/master/History.rdoc)
- [Commits](ged/ruby-pg@v1.4.2...v1.4.3)

---
updated-dependencies:
- dependency-name: pg
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The template `app/views/fields/has_one/_show.html.erb` wasn't using the correct
i18n key to translate the field names of the associated record.

This PR includes a heavy revamp of
`spec/administrate/views/fields/has_one/_show_spec.rb`, which needed some TLC
in order to work with it.

The diff for `lib/administrate/field/associative.rb` looks a bit misleading.
The actual change is the definition of associated_class_name is now above the
private declaration.

Fixes thoughtbot#2185
Following the GitHub Actions pattern of having one check per service,
rather than one big check for faster feedback.

This also means we no longer need to bundle `bundler-audit`.
this fixes an issue where the embedded collection is using the parent's class to define i18n headers
Bumps [webmock](https://github.com/bblimke/webmock) from 3.17.1 to 3.18.1.
- [Release notes](https://github.com/bblimke/webmock/releases)
- [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md)
- [Commits](bblimke/webmock@v3.17.1...v3.18.1)

---
updated-dependencies:
- dependency-name: webmock
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [faker](https://github.com/faker-ruby/faker) from 2.22.0 to 2.23.0.
- [Release notes](https://github.com/faker-ruby/faker/releases)
- [Changelog](https://github.com/faker-ruby/faker/blob/master/CHANGELOG.md)
- [Commits](faker-ruby/faker@v2.22.0...v2.23.0)

---
updated-dependencies:
- dependency-name: faker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [webdrivers](https://github.com/titusfortner/webdrivers) from 5.0.0 to 5.1.0.
- [Release notes](https://github.com/titusfortner/webdrivers/releases)
- [Changelog](https://github.com/titusfortner/webdrivers/blob/main/CHANGELOG.md)
- [Commits](titusfortner/webdrivers@v5.0.0...v5.1.0)

---
updated-dependencies:
- dependency-name: webdrivers
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [i18n-tasks](https://github.com/glebm/i18n-tasks) from 1.0.11 to 1.0.12.
- [Release notes](https://github.com/glebm/i18n-tasks/releases)
- [Changelog](https://github.com/glebm/i18n-tasks/blob/main/CHANGES.md)
- [Commits](glebm/i18n-tasks@v1.0.11...v1.0.12)

---
updated-dependencies:
- dependency-name: i18n-tasks
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
brent-yearone and others added 24 commits June 9, 2023 16:14
…tbot#2391)

This commit allows a field definition like this:

ATTRIBUTE_TYPES = {
  listable: Field::Polymorphic.with_options(classes: -> { Listable.listable_classes })
}
Bumps [capybara](https://github.com/teamcapybara/capybara) from 3.39.0 to 3.39.2.
- [Changelog](https://github.com/teamcapybara/capybara/blob/master/History.md)
- [Commits](teamcapybara/capybara@3.39.0...3.39.2)

---
updated-dependencies:
- dependency-name: capybara
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Recent updates to the Ruby version and `selenium-webdriver` haven't been
kept up with the Appraisal `gemfile`s.
This fixes a vulnerability:

    Name: actionpack
    Version: 7.0.4.3
    CVE: CVE-2023-28362
    Criticality: Unknown
    URL: https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
    Title: Possible XSS via User Supplied Values to redirect_to
    Solution: upgrade to '~> 6.1.7.4', '>= 7.0.5.1'
The majority of the effort in making a new release is in putting
together a good CHANGELOG. Back in thoughtbot#1968, we added a script to generate
a list of templates that had changed since the last (provided) tag.
This helped ensure we'd communicate any template changes, whilst
requiring little effort to do so.

The next step in assembling a CHANGELOG was to put together a list of
commits the release would include. By convention this has been:

    [KEY] [PR NUMBER] Commit Message

So far, this has required a lot of manual text manipulation, and when
the commit wasn't introduced via a squash on GitHub, the PR reference
needed to be tracked down (which could take some time).

This script attempts to automate the rest of this process by assembling
a draft that needs much less effort to publish. By using the GitHub
CLI, we're able to match commits back to the originating pull request
and then automate much of the text manipulation which was needed before.

We then pull over the template warning checker from before, but in
this implementation skip over the `spec` changes, as they shouldn't
matter to end users.

We can also assume we want changes since the last tag, to remove the
need to provide an argument.

An example run (trimmed):

    The following templates have changed since v0.18.0:

      app/views/administrate/application/_collection.html.erb
      app/views/administrate/application/_index_header.html.erb

    If your application overrides any of them, make sure to review your
    custom templates to ensure that they remain compatible.

    * [] [thoughtbot#2367] Update to Ruby 3.2.2
    * [] [thoughtbot#2371] Adapt to deprecations in the Faker API
    * [] [thoughtbot#2348] Field::Select to handle ActiveRecord enums correctly

https://cli.github.com/
https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-trailersoptions
https://stackoverflow.com/a/18558871
https://stackoverflow.com/a/30035045
Bumps [jquery-rails](https://github.com/rails/jquery-rails) from 4.5.1 to 4.6.0.
- [Changelog](https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md)
- [Commits](rails/jquery-rails@v4.5.1...v4.6.0)

---
updated-dependencies:
- dependency-name: jquery-rails
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Back when we upgraded Rails, we added this as it's now standard. But we
still support 6.0 which doesn't have this.

This was noticed when running `bundle exec appraisal rails60 rails rspec`
locally where the tests all fail for this version of Rails. Running
`rails s` hinted that this might be the problem and not calling it means
the tests now run.

thoughtbot#1841
Bumps [appraisal](https://github.com/thoughtbot/appraisal) from 2.4.1 to 2.5.0.
- [Release notes](https://github.com/thoughtbot/appraisal/releases)
- [Commits](thoughtbot/appraisal@v2.4.1...v2.5.0)

---
updated-dependencies:
- dependency-name: appraisal
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pundit](https://github.com/varvet/pundit) from 2.3.0 to 2.3.1.
- [Changelog](https://github.com/varvet/pundit/blob/main/CHANGELOG.md)
- [Commits](varvet/pundit@v2.3.0...v2.3.1)

---
updated-dependencies:
- dependency-name: pundit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [faker](https://github.com/faker-ruby/faker) from 3.2.0 to 3.2.1.
- [Release notes](https://github.com/faker-ruby/faker/releases)
- [Changelog](https://github.com/faker-ruby/faker/blob/main/CHANGELOG.md)
- [Commits](faker-ruby/faker@v3.2.0...v3.2.1)

---
updated-dependencies:
- dependency-name: faker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [timecop](https://github.com/travisjeffery/timecop) from 0.9.6 to 0.9.8.
- [Changelog](https://github.com/travisjeffery/timecop/blob/master/History.md)
- [Commits](travisjeffery/timecop@v0.9.6...v0.9.8)

---
updated-dependencies:
- dependency-name: timecop
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [activesupport](https://github.com/rails/rails) from 7.0.5.1 to 7.0.7.2.
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v7.0.7.2/activesupport/CHANGELOG.md)
- [Commits](rails/rails@v7.0.5.1...v7.0.7.2)

---
updated-dependencies:
- dependency-name: activesupport
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [webmock](https://github.com/bblimke/webmock) from 3.18.1 to 3.19.1.
- [Changelog](https://github.com/bblimke/webmock/blob/master/CHANGELOG.md)
- [Commits](bblimke/webmock@v3.18.1...v3.19.1)

---
updated-dependencies:
- dependency-name: webmock
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This should help keep us on top of Actions versions, without having to
do it manually.

This commit also formats using yamllint, to avoid some common YAML
mistakes.

https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
Bumps [pg](https://github.com/ged/ruby-pg) from 1.5.3 to 1.5.4.
- [Changelog](https://github.com/ged/ruby-pg/blob/master/History.md)
- [Commits](ged/ruby-pg@v1.5.3...v1.5.4)

---
updated-dependencies:
- dependency-name: pg
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [globalid](https://github.com/rails/globalid) from 1.1.0 to 1.2.1.
- [Release notes](https://github.com/rails/globalid/releases)
- [Commits](rails/globalid@v1.1.0...v1.2.1)

---
updated-dependencies:
- dependency-name: globalid
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1 to 2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v1...v2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v2...v3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Dec 18, 2023
@excid3 excid3 closed this Feb 23, 2024
Copy link
Author

dependabot bot commented on behalf of github Feb 23, 2024

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/github_actions/github/codeql-action-3 branch February 23, 2024 23:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code
Projects
None yet
Development

Successfully merging this pull request may close these issues.