Skip to content

build(deps): bump the github-actions group across 1 directory with 6 updates#4

Open
dependabot[bot] wants to merge 9 commits into
mainfrom
dependabot/github_actions/github-actions-1cd977729b
Open

build(deps): bump the github-actions group across 1 directory with 6 updates#4
dependabot[bot] wants to merge 9 commits into
mainfrom
dependabot/github_actions/github-actions-1cd977729b

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown

Bumps the github-actions group with 6 updates in the / directory:

Package From To
actions/checkout 4 7
actions/setup-go 5 7
astral-sh/setup-uv 6 7
actions/configure-pages 5 6
actions/upload-pages-artifact 3 5
actions/deploy-pages 4 5

Updates actions/checkout from 4 to 7

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Updates actions/setup-go from 5 to 7

Release notes

Sourced from actions/setup-go's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/setup-go@v6...v7.0.0

v6.5.0

What's Changed

Dependency update

New Contributors

Full Changelog: actions/setup-go@v6...v6.5.0

v6.4.0

What's Changed

Enhancement

Dependency update

Documentation update

New Contributors

Full Changelog: actions/setup-go@v6...v6.4.0

v6.3.0

What's Changed

Full Changelog: actions/setup-go@v6...v6.3.0

v6.2.0

What's Changed

... (truncated)

Commits

Updates astral-sh/setup-uv from 6 to 7

Release notes

Sourced from astral-sh/setup-uv's releases.

v8.3.2 🌈 update known checksums for 0.11.28

Changes

Just a maintenance release

🧰 Maintenance

📚 Documentation

⬆️ Dependency updates

v8.3.1 🌈 update known checksums for 0.11.27

Changes

Just a maintenance release

🧰 Maintenance

📚 Documentation

v7.2.1 🌈 update known checksums up to 0.9.28

Changes

🧰 Maintenance

📚 Documentation

⬆️ Dependency updates

... (truncated)

Commits
  • 37802ad Fetch uv from Astral's mirror by default (#809)
  • 9f00d18 chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 (#808)
  • fd8f376 Switch to ESM for source and test, use CommonJS for dist (#806)
  • f9070de Bump deps (#805)
  • cadb67b chore: update known checksums for 0.10.10 (#804)
  • e06108d Use astral-sh/versions as primary version provider (#802)
  • 0f6ec07 docs: replace copilot instructions with AGENTS.md (#794)
  • 821e5c9 docs: add cross-client dependabot rollup skill (#793)
  • 6ee6290 chore(deps): bump versions (#792)
  • 9f332a1 Add riscv64 architecture support to platform detection (#791)
  • Additional commits viewable in compare view

Updates actions/configure-pages from 5 to 6

Release notes

Sourced from actions/configure-pages's releases.

v6.0.0

Changelog

See details of all code changes since previous release.

Commits
  • 45bfe01 Merge pull request #186 from salmanmkc/node24
  • d8770c2 Update Node version from 20 to 24 in action.yml
  • cb8a1a3 upgrade to node 24
  • d560657 Merge pull request #165 from actions/Jcambass-patch-1
  • 35e0ac4 Upgrade IA Publish
  • 1dfbcbf Merge pull request #163 from actions/Jcambass-patch-1
  • 2f4f988 Add workflow file for publishing releases to immutable action package
  • 0d7570c Merge pull request #162 from actions/pin-draft-release-verssion
  • 3ea1966 pin draft release version
  • aabcbc4 Merge pull request #160 from actions/dependabot/npm_and_yarn/espree-10.1.0
  • Additional commits viewable in compare view

Updates actions/upload-pages-artifact from 3 to 5

Release notes

Sourced from actions/upload-pages-artifact's releases.

v5.0.0

Changelog

See details of all code changes since previous release.

v4.0.0

What's Changed

Full Changelog: actions/upload-pages-artifact@v3.0.1...v4.0.0

v3.0.1

Changelog

See details of all code changes since previous release.

Commits
  • fc324d3 Merge pull request #139 from Tom-van-Woudenberg/patch-1
  • fe9d4b7 Merge branch 'main' into patch-1
  • 0ca1617 Merge pull request #137 from jonchurch/include-hidden-files
  • 57f0e84 Update action.yml
  • 4a90348 v7 --> hash
  • 56f665a Update upload-artifact action to version 7
  • f7615f5 Add include-hidden-files input
  • 7b1f4a7 Merge pull request #127 from heavymachinery/pin-sha
  • 4cc19c7 Pin actions/upload-artifact to SHA
  • 2d163be Merge pull request #107 from KittyChiu/main
  • Additional commits viewable in compare view

Updates actions/deploy-pages from 4 to 5

Release notes

Sourced from actions/deploy-pages's releases.

v5.0.0

Changelog


See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

v4.0.5

Changelog


See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

v4.0.4

Changelog


See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

v4.0.3

Changelog

... (truncated)

Commits
  • cd2ce8f Merge pull request #404 from salmanmkc/node24
  • bbe2a95 Update Node.js version to 24.x
  • 854d7aa Merge pull request #374 from actions/Jcambass-patch-1
  • 306bb81 Add workflow file for publishing releases to immutable action package
  • b742728 Merge pull request #360 from actions/dependabot/npm_and_yarn/npm_and_yarn-513...
  • 7273294 Bump braces in the npm_and_yarn group across 1 directory
  • 963791f Merge pull request #361 from actions/dependabot-friendly
  • 51bb29d Make the rebuild dist workflow safer for Dependabot
  • 89f3d10 Merge pull request #358 from actions/dependabot/npm_and_yarn/non-breaking-cha...
  • bce7355 Merge branch 'main' into dependabot/npm_and_yarn/non-breaking-changes-99c12deb21
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

thomas-mangin and others added 9 commits July 16, 2026 07:06
Ground truth from the keepalived IPv6 interop lab plus the address-owner
source: the first IPv6 advert sources from the macvlan's transient
EUI-64 link-local, not fe80::1, because iface.RegisterOwnedAddresses
(address_owner.go) applies asynchronously -- the kernel installs fe80::1
on a later reconcile pass, after the first SendAdvert has already
resolved a source. Reordering promoteToMaster to install-first was tried
and proven ineffective (ordering cannot win an async race) and only
churns the spec-annotated AC-3/R-4 order. Record the root cause and a
do-not-retry warning; the behavior is cosmetic (both are valid RFC 9568
link-local sources, keepalived accepts both, election/failover/dataplane
unaffected).
TestPeerTeardownWithdrawsSubscriberRoute and
TestDeadPeerKeepaliveTeardownWithdrawsRoute called SetRouteObserver
AFTER buildLogReactorWithClock had already started the reactor, so the
test goroutine's write to r.routeObserver raced the run loop's read in
notifyRouteObserverDown. -race reports it on the first run, not 1-in-3:
reactor_setters.go:114 (write) vs reactor_kernel.go:263 (read).

This is the test misusing the API, not a product bug. SetRouteObserver
documents 'MUST be called before Start(); the goroutine creation barrier
synchronizes the write here with reads in the run loop', and the sole
production caller honours it -- subsystem.go installs the observer at
:241 and starts the reactor 72 lines later at :313, the same discipline
its neighbour comment spells out for SetKernelWorker. The lock-free
write is deliberate: the reload-time setters (setHelloRetries and
friends) DO take tunnelsMu because subsystem_reload.go calls them on a
live reactor, while the install-time setters trade the lock for the
Start() happens-before edge. Adding a mutex would weaken a working
design to accommodate a misusing test.

Fixed by giving the builder an observer parameter that installs before
Start(), via buildLogReactorWithClockObserver; the existing 11 callers
are untouched and the wrapper passes nil (a documented no-op).
setHelloRetries stays after Start(), which is safe -- it locks.

Verified: the two tests 5/5 under -race, and the whole
internal/component/l2tp/... tree green under -race (was: race on run 1).
make ze-lint-changed: 0 issues.
appliance-kernel-runtime failed with 'CONFIG_MACVLAN did not resolve to
=y'. gokrazy/kernel/runtime.require gained CONFIG_MACVLAN for the VRRP
macvlan work, but this test's fake docker kernel config was not updated
to match, so enforceKernelRequirements rejected it (kernelreq.go:36
reads the require manifests at :41 and errors at :54 on any symbol that
is not =y).

The test file already documents exactly this coupling in the comment
above the fake config: 'Adding a symbol to runtime.require (e.g.
CONFIG_HUGETLBFS for VPP) requires adding it here too, or this test
fails with <SYMBOL> did not resolve to =y'. This is that case; the fix
is the one the comment prescribes.

Worth noting for triage: run.sh does cd "$repo" and reads the WORKING
TREE runtime.require, not the committed one. So this red reproduces
against any commit you build while runtime.require is dirty, which is
why it looked like a pre-existing failure rather than a consequence of
the uncommitted VRRP change.

Scope checked: appliance-kernel-runtime.ci is the only test carrying
that fake config (sole file with CONFIG_VETH=y). kernel-wiring.ci also
names --target runtime but only greps a make -n dry run, so it never
enforces requirements.

Verified: ze-test install --pattern appliance-kernel-runtime PASS; full
install suite 37/37 PASS (3 environment skips).
TestInProcessChaosReconnect failed 3/3 in 92.00s with established==1. It
was logged as a -race flake ('passes 3/3 without -race'); it is neither
flaky nor -race-specific -- it fails identically in both modes, i.e. a
deterministic red, which plan/known-failures.md's own scope rule says
never belongs there.

Bisected (8 steps, git archive per commit -- git bisect needs a
forbidden checkout) to 44ad25d 'reconnect backoff floor 5s, not 120s'.
That fix is CORRECT and stays: it only changed WHEN ze lands in the
sleep below. The latent defect predates it.

A goroutine dump 30s into the freeze pinned the mechanism, after three
plausible theories (the new iface chaos weights; the blocking timer send
at virtualclock.go:168; 'the advance loop is slow') were each disproven
by experiment:

  runner     -> simWg.Wait() (runner.go:594)   -- advance loop ALREADY
  finished
  ze session -> VirtualClock.Sleep (virtualclock.go:49) from
  session.go:767

The advance loop costs what runner.go:427-430 implies -- 60s of virtual
time in ~0.6s real -- then exits, and nothing advances the clock again.
session.Run() polls for its connection with s.clock.Sleep(10ms)
(session.go:762-768), and VirtualClock.Sleep is a bare <-ch
(virtualclock.go:47-50): clock.Clock.Sleep takes no ctx, so simCancel()
cannot reach a goroutine parked there -- only Advance can. ze's session
was stranded mid-sleep, never finished the handshake, the simulator
blocked forever on the reply that never came (executeReconnectStorm ->
readMsg, simulator_actions.go:233), and simWg.Wait() hung until the
caller's 90s context tore the sockets down. Hence 92.00s, and
established==1 because the peer was asleep, not because reconnect was
broken.

Because the advance loop finishes in ~0.6s real, a chaos action firing
late in the virtual window is still mid-handshake when time stops. The
old 120s floor parked the retry outside the window and hid it.

Fix: advance the clock from a goroutine during teardown until both the
simulators and the reactor are down. Real time does not stop while a
system shuts down, and neither may virtual time. runner.go:370 already
warned that session.Run()'s handshake 'cannot complete until the virtual
clock advances'; that requirement just did not survive past the loop.

Verified: 3/3 PASS in 3.70s -- matching 3.69s measured at 8f5f2ff
(2026-07-08, pre-regression) vs 92.00s broken. Full ./internal/chaos/...
tree green; target test 2/2 green under -race. make ze-lint-changed: 0
issues.
parseBracketLeafList stored only the joined scalar mirror (tree.Set),
never the members (tree.SetSlice). Set writes t.values
(tree.go:141-152); SetSlice writes t.multiValues (tree.go:176-181);
GetSlice reads multiValues (tree.go:186-190). Different maps -- so
GetSlice returned nil for EVERY bracket leaf-list, and ToMap emitted the
joined text as one string. Consumers saw '[ a b ]' as the single value
'a b'. The sibling path storeValueOrArray (parser_list.go:414) always
did both; this one just forgot the SetSlice.

Proven, not inferred: the new test run against the unfixed parser gives
  expected: []string{"foo", "bar", "baz"}
  actual  : []string(nil)

Reachable from real config, not just the hand-built schema:
yang_schema.go:319-322 builds a BracketLeafListNode for any leaf
annotated ze:syntax "bracket", and three modules use it --
  ze-iface-conf.yang    address (:266, :354), member (:608), allowed-ips
  (:1004), sysctl-profile (:253)
  ze-vrrp-conf.yang     virtual-address (:54, :163) -- min-elements 1,
  max-elements 16
  exabgp.yang           processes, processes-match

Two production consumers read those back as slices and got nil:
config/graph.go:339 (fam.GetSlice("address")) and
web/page_interfaces.go:157 (familyTree.GetSlice("address")). So an
interface unit could not carry two addresses -- ParseAddr saw the joined
"10.0.0.1/24 10.0.0.2/24" as one value. It stayed invisible because
every config in the tree used exactly one member.

Get() still returns the joined form, so the consumers reading the scalar
mirror are unaffected.

Verified: ./internal/component/config/... ,
./internal/component/bgp/config/ and ./internal/component/iface/ all
green with the fix; the new test FAILS on the unfixed parser (above).
9af30c4 fixed TestPeerTeardownWithdrawsSubscriberRoute but left its
known-failures entry open -- exactly the stale-entry problem this file
warns about, where a resolved red sends the next session hunting.

Closes it, and corrects two claims for the record. It was NOT
load-sensitive and NOT 1-in-3: -race reports the race on the first run,
3/3, alone and in the full package. And it was never a product bug --
SetRouteObserver documents 'MUST be called before Start()'
(reactor_setters.go:106-109) and the sole production caller honours it
(subsystem.go:241 installs, :313 starts). The original diagnosis and
suggested fix were both right; only the severity and framing were off.
TestReactorKernelDisabledReturnsNil asserted require.Nil(t, teardowns)
and had failed deterministically since e231fbf deliberately made the
teardown drain unconditional. The assertion was stale, not the code --
the diagnosis in plan/known-failures.md was correct, and this is the fix
it prescribed.

Producer: collectKernelEventsLocked drains tunnel.pendingKernelTeardowns
and nils the list BEFORE the worker check, then returns (nil, teardowns)
when r.kernelWorker == nil (reactor_kernel.go:19-27). The drain is
deliberately not gated on the worker so the route observer learns of
torn sessions where no kernel worker exists -- the mechanism
TestPeerTeardownWithdrawsSubscriberRoute depends on, i.e. the same
teardown-withdraw path whose -race bug was fixed in 9af30c4.

VERIFIED BY EXECUTION, not by reading. The file is _linux_test.go so it
does not build on this macOS host (go test reports 'no tests to run'),
which is why the entry sat open since 2026-07-10. Run in a golang:1.26
container -- the test is pure logic, no netlink and no privileges, so a
container suffices:

  committed HEAD : FAIL  reactor_kernel_linux_test.go:159:
                         Expected nil, but got:
                         []l2tp.kernelTeardownEvent{{localTID:0x66,
                         localSID:0x9}}
  with the fix   : PASS; full ./internal/component/l2tp/... tree green
  on linux/amd64

0x66/0x9 are exactly the event the test seeds, which confirms the
producer above.

The assertion is REPLACED, not dropped: a stricter require.Equal on the
exact drained event plus a drained-list check, so the test now carries 4
assertions where it carried 3. The surviving assertions (setups nil,
kernelSetupNeeded not cleared) were correct and are kept. Renamed to
TestReactorKernelDisabledSkipsSetupsButStillDrainsTeardowns because
'ReturnsNil' now describes only the setups; leaving the old name would
misdescribe the contract.

Also closes the plan/known-failures.md entry. Like the chaos entry
closed earlier today, this was a DETERMINISTIC red parked in a file
whose own scope rule is non-deterministic failures only.

Verified: make ze-lint-changed 0 issues; GOOS=linux go vet
./internal/component/l2tp/ clean (the darwin lint cannot see a
_linux_test.go).
…updates

Bumps the github-actions group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4` | `7` |
| [actions/setup-go](https://github.com/actions/setup-go) | `5` | `7` |
| [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `6` | `7` |
| [actions/configure-pages](https://github.com/actions/configure-pages) | `5` | `6` |
| [actions/upload-pages-artifact](https://github.com/actions/upload-pages-artifact) | `3` | `5` |
| [actions/deploy-pages](https://github.com/actions/deploy-pages) | `4` | `5` |



Updates `actions/checkout` from 4 to 7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v7)

Updates `actions/setup-go` from 5 to 7
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@v5...v7)

Updates `astral-sh/setup-uv` from 6 to 7
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@v6...v7)

Updates `actions/configure-pages` from 5 to 6
- [Release notes](https://github.com/actions/configure-pages/releases)
- [Commits](actions/configure-pages@v5...v6)

Updates `actions/upload-pages-artifact` from 3 to 5
- [Release notes](https://github.com/actions/upload-pages-artifact/releases)
- [Commits](actions/upload-pages-artifact@v3...v5)

Updates `actions/deploy-pages` from 4 to 5
- [Release notes](https://github.com/actions/deploy-pages/releases)
- [Commits](actions/deploy-pages@v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-go
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: astral-sh/setup-uv
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/configure-pages
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/upload-pages-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/deploy-pages
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant