Skip to content

Bump softprops/action-gh-release from 26994186c0ac3ef5cae75ac16aa32e8153525f77 to de2c0eb89ae2a093876385947365aca7b0e5f844#80

Merged
wesm merged 1 commit intomainfrom
dependabot/github_actions/softprops/action-gh-release-de2c0eb89ae2a093876385947365aca7b0e5f844
Feb 5, 2026
Merged

Bump softprops/action-gh-release from 26994186c0ac3ef5cae75ac16aa32e8153525f77 to de2c0eb89ae2a093876385947365aca7b0e5f844#80
wesm merged 1 commit intomainfrom
dependabot/github_actions/softprops/action-gh-release-de2c0eb89ae2a093876385947365aca7b0e5f844

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 5, 2026

Bumps softprops/action-gh-release from 26994186c0ac3ef5cae75ac16aa32e8153525f77 to de2c0eb89ae2a093876385947365aca7b0e5f844.

Changelog

Sourced from softprops/action-gh-release's changelog.

2.5.0

What's Changed

Exciting New Features 🎉

Other Changes 🔄

  • dependency updates

2.4.2

What's Changed

Exciting New Features 🎉

Other Changes 🔄

  • dependency updates

2.4.1

What's Changed

Other Changes 🔄

2.4.0

What's Changed

Exciting New Features 🎉

2.3.4

What's Changed

Bug fixes 🐛

Other Changes 🔄

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump softprops/action-gh-release
f56bd68 
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 26994186c0ac3ef5cae75ac16aa32e8153525f77 to de2c0eb89ae2a093876385947365aca7b0e5f844.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@2699418...de2c0eb)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: de2c0eb89ae2a093876385947365aca7b0e5f844
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Feb 5, 2026
@dependabot dependabot bot requested a review from wesm as a code owner February 5, 2026 21:53
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Feb 5, 2026
github-actions[bot]
github-actions bot reviewed Feb 5, 2026
View reviewed changes
.github/workflows/release.yml

- name: Create Release
uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
Copy link

@github-actions github-actions bot Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 GitHub Actions dependency changed to unverified commit SHA (high severity)

The softprops/action-gh-release action was updated to a new commit SHA (de2c0eb89ae2a093876385947365aca7b0e5f844). This change must be verified to ensure it's a legitimate update from the upstream repository and not a malicious commit. The new SHA should be cross-referenced with the official softprops/action-gh-release repository tags/releases. If this is a downgrade or points to an unofficial fork, it could introduce supply chain vulnerabilities that access GITHUB_TOKEN and release artifacts containing the msgvault binary.

Automated security review by Claude 4.5 Sonnet - Human review still required

@github-actions
Copy link

github-actions bot commented Feb 5, 2026

Security Review: 1 High/Medium Issue Found

Claude's automated security review identified potential security concerns. Please review the inline comments.

Note: This is an automated review. False positives are possible. Please review each issue carefully and use your judgment.

Powered by Claude 4.5 Sonnet

@wesm wesm merged commit aecffc8 into main Feb 5, 2026
3 checks passed
@dependabot dependabot bot deleted the dependabot/github_actions/softprops/action-gh-release-de2c0eb89ae2a093876385947365aca7b0e5f844 branch February 5, 2026 22:19
wesm pushed a commit to robelkin/msgvault that referenced this pull request Feb 7, 2026
@dependabot @wesm
Bump softprops/action-gh-release from 26994186c0ac3ef5cae75ac16aa32e8…
bf19468 
…153525f77 to de2c0eb89ae2a093876385947365aca7b0e5f844 (wesm#80)

Bumps
[softprops/action-gh-release](https://github.com/softprops/action-gh-release)
from 26994186c0ac3ef5cae75ac16aa32e8153525f77 to
de2c0eb89ae2a093876385947365aca7b0e5f844.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md">softprops/action-gh-release's
changelog</a>.</em></p>
<blockquote>
<h2>2.5.0</h2>
<h2>What's Changed</h2>
<h3>Exciting New Features 🎉</h3>
<ul>
<li>feat: mark release as draft until all artifacts are uploaded by <a
href="https://github.com/dumbmoron"><code>@​dumbmoron</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/692">softprops/action-gh-release#692</a></li>
</ul>
<h3>Other Changes 🔄</h3>
<ul>
<li>dependency updates</li>
</ul>
<h2>2.4.2</h2>
<h2>What's Changed</h2>
<h3>Exciting New Features 🎉</h3>
<ul>
<li>feat: Ensure generated release notes cannot be over 125000
characters by <a
href="https://github.com/BeryJu"><code>@​BeryJu</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/684">softprops/action-gh-release#684</a></li>
</ul>
<h3>Other Changes 🔄</h3>
<ul>
<li>dependency updates</li>
</ul>
<h2>2.4.1</h2>
<h2>What's Changed</h2>
<h3>Other Changes 🔄</h3>
<ul>
<li>fix(util): support brace expansion globs containing commas in
parseInputFiles by <a
href="https://github.com/Copilot"><code>@​Copilot</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/672">softprops/action-gh-release#672</a></li>
<li>fix: gracefully fallback to body when body_path cannot be read by <a
href="https://github.com/Copilot"><code>@​Copilot</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/671">softprops/action-gh-release#671</a></li>
</ul>
<h2>2.4.0</h2>
<h2>What's Changed</h2>
<h3>Exciting New Features 🎉</h3>
<ul>
<li>feat(action): respect working_directory for files globs by <a
href="https://github.com/stephenway"><code>@​stephenway</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/667">softprops/action-gh-release#667</a></li>
</ul>
<h2>2.3.4</h2>
<h2>What's Changed</h2>
<h3>Bug fixes 🐛</h3>
<ul>
<li>fix(action): handle 422 already_exists race condition by <a
href="https://github.com/stephenway"><code>@​stephenway</code></a> in <a
href="https://redirect.github.com/softprops/action-gh-release/pull/665">softprops/action-gh-release#665</a></li>
</ul>
<h3>Other Changes 🔄</h3>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/softprops/action-gh-release/compare/26994186c0ac3ef5cae75ac16aa32e8153525f77...de2c0eb89ae2a093876385947365aca7b0e5f844">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@wesm wesm Awaiting requested review from wesm wesm is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@wesm