Skip to content

chore(deps): bump softprops/action-gh-release from 3.0.0 to 3.0.1 in the actions-minor-and-patch group across 1 directory#3

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/actions-minor-and-patch-183c542dec
Closed

chore(deps): bump softprops/action-gh-release from 3.0.0 to 3.0.1 in the actions-minor-and-patch group across 1 directory#3
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/actions-minor-and-patch-183c542dec

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 21, 2026

Copy link
Copy Markdown

Bumps the actions-minor-and-patch group with 1 update in the / directory: softprops/action-gh-release.

Updates softprops/action-gh-release from 3.0.0 to 3.0.1

Release notes

Sourced from softprops/action-gh-release's releases.

v3.0.1

3.0.1

  • maintenance release with updated dependencies
Changelog

Sourced from softprops/action-gh-release's changelog.

3.0.1

  • maintenance release with updated dependencies

3.0.0

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24. Use v3 on GitHub-hosted runners and self-hosted fleets that already support the Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on v2.6.2.

What's Changed

Other Changes 🔄

  • Move the action runtime and bundle target to Node 24
  • Update @types/node to the Node 24 line and allow future Dependabot updates
  • Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

2.6.2

What's Changed

Other Changes 🔄

2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

... (truncated)

Commits
  • 718ea10 release 3.0.1
  • f1a938b chore(deps): bump esbuild from 0.28.0 to 0.28.1 (#802)
  • 0066ead chore(deps): bump vite from 8.0.14 to 8.0.16 (#806)
  • dc643ca chore(deps): bump the npm group with 3 updates (#805)
  • 85ee99b chore(deps): bump actions/checkout in the github-actions group (#804)
  • 9ed3cf9 chore(deps): bump the npm group with 2 updates (#800)
  • 3efcac8 chore(deps): bump the npm group with 3 updates (#798)
  • 05d6b91 chore(deps): bump brace-expansion from 5.0.5 to 5.0.6 (#797)
  • 403a524 chore(deps): bump @​types/node from 24.12.2 to 24.12.3 in the npm group (#796)
  • 437e073 chore(deps): bump the npm group with 4 updates (#792)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 21, 2026
jahala added a commit that referenced this pull request Jun 23, 2026
…ean room, subscription/API dual-auth (#15)

* fix(docs+tend): correct stale corpus counts (16->58), re-audit features, runnable smoke fixtures

Tend reconciliation after the #52 control-set + #13 fixes. The audit sweep
surfaced real drift, not just stale evidence SHAs:

- docs: known-limitations.md + methodology.md claimed the corpus is "16 tasks
  (11 of 16 from SWE-QA)" -- it is 52 measured + 6 control = 58, dominated by
  the tilth benchmark (36/52). Corrected the counts, the source-family table,
  and the concentration framing (these are user-facing, README/site-linked).
- tend: re-verified copeca-analysis-reporting, copeca-artifact-integrity and
  copeca-cost-model at HEAD with fresh evidence (tests + discriminating
  negctrl + green smokes); copeca-docs-and-init left honestly partial (manual
  onboarding check). Recorded coverage drift (Ed25519 signing + the #52
  control/tool-validity report behavior are uncovered by any check).
- smoke fixtures: the analysis + integrity smokes pointed at gitignored paths
  (results/bench.jsonl, scenarios/smoke_test.yaml) and had never run green.
  Added committed fixtures (tests/fixtures/sample_report_records.jsonl,
  sample_artifact.copeca.zip) and repointed both smokes -- now passing.
- test_contamination_check provenance floor 16 -> 58.
- .claude/CLAUDE.md: documented the benchmark run procedure (was tend-only).

Full suite green (664 passed). Follow-ups filed: worktree concurrency (so runs
can parallelize) + tend coverage drift for Ed25519/#52/new-task.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs(tend): describe robust run-execution design (scenario-matrix + single-run)

Per docs/plans/run-execution-robustness.md. Rewrote copeca-scenario-matrix and
copeca-single-run slots/narratives/checks to the approved design (per-worker
isolated clones, streaming persistence, lockless concurrency, real teardown +
child cleanup) and removed the phantom claims (state.py, "SIGKILL -> git worktree
remove", broken-concurrency rationale). Both now carry checks that verify the new
behavior; audits auto-invalidated (in-progress) until the build lands.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* feat(run): stream results to disk as they complete (RUN-A)

run_matrix gains an on_record sink, called for each record (success OR error) as
it completes, in addition to the returned list. The dead results_path param is
removed — I/O cannot live in the orchestrator (architecture.md §7.8). cli.py
truncates the results file fresh at start, then injects a _persist sink
(append_jsonl + divergence warning): records hit disk live, so an interrupted run
keeps completed work and `copeca analyze` works mid-run. 12 call-sites updated.

New tests (TestStreamingPersistence): per-record streaming + a mid-run-interrupt
test proving completed records survive. Satisfies copeca-scenario-matrix c003.
Full suite green (666).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* feat(run): per-worker isolated clones replace shared-bare worktrees (RUN-CLONE)

GitWorktreeManager now gives each work-item its OWN independent clone (git clone
--no-hardlinks from a cached bare) instead of a git worktree off a shared bare.
Eliminates two problems at once: (1) cross-task git visibility — an agent's
`git log --all` can no longer see another task's mutation commits (acute for
debug tasks built on planted history); (2) index.lock contention — independent
clones share no index, so max_workers>1 is collision-free with no locking (the
lock now guards only first-time bare-clone creation). Added remove_worktree (the
real teardown the arch doc named); run_single's finally removes the clone instead
of resetting it. Dead git-worktree helpers removed; reset() kept (still used by
check.py + cli.py).

New tests/repos/test_clone_isolation.py: isolation (commit in clone A invisible to
clone B), removal, lockless 4-way concurrency — all RED under the old model.
Satisfies copeca-scenario-matrix c002/c004 + copeca-single-run c003. 669 green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* feat(run): kill in-flight agents + stop new work on interrupt (RUN-E)

A SIGINT/SIGTERM handler (cli.py) now request_abort()s and group-kills every
in-flight agent on interruption, so an aborted run leaves no orphaned agent or
MCP-server processes. subprocess.py keeps a thread-safe registry of live process
groups (registered around each run; killed by terminate_active_process_groups);
run_matrix clears the abort flag at start and _run_one_work_item bails BEFORE
spawning when aborted — queued work stops instantly (surfaced as aborted error
records), and completed records are already on disk via RUN-A.

Tests: registry lifecycle, group-kill incl. children, timeout group-kill leaves
no orphan (copeca-single-run c004), abort API, abort-bails-before-spawn
(copeca-scenario-matrix c005). 674 green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs(tend): re-audit scenario-matrix + single-run as verified (RUN-VERIFY)

Both run-execution features re-verified against the robust design built in RUN-A/
CLONE/E. Evidence: their check-tests pass (proof of execution), every new check is
test-first RED→GREEN this session (discrimination), a streaming negctrl
DISCRIMINATES, and the live full-haiku re-run validates the pipeline on real data
(parallel — 5 agents / 4 clones, streaming — jsonl grows live, 0 index.lock
collisions). scenario-matrix c001-c005 + single-run c001-c004 all pass; status
verified.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* feat(isolation): cross-CLI clean room — descriptor, bring-your-own-home, two-lock isolation, provenance

Builds the run-isolation feature (ISO-1..9): every benchmark run executes in a
verifiable clean room across Claude Code, Codex, and Gemini CLI.

- ISO-1 IsolationSpec descriptor on RunnerConfig (per-CLI clean-room data)
- ISO-2 bring-your-own-home: a private throwaway HOME per arm (baseline included);
  zero host-config footprint; provider API-key preflight
- ISO-3/4/5 per-CLI descriptors: claude (--strict-mcp-config + --no-session-persistence
  + disable CLAUDE.md/telemetry), codex (--ignore-user-config + -c mcp overrides,
  absorbs SD-L2), gemini (new runner + gemini_json parser + pricing; fresh GEMINI_CLI_HOME)
- ISO-6 pre-run workdir ambient-file scan (Lock 2a) — refuse contaminated worktrees
- ISO-7 post-hoc symmetric trace gate (Lock 2b) — fail any baseline that used the
  tool-under-test; exclude it from the delta
- ISO-8 version provenance (tool + CLI version per record) + multi-version preflight
  warning + declared tool-under-test identity (hardens the gate)
- ISO-9 hermetic clean-room proof for all three CLIs

Architecture: docs/architecture.md §13. Two audit-caught leaks fixed test-first
(temp-home on mode-setup failure; clone on CONTAMINATED_WORKDIR refusal).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs(isolation): architecture §13 clean-room design + research + epic plan

- architecture.md §13 (isolation contract, two locks, per-CLI descriptor, version
  provenance) + tightened invariant #3, the Isolated row, and the Docker non-goal
- runner-configuration.md: the isolation: descriptor block
- docs/plans/cross-cli-isolation.md: the epic plan + settled decisions (D1/D2/D3)
- docs/research/cross-cli-isolation/findings.md: per-CLI matrix + prior art
  (force-added; docs/research/ is gitignored repo-wide)
- .claude/CLAUDE.md: modes / tilth-version (absolute cargo path) note

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs(tend): run-isolation feature + correct the mode-mechanism baseline-clean claim

- new run-isolation feature (7 checks, 9 steps) wired to personas + the
  contamination-erodes-trust opportunity
- copeca-mode-mechanism: corrected the now-false "isolation in validation.py
  prevents host inheritance" narrative (the lie the audit had trusted)
- persona/opportunity + garden overview refresh

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(lint): clear pre-existing ruff errors blocking CI (F841, E501)

Drop an unused `result` (check=True already guards) and wrap a >100-char
docstring — both pre-existing from the run-robustness work, surfaced by the
full-repo lint gate.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore(scenarios): full-corpus haiku + check-tilth validation scenarios

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* feat(isolation): subscription-default dual-auth profiles (AUTH-1)

A global API key was found to hijack the operator's own Claude Code (it switched
to an empty API account → "Credit balance is too low"). So subscription auth is
now the DEFAULT and an API key is opt-in, via two isolation profiles auto-selected
by the provider key's presence:

- SUBSCRIPTION (default): keep the host HOME so claude -p / codex / gemini use
  their existing login; apply only the flag/env neutralizers; DROP all provider
  key env vars from the child env so a stale/dead key cannot shadow the login.
- API-KEY (opt-in): the private-home hermetic profile + the metered key.

The post-hoc trace gate (Lock 2) guarantees A/B validity in BOTH profiles, so the
private home is not required for correctness — host settings apply symmetrically
to both arms and cancel in the delta.

- IsolationSpec.requires_api_key_env -> api_key_env (presence selects the profile)
- ArmHarness.exclude_keys + _build_child_env(exclude=...) drop the provider keys
  so a stale key never shadows the subscription login
- architecture.md §13.2 rewritten for the two profiles; runner-configuration.md updated

857 tests green; ruff clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* feat(auth): surface CLI auth/budget errors + scenario fail-fast (AUTH-3); document auth model (AUTH-2)

AUTH-3: the Claude stream-json parser now surfaces a result event's is_error
(auth "Not logged in", budget exhaustion, API errors) as RunResult.error — so it
is excluded from metrics + listed under Failed Runs, never silently graded as a
wrong answer (exit 0 + is_error previously slipped past SD-B). run_matrix fails
fast (reusing the RUN-E abort) when a run reports an auth/credit signature, so a
whole scenario cannot burn on doomed "Not logged in" runs.

AUTH-2 (docs): .claude/CLAUDE.md auth knob — subscription is the default, API is
opt-in, and the key must NEVER be set globally (it hijacks the operator's own
Claude Code: "Credit balance is too low"); use a scoped `source ~/.copeca.env`.
Also corrected the stale "max_workers MUST be 1" knob — RUN-CLONE's per-item
independent clones make >1 safe.

864 tests green; ruff clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@dependabot dependabot Bot changed the title chore(deps): bump softprops/action-gh-release from 3.0.0 to 3.0.1 in the actions-minor-and-patch group chore(deps): bump softprops/action-gh-release from 3.0.0 to 3.0.1 in the actions-minor-and-patch group across 1 directory Jun 28, 2026
Bumps the actions-minor-and-patch group with 1 update in the / directory: [softprops/action-gh-release](https://github.com/softprops/action-gh-release).


Updates `softprops/action-gh-release` from 3.0.0 to 3.0.1
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@b430933...718ea10)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: 3.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions-minor-and-patch-183c542dec branch from 6678e0f to 3b1b83d Compare June 28, 2026 06:04
@dependabot dependabot Bot requested a review from jahala as a code owner June 28, 2026 06:04
@dependabot @github

dependabot Bot commented on behalf of github Jul 5, 2026

Copy link
Copy Markdown
Author

Looks like softprops/action-gh-release is updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 5, 2026
@dependabot dependabot Bot deleted the dependabot/github_actions/actions-minor-and-patch-183c542dec branch July 5, 2026 06:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants