From 8a675fc7fa3e965416d60cc109784863b604dcd3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Jul 2026 21:59:49 +0000 Subject: [PATCH 1/2] ci: bump the all-actions group across 1 directory with 5 updates Bumps the all-actions group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `6.0.3` | `7.0.0` | | [actions/cache](https://github.com/actions/cache) | `5.0.5` | `6.1.0` | | [actions/cache/save](https://github.com/actions/cache) | `5.0.5` | `6.1.0` | | [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `8.1.0` | `8.3.0` | | [NVIDIA-NeMo/FW-CI-templates/.github/workflows/_semantic_pull_request.yml](https://github.com/nvidia-nemo/fw-ci-templates) | `1.5.1` | `1.7.1` | Updates `actions/checkout` from 6.0.3 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/df4cb1c069e1874edd31b4311f1884172cec0e10...9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0) Updates `actions/cache` from 5.0.5 to 6.1.0 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/27d5ce7f107fe9357f9df03efb73ab90386fccae...55cc8345863c7cc4c66a329aec7e433d2d1c52a9) Updates `actions/cache/save` from 5.0.5 to 6.1.0 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/27d5ce7f107fe9357f9df03efb73ab90386fccae...55cc8345863c7cc4c66a329aec7e433d2d1c52a9) Updates `astral-sh/setup-uv` from 8.1.0 to 8.3.0 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](https://github.com/astral-sh/setup-uv/compare/08807647e7069bb48b6ef5acd8ec9567f424441b...d31148d669074a8d0a63714ba94f3201e7020bc3) Updates `NVIDIA-NeMo/FW-CI-templates/.github/workflows/_semantic_pull_request.yml` from 1.5.1 to 1.7.1 - [Release notes](https://github.com/nvidia-nemo/fw-ci-templates/releases) - [Changelog](https://github.com/NVIDIA-NeMo/FW-CI-templates/blob/main/CHANGELOG.md) - [Commits](https://github.com/nvidia-nemo/fw-ci-templates/compare/d48ee21a4986f7281abf746b7d500880c0e91f41...0aeb3fffafb8917eccdce94fea160557db4bafab) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-actions - dependency-name: actions/cache dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-actions - dependency-name: actions/cache/save dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-actions - dependency-name: astral-sh/setup-uv dependency-version: 8.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions - dependency-name: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_semantic_pull_request.yml dependency-version: 1.7.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/agentic-ci-daily.yml | 6 ++-- .github/workflows/agentic-ci-issue-triage.yml | 2 +- .github/workflows/agentic-ci-pr-review.yml | 4 +-- .github/workflows/build-fern-docs.yml | 12 ++++---- .github/workflows/build-notebooks.yml | 6 ++-- .github/workflows/check-colab-notebooks.yml | 4 +-- .github/workflows/ci.yml | 28 +++++++++---------- .github/workflows/docs-preview.yml | 6 ++-- .github/workflows/health-checks.yml | 4 +-- .github/workflows/publish-fern-devnotes.yml | 8 +++--- .github/workflows/semantic-pull-requests.yml | 2 +- 11 files changed, 41 insertions(+), 41 deletions(-) diff --git a/.github/workflows/agentic-ci-daily.yml b/.github/workflows/agentic-ci-daily.yml index 5b0ca1414..01ec9d162 100644 --- a/.github/workflows/agentic-ci-daily.yml +++ b/.github/workflows/agentic-ci-daily.yml @@ -87,14 +87,14 @@ jobs: fi - name: Checkout main - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: main fetch-depth: 0 - name: Restore runner memory id: cache - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: | .agentic-ci-state @@ -738,7 +738,7 @@ jobs: - name: Save rejected gate state if: always() && (steps.scope_gate.outputs.rejected == 'true' || steps.lockfile_gate.outputs.rejected == 'true') - uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache/save@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: | .agentic-ci-state diff --git a/.github/workflows/agentic-ci-issue-triage.yml b/.github/workflows/agentic-ci-issue-triage.yml index 598d027bb..e0edd028e 100644 --- a/.github/workflows/agentic-ci-issue-triage.yml +++ b/.github/workflows/agentic-ci-issue-triage.yml @@ -38,7 +38,7 @@ jobs: fi - name: Checkout main - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: main diff --git a/.github/workflows/agentic-ci-pr-review.yml b/.github/workflows/agentic-ci-pr-review.yml index eacaec730..96aa66398 100644 --- a/.github/workflows/agentic-ci-pr-review.yml +++ b/.github/workflows/agentic-ci-pr-review.yml @@ -157,7 +157,7 @@ jobs: echo "sha=$SHA" >> "$GITHUB_OUTPUT" - name: Checkout PR branch - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ steps.head.outputs.sha }} fetch-depth: 0 @@ -166,7 +166,7 @@ jobs: # with secrets in scope. Always read them from the base branch so a # fork PR cannot inject malicious instructions or code. - name: Checkout base branch agent files - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ github.event.pull_request.base.sha || 'main' }} sparse-checkout: | diff --git a/.github/workflows/build-fern-docs.yml b/.github/workflows/build-fern-docs.yml index 2178b7323..afcf6c123 100644 --- a/.github/workflows/build-fern-docs.yml +++ b/.github/workflows/build-fern-docs.yml @@ -82,20 +82,20 @@ jobs: contents: write steps: - name: Checkout workflow - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: path: workflow ref: ${{ github.event_name == 'workflow_dispatch' && github.ref || github.event.repository.default_branch }} - name: Checkout source - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 path: source ref: ${{ needs.resolve-release.outputs.source_ref }} - name: Checkout published branch - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 path: website @@ -131,7 +131,7 @@ jobs: python3 workflow/fern/scripts/fern-release-version.py --root website/fern check --version "$RELEASE_TAG" --require-latest-matches-release - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 with: version: "0.9.5" @@ -199,12 +199,12 @@ jobs: FERN_TOKEN: ${{ secrets.DOCS_FERN_TOKEN }} steps: - name: Checkout published branch - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ env.FERN_PUBLISHED_BRANCH }} - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 with: version: "0.9.5" diff --git a/.github/workflows/build-notebooks.yml b/.github/workflows/build-notebooks.yml index 9ac8818ab..602d307ab 100644 --- a/.github/workflows/build-notebooks.yml +++ b/.github/workflows/build-notebooks.yml @@ -30,11 +30,11 @@ jobs: OPENROUTER_API_KEY: ${{ secrets.TEST_OPENROUTER_API_KEY }} steps: - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: ref: ${{ inputs.checkout_ref || github.ref }} - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 with: version: "0.9.5" - name: Set up Python @@ -44,7 +44,7 @@ jobs: - name: Restore notebook cache if: inputs.use_cache id: cache - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: .notebook-cache key: notebooks-${{ hashFiles('docs/notebook_source/*.py') }} diff --git a/.github/workflows/check-colab-notebooks.yml b/.github/workflows/check-colab-notebooks.yml index 7163e3ce0..062ef87fa 100644 --- a/.github/workflows/check-colab-notebooks.yml +++ b/.github/workflows/check-colab-notebooks.yml @@ -20,10 +20,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 with: version: "latest" python-version: "3.11" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1507c0597..28696983f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,10 +46,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 with: version: "latest" python-version: ${{ matrix.python-version }} @@ -78,10 +78,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 with: version: "latest" python-version: ${{ matrix.python-version }} @@ -110,10 +110,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 with: version: "latest" python-version: ${{ matrix.python-version }} @@ -150,10 +150,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 with: version: "latest" python-version: ${{ matrix.python-version }} @@ -189,10 +189,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 with: version: "latest" python-version: ${{ matrix.python-version }} @@ -212,10 +212,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 with: version: "latest" python-version: "3.11" @@ -237,12 +237,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 # Full history needed for file creation dates - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 with: version: "latest" python-version: "3.11" diff --git a/.github/workflows/docs-preview.yml b/.github/workflows/docs-preview.yml index 0debbe810..cf578739f 100644 --- a/.github/workflows/docs-preview.yml +++ b/.github/workflows/docs-preview.yml @@ -36,10 +36,10 @@ jobs: pull-requests: write steps: - name: Checkout repository - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 with: version: "0.9.5" @@ -57,7 +57,7 @@ jobs: fi - name: Checkout published Fern archive - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 path: published-fern-preview diff --git a/.github/workflows/health-checks.yml b/.github/workflows/health-checks.yml index 8787f42a2..2c43b362a 100644 --- a/.github/workflows/health-checks.yml +++ b/.github/workflows/health-checks.yml @@ -17,10 +17,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 with: version: "latest" python-version: "3.11" diff --git a/.github/workflows/publish-fern-devnotes.yml b/.github/workflows/publish-fern-devnotes.yml index b4d7520ad..ffda444b1 100644 --- a/.github/workflows/publish-fern-devnotes.yml +++ b/.github/workflows/publish-fern-devnotes.yml @@ -43,18 +43,18 @@ jobs: FERN_TOKEN: ${{ secrets.DOCS_FERN_TOKEN }} steps: - name: Checkout workflow - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: path: workflow ref: ${{ github.event.repository.default_branch }} - name: Checkout source - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: path: source - name: Checkout published branch - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 path: website @@ -86,7 +86,7 @@ jobs: --metadata-published-branch "$PUBLISHED_BRANCH" - name: Install uv - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + uses: astral-sh/setup-uv@d31148d669074a8d0a63714ba94f3201e7020bc3 # v8.3.0 with: version: "0.9.5" diff --git a/.github/workflows/semantic-pull-requests.yml b/.github/workflows/semantic-pull-requests.yml index ac5747189..218ff5e06 100644 --- a/.github/workflows/semantic-pull-requests.yml +++ b/.github/workflows/semantic-pull-requests.yml @@ -23,4 +23,4 @@ permissions: jobs: semantic-pull-request: - uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_semantic_pull_request.yml@d48ee21a4986f7281abf746b7d500880c0e91f41 # v1.5.1 + uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_semantic_pull_request.yml@0aeb3fffafb8917eccdce94fea160557db4bafab # v1.7.1 From afe08248768d2aa24d596afd32539b96a8103846 Mon Sep 17 00:00:00 2001 From: Andre Manoel Date: Tue, 7 Jul 2026 14:21:03 -0300 Subject: [PATCH 2/2] fix(ci): preserve approved fork PR reviews Signed-off-by: Andre Manoel --- .github/workflows/agentic-ci-daily.yml | 4 ++-- .github/workflows/agentic-ci-pr-review.yml | 2 ++ .github/workflows/build-notebooks.yml | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/agentic-ci-daily.yml b/.github/workflows/agentic-ci-daily.yml index 01ec9d162..1eddd8064 100644 --- a/.github/workflows/agentic-ci-daily.yml +++ b/.github/workflows/agentic-ci-daily.yml @@ -94,7 +94,7 @@ jobs: - name: Restore runner memory id: cache - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: | .agentic-ci-state @@ -738,7 +738,7 @@ jobs: - name: Save rejected gate state if: always() && (steps.scope_gate.outputs.rejected == 'true' || steps.lockfile_gate.outputs.rejected == 'true') - uses: actions/cache/save@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 + uses: actions/cache/save@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: | .agentic-ci-state diff --git a/.github/workflows/agentic-ci-pr-review.yml b/.github/workflows/agentic-ci-pr-review.yml index 96aa66398..9750f3635 100644 --- a/.github/workflows/agentic-ci-pr-review.yml +++ b/.github/workflows/agentic-ci-pr-review.yml @@ -159,6 +159,8 @@ jobs: - name: Checkout PR branch uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: + # Preserve maintainer-approved fork reviews while #804 hardens isolation. + allow-unsafe-pr-checkout: true ref: ${{ steps.head.outputs.sha }} fetch-depth: 0 diff --git a/.github/workflows/build-notebooks.yml b/.github/workflows/build-notebooks.yml index 602d307ab..cd07b6af4 100644 --- a/.github/workflows/build-notebooks.yml +++ b/.github/workflows/build-notebooks.yml @@ -44,7 +44,7 @@ jobs: - name: Restore notebook cache if: inputs.use_cache id: cache - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 with: path: .notebook-cache key: notebooks-${{ hashFiles('docs/notebook_source/*.py') }}