chore(deps): update github actions#3

Closed
renovate[bot] wants to merge 2 commits into main from renovate/github-actions

@renovate renovate bot commented Mar 24, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/create-github-app-token | action | major | v2.2.1 → v3.0.0 |
| anthropics/claude-code-action | action | patch | v1.0.70 → v1.0.77 |
| codecov/codecov-action | action | patch | v5.5.2 → v5.5.3 |
| jdx/mise-action | action | major | v3.6.2 → v4.0.1 |
| slackapi/slack-github-action | action | major | v2.1.1 → v3.0.1 |

Release Notes

actions/create-github-app-token (actions/create-github-app-token)

v3.0.0

Bug Fixes

BREAKING CHANGES
  • Custom proxy handling has been removed. If you use HTTP_PROXY or HTTPS_PROXY, you must now also set NODE_USE_ENV_PROXY=1 on the action step.
  • Requires Actions Runner v2.327.1 or later if you are using a self-hosted runner.

v2.2.2

Bug Fixes

anthropics/claude-code-action (anthropics/claude-code-action)

v1.0.77

Subprocess environment scrubbing for untrusted-input workflows

Workflows that configure allowed_non_write_users now automatically get CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1, which makes Claude Code (v2.1.79+) strip Anthropic and cloud provider credentials from the environment of subprocesses it spawns (Bash tool, hooks, MCP stdio servers). The parent Claude process keeps these vars for its own API calls — only child subprocess environments are scrubbed.

Why: Workflows that process untrusted input (issue triage, PR review from non-write users) are exposed to prompt injection. A malicious issue body could trick Claude into running a Bash command that reads $ANTHROPIC_API_KEY via shell expansion and leaks it through an observable side channel. Scrubbing the subprocess environment removes the read primitive entirely.

What's scrubbed: Anthropic auth tokens, cloud provider credentials, GitHub Actions OIDC and runtime tokens, OTEL auth headers.

What's kept: GITHUB_TOKEN / GH_TOKEN — so wrapper scripts can still call the GitHub API.

Opt out: Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: "0" at the job or step level if your workflow legitimately needs a subprocess to inherit these credentials.

No action required for most users — if you've configured allowed_non_write_users, scrubbing is now on automatically. If your workflow breaks because a subprocess expected inherited credentials, re-inject them explicitly (e.g., via MCP server env: config) or use the opt-out.

What's Changed

Full Changelog: anthropics/claude-code-action@v1.0.76...v1.0.77

v1.0.76

Full Changelog: anthropics/claude-code-action@v1...v1.0.76

v1.0.75

Full Changelog: anthropics/claude-code-action@v1...v1.0.75

v1.0.74

What's Changed

Full Changelog: anthropics/claude-code-action@v1...v1.0.74

v1.0.73

Full Changelog: anthropics/claude-code-action@v1...v1.0.73

v1.0.72

What's Changed

Full Changelog: anthropics/claude-code-action@v1...v1.0.72

v1.0.71

What's Changed

New Contributors

Full Changelog: anthropics/claude-code-action@v1...v1.0.71

codecov/codecov-action (codecov/codecov-action)

v5.5.3

What's Changed

Full Changelog: codecov/codecov-action@v5.5.2...v5.5.3

jdx/mise-action (jdx/mise-action)

v4.0.1: Documentation and Internal Cleanup

A small maintenance release that updates the README documentation to reflect v4 and cleans up internal code. There are no functional changes to the action itself.

Changed
  • Updated all README examples to reference jdx/mise-action@v4, actions/checkout@v6, and current tool versions by @deining in #407 and #408
  • Extracted getCwd() helper to deduplicate working directory resolution logic (internal refactor, no behavior change) by @altendky in #403

New Contributors

Full Changelog: jdx/mise-action@v4.0.0...v4.0.1

v4.0.0

What's Changed

New Contributors

Full Changelog: jdx/mise-action@v3...v4.0.0

v3.6.3

What's Changed

New Contributors

Full Changelog: jdx/mise-action@v3.6.2...v3.6.3

slackapi/slack-github-action (slackapi/slack-github-action)

v3.0.1: Slack GitHub Action v3.0.1

What's Changed

Alongside the breaking changes of @v3.0.0 and a new technique to run Slack CLI commands, we tried the wrong name to publish to the GitHub Marketplace 🐙 This action is now noted as The Slack GitHub Action in listings 🎶 ✨

🎨 Maintenance

Full Changelog: slackapi/slack-github-action@v3.0.0...v3.0.1

v3.0.0: Slack GitHub Action v3.0.0

The @v3.0.0 release had a hiccup on publish and we recommend using @v3.0.1 or a more recent version when updating! Oops!

🎽 Running Slack CLI commands and the active Node runtime, both included in this release 👟 ✨

⚠️ Breaking change: Node.js 24 the runtime

This major version updates the GitHub Actions required runtime to Node.js 24. Most GitHub-hosted runners already include this, but self-hosted runners may need to be updated ahead of planned deprecations of Node 20 on GitHub Actions runners.

📺 Enhancement: Run Slack CLI commands

This release introduces a new technique for running Slack CLI commands directly in GitHub Actions workflows. Use this to install the latest version (or a specific one) of the CLI and execute commands like deploy for merges to main, manifest validate with tests, and other commands.

Gather a token using the following CLI command to store with repo secrets, then get started with an example below:

$ slack auth token

🧪 Validate an app manifest on pull requests

Check that your app manifest is valid before merging changes:

🔗 https://docs.slack.dev/tools/slack-github-action/sending-techniques/running-slack-cli-commands/validate-a-manifest

- name: Validate the manifest
  uses: slackapi/slack-github-action/[email protected]
  with:
    command: "manifest validate --app ${{ vars.SLACK_APP_ID }}"
    token: ${{ secrets.SLACK_SERVICE_TOKEN }}

🚀 Deploy your app on push to main

Automate deployments whenever changes land on your main branch:

🔗 https://docs.slack.dev/tools/slack-github-action/sending-techniques/running-slack-cli-commands/deploy-an-app

- name: Deploy the app
  uses: slackapi/slack-github-action/[email protected]
  with:
    command: "deploy --app ${{ vars.SLACK_APP_ID }} --force"
    token: ${{ secrets.SLACK_SERVICE_TOKEN }}

Any Slack CLI command can be passed through the command option without the "slack" prefix 🍀

The token input accepts a service token for authentication. You can gather this token by running slack auth token with the Slack CLI and storing the value as a repository secret.

The latest Slack CLI version is used by default, but a specific one can be set with the version input.


🏆 Huge thanks to @ewanek1 for explorations and prototypes toward the scripted CLI technique!

For full documentation on the CLI technique, check out the docs and explore the related pages 📚

What's Changed

👾 Enhancements
📚 Documentation
🧰 Maintenance
🎁 Dependencies

👋 New Contributors

Full Changelog: slackapi/slack-github-action@v2.1.1...v3.0.0


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the bot Automated pull requests or issues label Mar 24, 2026
@renovate renovate bot requested a review from olivermeyer as a code owner March 24, 2026 09:46
@renovate renovate bot added dependencies Pull requests that update a dependency file renovate Pull requests from Renovate skip:codecov Skip Codecov reporting and check bot Automated pull requests or issues labels Mar 24, 2026
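
The subprocess environment scrubbing described in the claude-code-action v1.0.77 notes above, sketched in POSIX shell as an added example; it is not code from this PR or from Claude Code. The `SCRUB_VARS` list and the helper names `run_scrubbed` and `audit_child` are assumptions chosen to cover the categories the notes name, and all values are constructed placeholders.

```shell
#!/bin/sh
# Added illustration, not Claude Code's implementation.
# SCRUB_VARS is an assumed sample covering the categories in the release
# notes; the real list is not given on this page.
SCRUB_VARS="ANTHROPIC_API_KEY AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY \
AWS_SESSION_TOKEN ACTIONS_ID_TOKEN_REQUEST_TOKEN ACTIONS_RUNTIME_TOKEN \
OTEL_EXPORTER_OTLP_HEADERS"

# run_scrubbed CMD [ARGS...]
# Run CMD with every SCRUB_VARS name removed from its environment. The unset
# happens in a subshell, so the calling (parent) shell keeps its credentials.
run_scrubbed() {
  (
    for name in $SCRUB_VARS; do
      unset "$name"
    done
    exec "$@"
  )
}

# audit_child [LAUNCHER...]
# Spawn a child through LAUNCHER (none = plain inheritance) and print the
# SCRUB_VARS names that child can still read. Empty output means clean.
audit_child() {
  "$@" sh -c '
    for n in "$@"; do
      if printenv "$n" >/dev/null; then echo "$n"; fi
    done' sh $SCRUB_VARS
}

# Constructed placeholder values, not real credentials.
export ANTHROPIC_API_KEY="constructed-anthropic-key"
export AWS_SECRET_ACCESS_KEY="constructed-aws-secret"
export GITHUB_TOKEN="constructed-github-token"

echo "plain child can read:    $(audit_child | tr '\n' ' ')"
echo "scrubbed child can read: $(audit_child run_scrubbed | tr '\n' ' ')"
# GITHUB_TOKEN is deliberately not in SCRUB_VARS, so wrappers still get it.
run_scrubbed sh -c 'echo "scrubbed child GITHUB_TOKEN: ${GITHUB_TOKEN:-unset}"'
```

A denylist like this only removes the names it knows about; starting the child from an empty environment with `env -i` and passing through named variables is the stricter variant.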