Conversation
📝 WalkthroughWalkthroughGitHub Actions commit-SHA pins were updated across multiple workflows (.github/workflows/build.yml, ci.yml, check-release.yml, prep-release.yml, publish-release.yml, update-integration-tests.yml). Updated actions include actions/checkout, setup-node, setup-python, jupyterlab/maintainer-tools (base-setup, update-snapshots), qlty-action/install, codecov actions, and several release-related actions. Public version tags remained the same and workflow control flow and steps were not modified; the only functional input addition noted is populate-release now accepting Sequence Diagram(s)Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. 📝 Coding Plan
Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #70 +/- ##
=======================================
Coverage 69.56% 69.56%
=======================================
Files 13 13
Lines 253 253
Branches 28 28
=======================================
Hits 176 176
Misses 73 73
Partials 4 4 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
7ac98cb to
a1f63c6
Compare
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
a1f63c6 to
9ead0be
Compare
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
9ead0be to
a349898
Compare
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
a349898 to
44933d6
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (6)
.github/workflows/build.yml(3 hunks).github/workflows/check-release.yml(2 hunks).github/workflows/ci.yml(6 hunks).github/workflows/prep-release.yml(1 hunks).github/workflows/publish-release.yml(2 hunks).github/workflows/update-integration-tests.yml(3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: check_release
- GitHub Check: build
🔇 Additional comments (10)
.github/workflows/prep-release.yml (1)
32-32: Action SHA update verified for consistency.The base-setup action is correctly updated with proper version tag alignment. This aligns with updates across other workflows.
.github/workflows/build.yml (3)
19-19: Checkout action SHA correctly updated with version alignment.SHA
93cb6efmaps to v5, matching the inline version comment.
22-22: Base-setup action SHA consistent across all references.Both instances use SHA
7a3e704with v1 tag maintained.Also applies to: 96-96
187-187: Check-links action shares same SHA as base-setup.Both reference
7a3e704, suggesting they're from the same release commit. Verify this is intentional behavior by the maintainer-tools project..github/workflows/publish-release.yml (2)
29-29: Checkout and base-setup actions maintain version consistency.SHAs align with previously reviewed updates across other workflows.
Also applies to: 39-39
41-41: Verify create-github-app-token SHA is valid for v2.SHA
7e473effor v2 should be cross-checked against GitHub's official action repository to confirm it corresponds to an expected v2 release..github/workflows/update-integration-tests.yml (1)
32-32: All action SHAs correctly updated with maintained version tags.Consistent with updates across other workflows: checkout v5, base-setup and update-snapshots both v1 with shared SHA
7a3e704.Also applies to: 72-72, 83-83
.github/workflows/check-release.yml (1)
20-20: Action SHAs align with coordinated updates across the repository.Checkout v5 and base-setup v1 follow the established pattern from other workflows.
Also applies to: 31-31
.github/workflows/ci.yml (2)
26-26: Checkout actions consistently updated across all jobs.All 6 instances of
actions/checkoutcorrectly point to SHA93cb6efwith v5 tag.Also applies to: 45-45, 69-69, 93-93, 116-116, 131-131
48-48: Base-setup actions consistently pinned across all jobs.All instances use SHA
7a3e704with v1 tag—consistent with other workflow files.Also applies to: 72-72, 96-96, 118-118, 134-134
.github/workflows/ci.yml
Outdated
|
|
||
| - name: Install qlty | ||
| uses: qltysh/qlty-action/install@92420f3093ba65970fed22ce5f162ecb8a5c1700 | ||
| uses: qltysh/qlty-action/install@c1d9ae56aba737dfb3c83921007a2610f1dad51c |
There was a problem hiding this comment.
🧩 Analysis chain
Script executed:
#!/bin/bash
# Read the CI workflow file to see the full context
cat -n .github/workflows/ci.yml | head -50Repository: deepnote/jupyterlab-deepnote
<shell_result>
Repository: deepnote/jupyterlab-deepnote
Exit code: 0
stdout:
1 name: CI
2
3 on:
4 push:
5 branches:
6 - main
7 pull_request:
8
9 concurrency:
10 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
11 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
12
13 permissions:
14 contents: read
15 pull-requests: read
16 packages: read
17
18 jobs:
19 qlty:
20 name: Qlty Check
21 runs-on: ubuntu-latest
22 timeout-minutes: 3
23
24 steps:
25 - name: Checkout code
26 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
27 with:
28 fetch-depth: 0
29
30 - name: Install qlty
31 uses: qltysh/qlty-action/install@c1d9ae56aba737dfb3c83921007a2610f1dad51c
32
33 - name: Run qlty check
34 run: qlty check
35
36 - name: Run qlty code smells analysis
37 run: qlty smells
38
39 lint-and-format:
40 name: Lint & Format
41 runs-on: ubuntu-latest
42 timeout-minutes: 15
43 steps:
44 - name: Checkout
45 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
46
47 - name: Base Setup
48 uses: jupyterlab/maintainer-tools/.github/actions/base-setup@7a3e70473eff6cce4988f449decedc61d1304379 # v1
49
50 - name: Install dependencies
</shell_result>
qltysh/qlty-action GitHub repository commit c1d9ae56aba737dfb3c83921007a2610f1dad51c
<web_search_result>
I couldn't find any public GitHub commit with hash c1d9ae56aba737dfb3c83921007a2610f1dad51c in the qltysh/qlty-action repository. The repository’s public page (commit history and tags) shows recent activity but that specific commit hash does not appear. [1]
If you want, I can (a) open the repository’s full commit history and look again, (b) check whether that commit exists on another branch or a fork, or (c) fetch the raw commit URL you gave and show the page contents — which one do you prefer? [1]
Sources:
[1] qltysh/qlty-action (GitHub repository).
</web_search_result>
qltysh/qlty-action install action GitHub
<web_search_result>
You can install the Qlty CLI in a GitHub Actions workflow using the reusable install action at qltysh/qlty-action/install. Example (use the latest tag, e.g. v2):
- uses: qltysh/qlty-action/install@v2
A minimal workflow example:
- uses: actions/checkout@v3
- uses: qltysh/qlty-action/install@v2
- run: qlty --version # verify installation
(Then run qlty commands like qlty check, qlty fmt, or upload coverage with qltysh/qlty-action/coverage.)
Sources: qlty-action README (actions list and install action). [1] Qlty CI docs (GitHub Actions integration / coverage example). [2]
Sources:
[1] https://github.com/qltysh/qlty-action — README / Actions list.
[2] https://docs.qlty.sh/coverage/ci — CI integration (GitHub Actions example).
</web_search_result>
Based on my verification, I have found that:
-
Missing version comment is confirmed: Other actions in the same file (lines 26, 45, 48) all have version comments (e.g.,
# v5,# v1), while line 31 lacks one. -
SHA verification issue is real: The SHA
c1d9ae56aba737dfb3c83921007a2610f1dad51cdoes not appear in the public qltysh/qlty-action repository's commit history. -
Best practice violation: Official documentation for qltysh/qlty-action recommends using semantic version tags (e.g.,
@v2) rather than commit SHAs.
The original review comment is valid and identifies genuine issues. Here is the rewritten comment:
Add version tag comment and verify action reference.
Line 31 lacks a version comment unlike other actions in this workflow (see lines 26, 45, 48 with # v5, # v1, etc.). Additionally, the referenced SHA c1d9ae56aba737dfb3c83921007a2610f1dad51c does not appear in the public qltysh/qlty-action repository. Consider using a semantic version tag (e.g., @v2) with a corresponding comment for consistency and maintainability.
🤖 Prompt for AI Agents
.github/workflows/ci.yml around line 31: the action reference uses a raw SHA
without the version comment used elsewhere and the SHA does not match the public
repo; replace the SHA with the appropriate semantic version tag (e.g., @v2) and
add a trailing inline comment like "# v2" to match the other entries, and verify
the chosen tag exists in the qltysh/qlty-action repository before committing.
9a68fdb to
5ab7043
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (1)
.github/workflows/ci.yml (1)
31-31: qlty-action reference lacks version comment and requires SHA verification.Line 31 omits the version comment pattern used consistently elsewhere (lines 26, 45, 69, 93, 116, 131 all include
# v5or# v1). Additionally, the SHAc1d9ae5...was previously flagged as not appearing in the public qltysh/qlty-action repository.Verify the qlty-action SHA validity and add an appropriate version comment (e.g.,
# v2) to match the pattern.#!/bin/bash # Verify qlty-action SHA exists and is accessible gh api repos/qltysh/qlty-action/commits/c1d9ae56aba737dfb3c83921007a2610f1dad51c --jq '.sha' 2>/dev/null || echo "SHA not found in public repo" # Check latest tags/releases to identify correct version gh api repos/qltysh/qlty-action/releases --jq '.[0:5] | .[] | "\(.tag_name): \(.target_commitish)"'
📜 Review details
Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (6)
.github/workflows/build.yml(3 hunks).github/workflows/check-release.yml(1 hunks).github/workflows/ci.yml(6 hunks).github/workflows/prep-release.yml(1 hunks).github/workflows/publish-release.yml(2 hunks).github/workflows/update-integration-tests.yml(3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: build
- GitHub Check: check_release
🔇 Additional comments (10)
.github/workflows/prep-release.yml (1)
32-32: Action SHA updates are consistent and properly annotated.Both external action references have been updated with version comments intact. Changes align with the PR objectives.
Also applies to: 36-36
.github/workflows/ci.yml (2)
26-26: Checkout action updates are consistent and properly annotated.All six instances of actions/checkout have been updated to SHA 93cb6efe... with the
# v5version comment preserved.Also applies to: 45-45, 69-69, 93-93, 116-116, 131-131
48-48: Base-setup action updates are consistent and properly annotated.All five instances of jupyterlab/maintainer-tools base-setup have been updated to SHA d734fad... with the
# v1version comment preserved.Also applies to: 72-72, 96-96, 118-118, 134-134
.github/workflows/update-integration-tests.yml (1)
32-32: Action SHA updates are consistent and properly annotated.All three external actions (checkout, base-setup, update-snapshots) have been updated with version comments intact. Both maintainer-tools actions correctly reference the same SHA.
Also applies to: 72-72, 83-83
.github/workflows/build.yml (3)
19-19: Checkout and base-setup updates are consistent.Both actions updated with version comments preserved.
Also applies to: 22-22
185-187: Check-links job action updates are consistent.All three actions (checkout, base-setup, check-links) properly updated with version comments.
96-96: No compatibility concerns with actions/setup-python v6.The v6 upgrade is compatible with this workflow. The only breaking change is the Node.js runtime upgrade (20→24), which requires runner v2.327.1+ but does not affect Python installation, caching, or downstream steps. Python 3.9 installation works without issues, and the workflow's standard invocation pattern remains fully supported.
.github/workflows/check-release.yml (2)
20-20: Checkout, base-setup, and check-release updates are consistent.All actions properly updated with version comments. Consistent with other workflow files.
Also applies to: 31-31, 34-34
23-23: Review always-auth removal in actions/setup-node v6.v6 has breaking changes:
- The
always-authinput was removed (npm deprecated it). Remove anywith: always-auth: true/falsefrom the workflow.- Automatic dependency caching is now npm-only; if using other package managers or explicit cache configuration, verify it's still set up correctly.
- Registry authentication via
NODE_AUTH_TOKENandregistry-url/scopeinputs remains compatible—no changes needed there.Node 22.x installation and basic NPM operations work without issues on v6.
.github/workflows/publish-release.yml (1)
29-29: Action updates are consistent and properly annotated.Checkout, base-setup, create-github-app-token, and releaser actions all properly updated with version comments. Changes align with PR objectives.
Also applies to: 39-39, 41-41, 49-49, 60-60
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 | ||
| uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
actions/setup-node v6 breaking changes compared to v5
💡 Result:
Summary of breaking changes from actions/setup-node v5 → v6:
-
Automatic caching behavior changed:
- v5: enabled automatic package-manager detection and caching by default when no explicit cache input provided. [1][2]
- v6: automatic caching is limited to npm only (caching for yarn/pnpm is disabled by default and must be configured explicitly). You can control this with the package-manager-cache input. [1][3]
-
Removal of deprecated input:
- v6 removes the always-auth input (it was deprecated). Remove any uses of always-auth to avoid warnings/errors. [3]
Sources:
- Release notes (v5, v6) — actions/setup-node releases. [1][2]
- README / documentation (caching details and removed inputs). [3]
References:
[1] actions/setup-node release v5.0.0.
[2] actions/setup-node release v6.0.0.
[3] actions/setup-node README / documentation on caching and inputs.
🏁 Script executed:
cat -n .github/workflows/publish-release.ymlRepository: deepnote/jupyterlab-deepnote
Length of output: 3182
Remove always-auth: true — no longer supported in actions/setup-node v6.
Line 37 uses the deprecated always-auth input, which was removed in v6. This will cause the setup-node step to fail or emit errors. Remove line 37. The registry-url and scope inputs (lines 35–36) work correctly in v6, and Node 22.x is fully supported.
🤖 Prompt for AI Agents
In .github/workflows/publish-release.yml around lines 32–37, the
actions/setup-node step is using the removed always-auth input (line 37); remove
the always-auth: true line so the workflow uses setup-node v6 correctly while
keeping registry-url and scope inputs on lines 35–36 unchanged; ensure no other
references to always-auth remain in the file and commit the updated workflow.
5ab7043 to
3731938
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (2)
.github/workflows/ci.yml (1)
31-31: Unresolved from prior review: Add version tag comment and verify action reference.Line 31 lacks a version comment unlike other actions in this workflow, and the referenced SHA does not appear in the qltysh/qlty-action public repository. Consider switching to a semantic version tag (e.g.,
@v2) with a version comment for consistency and maintainability..github/workflows/publish-release.yml (1)
32-37: Unresolved from prior review: Removealways-auth: true— deprecated in actions/setup-node v6.Line 37 uses the deprecated
always-authinput, removed in v6. This will cause workflow failures. Remove the line;registry-urlandscopeinputs function correctly in v6.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (6)
.github/workflows/build.yml(3 hunks).github/workflows/check-release.yml(1 hunks).github/workflows/ci.yml(6 hunks).github/workflows/prep-release.yml(1 hunks).github/workflows/publish-release.yml(2 hunks).github/workflows/update-integration-tests.yml(3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: check_release
- GitHub Check: build
.github/workflows/check-release.yml
Outdated
| uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 | ||
| with: | ||
| cache: 'npm' | ||
| node-version: ${{ env.NODE_VERSION }} | ||
| registry-url: 'https://npm.pkg.github.com' | ||
| scope: '@deepnote' | ||
| always-auth: true |
There was a problem hiding this comment.
Remove always-auth: true — deprecated in actions/setup-node v6.
Line 29 uses the always-auth input, which was removed in v6. This will cause workflow failures. Remove the line; the cache, node-version, registry-url, and scope inputs function correctly in v6.
Apply this diff to remove the deprecated input:
- name: Setup Node.js
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
with:
cache: 'npm'
node-version: ${{ env.NODE_VERSION }}
registry-url: 'https://npm.pkg.github.com'
scope: '@deepnote'
- always-auth: true📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 | |
| with: | |
| cache: 'npm' | |
| node-version: ${{ env.NODE_VERSION }} | |
| registry-url: 'https://npm.pkg.github.com' | |
| scope: '@deepnote' | |
| always-auth: true | |
| uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 | |
| with: | |
| cache: 'npm' | |
| node-version: ${{ env.NODE_VERSION }} | |
| registry-url: 'https://npm.pkg.github.com' | |
| scope: '@deepnote' |
🤖 Prompt for AI Agents
.github/workflows/check-release.yml around lines 23 to 29: the workflow uses
actions/setup-node v6 but includes the deprecated input always-auth: true which
will cause failures; remove the line containing always-auth: true so the step
only passes cache, node-version, registry-url and scope inputs supported by v6.
cd14a66 to
ed2a5b4
Compare
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
ed2a5b4 to
ddf5c98
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (3)
.github/workflows/publish-release.yml (1)
32-37: Remove deprecatedalways-authinput.Line 37 uses
always-auth: true, which was removed in setup-node v6 and will cause failures. Remove it.🔎 Proposed fix
- name: Setup Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 with: node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true.github/workflows/ci.yml (1)
31-31: Add version comment for consistency.Line 31 lacks a version comment unlike other actions in this file (see lines 26, 45, 48, etc. with
# v5,# v1).🔎 Suggested addition
- name: Install qlty - uses: qltysh/qlty-action/install@ea1f343351856554424688e75be09f7fd59936a6 + uses: qltysh/qlty-action/install@ea1f343351856554424688e75be09f7fd59936a6 # v2.github/workflows/check-release.yml (1)
23-29: Remove deprecatedalways-authinput.Line 29 uses
always-auth: true, which was removed in setup-node v6 and will cause failures. Remove it.🔎 Proposed fix
- name: Setup Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 with: cache: 'npm' node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (6)
.github/workflows/build.yml.github/workflows/check-release.yml.github/workflows/ci.yml.github/workflows/prep-release.yml.github/workflows/publish-release.yml.github/workflows/update-integration-tests.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: build
- GitHub Check: check_release
🔇 Additional comments (5)
.github/workflows/publish-release.yml (1)
29-29: LGTM — SHA refreshes are clean.Action digest pins updated correctly with appropriate version comments.
Also applies to: 39-41, 49-49, 60-60
.github/workflows/prep-release.yml (1)
32-32: LGTM — SHA updates are clean.Action pins refreshed with correct version comments.
Also applies to: 36-36
.github/workflows/update-integration-tests.yml (1)
32-32: LGTM — SHA updates are clean.Action digest pins updated with appropriate version tags.
Also applies to: 72-72, 83-83
.github/workflows/ci.yml (1)
26-26: LGTM — SHA updates are clean.Action pins refreshed consistently with version comments.
Also applies to: 45-48, 69-72, 93-96, 116-118, 131-134
.github/workflows/check-release.yml (1)
20-20: LGTM — SHA updates are clean.Action digest pins refreshed with correct version tags.
Also applies to: 31-31, 34-34
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
ddf5c98 to
c313ca9
Compare
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
c313ca9 to
815980e
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In @.github/workflows/build.yml:
- Around line 19-22: The maintainer-tools action pin is inconsistent: the uses
line references
jupyterlab/maintainer-tools/.github/actions/base-setup@d734fad2dc3aadbe56a5fd530037656e770e1a8d
but the comment says # v1; update the pin to the real v1 tag (use
`@cc93cd104e7bcd29438a12c1c1c8d64d62555a33`) or change the comment to reflect the
current SHA so the uses entry for base-setup and its accompanying comment match.
♻️ Duplicate comments (4)
.github/workflows/publish-release.yml (1)
32-37: Removealways-auth: true— removed in setup-node v6.Line 37 uses a deprecated input that will cause failures. Delete the line.
Proposed fix
- name: Setup Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 with: node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true.github/workflows/ci.yml (1)
30-31: Add version comment for consistency.Other actions have version comments (e.g.,
# v5,# v1). This line lacks one.Proposed fix
- name: Install qlty - uses: qltysh/qlty-action/install@781c27d0ba52e67907ade4064dff08d1a797212e + uses: qltysh/qlty-action/install@781c27d0ba52e67907ade4064dff08d1a797212e # v2.github/workflows/check-release.yml (1)
22-29: Removealways-auth: true— removed in setup-node v6.Line 29 uses a deprecated input. Delete the line.
Proposed fix
- name: Setup Node.js uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 with: cache: 'npm' node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true.github/workflows/build.yml (1)
59-71: Codecov action SHAs updated.Security concerns about codecov-action v5 were raised in prior review. The 2021 incident targeted the Bash Uploader; current v5 includes mitigations.
📜 Review details
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (6)
.github/workflows/build.yml.github/workflows/check-release.yml.github/workflows/ci.yml.github/workflows/prep-release.yml.github/workflows/publish-release.yml.github/workflows/update-integration-tests.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: build
- GitHub Check: check_release
🔇 Additional comments (7)
.github/workflows/publish-release.yml (1)
28-29: SHA updates look good.Action pins refreshed consistently across Checkout, base-setup, create-github-app-token, and jupyter_releaser steps.
Also applies to: 39-41, 47-49, 56-60
.github/workflows/prep-release.yml (1)
32-36: LGTM.SHA pins updated for base-setup and prep-release actions. Version comments preserved.
.github/workflows/ci.yml (1)
25-26: LGTM.Checkout and base-setup SHAs updated consistently across all jobs.
Also applies to: 44-48, 68-72, 92-96, 115-118, 130-134
.github/workflows/update-integration-tests.yml (1)
31-32: LGTM.SHA pins updated for checkout, base-setup, and update-snapshots. Version comments intact.
Also applies to: 71-72, 83-88
.github/workflows/check-release.yml (1)
19-20: LGTM.SHA pins updated for checkout, base-setup, and check-release actions.
Also applies to: 30-34
.github/workflows/build.yml (2)
96-99: Setup-python updated to v6.SHA 83679a8 corresponds to v6.1.0 which includes urllib3 2.5.0 with security fixes.
185-187: Check_links job SHAs consistent with build job.All three actions updated to match the pins used elsewhere in the workflow.
✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.
renovate
bot
force-pushed
the
renovate/github-actions
branch
2 times, most recently
from
33f143f to
915cceb
Compare
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
915cceb to
3fc6cec
Compare
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
3fc6cec to
17e5073
Compare
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
17e5073 to
7f26785
Compare
There was a problem hiding this comment.
♻️ Duplicate comments (2)
.github/workflows/check-release.yml (1)
23-29:⚠️ Potential issue | 🟠 MajorDrop
always-authin setup-node v6 configuration.Line 29 uses an input removed from setup-node v6. Remove it to keep this step forward-compatible.
Proposed fix
- name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: cache: 'npm' node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/check-release.yml around lines 23 - 29, The workflow step using actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f (setup-node v6) includes the removed input always-auth; remove the always-auth: true line from that step so the setup-node invocation only uses cache, node-version, registry-url and scope inputs (i.e., update the setup-node configuration block to drop the always-auth field)..github/workflows/publish-release.yml (1)
32-37:⚠️ Potential issue | 🟠 MajorRemove deprecated
always-authfrom setup-node v6 step.Line 37 passes
always-auth, but setup-node v6 dropped that input. Remove it to avoid invalid-input warnings and future breakage.Proposed fix
- name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/publish-release.yml around lines 32 - 37, The setup-node step using actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f (v6) passes the deprecated input always-auth; remove the always-auth: true line from that step to eliminate the invalid-input warning and future breakage while leaving node-version, registry-url and scope intact; if persistent npm authentication is required, configure it via npmrc/auth-token steps instead of the removed input.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.github/workflows/check-release.yml:
- Around line 23-29: The workflow step using
actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f (setup-node v6)
includes the removed input always-auth; remove the always-auth: true line from
that step so the setup-node invocation only uses cache, node-version,
registry-url and scope inputs (i.e., update the setup-node configuration block
to drop the always-auth field).
In @.github/workflows/publish-release.yml:
- Around line 32-37: The setup-node step using
actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f (v6) passes the
deprecated input always-auth; remove the always-auth: true line from that step
to eliminate the invalid-input warning and future breakage while leaving
node-version, registry-url and scope intact; if persistent npm authentication is
required, configure it via npmrc/auth-token steps instead of the removed input.
ℹ️ Review info
Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 605fc181-b275-439a-b46f-99b4ebeb897b
📒 Files selected for processing (6)
.github/workflows/build.yml.github/workflows/check-release.yml.github/workflows/ci.yml.github/workflows/prep-release.yml.github/workflows/publish-release.yml.github/workflows/update-integration-tests.yml
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
7f26785 to
8d709e8
Compare
There was a problem hiding this comment.
♻️ Duplicate comments (2)
.github/workflows/publish-release.yml (1)
32-37:⚠️ Potential issue | 🟡 MinorDrop the removed
always-authinput.Line 37 still passes
always-auth: true, butactions/setup-nodev6 removed that input and explicitly tells consumers to remove any remaining references from workflow config. Keep the SHA bump; delete this key. (github.com)Suggested diff
- name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/publish-release.yml around lines 32 - 37, Remove the deprecated always-auth input from the actions/setup-node step: in the workflow step that uses actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f (the step containing the with: block and node-version/registry-url/scope), delete the line passing always-auth: true so the step only includes node-version, registry-url and scope; keep the pinned SHA as-is..github/workflows/check-release.yml (1)
23-29:⚠️ Potential issue | 🟡 MinorRemove
always-authfrom the v6 setup-node step.Line 29 still sets
always-auth: true, butactions/setup-nodev6 removed that input and its docs say to remove leftover references from workflow configs. This pin bump should not keep the deprecated key around. (github.com)Suggested diff
- name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: cache: 'npm' node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/check-release.yml around lines 23 - 29, The workflow step that uses actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f still includes the deprecated input always-auth: true; remove the always-auth line from the setup-node step (the block containing uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f and its with: keys) so the workflow no longer references the removed v6 input.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.github/workflows/check-release.yml:
- Around line 23-29: The workflow step that uses
actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f still includes the
deprecated input always-auth: true; remove the always-auth line from the
setup-node step (the block containing uses:
actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f and its with: keys)
so the workflow no longer references the removed v6 input.
In @.github/workflows/publish-release.yml:
- Around line 32-37: Remove the deprecated always-auth input from the
actions/setup-node step: in the workflow step that uses
actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f (the step containing
the with: block and node-version/registry-url/scope), delete the line passing
always-auth: true so the step only includes node-version, registry-url and
scope; keep the pinned SHA as-is.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 59b9e955-2511-46c7-8b17-fc05d5bb4957
📒 Files selected for processing (6)
.github/workflows/build.yml.github/workflows/check-release.yml.github/workflows/ci.yml.github/workflows/prep-release.yml.github/workflows/publish-release.yml.github/workflows/update-integration-tests.yml
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
8d709e8 to
a49f9e3
Compare
There was a problem hiding this comment.
♻️ Duplicate comments (2)
.github/workflows/publish-release.yml (1)
31-37:⚠️ Potential issue | 🔴 CriticalRemove
always-authbefore switching this step to setup-node v6.
actions/setup-node@v6removed that input, so keeping Line 37 will break or warn in the release workflow. Dropalways-auth: trueand leaveregistry-url/scopeas-is. (github.com)Suggested fix
- name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/publish-release.yml around lines 31 - 37, Remove the deprecated "always-auth: true" input from the GitHub Actions step that uses actions/setup-node (the "Setup Node.js" step / actions/setup-node@v6); keep the existing registry-url and scope lines as-is and ensure the step uses node-version: ${{ env.NODE_VERSION }} without the always-auth entry so it will work with setup-node v6..github/workflows/check-release.yml (1)
22-29:⚠️ Potential issue | 🔴 CriticalDrop
always-authfrom the v6 setup-node step.
actions/setup-node@v6no longer supportsalways-auth, so this upgraded step is carrying an invalid input. Remove Line 29 before merging. (github.com)Suggested fix
- name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: cache: 'npm' node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/check-release.yml around lines 22 - 29, The "Setup Node.js" step using actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f (v6) includes the unsupported input key always-auth; remove the always-auth: true line from that step so the action no longer receives an invalid input, keeping the cache, node-version, registry-url and scope keys unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.github/workflows/check-release.yml:
- Around line 22-29: The "Setup Node.js" step using
actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f (v6) includes the
unsupported input key always-auth; remove the always-auth: true line from that
step so the action no longer receives an invalid input, keeping the cache,
node-version, registry-url and scope keys unchanged.
In @.github/workflows/publish-release.yml:
- Around line 31-37: Remove the deprecated "always-auth: true" input from the
GitHub Actions step that uses actions/setup-node (the "Setup Node.js" step /
actions/setup-node@v6); keep the existing registry-url and scope lines as-is and
ensure the step uses node-version: ${{ env.NODE_VERSION }} without the
always-auth entry so it will work with setup-node v6.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: d8be5b0a-3c55-4436-80db-c133e6f4ab57
📒 Files selected for processing (6)
.github/workflows/build.yml.github/workflows/check-release.yml.github/workflows/ci.yml.github/workflows/prep-release.yml.github/workflows/publish-release.yml.github/workflows/update-integration-tests.yml
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
a49f9e3 to
9235ca2
Compare
There was a problem hiding this comment.
♻️ Duplicate comments (2)
.github/workflows/publish-release.yml (1)
32-37:⚠️ Potential issue | 🔴 CriticalDrop
always-authfor setup-node v6 compatibility.Line 37 passes a removed input to
actions/setup-nodev6.Suggested fix
- name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true#!/bin/bash set -euo pipefail echo "1) Confirm setup-node v6 + always-auth usage in workflow:" rg -n 'uses:\s*actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f|always-auth' .github/workflows/publish-release.yml echo echo "2) Confirm whether always-auth exists in setup-node@53b8394 action inputs:" curl -fsSL https://raw.githubusercontent.com/actions/setup-node/53b83947a5a98c8d113130e565377fae1a50d02f/action.yml \ | sed -n '/^inputs:/,/^runs:/p' \ | rg -n 'always-auth|registry-url|scope' || true🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/publish-release.yml around lines 32 - 37, The workflow uses a pinned setup-node action (uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f) but passes the removed input always-auth; remove the always-auth: true line from the publish-release.yml step (keep node-version, registry-url and scope as-is) so the action inputs match setup-node v6, and verify the step still authenticates via registry-url/scope configuration..github/workflows/check-release.yml (1)
23-29:⚠️ Potential issue | 🔴 CriticalRemove unsupported
always-authfrom setup-node v6.Line 29 uses an input removed in
actions/setup-nodev6; this can break the step.Suggested fix
- name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: cache: 'npm' node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true#!/bin/bash set -euo pipefail echo "1) Confirm setup-node v6 + always-auth usage in workflow:" rg -n 'uses:\s*actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f|always-auth' .github/workflows/check-release.yml echo echo "2) Confirm whether always-auth exists in setup-node@53b8394 action inputs:" curl -fsSL https://raw.githubusercontent.com/actions/setup-node/53b83947a5a98c8d113130e565377fae1a50d02f/action.yml \ | sed -n '/^inputs:/,/^runs:/p' \ | rg -n 'always-auth|registry-url|scope' || true🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/check-release.yml around lines 23 - 29, The workflow step using actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f includes the unsupported input always-auth; remove the always-auth: true line from that setup-node step so only supported inputs (cache, node-version, registry-url, scope) remain, and if npm authentication is required configure npm auth via the registry token (e.g., with npm config or creating an ~/.npmrc in a separate step) rather than the removed always-auth input.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.github/workflows/check-release.yml:
- Around line 23-29: The workflow step using
actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f includes the
unsupported input always-auth; remove the always-auth: true line from that
setup-node step so only supported inputs (cache, node-version, registry-url,
scope) remain, and if npm authentication is required configure npm auth via the
registry token (e.g., with npm config or creating an ~/.npmrc in a separate
step) rather than the removed always-auth input.
In @.github/workflows/publish-release.yml:
- Around line 32-37: The workflow uses a pinned setup-node action (uses:
actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f) but passes the
removed input always-auth; remove the always-auth: true line from the
publish-release.yml step (keep node-version, registry-url and scope as-is) so
the action inputs match setup-node v6, and verify the step still authenticates
via registry-url/scope configuration.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 9d0d1803-4cc8-4314-8994-b9fbcb255253
📒 Files selected for processing (6)
.github/workflows/build.yml.github/workflows/check-release.yml.github/workflows/ci.yml.github/workflows/prep-release.yml.github/workflows/publish-release.yml.github/workflows/update-integration-tests.yml
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
9235ca2 to
539fbed
Compare
There was a problem hiding this comment.
♻️ Duplicate comments (2)
.github/workflows/publish-release.yml (1)
32-37:⚠️ Potential issue | 🔴 CriticalDrop
always-authfrom setup-node v6 configuration.Line [37] passes
always-auth: truewhile Line [32] uses setup-node v6. This input is removed and may break release publishing.Suggested fix
- name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true#!/bin/bash # Verify setup-node v6 blocks do not include removed always-auth input. rg -nP 'uses:\s*actions/setup-node@.*#\s*v6' .github/workflows -A8 -B1 rg -nP 'always-auth:\s*true' .github/workflows # Expected after fix: zero always-auth matches under setup-node v6 steps.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/publish-release.yml around lines 32 - 37, Remove the deprecated always-auth input from the setup-node v6 step: in the workflow step that uses actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f (v6) remove the always-auth: true line so the step only sets node-version, registry-url and scope; ensure no other setup-node v6 blocks contain always-auth to avoid publishing breaks..github/workflows/check-release.yml (1)
23-29:⚠️ Potential issue | 🔴 CriticalRemove deprecated
always-authfrom setup-node v6 step.Line [29] uses
always-auth: truewithactions/setup-node@... # v6(Line [23]). That input is no longer supported and can fail the workflow.Suggested fix
- name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: cache: 'npm' node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true#!/bin/bash # Verify deprecated setup-node v6 input usage across workflows. rg -nP 'uses:\s*actions/setup-node@.*#\s*v6' .github/workflows -A8 -B1 rg -nP 'always-auth:\s*true' .github/workflows # Expected after fix: no setup-node v6 step contains always-auth.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/check-release.yml around lines 23 - 29, The workflow step using the setup-node action at uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f (v6) includes the deprecated input always-auth: true; remove the always-auth line from that step to avoid failing the workflow, or alternatively bump the action to a v3+ release and then keep always-auth if needed—update the step where node-version and registry-url are set and ensure no always-auth input remains for the v6 action.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.github/workflows/check-release.yml:
- Around line 23-29: The workflow step using the setup-node action at uses:
actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f (v6) includes the
deprecated input always-auth: true; remove the always-auth line from that step
to avoid failing the workflow, or alternatively bump the action to a v3+ release
and then keep always-auth if needed—update the step where node-version and
registry-url are set and ensure no always-auth input remains for the v6 action.
In @.github/workflows/publish-release.yml:
- Around line 32-37: Remove the deprecated always-auth input from the setup-node
v6 step: in the workflow step that uses
actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f (v6) remove the
always-auth: true line so the step only sets node-version, registry-url and
scope; ensure no other setup-node v6 blocks contain always-auth to avoid
publishing breaks.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 92f3c3a8-63f8-49f6-b974-0462c98329ee
📒 Files selected for processing (6)
.github/workflows/build.yml.github/workflows/check-release.yml.github/workflows/ci.yml.github/workflows/prep-release.yml.github/workflows/publish-release.yml.github/workflows/update-integration-tests.yml
renovate
bot
force-pushed
the
renovate/github-actions
branch
from
539fbed to
9722cfb
Compare
There was a problem hiding this comment.
♻️ Duplicate comments (3)
.github/workflows/check-release.yml (1)
22-29:⚠️ Potential issue | 🔴 CriticalRemove
always-auth: true— deprecated in setup-node v6.This input was removed in v6. Workflow will fail or emit errors.
Proposed fix
- name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: cache: 'npm' node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/check-release.yml around lines 22 - 29, The workflow step named "Setup Node.js" uses actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f (v6) and includes the deprecated input always-auth: true; remove the always-auth: true line from that step so the action uses the supported inputs (cache, node-version, registry-url, scope) without the deprecated field to prevent workflow failures or warnings..github/workflows/ci.yml (1)
30-31: 🧹 Nitpick | 🔵 TrivialAdd version comment for consistency.
Other actions have version comments (e.g.,
# v5,# v1). This line lacks one.Proposed fix
- name: Install qlty - uses: qltysh/qlty-action/install@141b881236146435192435eb7b0e06ea0b70b4d9 + uses: qltysh/qlty-action/install@141b881236146435192435eb7b0e06ea0b70b4d9 # v2qltysh/qlty-action latest version tag🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/ci.yml around lines 30 - 31, The workflow step "name: Install qlty" uses the qlty action without the version-style comment used elsewhere; update the step to include a version comment (e.g., add a trailing comment like "# v<tag>" next to the uses line for uses: qltysh/qlty-action/install@141b881236146435192435eb7b0e06ea0b70b4d9) so it matches the other actions’ version comment convention and improves consistency..github/workflows/publish-release.yml (1)
31-37:⚠️ Potential issue | 🔴 CriticalRemove
always-auth: true— deprecated in setup-node v6.Same issue as check-release.yml. This input no longer exists in v6.
Proposed fix
- name: Setup Node.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: ${{ env.NODE_VERSION }} registry-url: 'https://npm.pkg.github.com' scope: '@deepnote' - always-auth: true🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/publish-release.yml around lines 31 - 37, The workflow step "Setup Node.js" uses actions/setup-node@... v6 and includes the deprecated input key always-auth; remove the always-auth: true line from that step so the YAML matches setup-node v6 inputs (locate the step with name "Setup Node.js" and uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f and delete the always-auth entry).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.github/workflows/check-release.yml:
- Around line 22-29: The workflow step named "Setup Node.js" uses
actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f (v6) and includes
the deprecated input always-auth: true; remove the always-auth: true line from
that step so the action uses the supported inputs (cache, node-version,
registry-url, scope) without the deprecated field to prevent workflow failures
or warnings.
In @.github/workflows/ci.yml:
- Around line 30-31: The workflow step "name: Install qlty" uses the qlty action
without the version-style comment used elsewhere; update the step to include a
version comment (e.g., add a trailing comment like "# v<tag>" next to the uses
line for uses:
qltysh/qlty-action/install@141b881236146435192435eb7b0e06ea0b70b4d9) so it
matches the other actions’ version comment convention and improves consistency.
In @.github/workflows/publish-release.yml:
- Around line 31-37: The workflow step "Setup Node.js" uses
actions/setup-node@... v6 and includes the deprecated input key always-auth;
remove the always-auth: true line from that step so the YAML matches setup-node
v6 inputs (locate the step with name "Setup Node.js" and uses:
actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f and delete the
always-auth entry).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: b1f2cdb4-909b-47f9-9fa9-07d27e9a906c
📒 Files selected for processing (6)
.github/workflows/build.yml.github/workflows/check-release.yml.github/workflows/ci.yml.github/workflows/prep-release.yml.github/workflows/publish-release.yml.github/workflows/update-integration-tests.yml
This PR contains the following updates:
08c6903→93cb6ef6701853→fee1f7d2028fbc→53b8394e797f83→a309ff85a10915→1af588447f89e9→0fa95f06accaa3→3e74486d72f5cb→0a0663892420f3→141b881Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.