Skip to content

Update all dependencies#328

Merged
rbikar merged 1 commit into
masterfrom
renovate/all
Jul 13, 2026
Merged

Update all dependencies#328
rbikar merged 1 commit into
masterfrom
renovate/all

Conversation

@renovate

@renovate renovate Bot commented Mar 8, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change Age Confidence
actions/checkout action major v6v7 age confidence
actions/github-script action major v8v9 age confidence
actions/setup-python (changelog) action digest a309ff8ece7cb0
codecov/codecov-action action major v5v7 age confidence
fastapi (changelog) dependencies minor 0.138.10.139.0 age confidence
pytest-cov (changelog) dev minor 7.0.07.1.0 age confidence
redis final digest 1c054d52838d55
registry.access.redhat.com/ubi9/python-39 final digest f54df76089d748
snok/install-poetry (changelog) action digest 76e04a9a783c32
testfixtures (changelog) test minor 12.2.012.3.0 age confidence

Release Notes

actions/checkout (actions/checkout)

v7.0.0

Compare Source

v7

Compare Source

actions/github-script (actions/github-script)

v9.0.0

Compare Source

New features:

  • getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
  • Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

  • require('@​actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@​actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@​actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
  • getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
  • If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.
What's Changed
New Contributors

Full Changelog: actions/github-script@v8.0.0...v9.0.0

v9

Compare Source

codecov/codecov-action (codecov/codecov-action)

v7.0.0

Compare Source

⚠️ Due to migration issues with keybase, we are unable to update our keys under the codecovsecurity account. We have deleted the account and are using codecovsecops with the original gpg key

What's Changed

Full Changelog: codecov/codecov-action@v6.0.1...v7.0.0

v7

Compare Source

v6.0.2

Compare Source

This is a copy of the v7.0.0 release to make updates easier

What's Changed

Full Changelog: codecov/codecov-action@v6.0.1...v6.0.2

v6.0.1

Compare Source

What's Changed

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

v6.0.0

Compare Source

⚠️ This version introduces support for node24 which make cause breaking changes for systems that do not currently support node24. ⚠️
What's Changed

Full Changelog: codecov/codecov-action@v5.5.4...v6.0.0

v6

Compare Source

fastapi/fastapi (fastapi)

v0.139.0

Compare Source

Features
  • ✨ Support dependencies in app.frontend(), e.g. for automatic cookie authentication for the frontend. PR #​15908 by @​tiangolo.
Translations
Internal

v0.138.2

Compare Source

Refactors
  • ♻️ Make app.frontend() return 404 for methods other than GET or HEAD with no static file matches. PR #​15863 by @​tiangolo.
Internal
pytest-dev/pytest-cov (pytest-cov)

v7.1.0

Compare Source

  • Fixed total coverage computation to always be consistent, regardless of reporting settings.
    Previously some reports could produce different total counts, and consequently can make --cov-fail-under behave different depending on
    reporting options.
    See #&#8203;641 <https://github.com/pytest-dev/pytest-cov/issues/641>_.

  • Improve handling of ResourceWarning from sqlite3.

    The plugin adds warning filter for sqlite3 ResourceWarning unclosed database (since 6.2.0).
    It checks if there is already existing plugin for this message by comparing filter regular expression.
    When filter is specified on command line the message is escaped and does not match an expected message.
    A check for an escaped regular expression is added to handle this case.

    With this fix one can suppress ResourceWarning from sqlite3 from command line::

    pytest -W "ignore:unclosed database in <sqlite3.Connection object at:ResourceWarning" ...

  • Various improvements to documentation.
    Contributed by Art Pelling in #&#8203;718 <https://github.com/pytest-dev/pytest-cov/pull/718>_ and
    "vivodi" in #&#8203;738 <https://github.com/pytest-dev/pytest-cov/pull/738>.
    Also closed #&#8203;736 <https://github.com/pytest-dev/pytest-cov/issues/736>
    .

  • Fixed some assertions in tests.
    Contributed by in Markéta Machová in #&#8203;722 <https://github.com/pytest-dev/pytest-cov/pull/722>_.

  • Removed unnecessary coverage configuration copying (meant as a backup because reporting commands had configuration side-effects before coverage 5.0).

Simplistix/testfixtures (testfixtures)

v12.3.0

Compare Source

  • Added :doc:pydantic <pydantic> support: a :func:comparer <testfixtures.pydantic.compare_basemodel>
    for :class:~pydantic.BaseModel is automatically registered, and the testfixtures[pydantic]
    extra installs a compatible version.

  • Added :class:ReprComparison and :func:repr_like for asserting an object's type along with its
    :func:repr.

  • Added :class:StrComparison and :func:str_like for asserting an object's type along with its
    :class:str.

  • Added :func:mapping, the typed helper for :class:MappingComparison.

  • :func:like now accepts a regular expression, as a string or a compiled :class:re.Pattern,
    returning a :class:TextComparison typed as a :class:str. :class:TextComparison can also
    now be built directly from a compiled :class:re.Pattern.

  • :class:ShouldRaise now accepts :func:repr_like and :func:str_like matchers, so a raised
    exception's type and rendering can be checked without constructing the exception instance.

  • Renamed :class:!StringComparison to :class:TextComparison. :class:!StringComparison remains
    as a deprecated alias.

  • Fixed a bug where comparing two matcher instances directly, such as two :class:SequenceComparison
    objects, could produce a confusing diff instead of comparing them for equality.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested review from drepelov and rbikar as code owners March 8, 2026 09:09
@github-actions

github-actions Bot commented Mar 8, 2026

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@codecov-commenter

codecov-commenter commented Mar 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (6c63bcb) to head (8f908c4).

Additional details and impacted files
@@            Coverage Diff            @@
##            master      #328   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           21        21           
  Lines         1319      1319           
=========================================
  Hits          1319      1319           
Flag Coverage Δ
unit-tests 100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@github-actions

github-actions Bot commented Mar 9, 2026

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@github-actions

github-actions Bot commented Mar 9, 2026

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@github-actions

github-actions Bot commented May 9, 2026

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@renovate renovate Bot force-pushed the renovate/all branch from 4e2ff80 to 09aaaa1 Compare May 11, 2026 04:46
@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@renovate renovate Bot force-pushed the renovate/all branch from 09aaaa1 to f9f9918 Compare May 11, 2026 07:03
@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@renovate renovate Bot force-pushed the renovate/all branch from f9f9918 to a896cb7 Compare May 11, 2026 08:34
@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@renovate renovate Bot force-pushed the renovate/all branch 8 times, most recently from c3076c8 to 6a0fc1d Compare May 18, 2026 06:58
@renovate renovate Bot force-pushed the renovate/all branch 9 times, most recently from b87ecd8 to 3032957 Compare May 25, 2026 17:33
@renovate renovate Bot force-pushed the renovate/all branch from 3032957 to 520e4ef Compare May 26, 2026 09:55
@github-actions

Copy link
Copy Markdown

Warning: The mypy type checker has found some errors. See the mypy job for details

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR updates pinned GitHub Actions revisions, Docker base image digests, and the pytest-cov development dependency. Workflow commands and Dockerfile instructions remain unchanged apart from referenced versions or digests.

Changes

Dependency and Base Image Updates

Layer / File(s) Summary
Workflow action SHA pinning
.github/workflows/docs.yml, .github/workflows/mypy.yml, .github/workflows/tox-test.yml
Updates pinned SHAs for GitHub Actions and changes the Codecov uploader to a pinned action SHA while preserving workflow control flow.
Docker base image digest updates
dev-docker/Dockerfile-app, dev-docker/Dockerfile-beat, dev-docker/Dockerfile-broker, dev-docker/Dockerfile-workers
Replaces the pinned UBI9 Python 3.9 and Redis base image digests.
pytest-cov version bump
pyproject.toml
Updates pytest-cov from 7.0.0 to 7.1.0.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Suggested reviewers: rbikar, drepelov

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title is broad, but it still accurately summarizes the dependency and action updates in this PR.
Description check ✅ Passed The description is clearly aligned with the dependency and workflow updates shown in the changeset.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/all

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (3)
.github/workflows/docs.yml (1)

13-21: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add persist-credentials: false to actions/checkout

actions/checkout leaves the git token in .git/config by default; disabling credential persistence avoids exposing it to later steps.

🔧 Suggested hardening
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs.yml around lines 13 - 21, The workflow’s
actions/checkout step is still persisting the git token in the repository
config, so update the checkout configuration to disable credential persistence.
Add persist-credentials set to false on the actions/checkout step in the docs
workflow so later steps cannot reuse the token.

Source: Linters/SAST tools

.github/workflows/mypy.yml (1)

13-27: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add persist-credentials: false to checkout actions/checkout leaves the repo token in git config by default; disable it here to avoid unnecessary credential persistence.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/mypy.yml around lines 13 - 27, The checkout step is
leaving repository credentials persisted in git config; update the
actions/checkout usage in the mypy workflow to disable credential persistence by
setting persist-credentials to false. Keep the fix scoped to the existing
checkout step so the workflow still checks out the repo without storing the
token.

Source: Linters/SAST tools

.github/workflows/tox-test.yml (1)

12-118: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Harden checkout and job token scope Add persist-credentials: false to each actions/checkout step and add a least-privilege permissions: block (for example contents: read) to the non-Codecov jobs.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/tox-test.yml around lines 12 - 118, The workflow jobs
using actions/checkout and tox currently rely on the default token scope and
persist checkout credentials unnecessarily. Update each checkout step in the
tox-test workflow to disable credential persistence, and add an explicit
least-privilege permissions block (for example contents: read) to every
non-Codecov job while preserving the existing id-token permission only for the
coverage job. Use the existing job names (py39, py312, py313, static, coverage,
bandit, bandit-exitzero) and the actions/checkout step as the anchors for the
change.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/docs.yml:
- Around line 13-21: The workflow’s actions/checkout step is still persisting
the git token in the repository config, so update the checkout configuration to
disable credential persistence. Add persist-credentials set to false on the
actions/checkout step in the docs workflow so later steps cannot reuse the
token.

In @.github/workflows/mypy.yml:
- Around line 13-27: The checkout step is leaving repository credentials
persisted in git config; update the actions/checkout usage in the mypy workflow
to disable credential persistence by setting persist-credentials to false. Keep
the fix scoped to the existing checkout step so the workflow still checks out
the repo without storing the token.

In @.github/workflows/tox-test.yml:
- Around line 12-118: The workflow jobs using actions/checkout and tox currently
rely on the default token scope and persist checkout credentials unnecessarily.
Update each checkout step in the tox-test workflow to disable credential
persistence, and add an explicit least-privilege permissions block (for example
contents: read) to every non-Codecov job while preserving the existing id-token
permission only for the coverage job. Use the existing job names (py39, py312,
py313, static, coverage, bandit, bandit-exitzero) and the actions/checkout step
as the anchors for the change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: ca0a8719-e1d1-4d5a-aba5-c89e97d54ea5

📥 Commits

Reviewing files that changed from the base of the PR and between eaf7fe6 and 88416bc.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (8)
  • .github/workflows/docs.yml
  • .github/workflows/mypy.yml
  • .github/workflows/tox-test.yml
  • dev-docker/Dockerfile-app
  • dev-docker/Dockerfile-beat
  • dev-docker/Dockerfile-broker
  • dev-docker/Dockerfile-workers
  • pyproject.toml

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/docs.yml:
- Line 13: Disable persisted checkout credentials on every listed checkout step
by adding persist-credentials: false: .github/workflows/docs.yml lines 13-13;
.github/workflows/mypy.yml lines 13-13; and .github/workflows/tox-test.yml lines
12-12, 28-28, 42-42, 56-56, 72-72, 96-96, and 110-110.

In @.github/workflows/tox-test.yml:
- Line 28: Restrict workflow permissions by adding permissions: contents: read
to the py312 job at .github/workflows/tox-test.yml lines 28-28, the py313 job at
lines 42-42, and the static job at lines 56-56.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 3949fed0-2069-4544-9bd0-fee61d160297

📥 Commits

Reviewing files that changed from the base of the PR and between 88416bc and 2feace8.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (8)
  • .github/workflows/docs.yml
  • .github/workflows/mypy.yml
  • .github/workflows/tox-test.yml
  • dev-docker/Dockerfile-app
  • dev-docker/Dockerfile-beat
  • dev-docker/Dockerfile-broker
  • dev-docker/Dockerfile-workers
  • pyproject.toml
🚧 Files skipped from review as they are similar to previous changes (5)
  • dev-docker/Dockerfile-app
  • pyproject.toml
  • dev-docker/Dockerfile-broker
  • dev-docker/Dockerfile-beat
  • dev-docker/Dockerfile-workers

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable persisted checkout credentials across all workflows.

Every listed checkout step leaves the GitHub token in local Git configuration while repository-controlled commands execute.

  • .github/workflows/docs.yml#L13-L13: add persist-credentials: false.
  • .github/workflows/mypy.yml#L13-L13: add persist-credentials: false.
  • .github/workflows/tox-test.yml#L12-L12: add persist-credentials: false.
  • .github/workflows/tox-test.yml#L28-L28: add persist-credentials: false.
  • .github/workflows/tox-test.yml#L42-L42: add persist-credentials: false.
  • .github/workflows/tox-test.yml#L56-L56: add persist-credentials: false.
  • .github/workflows/tox-test.yml#L72-L72: add persist-credentials: false.
  • .github/workflows/tox-test.yml#L96-L96: add persist-credentials: false.
  • .github/workflows/tox-test.yml#L110-L110: add persist-credentials: false.
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 13-13: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

📍 Affects 3 files
  • .github/workflows/docs.yml#L13-L13 (this comment)
  • .github/workflows/mypy.yml#L13-L13
  • .github/workflows/tox-test.yml#L12-L12
  • .github/workflows/tox-test.yml#L28-L28
  • .github/workflows/tox-test.yml#L42-L42
  • .github/workflows/tox-test.yml#L56-L56
  • .github/workflows/tox-test.yml#L72-L72
  • .github/workflows/tox-test.yml#L96-L96
  • .github/workflows/tox-test.yml#L110-L110
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs.yml at line 13, Disable persisted checkout
credentials on every listed checkout step by adding persist-credentials: false:
.github/workflows/docs.yml lines 13-13; .github/workflows/mypy.yml lines 13-13;
and .github/workflows/tox-test.yml lines 12-12, 28-28, 42-42, 56-56, 72-72,
96-96, and 110-110.

Source: Linters/SAST tools

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Restrict permissions for the affected tox jobs.

  • .github/workflows/tox-test.yml#L28-L28: add permissions: contents: read to the py312 job.
  • .github/workflows/tox-test.yml#L42-L42: add permissions: contents: read to the py313 job.
  • .github/workflows/tox-test.yml#L56-L56: add permissions: contents: read to the static job.
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 28-28: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

📍 Affects 1 file
  • .github/workflows/tox-test.yml#L28-L28 (this comment)
  • .github/workflows/tox-test.yml#L42-L42
  • .github/workflows/tox-test.yml#L56-L56
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/tox-test.yml at line 28, Restrict workflow permissions by
adding permissions: contents: read to the py312 job at
.github/workflows/tox-test.yml lines 28-28, the py313 job at lines 42-42, and
the static job at lines 56-56.

Source: Linters/SAST tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants