Skip to content

action-allowlist-review: bump manusa/actions-setup-minikube from 2.16.1 to 2.17.1 in /.github/actions/for-dependabot-triggered-reviews#857

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/manusa/actions-setup-minikube-2.17.1
Open

action-allowlist-review: bump manusa/actions-setup-minikube from 2.16.1 to 2.17.1 in /.github/actions/for-dependabot-triggered-reviews#857
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/manusa/actions-setup-minikube-2.17.1

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 18, 2026
edited
Loading

Bumps manusa/actions-setup-minikube from 2.16.1 to 2.17.1.

Release notes

Sourced from manusa/actions-setup-minikube's releases.

v2.17.1

Full Changelog: manusa/actions-setup-minikube@v2.17.0...v2.17.1

v2.17.0

What's Changed

Full Changelog: manusa/actions-setup-minikube@v2.16.1...v2.17.0

Commits
  • c714373 [RELEASE] Release v2.17.1
  • 4a46310 fix(download): verify SHA256 of downloaded binaries (#151)
  • 285c4cc [RELEASE] Release v2.17.0
  • d0f2bf9 chore(deps): bump @​actions/github from 6.0.0 to 8.0.1
  • a820593 chore(deps): bump axios from 1.13.6 to 1.16.1
  • f0ec2ac ci: extend arm64 matrix to addons, ingress, and containerd jobs
  • e441e61 chore(docs): document arm64 runner support
  • 2ade203 fix: support arm64 runners
  • cd375e9 test: extract createTarball helper to shared test-utils
  • 2fccca0 test(configure-environment): replace exec mock with stub scripts
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 18, 2026
@dependabot dependabot Bot requested a review from dfoulks1 as a code owner May 18, 2026 23:15
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 18, 2026
@dependabot dependabot Bot requested a review from potiuk as a code owner May 18, 2026 23:15
@dependabot dependabot Bot added the github_actions Pull requests that update GitHub Actions code label May 18, 2026
@dependabot dependabot Bot requested a review from ppkarwasz as a code owner May 18, 2026 23:15
@ppkarwasz
Copy link
Copy Markdown
Member

ppkarwasz commented May 19, 2026

There appear to be two verifier bugs plus one legitimate finding that traces to a transitive dependency rather than this PR.

Verifier bug 1 — sha256-hex.js misclassified. The verifier deleted [src/__tests__/test-utils/sha256-hex.js](https://github.com/manusa/actions-setup-minikube/blob/c714373206b0bc4eb9565d795fe5acf5e41ab483/src/__tests__/test-utils/sha256-hex.js) before the rebuild and then flagged it as "only in original." The file is plain source extracted from inline test code in [cd375e9](https://github.com/manusa/actions-setup-minikube/commit/cd375e9cf1327ed71542703a3020cacdfd416e99); anything under __tests__/test-utils/ should be treated as source.

Verifier bug 2 — node_modules diff is npm-version sensitive. @actions/github@8.0.1 pulls in the modern Octokit majors (@octokit/core@^7, @octokit/request@^10, etc.), whose ESM-only tarballs combined with npm's evolving install behaviour (lockfileVersion 2, peer-dep auto-install, .bin/ shim generation) produce different on-disk layouts across npm versions even when every tarball's SRI matches. The producer's release environment and the verifier's runner aren't pinned to the same npm version, so the diff is structural noise. package-lock.json is already excluded — node_modules should join it.

Legitimate but misattributed — 7zdec.exe. The binary lives at node_modules/@actions/tool-cache/scripts/externals/7zdec.exe and would flag every action depending on @actions/tool-cache (setup-node, setup-python, etc.). Not this PR's problem.

On 7zdec.exe more broadly: it's committed directly into actions/toolkit as an opaque blob — no provenance, no SHA256SUMS, no record of which LZMA SDK release it came from. Upstream 7-Zip is itself unsigned, so a pinned hash is the only available integrity primitive.

Cleanest fix would be for actions/toolkit to split it into a platform package @actions/tool-cache-7zdec-win32-x64, built in CI from a hash-pinned LZMA SDK release at ip7z/7zip, published with npm publish --provenance, and referenced from @actions/tool-cache via optionalDependencies. Verifiable trace from upstream to each consumer's package-lock.json SRI, and every action needing 7z extraction benefits.

@ppkarwasz ppkarwasz mentioned this pull request May 19, 2026
Open
@ppkarwasz
Copy link
Copy Markdown
Member

ppkarwasz commented May 19, 2026

@dependabot recreate

@dependabot
action-allowlist-review: bump manusa/actions-setup-minikube
b3e13d5 
Bumps [manusa/actions-setup-minikube](https://github.com/manusa/actions-setup-minikube) from 2.16.1 to 2.17.1.
- [Release notes](https://github.com/manusa/actions-setup-minikube/releases)
- [Commits](manusa/actions-setup-minikube@96202de...c714373)

---
updated-dependencies:
- dependency-name: manusa/actions-setup-minikube
  dependency-version: 2.17.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/manusa/actions-setup-minikube-2.17.1 branch from 3365731 to b3e13d5 Compare May 19, 2026 18:23
@ppkarwasz
Copy link
Copy Markdown
Member

ppkarwasz commented May 19, 2026

Due to some bug d112413 downgraded manusa/actions-setup-minikube instead of upgrading it, which is the reason the starting release is 2.16.1 instead of 2.17.0.

@potiuk
Copy link
Copy Markdown
Member

potiuk commented May 19, 2026

Due to some bug d112413 downgraded manusa/actions-setup-minikube instead of upgrading it, which is the reason the starting release is 2.16.1 instead of 2.17.0.

Cooldown?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dfoulks1 dfoulks1 Awaiting requested review from dfoulks1 dfoulks1 is a code owner

@potiuk potiuk Awaiting requested review from potiuk potiuk is a code owner

@ppkarwasz ppkarwasz Awaiting requested review from ppkarwasz ppkarwasz is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ppkarwasz @potiuk