Python: .NET: Consolidate Dependabot dependency updates#7103
Conversation
--- updated-dependencies: - dependency-name: Anthropic dependency-version: 12.35.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 7.6.0 to 8.3.2. - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@37802ad...11f9893) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: 8.3.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/cache/save](https://github.com/actions/cache) from 5.0.5 to 6.1.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@27d5ce7...55cc834) --- updated-dependencies: - dependency-name: actions/cache/save dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action/analyze](https://github.com/github/codeql-action) from 4.35.5 to 4.37.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@9e0d7b8...99df26d) --- updated-dependencies: - dependency-name: github/codeql-action/analyze dependency-version: 4.37.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.6.2 to 3.0.1. - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](softprops/action-gh-release@3bb1273...718ea10) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-version: 3.0.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [dorny/paths-filter](https://github.com/dorny/paths-filter) from 4.0.1 to 4.0.2. - [Release notes](https://github.com/dorny/paths-filter/releases) - [Changelog](https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md) - [Commits](dorny/paths-filter@fbd0ab8...7b450ff) --- updated-dependencies: - dependency-name: dorny/paths-filter dependency-version: 4.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 6.8.0 to 8.3.2. - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@d0cc045...11f9893) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: 8.3.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
Pull request overview
This PR consolidates several Dependabot-driven updates to keep central .NET package versions and pinned GitHub Actions dependencies current, without intending to change Agent Framework runtime behavior.
Changes:
- Bump central .NET package versions for
AnthropicandAnthropic.Foundry. - Update pinned GitHub Actions SHAs across multiple workflows (uv setup, cache save, CodeQL analyze, paths-filter, gh-release).
- Refresh the reusable
.github/actions/python-setupcomposite action to use the newerastral-sh/setup-uvpin.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| dotnet/Directory.Packages.props | Updates central package versions for Anthropic dependencies. |
| .github/workflows/python-sample-validation.yml | Updates actions/cache/save pin for validation history caching. |
| .github/workflows/python-release.yml | Updates softprops/action-gh-release pin used to publish releases. |
| .github/workflows/python-merge-tests.yml | Updates dorny/paths-filter and actions/cache/save pins used in merge-test workflows. |
| .github/workflows/python-lab-tests.yml | Updates dorny/paths-filter pin for lab-test workflow filtering. |
| .github/workflows/python-integration-tests.yml | Updates actions/cache/save pin used for integration report history caching. |
| .github/workflows/python-docs.yml | Updates astral-sh/setup-uv pin for docs workflow setup. |
| .github/workflows/issue-triage.yml | Updates astral-sh/setup-uv pin for triage workflow setup. |
| .github/workflows/dotnet-build-and-test.yml | Updates dorny/paths-filter and actions/cache/save pins for .NET CI. |
| .github/workflows/devflow-pr-review.yml | Updates astral-sh/setup-uv pin for PR review workflow setup. |
| .github/workflows/codeql-analysis.yml | Updates github/codeql-action/analyze pin for CodeQL analysis. |
| .github/actions/python-setup/action.yml | Updates astral-sh/setup-uv pin in the reusable composite action. |
There was a problem hiding this comment.
Automated Code Review
Reviewers: 5 | Confidence: 77%
✓ Correctness
This PR consolidates Dependabot dependency updates for GitHub Actions and .NET packages. All action version bumps (setup-uv v6/v7→v8.3.2, cache/save v5→v6, action-gh-release v2→v3, paths-filter v4.0.1→v4.0.2, codeql-action patch) use only basic, stable inputs (path, key, files, version-file, enable-cache, filters) that are preserved across major versions. The Anthropic NuGet packages are minor version bumps (12.31→12.35.1, 0.6→0.7.1). No correctness issues found.
✓ Security Reliability
This PR updates GitHub Action pins and NuGet package versions. All actions continue to be pinned by full commit SHA, which is the recommended supply chain security practice. The inputs used with each updated action (version-file, enable-cache, path, key, files) are fundamental inputs unlikely to change across major versions. The Anthropic NuGet packages are minor version bumps within the same major version. No security vulnerabilities, injection risks, resource leaks, or unhandled failure modes were identified.
✓ Test Coverage
This is a straightforward dependency update PR bumping GitHub Actions and NuGet packages. The core Anthropic package (12.31.0→12.35.1) has adequate unit and integration test coverage (26 unit tests + conformance integration tests) that would catch breaking changes. However, the Anthropic.Foundry package (0.6.0→0.7.1) has no dedicated test coverage — it's only exercised in sample code. Since this is a pre-1.0 package where semver allows breaking changes in minor versions, this is a pre-existing test gap worth noting but not blocking. The GitHub Actions changes use only standard inputs compatible across the version bumps.
✓ Failure Modes
This PR consolidates Dependabot dependency updates for GitHub Actions and .NET packages. The changes are straightforward pin updates. The only notable operational concern is a version skew between actions/cache/save (updated to v6.1.0) and actions/cache/restore (still at v5.0.5) within the same workflow files. While actions/cache major version bumps are typically node runtime changes and the cache format is service-side compatible, the inconsistency creates a latent risk if future versions diverge on format.
✓ Design Approach
I did not find a design-level issue in this diff. The workflow changes are straightforward action pin updates, and the bumped actions still accept the same inputs this repository passes (
version/version-file/cache inputs forsetup-uv,filtersfordorny/paths-filter,path/keyforactions/cache/save,categoryforcodeql-action/analyze, andfilesforaction-gh-release). The .NET change is limited to central package version bumps forAnthropicandAnthropic.Foundry, with no accompanying consumer changes that point to a mismatched integration inside the repo.
Suggestions
- actions/cache/restore remains pined at v5.0.5 (27d5ce7f) in python-integration-tests.yml:554, dotnet-build-and-test.yml:618, python-merge-tests.yml:751, and python-sample-validation.yml:704, while actions/cache/save in those same files is updated to v6.1.0 (55cc8345). Consider updating cache/restore to the same v6.1.0 commit for consistency.
Automated review by moonbox3's agents
Motivation & Context
Keep the repository's .NET dependencies and pinned GitHub Actions current while reviewing the open Dependabot updates as one coherent change.
Description & Review Guide
Anthropicto 12.35.1,Anthropic.Foundryto 0.7.1,astral-sh/setup-uvto 8.3.2,actions/cache/saveto 6.1.0,github/codeql-action/analyzeto 4.37.0,softprops/action-gh-releaseto 3.0.1, anddorny/paths-filterto 4.0.2.Related Issue
Supersedes:
Contribution Checklist
breaking changelabel (or add "[BREAKING]" to the title prefix, before or after any language prefix) — a workflow keeps the label and title prefix in sync automatically.