Skip to content

Python: .NET: Consolidate Dependabot dependency updates#7103

Merged
moonbox3 merged 9 commits into
microsoft:mainfrom
moonbox3:codex/consolidate-dependabot-20260714-df198005f
Jul 14, 2026
Merged

Python: .NET: Consolidate Dependabot dependency updates#7103
moonbox3 merged 9 commits into
microsoft:mainfrom
moonbox3:codex/consolidate-dependabot-20260714-df198005f

Conversation

@moonbox3

Copy link
Copy Markdown
Contributor

Motivation & Context

Keep the repository's .NET dependencies and pinned GitHub Actions current while reviewing the open Dependabot updates as one coherent change.

Description & Review Guide

  • What are the major changes? Update Anthropic to 12.35.1, Anthropic.Foundry to 0.7.1, astral-sh/setup-uv to 8.3.2, actions/cache/save to 6.1.0, github/codeql-action/analyze to 4.37.0, softprops/action-gh-release to 3.0.1, and dorny/paths-filter to 4.0.2.
  • What is the impact of these changes? Refreshes central .NET package versions and immutable GitHub Action pins without changing Agent Framework APIs or runtime behavior.
  • What do you want reviewers to focus on? Confirm the major-version action updates remain compatible with the existing workflow inputs and permissions, and review the two Anthropic package upgrades together.

Related Issue

Supersedes:

Contribution Checklist

  • The code builds clean without any errors or warnings
  • All unit tests pass, and I have added new tests where possible
  • The PR follows the Contribution Guidelines
  • This PR is linked to an issue and there is no other open PR for this issue (see Related Issue above).
  • This is not a breaking change. If it is a breaking change, add the breaking change label (or add "[BREAKING]" to the title prefix, before or after any language prefix) — a workflow keeps the label and title prefix in sync automatically.

dependabot Bot and others added 8 commits July 14, 2026 16:14
---
updated-dependencies:
- dependency-name: Anthropic
  dependency-version: 12.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 7.6.0 to 8.3.2.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@37802ad...11f9893)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.3.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/cache/save](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)

---
updated-dependencies:
- dependency-name: actions/cache/save
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action/analyze](https://github.com/github/codeql-action) from 4.35.5 to 4.37.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@9e0d7b8...99df26d)

---
updated-dependencies:
- dependency-name: github/codeql-action/analyze
  dependency-version: 4.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.6.2 to 3.0.1.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@3bb1273...718ea10)

---
updated-dependencies:
- dependency-name: softprops/action-gh-release
  dependency-version: 3.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [dorny/paths-filter](https://github.com/dorny/paths-filter) from 4.0.1 to 4.0.2.
- [Release notes](https://github.com/dorny/paths-filter/releases)
- [Changelog](https://github.com/dorny/paths-filter/blob/master/CHANGELOG.md)
- [Commits](dorny/paths-filter@fbd0ab8...7b450ff)

---
updated-dependencies:
- dependency-name: dorny/paths-filter
  dependency-version: 4.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 6.8.0 to 8.3.2.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@d0cc045...11f9893)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.3.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Copilot AI review requested due to automatic review settings July 14, 2026 07:22
@giles17 giles17 added the .NET Usage: [Issues, PRs], Target: .Net label Jul 14, 2026
@moonbox3 moonbox3 marked this pull request as ready for review July 14, 2026 07:23
@moonbox3 moonbox3 added the python Usage: [Issues, PRs], Target: Python label Jul 14, 2026
@moonbox3 moonbox3 self-assigned this Jul 14, 2026
@github-actions github-actions Bot changed the title Consolidate Dependabot dependency updates .NET: Consolidate Dependabot dependency updates Jul 14, 2026
@github-actions github-actions Bot changed the title .NET: Consolidate Dependabot dependency updates Python: Consolidate Dependabot dependency updates Jul 14, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR consolidates several Dependabot-driven updates to keep central .NET package versions and pinned GitHub Actions dependencies current, without intending to change Agent Framework runtime behavior.

Changes:

  • Bump central .NET package versions for Anthropic and Anthropic.Foundry.
  • Update pinned GitHub Actions SHAs across multiple workflows (uv setup, cache save, CodeQL analyze, paths-filter, gh-release).
  • Refresh the reusable .github/actions/python-setup composite action to use the newer astral-sh/setup-uv pin.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
dotnet/Directory.Packages.props Updates central package versions for Anthropic dependencies.
.github/workflows/python-sample-validation.yml Updates actions/cache/save pin for validation history caching.
.github/workflows/python-release.yml Updates softprops/action-gh-release pin used to publish releases.
.github/workflows/python-merge-tests.yml Updates dorny/paths-filter and actions/cache/save pins used in merge-test workflows.
.github/workflows/python-lab-tests.yml Updates dorny/paths-filter pin for lab-test workflow filtering.
.github/workflows/python-integration-tests.yml Updates actions/cache/save pin used for integration report history caching.
.github/workflows/python-docs.yml Updates astral-sh/setup-uv pin for docs workflow setup.
.github/workflows/issue-triage.yml Updates astral-sh/setup-uv pin for triage workflow setup.
.github/workflows/dotnet-build-and-test.yml Updates dorny/paths-filter and actions/cache/save pins for .NET CI.
.github/workflows/devflow-pr-review.yml Updates astral-sh/setup-uv pin for PR review workflow setup.
.github/workflows/codeql-analysis.yml Updates github/codeql-action/analyze pin for CodeQL analysis.
.github/actions/python-setup/action.yml Updates astral-sh/setup-uv pin in the reusable composite action.

Comment thread .github/workflows/python-sample-validation.yml
Comment thread .github/workflows/python-merge-tests.yml
Comment thread .github/workflows/python-integration-tests.yml
Comment thread .github/workflows/dotnet-build-and-test.yml
Comment thread .github/workflows/codeql-analysis.yml
@moonbox3 moonbox3 changed the title Python: Consolidate Dependabot dependency updates Python: .NET: Consolidate Dependabot dependency updates Jul 14, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated Code Review

Reviewers: 5 | Confidence: 77%

✓ Correctness

This PR consolidates Dependabot dependency updates for GitHub Actions and .NET packages. All action version bumps (setup-uv v6/v7→v8.3.2, cache/save v5→v6, action-gh-release v2→v3, paths-filter v4.0.1→v4.0.2, codeql-action patch) use only basic, stable inputs (path, key, files, version-file, enable-cache, filters) that are preserved across major versions. The Anthropic NuGet packages are minor version bumps (12.31→12.35.1, 0.6→0.7.1). No correctness issues found.

✓ Security Reliability

This PR updates GitHub Action pins and NuGet package versions. All actions continue to be pinned by full commit SHA, which is the recommended supply chain security practice. The inputs used with each updated action (version-file, enable-cache, path, key, files) are fundamental inputs unlikely to change across major versions. The Anthropic NuGet packages are minor version bumps within the same major version. No security vulnerabilities, injection risks, resource leaks, or unhandled failure modes were identified.

✓ Test Coverage

This is a straightforward dependency update PR bumping GitHub Actions and NuGet packages. The core Anthropic package (12.31.0→12.35.1) has adequate unit and integration test coverage (26 unit tests + conformance integration tests) that would catch breaking changes. However, the Anthropic.Foundry package (0.6.0→0.7.1) has no dedicated test coverage — it's only exercised in sample code. Since this is a pre-1.0 package where semver allows breaking changes in minor versions, this is a pre-existing test gap worth noting but not blocking. The GitHub Actions changes use only standard inputs compatible across the version bumps.

✓ Failure Modes

This PR consolidates Dependabot dependency updates for GitHub Actions and .NET packages. The changes are straightforward pin updates. The only notable operational concern is a version skew between actions/cache/save (updated to v6.1.0) and actions/cache/restore (still at v5.0.5) within the same workflow files. While actions/cache major version bumps are typically node runtime changes and the cache format is service-side compatible, the inconsistency creates a latent risk if future versions diverge on format.

✓ Design Approach

I did not find a design-level issue in this diff. The workflow changes are straightforward action pin updates, and the bumped actions still accept the same inputs this repository passes (version/version-file/cache inputs for setup-uv, filters for dorny/paths-filter, path/key for actions/cache/save, category for codeql-action/analyze, and files for action-gh-release). The .NET change is limited to central package version bumps for Anthropic and Anthropic.Foundry, with no accompanying consumer changes that point to a mismatched integration inside the repo.

Suggestions

  • actions/cache/restore remains pined at v5.0.5 (27d5ce7f) in python-integration-tests.yml:554, dotnet-build-and-test.yml:618, python-merge-tests.yml:751, and python-sample-validation.yml:704, while actions/cache/save in those same files is updated to v6.1.0 (55cc8345). Consider updating cache/restore to the same v6.1.0 commit for consistency.

Automated review by moonbox3's agents

@moonbox3 moonbox3 added this pull request to the merge queue Jul 14, 2026
Merged via the queue into microsoft:main with commit 4c0d9ed Jul 14, 2026
27 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

.NET Usage: [Issues, PRs], Target: .Net python Usage: [Issues, PRs], Target: Python

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants