Skip to content

chore(deps): bump release-drafter/release-drafter from 7.4.0 to 7.5.1#56

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/release-drafter/release-drafter-7.5.1
Open

chore(deps): bump release-drafter/release-drafter from 7.4.0 to 7.5.1#56
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/release-drafter/release-drafter-7.5.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps release-drafter/release-drafter from 7.4.0 to 7.5.1.

Release notes

Sourced from release-drafter/release-drafter's releases.

v7.5.1

What's Changed

Bug Fixes

  • fix: use PR changed files as the source of truth for path filtering (#1640) @​cchanche

Full Changelog: release-drafter/release-drafter@v7.5.0...v7.5.1

v7.5.0

What's Changed

New

Bug Fixes

Dependency Updates

Full Changelog: release-drafter/release-drafter@v7.4.0...v7.5.0

Commits
  • 4d75298 chore: release v7.5.1
  • 87be2bf fix: use PR changed files as the source of truth for path filtering (#1640)
  • 73b95fa chore: release v7.5.0
  • 46fd415 Fix/align increments to semver lib from 0.0.0 (#1636)
  • ee02572 chore: upgrade various deps
  • cd91445 build(deps): bump undici from 6.24.1 to 6.27.0 (#1637)
  • 33c969b fix: require actual matches for category mode only (#1639)
  • 5d6d314 ci: support label 'dependencies' for dependabot
  • See full diff in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 1, 2026 02:54
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 1, 2026
@github-actions github-actions Bot added the chore label Jul 1, 2026
@clawsweeper

clawsweeper Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codex review: needs changes before merge. Reviewed July 9, 2026, 8:08 AM ET / 12:08 UTC.

Summary
The PR changes the release-drafter/release-drafter GitHub Action pin in .github/workflows/release-drafter.yml from the v7.4.0 SHA to the v7.5.1 SHA.

Reproducibility: not applicable. this is a Dependabot GitHub Actions dependency update, not a reported runtime bug. The blocker is source-verifiable from the workflow pins, the PR diff, and the paired autolabeler PR.

Review metrics: 1 noteworthy metric.

  • Release-drafter pins: 1 changed, 1 related unchanged. The only concrete blocker is that the paired autolabeler reference remains on the old upstream release.

Merge readiness
Overall: 🦐 gold shrimp
Proof: 🌊 off-meta tidepool
Patch quality: 🦐 gold shrimp
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

Risk before merge

  • [P1] Merging this PR alone would leave release drafting on release-drafter v7.5.1 while PR autolabeling remains on v7.4.0 in the same workflow.
  • [P1] The changed draft-release job is skipped on pull_request_target PR checks, so green checks do not exercise the post-merge push or manual draft-release path.
  • [P1] The upstream bump executes new bundled third-party Action code, but the ref remains SHA-pinned and workflow permissions are unchanged.

Maintainer options:

  1. Unify release-drafter pins before merge (recommended)
    Update the autolabeler sub-action to the same 4d75298e00d9e34c483e5ff8c68d0ea1c1940c1e commit so both release-drafter workflow paths move together.
  2. Coordinate with the sibling autolabeler PR
    A workflow owner can land this in lockstep with chore(deps): bump release-drafter/release-drafter/autolabeler from 7.4.0 to 7.5.1 #58 so main does not intentionally stay on split release-drafter versions.
  3. Recreate as one grouped update
    If maintainers prefer not to edit Dependabot branches, close or pause the separate bumps and recreate one grouped release-drafter Action update.
Copy recommended automerge instruction
@clawsweeper automerge

Special instructions:
Update `.github/workflows/release-drafter.yml` so the `release-drafter/release-drafter/autolabeler` step also uses `4d75298e00d9e34c483e5ff8c68d0ea1c1940c1e`; leave workflow triggers, permissions, environment variables, release settings, and `CHANGELOG.md` unchanged.

Next step before merge

Security
Cleared: No concrete supply-chain defect was found: the Action ref remains SHA-pinned, workflow permissions are unchanged, and the upstream v7.5.1 tag verifies to the target commit.

Review findings

  • [P2] Keep the autolabeler pin aligned — .github/workflows/release-drafter.yml:43
Review details

Best possible solution:

Keep both remaining release-drafter entrypoints on the same verified v7.5.1 SHA, either by adding the autolabeler bump here or landing this together with #58.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this is a Dependabot GitHub Actions dependency update, not a reported runtime bug. The blocker is source-verifiable from the workflow pins, the PR diff, and the paired autolabeler PR.

Is this the best way to solve the issue?

No; as submitted it updates only one of the two remaining release-drafter uses. The narrow maintainable solution is a coordinated v7.5.1 pin across the direct action and autolabeler sub-action.

Full review comments:

  • [P2] Keep the autolabeler pin aligned — .github/workflows/release-drafter.yml:43
    This line moves the draft job to v7.5.1, but the same workflow still runs release-drafter/release-drafter/autolabeler at the old v7.4.0 SHA. The previous merged bump updated both remaining release-drafter refs together, and chore(deps): bump release-drafter/release-drafter/autolabeler from 7.4.0 to 7.5.1 #58 covers the missing half, so include that SHA here or land both PRs together.
    Confidence: 0.91

Overall correctness: patch is incorrect
Overall confidence: 0.91

AGENTS.md: not found in the target repository.

Codex review notes: model internal, reasoning high; reviewed against 4f2ededcae52.

Label changes

Label justifications:

  • P3: This is a low-blast-radius dependency-maintenance PR for repository release automation.
  • merge-risk: 🚨 automation: The diff changes GitHub Actions release automation and can leave release-drafter workflow paths on mixed upstream versions if merged alone.
  • rating: 🦐 gold shrimp: Overall readiness is 🦐 gold shrimp; proof is 🌊 off-meta tidepool and patch quality is 🦐 gold shrimp.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: Not applicable: this is a Dependabot-authored GitHub Actions dependency update, so contributor real-behavior proof is not required; workflow-owner review and post-merge workflow logs are the relevant proof path.
Evidence reviewed

Acceptance criteria:

  • [P1] rg -n "release-drafter/release-drafter(@|/autolabeler@)" .github/workflows/release-drafter.yml.
  • [P1] git diff --check.

What I checked:

Likely related people:

  • openclaw/openclaw-secops: CODEOWNERS explicitly routes .github/workflows/ and release-drafter configuration changes to this owner handle. (role: workflow code owner; confidence: high; commits: 54e6b97d0d60; files: .github/CODEOWNERS, .github/workflows/release-drafter.yml, .github/release-drafter.yml)
  • vincentkoc: GitHub commit history shows this author added release note generation, published release-drafter notes, added CODEOWNERS, and later hardened the release-drafter workflow permissions and SHA pins. (role: introduced and recent workflow contributor; confidence: high; commits: eed2d38bba4c, c30546785fcd, 54e6b97d0d60; files: .github/workflows/release-drafter.yml, .github/release-drafter.yml, .github/CODEOWNERS)
  • steipete: The current main release-preparation commit is authored by this user and touches adjacent release workflow and release configuration surfaces. (role: recent release workflow contributor; confidence: medium; commits: 4f2ededcae52; files: .github/workflows/release.yml, .goreleaser-release.yml, scripts/prepare-notcrawl-release.sh)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (2 earlier review cycles)
  • reviewed 2026-07-03T09:50:12.029Z sha 403e1f0 :: needs changes before merge. :: [P2] Keep the autolabeler pin on the same release
  • reviewed 2026-07-09T12:03:15.255Z sha 735c400 :: needs changes before merge. :: [P2] Keep the autolabeler pin aligned

@clawsweeper clawsweeper Bot added rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. labels Jul 1, 2026
Bumps [release-drafter/release-drafter](https://github.com/release-drafter/release-drafter) from 7.4.0 to 7.5.1.
- [Release notes](https://github.com/release-drafter/release-drafter/releases)
- [Commits](release-drafter/release-drafter@ed4bc48...4d75298)

---
updated-dependencies:
- dependency-name: release-drafter/release-drafter
  dependency-version: 7.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/release-drafter/release-drafter-7.5.1 branch from 403e1f0 to 735c400 Compare July 9, 2026 11:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

chore dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code merge-risk: 🚨 automation 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🦐 gold shrimp Decent PR readiness signal, but merge confidence is limited. status: ⏳ waiting on author ClawSweeper has contributor-facing work open and is waiting for author action.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant