Bump aws-actions/configure-aws-credentials from 6 to 6.1.1 #365
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 6 to 6.1.1.
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases)
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md)
- [Commits](aws-actions/configure-aws-credentials@v6...v6.1.1)

---
updated-dependencies:
- dependency-name: aws-actions/configure-aws-credentials
  dependency-version: 6.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

I'll review how this action is used in the repo and inspect the upstream changes for supply-chain risk.

Summary: This is a routine patch/minor pin of the official AWS-maintained action. No supply-chain compromise indicators were found.

Evidence by category

Scanner caveat (worth noting, not blocking): The resolved upstream range (

Recommendation: Safe to merge from a supply-chain perspective. Optionally consider

Compatibility Analysis

Searching the repo for how

Compatibility & adoption analysis —
| File | Usage |
|---|---|
| .github/workflows/build-riscv64.yml | upload job, release-only (if: env.RELEASE == 'true') |

```yaml
- name: Configure AWS credentials
  if: env.RELEASE == 'true'
  uses: aws-actions/configure-aws-credentials@v6.1.1
  with:
    role-to-assume: arn:aws:iam::${{ secrets.CHIA_AWS_ACCOUNT_ID }}:role/installer-upload
    aws-region: us-west-2
```

Workflow already grants id-token: write (required for OIDC role assumption). No other .github/workflows reference this action.
PR scope: pin @v6 → @v6.1.1 in that one step (per malware/PR scan artifacts).
2) Intersection with upstream changes (v6 → v6.1.1)
| Release | Relevant to this repo? |
|---|---|
| 6.1.1 | Dependency-only (@aws-sdk/client-sts, Smithy, etc.) — no input/output contract changes |
| 6.1.0 | New opt-in inputs: skip-cleanup, aws-profile — not used; defaults unchanged |
| 6.0.0 | Already on v6 major (Node 24) — breaking change already absorbed |
Your usage is the standard OIDC path: role-to-assume + aws-region, no custom role-session-name, profiles, role chaining, or output-env-credentials: false.
Not in this bump: v6.1.2 (released 2026-05-26) adds default session tags, stricter role-session-name validation, custom STS endpoints, etc. Those behavioral changes do not apply to 6.1.1.
3) Risks / unknowns
| Risk | Severity |
|---|---|
| AWS credential step runs only on release publish, not on ordinary PR/push CI | Medium — merge won’t prove the step until next release |
| Bundled AWS SDK bumps (STS client) | Low — routine for this action; same AssumeRole/OIDC flow |
| If @v6 was a moving tag, you may already have been on 6.1.x behavior; pin makes that explicit | Informational |
| 6.1.2 is available with IAM/session-tag behavior changes — separate review if you want latest | Out of scope for this PR |
No repo build/runtime coupling — GitHub Actions only.
4) Recommendation
Merge
- Patch-level pin within the same major you already use.
- No overlap with your inputs or workflow permissions.
- 6.1.1 changelog is dependency maintenance only; 6.1.0 features are opt-in and unused.
- Safer than jumping to 6.1.2, which would introduce new default session-tag behavior.
Post-merge: confirm on the next `release: published` run that “Configure AWS credentials” and the subsequent aws s3 steps succeed (the only path that exercises this bump).
Malware Scan Summary
- Status: warn
- Warn only mode: true
- Changed upstream files scanned: 13
- Resolution strategy: tag_range
- Changed node/vendor paths: 0
- Changed lockfiles: 1
- Resolved upstream range: acca2b1b2070338fb9fd1ca27ecee81d687e58e5..d979d5b3a71173a29b74b5b88418bfda9437d885
- Resolved refs: from=acca2b1b2070338fb9fd1ca27ecee81d687e58e5 to=d979d5b3a71173a29b74b5b88418bfda9437d885
- Unicode findings (post-allowlist): 0
- Confusable findings (post-allowlist): 0
- IOC findings (post-allowlist): 0
- Heuristic findings (post-allowlist): 947
Top findings
| Location | Rule | Matched line |
|---|---|---|
| dist/cleanup/index.js:844 | codepoint_decoder | const code = this.code = key.charCodeAt(index); |
| dist/cleanup/index.js:866 | codepoint_decoder | const code = key.charCodeAt(index); |
| dist/cleanup/index.js:1350 | codepoint_decoder | if (!isTokenCharCode(characters.charCodeAt(i))) { |
| dist/cleanup/index.js:2814 | codepoint_decoder | for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) { |
| dist/cleanup/index.js:3420 | codepoint_decoder | if (data.charCodeAt(dataLength - 1) === 61) { |
| dist/cleanup/index.js:3422 | codepoint_decoder | if (data.charCodeAt(dataLength - 1) === 61) { |
| dist/cleanup/index.js:3502 | codepoint_decoder | while (lead < str.length && predicate(str.charCodeAt(lead))) lead++; |
| dist/cleanup/index.js:3505 | codepoint_decoder | while (trail > 0 && predicate(str.charCodeAt(trail))) trail--; |
| dist/cleanup/index.js:3869 | codepoint_decoder | if (x.charCodeAt(index) > 255) { |
| dist/cleanup/index.js:3871 | codepoint_decoder | Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255. |
| dist/cleanup/index.js:4043 | codepoint_decoder | const code = url.charCodeAt(i); |
| dist/cleanup/index.js:4069 | codepoint_decoder | const c = statusText.charCodeAt(i); |
| dist/cleanup/index.js:4623 | codepoint_decoder | if (data.charCodeAt(position.position) !== 61) { |
| dist/cleanup/index.js:4636 | codepoint_decoder | const code = char.charCodeAt(0); |
| dist/cleanup/index.js:4650 | codepoint_decoder | if (data.charCodeAt(position.position) !== 45) { |
| dist/cleanup/index.js:4663 | codepoint_decoder | const code = char.charCodeAt(0); |
| dist/cleanup/index.js:4762 | codepoint_decoder | if (input.charCodeAt(position.position) === 34) { |
| dist/cleanup/index.js:4771 | codepoint_decoder | assert(input.charCodeAt(position.position) === 44); |
| dist/cleanup/index.js:5110 | codepoint_decoder | if ((chars.charCodeAt(i) & ~127) !== 0) { |
| dist/cleanup/index.js:5122 | codepoint_decoder | const cp = boundary.charCodeAt(i); |
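The analysis above flags that @v6 was a moving tag and that the scanner had to resolve the bump to a concrete commit range (to=d979d5b3a71173a29b74b5b88418bfda9437d885, the "chore: release 6.1.1" commit). A release tag such as @v6.1.1 is still a mutable reference: the upstream maintainer, or anyone who gains write access to the action repository, can re-point it, and the workflow would silently run different code. The check below is an added example, not code from this repository, from Cursor, or from aws-actions/configure-aws-credentials. It scans a workflow for `uses:` references that are not pinned to a full 40-hex commit SHA and rewrites the ones for which a resolved SHA is known, keeping the tag as a trailing comment. The sample workflow is constructed from the step quoted above plus invented neighbouring steps (`some-org/some-action` and `example-org/already-pinned` are placeholders, as is their SHA); the only real SHA is the v6.1.1 commit taken from the scan summary.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to an immutable
commit SHA, and rewrite tag pins to SHA pins.

Added example for this PR discussion; not code from the repository, from
Cursor, or from aws-actions/configure-aws-credentials.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches `uses: owner/repo[/path]@ref` (remote actions only; `./local` and
# `docker://` references contain no `owner/repo@ref` and are left alone).
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s*)?uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?P<rest>.*)$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Pin:
    line_no: int   # 1-based line in the workflow file
    action: str    # e.g. aws-actions/configure-aws-credentials
    ref: str       # e.g. v6.1.1
    kind: str      # sha | major-tag | tag | branch


def classify_ref(ref: str) -> str:
    """Only a full commit SHA is immutable; every other ref can be re-pointed."""
    if SHA_RE.fullmatch(ref):
        return "sha"
    if re.fullmatch(r"v?\d+", ref):
        return "major-tag"   # floating alias such as @v6
    if re.fullmatch(r"v?\d+(?:\.\d+){1,2}(?:-[\w.]+)?", ref):
        return "tag"         # release tag such as @v6.1.1, still mutable
    return "branch"          # @main, @master, etc.


def find_pins(workflow_text: str) -> list[Pin]:
    pins = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            pins.append(Pin(line_no, m["action"], m["ref"], classify_ref(m["ref"])))
    return pins


def find_mutable_pins(workflow_text: str) -> list[Pin]:
    """Everything a reviewer should ask to be SHA-pinned."""
    return [p for p in find_pins(workflow_text) if p.kind != "sha"]


def pin_to_sha(workflow_text: str, resolved: dict[tuple[str, str], str]) -> str:
    """Rewrite `action@tag` to `action@<sha> # tag` where a SHA is known.

    `resolved` maps (action, ref) -> 40-hex SHA obtained out of band (for
    example from `git ls-remote --tags` against the action repository, or, as
    here, from the scanner's resolved refs). Unknown refs are left untouched
    so the caller can list them with find_mutable_pins() on the result.
    """
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and classify_ref(m["ref"]) != "sha":
            sha = resolved.get((m["action"], m["ref"]))
            if sha is not None:
                if not SHA_RE.fullmatch(sha):
                    raise ValueError(f"{m['action']}@{m['ref']}: resolved ref is not a full SHA: {sha}")
                line = f"{m['prefix']}{m['action']}@{sha} # {m['ref']}{m['rest'].rstrip()}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: the step from .github/workflows/build-riscv64.yml quoted
# in the analysis above, plus invented neighbouring steps for contrast.
SAMPLE_WORKFLOW = """\
jobs:
  upload:
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS credentials
        if: env.RELEASE == 'true'
        uses: aws-actions/configure-aws-credentials@v6.1.1
        with:
          role-to-assume: arn:aws:iam::${{ secrets.CHIA_AWS_ACCOUNT_ID }}:role/installer-upload
          aws-region: us-west-2
      - uses: some-org/some-action@main
      - uses: example-org/already-pinned@0123456789abcdef0123456789abcdef01234567 # v1.2.3
"""

# The v6.1.1 tag resolved to this commit in the scan summary (resolved refs
# to=d979d5b...); it is the only SHA in this example that is not a placeholder.
RESOLVED = {
    ("aws-actions/configure-aws-credentials", "v6.1.1"):
        "d979d5b3a71173a29b74b5b88418bfda9437d885",
}


def demo() -> tuple[list[Pin], str, list[Pin]]:
    before = find_mutable_pins(SAMPLE_WORKFLOW)
    pinned = pin_to_sha(SAMPLE_WORKFLOW, RESOLVED)
    after = find_mutable_pins(pinned)
    return before, pinned, after


if __name__ == "__main__":
    before, pinned, after = demo()
    for p in before:
        print(f"line {p.line_no}: {p.action}@{p.ref} ({p.kind})")
    print(pinned)
    print("still mutable after rewrite:", [(p.action, p.ref) for p in after])
```

To fill `RESOLVED` for a real tag, `git ls-remote --tags https://github.com/aws-actions/configure-aws-credentials v6.1.1` prints the tag object and, for an annotated tag, a second `refs/tags/v6.1.1^{}` line carrying the commit SHA; the commit SHA is the one to pin. Dependabot keeps updating SHA-pinned actions and refreshes the trailing version comment, so the pin does not cost the automated bumps this PR came from.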
Bumps aws-actions/configure-aws-credentials from 6 to 6.1.1.

Release notes
Sourced from aws-actions/configure-aws-credentials's releases.

Changelog
Sourced from aws-actions/configure-aws-credentials's changelog.
... (truncated)

Commits
- d979d5b chore: release 6.1.1 (#1757)
- d4a9acd chore: Update dist
- fc44f4a chore(deps): bump @aws-sdk/client-sts from 3.1033.0 to 3.1038.0 (#1749)
- 0b8336f chore: Update dist
- 8c5bf33 chore(deps-dev): bump @aws-sdk/credential-provider-env (#1751)
- 53df0c1 chore: Update dist
- c2c5582 chore(deps): bump @smithy/node-http-handler from 4.6.0 to 4.6.1 (#1750)
- bd0031d chore(deps): bump postcss from 8.5.6 to 8.5.12 (#1752)
- 6ab499a chore(deps-dev): bump @biomejs/biome from 2.4.12 to 2.4.13 (#1747)
- bc94895 chore(deps-dev): bump @biomejs/biome from 2.4.11 to 2.4.12 (#1739)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Low Risk
Single-line GitHub Action patch pin; same inputs and release-gated AWS role usage as before.

Overview
Pins aws-actions/configure-aws-credentials from @v6 to @v6.1.1 in the riscv64 release upload job (.github/workflows/build-riscv64.yml). Role assumption, region, and when the step runs are unchanged; only the action version is updated (Dependabot patch release with dependency churn in the action itself).

Reviewed by Cursor Bugbot for commit 4a86cf5.