chore(deps): bump changesets/action from 1.7.0 to 1.9.0 #2260

Merged: mattzcarey merged 2 commits into main from dependabot/github_actions/changesets/action-1.9.0 on Jul 1, 2026

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Bumps changesets/action from 1.7.0 to 1.9.0.

Release notes

Sourced from changesets/action's releases.

v1.9.0

Minor Changes

  • #636 b072bcc Thanks @​bluwy! - Add a new @changesets/action/pr-comment sub-action to comment on PRs

  • #625 8795eee Thanks @​bluwy! - Add a new @changesets/action/pr-status sub-action to generate the changeset status comment for PRs as an alternative to the Changesets Bot.

Patch Changes

  • #535 34f64f6 Thanks @​Andarist! - Fixed an issue with GitHub releases not being created for successfully published packages when some packages failed to be published to the registry.

  • #632 1d54b9e Thanks @​bluwy! - Simplify internal implementation to get changelog entries for a package version

  • #629 e0c90aa Thanks @​bluwy! - Fix custom version and publish command argument parsing

  • #645 f9585d9 Thanks @​Andarist! - Improved force-push handling when using commitMode: "github-api" so updating an existing branch no longer temporarily resets the target branch to the base commit, avoiding cases where GitHub closes open pull requests during the update. This should remove a possibility of a GitHub state race that caused the force-pushed PRs not being reopened.

v1.8.0

Minor Changes

  • #258 f5dbf72 Thanks @​tom-sherman! - Support draft version PR modes with a new prDraft input. Use create to create new version PRs as drafts, or always to also convert existing version PRs back to draft when updating them.

Patch Changes

  • #502 6002dbd Thanks @​oshytiko! - Fixed initial .changeset state being picked up, when cwd parameter is provided

  • #536 81b3f61 Thanks @​radnan! - Fixed .changeset state being picked for the version command when cwd parameter is provided

Changelog

Sourced from changesets/action's changelog.

@​changesets/action

2.0.0-next.2

Patch Changes

  • #670 5a8b9b7 Thanks @​Andarist! - Authenticate git CLI pushes with the configured GitHub token using Git extra headers instead of writing to a global .netrc file.

  • #670 5a8b9b7 Thanks @​Andarist! - Derive the Git server URL from the GitHub Actions context when configuring git CLI authentication to support GitHub Enterprise Server setups.

2.0.0-next.1

Patch Changes

  • #663 ccb3811 Thanks @​Andarist! - Fix the computed publish plan path passed internally to changeset pack by the /pack subaction.

  • #662 5c88881 Thanks @​Andarist! - Fixed usage of --from-publish-plan flag used by the /pack subaction

  • #666 dc29b73 Thanks @​Andarist! - Fix the /version subaction to not crash on missing pr-base-branch input. This input is meant to be optional.

2.0.0-next.0

Major Changes

  • #657 4f718b5 Thanks @​Andarist! - Removed compatibility support for old Changesets v1.

  • #659 5649ff4 Thanks @​bluwy! - Remove cwd option for changesets/action. Use the step working-directory option instead to change the directory.

Minor Changes

  • #656 a12d90d Thanks @​bluwy! - Add new /select-mode, /version, and /publish sub-actions to better control version and publish steps

1.9.0

Minor Changes

  • #636 b072bcc Thanks @​bluwy! - Add a new @changesets/action/pr-comment sub-action to comment on PRs

  • #625 8795eee Thanks @​bluwy! - Add a new @changesets/action/pr-status sub-action to generate the changeset status comment for PRs as an alternative to the Changesets Bot.

Patch Changes

  • #535 34f64f6 Thanks @​Andarist! - Fixed an issue with GitHub releases not being created for successfully published packages when some packages failed to be published to the registry.

  • #632 1d54b9e Thanks @​bluwy! - Simplify internal implementation to get changelog entries for a package version

  • #629 e0c90aa Thanks @​bluwy! - Fix custom version and publish command argument parsing

  • #645 f9585d9 Thanks @​Andarist! - Improved force-push handling when using commitMode: "github-api" so updating an existing branch no longer temporarily resets the target branch to the base commit, avoiding cases where GitHub closes open pull requests during the update. This should remove a possibility of a GitHub state race that caused the force-pushed PRs not being reopened.

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 8, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 8, 2026 18:34

changeset-bot Bot commented Jun 8, 2026

⚠️ No Changeset found

Latest commit: b621858

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

pkg-pr-new Bot commented Jun 8, 2026

@modelcontextprotocol/client

npm i https://pkg.pr.new/@modelcontextprotocol/client@2260

@modelcontextprotocol/codemod

npm i https://pkg.pr.new/@modelcontextprotocol/codemod@2260

@modelcontextprotocol/core

npm i https://pkg.pr.new/@modelcontextprotocol/core@2260

@modelcontextprotocol/server

npm i https://pkg.pr.new/@modelcontextprotocol/server@2260

@modelcontextprotocol/server-legacy

npm i https://pkg.pr.new/@modelcontextprotocol/server-legacy@2260

@modelcontextprotocol/express

npm i https://pkg.pr.new/@modelcontextprotocol/express@2260

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/@modelcontextprotocol/fastify@2260

@modelcontextprotocol/hono

npm i https://pkg.pr.new/@modelcontextprotocol/hono@2260

@modelcontextprotocol/node

npm i https://pkg.pr.new/@modelcontextprotocol/node@2260

commit: b621858

@dependabot dependabot Bot force-pushed the dependabot/github_actions/changesets/action-1.9.0 branch from a860f11 to 9b37f55 Compare June 25, 2026 18:44

@claude claude Bot left a comment

LGTM — routine Dependabot bump of changesets/action 1.7.0 → 1.9.0 with the SHA pin correctly matching the v1.9.0 release commit.

Extended reasoning...

Overview

This PR touches a single file, .github/workflows/release.yml, updating the SHA-pinned changesets/action reference from 6a0a831 (v1.7.0) to a45c4d5 (v1.9.0) in both the version-PR step and the publish step. The pinned SHA matches the v1.9.0 release commit listed in the upstream changelog/commit list, and the # v1 version comment remains accurate.

Security risks

The change is in the release workflow, which is supply-chain-sensitive (it has contents: write, pull-requests: write, and id-token: write for npm OIDC publishing). However, the action remains pinned to a full commit SHA from the official changesets/action repository, the upstream 1.8.0/1.9.0 changes are additive (new optional sub-actions, draft-PR input, and bug fixes) and do not alter the publish path used here (publish: pnpm run ci:publish), and no permissions or secrets are changed. No new tokens or scopes are required per the action's docs.

Level of scrutiny

This is a mechanical, Dependabot-style dependency bump following the repo's established SHA-pinning convention. Per the repo review conventions' CI guidance, no claims of breakage should be made without verification, and none are warranted — the workflow inputs used (publish, GITHUB_TOKEN, NPM_CONFIG_PROVENANCE) are unchanged between 1.7.0 and 1.9.0.

Other factors

The bug-hunting system found no issues, the timeline contains only standard bot comments (changeset-bot correctly notes no changeset is needed for a workflow-only change), and both usages of the action were updated consistently.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/changesets/action-1.9.0 branch from 9b37f55 to 033df55 Compare June 26, 2026 13:03

@claude claude Bot left a comment

LGTM — straightforward Dependabot bump of changesets/action from 1.7.0 to 1.9.0, SHA-pinned to the v1.9.0 release commit.

Extended reasoning...

Overview

This PR only touches .github/workflows/release.yml, updating the pinned SHA for changesets/action in two steps (the Version Packages PR step and the Publish step) from 6a0a831 (v1.7.0) to a45c4d5, which the Dependabot-provided commit list confirms is the v1.9.0 release commit. No other workflow inputs, permissions, or env vars change.

Security risks

Minimal. The action remains pinned to a full commit SHA (not a mutable tag), so supply-chain exposure is unchanged. The 1.8/1.9 changes are additive (new opt-in sub-actions for PR comments/status, draft-PR support) plus patch fixes; none alter the default version/publish behavior this workflow relies on, and no new permissions or tokens are required. The workflow already grants contents: write / pull-requests: write (version job) and id-token: write (publish job), which covers everything the bumped action does here.

Level of scrutiny

Low — this is a routine, mechanical CI dependency bump within the same major version, the kind of change Dependabot produces regularly. It does not touch SDK source, protocol logic, or any published package (changeset-bot correctly notes no changeset is needed).

Other factors

The bug-hunting system found no issues, and the same commit appears to already be present at the repository HEAD. Per the repo's review conventions on CI/GitHub Actions changes, I verified the new SHA against the release notes rather than asserting behavior from memory; nothing in the 1.7.0→1.9.0 changelog affects this workflow's existing configuration.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/changesets/action-1.9.0 branch from 033df55 to 3a7e192 Compare June 30, 2026 14:49

@claude claude Bot left a comment

LGTM — routine Dependabot bump of changesets/action to v1.9.0, both pinned SHAs updated consistently.

Extended reasoning...

Overview

This PR touches a single file, .github/workflows/release.yml, updating the SHA-pinned changesets/action reference from 6a0a831 (v1.7.0) to a45c4d5 (v1.9.0) in both places it is used (the version PR step and the publish step). The new SHA matches the v1.9.0 release commit listed in the Dependabot description, and both call sites are updated consistently so there is no version skew within the workflow.

Security risks

The action remains pinned to a full commit SHA (good supply-chain hygiene), and the upgrade is a minor/patch-level change within the v1 line. The new pr-comment/pr-status sub-actions introduced in 1.9.0 are opt-in and not used here, so no new permissions are needed; the existing contents: write / pull-requests: write and id-token: write grants are unchanged. The publish job continues to use the same pnpm run ci:publish command and OIDC/provenance setup.

Level of scrutiny

This is CI configuration touching the release pipeline, which warrants a quick sanity check rather than deep review: the change is mechanical (a Dependabot SHA bump with no input/permission changes), follows the established pinning convention, and the 1.7.0→1.9.0 changelog contains only additive sub-actions and bug fixes — no breaking changes to the inputs (publish) or outputs (hasChangesets) this workflow relies on.

Other factors

No bugs were found by the bug hunting system, no human reviewer comments are outstanding, and no changeset is needed for a workflow-only change. The actual release behavior will be exercised on the next merge to main, which is the normal validation path for this kind of bump.

@dependabot dependabot Bot force-pushed the dependabot/github_actions/changesets/action-1.9.0 branch from 3a7e192 to ff42fdb Compare June 30, 2026 15:05

@claude claude Bot left a comment

LGTM — straightforward Dependabot bump of changesets/action to v1.9.0, with both pinned SHAs in release.yml updated consistently.

Extended reasoning...

Overview

This PR touches a single file, .github/workflows/release.yml, updating the pinned commit SHA for changesets/action from 6a0a831 (v1.7.0) to a45c4d5 (v1.9.0) at both usage sites (the Version Packages PR step and the Publish step). The Dependabot-provided commit list confirms a45c4d5 is the v1.9.0 tag commit, and the # v1 pin comment remains accurate.

Security risks

Minimal. The action remains pinned by full commit SHA (good supply-chain practice), and no permissions, tokens, or secrets are added or changed in the workflow. The v1.9.0 release notes describe additive sub-actions and patch fixes; the existing usage (default version step + publish: pnpm run ci:publish) requires no input changes.

Level of scrutiny

This is CI/release tooling, so it only affects the publish pipeline, not shipped SDK code. Per the repo's review conventions for .github/workflows/ diffs, I checked the changelog rather than asserting behavior from memory: nothing in 1.8.0/1.9.0 changes the inputs or permissions this workflow relies on.

Other factors

No bugs were found by the bug hunting system, and the only timeline activity is the standard changeset-bot and pkg-pr-new bot comments. The change is mechanical and consistent with how other action bumps are handled in this repo.

Bumps [changesets/action](https://github.com/changesets/action) from 1.7.0 to 1.9.0.
- [Release notes](https://github.com/changesets/action/releases)
- [Changelog](https://github.com/changesets/action/blob/main/CHANGELOG.md)
- [Commits](changesets/action@6a0a831...a45c4d5)

---
updated-dependencies:
- dependency-name: changesets/action
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/changesets/action-1.9.0 branch from ff42fdb to 4ef817f Compare June 30, 2026 20:20

@claude claude Bot left a comment

LGTM — straightforward Dependabot bump of changesets/action from 1.7.0 to 1.9.0, applied consistently to both pinned usages.

Extended reasoning...

Overview

This PR updates the changesets/action GitHub Action from 1.7.0 (6a0a831) to 1.9.0 (a45c4d5) in .github/workflows/release.yml. Both occurrences (the Version Packages PR step and the Publish step) are updated to the same SHA, which matches the v1.9.0 tag per the upstream release commit list in the PR description. No other workflow inputs, permissions, or env vars are changed.

Security risks

Low. The action remains pinned to a full commit SHA (not a mutable tag), which preserves supply-chain protection. The 1.8.0/1.9.0 changes are additive (new optional sub-actions pr-comment/pr-status, draft-PR support) plus patch fixes; none alter the default behavior of the version/publish flows used here, and no new permissions or tokens are required. The publish job's existing id-token: write / OIDC trusted-publishing setup is untouched.

Level of scrutiny

This is a CI configuration dependency bump generated by Dependabot — mechanical, small, and self-contained. The main risks for such bumps are (a) SHA not matching the claimed version and (b) only one of multiple usages being updated; both check out here. Per the repo's review conventions, no unverified claims about the action's behavior are being made.

Other factors

The bug-hunting system found no issues, and there are no outstanding reviewer comments. No changeset is needed since this only touches CI. The release workflow itself will exercise the new version on the next push to main; any breakage would surface immediately and be trivially revertible.
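
An added example, not part of the review above or of the repository: a small offline check for the second risk the review names (only one of several usages being updated), which also flags `uses:` references that are not pinned to a full 40-character commit SHA. The workflow text, the `actions/checkout@v4` line and the all-`1`/all-`2` SHAs are constructed placeholders; confirming that a SHA really is the upstream release commit still requires comparing it against the upstream repository.

```python
import re
from collections import defaultdict

# Matches `uses: owner/repo[/sub/path]@ref` in a workflow step (optionally after "- ").
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.\-/]+)@([\w.\-/]+)['\"]?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, action_or_repo, finding) tuples for a workflow file.

    Findings:
      not-sha-pinned  the ref is a tag, branch or short SHA (mutable or ambiguous)
      version-skew    the same owner/repo is referenced at more than one ref
    """
    findings = []
    refs_by_repo = defaultdict(dict)  # "owner/repo" -> {ref: first line seen}
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        # Sub-actions such as owner/repo/pr-comment share the repo's pin,
        # so group on the first two path segments.
        repo = "/".join(action.split("/")[:2])
        refs_by_repo[repo].setdefault(ref, line_no)
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, "not-sha-pinned"))
    for repo, refs in sorted(refs_by_repo.items()):
        if len(refs) > 1:
            findings.append((max(refs.values()), repo, "version-skew"))
    return findings


# Constructed sample: placeholder SHAs, not the real release commits.
OLD_PIN = "1" * 40
NEW_PIN = "2" * 40
SAMPLE = f"""\
jobs:
  version:
    steps:
      - uses: actions/checkout@v4
      - name: Version Packages PR
        uses: changesets/action@{NEW_PIN} # v1
  publish:
    steps:
      - uses: changesets/action@{OLD_PIN} # v1
        with:
          publish: pnpm run ci:publish
"""

if __name__ == "__main__":
    for line_no, name, finding in audit_workflow(SAMPLE):
        print(f"line {line_no}: {name}: {finding}")
```
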

@mattzcarey mattzcarey enabled auto-merge (squash) July 1, 2026 08:17
@mattzcarey mattzcarey disabled auto-merge July 1, 2026 08:17
@mattzcarey mattzcarey enabled auto-merge (squash) July 1, 2026 08:17

@claude claude Bot left a comment

LGTM — routine Dependabot bump of changesets/action from 1.7.0 to 1.9.0, with the pinned SHA matching the upstream v1.9.0 release commit and both usages in the workflow updated consistently.

Extended reasoning...

Overview

This PR is a Dependabot dependency bump touching only .github/workflows/release.yml. It updates the pinned commit SHA for changesets/action from 6a0a831f (v1.7.0) to a45c4d59 (v1.9.0) in both places the action is used (the Version Packages PR step and the Publish step). The new SHA matches the v1.9.0 release commit listed in the upstream repository's commit history included in the PR description.

Security risks

Minimal. The action remains SHA-pinned (not a mutable tag), which preserves supply-chain integrity — the update simply moves the pin to the upstream v1.9.0 release commit. The 1.8.0/1.9.0 changes are additive (new sub-actions, draft-PR input) plus patch fixes; none alter the token handling or publish flow used by this workflow. Existing permissions (contents: write, pull-requests: write for versioning; id-token: write for OIDC publish) are unchanged and sufficient.

Level of scrutiny

This touches the release/publish pipeline, which warrants some care, but the change itself is a mechanical, SHA-pinned minor version bump of a widely used first-party changesets action, with no configuration or input changes. Per the repo's review conventions on CI/GitHub Actions diffs, no unverified failure claims apply here, and the workflow inputs (publish: pnpm run ci:publish, GITHUB_TOKEN, NPM_CONFIG_PROVENANCE) are untouched and remain compatible with 1.9.0.

Other factors

No changeset is needed since this doesn't affect published packages. No bugs were found by the bug-hunting system, and there are no outstanding reviewer comments. Both usages of the action were updated consistently, so there is no partial-migration concern.

@mattzcarey mattzcarey merged commit 2f4ad13 into main Jul 1, 2026
21 checks passed
@mattzcarey mattzcarey deleted the dependabot/github_actions/changesets/action-1.9.0 branch July 1, 2026 08:19