@dependabot dependabot bot commented on behalf of github Nov 26, 2025

Bumps qltysh/qlty-action from 92420f3093ba65970fed22ce5f162ecb8a5c1700 to c1d9ae56aba737dfb3c83921007a2610f1dad51c.

Changelog

Sourced from qltysh/qlty-action's changelog.

v2.2.0 (2025-08-11)

  • Testing release process (no changes)

v2.1.0 (2025-08-08)

New

  • support "dry-run" option for command complete

Improved

  • Use log level "error" instead of "warning" when a catastrophic error occurs but "skip-errors" is true

Fixed

  • Ignore "validate" option when command is "complete" (otherwise errors with invalid option)

v2.0.0 (2025-08-05)

This release mirrors the breaking change we introduced in the qlty CLI proper: we now validate coverage data by default instead of uploading coverage data to qlty that qlty cannot use. Now you must opt out of this behavior, whereas previously you had to opt in.

What This Means for You:

  • If coverage reporting is working as expected, you'll experience no impact. If you're uploading valid reports and seeing directory and file-level coverage metrics in Qlty, you don't need to do anything. (If your reports include mismatched paths, you'll see specific path errors listed within your CI output)
  • Potential CI Build Failures: Once this change is implemented, if your current CI/CD pipeline uploads a report with mismatched paths, your builds will begin to fail when executing qlty coverage publish.
  • Quick Fix for Build Failures: If your builds start failing and you need to get them passing immediately, you can temporarily add validate: false to the GitHub Action configuration. This will disable validation and allow your CI build to pass (though your coverage data will remain broken until you've uploaded a valid report).

We believe this change will significantly improve the accuracy and usability of your coverage data within Qlty. If you have any questions or require assistance, please don't hesitate to contact our support team.

v1.2.0 (2025-08-04)

Fixed

  • Ensure correct commit sha provided from PRs for 'complete' action (#125)
  • More robust error output in face of unknown errors (#121)
  • Set output directory to RUNNER_TEMP (#110)

Thank you, @enell for your contribution!

v1.1.1 (2025-06-25)

Improved

  • Make files arg optional for complete (#112)

v1.1.0 (2025-05-15)

... (truncated)

Commits

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow dependencies to latest versions for improved tool compatibility and stability.

dependabot bot commented on behalf of github Nov 26, 2025

Labels

The following labels could not be found: skip news. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot requested a review from a team as a code owner November 26, 2025 21:21
codecov bot commented Nov 26, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0%. Comparing base (134386f) to head (e0b01e8).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@     Coverage Diff     @@
##   main   #226   +/-   ##
===========================
===========================

@dependabot dependabot bot force-pushed the dependabot/github_actions/qltysh/qlty-action-c1d9ae56aba737dfb3c83921007a2610f1dad51c branch 2 times, most recently from 6ecea47 to 3b9429f Compare December 5, 2025 10:18
Bumps [qltysh/qlty-action](https://github.com/qltysh/qlty-action) from 92420f3093ba65970fed22ce5f162ecb8a5c1700 to c1d9ae56aba737dfb3c83921007a2610f1dad51c.
- [Release notes](https://github.com/qltysh/qlty-action/releases)
- [Changelog](https://github.com/qltysh/qlty-action/blob/main/CHANGELOG.md)
- [Commits](qltysh/qlty-action@92420f3...c1d9ae5)

---
updated-dependencies:
- dependency-name: qltysh/qlty-action
  dependency-version: c1d9ae56aba737dfb3c83921007a2610f1dad51c
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/github_actions/qltysh/qlty-action-c1d9ae56aba737dfb3c83921007a2610f1dad51c branch from 3b9429f to e0b01e8 Compare December 5, 2025 10:25
Artmann commented Dec 5, 2025

@coderabbitai Review this please

@Artmann Artmann enabled auto-merge (squash) December 5, 2025 10:27
coderabbitai bot commented Dec 5, 2025

@Artmann I'll review the changes now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai bot commented Dec 5, 2025

Walkthrough

The CI workflow's qlty action install step was updated to use a different commit reference, changing from 92420f3093ba65970fed22ce5f162ecb8a5c1700 to c1d9ae56aba737dfb3c83921007a2610f1dad51c. No changes to workflow logic or behavior.

Pre-merge checks

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | Title clearly identifies the dependency bump from one commit to another with specific commit hashes, accurately reflecting the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 134386f and e0b01e8.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (1 hunks)
🔇 Additional comments (2)
.github/workflows/ci.yml (2)

74-74: Security improvement noted: --ignore-scripts added to npm install.

The updated action includes a helpful security fix (commit fb4768f) that adds --ignore-scripts to npm install, reducing supply-chain attack surface.


74-74: Dependency update is compatible with current configuration.

The qlty-action v2.0.0 update includes security improvements (--ignore-scripts for npm install). The referenced breaking change regarding coverage data validation does not apply to this project, as coverage validation is not configured and coverage is explicitly excluded from qlty checks. CI should pass without requiring configuration changes.



@Artmann Artmann merged commit 1851599 into main Dec 5, 2025
13 checks passed
@Artmann Artmann deleted the dependabot/github_actions/qltysh/qlty-action-c1d9ae56aba737dfb3c83921007a2610f1dad51c branch December 5, 2025 10:31