
Fix: validate action runs.main before bumping SHAs#738

Draft
yogendrasinghx wants to merge 9 commits into main from
yogendrasingh/p-1330-playwright-ci-failing-broken-vercelrepository-dispatch

Conversation

@yogendrasinghx

@yogendrasinghx yogendrasinghx commented Apr 6, 2026

🛠️ PR Summary

Made with ❤️ by Ultralytics Actions

🌟 Summary

Adds a validation step to confirm an action’s manifest and declared runs.main entrypoint exist before updating pinned SHAs, preventing invalid Dependabot-style bumps. 🔍

📊 Key Changes

  • Introduces action_is_valid(action, ref, token) in actions/dependabot.py to verify action.yml or action.yaml exists for a target ref.
  • Parses the action manifest’s runs block and checks whether any declared main JavaScript entrypoint is present in the repository contents.
  • Skips SHA updates when the manifest or referenced entrypoint is missing, with a clear warning message in the action output. ⚠️
  • Integrates validation into the update flow before accepted refs are added to the list of dependency updates.

🎯 Purpose & Impact

  • Prevents bumping to broken action refs that publish a tag or commit without a usable manifest or entrypoint. ✅
  • Improves reliability of automated SHA updates in ultralytics/actions by catching invalid upstream releases earlier.
  • Reduces the chance of downstream CI failures caused by referencing incomplete or misconfigured GitHub Actions. 🛠️

@UltralyticsAssistant UltralyticsAssistant added labels bug (Something isn't working), devops (GitHub Devops or MLops), fixed (Bug has been resolved) on Apr 6, 2026
@UltralyticsAssistant

👋 Hello @yogendrasinghx, thank you for submitting an ultralytics/actions 🚀 PR! This is an automated message to help streamline review, and an engineer will assist you shortly. Please review the checklist below to help ensure a smooth integration of your changes 😊

  • Define a Purpose: Clearly explain the purpose of your fix or feature in your PR description, and link to any relevant issues. Ensure your commit messages are clear, concise, and adhere to the project's conventions.
  • Synchronize with Source: Confirm your PR is synchronized with the ultralytics/actions main branch. If it's behind, update it by clicking the 'Update branch' button or by running git pull and git merge main locally.
  • Ensure CI Checks Pass: Verify all Ultralytics Continuous Integration (CI) checks are passing. If any checks fail, please address the issues.
  • Update Documentation: Update the relevant documentation for any new or modified features.
  • Add Tests: If applicable, include or update tests to cover your changes, and confirm that all tests are passing.
  • Sign the CLA: Please ensure you have signed our Contributor License Agreement if this is your first Ultralytics PR by writing "I have read the CLA Document and I sign the CLA" in a new message.
  • Minimize Changes: Limit your changes to the minimum necessary for your bug fix or feature addition. "It is not daily increase but daily decrease, hack away the unessential. The closer to the source, the less wastage there is." — Bruce Lee

For more guidance, please refer to our Contributing Guide. Don't hesitate to leave a comment if you have any questions. Thank you for contributing to Ultralytics! 🚀

@codecov

codecov bot commented Apr 6, 2026

Codecov Report

❌ Patch coverage is 0% with 55 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| actions/dependabot.py | 0.00% | 55 Missing ⚠️ |

📢 Thoughts on this report? Let us know!


@UltralyticsAssistant UltralyticsAssistant left a comment


🔍 PR Review

Made with ❤️ by Ultralytics Actions

Nice addition overall—the validation step should prevent many bad SHA bumps. I found two correctness gaps to address before merging: JavaScript actions with runs.using: node* but missing main are still treated as valid, and relative runs.main paths can be mis-resolved during the entrypoint existence check.

💬 Posted 2 inline comments

@yogendrasinghx yogendrasinghx marked this pull request as draft April 6, 2026 13:50

@UltralyticsAssistant UltralyticsAssistant left a comment


🔍 PR Review 2

Made with ❤️ by Ultralytics Actions

Good safeguard overall for broken action bumps, but the new validation currently treats reusable workflows as invalid actions and will skip legitimate updates. Fixing that edge case would make this PR safe to merge.

💬 Posted 1 inline comment


@UltralyticsAssistant UltralyticsAssistant left a comment


🔍 PR Review 3

Made with ❤️ by Ultralytics Actions

Good addition overall: validating action refs before bumping SHAs should prevent a real class of broken updates. The main issue is that the reusable-workflow exclusion regex is currently wrong and will cause valid workflow refs to be skipped. I also see a reliability risk from regex-parsing YAML, which can misclassify valid manifests depending on formatting.

💬 Posted 2 inline comments
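An added illustration of the validation the PR describes (example code, not the project's actions/dependabot.py), written to cover the edge cases raised across the three reviews: a node* action with no runs.main is rejected, relative entrypoint paths are normalised before the lookup, reusable-workflow refs are exempted, and the manifest is consumed as parsed YAML rather than regex-matched. The GitHub contents API call is replaced by a constructed files mapping; the regex, sample repositories and action names are assumptions.

```python
"""Added illustration of the validation idea; not the actions/dependabot.py code.
The GitHub API lookup is replaced by a constructed `files` mapping: repo path ->
parsed manifest dict (as yaml.safe_load returns) for action.yml/action.yaml,
or None for every other file present at the ref."""
from __future__ import annotations

import posixpath
import re

# Reusable workflows (owner/repo/.github/workflows/x.yml) carry no action
# manifest, so they must be exempted instead of being reported as invalid.
REUSABLE_WORKFLOW_RE = re.compile(r"^[\w.-]+/[\w.-]+/\.github/workflows/[^/@]+\.ya?ml$")

def normalize_entrypoint(path: str) -> str:
    """Map './dist/index.js' or 'dist//index.js' to the listing form 'dist/index.js'."""
    return posixpath.normpath(path.strip()).lstrip("/")

def action_ref_is_valid(action: str, files: dict[str, dict | None]) -> tuple[bool, str]:
    """Return (ok, reason) for a `uses:` target (without @ref) and the files at that ref."""
    if REUSABLE_WORKFLOW_RE.match(action):
        return True, "reusable workflow, no action manifest expected"
    manifest = next((files[n] for n in ("action.yml", "action.yaml") if n in files), None)
    if not isinstance(manifest, dict):
        return False, "ref has no parseable action.yml or action.yaml"
    runs = manifest.get("runs")
    if not isinstance(runs, dict) or "using" not in runs:
        return False, "manifest lacks a runs.using block"
    if not str(runs["using"]).startswith("node"):
        return True, f"{runs['using']} action, no JavaScript entrypoint required"
    main = runs.get("main")  # a node* action without main is broken, not valid
    if not isinstance(main, str) or not main.strip():
        return False, "JavaScript action declares no runs.main"
    entry = normalize_entrypoint(main)
    if entry.startswith("..") or entry not in files:
        return False, f"runs.main points at missing file {entry!r}"
    return True, f"entrypoint {entry!r} present"

# Constructed sample refs, one per scenario the reviews discuss.
SAMPLES = {
    "good": {"action.yml": {"runs": {"using": "node20", "main": "./dist/index.js"}}, "dist/index.js": None},
    "node_without_main": {"action.yml": {"runs": {"using": "node20"}}, "dist/index.js": None},
    "missing_entrypoint": {"action.yaml": {"runs": {"using": "node16", "main": "dist/index.js"}}},
    "tag_without_manifest": {"README.md": None},
    "docker": {"action.yml": {"runs": {"using": "docker", "image": "Dockerfile"}}, "Dockerfile": None},
}

def check_samples() -> dict[str, bool]:
    """Decide bump (True) or skip (False) for each constructed sample."""
    return {name: action_ref_is_valid("octo/example-action", files)[0] for name, files in SAMPLES.items()}
```

In the real flow the `files` mapping would come from the repository contents listing for the candidate ref, and `action_ref_is_valid` would gate the ref before it is appended to the update list.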

yogendrasinghx and others added 3 commits April 6, 2026 20:10
…ci-failing-broken-vercelrepository-dispatch' into yogendrasingh/p-1330-playwright-ci-failing-broken-vercelrepository-dispatch

# Conflicts:
#	actions/dependabot.py
@glenn-jocher

@yogendrasinghx I've merged the companion PR in portal. Is this one good to merge?


3 participants