action-allowlist-review: bump nwtgck/actions-netlify from 3.0.0 to 4.0.0 in /.github/actions/for-dependabot-triggered-reviews#915

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/nwtgck/actions-netlify-4.0.0

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 6, 2026

Contributor

Bumps nwtgck/actions-netlify from 3.0.0 to 4.0.0.

Release notes

Sourced from nwtgck/actions-netlify's releases.

v4.0.0

https://github.com/nwtgck/actions-netlify/blob/develop/CHANGELOG.md

Changelog

Sourced from nwtgck/actions-netlify's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog

[Unreleased]

[4.0.0] - 2026-06-05

Changed

  • Update dependencies
  • Updates the default runtime to node24

[3.0.0] - 2024-03-10

Changed

  • Update dependencies
  • Updates the default runtime to node20

[2.1.0] - 2023-08-18

Changed

  • Update dependencies

Added

[2.0.0] - 2022-12-08

Changed

  • Update dependencies
  • Updates the default runtime to node16

[1.2.4] - 2022-10-14

Changed

  • Update dependencies

[1.2.3] - 2021-12-20

Changed

  • Update dependencies

[1.2.2] - 2021-05-08

Fixed

  • Fix GitHub deployment description

Changed

  • Update dependencies

[1.2.1] - 2021-05-05

Added

  • Add "fails-without-credentials" input to fail if the credentials are not provided #532

Changed

  • Update dependencies

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 6, 2026
@dependabot dependabot Bot requested review from dfoulks1 and potiuk as code owners June 6, 2026 13:18
@dependabot dependabot Bot added the github_actions Pull requests that update GitHub Actions code label Jun 6, 2026
@dependabot dependabot Bot requested a review from ppkarwasz as a code owner June 6, 2026 13:18
potiuk commented Jun 8, 2026

Member

@dependabot rebase

Bumps [nwtgck/actions-netlify](https://github.com/nwtgck/actions-netlify) from 3.0.0 to 4.0.0.
- [Release notes](https://github.com/nwtgck/actions-netlify/releases)
- [Changelog](https://github.com/nwtgck/actions-netlify/blob/develop/CHANGELOG.md)
- [Commits](nwtgck/actions-netlify@4cbaf4c...d22a32a)

---
updated-dependencies:
- dependency-name: nwtgck/actions-netlify
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/nwtgck/actions-netlify-4.0.0 branch from 7d3e847 to c455aa7 Compare June 8, 2026 16:15
potiuk commented Jun 11, 2026

Member

The verify gate fails this major bump on two counts:

  1. The published dist/ doesn't reproduce from source — rebuilding from the v4.0.0 source (after a tsconfig.json lib: ["es2022"] change) yields a different dist/index.js / dist/thread.js than what's committed.
  2. dist/elf_cam_bg.wasm ships in-tree with no provenance — the v4.0.0 release has no assets (no SHA256SUMS, no SLSA attestation).

So we can't tie the shipped bundle back to the reviewed source. I've filed nwtgck/actions-netlify#1242 upstream asking for a reproducible dist/ build and build provenance for the wasm.

Not merging for now. @dfoulks1 @ppkarwasz — do you think we hold this until upstream resolves #1242, or is there a path you'd prefer (e.g. pin back / drop the entry)? Opinions welcome.

potiuk commented Jun 13, 2026

Member

⚠️ Holding for manual security review — do not auto-merge.

The verify gate fails this major bump (3.0.0→4.0.0) on its two core reproducibility checks, not on a download-provenance technicality:

In-tree binary check     ✗  unverified binaries in repo (no SLSA attestation)
JS build verification    ✗  DIFFERENCES DETECTED
RESULT: Differences detected between published and rebuilt JS

The committed dist/ bundle for nwtgck/actions-netlify@v4.0.0 does not reproduce from source, and there are in-tree binaries without SLSA attestation. None of the trusted-download escape hatches apply here — this is the exact supply-chain signal the gate is meant to surface.

This may be benign (minifier/toolchain differences) or not — it needs a human to inspect the published-vs-rebuilt diff and the in-tree binaries before this can be approved. Flagging rather than merging.
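The two checks the comments above describe (committed dist/ versus a rebuild from the tagged source, and in-tree binaries with nothing vouching for them) can be demonstrated in isolation. The script below is an added illustration, not the project's own verify gate, whose implementation is not shown on this page. It assumes the rebuild step has already been run into a second directory (clone the tag, install, build), that an `attested` mapping stands in for whatever digest list a release publishes (a SHA256SUMS file or the subjects of a SLSA attestation), and that the sample trees in `demo()` are constructed; the file names mirror the ones named in the thread.

```python
"""Added example, not the project's verify gate: reproducibility and in-tree
binary checks over a published dist/ and a dist/ rebuilt from source.
Assumes (not from the page) the rebuild already exists on disk and that
`attested` maps relative path -> sha256 hex from a release digest list.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Magic bytes for binary formats likely to turn up in an action's dist/.
BINARY_MAGIC = {
    b"\x00asm": "wasm",
    b"\x7fELF": "elf",
    b"MZ": "pe",
    b"\xcf\xfa\xed\xfe": "mach-o",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: Path) -> dict[str, str]:
    """Map each file under root (posix-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def binary_kind(path: Path) -> str | None:
    """Return the format name if the file starts with a known binary magic."""
    with path.open("rb") as f:
        head = f.read(4)
    for magic, kind in BINARY_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def diff_dists(published: Path, rebuilt: Path) -> dict[str, list[str]]:
    """Check 1: does the committed dist/ match a rebuild from the tagged source?"""
    a, b = tree_digests(published), tree_digests(rebuilt)
    return {
        "only_in_published": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


def unattested_binaries(published: Path, attested: dict[str, str]) -> list[str]:
    """Check 2: in-tree binaries whose digest no release artifact vouches for."""
    flagged = []
    for rel, digest in tree_digests(published).items():
        kind = binary_kind(published / rel)
        if kind and attested.get(rel) != digest:
            flagged.append(f"{rel} ({kind})")
    return flagged


def verify_gate(published: Path, rebuilt: Path, attested: dict[str, str]) -> dict:
    """Combine both checks; the bump passes only if dist/ reproduces and every binary is attested."""
    diff = diff_dists(published, rebuilt)
    binaries = unattested_binaries(published, attested)
    reproducible = not any(diff.values())
    return {"reproducible": reproducible, "diff": diff,
            "unattested_binaries": binaries, "passed": reproducible and not binaries}


def _make_tree(root: Path, files: dict[str, bytes]) -> Path:
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root


def demo() -> dict[str, dict]:
    """Constructed sample: a failing bump shaped like the one in the thread, and a passing one."""
    tmp = Path(tempfile.mkdtemp())
    wasm = b"\x00asm\x01\x00\x00\x00"  # minimal wasm header, constructed
    published = _make_tree(tmp / "published", {
        "index.js": b"(()=>{var a=1;console.log(a)})();\n",  # minifier output as committed
        "thread.js": b"console.log('worker');\n",
        "elf_cam_bg.wasm": wasm,  # shipped in-tree, not produced by the JS build
    })
    rebuilt = _make_tree(tmp / "rebuilt", {
        "index.js": b"(()=>{let a=1;console.log(a)})();\n",  # toolchain emitted `let`, not `var`
        "thread.js": b"console.log('worker');\n",
    })
    failing = verify_gate(published, rebuilt, attested={})

    # Passing case: rebuild matches and the release publishes the wasm digest.
    good = _make_tree(tmp / "good", {"index.js": b"ok\n", "elf_cam_bg.wasm": wasm})
    good_rebuilt = _make_tree(tmp / "good_rebuilt", {"index.js": b"ok\n", "elf_cam_bg.wasm": wasm})
    passing = verify_gate(good, good_rebuilt,
                          attested={"elf_cam_bg.wasm": hashlib.sha256(wasm).hexdigest()})
    return {"failing": failing, "passing": passing}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running the script prints both reports; the failing one lists `index.js` under `changed` and `elf_cam_bg.wasm` as an unattested wasm binary, which is the shape of the two findings in the thread. A "changed" JS file is only a signal, not a verdict: the next step is still a human reading the published-versus-rebuilt diff to decide whether the difference is toolchain noise or something that should not be there, and a wasm whose digest appears in a published SHA256SUMS or attestation subject list stops being flagged.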
