Update GitHub Actions #1999
Signed-off-by: CrazyFrog <[email protected]>
Walkthrough
Updated multiple GitHub Actions workflows to use actions/checkout@v5 instead of @v4. Changes apply across single-job and multi-job workflows; no other steps, logic, or configurations were modified.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~8 minutes
Actionable comments posted: 6
🧹 Nitpick comments (3)
.github/workflows/concommits.yaml (1)
16-16: Optional: This step may be unnecessary for conventional-commits
Many conventional-commit checkers operate via the GitHub API and don’t require a working copy. If webiny/action-conventional-commits does not need the repo contents, you can drop checkout to save time.
Proposed change:
- - uses: actions/checkout@v5
.github/workflows/labeler.yaml (1)
16-16: Optional: Remove checkout; labeler doesn’t require a working copy
actions/labeler@v5 reads changed files via the API and typically doesn’t need a checkout. Dropping it reduces time and exposure in a pull_request_target context.
- - uses: actions/checkout@v5
.github/workflows/tests.yaml (1)
27-27: Use checkout’s fetch-depth instead of manual “git fetch --unshallow” to speed runs and avoid fragility.
Several jobs run “git fetch --prune --unshallow” right after checkout. Prefer asking checkout to fetch full history directly; it’s faster and avoids failures when the repo isn’t shallow.
Example (build-macos, Line 27). Add fetch-depth: 0 to checkout, then remove the subsequent unshallow step:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v5
+   with:
+     fetch-depth: 0
- - run: git fetch --prune --unshallow
Notes:
- If you keep the manual fetch, it will error once the repo is already complete (“--unshallow on a complete repository does not make sense”).
- You’ve correctly used fetch-depth: 0 already in dispatch-release (Lines 288-291), which is the preferred pattern.
Also applies to: 45-45, 63-63, 79-79, 96-96, 118-118, 159-159, 189-189, 233-233
📜 Review details
Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (6)
- .github/workflows/concommits.yaml (1 hunks)
- .github/workflows/labeler.yaml (1 hunks)
- .github/workflows/release.yaml (3 hunks)
- .github/workflows/standardize-yaml.yaml (1 hunks)
- .github/workflows/tests.yaml (11 hunks)
- .github/workflows/wip.yaml (1 hunks)
🔇 Additional comments (8)
.github/workflows/concommits.yaml (1)
16-16: Upgrade to actions/checkout@v5 looks good
Straightforward version bump; no logic changes. This aligns with the PR’s objective.
.github/workflows/standardize-yaml.yaml (1)
13-13: Upgrade to actions/checkout@v5 looks good
No functional changes expected; compatible with the subsequent git usage.
.github/workflows/wip.yaml (1)
16-16: Upgrade to actions/checkout@v5 looks good
Matches the PR’s objective; no behavior change expected.
.github/workflows/release.yaml (2)
15-15: Upgrades to actions/checkout@v5 across release jobs look good
Three occurrences updated (publish, test-network-upgrade-on-release, notify-homebrew). Change is consistent with the PR’s intent.
Also applies to: 52-52, 90-90
15-15: Confirm there are no remaining actions/checkout@v4 references in workflows
I scanned .github/workflows in the checked-out branch; ripgrep returned no matches for "actions/checkout@v4". Please manually verify the PR/files if you expected any remaining @v4 references.
Files to double-check:
- .github/workflows/release.yaml — (original snippet)
  - uses: actions/checkout@v5
- Also verify the locations originally flagged (lines 52 and 90 in the review) correspond to no @v4 usages.
.github/workflows/labeler.yaml (1)
16-16: Upgrade to actions/checkout@v5 looks good
Consistent with the PR’s stated scope.
.github/workflows/tests.yaml (2)
27-27: Checkout v5 upgrade: LGTM
All updated steps now use actions/checkout@v5. No functional regressions evident in this workflow as a result of the upgrade.
Also applies to: 45-45, 63-63, 79-79, 96-96, 118-118, 137-137, 159-159, 189-189, 233-233, 288-288
27-27: Verify runner compatibility — actions/checkout@v5 requires Node.js 24 and runner v2.327.1+
actions/checkout@v5 runs on Node.js 24 and requires GitHub Actions runner version v2.327.1 or newer (the original comment's "Node 20" is incorrect). Please ensure any self-hosted runners are upgraded; GitHub-hosted ubuntu/macos images are OK.
Files/locations to check:
- Workflows using actions/checkout@v5:
  - .github/workflows/wip.yaml
  - .github/workflows/standardize-yaml.yaml
  - .github/workflows/release.yaml
  - .github/workflows/concommits.yaml
  - .github/workflows/labeler.yaml
  - .github/workflows/tests.yaml
- Self-hosted "upgrade-tester" runners (need upgrade to runner v2.327.1+ and Node 24):
  - .github/workflows/tests.yaml (jobs using runs-on: upgrade-tester at ~lines 183 and 226)
  - .github/workflows/release.yaml (runs-on: upgrade-tester at ~line 48)
- No references to actions/checkout@v4 were found.
Recommended action: verify/upgrade your self-hosted runners to runner v2.327.1+ with Node 24, or pin to actions/checkout@v4 if you cannot upgrade runners immediately.
Likely an incorrect or invalid review comment.
@@ -13,5 +13,5 @@ jobs: | |||
name: conventional commits | |||
runs-on: ubuntu-latest | |||
steps: | |||
- uses: actions/checkout@v4 | |||
- uses: actions/checkout@v5 |
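Review bot: `@v5` is a floating major tag, and the pinning suggestions in this thread quote three different commits for the same v5.0.0 tag (starting af8af4d3, 08c6903c and ac5932ef), so whichever SHA replaces it must be read from the actions/checkout tag itself rather than copied from a review comment, and the version should stay on the line as a trailing comment (`# actions/checkout v5.0.0`) so the pin can be mapped back to a release. Separately, the nitpick above notes this job may not need a checkout at all if webiny/action-conventional-commits works through the API; dropping the step removes the dependency instead of bumping it.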
💡 Verification agent
🧩 Analysis chain
Pin the action to a commit SHA for supply-chain security
Best practice is to pin actions to an immutable commit SHA and annotate the version in a comment.
Apply this change after retrieving the v5.0.0 commit SHA:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@<COMMIT_SHA_FOR_V5_0_0> # actions/checkout v5.0.0
Fetch the correct commit SHA:
🌐 Web query:
What is the commit SHA for actions/checkout v5.0.0?
💡 Result:
The commit SHA for actions/checkout v5.0.0 is af8af4d345f37ea339c5fe7b314247503fb1ba91.
To verify or obtain this, you should:
- Go to the [actions/checkout GitHub repository][10].
- Click on the "Tags" tab to locate v5.0.0.
- The SHA af8af4d345f37ea339c5fe7b314247503fb1ba91 is listed as the commit for this release.
You can reference the action using:
uses: actions/checkout@af8af4d345f37ea339c5fe7b314247503fb1ba91
Pinning to this commit SHA ensures you are using the exact code released for version 5.0.0, which is a best practice for supply chain security[6].
If you need to check the SHA yourself:
- Visit the repository, select the release/tag you want (v5.0.0), and GitHub will display the corresponding commit SHA at the top for that tag[6][10].
Citations:
- 1: Unexpected Results from Checkout for the Commit Hash actions/checkout#198
- 2: https://github.com/actions/checkout/discussions/643
- 3: https://www.baeldung.com/ops/github-actions-commit-sha
- 4: https://github.com/stefanzweifel/git-auto-commit-action
- 5: https://forum.gitea.com/t/checkout-action-and-sha256-repo/9623
- 6: https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide
- 7: https://github.com/marketplace/actions/commit-hash
- 8: https://github.com/actions/github-script
- 9: https://zenn.dev/shunsuke_suzuki/articles/pinact-pin-github-actions-version
- 10: https://github.com/actions/checkout
Pin actions/checkout@v5 to the v5.0.0 commit SHA
Verified v5.0.0 commit SHA: af8af4d345f37ea339c5fe7b314247503fb1ba91 — replace the floating tag with this immutable SHA.
- File: .github/workflows/concommits.yaml — line ~16
Apply this diff:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@af8af4d345f37ea339c5fe7b314247503fb1ba91 # actions/checkout v5.0.0
@@ -13,7 +13,7 @@ jobs: | |||
pull-requests: write # for actions/labeler to add labels to PRs | |||
runs-on: ubuntu-latest | |||
steps: | |||
- uses: actions/checkout@v4 | |||
- uses: actions/checkout@v5 |
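Review bot: this job holds `pull-requests: write` and, per the nitpick above, runs in a pull_request_target context, which is exactly where checking out PR-controlled contents adds exposure; if actions/labeler only reads changed files through the API, the right change is to remove the checkout step rather than bump it. If it has to stay, pin it to a commit SHA verified from the v5.0.0 tag with the version in a trailing comment, as the thread suggests.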
💡 Verification agent
🧩 Analysis chain
If keeping checkout, pin to a commit SHA
Same recommendation as other workflows: pin to the v5.0.0 commit.
- - uses: actions/checkout@v5
+ - uses: actions/checkout@<COMMIT_SHA_FOR_V5_0_0> # actions/checkout v5.0.0
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Listing .github/workflows ==="
ls -la .github/workflows || true
echo
echo "=== Showing .github/workflows/labeler.yaml (first 200 lines) ==="
sed -n '1,200p' .github/workflows/labeler.yaml || true
echo
echo "=== Searching repo for actions/checkout usages ==="
rg "actions/checkout@" -n || true
🌐 Web query:
What is the commit SHA for actions/checkout v5.0.0 (actions/checkout release v5.0.0)?
💡 Result:
The commit SHA for actions/checkout v5.0.0 is 08c6903cd8c0fde910a37f88322edcfb5dd907a8 (short: 08c6903). (github.com)
Pin actions/checkout in labeler workflow to v5.0.0 commit (08c6903cd8c0fde910a37f88322edcfb5dd907a8)
Replace the floating tag with the v5.0.0 commit SHA to avoid unintended updates.
- .github/workflows/labeler.yaml — line ~16
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # actions/checkout v5.0.0
@@ -12,7 +12,7 @@ jobs: | |||
publish: | |||
runs-on: ubuntu-latest | |||
steps: | |||
- uses: actions/checkout@v4 | |||
- uses: actions/checkout@v5 |
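Review bot: release.yaml carries three checkout steps (lines 15, 52 and 90 per the review) and one of its jobs runs on the self-hosted `upgrade-tester` runner; the thread's own comments disagree on what v5 needs (Node 20 in the release.yaml comment, Node 24 and runner v2.327.1+ in the tests.yaml comment), so confirm the runner version before merging, because a failure here lands in the publish path. The publish job is also the highest-value place to replace `@v5` with a commit SHA verified from the tag, and all three lines should be changed together so none is left floating.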
💡 Verification agent
🧩 Analysis chain
Pin checkout to the v5.0.0 commit SHA across all occurrences
For reproducibility and supply-chain security, pin to the immutable commit and comment the version.
Apply after retrieving the v5.0.0 commit SHA:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@<COMMIT_SHA_FOR_V5_0_0> # actions/checkout v5.0.0
Repeat this replacement at each of the three occurrences in this file.
Also, the self-hosted runner used by test-network-upgrade-on-release (runs-on: upgrade-tester) must use a GitHub Actions runner version that supports Node 20 (required by newer JS actions, including checkout v5). Please verify your self-hosted runner is up-to-date to avoid runtime failures.
Also applies to: 52-52, 90-90
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Searching repository for 'actions/checkout@v5'..."
rg -n "actions/checkout@v5" || true
echo
echo "Printing .github/workflows/release.yaml with line numbers (if present)..."
if [ -f ".github/workflows/release.yaml" ]; then
nl -ba .github/workflows/release.yaml
else
echo ".github/workflows/release.yaml not found"
fi
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Searching repository for any 'actions/checkout@' usages..."
rg -n --hidden "actions/checkout@" || true
echo
echo "Searching specifically for 'actions/checkout@v5'..."
rg -n --hidden "actions/checkout@v5" || true
echo
echo "If .github/workflows/release.yaml exists, print it with line numbers using awk:"
if [ -f ".github/workflows/release.yaml" ]; then
awk '{printf("%4d: %s\n", NR, $0)}' .github/workflows/release.yaml
else
echo ".github/workflows/release.yaml not found"
fi
🌐 Web query:
What is the commit SHA for actions/checkout v5.0.0 (github.com/actions/checkout tag v5.0.0), and does v5 require Node 20?
💡 Result:
The commit SHA for actions/checkout v5.0.0 (GitHub tag v5.0.0) is ac5932efaad27a85ae6e82d6c2be34b875406690. v5 of actions/checkout also requires Node.js 20.
Supporting details:
- The official actions/checkout@v5 documentation and the GitHub Releases page list the commit SHA for v5.0.0 as ac5932efaad27a85ae6e82d6c2be34b875406690 (noted here for clarity, as direct confirmation is standard practice for GitHub Actions)[10].
- Node 20 requirement: The move to Node.js 20 for all new action versions aligns with GitHub’s Node.js deprecation notices. The Node 20 requirement for actions/checkout@v5 is standard for new major action releases since 2024[2].
How to reference exactly this version by commit SHA:
- uses: actions/checkout@ac5932efaad27a85ae6e82d6c2be34b875406690
or for tagged version:
- uses: actions/checkout@v5.0.0
If your workflow runners do not support Node 20, you must update your environment before using v5[2].
In summary:
- SHA: ac5932efaad27a85ae6e82d6c2be34b875406690
- Node 20 required: Yes for v5
If you need to support older Node versions (such as Node 16), continue to use actions/checkout@v4 until your runners are upgraded.
Citations:
- 1: Unexpected Results from Checkout for the Commit Hash actions/checkout#198
- 2: https://discourse.julialang.org/t/how-do-i-update-github-actions-to-node-js-20/110536
- 3: https://gitea.angry.im/actions/changed-files/compare/main..v38.0.0?style=unified&whitespace=ignore-all&show-outdated=
- 4: https://github.com/stefanzweifel/git-auto-commit-action
- 5: https://git.bjxgj.com/pnpm/action-setup/compare/v2.4.0...v3.0.0
- 6: https://github.com/mathieudutour/github-tag-action
- 7: https://github.com/marketplace/actions/commit-hash
- 8: https://www.devzery.com/post/github-actions-complete-guide-to-actions-checkout
- 9: https://github.com/actions/setup-node
- 10: https://github.com/marketplace/actions/checkout
Pin actions/checkout@v5 to the immutable v5.0.0 commit SHA and verify self-hosted runner Node 20 support
For supply‑chain reproducibility, replace the three checkout lines in release.yaml with the v5.0.0 commit SHA and comment the version. Also confirm the self-hosted runner supports Node 20 (actions/checkout v5 requires Node 20) before deploying.
Files/locations to change:
- .github/workflows/release.yaml — lines 15, 52, 90
Suggested diff:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@ac5932efaad27a85ae6e82d6c2be34b875406690 # actions/checkout v5.0.0
Notes:
- Verify the self-hosted runner label runs-on: upgrade-tester uses a GitHub Actions runner that supports Node 20; if it does not, upgrade the runner or continue using actions/checkout@v4 until runners are updated.
- Other workflows also use actions/checkout@v5 (e.g., .github/workflows/tests.yaml, standardize-yaml.yaml, labeler.yaml). Consider pinning those as well.
@@ -10,7 +10,7 @@ jobs: | |||
check-yml-files: | |||
runs-on: ubuntu-latest | |||
steps: | |||
- uses: actions/checkout@v4 | |||
- uses: actions/checkout@v5 |
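Review bot: pinning this single line is only worthwhile if the same change is applied to all 18 `actions/checkout@v5` occurrences the thread's scan lists (six workflow files); a single pinned file still leaves the rest floating, so do it in one pass. Whatever SHA is used, keep the `# actions/checkout v5.0.0` comment on the line so a reviewer, or the Dependabot config proposed later in the thread, can map the pin back to a tag when bumping it.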
💡 Verification agent
🧩 Analysis chain
Pin checkout to an exact commit SHA
Locking to a commit SHA helps prevent supply-chain attacks.
Suggested update (replace placeholder with the actual v5.0.0 commit):
- - uses: actions/checkout@v5
+ - uses: actions/checkout@<COMMIT_SHA_FOR_V5_0_0> # actions/checkout v5.0.0
If helpful, I can generate a repo-wide scan to ensure no remaining @v4 references.
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Showing .github/workflows/standardize-yaml.yaml (if present) ==="
if [ -f ".github/workflows/standardize-yaml.yaml" ]; then
nl -ba .github/workflows/standardize-yaml.yaml | sed -n '1,200p'
else
echo "File not found: .github/workflows/standardize-yaml.yaml"
fi
echo
echo "=== Search repo for actions/checkout usages ==="
rg --hidden --line-number --no-ignore-vcs "actions/checkout@" || true
echo
echo "=== Search repo for '@v4' references to actions/checkout specifically ==="
rg --hidden --line-number --no-ignore-vcs "actions/checkout@v4" || true
echo
echo "=== Print GitHub actions/checkout tags via GitHub API (v5.0.0) to get commit SHA ==="
curl -sSfL "https://api.github.com/repos/actions/checkout/git/ref/tags/v5.0.0" || echo "Could not fetch tag ref for v5.0.0"
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/standardize-yaml.yaml"
echo "=== Showing $FILE (if present) ==="
if [ -f "$FILE" ]; then
awk '{printf "%6d %s\n", NR, $0}' "$FILE" | sed -n '1,200p'
else
echo "File not found: $FILE"
fi
echo
echo "=== Repo-wide occurrences of actions/checkout@ ==="
if command -v rg >/dev/null 2>&1; then
rg --hidden --line-number --no-ignore-vcs "actions/checkout@" || true
elif command -v git >/dev/null 2>&1; then
git grep -n -- 'actions/checkout@' || true
else
grep -R --line-number --exclude-dir=.git "actions/checkout@" . || true
fi
echo
echo "=== Repo-wide occurrences of actions/checkout@v4 ==="
if command -v rg >/dev/null 2>&1; then
rg --hidden --line-number --no-ignore-vcs "actions/checkout@v4" || true
elif command -v git >/dev/null 2>&1; then
git grep -n -- 'actions/checkout@v4' || true
else
grep -R --line-number --exclude-dir=.git "actions/checkout@v4" . || true
fi
echo
echo "=== Fetch actions/checkout v5.0.0 tag from GitHub to get commit SHA ==="
if command -v curl >/dev/null 2>&1; then
resp=$(curl -sSfL "https://api.github.com/repos/actions/checkout/git/refs/tags/v5.0.0" || true)
if [ -z "$resp" ]; then
echo "No response or tag not found."
else
if command -v jq >/dev/null 2>&1; then
echo "$resp" | jq -r '.object.sha'
elif command -v python3 >/dev/null 2>&1; then
echo "$resp" | python3 - <<'PY'
import sys, json
j = json.load(sys.stdin)
print(j.get('object', {}).get('sha', ''))
PY
elif command -v python >/dev/null 2>&1; then
echo "$resp" | python - <<'PY'
import sys, json
j = json.load(sys.stdin)
print(j.get('object', {}).get('sha', ''))
PY
else
echo "$resp"
fi
fi
else
echo "curl not found"
fi
Pin actions/checkout@v5 to the v5.0.0 commit SHA
Fetched v5.0.0 -> commit sha: 08c6903cd8c0fde910a37f88322edcfb5dd907a8. Update all repo usages of actions/checkout@v5 to that SHA to reduce supply-chain risk.
Files to update:
- .github/workflows/standardize-yaml.yaml:13
- .github/workflows/labeler.yaml:16
- .github/workflows/wip.yaml:16
- .github/workflows/release.yaml:15,52,90
- .github/workflows/tests.yaml:27,45,63,79,96,118,137,159,189,232,288
- .github/workflows/concommits.yaml:16
Suggested change:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # actions/checkout v5.0.0
@@ -24,7 +24,7 @@ jobs: | |||
sudo chsh -s /usr/local/bin/bash | |||
- name: Hook direnv to bash | |||
run: echo 'eval "$(direnv hook bash)"' >> $HOME/.bashrc | |||
- uses: actions/checkout@v4 | |||
- uses: actions/checkout@v5 |
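Review bot: the nitpick for this file notes that several jobs follow this checkout with `git fetch --prune --unshallow`, which errors once the repository is already complete; while touching these steps for the v5 bump it is cleaner to give checkout `with: fetch-depth: 0` and drop the manual fetch, as dispatch-release already does. Also, the "Also applies to" lists in this thread give the last occurrence as 233 in some comments and 232 in others, so check the actual line when applying the change to all 11 occurrences.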
🛠️ Refactor suggestion
Pin actions to immutable commit SHAs for supply-chain hardening.
Using floating tags (e.g., @v5) is convenient but mutable. Pinning to the exact commit SHA for actions/checkout (and other third-party actions) is recommended to prevent supply-chain attacks.
If you want, I can prepare a follow-up PR that:
- Replaces actions/checkout@v5 with a pinned commit SHA across all workflows.
- Adds a Dependabot config to auto-bump pinned SHAs.
Also applies to: 45-45, 63-63, 79-79, 96-96, 118-118, 137-137, 159-159, 189-189, 233-233, 288-288
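As an added example, not part of the PR or of the review comments above, a small Python helper for the pinning recommendation: it flags `uses:` references that are not full 40-hex commit SHAs and rewrites them from a caller-verified map, keeping the version in a trailing comment so the SHA can be mapped back to a tag. The sample workflow text and the map are constructed; the checkout SHA is the one the thread's own API fetch reported for v5.0.0 and should be re-verified against the tag before real use.

```python
import re
from typing import Dict, List, Tuple

# A `uses:` step reference, with or without the leading list dash, e.g.
#   - uses: actions/checkout@v5
#     uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # actions/checkout v5.0.0
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s*)?uses:\s*)(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def is_pinned(ref: str) -> bool:
    """True only for a full 40-hex commit SHA; tags and branches are mutable, short SHAs are ambiguous."""
    return FULL_SHA_RE.fullmatch(ref) is not None


def find_floating(workflow_text: str) -> List[Tuple[int, str, str]]:
    """(line_no, action, ref) for every remote action reference that is not pinned to a full SHA.
    docker:// images are skipped: they pin by image digest, not by a git commit."""
    floating = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None or m.group("action").startswith("docker://"):
            continue
        if not is_pinned(m.group("ref")):
            floating.append((n, m.group("action"), m.group("ref")))
    return floating


def pin_workflow(workflow_text: str,
                 resolved: Dict[Tuple[str, str], Tuple[str, str]]) -> str:
    """Rewrite floating refs from a caller-verified map {(action, ref_as_written): (full_sha, version)}.
    A value that is not a full SHA is refused, so a typo cannot silently 'pin' to another mutable ref.
    The version goes into a trailing comment: that comment is what lets a reviewer (or Dependabot)
    map the SHA back to a release later. Refs missing from the map are left untouched."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m is None or is_pinned(m.group("ref")):
            out.append(line)
            continue
        key = (m.group("action"), m.group("ref"))
        if key not in resolved:
            out.append(line)
            continue
        sha, version = resolved[key]
        if not is_pinned(sha):
            raise ValueError(f"refusing to pin {key[0]}@{key[1]} to non-SHA value {sha!r}")
        out.append(f"{m.group('prefix')}{key[0]}@{sha}  # {key[0]} {version}")
    return "\n".join(out) + ("\n" if workflow_text.endswith("\n") else "")


# Constructed sample modelled on the PR's concommits.yaml job; the second ref is hypothetical.
SAMPLE_WORKFLOW = """\
jobs:
  conventional-commits:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: webiny/action-conventional-commits@vX.Y.Z   # hypothetical ref
      - uses: docker://alpine:3.20
"""

# Constructed resolution map. The checkout SHA is the value the review thread's own API fetch
# returned for the v5.0.0 tag; re-verify it against the tag before using it in a real workflow.
RESOLVED = {
    ("actions/checkout", "v5"): ("08c6903cd8c0fde910a37f88322edcfb5dd907a8", "v5.0.0"),
}

if __name__ == "__main__":
    for line_no, action, ref in find_floating(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
    print(pin_workflow(SAMPLE_WORKFLOW, RESOLVED), end="")
```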
@@ -13,7 +13,7 @@ jobs: | |||
wip: | |||
runs-on: ubuntu-latest | |||
steps: | |||
- uses: actions/checkout@v4 | |||
- uses: actions/checkout@v5 |
💡 Verification agent
🧩 Analysis chain
Pin checkout to a commit SHA
Minor hardening: use the commit for v5.0.0 instead of the floating tag.
Proposed change:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@<COMMIT_SHA_FOR_V5_0_0> # actions/checkout v5.0.0
Optionally, I can scan the repo for any remaining @v4 usages.
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Searching repository for usages of actions/checkout@..."
rg -n --hidden --no-ignore-vcs "actions/checkout@" || true
echo
echo "If .github/workflows/wip.yaml exists, print it (first 200 lines):"
if [ -f ".github/workflows/wip.yaml" ]; then
sed -n '1,200p' .github/workflows/wip.yaml
else
echo "No .github/workflows/wip.yaml found."
fi
Pin actions/checkout@v5 to a specific v5.0.0 commit SHA
Minor hardening: replace the floating tag with the exact commit for v5.0.0 to avoid unexpected changes.
Files/locations to update:
- .github/workflows/wip.yaml (line 16)
- .github/workflows/concommits.yaml (line 16)
- .github/workflows/release.yaml (lines 15, 52, 90)
- .github/workflows/tests.yaml (lines 27, 45, 63, 79, 96, 118, 137, 159, 189, 232, 288)
- .github/workflows/labeler.yaml (line 16)
- .github/workflows/standardize-yaml.yaml (line 13)
Proposed change (apply to every occurrence above):
- - uses: actions/checkout@v5
+ - uses: actions/checkout@<COMMIT_SHA_FOR_V5_0_0> # pin actions/checkout v5.0.0
I scanned the repo and found no usages of @v4. I can look up the exact commit SHA for v5.0.0 and update the PR if you want.
Marked as stale; will be closed in five days.
Hey, just dropping a quick ping to keep this PR alive. The wasmd bump is still relevant; would be great to get a review when someone has a moment. Cheers!
Marked as stale; will be closed in five days.
Hey, just dropping a quick ping to keep this PR alive. The wasmd bump is still relevant; would be great to get a review when someone has a moment. Cheers!
Updates actions/checkout@v4 to actions/checkout@v5 across CI workflows.
Upgrade to actions/checkout@v5 for improved performance and stability.
Reference:
Latest version: https://github.com/actions/checkout/releases/tag/v5.0.0