ci: update GitHub Actions pins #28333
Update workflow actions and reusable workflows to latest stable commit SHAs while preserving version comments. Also harden lint workflow ref handling by passing GitHub ref contexts through environment variables before use in inline shell scripts.

Validation:
- actionlint v1.7.12 .github/workflows/*.yml
- YAML parse for workflow/action/dependabot files
- uv run pytest tests/test_lint_config.py -q
Local validation completed before opening this PR:
Note: GitHub Actions runs for this fork PR are currently in
Confirming downstream — applied just the Would be great to see this merged before the June 2 forced-Node-24 cutoff — that's when soft-warnings become hard-forces and silent breakages start showing up in actions that don't upgrade. Thanks for the broader hardening pass!
Verified this PR's pins while chasing the node20 deprecation annotations our CI emits on every run (GitHub flips node20 actions to node24 by default 2026-06-16):
However, the branch is now conflicting with main: about half of these bumps have landed on main piecemeal since May 19 (checkout v6.0.2, setup-python v6.2.0, docker login v4.1.0, build-push v7.1.0, upload/download-artifact v7/v8 in tests.yml, sigstore v3.3.0, osv-scanner v2.3.8), and tests.yml/skills-index.yml/lint.yml have been restructured around the conflict sites. Given the June 16 deadline I've opened a rebase of the remainder as #44832, keeping this PR's exact SHAs and crediting @daelnom-dev. If you'd rather rebase this original, I'll close mine — whichever is faster for the maintainers.
GitHub forces actions declaring node20 onto the node24 runtime by default starting 2026-06-16, and removes node20 from runners on 2026-09-16. Every Tests/Lint run currently emits deprecation annotations for the node20 pins.

This is a rebase of NousResearch#28333 (credit: daelnom-dev) onto current main. Roughly half of that PR's bumps have since landed on main piecemeal (checkout v6.0.2, setup-python v6.2.0, docker login v4.1.0, build-push v7.1.0, upload/download-artifact v7/v8 in tests.yml, sigstore v3.3.0, osv-scanner v2.3.8); this picks up the remainder, keeping that PR's exact verified SHAs:

- astral-sh/setup-uv v5 + v6 -> v8.1.0 (node24)
- actions/upload-artifact v4 -> v7.0.1, download-artifact v4 -> v8.0.1 (remaining lint/docker-publish/skills-index/pypi sites)
- actions/github-script v7 -> v9.0.0
- actions/setup-node v4 -> v6.4.0
- actions/create-github-app-token v1.9.3 -> v3.2.0 (inputs already use the v2+ hyphenated names)
- docker/setup-buildx-action v3 -> v4.0.0
- marocchino/sticky-pull-request-comment v2.9.1 -> v3.0.4
- actions/upload-pages-artifact v3 -> v5.0.0 + deploy-pages v4 -> v5.0.0 (documented compatible pair)
- cachix/cachix-action v17 re-tag SHA (tree-identical to current pin)
- comment fix: setup-python pin in lint.yml was already v6.2.0 but still labeled v5

Every new SHA was verified to match its tagged release commit in the action's upstream repo, and each major bump's breaking changes were checked against this repo's actual usage (inputs, outputs, credential-dependent push flows in nix-lockfile-fix.yml, Pages staging in deploy-site.yml, artifact name/pattern downloads) - no workflow behavior changes required.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Summary
- uses: pins to latest stable commit SHAs while preserving readable version comments
- lint.yml by passing GitHub ref contexts through environment variables before using them in inline shell scripts

Validation
- actionlint v1.7.12 .github/workflows/*.yml
- uv run pytest tests/test_lint_config.py -q → 5 passed
- git diff --check
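
The two practices this PR describes (SHA-pinned uses: lines that keep a version comment, and ref contexts passed through env: rather than expanded inside run: scripts) can be checked mechanically. The following is an added example, not code from this PR or repository; the sample workflow, the placeholder SHA and the audit() helper are constructed for illustration.

```python
import re

# Constructed sample workflow (not from the PR): one weak job, one hardened job.
SAMPLE = """\
jobs:
  weak:
    steps:
      - uses: actions/checkout@v4
      - run: |
          echo "linting ${{ github.head_ref }}"
  hardened:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v0.0.0 (placeholder SHA)
      - env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "linting $HEAD_REF"
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+?)@(\S+)\s*(#.*)?$")
SHA = re.compile(r"^[0-9a-f]{40}$")
# Ref contexts: expanded into the script text before the shell ever runs.
REF_EXPR = re.compile(r"\$\{\{\s*github\.(?:head_ref|base_ref|ref_name|ref)\b[^}]*\}\}")
RUN = re.compile(r"^\s*(?:-\s*)?run:")

def audit(text):
    """Return (line_no, kind) findings for one workflow file's text."""
    findings, run_col = [], None
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # dedent: the run: script has ended
        uses = USES.match(line)
        if uses:
            if not SHA.match(uses.group(2)):
                findings.append((n, "unpinned-uses"))  # tag or branch, mutable
            elif not uses.group(3):
                findings.append((n, "pin-without-version-comment"))
        if RUN.match(line):
            run_col = line.index("run:")  # script body is indented past this
        if run_col is not None and REF_EXPR.search(line):
            findings.append((n, "ref-context-in-run"))
    return findings

if __name__ == "__main__":
    for line_no, kind in audit(SAMPLE):
        print(f"line {line_no}: {kind}")
```

The check is line-based and does not parse YAML, so quoted uses: values and docker:// references are outside what it covers.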