chore(ci): upgrade GitHub Actions to latest majors and pin to commit SHAs#479
Conversation
Align all workflows to the latest action majors for consistency and security improvements (closes #461): - actions/checkout v6 -> v7 (blocks unsafe fork-PR checkout by default) - astral-sh/setup-uv v7 -> v8 (pinned to v8.2.0; v8 drops floating major/minor tags, so only full-version or SHA refs resolve) - actions/setup-node v4 -> v6 (explicit `cache: pnpm` still supported; the v6 break only affects implicit cache auto-detection) - pnpm/action-setup v4 -> v6 - actions/cache v4 -> v6 setup-go, setup-python, golangci-lint-action, upload/download-artifact, and the docker/* actions were already on their latest majors.
Replace every floating action tag (mutable git refs that a compromised maintainer can silently retarget) with the full 40-char commit SHA, keeping the human-readable version in a trailing comment so Dependabot can still bump them. Add persist-credentials: false to every checkout step so the GITHUB_TOKEN is not written to the runner's git config, shrinking the blast radius if a later step is compromised (closes #467). No checkout relies on the persisted credentials: the only git push runs against a separately cloned repo using an explicit token.
WalkthroughMultiple GitHub Actions workflows now use commit-pinned action references instead of floating tags. The updates cover CI, documentation, and release jobs, and several checkout steps now set ChangesWorkflow action pinning
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
Modernizes and hardens the repository’s GitHub Actions workflows by upgrading to newer major action versions, pinning all uses: references to immutable commit SHAs, and reducing credential exposure during checkouts.
Changes:
- Upgraded workflow actions to newer major versions (e.g., checkout/setup-node/cache/pnpm/setup-uv).
- Pinned all action references to 40-character commit SHAs with human-readable version comments.
- Set
persist-credentials: falseon allactions/checkoutsteps to prevent writing theGITHUB_TOKENto git config.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/validate-cli-release.yaml | Pins checkout/setup-go and disables persisted checkout credentials. |
| .github/workflows/release-server-image.yaml | Pins docker-related actions and checkout; disables persisted checkout credentials. |
| .github/workflows/release-sdk-python.yaml | Pins checkout/setup-uv/PyPI publish action; disables persisted checkout credentials. |
| .github/workflows/release-schema.yaml | Pins checkout/setup-uv/PyPI publish action; disables persisted checkout credentials. |
| .github/workflows/release-cli.yaml | Pins checkout/setup-go/artifact actions; disables persisted checkout credentials in both checkouts. |
| .github/workflows/docs.yaml | Pins checkout/setup-python; disables persisted checkout credentials for validate/publish jobs. |
| .github/workflows/ci-server.yaml | Pins checkout/setup-uv/pnpm/setup-node; disables persisted checkout credentials across jobs. |
| .github/workflows/ci-server-embeddings.yaml | Pins checkout/setup-uv/pnpm/setup-node/cache; disables persisted checkout credentials across jobs. |
| .github/workflows/ci-sdk-python.yaml | Pins checkout/setup-uv; disables persisted checkout credentials across jobs. |
| .github/workflows/ci-sdk-go.yaml | Pins checkout/setup-go/golangci-lint action; disables persisted checkout credentials across jobs. |
| .github/workflows/ci-sdk-go-postgres.yaml | Pins checkout/setup-go/golangci-lint action; disables persisted checkout credentials across jobs. |
| .github/workflows/ci-schema.yaml | Pins checkout/setup-uv/setup-go/golangci-lint action; disables persisted checkout credentials across jobs. |
| .github/workflows/ci-prompts-sync.yaml | Pins checkout and disables persisted checkout credentials. |
| .github/workflows/ci-licenses.yaml | Pins checkout/setup-go and disables persisted checkout credentials. |
| .github/workflows/ci-cli.yaml | Pins checkout/setup-go/golangci-lint action and disables persisted checkout credentials across jobs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Summary
Hardens and modernizes every GitHub Actions workflow in two atomic commits.
Commit 1 — upgrade to latest major versions (closes #461)
actions/checkoutv6 → v7astral-sh/setup-uvv7 → v8 (pinned tov8.2.0; v8 stopped publishing floating@v8major/minor tags, so only full-version or SHA refs resolve)actions/setup-nodev4 → v6pnpm/action-setupv4 → v6actions/cachev4 → v6setup-go,setup-python,golangci-lint-action, the artifact actions and thedocker/*actions were already on their latest majors. Every version was verified against each action'sreleases/latestrather than from memory.Commit 2 — pin to commit SHAs + disable credential persistence (closes #467)
# vX.Y.Z) so Dependabot can still bump them.persist-credentials: falseto everyactions/checkoutstep so theGITHUB_TOKENis not written to the runner's git config.Safety review
git push(release-cli.yaml) operates on a separately cloned repo using an explicitx-access-tokenURL, sopersist-credentials: falseis safe everywhere.setup-nodev6 limits automatic caching to npm, but the explicitcache: pnpmused here is still fully supported.setup-uvv8's removedmanifest-fileformat is not used.checkoutv7's fork-PR restriction only affectspull_request_target/workflow_run, neither of which is used.Verification
yq).yq): every checkout setspersist-credentials: false; everyuses:is a 40-hex SHA pin.nektos/act(pull_requestevent):ci-prompts-sync— SHA-pinnedactions/checkoutresolved and ran; job green.validate-cli-release— SHA-pinnedactions/checkout+actions/setup-goresolved and ran; the Scoop-autoupdate contract grep against the now-pinnedrelease-cli.yamlstill passes; job green.Closes #461
Closes #467
Summary by CodeRabbit