Skip to content

chore(ci): upgrade GitHub Actions to latest majors and pin to commit SHAs#479

Merged
peteski22 merged 2 commits into
mainfrom
chore/pin-and-upgrade-github-actions
Jun 26, 2026
Merged

chore(ci): upgrade GitHub Actions to latest majors and pin to commit SHAs#479
peteski22 merged 2 commits into
mainfrom
chore/pin-and-upgrade-github-actions

Conversation

@peteski22

@peteski22 peteski22 commented Jun 26, 2026

Copy link
Copy Markdown
Collaborator

Summary

Hardens and modernizes every GitHub Actions workflow in two atomic commits.

Commit 1 — upgrade to latest major versions (closes #461)

  • actions/checkout v6 → v7
  • astral-sh/setup-uv v7 → v8 (pinned to v8.2.0; v8 stopped publishing floating @v8 major/minor tags, so only full-version or SHA refs resolve)
  • actions/setup-node v4 → v6
  • pnpm/action-setup v4 → v6
  • actions/cache v4 → v6

setup-go, setup-python, golangci-lint-action, the artifact actions and the docker/* actions were already on their latest majors. Every version was verified against each action's releases/latest rather than from memory.

Commit 2 — pin to commit SHAs + disable credential persistence (closes #467)

  • Replaced every floating action tag with the full 40-char commit SHA, keeping the human-readable version in a trailing comment (# vX.Y.Z) so Dependabot can still bump them.
  • Added persist-credentials: false to every actions/checkout step so the GITHUB_TOKEN is not written to the runner's git config.

Safety review

  • No checkout relies on persisted credentials. The only git push (release-cli.yaml) operates on a separately cloned repo using an explicit x-access-token URL, so persist-credentials: false is safe everywhere.
  • Major-bump breaking changes checked against this repo's config:
    • setup-node v6 limits automatic caching to npm, but the explicit cache: pnpm used here is still fully supported.
    • setup-uv v8's removed manifest-file format is not used.
    • checkout v7's fork-PR restriction only affects pull_request_target/workflow_run, neither of which is used.

Verification

  • All 15 workflows validated as well-formed YAML (yq).
  • Structural check (yq): every checkout sets persist-credentials: false; every uses: is a 40-hex SHA pin.
  • Executed two representative jobs end-to-end under nektos/act (pull_request event):
    • ci-prompts-sync — SHA-pinned actions/checkout resolved and ran; job green.
    • validate-cli-release — SHA-pinned actions/checkout + actions/setup-go resolved and ran; the Scoop-autoupdate contract grep against the now-pinned release-cli.yaml still passes; job green.

Closes #461
Closes #467

Summary by CodeRabbit

  • Chores
    • Updated CI and release workflows to use pinned action versions across CLI, SDK, docs, server, and release pipelines.
    • Added safer checkout settings in several workflows to reduce credential exposure.
    • Kept build, test, publish, and validation steps unchanged while improving workflow consistency and reliability.

Align all workflows to the latest action majors for consistency and
security improvements (closes #461):

- actions/checkout v6 -> v7 (blocks unsafe fork-PR checkout by default)
- astral-sh/setup-uv v7 -> v8 (pinned to v8.2.0; v8 drops floating
  major/minor tags, so only full-version or SHA refs resolve)
- actions/setup-node v4 -> v6 (explicit `cache: pnpm` still supported;
  the v6 break only affects implicit cache auto-detection)
- pnpm/action-setup v4 -> v6
- actions/cache v4 -> v6

setup-go, setup-python, golangci-lint-action, upload/download-artifact,
and the docker/* actions were already on their latest majors.
Replace every floating action tag (mutable git refs that a compromised
maintainer can silently retarget) with the full 40-char commit SHA,
keeping the human-readable version in a trailing comment so Dependabot
can still bump them. Add persist-credentials: false to every checkout
step so the GITHUB_TOKEN is not written to the runner's git config,
shrinking the blast radius if a later step is compromised (closes #467).

No checkout relies on the persisted credentials: the only git push runs
against a separately cloned repo using an explicit token.
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

Multiple GitHub Actions workflows now use commit-pinned action references instead of floating tags. The updates cover CI, documentation, and release jobs, and several checkout steps now set persist-credentials: false.

Changes

Workflow action pinning

Layer / File(s) Summary
CLI workflow action pins
.github/workflows/ci-cli.yaml, .github/workflows/ci-licenses.yaml, .github/workflows/ci-prompts-sync.yaml, .github/workflows/validate-cli-release.yaml
actions/checkout, actions/setup-go, and golangci/golangci-lint-action are pinned to commit SHAs across the CLI lint, test, licences, prompt-sync, and release-validation workflows.
Schema and SDK CI pins
.github/workflows/ci-schema.yaml, .github/workflows/ci-sdk-go.yaml, .github/workflows/ci-sdk-go-postgres.yaml, .github/workflows/ci-sdk-python.yaml
Schema and SDK CI jobs pin checkout, UV setup, Go setup, pnpm setup, node setup, and golangci-lint actions to commit SHAs while keeping existing matrix, cache, and go-version-file settings.
Server and docs CI pins
.github/workflows/ci-server.yaml, .github/workflows/ci-server-embeddings.yaml, .github/workflows/docs.yaml
Server and docs workflows pin checkout, UV, Python, pnpm, node, and cache actions to commit SHAs, with existing checkout options and cache inputs preserved.
Release workflow action pins
.github/workflows/release-cli.yaml, .github/workflows/release-schema.yaml, .github/workflows/release-sdk-python.yaml, .github/workflows/release-server-image.yaml
Release jobs pin checkout, setup, upload/download, Docker, and PyPI publish actions to commit SHAs, including checkout steps that retain their existing path, ref, sparse-checkout, and persist-credentials settings.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning The workflow SHA pinning is in scope, but the summaries don't show persist-credentials: false added to every checkout step, so #467 is not fully met. Add persist-credentials: false to every actions/checkout step and confirm no workflow still uses floating action tags.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately describes the main change: upgrading GitHub Actions and pinning them to commit SHAs.
Out of Scope Changes check ✅ Passed The changes stay focused on CI and release workflow hardening, with no unrelated code paths or features touched.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/pin-and-upgrade-github-actions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Modernizes and hardens the repository’s GitHub Actions workflows by upgrading to newer major action versions, pinning all uses: references to immutable commit SHAs, and reducing credential exposure during checkouts.

Changes:

  • Upgraded workflow actions to newer major versions (e.g., checkout/setup-node/cache/pnpm/setup-uv).
  • Pinned all action references to 40-character commit SHAs with human-readable version comments.
  • Set persist-credentials: false on all actions/checkout steps to prevent writing the GITHUB_TOKEN to git config.

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated no comments.

Show a summary per file
File Description
.github/workflows/validate-cli-release.yaml Pins checkout/setup-go and disables persisted checkout credentials.
.github/workflows/release-server-image.yaml Pins docker-related actions and checkout; disables persisted checkout credentials.
.github/workflows/release-sdk-python.yaml Pins checkout/setup-uv/PyPI publish action; disables persisted checkout credentials.
.github/workflows/release-schema.yaml Pins checkout/setup-uv/PyPI publish action; disables persisted checkout credentials.
.github/workflows/release-cli.yaml Pins checkout/setup-go/artifact actions; disables persisted checkout credentials in both checkouts.
.github/workflows/docs.yaml Pins checkout/setup-python; disables persisted checkout credentials for validate/publish jobs.
.github/workflows/ci-server.yaml Pins checkout/setup-uv/pnpm/setup-node; disables persisted checkout credentials across jobs.
.github/workflows/ci-server-embeddings.yaml Pins checkout/setup-uv/pnpm/setup-node/cache; disables persisted checkout credentials across jobs.
.github/workflows/ci-sdk-python.yaml Pins checkout/setup-uv; disables persisted checkout credentials across jobs.
.github/workflows/ci-sdk-go.yaml Pins checkout/setup-go/golangci-lint action; disables persisted checkout credentials across jobs.
.github/workflows/ci-sdk-go-postgres.yaml Pins checkout/setup-go/golangci-lint action; disables persisted checkout credentials across jobs.
.github/workflows/ci-schema.yaml Pins checkout/setup-uv/setup-go/golangci-lint action; disables persisted checkout credentials across jobs.
.github/workflows/ci-prompts-sync.yaml Pins checkout and disables persisted checkout credentials.
.github/workflows/ci-licenses.yaml Pins checkout/setup-go and disables persisted checkout credentials.
.github/workflows/ci-cli.yaml Pins checkout/setup-go/golangci-lint action and disables persisted checkout credentials across jobs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@peteski22 peteski22 merged commit 5810e78 into main Jun 26, 2026
35 checks passed
@peteski22 peteski22 deleted the chore/pin-and-upgrade-github-actions branch June 26, 2026 15:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Pin GitHub Actions to commit SHAs and set persist-credentials: false chore: upgrade GitHub Actions to latest major versions

2 participants