Skip to content

ci: modernize release.yml GitHub Actions versions#6

Open
nitecon wants to merge 1 commit into
mainfrom
eventic/auto-fix/gha_modernize-46d3c70
Open

ci: modernize release.yml GitHub Actions versions#6
nitecon wants to merge 1 commit into
mainfrom
eventic/auto-fix/gha_modernize-46d3c70

Conversation

@nitecon

@nitecon nitecon commented Jun 3, 2026

Copy link
Copy Markdown
Owner

Modernizes the four outdated GitHub Actions in .github/workflows/release.yml (the only workflow in this repo). Versions resolved against each action's latest GitHub release as of 2026-06-03.

The 4 bumps

Action Where Old -> New Tier Breaking-change note
actions/checkout source-release L23, version-release L90, create-release L138 @v4 -> @v6 low-risk node24 runtime; behavior-compatible on hosted ubuntu-latest. Lowest risk of the set.
actions/upload-artifact version-release L123 @v4 -> @v7 known-breaking Already past the v3->v4 immutability break. Artifact names are unique per UE version (AssetsBridge-<tag>-UE<ver>), so the no-same-name-reupload rule is satisfied. A v4->v7 multi-major jump — verify before relying on it.
actions/download-artifact create-release L147 @v4 -> @v8 known-breaking Uses pattern: AssetsBridge-* + merge-multiple: true into artifacts/, then files: artifacts/*.zip. v4+ already downloads each artifact to its own subdir and merge-multiple flattens, so likely compatible — confirm the create-release glob still resolves after the v4->v8 jump.
softprops/action-gh-release source-release prerelease L50, versioned make_latest L170 @v2 -> @v3 known-breaking, HIGHEST RISK This is the actual release-creating step, used twice. v3 bumped the node runtime and adjusted input handling. Verify files: globs, tag_name, prerelease/make_latest, and body templating still behave before a real cut.

Why this is not auto-merged

release.yml is the ONLY workflow in this repo and it is tag-gated: the source-release job runs on push to main, and version-release + create-release run only on push: tags: v*. A branch/PR push never exercises the tag jobs, so no gh pr checks run can validate these bumps — this is a release-only repo and the bumps are unverifiable by branch CI.

The handler must never cut a tag to test a release, so the only authoritative validation is a real release on your own cadence. Validate-then-merge is yours: apply this branch, then cut a release (or run a scratch/fork pre-release tag across the 5.4/5.5/5.6/5.7 matrix) to confirm the per-UE zips still build, upload, download, and publish before merging.

Branched from origin/main @ 46d3c70 (v1.3.0 release commit).

Eventic-Task: 019e80b9-65f9-7003-8e4c-06592b7843e3

@nitecon nitecon added the eventic-autofix Automated fix opened by the Eventic handler label Jun 3, 2026
@nitecon

nitecon commented Jun 3, 2026

Copy link
Copy Markdown
Owner Author

👤 Will Hattingh — Team Lead — nitecon@gmail.com

VERDICT: approve (open for your validate-then-merge — NOT auto-merged)

Per your "approve", this opens the branch+PR with the four release.yml action bumps: checkout v4→v6, upload-artifact v4→v7, download-artifact v4→v8, and the highest-risk softprops/action-gh-release v2→v3 (the dual release-creating step). Branched cleanly from origin/main @46d3c70, Team-Lead-authored, no tag/release created. This is a release-only repo — release.yml is tag-gated, so branch CI runs no checks and the bumps cannot be exercised here. Per the agreed plan I am not merging this one: please validate by cutting a release (or a scratch pre-release across the 5.4/5.5/5.6/5.7 UE matrix) to confirm build→upload→download→publish, then merge. The handler will never cut that tag (guardrail).


Posted by Eventic (nitecon) on behalf of the Team Lead persona.

@nitecon

nitecon commented Jun 3, 2026

Copy link
Copy Markdown
Owner Author

✅ Quality Assurance — qa@runtime-dynamics.org

VERDICT: pass

All four targets are real latest-majors (checkout v6.0.3, upload-artifact v7.0.1, download-artifact v8.0.1, action-gh-release v3.0.0); YAML parses. Breaking-change compatibility vs actual usage: upload v7 uses per-matrix unique names (AssetsBridge--UE<5.4|5.5|5.6|5.7>) so the v4 immutability/unique-name rule holds; download v8 uses pattern: AssetsBridge-* + merge-multiple: true (both inputs confirmed present in v8) — upload v7/download v8 are matched-generation; action-gh-release v3 is runtime-only with all used inputs (tag_name/name/body/files/prerelease/make_latest/draft) unchanged. CONCERN (non-blocking): download-artifact v8 newly defaults digest-mismatch to error (was warn), and the full upload→download→release flow + the dual gh-release step can only be confirmed by a real release cut — tag-gated, so untestable in branch CI. No incompatibility evident statically; bumps are likely-correct.


Posted by Eventic (nitecon) on behalf of the Quality Assurance persona.

@nitecon

nitecon commented Jun 3, 2026

Copy link
Copy Markdown
Owner Author

🛡️ Security Operations — soc@runtime-dynamics.org

VERDICT: pass

Tightly scoped to the four stated action bumps in release.yml (plus a cosmetic whitespace edit); no other file touched, no lockfile drift, no scope change. All four are legitimate latest majors of established first-party/well-known actions with no outstanding advisories; the upload v7/download v8 pair is the correctly matched generation. Job permissions remain contents: write (minimal for releases, no escalation); only secret is the standard ephemeral GITHUB_TOKEN; no run: step interpolates bumped-action output into a shell (no new injection sink). Residual (pre-existing repo style, not introduced here): float-tag rather than commit-SHA pinning on the release-creating action — the tag-gated, human-validated flow keeps a person in the loop.


Posted by Eventic (nitecon) on behalf of the Security Operations persona.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

eventic-autofix Automated fix opened by the Eventic handler

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant