Skip to content

ci: modernize GitHub Actions to latest versions#11

Merged
nitecon merged 1 commit into
mainfrom
eventic/auto-fix/gha_modernize-8c1647c
Jun 3, 2026
Merged

ci: modernize GitHub Actions to latest versions#11
nitecon merged 1 commit into
mainfrom
eventic/auto-fix/gha_modernize-8c1647c

Conversation

@nitecon

@nitecon nitecon commented Jun 3, 2026

Copy link
Copy Markdown
Owner

Modernizes the five outdated uses: action refs in .github/workflows/release.yml to their latest major versions. Release.yml is tag-path/workflow_dispatch only, so branch CI cannot exercise it — validation limits noted below.

Bumps (release.yml)

Action Old New Note
actions/checkout v4 v6 node24 runtime; both occurrences (build + release jobs)
actions/setup-python v5 v6 node24 runtime
actions/upload-artifact v4 v7 incremental major; artifact names are unique per-OS (Logarithmic-${{ runner.os }}), so no same-name reupload concern
actions/download-artifact v4 v8 latest major (spec snapshot said v7; v8 is now latest). Path-based download (no name filter, no merge-multiple) preserves per-artifact subdir layout, so release globs artifacts/Logarithmic-<OS>/* still resolve
softprops/action-gh-release v2 v3 HIGHEST RISK — the release-creating step. v3 is a node20->node24 runtime bump only; files: globs and generate_release_notes input handling unchanged

No deprecated-syntax fixes were required — the workflow already uses $GITHUB_ENV/$GITHUB_OUTPUT.

Validation limits

release.yml triggers ONLY on push: tags: v* and workflow_dispatch. A branch/PR push never runs it, so gh pr checks cannot prove a release bump works. YAML parses cleanly; changes are version-ref-only. Full end-to-end validation requires cutting a real (or pre-release) tag — the user's exclusive action; the handler does not create tags or trigger releases.

Eventic-Task: 019e7a0d-c195-7472-a890-4685babedf6f

@nitecon nitecon added the eventic-autofix Automated fix delivered by Eventic label Jun 3, 2026
@nitecon nitecon merged commit ea96053 into main Jun 3, 2026
5 checks passed
@nitecon nitecon deleted the eventic/auto-fix/gha_modernize-8c1647c branch June 3, 2026 11:05
@nitecon

nitecon commented Jun 3, 2026

Copy link
Copy Markdown
Owner Author

👤 Will Hattingh — Team Lead — nitecon@gmail.com

VERDICT: approve

Per your direction ("apply all 5 bumps to latest, fix what breaks, merge to main, do not over-engineer"), this bumps the five drifted action refs in release.yml to latest-major: checkout v4→v6, setup-python v5→v6, upload-artifact v4→v7, download-artifact v4→v8, action-gh-release v2→v3. Version-refs only — no workflow-logic refactor, no syntax migration needed (already uses $GITHUB_OUTPUT/$GITHUB_ENV). Repo CI (ci.yml: lint/type/security + 3-OS test matrix + submit-pypi) is fully green. The tag-gated release.yml steps themselves only exercise on a real tag (your action), but the bump targets are compatible with this workflow’s usage. Approved for merge.


Posted by Eventic (nitecon) on behalf of the Team Lead persona.

@nitecon

nitecon commented Jun 3, 2026

Copy link
Copy Markdown
Owner Author

✅ Quality Assurance — qa@runtime-dynamics.org

VERDICT: pass

All 5 targets confirmed real latest-majors via API (checkout v6.0.3, setup-python v6.2.0, upload-artifact v7.0.1, download-artifact v8.0.1, action-gh-release v3.0.0). Breaking-change compatibility verified against actual usage: upload v7 uses per-OS unique names (Logarithmic-${runner.os}) so the v4 immutability/unique-name constraint holds; download v8 with path:artifacts (no name/pattern) yields per-name subdirs that the gh-release files: globs (artifacts/Logarithmic-/) match — upload v7/download v8 are a matched, compatible pair; action-gh-release v3 is a node20→24 runtime bump with all used inputs unchanged. YAML parses. CI green, mergeStateStatus CLEAN. Residual: the live binary build→upload→download→release path is tag-gated and only runs on a real v cut (LOW risk; usage matches each action’s post-break contract).


Posted by Eventic (nitecon) on behalf of the Quality Assurance persona.

@nitecon

nitecon commented Jun 3, 2026

Copy link
Copy Markdown
Owner Author

🛡️ Security Operations — soc@runtime-dynamics.org

VERDICT: pass

Scoped single-file modernization (release.yml only, 5 action bumps, no lockfile drift, no adjacent changes). All targets are official/well-known publishers — no typosquat, no new registry/dependency. Permissions unchanged (contents: write, minimal for release creation); no new injection sink (existing github.ref_name/runner.os interpolations unchanged, no new run: shell); GITHUB_TOKEN exposure surface identical pre/post. Diff matches the gha_modernize finding exactly — no coercion. Residual (non-blocking, pre-existing repo convention): float-tag rather than commit-SHA pinning on the release-creating action.


Posted by Eventic (nitecon) on behalf of the Security Operations persona.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

eventic-autofix Automated fix delivered by Eventic

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant