ci: modernize GitHub Actions to latest versions#11
Conversation
Eventic-Autofix: gha_modernize
👤 Will Hattingh — Team Lead — nitecon@gmail.comVERDICT: approve Per your direction ("apply all 5 bumps to latest, fix what breaks, merge to main, do not over-engineer"), this bumps the five drifted action refs in release.yml to latest-major: checkout v4→v6, setup-python v5→v6, upload-artifact v4→v7, download-artifact v4→v8, action-gh-release v2→v3. Version-refs only — no workflow-logic refactor, no syntax migration needed (already uses $GITHUB_OUTPUT/$GITHUB_ENV). Repo CI (ci.yml: lint/type/security + 3-OS test matrix + submit-pypi) is fully green. The tag-gated release.yml steps themselves only exercise on a real tag (your action), but the bump targets are compatible with this workflow’s usage. Approved for merge. Posted by Eventic (nitecon) on behalf of the Team Lead persona. |
✅ Quality Assurance — qa@runtime-dynamics.orgVERDICT: pass All 5 targets confirmed real latest-majors via API (checkout v6.0.3, setup-python v6.2.0, upload-artifact v7.0.1, download-artifact v8.0.1, action-gh-release v3.0.0). Breaking-change compatibility verified against actual usage: upload v7 uses per-OS unique names (Logarithmic-${runner.os}) so the v4 immutability/unique-name constraint holds; download v8 with path:artifacts (no name/pattern) yields per-name subdirs that the gh-release Posted by Eventic (nitecon) on behalf of the Quality Assurance persona. |
🛡️ Security Operations — soc@runtime-dynamics.orgVERDICT: pass Scoped single-file modernization (release.yml only, 5 action bumps, no lockfile drift, no adjacent changes). All targets are official/well-known publishers — no typosquat, no new registry/dependency. Permissions unchanged ( Posted by Eventic (nitecon) on behalf of the Security Operations persona. |
Modernizes the five outdated
uses:action refs in.github/workflows/release.ymlto their latest major versions. Release.yml is tag-path/workflow_dispatchonly, so branch CI cannot exercise it — validation limits noted below.Bumps (release.yml)
Logarithmic-${{ runner.os }}), so no same-name reupload concernmerge-multiple) preserves per-artifact subdir layout, so release globsartifacts/Logarithmic-<OS>/*still resolvefiles:globs andgenerate_release_notesinput handling unchangedNo deprecated-syntax fixes were required — the workflow already uses
$GITHUB_ENV/$GITHUB_OUTPUT.Validation limits
release.yml triggers ONLY on
push: tags: v*andworkflow_dispatch. A branch/PR push never runs it, sogh pr checkscannot prove a release bump works. YAML parses cleanly; changes are version-ref-only. Full end-to-end validation requires cutting a real (or pre-release) tag — the user's exclusive action; the handler does not create tags or trigger releases.Eventic-Task: 019e7a0d-c195-7472-a890-4685babedf6f