Bump all workflow actions to a more recent version #7144
Conversation
📝 Walkthrough
All 18 GitHub Actions workflow files are updated to use newer major versions of standard actions.
Changes: GitHub Actions version bumps
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~5 minutes
🚥 Pre-merge checks: ✅ 4 passed | ❌ 1 failed (inconclusive)
Actionable comments posted: 8
🧹 Nitpick comments (2)
.github/workflows/docs-build.yml (1)
74-74: Actions use mutable tags instead of SHA pins—consider using explicit commit SHAs for better supply chain security.
These action references (lines 74, 89, 96, 129, 139, 152) still use major version tags (`@v*`) rather than full commit SHAs, which means the pinned versions could change at runtime if the upstream action releases updates. While tag-based references are simpler to maintain, pinning to explicit SHAs reduces the risk of unexpected behavior changes from upstream action updates.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/docs-build.yml at line 74, Replace the mutable action version tags with immutable commit SHA pins for improved supply chain security. In the docs-build.yml workflow file, update all action references currently using `@v*` tags (specifically actions/checkout@v7 and others mentioned at lines 74, 89, 96, 129, 139, 152) to use their full commit SHA format instead. For example, change actions/checkout@v7 to actions/checkout@<full-commit-sha> where the SHA corresponds to the specific version you want to use. This ensures the pinned versions cannot change unexpectedly at runtime.
Source: Linters/SAST tools
.github/workflows/wiki-generate-icons.yaml (1)
61-61: ⚡ Quick win: Update inline comments to reference v7 documentation.
The comments reference v4 documentation but the workflow now uses v7 of the action.
📝 Proposed fix to update documentation links
- # https://github.com/actions/upload-artifact/tree/v4/ + # https://github.com/actions/upload-artifact/tree/v7/ - name: Upload unit icons uses: actions/upload-artifact@v7 - # https://github.com/actions/upload-artifact/tree/v4/ + # https://github.com/actions/upload-artifact/tree/v7/ - name: Upload strategic icons uses: actions/upload-artifact@v7Also applies to: 68-68
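Review bot: both replaced comment lines in this hunk still link to the floating `tree/v7` view of the action, which moves with the major tag in the same way the backport note in this thread describes for `@v4`; if these steps are later SHA-pinned as the other review comments request, putting the exact release tag or SHA in the comment next to each `uses:` line keeps the link and the pin in step and avoids a repeat of this v4/v7 drift on the next bump.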
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/wiki-generate-icons.yaml at line 61, The inline comments in the workflow file reference v4 documentation for the upload-artifact action but the workflow is currently using v7 of that action. Update all comments that contain URLs pointing to the upload-artifact action documentation to reference v7 instead of v4. Specifically, change any comment URLs containing "upload-artifact/tree/v4" to "upload-artifact/tree/v7" to ensure documentation links remain accurate and consistent with the action version being used.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/bake-blueprints.yaml:
- Line 60: The workflow file uses mutable version tags for action references
instead of immutable commit SHAs, which creates supply-chain risk. Find the
three action references on lines 60, 67, and 79 (actions/checkout@v7 and other
actions with `@v13` tags) and replace each mutable version tag with the full
commit SHA of the desired version. For example, replace actions/checkout@v7 with
the format actions/checkout@<full-commit-hash> where the commit hash is the
specific immutable identifier for that action version.
In @.github/workflows/deploy-fafbeta.yaml:
- Line 99: The actions/download-artifact action in the deploy-fafbeta.yaml
workflow is using version v6, which is outdated. Upgrade the version
specification in the uses statement for actions/download-artifact from v6 to v8
(the latest stable release v8.0.1). Before upgrading, review the changelog
between v6 and v8 to check for any breaking changes that might affect the
workflow, and document the upgrade decision in case compatibility was a concern.
In @.github/workflows/docs-convert-changelog.yaml:
- Line 44: Replace all mutable version tag references in the actions/checkout
and other workflow action uses statements with pinned commit digest format.
Specifically, for the affected uses statements at the identified lines, replace
the version tag (e.g., `@v7`, `@v6`) with the corresponding commit SHA to ensure
reproducibility and supply-chain security. Look for all instances where actions
are referenced with `@vX` format and convert them to the pinned digest format
using the full commit hash instead.
In @.github/workflows/docs-spelling-check.yaml:
- Line 37: In the docs-spelling-check.yaml workflow file, replace the mutable
version tag in the checkout action from `@v7` to a pinned 40-character commit SHA.
Update the uses statement for actions/checkout to reference a specific commit
hash (such as b4ffde65f46336ab88eb53be808477a3936bae11) instead of the version
tag, and optionally append a comment with the version number for reference.
In @.github/workflows/docs-synchronize-changelog.yaml:
- Line 57: The actions/checkout references at lines 57 and 66 are using mutable
major version tags (v7) instead of being pinned to specific commit SHAs, which
violates the unpinned-uses security policy. Replace both instances of `uses:
actions/checkout@v7` with the fully qualified SHA-pinned version of the action
(e.g., `actions/checkout@<specific-commit-sha>`) to ensure the workflow always
uses the exact version specified and prevent unexpected updates.
In @.github/workflows/docs-url-check.yaml:
- Line 39: The `actions/checkout@v7` action is using a mutable version tag which
violates security best practices. Replace the `@v7` tag with a full-length
commit SHA to pin the action to a specific, immutable reference. You can find
the current commit SHA for v7 from the official actions/checkout repository
releases page and update the workflow step to use that format instead.
In @.github/workflows/prepare-release.yaml:
- Line 52: Replace the mutable version tags for GitHub Actions with their
corresponding full commit SHAs to improve CI supply-chain integrity and
reproducibility. Update actions/checkout from `@v7` to its full commit SHA,
actions/download-artifact from `@v6` to its full commit SHA, and
actions/github-script from `@v9` to its full commit SHA. You can find the exact
commit SHAs by visiting each action's GitHub repository and checking the
releases or tags to identify the specific commit hash for each version.
In @.github/workflows/wiki-generate-blueprints.yaml:
- Around line 37-44: Review the workflow trigger events (check the top level
`on:` directive) to determine if this workflow uses `pull_request_target` or
`workflow_run` events and needs to checkout code from fork pull requests. If
fork PR checkouts are needed, add `allow-unsafe-pr-checkout: true` to both
checkout action steps (the one checking out the BrewWikiGen repository and the
one checking out the FAF Repository) to handle the breaking change in
actions/checkout v7. Additionally, verify if leafo/gh-actions-lua v13 is used
anywhere in this workflow and either ensure any Lua scripts are compatible with
Lua 5.5 or explicitly pin the Lua version to 5.4 by adding `luaVersion: '5.4'`
to maintain backward compatibility if needed.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 7845e047-de93-45a5-b120-443cc20f4266
📒 Files selected for processing (19)
- .github/workflows/bake-blueprints.yaml
- .github/workflows/deploy-faf.yaml
- .github/workflows/deploy-fafbeta.yaml
- .github/workflows/deploy-fafdevelop.yaml
- .github/workflows/docs-build.yml
- .github/workflows/docs-convert-changelog.yaml
- .github/workflows/docs-generate-changelog.yaml
- .github/workflows/docs-spelling-check.yaml
- .github/workflows/docs-synchronize-changelog.yaml
- .github/workflows/docs-url-check.yaml
- .github/workflows/etfreeman-db-update.yaml
- .github/workflows/prepare-release.yaml
- .github/workflows/spookydb-update.yaml
- .github/workflows/stage-fafbeta.yaml
- .github/workflows/stage-fafdevelop.yaml
- .github/workflows/tests.yaml
- .github/workflows/wiki-generate-blueprints.yaml
- .github/workflows/wiki-generate-changelogs.yaml
- .github/workflows/wiki-generate-icons.yaml
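The SHA-pinning advice repeated throughout the review above (replace `owner/repo@vN` with a full commit SHA, optionally keeping the version in a trailing comment; the `unpinned-uses` rule zizmor reports), as an added Python example that is not part of this PR or of CodeRabbit's output. The sample workflow text, the placeholder SHAs and the function names `find_unpinned_uses` / `pin_uses` are all constructed for illustration; the tag-to-SHA mapping is passed in rather than fetched so the script runs offline. In practice it would be filled from `gh api repos/<owner>/<repo>/git/refs/tags/<tag>`, the lookup the analysis script on this page performs, with the caveat that for an annotated tag that ref points at a tag object which must be dereferenced to its commit before pinning.

```python
import re

# Constructed sample workflow (hypothetical; not a file from the FAForever/fa repository).
SAMPLE_WORKFLOW = """\
name: docs-build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
      - uses: actions/upload-artifact@v7
        with:
          name: site
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # already pinned (constructed SHA)
"""

# Constructed placeholder, not the real commit for actions/checkout v7.
PLACEHOLDER_SHA = "abcdef0123456789abcdef0123456789abcdef01"

# Matches `uses: owner/repo[/path]@ref [# comment]`; local (./) and docker:// refs are handled below.
USES_RE = re.compile(r"^(?P<indent>\s*-?\s*uses:\s*)(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_uses(text):
    """Return (line_number, 'owner/repo@ref') for every action reference not pinned to a 40-hex SHA.

    This is the check behind zizmor's `unpinned-uses` finding quoted on the page: a tag or
    branch can be moved upstream, a full commit SHA cannot. Local actions and docker:// images
    are skipped because they are not pinned through a git ref.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        if action.startswith("./") or action.startswith("docker://"):
            continue
        if not SHA_RE.match(ref):
            findings.append((lineno, f"{action}@{ref}"))
    return findings


def pin_uses(text, resolved):
    """Rewrite tag references to SHA pins using a caller-supplied {'owner/repo@tag': sha} mapping.

    Lines whose reference is not in the mapping (or whose mapped value is not a 40-hex SHA)
    are left untouched. The original tag is kept as a trailing comment so a reader can still
    see which version the SHA corresponds to.
    """
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            key = f"{m.group('action')}@{m.group('ref')}"
            sha = resolved.get(key)
            if sha is not None and SHA_RE.match(sha):
                line = f"{m.group('indent')}{m.group('action')}@{sha} # {m.group('ref')}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned {ref}")
    print(pin_uses(SAMPLE_WORKFLOW, {"actions/checkout@v7": PLACEHOLDER_SHA}))
```

Running the block reports the two tag-based references (checkout and upload-artifact) and leaves the already-pinned setup-node step, the local action and the docker image alone; after `pin_uses` with a mapping for `actions/checkout@v7`, only the upload-artifact line remains unpinned.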
| uses: actions/checkout@v7 | ||
| with: | ||
| repository: The-Balthazar/BrewWikiGen | ||
| path: ./brew-wiki-gen | ||
|
|
||
| # FA repo is sparse checkout as it is quite large and we dont won't to incur higher action minutes for no reason | ||
| - name: Checkout FAF Repository # -png folder doesnt exist yet, confirm location. | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v7 |
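Review bot: the `actions/checkout@v4` to `@v7` bump on the last line of this hunk (and the same `@v7` on the BrewWikiGen checkout step above it) changes behaviour for fork pull requests: per the analysis later in this thread, v7 refuses to check out fork PR code under `pull_request_target` / `workflow_run` unless `allow-unsafe-pr-checkout: true` is set, so the workflow's top-level `on:` triggers should be confirmed before merging rather than adding the opt-in blindly. Both steps also stay on a mutable major tag, which zizmor reports as `unpinned-uses`. Minor: the comment `we dont won't to incur higher action minutes` presumably means `we don't want to incur`, and `-png folder doesnt exist yet, confirm location.` is an open TODO that should be resolved or tracked.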
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify action versions exist and check for breaking changes
echo "=== Checking actions/checkout v7 ==="
gh api repos/actions/checkout/git/refs/tags/v7 --jq '.ref' || echo "Tag v7 not found"
echo ""
echo "=== Checking actions/upload-artifact v7 ==="
gh api repos/actions/upload-artifact/git/refs/tags/v7 --jq '.ref' || echo "Tag v7 not found"
echo ""
echo "=== Checking leafo/gh-actions-lua v13 ==="
gh api repos/leafo/gh-actions-lua/git/refs/tags/v13 --jq '.ref' || echo "Tag v13 not found"
echo ""
echo "=== Recent releases for actions/checkout ==="
gh release list --repo actions/checkout --limit 10
echo ""
echo "=== Recent releases for actions/upload-artifact ==="
gh release list --repo actions/upload-artifact --limit 10
echo ""
echo "=== Recent releases for leafo/gh-actions-lua ==="
gh release list --repo leafo/gh-actions-lua --limit 10
Repository: FAForever/fa
Length of output: 1471
🌐 Web query:
actions/checkout v7 breaking changes
💡 Result:
The primary breaking change in actions/checkout v7, released on June 18, 2026, is a new security restriction regarding fork pull request checkouts [1][2]. Key changes in v7 include:
1. Blocked Fork PR Checkouts by Default: The action now refuses to check out code from a fork pull request when used in pull_request_target or workflow_run events (specifically when the workflow is triggered by a pull_request* event) [2][3]. This is designed to prevent "pwn request" vulnerabilities where untrusted fork code could execute in the privileged context of the base repository [2][3].
2. Opt-in Mechanism: If your workflow requires this functionality, you must explicitly opt in by setting the new input allow-unsafe-pr-checkout to true [3]. Users are strongly advised to review the security risks associated with using pull_request_target before enabling this [2][3].
3. ESM Migration: The action has been migrated to ESM (ECMAScript Modules) to support newer versions of underlying @actions/* dependencies [1][3].
Future Backport: On July 16, 2026, GitHub will backport this security enforcement to all currently supported major versions of actions/checkout [2]. Workflows pinned to a floating major tag (e.g., actions/checkout@v4) will automatically receive this change and may start failing if they checkout fork pull request code without the new opt-in flag [2]. Workflows pinned to specific SHA, minor, or patch versions will not be affected by the automatic backport [2].
Citations:
- 1: https://github.com/actions/checkout/releases/tag/v7.0.0
- 2: https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/
- 3: https://github.com/actions/checkout/blob/main/README.md
🌐 Web query:
actions/upload-artifact v7 breaking changes
💡 Result:
The transition to actions/upload-artifact v7, released on February 26, 2026, primarily introduced a new feature rather than traditional breaking changes [1][2]. The release is backward compatible because the new archive parameter defaults to true, maintaining existing behavior [2][3]. Key aspects of the v7 release include:
New Functionality: Direct Unzipped Uploads
The most significant addition is the ability to upload artifacts without zipping them by setting the archive input to false [1][2]. This supports:
- Single file uploads only: The action will fail if the provided path glob resolves to multiple files [1][3].
- Ignored Name Parameter: When archive is set to false, the name parameter is ignored. The resulting artifact name becomes the name of the uploaded file itself [1][3].
- Workflow Impacts: If you enable archive: false, you must ensure that any subsequent download steps (which require updating to at least actions/download-artifact v8) match the filename rather than a custom artifact name [2][3].
Technical Changes
- ESM Upgrade: The action was upgraded to ECMAScript Modules (ESM) to support newer versions of the @actions/* packages [1][4].
- No Documented Breaking Changes: While some users noted that major version bumps often imply breaking changes, the maintainers provided no specific list of breaking behavioral changes for v7 [5]. The release is generally considered a drop-in replacement for v6, provided the new optional features are not used incorrectly [3].
If you are upgrading from v6 to v7, your existing workflows will continue to function as they did before, with compression enabled by default [3]. If you choose to adopt the new direct upload feature, be aware of the specific requirements regarding file counts and naming conventions [1][3].
Citations:
- 1: https://github.com/actions/upload-artifact/releases/tag/v7.0.0
- 2: https://github.blog/changelog/2026-02-26-github-actions-now-supports-uploading-and-downloading-non-zipped-artifacts/
- 3: https://zenn.dev/korosuke613/articles/github-actions-use-archive-artifact?locale=en
- 4: https://github.com/actions/upload-artifact/releases
- 5: [docs] No documented breaking changes in v7 actions/upload-artifact#776
🌐 Web query:
leafo/gh-actions-lua v13 changes
💡 Result:
Version 13 of the leafo/gh-actions-lua GitHub Action, released on April 23, 2026, introduced several key changes [1][2]:
Lua 5.5 Support: The action added support for Lua 5.5.0 [1][3][4]. Consequently, the default luaVersion was updated to 5.5 (previously 5.4) [1][3].
ESM Migration: The action's main.js file was converted to ES modules to maintain compatibility with updated GitHub Actions toolkit packages that are now ESM-only [1][4]. This change does not affect the action's API or inputs [1][3].
Dependency Upgrades: The action updated several underlying @actions dependencies to their major versions to ensure compatibility [1][4]:
- @actions/core: 1.11.1 to 3.0.1 [1][4]
- @actions/cache: 4.1.0 to 6.0.0 [1][4]
- @actions/exec: 1.1.1 to 3.0.0 [1][4]
- @actions/io: 1.1.3 to 3.0.2 [1][4]
- @actions/tool-cache: 2.0.2 to 4.0.0 [1][4]
Refreshed Release Tarballs: The included release tarballs were updated:
- 5.5.0.tar.gz was added [1][3].
- 5.3.6.tar.gz replaced 5.3.5.tar.gz [1][4].
- 5.4.8.tar.gz replaced 5.4.1.tar.gz [1][4].
Documentation and Example Updates: Example snippets were updated to use actions/checkout@v6 (replacing @master/@v4) to resolve Node.js 20 deprecation warnings, and step-security/msvc-dev-cmd@v1 was adopted as a replacement for ilammy/msvc-dev-cmd@v1 [1][3][4].
Citations:
- 1: https://github.com/leafo/gh-actions-lua/releases
- 2: https://p.rst.im/q/GitHub.Com/leafo/gh-actions-lua
- 3: chore(deps): update leafo/gh-actions-lua action to v13 jellydn/quick-code-runner.nvim#49
- 4: Bump leafo/gh-actions-lua from 12.0.0 to 13.0.0 exercism/moonscript#162
Address breaking changes in actions/checkout v7 and leafo/gh-actions-lua v13.
The version bumps to actions/checkout v7 and leafo/gh-actions-lua v13 introduce breaking changes that may affect this workflow:
- actions/checkout v7 (released June 18, 2026): Now blocks fork pull request checkouts by default in `pull_request_target` and `workflow_run` events. If the workflow needs to checkout fork PR code, add `allow-unsafe-pr-checkout: true` to the checkout step.
- leafo/gh-actions-lua v13 (released April 23, 2026): Changes the default Lua version from 5.4 to 5.5. Verify that any Lua scripts in this workflow are compatible with Lua 5.5, or explicitly pin `luaVersion: '5.4'` if backward compatibility is needed.
- actions/upload-artifact v7: No breaking changes; this upgrade is safe.
🧰 Tools
🪛 zizmor (1.25.2)
[error] 37-37: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 44-44: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/wiki-generate-blueprints.yaml around lines 37 - 44, Review
the workflow trigger events (check the top level `on:` directive) to determine
if this workflow uses `pull_request_target` or `workflow_run` events and needs
to checkout code from fork pull requests. If fork PR checkouts are needed, add
`allow-unsafe-pr-checkout: true` to both checkout action steps (the one checking
out the BrewWikiGen repository and the one checking out the FAF Repository) to
handle the breaking change in actions/checkout v7. Additionally, verify if
leafo/gh-actions-lua v13 is used anywhere in this workflow and either ensure any
Lua scripts are compatible with Lua 5.5 or explicitly pin the Lua version to 5.4
by adding `luaVersion: '5.4'` to maintain backward compatibility if needed.
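The trigger check the review asks for (inspect the top-level `on:` directive for `pull_request_target` / `workflow_run`, then look at each `actions/checkout` step for `allow-unsafe-pr-checkout: true`), as an added Python audit script that is not part of this PR or of CodeRabbit's output. The sample workflow, the step names and the function names are constructed for illustration; the script is a line-oriented heuristic that needs no YAML library, and it flags the combination a reviewer must look at under checkout v7: a privileged trigger together with the opt-in, since that is the case where fork code is checked out with the base repository's permissions.

```python
import re

# Constructed sample (hypothetical, not the real wiki-generate-blueprints.yaml): a workflow
# on pull_request_target that checks out two repositories with actions/checkout@v7, the
# second one opting in to fork PR checkouts.
SAMPLE_WORKFLOW = """\
name: wiki-generate-blueprints
on:
  pull_request_target:
    types: [opened, synchronize]
  workflow_dispatch:
jobs:
  generate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout BrewWikiGen
        uses: actions/checkout@v7
        with:
          repository: The-Balthazar/BrewWikiGen
          path: ./brew-wiki-gen
      - name: Checkout FAF Repository
        uses: actions/checkout@v7
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          allow-unsafe-pr-checkout: true
"""

# Triggers under which checkout v7 blocks fork PR code unless the workflow opts in.
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run")
STEP_START_RE = re.compile(r"^\s*- (name|uses):")


def on_block(text):
    """Return the raw text of the top-level `on:` directive (inline list or nested mapping)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("on:"):
            block = [line[len("on:"):]]
            for nxt in lines[i + 1:]:
                if nxt and not nxt[0].isspace():  # next top-level key ends the block
                    break
                block.append(nxt)
            return "\n".join(block)
    return ""


def privileged_triggers(text):
    """Sorted list of privileged trigger names present in the workflow's `on:` block."""
    block = on_block(text)
    return sorted(t for t in PRIVILEGED_TRIGGERS if re.search(rf"\b{t}\b", block))


def checkout_steps(text):
    """Yield (step_start_line, step_text) for every step whose `uses:` is actions/checkout."""
    lines = text.splitlines()
    starts = [i for i, l in enumerate(lines) if STEP_START_RE.match(l)]
    for n, start in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(lines)
        step = "\n".join(lines[start:end])
        if re.search(r"uses:\s*actions/checkout@", step):
            yield start + 1, step


def audit_checkout_optin(text):
    """Report each checkout step's fork-PR posture as {line, opted_in, needs_review}.

    needs_review is True when the workflow runs on a privileged trigger AND the step sets
    allow-unsafe-pr-checkout: true; without the opt-in, checkout v7 simply refuses the fork
    checkout, so no privileged code execution from the fork can occur there.
    """
    privileged = bool(privileged_triggers(text))
    report = []
    for line, step in checkout_steps(text):
        opted_in = re.search(r"allow-unsafe-pr-checkout:\s*true", step) is not None
        report.append({"line": line, "opted_in": opted_in, "needs_review": privileged and opted_in})
    return report


if __name__ == "__main__":
    print("privileged triggers:", privileged_triggers(SAMPLE_WORKFLOW))
    for entry in audit_checkout_optin(SAMPLE_WORKFLOW):
        print(entry)
```

On the sample, the first checkout (BrewWikiGen, no opt-in) is reported as safe under v7's default, while the second (opt-in under `pull_request_target`) is marked for review; a workflow whose `on:` has only `push` yields no privileged triggers and nothing to review.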
I think I'd rather merge #7150 to not deal with the breaking changes of checkout v7 and you forgot to update the comments that reference the version.

Fine with me 👍
Description of the proposed changes
Update remaining workflow actions. Recently the syntax-check workflow started to fail, see also:
Fixed with:
Then we ran into this:
Testing done on the proposed changes
Unfortunately it is not really possible to test workflows locally.
Summary by CodeRabbit