
ci(actions): Update GitHub Actions to latest versions #2377

Open
tintinhamans wants to merge 8 commits into TheSuperHackers:main from tintinhamans:arctic/github-actions-update

Conversation


@tintinhamans tintinhamans commented Mar 2, 2026

This pull request updates all GitHub Actions used in the project's workflow YAML files to use exact commit SHA references instead of version tags. This change improves security and reliability by ensuring that workflows always use the intended action versions, preventing unexpected updates or changes from upstream maintainers.

Closes #779

  • Updated all actions/checkout steps to use an explicit commit SHA (de0fac2e4500dabe0009e67214ff5f5447ce83dd for v6.0.2) instead of the @v4 tag across all workflow files.
  • Updated all uses of actions/cache, actions/cache/restore, and actions/cache/save to use commit SHA (cdf6c1fa76f9f475f3d7449005a359c84ca0f306 for v5.0.3) instead of @v4.
  • Updated all actions/upload-artifact and actions/download-artifact steps to use exact commit SHAs (bbbca2ddaa5d8feaa63e36b76fdaad77386f024f for upload v7.0.0, 70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 for download v8.0.0) instead of version tags.
  • Updated softprops/action-gh-release to use a specific commit SHA (a06a81a03ee405af7f2048a818ed3f03bbf83c7b for v2.5.0) instead of @v2.
  • Updated other third-party actions (dorny/paths-filter, ilammy/msvc-dev-cmd, lukka/run-vcpkg) to use commit SHAs instead of tags, ensuring consistent and secure action execution.

Once this is merged, we can implement the following setting to enforce this going forward:

[image: screenshot of the setting]
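The pinning rule the description sets out can be checked mechanically. The Python script below is an added example written for this page; it is not part of the PR or of the TheSuperHackers project. It parses `uses:` lines from workflow text with a regular expression, flags references that are not full 40-character commit SHAs or that carry no `# vX.Y.Z` comment, and compares each pinned SHA with the commit its commented tag resolves to, using `git ls-remote --tags` output supplied by the caller. The workflow snippet and the ls-remote output are constructed for the example: the checkout, cache and action-gh-release SHAs are the ones quoted in this PR, the dorny/paths-filter SHAs are made up to show a stale comment, and the annotated-tag line for checkout is invented to show why the peeled `^{}` line has to win over the bare tag line.

```python
"""Offline pin checker for GitHub Actions `uses:` references.

Added example for this page, not code from the PR or the project.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches "- uses: owner/repo[/sub/path]@ref  # comment". Local ("./x") and
# docker:// references have no "@" in this form and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)(?:/[\w./-]+)?"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Use:
    action: str              # owner/repo; sub-action path dropped (same repo)
    ref: str                 # text after '@': SHA, tag or branch
    comment: Optional[str]   # trailing "# v6.0.2" hint, if present
    line: int


def parse_uses(workflow_text: str) -> List[Use]:
    uses = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            uses.append(Use(f"{m['owner']}/{m['repo']}", m["ref"], m["comment"], lineno))
    return uses


def parse_ls_remote(output: str) -> Dict[str, str]:
    """Map 'refs/tags/<tag>' to a commit SHA from `git ls-remote --tags` output.

    For an annotated tag the bare line carries the tag object's SHA, not the
    commit; the '^{}' (peeled) line carries the commit, so it takes precedence."""
    resolved: Dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split()
        if ref.endswith("^{}"):
            resolved[ref[:-3]] = sha          # peeled: always the commit
        else:
            resolved.setdefault(ref, sha)     # lightweight tag, or placeholder
    return resolved


def check(use: Use, ls_remote_by_action: Dict[str, str]) -> List[str]:
    """Return findings for one `uses:` entry; an empty list means it passes."""
    where = f"line {use.line}: {use.action}"
    if not FULL_SHA_RE.match(use.ref):
        return [f"{where}@{use.ref} is a mutable ref; pin to a full commit SHA"]
    if not use.comment:
        return [f"{where} is pinned but has no version comment; the SHA cannot be reviewed by eye"]
    tags = parse_ls_remote(ls_remote_by_action.get(use.action, ""))
    expected = tags.get(f"refs/tags/{use.comment}")
    if expected is None:
        return [f"{where}: tag {use.comment} not found upstream; comment may be stale"]
    if expected != use.ref:
        return [f"{where}: comment says {use.comment} but that tag is {expected}, not {use.ref}"]
    return []


def audit(workflow_text: str, ls_remote_by_action: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    for use in parse_uses(workflow_text):
        findings.extend(check(use, ls_remote_by_action))
    return findings


# Constructed sample input (not a file from the project).
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  - uses: actions/cache/restore@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
  - uses: actions/upload-artifact@v4
  - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b
  - uses: dorny/paths-filter@0123456789abcdef0123456789abcdef01234567 # v3.0.2
"""

FAKE_TAG_OBJECT = "1" * 40   # constructed: an annotated tag object's SHA

# Constructed `git ls-remote --tags` output per action (not fetched).
SAMPLE_LS_REMOTE = {
    "actions/checkout": (
        f"{FAKE_TAG_OBJECT}\trefs/tags/v6.0.2\n"
        "de0fac2e4500dabe0009e67214ff5f5447ce83dd\trefs/tags/v6.0.2^{}\n"
    ),
    "actions/cache": "cdf6c1fa76f9f475f3d7449005a359c84ca0f306\trefs/tags/v5.0.3\n",
    "dorny/paths-filter": "89abcdef0123456789abcdef0123456789abcdef\trefs/tags/v3.0.2\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW, SAMPLE_LS_REMOTE):
        print(finding)
```

To run this against a real repository, build `ls_remote_by_action` from `subprocess.run(["git", "ls-remote", "--tags", f"https://github.com/{action}"], capture_output=True, text=True).stdout` for each action and pass the concatenated workflow files. The `# vX.Y.Z` comment is the only human-readable record of what a SHA is supposed to be, and the runner never checks it; this comparison is what keeps the comment honest.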

@tintinhamans tintinhamans requested a review from bobtista March 2, 2026 14:18

greptile-apps bot commented Mar 2, 2026

Greptile Summary

This PR hardens the CI/CD pipeline by replacing all floating action version tags (e.g. @v4, @v2) with exact commit SHA references across all six workflow files, preventing silent supply-chain drift and aligning with GitHub's recommended "pin to SHA" security posture. Alongside the pinning, several actions are also upgraded by one or more major versions (e.g. actions/checkout v4 → v6.0.2, actions/cache v4 → v5.0.3, actions/upload-artifact v4 → v7.0.0, actions/download-artifact v4 → v8.0.0).

Key observations:

  • Unresolved artifact version mismatch: actions/upload-artifact is pinned at v7.0.0 while actions/download-artifact is pinned at v8.0.0. These two actions share a storage format contract and GitHub's documentation requires them to be on the same major version. This mismatch spans multiple workflow boundaries (build-toolchain.yml → check-replays.yml and build-toolchain.yml → weekly-release.yml), and was flagged in a prior review thread but has not been addressed in this PR.
  • Multi-major-version upgrades: actions/checkout skips v5 entirely (v4 → v6.0.2) and actions/upload-artifact jumps three major versions (v4 → v7.0.0). While these upgrades appear intentional per the PR description, they go beyond pure SHA-pinning and could introduce subtle behavioral changes.
  • The shared SHA cdf6c1fa76f9f475f3d7449005a359c84ca0f306 for actions/cache, actions/cache/restore, and actions/cache/save is correct — all three are sub-actions within the same repository pinned at the same commit.
  • Third-party actions (dorny/paths-filter, ilammy/msvc-dev-cmd, lukka/run-vcpkg, softprops/action-gh-release) are pinned within their existing major versions, which is the safest pattern.

Confidence Score: 3/5

  • This PR is safe to merge for the pinning improvements, but the unresolved upload/download artifact major-version mismatch (v7 vs v8) across workflow boundaries poses a real risk of silent artifact resolution failures at runtime.
  • The security goal of SHA pinning is well-executed and consistent across all six files. However, the actions/upload-artifact (v7) / actions/download-artifact (v8) mismatch was flagged in a prior review thread and remains unaddressed. These two actions share a cross-job artifact storage contract, and a major-version mismatch can silently break artifact downloads. Additionally, actions/checkout jumps two major versions (v4 → v6) and actions/upload-artifact jumps three (v4 → v7), which goes beyond pure pinning and introduces upgrade risk. Score reflects the unresolved known issue and the multi-major-version upgrades that warrant careful validation.
  • build-historical.yml, build-toolchain.yml, check-replays.yml, and weekly-release.yml all participate in the upload-artifact v7 / download-artifact v8 cross-workflow mismatch and deserve close attention.

Important Files Changed

  • .github/workflows/build-historical.yml: Pins checkout (v4→v6.0.2), cache (v4→v5.0.3), upload-artifact (v4→v7.0.0), download-artifact (v4→v8.0.0), and softprops/action-gh-release (v2→v2.5.0) to explicit SHAs; upload/download artifact major version mismatch (v7 vs v8) remains unresolved per previous thread.
  • .github/workflows/build-toolchain.yml: Pins checkout (v4→v6.0.2), cache/restore/save (v4→v5.0.3), ilammy/msvc-dev-cmd (v1→v1.13.0), lukka/run-vcpkg (v11→v11.5), and upload-artifact (v4→v7.0.0) to explicit SHAs; same SHA correctly reused for cache, cache/restore, and cache/save sub-actions.
  • .github/workflows/check-replays.yml: Pins checkout (v4→v6.0.2), download-artifact (v4→v8.0.0), cache (v4→v5.0.3), and upload-artifact (v4→v7.0.0) to explicit SHAs; the download-artifact (v8) here consumes artifacts produced by build-toolchain.yml's upload-artifact (v7), contributing to the cross-workflow version mismatch.
  • .github/workflows/ci.yml: Pins checkout (v4→v6.0.2) and dorny/paths-filter (v3→v3.0.2) to explicit SHAs; both are same-major-version pins for dorny, a straightforward and low-risk change.
  • .github/workflows/validate-pull-request.yml: Single change: pins checkout (v4→v6.0.2) to an explicit SHA; no other actions present in the diff, straightforward change.
  • .github/workflows/weekly-release.yml: Pins checkout (v4→v6.0.2), download-artifact (v4→v8.0.0), and softprops/action-gh-release (v2→v2.5.0) to explicit SHAs; download-artifact v8 consumes artifacts from build-toolchain.yml's upload-artifact v7, part of the same cross-workflow mismatch.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    subgraph Actions ["GitHub Actions — Pinned SHA Versions"]
        CO["actions/checkout\nde0fac2e… (v6.0.2)"]
        CA["actions/cache + /restore + /save\ncdf6c1fa… (v5.0.3)"]
        UA["actions/upload-artifact\nbbbca2dd… (v7.0.0)"]
        DA["actions/download-artifact\n70fc10c6… (v8.0.0)"]
        GR["softprops/action-gh-release\na06a81a0… (v2.5.0)"]
        MS["ilammy/msvc-dev-cmd\n0b201ec7… (v1.13.0)"]
        PF["dorny/paths-filter\nde90cc6f… (v3.0.2)"]
        VC["lukka/run-vcpkg\n5e0cab20… (v11.5)"]
    end

    subgraph Workflows
        BH[".github/workflows/build-historical.yml"]
        BT[".github/workflows/build-toolchain.yml"]
        CR[".github/workflows/check-replays.yml"]
        CI[".github/workflows/ci.yml"]
        VP[".github/workflows/validate-pull-request.yml"]
        WR[".github/workflows/weekly-release.yml"]
    end

    BH --> CO & CA & UA & DA & GR
    BT --> CO & CA & UA & MS & VC
    CR --> CO & CA & UA & DA
    CI --> CO & PF
    VP --> CO
    WR --> CO & DA & GR

    UA -. "v7 uploads" .-> ArtStore[(Artifact Storage)]
    DA -. "v8 downloads ⚠️" .-> ArtStore

    style DA fill:#ffcccc,stroke:#cc0000
    style UA fill:#ffe0b2,stroke:#e65100
    style ArtStore fill:#fff9c4,stroke:#f9a825

Last reviewed commit: 42d6406

@tintinhamans tintinhamans requested a review from OmniBlade March 6, 2026 00:52
@tintinhamans tintinhamans force-pushed the arctic/github-actions-update branch from b87d91a to bc4cd05 on March 10, 2026 08:36
Signed-off-by: tintinhamans <5984296+tintinhamans@users.noreply.github.com>
@tintinhamans tintinhamans force-pushed the arctic/github-actions-update branch from bc4cd05 to 97d917a on March 10, 2026 08:38
@tintinhamans tintinhamans force-pushed the arctic/github-actions-update branch from 97d917a to 42d6406 on March 10, 2026 08:44
Comment on .github/workflows/build-historical.yml, lines 207 to 221
@@ -218,14 +218,14 @@ jobs:
steps:
- name: Download Generals Artifact
if: ${{ github.event.inputs.game == 'Generals' || github.event.inputs.game == 'Both' }}
uses: actions/download-artifact@v4
uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
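Review bot: the `# v8.0.0` trailer on the new `uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3` line is a comment only; the runner resolves the SHA and nothing verifies that the comment still describes it, so before merging confirm that this SHA is the commit `refs/tags/v8.0.0` peels to (`git ls-remote --tags https://github.com/actions/download-artifact v8.0.0` lists both the tag and its `^{}` commit for an annotated tag) and keep SHA and comment updated together; Dependabot and Renovate do this automatically when the comment keeps this exact `# vX.Y.Z` form. Separately, the step moves from `@v4` to v8.0.0 in one change while the `if:` guard on `github.event.inputs.game` is left untouched; check the release notes for the skipped majors for renamed or removed inputs on this step before relying on it.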

Mismatched upload-artifact / download-artifact major versions

actions/upload-artifact is pinned at v7 (bbbca2ddaa5d8feaa63e36b76fdaad77386f024f) while actions/download-artifact is pinned at v8 (70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3). These are paired actions maintained in the same repository, and GitHub's own documentation explicitly states that the download action version should match the upload action version. A major-version mismatch can cause download steps to silently fail or be unable to resolve artifact metadata produced by a different storage format.

This same pairing concern affects every workflow where artifacts cross job boundaries:

  • .github/workflows/build-historical.yml lines 207 & 221/228 (upload v7 → download v8 in create-release)
  • .github/workflows/build-toolchain.yml line 201 (upload v7) — artifacts consumed by check-replays.yml line 39 (download v8) and weekly-release.yml lines 154/165 (download v8)

Both actions should be pinned to the same major version. Either align everything on upload-artifact v7 + download-artifact v7, or upload-artifact v8 + download-artifact v8.


@tintinhamans (Author)

Are you sure this is an issue? I haven't seen this guidance anywhere to match versions - I'm using the latest tags for both.


You're absolutely right, and I apologize for the confusion. After reviewing both the upload-artifact and download-artifact documentation, there's no requirement for matching major versions between the two actions.

The key compatibility requirement is that download-artifact v4+ cannot download artifacts created by upload-artifact v3 or earlier due to the backend architecture change. But within the v4+ family (which includes v7 and v8), the actions are compatible with each other.

Both actions you're using:

  • upload-artifact@v7.0.0 - uses the v4+ architecture
  • download-artifact@v8.0.0 - uses the v4+ architecture

These are fully compatible. The version differences (v7 vs v8) mainly reflect Node.js runtime updates and incremental features, not breaking changes to the artifact storage format.

My original comment was incorrect, and I apologize for the confusion this caused. Your workflow configuration is fine as-is.

@tintinhamans tintinhamans (Author)

> .github/workflows/build-historical.yml, check-replays.yml, and weekly-release.yml all participate in the upload-artifact v7 / download-artifact v8 mismatch and warrant a quick check.

@greptileai, this is correct - they are both the latest tags for those actions.


greptile-apps bot commented Mar 10, 2026

Got it. The version mismatch between upload-artifact v7 and download-artifact v8 is expected since they're the latest versions of each action. They can have different version numbers even though they work together. Thanks for confirming!


Development

Successfully merging this pull request may close these issues.

GitHub workflow actions hardening
