Skip to content

ci: Updated all the GitHub Actions#3277

Open
agsaru wants to merge 1 commit into
Netflix:masterfrom
agsaru:action
Open

ci: Updated all the GitHub Actions#3277
agsaru wants to merge 1 commit into
Netflix:masterfrom
agsaru:action

Conversation

@agsaru

@agsaru agsaru commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

PR Type

  • Bug fix
  • New feature
  • Core Runtime change (higher bar -- see CONTRIBUTING.md)
  • Docs / tooling
  • Refactoring

Summary

This PR updates all the GitHub Actions to use latest release versions.
Pinned commit SHAs rather than version tags.

Copilot AI review requested due to automatic review settings June 18, 2026 16:50
Copilot AI reviewed Jun 18, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@greptile-apps

greptile-apps Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR upgrades all GitHub Actions across 8 workflow files to use immutable commit SHA pins instead of mutable version tags, improving supply-chain security. It also bumps several actions to newer major versions (e.g., actions/checkout v6→v7, github/codeql-action v2→v4, dorny/test-reporter v1→v3, codecov/codecov-action v5→v7).

  • All mutable @vN tags are replaced with full 40-character commit SHAs annotated with a version comment, which is the recommended practice for pinning third-party actions.
  • actions/upload-artifact is bumped to v7.0.1 while actions/download-artifact is bumped to v8.0.1 — a major-version mismatch in ux-tests.yml that may break artifact exchange between jobs in the coverage-report workflow.

Confidence Score: 4/5

Safe to merge for all workflows except ux-tests.yml, where the upload/download artifact version mismatch could silently break the coverage-report job.

The upload-artifact (v7) and download-artifact (v8) actions are at different major versions in ux-tests.yml. GitHub has previously required these two actions to share the same major version (the v3→v4 migration broke cross-version artifact reads), so this mismatch could cause the coverage-report job to fail to retrieve any artifacts uploaded by earlier jobs.

.github/workflows/ux-tests.yml — the upload-artifact/download-artifact major-version mismatch should be resolved before merging.

Important Files Changed

Filename Overview
.github/workflows/ux-tests.yml SHA-pins all actions correctly, but uses upload-artifact@v7.0.1 while download-artifact@v8.0.1 is used in the coverage-report job — a major-version mismatch that may break artifact transfer between jobs.
.github/workflows/codeql.yml Upgrades checkout from mutable @v6 tag (which didn't correspond to a real release) to SHA-pinned v7.0.0, and bumps codeql-action from v2 to v4.36.2 — all three action steps use the same SHA for consistency.
.github/workflows/full-stack-test.yml Replaces mutable @v6 tag with SHA-pinned checkout@v7.0.0; straightforward and consistent with the rest of the PR.
.github/workflows/metaflow.s3_tests.minio.yml Upgrades checkout SHA to v7.0.0; setup-python SHA unchanged (same commit hash as before), only comment formatting adjusted.
.github/workflows/publish.yml Upgrades checkout to v7.0.0 and pypa/gh-action-pypi-publish from v1.13.0 to v1.14.0; setup-python SHA unchanged.
.github/workflows/test-card-build.yml Replaces mutable @v6 tags with SHA-pinned checkout@v7.0.0 and setup-node@v6.4.0.
.github/workflows/test-stubs.yml Upgrades checkout to SHA-pinned v7.0.0 and nick-fields/retry from mutable @v2 to SHA-pinned v4.0.0.
.github/workflows/test.yml Upgrades checkout to SHA-pinned v7.0.0; setup-python and pre-commit/action SHAs are unchanged, only formatting adjusted.

Reviews (1): Last reviewed commit: "Updated github actions" | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Jun 18, 2026
View reviewed changes
Comment thread .github/workflows/ux-tests.yml
Comment on lines +411 to +417
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
with:
pattern: coverage-*
path: coverage-artifacts/

- name: Download test results from all backends
uses: actions/download-artifact@v4
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1

@greptile-apps greptile-apps Bot Jun 18, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 upload-artifact and download-artifact major version mismatch

Artifacts are uploaded with upload-artifact@v7.0.1 but downloaded with download-artifact@v8.0.1. GitHub has historically required these two actions to use the same major version (the v3→v4 migration, for example, required upgrading both simultaneously because the storage format changed). If the artifact schema changed between v7 and v8, the download-artifact step in the coverage-report job will fail to find or decode the artifacts produced by the earlier jobs, silently breaking coverage reporting.

@agsaru agsaru mentioned this pull request Jun 18, 2026
Open
5 tasks
@codecov

codecov Bot commented Jun 18, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (master@5cdcc70). Learn more about missing BASE report.

Additional details and impacted files 
@@            Coverage Diff            @@
##             master    #3277   +/-   ##
=========================================
  Coverage          ?   30.34%           
=========================================
  Files             ?      381           
  Lines             ?    52551           
  Branches          ?     9273           
=========================================
  Hits              ?    15946           
  Misses            ?    35427           
  Partials          ?     1178

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments
Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@agsaru