ci: Bump GitHub Actions to latest versions #5078

Open
lgritz wants to merge 1 commit into AcademySoftwareFoundation:main from lgritz:lg-bumpactions
lgritz (Collaborator) commented Mar 9, 2026

Update action version pins to their latest releases, referenced by full commit hash with version tag as a comment. Except for a couple, as noted below.

| Action                              | Old        | New        |
|-------------------------------------|------------|------------|
| actions/checkout                    | v4.2.2     | v4.3.0     |
| actions/upload-artifact             | v4.5.0     | v7.0.0     |
| actions/download-artifact           | v4.1.8     | v8.0.0     |
| actions/setup-python                | v5.2.0     | v6.2.0     |
| pypa/cibuildwheel                   | v3.2.1     | v3.4.0     |
| pypa/gh-action-pypi-publish         | release/v1 | v1.13.0    |
| sonarsource/sonarqube-scan-action   | v6.0.0     | v7.0.0     |
| ossf/scorecard-action               | v2.3.1     | v2.4.3     |
| github/codeql-action/upload-sarif   | v2.3.6     | v3.32.6    |
| sigstore/gh-action-sigstore-python  | v3.0.0     | v3.2.0     |
| jmertic/slack-release-notifier      | main       | 0.1        |

Note that all are locked down to hashes now, including a couple which hadn't been previously.

We wish we could upgrade actions/checkout all the way to the latest versions. But in both cases, they require nodejs 24, which in turn needs a glibc that's too new for our ASWF VFX Platform 2022 containers. So we're going to have to keep them locked to old versions until we're ready to retire the 2022 containers, which we hope is soon. The checkout action is upgraded from 4.2.2 to 4.3.0 only, instead of the latest 6.0.2, and the cache actions had to remain on 4.3.0 as it was before, instead of upgrading to the latest, 5.0.3.

The initial gruntwork of tracking down the latest versions and upgrading was done by Claude Code using the Sonnet 4.6 model using the following prompt:

```
For all the workflows in @.github/workflows/ , check every action
version reference to see if it is using the latest release
version. Upgrade any that are not the latest. Be sure to refer to the
action by full hash, not version number (but put the corresponding
version number as a comment).
```

That upgraded everything possible without me needing to track down each action myself, though it was only a partial solution: the newest actions failed on the old containers (as noted above) and it took me a while to sort out by hand which ones needed to be held back to run on the old containers. So Claude helped with the first 80% and then I did the remaining 80% of the work.

Assisted-By: Claude Sonnet 4.6 noreply@anthropic.com

Update action version pins to their latest releases, referenced by
full commit hash with version tag as a comment. Except for
a couple, as noted below.

| Action                              | Old        | New        |
|-------------------------------------|------------|------------|
| actions/checkout                    | v4.2.2     | v4.3.0     |
| actions/upload-artifact             | v4.5.0     | v7.0.0     |
| actions/download-artifact           | v4.1.8     | v8.0.0     |
| actions/setup-python                | v5.2.0     | v6.2.0     |
| pypa/cibuildwheel                   | v3.2.1     | v3.4.0     |
| pypa/gh-action-pypi-publish         | release/v1 | v1.13.0    |
| sonarsource/sonarqube-scan-action   | v6.0.0     | v7.0.0     |
| ossf/scorecard-action               | v2.3.1     | v2.4.3     |
| github/codeql-action/upload-sarif   | v2.3.6     | v3.32.6    |
| sigstore/gh-action-sigstore-python  | v3.0.0     | v3.2.0     |
| jmertic/slack-release-notifier      | main       | 0.1        |

Note that all are locked down to hashes now, including a couple which
hadn't been previously.

We wish we could upgrade actions/checkout all the way to the latest
versions. But in both cases, they require nodejs 24, which in turn
needs a glibc that's too new for our ASWF VFX Platform 2022
containers. So we're going to have to keep them locked to old versions
until we're ready to retire the 2022 containers, which we hope is
soon. The checkout action is upgraded from 4.2.2 to 4.3.0 only, instead
of the latest 6.0.2, and the cache actions had to remain on 4.3.0 as
it was before, instead of upgrading to the latest, 5.0.3.

The initial gruntwork of tracking down the latest versions and
upgrading was done by Claude Code using the Sonnet 4.6 model using the
following prompt:
```
For all the workflows in @.github/workflows/ , check every action
version reference to see if it is using the latest release
version. Upgrade any that are not the latest. Be sure to refer to the
action by full hash, not version number (but put the corresponding
version number as a comment).
```

That upgraded everything possible without me needing to track down
each action myself, though it was only a partial solution: the newest
actions failed on the old containers (as noted above) and it took me a
while to sort out by hand which ones needed to be held back to run on
the old containers. So Claude helped with the first 80% and then I did
the remaining 80% of the work.

Signed-off-by: Larry Gritz <lg@larrygritz.com>
Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>