Bump GitHub Actions across major versions #5755
poutine found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
| extensions: mbstring, intl | ||
|
|
||
| - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 | ||
| - uses: "ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda" # v4.0.0 |
|
|
||
| - name: "Install compiler dependencies" | ||
| uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 | ||
| uses: "ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda" # v4.0.0 |
|
|
||
| - name: "Install Box dependencies" | ||
| uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 | ||
| uses: "ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda" # v4.0.0 |
| run: "composer config autoloader-suffix PHPStanChecksum" | ||
|
|
||
| - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 | ||
| - uses: "ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda" # v4.0.0 |
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | ||
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 |
| php-version: "8.2" | ||
|
|
||
| - uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 | ||
| - uses: "ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda" # v4.0.0 |
|
|
||
| - name: "Install Box dependencies" | ||
| uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3 | ||
| uses: "ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda" # v4.0.0 |
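Review bot: The `uses:` line of this "Install Box dependencies" step, like the other ramsey/composer-install lines above it, is tied to a release only by the trailing `# v4.0.0` comment, and nothing in the workflow checks that comment against the SHA. Please confirm the new SHA resolves to the upstream v4.0.0 tag, and since this is a major bump from v3, check that any `with:` inputs these steps pass are still accepted.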
3219cf0 to 6dd1a79
| AWS_SECRET_ACCESS_KEY: ${{ secrets.APIREF_AWS_SECRET_ACCESS_KEY }} | ||
|
|
||
| - uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 | ||
| - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 |
| - name: 'Get Previous tag' | ||
| id: previoustag | ||
| uses: "WyriHaximus/github-action-get-previous-tag@04e8485ecb6487243907e330d522ff60f02283ce" # v1.4.0 | ||
| uses: "WyriHaximus/github-action-get-previous-tag@61819f33034117e6c686e6a31dba995a85afc9de" # v2.0.0 |
| - name: "Find existing PR comment" | ||
| id: find-comment | ||
| uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0 | ||
| uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0 |
| - name: "Mark comment as running" | ||
| if: steps.find-comment.outputs.comment-id != '' | ||
| uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 | ||
| uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 |
|
|
||
| - name: Comment PR | ||
| uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 | ||
| uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 |
|
|
||
| - name: Comment PR | ||
| uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 | ||
| uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 |
| - name: "Create Pull Request" | ||
| id: create-pr | ||
| uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 | ||
| uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 |
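Review bot: On the `uses:` line of the "Create Pull Request" step, peter-evans/create-pull-request goes from v6.1.0 to v8.1.1, skipping v7 entirely, so two sets of breaking changes land at once. The step carries `id: create-pr`, which means later steps read its outputs; please check the v7 and v8 release notes for renamed inputs or outputs and record the result in the PR, because a renamed output comes back as an empty string rather than failing the job.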
Major-version bumps, grouped separately so CI can shake out any breaking changes in isolation. All actions remain pinned to commit SHAs:

- actions/cache (+ /restore, /save) v4.3.0 -> v5.0.5
- actions/download-artifact v4.3.0 -> v8.0.1
- actions/upload-artifact v4.6.2 -> v7.0.1
- actions/github-script v7.1.0 -> v9.0.0
- actions/setup-node v4.4.0 -> v6.4.0
- astral-sh/setup-uv v7.3.0 -> v8.1.0
- boostsecurityio/poutine-action v0.15.2 -> v1.1.4
- crazy-max/ghaction-import-gpg v6.3.0 -> v7.0.0
- dorny/paths-filter v3.0.2 -> v4.0.1
- peter-evans/create-or-update-comment v4.0.0 -> v5.0.0
- peter-evans/create-pull-request v6.1.0 -> v8.1.1
- peter-evans/find-comment v3.1.0 -> v4.0.0
- peter-evans/repository-dispatch v3.0.0 -> v4.0.1
- stefanzweifel/git-auto-commit-action v5.2.0 -> v7.1.0
- WyriHaximus/github-action-get-previous-tag v1.4.0 -> v2.0.0

download-artifact v5 changed single by-ID downloads to extract directly into `path` instead of nesting under the artifact name. The "Download old artifact by ID" step in phar.yml relied on the nested layout, so pin its `path` to phar-file-checksum to keep phar-file-checksum/phpstan.phar where the following step expects it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
6dd1a79 to 3bdeea0
| name: Import GPG key | ||
| id: import-gpg | ||
| uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 | ||
| uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0 |
| - name: "Commit PHAR - tag" | ||
| if: "startsWith(github.ref, 'refs/tags/')" | ||
| uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0 | ||
| uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0 |
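Review bot: The "Commit PHAR - tag" step is gated by `if: "startsWith(github.ref, 'refs/tags/')"`, so the pull-request CI run never executes the bumped stefanzweifel/git-auto-commit-action, and the jump from v5.2.0 to v7.1.0 will first be exercised on a real tag push. Suggest running the workflow against a throwaway tag on a fork before the next release so a break in this step does not surface mid-release.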
Unwrap the three actions/download-artifact steps that were run through Wandalen/wretry.action (attempt_limit 5, attempt_delay 1000) back into plain steps. All three download by name, so the v5+ by-ID path change does not apply.

The reflection-golden-test.yml step was still on the moving actions/download-artifact@v4 tag (nested inside the wretry action: input, so it escaped the SHA pinning); pin it to the v8.0.1 SHA used everywhere else.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
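The commit message above describes a reference that escaped SHA pinning because it sat in the wretry `action:` input rather than under `uses:`. As an added example (not code from this PR or the project), the check below flags both kinds of reference when they are not a full commit SHA; the sample workflow is constructed and its wretry SHA is a placeholder.

```python
import re

# A reference is `owner/repo[/path]@ref`. It can sit under `uses:` or, for steps
# wrapped in Wandalen/wretry.action, under that action's `action:` input.
REF_RE = re.compile(
    r"""^\s*(?:-\s*)?(?P<key>uses|action)\s*:\s*["']?"""
    r"""(?P<name>[\w.-]+/[\w./-]+)@(?P<ref>[^\s"'#]+)"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: one pinned step, one wrapped step whose inner action
# is on a moving tag, and one local action (no @ref, so out of scope).
SAMPLE = """\
jobs:
  test:
    steps:
      - uses: "ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda" # v4.0.0
      - name: "Download artifact"
        uses: Wandalen/wretry.action@0000000000000000000000000000000000000000 # placeholder SHA
        with:
          action: actions/download-artifact@v4
          attempt_limit: 5
          attempt_delay: 1000
      - uses: ./.github/actions/local-step
"""


def find_unpinned(workflow_text):
    """Return (line_no, key, action, ref) for each ref that is not a 40-hex SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out steps are not executed
        m = REF_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            findings.append((line_no, m.group("key"), m.group("name"), m.group("ref")))
    return findings


if __name__ == "__main__":
    for line_no, key, name, ref in find_unpinned(SAMPLE):
        print(f"line {line_no}: {key}: {name}@{ref} is not pinned to a commit SHA")
```

A scanner that only inspects `uses:` keys would report this sample as fully pinned.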
| - name: "Find PR comment" | ||
| id: find-comment | ||
| uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0 | ||
| uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0 |
| - name: "Post/update PR comment (changes)" | ||
| if: needs.evaluate.outputs.pr-evaluate-exit-code == '2' | ||
| uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 | ||
| uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 |
| - name: "Update PR comment (no changes, only if exists)" | ||
| if: needs.evaluate.outputs.pr-evaluate-exit-code == '0' && steps.find-comment.outputs.comment-id != '' | ||
| uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 | ||
| uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 |
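Review bot: The `if:` on "Update PR comment (no changes, only if exists)" depends on `steps.find-comment.outputs.comment-id`, and both the producer (find-comment, now v4.0.0) and the consumer (create-or-update-comment, now v5.0.0) change major version in this file. If that output were renamed, the expression would evaluate to an empty string and the step would be skipped silently, so please verify on a PR that already has the bot comment that it is still found and updated.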
Major-version bumps for GitHub Actions, split out from the within-major refreshes (committed directly to 2.1.x) so CI can shake out any breaking changes in isolation. All actions remain pinned to commit SHAs.

- `actions/cache` (+ `/restore`, `/save`)
- `actions/download-artifact`
- `actions/upload-artifact`
- `actions/github-script`
- `actions/setup-node`
- `astral-sh/setup-uv`
- `boostsecurityio/poutine-action`
- `crazy-max/ghaction-import-gpg`
- `dorny/paths-filter`
- `peter-evans/create-or-update-comment`
- `peter-evans/create-pull-request`
- `peter-evans/find-comment`
- `peter-evans/repository-dispatch`
- `ramsey/composer-install`
- `stefanzweifel/git-auto-commit-action`
- `WyriHaximus/github-action-get-previous-tag`

Worth a closer look while CI runs

- `upload-artifact` v7 + `download-artifact` v8 are the largest jumps; several workflows upload in one job and download in another, so they need to work as a pair.
- `github-script` v9 and `setup-node` v6 move to a newer Node runtime — check custom inline scripts.
- `ramsey/composer-install` v4 is used in ~30 places; verify its inputs still match.
- `peter-evans/*` majors drive the bot/comment/PR workflows; watch for input renames.
- `actionlint` passes locally (exit 0).

🤖 Generated with Claude Code