ci: bump stale GitHub Actions (pre-empt Dependabot noise) #3073
Closed
hunhoffe wants to merge 1 commit into
Conversation
Pre-emptive sweep of low-risk action version drift so that once Dependabot lands (in #3070) it doesn't open a wave of bump PRs for these on its first weekly run. Conservative scope:

- Bumped to current major/minor:
  - actions/setup-python @v5 -> @v6
  - hendrikmuhs/ccache-action @v1.2 / @v1.2.12 -> @v1 (consolidates two inconsistent pin styles)
  - ilammy/msvc-dev-cmd @v1.4.1 -> @v1
  - ncipollo/release-action @v1.12.0 -> @v1
  - reviewdog/action-suggester @v1.22 -> @v1
  - edumserrano/find-create-or-update-comment @v2 -> @v3
- Pinned a floating tag to a SHA:
  - descriptinc/free-disk-space @main -> a SHA on main as of 2023-09-27 (the latest commit; the action has no releases). @main on a third-party action is a moving target and the largest supply-chain risk in our workflows; the SHA pin is what Scorecard's Pinned-Dependencies check rewards.

Skipped intentionally:

- aminya/setup-cpp* — PR #2030 is in flight on this; not superseding it.
- actions/checkout — already brought current by #2981.
- actions/upload-artifact (@v4 -> @v7) / actions/download-artifact (@v4 -> @v8) / microsoft/setup-msbuild (@v1 -> @v3) / peter-evans/create-pull-request (@v6 -> @v8) / peaceiris/actions-gh-pages (@v3 -> @v4) — major-version jumps with documented breaking changes (artifact-name uniqueness, branching defaults). Safer to let Dependabot open these as individual PRs with changelog links so each can be tested in isolation.

Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>
Summary
Mechanical version bumps for stale third-party Actions, intended to land before Dependabot is enabled (#3070) so its first weekly run doesn't open a wave of bump PRs for these.
Bumped
- actions/setup-python @v5 → @v6
- hendrikmuhs/ccache-action @v1.2 / @v1.2.12 → @v1 (consolidates two inconsistent pin styles)
- ilammy/msvc-dev-cmd @v1.4.1 → @v1
- ncipollo/release-action @v1.12.0 → @v1
- reviewdog/action-suggester @v1.22 → @v1
- edumserrano/find-create-or-update-comment @v2 → @v3
- descriptinc/free-disk-space @main → SHA. @main on a third-party action is a moving target; SHA-pinning removes that supply-chain risk (and is what Scorecard's Pinned-Dependencies check rewards)

Skipped intentionally

- aminya/setup-cpp* — PR #2030 (Revert "[CI] test rollback of setup-cpp action (#2028)") in flight; not superseding it
- actions/checkout — already current via #2981 (ci: update GitHub Actions to Node.js 24-compatible versions)
- actions/upload-artifact (@v4 → @v7), actions/download-artifact (@v4 → @v8), microsoft/setup-msbuild (@v1 → @v3), peter-evans/create-pull-request (@v6 → @v8), peaceiris/actions-gh-pages (@v3 → @v4) — major-version jumps with documented breaking changes (artifact-name uniqueness, branching defaults). Safer to let Dependabot open these as individual PRs with changelog links so each can be tested in isolation
Interaction with other PRs
Touches the same workflow files as wheels: harden supply chain, slim wheels, rehearse PyPI publish #3072 and wheels: PEP 440-compliant versioning for mlir-aie (PyPI prep) #3071 but at non-overlapping line ranges; git auto-merge handles either order cleanly. Independent of Add Dependabot, OSSF Scorecard, and SECURITY.md for supply-chain hygiene #3070.
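The SHA-pinning point under Bumped is worth checking mechanically, both before a sweep like this and on every later workflow change. The script below is an added example, not code from this PR or from the mlir-aie repository: a POSIX shell audit that extracts every uses: reference from a workflow file and classifies it as sha (full 40-hex commit), tag (version tag), floating (branch name, short SHA or any other movable ref) or local (an action inside the repository). The workflow it audits is constructed inline for the example; example-org/example-action, example-org/other-action and the 40-hex SHA on that line are placeholders, not real pins.

```shell
#!/bin/sh
# Added example, not code from PR #3073 or the mlir-aie project: audit the
# `uses:` references in a GitHub Actions workflow and report how each is pinned.
# Only a full 40-hex commit SHA is immutable and is what OpenSSF Scorecard's
# Pinned-Dependencies check rewards; a branch such as @main is a moving target,
# and a version tag can be moved or re-pushed by the action's maintainer.
# The sample workflow below is constructed; the example-org names and the
# SHA they carry are placeholders.

# classify_ref REF -> prints one of: sha | tag | floating | local
classify_ref() {
    ref=$1
    case "$ref" in
        ./*) echo "local"; return ;;   # action checked into this repository
    esac
    version=${ref##*@}
    if [ "$version" = "$ref" ]; then
        echo "floating"                # no @ref at all: resolves to the default branch
    elif printf '%s' "$version" | grep -Eq '^[0-9a-f]{40}$'; then
        echo "sha"
    elif printf '%s' "$version" | grep -Eq '^v?[0-9]+(\.[0-9]+)*$'; then
        echo "tag"                     # mutable, but at least a released version
    else
        echo "floating"                # branch name, short SHA or other movable ref
    fi
}

# list_refs FILE -> the bare value of every `uses:` key, quotes and trailing comments stripped
list_refs() {
    sed -n 's/^[[:space:]-]*uses:[[:space:]]*//p' "$1" |
        sed "s/[[:space:]]*#.*//; s/^[\"']//; s/[\"']\$//"
}

# audit_workflow FILE -> one "<class> <ref>" line per uses: entry
audit_workflow() {
    list_refs "$1" | while read -r ref; do
        printf '%s %s\n' "$(classify_ref "$ref")" "$ref"
    done
}

# count_floating FILE -> number of refs that are neither SHA- nor tag-pinned
count_floating() {
    audit_workflow "$1" | grep -c '^floating '
}

# Constructed sample workflow mixing the pin styles this PR deals with.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
name: sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v6
      - uses: hendrikmuhs/ccache-action@v1.2.12
      - uses: descriptinc/free-disk-space@main          # branch: moving target
      - uses: "example-org/example-action@0123456789abcdef0123456789abcdef01234567"  # placeholder SHA pin
      - uses: ./.github/actions/local-step
      - uses: example-org/other-action@release          # placeholder non-version tag
EOF

audit_workflow "$SAMPLE"
echo "floating refs: $(count_floating "$SAMPLE")"
```

Run it against a real file with audit_workflow .github/workflows/<name>.yml, or gate CI on count_floating returning 0. The script keeps tag separate from floating only because this PR treats version tags as acceptable and @main as the risk to eliminate first; a tag like @v1 is still mutable, so Scorecard's Pinned-Dependencies check credits only the sha class.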