Skip to content

[TASK] Update GitHub Actions to latest versions#1329

Open
CybotTM wants to merge 1 commit into
task/sha-pin-actionsfrom
task/update-actions-latest
Open

[TASK] Update GitHub Actions to latest versions#1329
CybotTM wants to merge 1 commit into
task/sha-pin-actionsfrom
task/update-actions-latest

Conversation

@CybotTM

@CybotTM CybotTM commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Second part of the #1184 split — version updates only, stacked on #1328 so this diff shows nothing but version changes. GitHub retargets it to main automatically once #1328 merges (I'll rebase away the inherited commit then).

Every new SHA was resolved and cross-checked against the GitHub API for its tag. main.yaml is untouched (belongs to #1196) — note this leaves its three actions/cache pins at v5.0.3 until #1196 lands.

Per-action risk assessment

Action From → To Semver Breaking / notable changes Risk for our usage
actions/checkout v6.0.2 → v7.0.0 major Blocks checking out fork PRs in pull_request_target/workflow_run contexts (#2454); ESM migration None — our only pull_request_target workflow (pr-auto-merge.yaml) has no checkout step; all checkout usages run on push/tag/PR events
actions/cache v5.0.3 → v6.1.0 major ESM migration (#1760); v6.1.0 adds read-only cache handling Low — plain path+key usage in split-repositories.yaml, no interface change
dependabot/fetch-metadata v2.3.0 → v3.1.0 major Declared breaking change: requires Node 24 runtime (#671) Noneubuntu-latest provides Node 24; the github-token input and update-type output we use are unchanged
docker/build-push-action v7.0.0 → v7.3.0 minor Low
docker/login-action v4.0.0 → v4.4.0 minor Low
docker/metadata-action v6.0.0 → v6.2.0 minor Low
docker/setup-buildx-action v4.0.0 → v4.2.0 minor Low
docker/setup-qemu-action v4.0.0 → v4.2.0 minor Low
actions/upload-artifact v7.0.0 → v7.0.1 patch docs + typespec runtime fix None
actions/download-artifact v8.0.0 → v8.0.1 patch CJK artifact-name support None

frankdejonge/use-github-token and use-subsplit-publish stay at 1.1.0 — that is their latest release. (Their Node 20 deprecation warning in Publish Sub-split cannot be fixed by any bump; upstream has no Node 24 build yet.)

Verification limits

PR CI cannot exercise most of these workflows: docker.yaml, deploy-azure-assets.yaml run on tag/release only; split-repositories.yaml on push to main; docker-test.yaml only on Dockerfile changes; the two pr-auto-* workflows on Dependabot PRs. First real exercise is the next release/tag and the next Dependabot PR.

Follow-up worth considering (not in this PR): add a github-actions ecosystem to .github/dependabot.yml so these pins stay current automatically.

Updates the pinned actions in the six non-main workflows to their
latest releases (SHAs verified against the GitHub API):

- actions/checkout v6.0.2 -> v7.0.0
- actions/cache v5.0.3 -> v6.1.0
- dependabot/fetch-metadata v2.3.0 -> v3.1.0
- docker/build-push-action v7.0.0 -> v7.3.0
- docker/login-action v4.0.0 -> v4.4.0
- docker/metadata-action v6.0.0 -> v6.2.0
- docker/setup-buildx-action v4.0.0 -> v4.2.0
- docker/setup-qemu-action v4.0.0 -> v4.2.0
- actions/upload-artifact v7.0.0 -> v7.0.1
- actions/download-artifact v8.0.0 -> v8.0.1

main.yaml is left to #1196.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant