-
Notifications
You must be signed in to change notification settings - Fork 253
chore(deps): update github-actions to v7 #3607
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,9 +9,9 @@ jobs: | |
| name: Check Buildah Remote | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6.0.2 | ||
| - uses: actions/checkout@v7.0.0 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] versioning-convention-inconsistency The SHA-pinned files and tag-based files represent two intentionally different management groups. Consider adopting SHA-pinning for the Renovate-managed files as well for supply-chain security. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] patch-version-inconsistency Within the tag-based references, some files use @v7.0.0 (exact patch) while others use @v7 (major only). This mirrors the pre-existing pattern and has no functional impact but could be standardized. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] inconsistent-version-format Mixed version formats within the PR: some files use v7.0.0 (full semver), others use v7 (major-only). This mirrors the pre-existing pattern (v6.0.2 vs v6) preserved by Renovate. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] version-pinning-inconsistency The PR uses tag references (v7, v7.0.0) while some other workflow files use SHA pinning. The modified files already used tag references before this PR, so the convention is maintained. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] version-pinning-convention The repository has two intentionally distinct groups of workflows: templated files using SHA-pinning (in Renovate ignorePaths) and locally-maintained workflows using tag-based references (managed by Renovate). This PR maintains the pre-existing tag-based pattern — no new inconsistency is introduced. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [info] edge cases The v7 breaking change ('Block checking out fork PR for pull_request_target and workflow_run') does not affect any of the six modified workflows, as none use pull_request_target or workflow_run triggers. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] version-pinning-consistency Pre-existing inconsistent version pinning pattern. These 6 locally-managed workflows use tag-based pinning (@v7/@v7.0.0) while externally-templated workflows use SHA hash pinning. Not introduced by this PR. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [medium] action-version-pinning-convention The repository has two groups of workflow files: SHA-pinned versions managed outside Renovate via ignorePaths, and tag-based versions managed by Renovate with automerge. This PR correctly updates the Renovate-managed group from v6 to v7, but perpetuates the tag-vs-SHA inconsistency across all 6 changed files. This is a pre-existing architectural decision, not a defect introduced by this PR. Suggested fix: Consider migrating all workflow files to SHA-pinned versions for supply-chain security consistency. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] version format consistency Inconsistent version tag format within this PR: check-buildah-remote.yaml and go-ci.yaml use v7.0.0 while check-readmes.yaml, check-task-owners.yaml, verify-dead-code.yaml, and yaml-lint.yaml use v7. This mirrors the pre-existing v6.0.2 vs v6 pattern. Suggested fix: Standardize on a single version format (either v7.0.0 or v7) across all non-templated workflow files. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] version-pinning-inconsistency Non-templated workflows use two version pinning patterns: @v7.0.0 (check-buildah-remote.yaml, go-ci.yaml) and @v7 (check-readmes.yaml, check-task-owners.yaml, verify-dead-code.yaml, yaml-lint.yaml). This inconsistency pre-dates this PR — the same files previously used @v6.0.2 vs @v6 respectively. Renovate correctly preserves each file's existing pinning style. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [medium] version-pinning-convention Six workflow files use tag-based action references (@v7, @v7.0.0) while other workflows use SHA-pinned references. This is a pre-existing condition — each file preserves its prior pinning format — but represents an opportunity to standardize for supply-chain security. Suggested fix: Consider SHA-pinning all checkout references (actions/checkout@ # v7.0.0) for consistency with the subset of workflows that already use SHA pins. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] version-pinning-convention Renovate-managed workflow files use tag-based pinning (v7/v7.0.0) rather than SHA-hash pinning used in other workflow files. This is a pre-existing, intentional split confirmed by renovate.json ignorePaths configuration — not a regression introduced by this PR. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] dependency-update-pattern Non-templated workflow files use tag-based action references while templated files use SHA-pinned references with version comments. This creates two different security postures, though the split is pre-existing and likely intentional. |
||
| - name: Install Go | ||
| uses: actions/setup-go@v6.4.0 | ||
| uses: actions/setup-go@v7.0.0 | ||
| with: | ||
| go-version-file: './task-generator/remote/go.mod' | ||
| - name: Check buildah remote | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10,7 +10,7 @@ jobs: | |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check out code | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] version-pinning-consistency The file updates actions/checkout@v6 to v7, maintaining the major-version-only pinning style. The codebase-wide inconsistency is pre-existing and unrelated to this PR. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] version-format-inconsistency Inconsistent version tag format within this PR: some files use v7.0.0 while others use v7. This mirrors the pre-existing pattern (v6.0.2 vs v6) and is not introduced by this PR. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] version-precision-consistency Uses major-only version 'v7' while other files in the PR use 'v7.0.0'. This is a pre-existing inconsistency (was 'v6' vs 'v6.0.2') preserved by Renovate's per-file update strategy, not a regression. Consider standardizing version precision across non-templated workflow files. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] version-precision-consistency Inconsistent version precision within this PR: some files use major-only version (v7) while others use full semantic versions (v7.0.0). This mirrors the pre-existing inconsistency — Renovate preserves each file's original precision style. Cosmetic only. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] versioning-convention Inconsistent action version format: uses @v7 (major-only) while other workflows use @v7.0.0 (full semantic version). This pre-existing inconsistency could be standardized to match the convention used by other actions (e.g., actions/setup-go@v6.4.0). Suggested fix: Change actions/checkout@v7 to actions/checkout@v7.0.0 |
||
|
|
||
| - name: Install oc | ||
| run: | | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10,7 +10,7 @@ jobs: | |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check out code | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] versioning-convention Inconsistent action version format: uses @v7 (major-only) while other workflows use @v7.0.0 (full semantic version). This pre-existing inconsistency could be standardized to match the convention used by other actions (e.g., actions/setup-go@v6.4.0). Suggested fix: Change actions/checkout@v7 to actions/checkout@v7.0.0 |
||
|
|
||
| - name: Check task owners | ||
| run: | | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -14,8 +14,8 @@ jobs: | |
| - task-generator/remote | ||
| - task-generator/trusted-artifacts | ||
| steps: | ||
| - uses: actions/checkout@v6.0.2 | ||
| - uses: actions/setup-go@v6.4.0 | ||
| - uses: actions/checkout@v7.0.0 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [info] version-pinning-consistency The file updates actions/checkout@v6.0.2 to v7.0.0, maintaining the specific patch version pattern consistent with actions/setup-go@v6.4.0. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] version-reference-consistency Inconsistent actions/checkout version format within non-templated workflows. go-ci.yaml and check-buildah-remote.yaml use patch-level tags (@v7.0.0) while check-readmes.yaml, check-task-owners.yaml, verify-dead-code.yaml, and yaml-lint.yaml use major-only tags (@v7). This is a pre-existing inconsistency that Renovate faithfully preserves. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [medium] inconsistent-dependency-versioning The actions/checkout action is pinned inconsistently across workflow files. After this PR merges, the repository will have three different pinning styles: SHA-pinned v6.0.1 (in workflow files excluded from this Renovate group), major version tag v7 (4 files), and full semver v7.0.0 (2 files). This pre-existing inconsistency is perpetuated by the update. Suggested fix: Standardize on one versioning approach across all workflow files managed by Renovate's github-actions group. |
||
| - uses: actions/setup-go@v7.0.0 | ||
| with: | ||
| go-version-file: './${{matrix.path}}/go.mod' | ||
| cache-dependency-path: ./${{matrix.path}}/go.sum | ||
|
|
@@ -33,9 +33,9 @@ jobs: | |
| - task-generator/remote | ||
| - task-generator/trusted-artifacts | ||
| steps: | ||
| - uses: actions/checkout@v6.0.2 | ||
| - uses: actions/checkout@v7.0.0 | ||
| - name: Install Go | ||
| uses: actions/setup-go@v6.4.0 | ||
| uses: actions/setup-go@v7.0.0 | ||
| with: | ||
| go-version-file: './${{matrix.path}}/go.mod' | ||
| cache-dependency-path: ./${{matrix.path}}/go.sum | ||
|
|
@@ -77,8 +77,8 @@ jobs: | |
| - task-generator/remote | ||
| - task-generator/trusted-artifacts | ||
| steps: | ||
| - uses: actions/checkout@v6.0.2 | ||
| - uses: actions/setup-go@v6.4.0 | ||
| - uses: actions/checkout@v7.0.0 | ||
| - uses: actions/setup-go@v7.0.0 | ||
| with: | ||
| go-version-file: './${{matrix.path}}/go.mod' | ||
| cache-dependency-path: ./${{matrix.path}}/go.sum | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10,7 +10,7 @@ jobs: | |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check out code | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] versioning-convention Inconsistent action version format: uses @v7 (major-only) while other workflows use @v7.0.0 (full semantic version). This pre-existing inconsistency could be standardized to match the convention used by other actions (e.g., actions/setup-go@v6.4.0). Suggested fix: Change actions/checkout@v7 to actions/checkout@v7.0.0 |
||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,6 +9,6 @@ jobs: | |
| yamllint: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v7 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [info] edge-case actions/checkout v7.0.0 blocks checking out fork PRs for pull_request_target and workflow_run triggers. None of the 6 modified workflows use those triggers, so this is safe. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [low] versioning-convention Inconsistent action version format: uses @v7 (major-only) while other workflows use @v7.0.0 (full semantic version). This pre-existing inconsistency could be standardized to match the convention used by other actions (e.g., actions/setup-go@v6.4.0). Suggested fix: Change actions/checkout@v7 to actions/checkout@v7.0.0 |
||
| - name: Lint YAML files | ||
| run: yamllint . | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[low] version-pinning-consistency
The file uses actions/checkout@v7.0.0 (specific patch), maintaining per-file consistency with the prior v6.0.2 pin. The codebase-wide inconsistency between major-only and patch-specific pinning is pre-existing.