
chore: pin CI actions to Node-24 majors (checkout v7, setup-uv v8) via SHA #5

Merged
ScottRBK merged 1 commit into main from chore/bump-actions on Jun 27, 2026

Conversation

@ScottRBK

Owner

Resolves the Node 20 deprecation warning surfaced during the v0.1.13 release run.

What changed

Bumped the two flagged actions off their @v4 (Node 20) pins across all three workflows
(ci.yml, build.yml, publish.yml):

| Action | Was | Now |
|---|---|---|
| actions/checkout | @v4 | @9c091bb (v7.0.0) |
| astral-sh/setup-uv | @v4 | @fac544c (v8.2.0) |

Why SHA-pinned

Pinned to full commit SHAs (with # vX.Y.Z comments) rather than floating major tags for
supply-chain hardening. setup-uv v8 deliberately stopped publishing @v8/@v8.0 tags
(citing the tj-actions attack), and publish.yml holds id-token: write for PyPI trusted
publishing — the prime target to harden.

Breaking-change review (none affect us)

  • setup-uv v5→v8: venv auto-activation (v6) and manifest-file format (v8) changes are
    gated behind inputs we don't pass; we invoke it with no inputs.
  • checkout v5→v7: v7's fork-PR guard only applies to pull_request_target / workflow_run
    (neither trigger used here). fetch-depth: 0 (needed by hatch-vcs) is unchanged.

Verification

CI green on this branch (run 28282338236) — checkout + setup-uv ran on Node 24, no deprecation
annotation. build.yml (tag push) and publish.yml (release) can't run from a branch push;
they were reviewed by changelog since they share the same two action pins.

🤖 Generated with Claude Code

Resolves the Node 20 deprecation warning by bumping the two flagged
actions off their @v4 (Node 20) pins across all three workflows:

- actions/checkout    -> v7.0.0 (9c091bb)
- astral-sh/setup-uv  -> v8.2.0 (fac544c)

Pinned to full commit SHAs (with version comments) rather than floating
major tags for supply-chain hardening — setup-uv v8 no longer publishes
@v8/@v8.0 tags for this reason, and publish.yml holds id-token: write
for PyPI trusted publishing. Verified no breaking changes affect our
input-less usage: setup-uv's venv-activation/manifest changes are gated
behind unused inputs, and checkout's v7 fork-PR guard only applies to
pull_request_target/workflow_run, which we don't use. fetch-depth: 0
(needed by hatch-vcs) is unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
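An added example (not code from the PR or the project) of the check the description's pinning rule implies: a Python audit that walks a workflow's `uses:` lines and reports every reference that is still a floating tag or branch, or a full SHA without the `# vX.Y.Z` version comment. The workflow text and the 40-hex SHA in it are constructed for the example.

```python
import re

# Matches `uses: owner/repo@ref  # vX.Y.Z` (also local ./path or docker:// forms).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(?:#\s*(\S*))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v\d+(\.\d+){0,2}$")

# Constructed sample workflow (not one of the PR's files); the 40-hex SHA is a dummy.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@0123456789abcdef0123456789abcdef01234567  # v8.2.0
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

def classify_ref(ref, comment):
    """Classify one action reference the way the PR's pinning rule does."""
    if not FULL_SHA_RE.match(ref or ""):
        return "floating"        # tag or branch (@v4, @main): the maintainer can move it
    if comment is None or not VERSION_COMMENT_RE.match(comment):
        return "sha-no-comment"  # immutable, but nobody can tell which release it is
    return "pinned"              # full SHA plus a human-readable version label

def audit_workflow(text):
    """Return (action, ref, status) for every `uses:` line in a workflow file."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        if target.startswith(("./", "docker://")):
            findings.append((target, None, "local"))  # repo-local or image ref, not a tag pin
            continue
        action, _, ref = target.partition("@")
        findings.append((action, ref or None, classify_ref(ref, comment)))
    return findings

def unpinned(text):
    """Only the references that still need a SHA pin or a version comment."""
    return [f for f in audit_workflow(text) if f[2] in ("floating", "sha-no-comment")]

if __name__ == "__main__":
    for action, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{status:15} {action}@{ref}")
```

The version comment is only a human-readable label; confirming that the SHA really is the commit the tag points at needs a lookup against the action's repository, which this offline check does not do.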
@ScottRBK ScottRBK merged commit ba905be into main Jun 27, 2026
2 checks passed
@ScottRBK ScottRBK deleted the chore/bump-actions branch June 27, 2026 07:46