From 9a8f9acdd1a13179c4b46ae0c4ff7891220fb227 Mon Sep 17 00:00:00 2001 From: Scott Raisbeck Date: Sat, 27 Jun 2026 08:19:47 +0100 Subject: [PATCH] chore: pin CI actions to Node-24 majors via commit SHA MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves the Node 20 deprecation warning by bumping the two flagged actions off their @v4 (Node 20) pins across all three workflows: - actions/checkout -> v7.0.0 (9c091bb) - astral-sh/setup-uv -> v8.2.0 (fac544c) Pinned to full commit SHAs (with version comments) rather than floating major tags for supply-chain hardening — setup-uv v8 no longer publishes @v8/@v8.0 tags for this reason, and publish.yml holds id-token: write for PyPI trusted publishing. Verified no breaking changes affect our input-less usage: setup-uv's venv-activation/manifest changes are gated behind unused inputs, and checkout's v7 fork-PR guard only applies to pull_request_target/workflow_run, which we don't use. fetch-depth: 0 (needed by hatch-vcs) is unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/build.yml | 4 ++-- .github/workflows/ci.yml | 4 ++-- .github/workflows/publish.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 31ec334..cad9071 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,12 +9,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - name: Set up Python 3.12 run: uv python install 3.12 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e2fbc3a..5cfa8f8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,10 +14,10 @@ jobs: python-version: ["3.12"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - name: Set up Python ${{ matrix.python-version }} run: uv python install ${{ matrix.python-version }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 6f643f5..fe4df36 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -12,12 +12,12 @@ jobs: id-token: write # Required for trusted publishing steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Install uv - uses: astral-sh/setup-uv@v4 + uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - name: Build package run: uv build