chore(ci): bump pinned-by-tag actions to latest majors #14
Merged
Bundles the five GitHub Actions dependabot bumps so they land as a single CI-validated unit instead of five separate force-rebases:

- actions/upload-artifact v4 → v7 (#3)
- actions/cache v4 → v5 (#4)
- github/codeql-action/* v3 → v4 (#5)
- actions/attest-build-provenance v2 → v4 (#6)
- peter-evans/create-pull-request v6 → v8 (#2)

Only loose @vn tag pins are touched. SHA-pinned action references (scorecard.yml upload-artifact v7.0.1, scorecard.yml codeql-action v4.35.3, helm-release.yml upload-artifact v4.4.3) are left intact — those were intentionally pinned at specific points for supply-chain hardening and will be updated independently when their pins next roll.

actionlint passes; only pre-existing shellcheck info-level findings in unrelated script blocks (SC2086 / SC2129) which the linter has been emitting since before the bump.

upload-artifact v5 dropped the implicit same-name-merge behavior; our usages already use uniquely-namespaced artifact names (matrix.platform, env.VERSION, etc.) so no callsite needs adjustment.

actions/cache v5 tightens cache-key validation but our keys are already conservative hashes of Cargo.lock / requirements.txt etc.

Closes dependabot PRs #2, #3, #4, #5, #6.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Cliftonz added a commit that referenced this pull request May 26, 2026
All four docs-quality.yml checks were failing on every PR before any of the in-flight PRs even touched the surface. They surfaced when PR #13 / #14 / #15 ran and exposed main's state to scrutiny.

Spell check (codespell): Add three entries to .codespellignore.

- `dokcer` — intentional typo example in docs/adding-tools.md and docs/llms-full.txt demonstrating the fuzzy-suggest feature catching `dokcer` → `docker`. Without the ignore, every PR that touches those docs fails the spell check on a string that is supposed to be a typo.
- `iterm` — proper noun for the iTerm2 macOS terminal app, used in docs/adding-tools.md.
- `unparseable` — alternative spelling of `unparsable` used in docs/release-quirks-jarvy.md (pre-existing).

Link check (lychee): `exclude_mail` was removed in lychee 0.22 — the inverse `include_mail` now controls this behavior. Default is to skip mailtos, so the directive becomes `include_mail = false` to preserve the prior behavior. Without the fix lychee errors at config parse time with exit code 3 and never checks any links.

README ↔ values.schema invariants: The grep -F "^https://" invariant test was looking for the literal string `^https://` in the helm chart README. The schema pattern uses `^(|https://...)$` which contains `(|https` between the `^` and the `https`, so the substring match failed. Added a prose mention "URL must start with `^https://`" inside the endpoint-pattern bullet so the invariant has the literal substring to find without changing the schema or the human-readable description.

Vale prose lint: `vale-action@v2` periodically fails at `loadStyles` with `E100 Runtime error` and exits 2 before any docs are checked. The linter's content findings are already advisory via `fail_on_error: false`; add `continue-on-error: true` at the step level so the workflow doesn't block on an infra hiccup in the vendored vale toolchain. Real findings still surface via reviewdog annotations when loadStyles succeeds.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Bundles the five GitHub Actions dependabot bumps so they land as a single CI-validated unit instead of five separate force-rebases:

- actions/upload-artifact v4 → v7 (chore(ci): bump actions/upload-artifact from 4 to 7 #3)
- actions/cache v4 → v5 (chore(ci): bump actions/cache from 4 to 5 #4)
- github/codeql-action/* v3 → v4 (chore(ci): bump github/codeql-action from 3 to 4 #5)
- actions/attest-build-provenance v2 → v4 (chore(ci): bump actions/attest-build-provenance from 2 to 4 #6)
- peter-evans/create-pull-request v6 → v8 (chore(ci): bump peter-evans/create-pull-request from 6 to 8 #2)

Only loose @vN tag pins are touched. SHA-pinned action references (scorecard.yml upload-artifact v7.0.1, scorecard.yml codeql-action v4.35.3, helm-release.yml upload-artifact v4.4.3) are left intact — those were intentionally pinned at specific points for supply-chain hardening and will be updated independently when their pins next roll.

Risk notes
- upload-artifact v5 dropped implicit same-name-merge behavior. Our usages already use uniquely-namespaced artifact names (matrix.platform, env.VERSION, etc.) so no callsite needs adjustment.
- actions/cache v5 tightens cache-key validation. Our keys are already conservative hashes of Cargo.lock / requirements.txt etc.
- actionlint passes; only pre-existing shellcheck info-level findings in unrelated run: blocks (SC2086 / SC2129) — the linter has been emitting those since before this bump.

Test plan
- actionlint .github/workflows/*.yml

Closes #2
Closes #3
Closes #4
Closes #5
Closes #6
🤖 Generated with Claude Code
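
The split this PR relies on, loose `@vN` tag pins versus SHA-pinned references, can be checked mechanically before and after a bulk bump. The following is an added example, not code from this repository: the function names, the sample workflow and the 40-hex SHA are constructed for illustration, and the rewrite step only mirrors the rule "touch loose majors, leave SHA pins intact".

```python
import re

# `uses: owner/repo[/path]@ref`, optionally a list item, quoted, or followed by a comment.
USES_RE = re.compile(
    r"^(?P<head>\s*(?:-\s+)?uses:\s*['\"]?)(?P<action>[\w.-]+/[\w.-]+)(?P<path>/[^@\s]*)?"
    r"@(?P<ref>[^\s'\"#]+)(?P<tail>.*)$"
)
FULL_SHA = re.compile(r"[0-9a-f]{40}")
LOOSE_MAJOR = re.compile(r"v\d+")

def classify(ref):
    """'sha' for an immutable commit pin, 'major-tag' for a loose @vN pin, else 'other'."""
    if FULL_SHA.fullmatch(ref):
        return "sha"
    return "major-tag" if LOOSE_MAJOR.fullmatch(ref) else "other"

def audit(workflow_text):
    """List (line_number, action, ref, kind) for every remote `uses:` reference."""
    rows = []
    for number, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action = m["action"] + (m["path"] or "")
            rows.append((number, action, m["ref"], classify(m["ref"])))
    return rows

def bump_loose_majors(workflow_text, new_majors):
    """Rewrite only loose @vN pins for repos in new_majors; SHA pins stay untouched."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and classify(m["ref"]) == "major-tag" and m["action"] in new_majors:
            line = (m["head"] + m["action"] + (m["path"] or "")
                    + "@" + new_majors[m["action"]] + m["tail"])
        out.append(line)
    return "\n".join(out)

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
steps:
  - uses: actions/cache@v4
  - uses: github/codeql-action/init@v3
  - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v7.0.1
  - uses: ./.github/actions/local-build
"""
NEW_MAJORS = {"actions/cache": "v5", "github/codeql-action": "v4",
              "actions/upload-artifact": "v7"}
```

Running `audit` on each workflow before and after the bump and diffing the rows whose kind is `sha` confirms that no SHA-pinned reference moved.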