fix: correct GitHub Actions version comments to match commit SHAs #2
Conversation
- Updated actions/setup-go from v5.2.0 to v6.1.0 - Updated golangci-lint-action from v6.5.0 to v9.2.0 - Updated astral-sh/setup-uv from v6.0.1 to v7.1.6 - Updated actions/setup-python from v5.3.0 to v6.1.0 - Updated lychee-action from v2.3.0 to v2.7.0 - Updated action-gh-release from v2.2.1 to v2.5.0 - Updated pnpm/action-setup from incorrect v6.0.1 to v4.2.0 - Updated actions/setup-node from v6.0.1 to v6.1.0 - Updated codecov-action from v5.4.2 to v5.5.2 - Updated upload-pages-artifact from v3.0.1 to v4.0.0 - Fixed download-artifact from incorrect v6.0.1 to correct v4.1.8 - Fixed deploy-pages from incorrect v6.0.1 to correct v4.0.5 - Updated version comments in sync-labels.yml with correct dates Co-authored-by: zircote <307960+zircote@users.noreply.github.com>
|
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details. Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
There was a problem hiding this comment.
Pull request overview
This PR attempts to fix mismatches between GitHub Actions commit SHAs and their version comments across workflow files. However, the PR contains several critical issues that need to be addressed.
Key Changes
- Updates version comments for multiple GitHub Actions across 8 workflow and action files
- Updates metadata dates in
sync-labels.yml - Claims to correct version comments to match actual SHA versions
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
actions/setup-python-uv/action.yml |
Updates astral-sh/setup-uv version comment from v6.0.1 to v7.1.6 |
actions/setup-node-pnpm/action.yml |
Updates pnpm/action-setup to v4.2.0 (downgrade) and actions/setup-node to v6.1.0 |
.github/workflows/sync-labels.yml |
Updates version comments and dates to 2025-12-28 (future date issue) |
.github/workflows/reusable-security.yml |
Updates actions/setup-python to v6.1.0 and actions/download-artifact to v4.1.8 (downgrade) |
.github/workflows/reusable-release.yml |
Updates actions/download-artifact to v4.1.8 (downgrade) and softprops/action-gh-release to v2.5.0 |
.github/workflows/reusable-docs.yml |
Updates multiple actions including lychee-action to v2.7.0, upload-pages-artifact to v4.0.0, and deploy-pages to v4.0.5 (downgrade) |
.github/workflows/reusable-ci-typescript.yml |
Updates codecov/codecov-action version comment from v5.4.2 to v5.5.2 |
.github/workflows/reusable-ci-go.yml |
Updates actions/setup-go to v6.1.0 (4 instances) and golangci/golangci-lint-action to v9.2.0 |
| - name: Download artifacts | ||
| if: inputs.upload-artifacts | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v6.0.1 | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 |
There was a problem hiding this comment.
The version comment change from v6.0.1 to v4.1.8 for actions/download-artifact appears incorrect. Version numbers should not decrease (going from v6 to v4 suggests a downgrade). This SHA (fa0a91b85d4f404e444e00e005971372dc801d16) needs to be verified against the actual release tags in the actions/download-artifact repository to determine the correct version comment.
| - name: Upload Pages artifact | ||
| if: inputs.deploy-to-pages | ||
| uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v3.0.1 | ||
| uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0 |
There was a problem hiding this comment.
The version comment change from v3.0.1 to v4.0.0 for actions/upload-pages-artifact appears incorrect. This SHA (7b1f4a764d45c48632c6b24a0339c27f5614fb0b) needs to be verified against the actual release tags in the actions/upload-pages-artifact repository to determine the correct version comment.
| uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0 | |
| uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v3.0.1 |
| - name: Deploy to GitHub Pages | ||
| id: deployment | ||
| uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v6.0.1 | ||
| uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 |
There was a problem hiding this comment.
The version comment change from v6.0.1 to v4.0.5 for actions/deploy-pages appears incorrect. Version numbers should not decrease (going from v6 to v4 suggests a downgrade). This SHA (d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e) needs to be verified against the actual release tags in the actions/deploy-pages repository to determine the correct version comment.
| steps: | ||
| - name: Setup pnpm | ||
| uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v6.0.1 | ||
| uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 |
There was a problem hiding this comment.
The version comment change from v6.0.1 to v4.2.0 for pnpm/action-setup appears incorrect. Version numbers should not decrease (going from v6 to v4 suggests a downgrade). This SHA (41ff72655975bd51cab0327fa583b6e92b6d3061) needs to be verified against the actual release tags in the pnpm/action-setup repository to determine the correct version comment.
| uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0 | |
| uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # pnpm/action-setup pinned SHA |
| steps: | ||
| - name: Download all artifacts | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v6.0.1 | ||
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 |
There was a problem hiding this comment.
The version comment change from v6.0.1 to v4.1.8 for actions/download-artifact appears incorrect. Version numbers should not decrease (going from v6 to v4 suggests a downgrade). This SHA (fa0a91b85d4f404e444e00e005971372dc801d16) needs to be verified against the actual release tags in the actions/download-artifact repository to determine the correct version comment.
The previous update contained mismatches between commit SHAs and version comments across workflow files. Some actions had outdated version comments despite correct SHAs, while others had incorrect version comments for unchanged SHAs.
Changes
Version comments corrected to match actual SHA versions:
actions/setup-go: v5.2.0 → v6.1.0 (4 instances)golangci/golangci-lint-action: v6.5.0 → v9.2.0astral-sh/setup-uv: v6.0.1 → v7.1.6actions/setup-python: v5.3.0 → v6.1.0lycheeverse/lychee-action: v2.3.0 → v2.7.0softprops/action-gh-release: v2.2.1 → v2.5.0pnpm/action-setup: v6.0.1 → v4.2.0actions/setup-node: v6.0.1 → v6.1.0codecov/codecov-action: v5.4.2 → v5.5.2actions/upload-pages-artifact: v3.0.1 → v4.0.0Version comments reverted where SHAs were unchanged:
actions/download-artifact: v6.0.1 → v4.1.8actions/deploy-pages: v6.0.1 → v4.0.5Updated stale metadata:
sync-labels.yml: Updated version comments and dates to 2025-12-28Files Modified
.github/workflows/reusable-ci-go.yml.github/workflows/reusable-ci-typescript.yml.github/workflows/reusable-docs.yml.github/workflows/reusable-release.yml.github/workflows/reusable-security.yml.github/workflows/sync-labels.ymlactions/setup-node-pnpm/action.ymlactions/setup-python-uv/action.yml✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.