Update CI workflow: modernize action versions and runners#52
Update CI workflow: modernize action versions and runners#52
Conversation
…0 deprecation - Replace removed macos-13 runner with macos-15-intel for x86_64 builds - Upgrade macos-14 to macos-15 for aarch64 builds - Bump actions/checkout v4 → v6 (Node.js 24 support) - Bump actions/setup-python v5 → v6 (Node.js 24 support) - Bump actions/upload-artifact v4 → v6 (Node.js 24 support) - Bump actions/download-artifact v4 → v7 (Node.js 24 support) https://claude.ai/code/session_01KDSfy998W8oiQ61iVtoNMv
📝 WalkthroughWalkthroughGitHub Actions workflow updated to use newer versions of checkout, setup-python, and artifact actions, with runner specifications modernized to macos-15-intel and macos-15 platforms. Metadata timestamp added reflecting the modernization date. Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
📝 Coding Plan
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment Tip CodeRabbit can approve the review once all CodeRabbit's comments are resolved.Enable the |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
🧹 Nitpick comments (2)
.github/workflows/publish.yml (2)
39-40: Pin action refs to immutable commit SHAs instead of floating major version tags.Using
@v6/@v7tags is convenient, but GitHub recommends pinning to full-length commit SHAs as the only way to guarantee immutable action references and mitigate supply-chain risks. Prefer@<full-commit-sha>and let Dependabot/Renovate keep SHAs updated.Applies to: 39-40, 52, 68-69, 81, 99-100, 112, 120, 127, 137
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/publish.yml around lines 39 - 40, The workflow uses floating major tags for GitHub Actions (e.g., actions/checkout@v6 and actions/setup-python@v6); replace these with the corresponding full commit SHAs to pin immutable action refs across the workflow (also update other occurrences like actions/setup-node, actions/cache, etc.), updating each usage to use @<full-commit-sha> and commit the change; use Dependabot/Renovate to keep SHAs current and verify signatures/compatibility after pinning.
137-137: Review actions/download-artifact v8 for breaking changes before upgrading.
v8is the current major version, but contains breaking changes from v7: digest mismatches now fail by default (configurable viadigest-mismatchinput), and decompression behavior changed (configurable via newskip-decompressinput). Test the workflow thoroughly before upgrading.Suggested change
- - uses: actions/download-artifact@v7 + - uses: actions/download-artifact@v8🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/publish.yml at line 137, Update the GitHub Actions step that currently uses actions/download-artifact@v7 to v8 and adjust its inputs for the breaking changes: add and configure the new digest-mismatch input (e.g., set digest-mismatch: ignore or fail as desired) and add skip-decompress if you need the prior decompression behavior; then run CI/workflow tests to validate artifact downloads and decompression paths for the steps referencing actions/download-artifact to ensure no digest mismatches or decompression regressions occur.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In @.github/workflows/publish.yml:
- Around line 39-40: The workflow uses floating major tags for GitHub Actions
(e.g., actions/checkout@v6 and actions/setup-python@v6); replace these with the
corresponding full commit SHAs to pin immutable action refs across the workflow
(also update other occurrences like actions/setup-node, actions/cache, etc.),
updating each usage to use @<full-commit-sha> and commit the change; use
Dependabot/Renovate to keep SHAs current and verify signatures/compatibility
after pinning.
- Line 137: Update the GitHub Actions step that currently uses
actions/download-artifact@v7 to v8 and adjust its inputs for the breaking
changes: add and configure the new digest-mismatch input (e.g., set
digest-mismatch: ignore or fail as desired) and add skip-decompress if you need
the prior decompression behavior; then run CI/workflow tests to validate
artifact downloads and decompression paths for the steps referencing
actions/download-artifact to ensure no digest mismatches or decompression
regressions occur.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 6d9a5ba5-5cd2-4aea-8f4c-360dda9108a4
📒 Files selected for processing (1)
.github/workflows/publish.yml
2 participants
Summary
This PR modernizes the GitHub Actions CI/CD workflow by updating action versions to their latest releases and updating macOS runner versions to currently supported versions.
Key Changes
Action versions: Updated all GitHub Actions to their latest versions:
actions/checkout: v4 → v6actions/setup-python: v5 → v6actions/upload-artifact: v4 → v6actions/download-artifact: v4 → v7macOS runners: Updated to currently supported versions:
macos-13→macos-15-intel(for x86_64 builds)macos-14→macos-15(for aarch64 builds)Documentation: Added a comment noting the last update date and purpose of manual modifications
Implementation Details
These updates ensure the workflow uses modern, actively maintained versions of GitHub Actions and runs on supported macOS versions. The changes maintain backward compatibility with the existing build matrix for Python versions (3.9-3.14) across all platforms (Linux, Windows, macOS).
https://claude.ai/code/session_01KDSfy998W8oiQ61iVtoNMv
Summary by CodeRabbit