chore(actions-update): Update github-actions#95
Conversation
e158514 to
c4ae0cc
Compare
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
c4ae0cc to
1e90d93
Compare
📝 WalkthroughWalkthroughThis PR updates GitHub Actions versions used in CI workflows. The actions/checkout action is upgraded from v6 to v7, actions/cache (and actions/cache/restore) from v4 to v6, and actions/upload-artifact from v5 to v7 across the post-merge and pre-merge workflow files. No workflow logic, commands, or cache keys/paths are changed. ChangesCI Workflow Action Upgrades
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Possibly related issues
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (2)
.github/workflows/pre-merge.yml (1)
16-16: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winConsider disabling credential persistence on checkout steps.
Both checkout steps in
build-kotlinandtest-kotlinlackpersist-credentials: false. This is pre-existing, but the major version bump is an opportune time to harden this configuration.- uses: actions/checkout@v7 with: persist-credentials: falseAlso applies to: 39-39
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pre-merge.yml at line 16, The checkout steps in the Kotlin workflows are missing hardened credential settings; update each actions/checkout usage in the build-kotlin and test-kotlin jobs to include persist-credentials: false. Use the existing checkout steps as the anchor point and keep the change limited to those action invocations so credentials are not persisted during the workflow..github/workflows/post-merge.yml (1)
19-19: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winConsider disabling credential persistence on checkout.
The
actions/checkout@v7step does not setpersist-credentials: false, which leaves Git credentials persisted in the workspace. This is a pre-existing configuration, but since this is a major version bump, it's a good opportunity to harden the security posture.- uses: actions/checkout@v7 with: persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/post-merge.yml at line 19, The post-merge workflow’s actions/checkout step should be hardened by disabling persisted Git credentials. Update the checkout configuration to set persist-credentials to false on the existing actions/checkout@v7 step so the workflow does not leave credentials available in the workspace.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/post-merge.yml:
- Line 19: The post-merge workflow’s actions/checkout step should be hardened by
disabling persisted Git credentials. Update the checkout configuration to set
persist-credentials to false on the existing actions/checkout@v7 step so the
workflow does not leave credentials available in the workspace.
In @.github/workflows/pre-merge.yml:
- Line 16: The checkout steps in the Kotlin workflows are missing hardened
credential settings; update each actions/checkout usage in the build-kotlin and
test-kotlin jobs to include persist-credentials: false. Use the existing
checkout steps as the anchor point and keep the change limited to those action
invocations so credentials are not persisted during the workflow.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 93915b9a-649f-4222-b0c9-568287ff344e
📒 Files selected for processing (2)
.github/workflows/post-merge.yml.github/workflows/pre-merge.yml
This PR contains the following updates:
v4→v6v6→v7v5→v7Release Notes
actions/cache (actions/cache)
v6.1.0Compare Source
What's Changed
Full Changelog: actions/cache@v6...v6.1.0
v6.0.0Compare Source
What's Changed
Full Changelog: actions/cache@v5...v6.0.0
v6Compare Source
v5.1.0Compare Source
What's Changed
Full Changelog: actions/cache@v5...v5.1.0
v5.0.5Compare Source
What's Changed
Full Changelog: actions/cache@v5...v5.0.5
v5.0.4Compare Source
What's Changed
New Contributors
Full Changelog: actions/cache@v5...v5.0.4
v5.0.3Compare Source
What's Changed
@actions/cacheto v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)@actions/coreto v2.0.3Full Changelog: actions/cache@v5...v5.0.3
v5.0.2: v.5.0.2Compare Source
v5.0.2
What's Changed
When creating cache entries, 429s returned from the cache service will not be retried.
v5.0.1Compare Source
v5.0.1
What's Changed
v5.0.0
What's Changed
Full Changelog: actions/cache@v5...v5.0.1
v5.0.0Compare Source
What's Changed
Full Changelog: actions/cache@v4.3.0...v5.0.0
v5Compare Source
actions/checkout (actions/checkout)
v7.0.0Compare Source
v7Compare Source
actions/upload-artifact (actions/upload-artifact)
v7.0.1Compare Source
What's Changed
Full Changelog: actions/upload-artifact@v7...v7.0.1
v7.0.0Compare Source
v7 What's new
Direct Uploads
Adds support for uploading single files directly (unzipped). Callers can set the new
archiveparameter tofalseto skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. Thenameparameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.ESM
To support new versions of the
@actions/*packages, we've upgraded the package to ESM.What's Changed
New Contributors
Full Changelog: actions/upload-artifact@v6...v7.0.0
v7Compare Source
v6.0.0Compare Source
v6 - What's new
Node.js 24
This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.
What's Changed
Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0
v6Compare Source
Configuration
📅 Schedule: (in timezone Europe/Prague)
* 0-3 1 * *)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.