
chore: upgrade GitHub Actions versions #45

Open
vinitkumar wants to merge 2 commits into main from codex/actions-upgrade-20260414

@vinitkumar vinitkumar commented Apr 14, 2026

Summary

  • upgrade outdated GitHub Actions versions listed in the repository audit
  • align workflow action references with their current supported versions

Testing

  • not run (workflow-only change)

Summary by Sourcery

Update GitHub workflow configurations to use newer, supported versions of core actions.

CI:

  • Bump versions of actions/checkout, actions/setup-python, and actions/cache across workflows to their latest major releases.
  • Upgrade github/codeql-action (init, autobuild, analyze) to the latest major version in the CodeQL analysis workflow.
  • Update actions/github-script to the latest major version used for PR title linting.

@vinitkumar vinitkumar requested a review from fsbraun April 14, 2026 04:48

sourcery-ai bot commented Apr 14, 2026

Reviewer's Guide

This PR updates GitHub Actions workflow files to use newer major versions of core actions (checkout, setup-python, cache, CodeQL, and github-script) across documentation, CI, linting, CodeQL analysis, coverage, and publish workflows, without changing workflow logic.

File-Level Changes

Change: Bump core actions versions in docs workflow while keeping existing job logic intact.
Details:
  • Update checkout action references to the latest major version in both docs build and deploy jobs.
  • Update setup-python action references to the latest major version for Python 3.9 in both jobs.
  • Update cache action references to the latest major version for pip cache in both jobs.
Files: .github/workflows/docs.yml

Change: Upgrade actions used in CodeQL analysis workflow to the latest supported major versions.
Details:
  • Update checkout action to the latest major version in the CodeQL job.
  • Bump CodeQL init action from v3 to v4.
  • Bump CodeQL autobuild action from v3 to v4.
  • Bump CodeQL analyze action from v3 to v4.
Files: .github/workflows/codeql-analysis.yml

Change: Refresh CI/testing workflows to use newer checkout and setup-python versions.
Details:
  • Update checkout action to the latest major version in the coverage workflow.
  • Update setup-python action to the latest major version for matrix Python versions in the coverage workflow.
  • Update checkout and setup-python actions to latest versions in lint workflow.
Files: .github/workflows/codecov.yml, .github/workflows/lint.yml

Change: Update publish workflows to use the latest checkout and Python setup actions for packaging to PyPI and TestPyPI.
Details:
  • Update checkout action to the latest major version in both live and TestPyPI publish workflows.
  • Update setup-python action to the latest major version in both publish workflows while keeping Python versions unchanged.
Files: .github/workflows/publish-to-live-pypi.yml, .github/workflows/publish-to-test-pypi.yml

Change: Upgrade github-script action used for PR title linting to a newer major version.
Details:
  • Bump actions/github-script from v7 to v9 in the lint-pr workflow while preserving the existing validation script.
Files: .github/workflows/lint-pr.yml


@sourcery-ai sourcery-ai bot left a comment


Hey - I've found 1 issue, and left some high level feedback:

  • Several upgraded actions (e.g., actions/checkout@v6, actions/setup-python@v6, actions/cache@v5, github/codeql-action@v4, actions/github-script@v9) don’t currently exist as published major versions; please confirm these tags are valid and adjust to the latest actually released major versions.
  • For workflow stability, consider upgrading incrementally to the latest known major versions (e.g., from v3 to v4) and verifying each workflow run, rather than jumping multiple major versions ahead in one change.

Comment on lines +15 to +22
uses: actions/checkout@v6
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@v6
with:
python-version: '3.9'
cache: 'pip'
- name: Cache dependencies
uses: actions/cache@v4
uses: actions/cache@v5
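Review bot: The new references `uses: actions/checkout@v6`, `uses: actions/setup-python@v6` and `uses: actions/cache@v5` are still mutable major tags, so each run executes whatever those tags point at that day. The PR description says the change was not run, so confirm that each tag resolves upstream before merging. Consider pinning every `uses:` to the full commit SHA of the release, with the version kept in a trailing comment. This matters most for the workflows that publish to PyPI and TestPyPI.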

issue (bug_risk): Referencing v6 of checkout/setup-python and v5 of cache may break if those major versions are not actually published yet.

These workflows now depend on checkout@v6, setup-python@v6, and cache@v5, which may not yet exist; if they’re unpublished, the jobs won’t start. Please pin to the latest confirmed majors (e.g., checkout@v4, setup-python@v5, cache@v4) and only bump once newer majors are available.
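
One way to run the check the review asks for before merging, as an added example that is not part of this pull request or the project's code: list every remote `uses:` reference in a workflow and label it against a maintainer-verified set of refs. The names `extract_refs`, `audit`, `SAMPLE` and `CONFIRMED` are hypothetical; the sample workflow is constructed from the lines quoted above, and the confirmed set holds only the majors the review comment names.

```python
import re

# Matches "uses: owner/repo[/path]@ref"; local (./) and docker:// references do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def extract_refs(workflow_text):
    """Return (line_number, action, ref) for every remote action reference."""
    refs = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            refs.append((number, match.group(1), match.group(2)))
    return refs

def audit(workflow_text, confirmed):
    """Label each reference; `confirmed` maps owner/repo to the refs a maintainer verified."""
    findings = []
    for number, action, ref in extract_refs(workflow_text):
        repo = "/".join(action.split("/")[:2])  # github/codeql-action/init -> github/codeql-action
        if FULL_SHA_RE.match(ref):
            status = "sha-pinned"   # immutable; cannot be checked against a tag list
        elif ref in confirmed.get(repo, set()):
            status = "confirmed"
        else:
            status = "unconfirmed"  # verify upstream before merging
        findings.append((number, f"{action}@{ref}", status))
    return findings

# Constructed sample modelled on the docs.yml lines quoted in the review.
SAMPLE = """\
steps:
- uses: actions/checkout@v6
  with:
    fetch-depth: '2'
- name: Set up Python
  uses: actions/setup-python@v6
- name: Cache dependencies
  uses: actions/cache@v4
- uses: github/codeql-action/init@v4
"""
# Refs the review comment names as confirmed; extend after checking upstream tags.
CONFIRMED = {"actions/checkout": {"v4"}, "actions/setup-python": {"v5"}, "actions/cache": {"v4"}}

if __name__ == "__main__":
    for number, ref, status in audit(SAMPLE, CONFIRMED):
        print(f"line {number}: {ref} -> {status}")
```
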


codecov bot commented Apr 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.43%. Comparing base (7161463) to head (2d6f6d1).

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #45   +/-   ##
=======================================
  Coverage   82.43%   82.43%           
=======================================
  Files          21       21           
  Lines        1503     1503           
  Branches      190      190           
=======================================
  Hits         1239     1239           
  Misses        208      208           
  Partials       56       56           
