chore/ci: bump GitHub Actions to latest pinned versions #1051
Merged
keegancsmith merged 6 commits into main from Apr 28, 2026
Many of the actions in our workflows were several major versions behind their current releases. Stale action versions miss security fixes, runtime improvements, and node runtime upgrades that newer GitHub runners increasingly require. This bumps each action to the current latest stable major version while keeping the existing pinning style (major-version tag for first-party or well-known actions, full SHA for the third-party fuzz action).

Test Plan: CI on the resulting PR will exercise every updated workflow.

Amp-Thread-ID: https://ampcode.com/threads/T-019dd37a-0e28-70a9-8d90-537a24f5d9f2
Co-authored-by: Amp <amp@ampcode.com>
…fact deprecation

The v1.2.0 release of jidicula/go-fuzz-action internally pins actions/upload-artifact@v3, which GitHub now automatically fails as a deprecated artifact action. Upstream main has bumped the internal upload-artifact dependency through v7 (commit 23f1a5d), but no new release tag has been cut yet. Pin to that commit SHA so the fuzz-test job stops failing on artifact upload. Once upstream cuts a new tag (>= v1.2.1) we can move back to a tagged release.

Test Plan: pushing to PR #1051 to let CI run the fuzz-test job and confirm it no longer hits the upload-artifact v3 deprecation error.

Amp-Thread-ID: https://ampcode.com/threads/T-019dd390-92a3-772e-80cd-4c076c7df864
Co-authored-by: Amp <amp@ampcode.com>
Contributor
Fuzz test failed on commit ab5b23e. To troubleshoot locally, use the GitHub CLI to download the seed corpus with
burmudar approved these changes Apr 28, 2026
Contributor
Fuzz test failed on commit 2c7fbf9. To troubleshoot locally, use the GitHub CLI to download the seed corpus with
This reverts commit 2c7fbf9.
It's broken and we can rely on non CI runs
Many of the actions in our workflows were several major versions behind their current releases. Stale action versions miss security fixes, runtime improvements, and the newer Node runtimes that GitHub-hosted runners increasingly require.
This bumps each action used in .github/workflows to the current latest stable major version while keeping the existing pinning style: a major-version tag for first-party and well-known actions, and a full commit SHA for the third-party jidicula/go-fuzz-action.

Notable bumps:

- actions/checkout: v2/v3/v4 → v6
- actions/cache: v3 → v5
- docker/setup-buildx-action: v3 → v4
- docker/metadata-action: v5 → v6
- docker/login-action: v3 → v4
- docker/build-push-action: v6 → v7
- github/codeql-action/upload-sarif: v3 → v4
- ludeeus/action-shellcheck: 1.1.0 → 2.0.0
- reviewdog/action-shfmt: v1.0.2 → v1.0.4
- jidicula/go-fuzz-action: pinned SHA → removed. Broken on newer versions and low value.

Test Plan

CI on this PR exercises every updated workflow.
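
The pinning style this PR describes (version tags for first-party and well-known actions, a full commit SHA for other third-party actions) can be checked mechanically over workflow files. The following is an added example, not code from the PR or the repository; the owner allowlist (taken from the actions the PR keeps on tags), the function names and the sample workflow are assumptions constructed for illustration.

```python
import re

# Owners allowed to use a version tag. Assumption: derived from the actions
# this PR keeps on tags; every other owner must use a full commit SHA.
TAG_ALLOWED_OWNERS = {"actions", "github", "docker", "ludeeus", "reviewdog"}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify(ref):
    """Return 'sha', 'tag', or 'unpinned' for the part after '@'."""
    if not ref:
        return "unpinned"
    if FULL_SHA_RE.fullmatch(ref):
        return "sha"
    return "tag"  # also covers branches and short SHAs: all are mutable or ambiguous


def audit(workflow_text):
    """Return (line_no, action, pin_kind, ok) for each `uses:` entry."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local actions and container images are out of scope
        action, _, ref = target.partition("@")
        kind = classify(ref)
        owner = action.split("/", 1)[0].lower()
        ok = kind == "sha" or (kind == "tag" and owner in TAG_ALLOWED_OWNERS)
        findings.append((no, action, kind, ok))
    return findings


# Constructed sample workflow, not taken from the repository.
SAMPLE = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v6
      - uses: ludeeus/action-shellcheck@2.0.0
      - uses: example-org/some-action@v1   # third party on a mutable tag
      - uses: example-org/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for no, action, kind, ok in audit(SAMPLE):
        print(f"line {no}: {action} [{kind}] {'ok' if ok else 'VIOLATION'}")
```
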