chore: bump github actions to latest majors in ci#554
Conversation
Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
✅ Deploy Preview for project-hami ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
📝 WalkthroughWalkthroughThis PR updates the docs-health GitHub Actions workflow, bumping actions/checkout from v4 to v7 and actions/setup-node from v4 to v6, with no other changes to steps or logic. ChangesWorkflow Action Upgrades
Estimated code review effort: 1 (Trivial) | ~2 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/docs-health.yml (1)
18-18: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winConsider setting
persist-credentials: falseon checkout.Static analysis flags that the checkout step doesn't disable credential persistence, leaving the
GITHUB_TOKENin local git config for the remainder of the job (artipacked). Since later steps runnpm ci/build/linkinator against third-party npm packages, disabling this reduces exfiltration risk if a compromised dependency runs during install/build.🔒 Proposed fix
- uses: actions/checkout@v7 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/docs-health.yml at line 18, The checkout step in the docs-health workflow currently leaves Git credentials persisted, which can expose the GITHUB_TOKEN to later build steps. Update the actions/checkout configuration to disable credential persistence by setting persist-credentials to false on the checkout step, keeping the rest of the workflow unchanged.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/docs-health.yml:
- Line 18: The checkout step in the docs-health workflow currently leaves Git
credentials persisted, which can expose the GITHUB_TOKEN to later build steps.
Update the actions/checkout configuration to disable credential persistence by
setting persist-credentials to false on the checkout step, keeping the rest of
the workflow unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 50d49ca3-938e-4d9a-944c-2c634430d97b
📒 Files selected for processing (1)
.github/workflows/docs-health.yml
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mesutoezdil, windsonsea The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
checkout was pinned to v4, setup-node to v4, both several majors behind. Bumped to the latest major (checkout v7, setup-node v6). Checked setup-node v6 docs, explicit cache: npm input still works the same, only auto-detection changed for workflows that omit the cache input.
Summary by CodeRabbit