CI: fix security workflow + bump actions for Node.js 24 (#33)

hardbyte · web-flow · commit e24b5a1afc3c · 2026-05-13T07:50:04.000+12:00
* CI: fix security workflow + bump actions for Node.js 24

- security.yml: drop invalid `issues-reason:` and `checks-reason:`
  permission keys (those aren't real GitHub Actions permissions; their
  presence broke the workflow at parse time on every push). Intent
  preserved as YAML comments above the `permissions:` block.

- Bump actions off the deprecated Node.js 20 runner:
  - actions/checkout v4 → v5
  - actions/setup-python v4/v5 → v6
  - actions/upload-artifact v4 → v5
  - actions/download-artifact v4 → v5
  - astral-sh/setup-uv v3/v4 → v8
  - rustsec/audit-check v1.4.1 → v2

PyO3/maturin-action and github/codeql-action stay on their rolling
major tags (v1 and v3 respectively).

* Pin to existing major tags: setup-uv@v7, audit-check@v2.0.0

astral-sh/setup-uv only publishes specific tags past v7 (no v8 alias).
rustsec/audit-check has no moving major tag — pin to v2.0.0.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -26,10 +26,10 @@ jobs:
       matrix:
         python-version: ["3.11", "3.12"]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@v7
         with:
           version: "latest"
       
@@ -56,10 +56,10 @@ jobs:
     name: Code Quality & Type Checking
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@v7
         with:
           version: "latest"
       
@@ -119,8 +119,8 @@ jobs:
           - runner: ubuntu-latest
             target: ppc64le
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.11'
       - name: Build wheels
@@ -131,7 +131,7 @@ jobs:
           sccache: 'true'
           manylinux: auto
       - name: Upload wheels
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: wheels-linux-${{ matrix.platform.target }}
           path: dist
@@ -147,8 +147,8 @@ jobs:
           - runner: windows-latest
             target: x86
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.11'
           architecture: ${{ matrix.platform.target }}
@@ -159,7 +159,7 @@ jobs:
           args: --release --out dist --find-interpreter
           sccache: 'true'
       - name: Upload wheels
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: wheels-windows-${{ matrix.platform.target }}
           path: dist
@@ -175,8 +175,8 @@ jobs:
           - runner: macos-14
             target: aarch64
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.11'
       - name: Build wheels
@@ -186,7 +186,7 @@ jobs:
           args: --release --out dist --find-interpreter
           sccache: 'true'
       - name: Upload wheels
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: wheels-macos-${{ matrix.platform.target }}
           path: dist
@@ -195,14 +195,14 @@ jobs:
     runs-on: ubuntu-latest
     needs: [test, lint]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Build sdist
         uses: PyO3/maturin-action@v1
         with:
           command: sdist
           args: --out dist
       - name: Upload sdist
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: wheels-sdist
           path: dist
@@ -215,7 +215,7 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v5
       - name: Publish to PyPI
         uses: PyO3/maturin-action@v1
         env:
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -25,7 +25,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 1
 
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -17,21 +17,21 @@ jobs:
   security:
     name: Security Scan
     runs-on: ubuntu-latest
+    # issues: write — rustsec/audit-check creates issues for new advisories.
+    # checks: write — rustsec/audit-check posts check annotations.
     permissions:
       issues: write
-      issues-reason: to create issues
       checks: write
-      checks-reason: to create check
     steps:
-      - uses: actions/checkout@v4
-      
+      - uses: actions/checkout@v5
+
       - name: Run Rust security audit
-        uses: rustsec/audit-check@v1.4.1
+        uses: rustsec/audit-check@v2.0.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-      
+
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@v7
         with:
           version: "latest"
       
@@ -56,8 +56,8 @@ jobs:
       security-events: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
-      
+        uses: actions/checkout@v5
+
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
