Update GitHub Action Versions #388 (Open)

kozlov721 wants to merge 1 commit into main from gh-actions-update-1780039488

Conversation

@kozlov721 (Collaborator) commented May 29, 2026

GitHub Actions Version Updates

Summary by CodeRabbit

  • Chores
    • Updated CI/CD pipeline automation tools across all development workflows to their latest stable versions, improving build reliability, deployment security, and release process efficiency.

@kozlov721 kozlov721 requested a review from a team as a code owner May 29, 2026 07:24
@kozlov721 kozlov721 requested review from conorsim, klemen1999 and tersekmatija and removed request for a team May 29, 2026 07:24
@coderabbitai (Bot) commented May 29, 2026

📝 Walkthrough

This pull request updates GitHub Actions across multiple CI/CD workflows to use newer pinned versions. actions/checkout is standardized to v6.0.2, actions/setup-python to v6.2.0, and specialized actions including testing tools, publishing utilities, and metadata assignment workflows are updated to their latest compatible releases.

Changes

Workflow Actions Version Updates

Layer: Core checkout and setup-python standardization
Files: .github/workflows/actions_autoupdate.yaml, .github/workflows/ci.yaml, .github/workflows/python-publish.yaml, .github/workflows/semgrep.yaml, .github/workflows/tests.yaml, .github/workflows/update-cov-report.yaml
Summary: All workflows pin actions/checkout to v6.0.2. Jobs requiring Python (type-check, config-test, tests jobs in ci.yaml and python-publish workflow) pin actions/setup-python to v6.2.0.

Layer: CI, testing, and reporting infrastructure
Files: .github/workflows/ci.yaml, .github/workflows/tests.yaml, .github/workflows/update-cov-report.yaml
Summary: jakebailey/pyright-action upgraded to v3.0.2, google-github-actions/auth to v3.0.0 for GCP operations, codecov/test-results-action to v1.2.1, codecov/codecov-action to v6.0.1, actions/upload-artifact to v7.0.1, dawidd6/action-download-artifact to v21, and jlumbroso/free-disk-space pinned from main to v1.3.1. Configuration and behavior remain unchanged.

Layer: Publishing workflow action upgrade
Files: .github/workflows/python-publish.yaml
Summary: pypa/gh-action-pypi-publish migrated from pinned commit to release v1.14.0.

Layer: Metadata assignment workflow upgrades
Files: .github/workflows/add-metadata.yaml
Summary: toShimaru/auto-author-assign bumped to v3.0.2 and actions/labeler upgraded to v6.1.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A rabbit hops through action versions bright,
From v4 to v6, pinning them tight,
Checkout and setup dance hand in hand,
Codecov, auth, and publish command—
All workflows now stand on solid ground!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Update GitHub Action Versions' directly summarizes the main change: systematic updates to multiple GitHub Action versions across all workflow files in the repository.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@coderabbitai (Bot) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/python-publish.yaml (1)

31-34: ⚡ Quick win

Re-pin gh-action-pypi-publish to a commit SHA, not a mutable tag.

This step previously used an immutable commit hash and is being changed to the floating v1.14.0 tag. This is the most security-sensitive action in the repo (it consumes PYPI_API_TOKEN), so dropping SHA pinning is a meaningful supply-chain regression — a re-tag of v1.14.0 would silently run new code with your publish credentials. Prefer pinning to the release's commit SHA (optionally with a # v1.14.0 comment).

Optionally, consider migrating to PyPI Trusted Publishing (OIDC) to remove the long-lived PYPI_API_TOKEN secret entirely.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/python-publish.yaml around lines 31 - 34, The workflow
currently references pypa/gh-action-pypi-publish@v1.14.0 which is a mutable tag;
replace that floating tag with the action's immutable commit SHA (e.g.,
pypa/gh-action-pypi-publish@<commit-sha>) to re-pin the step that uses the
PYPI_API_TOKEN, keeping an optional comment like "# v1.14.0" for clarity; update
the uses line in the job (the line containing "uses:
pypa/gh-action-pypi-publish@v1.14.0") to the commit SHA and verify the workflow
still runs, and optionally consider migrating to OIDC-based PyPI Trusted
Publishing to remove the long-lived secret.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 84ddb5cc-14e2-4f1b-a099-660efa31a123

📥 Commits

Reviewing files that changed from the base of the PR and between 8505b0a and 6b477f4.

📒 Files selected for processing (7)
  • .github/workflows/actions_autoupdate.yaml
  • .github/workflows/add-metadata.yaml
  • .github/workflows/ci.yaml
  • .github/workflows/python-publish.yaml
  • .github/workflows/semgrep.yaml
  • .github/workflows/tests.yaml
  • .github/workflows/update-cov-report.yaml
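The nitpick above asks for the publish step to be re-pinned to a commit SHA rather than the floating v1.14.0 tag. The script below is an added example, not code from this PR or from the project: it scans a workflow for `uses:` references that are not 40-hex commit SHAs (the same class of finding zizmor reports as unpinned-uses) and rewrites the ones it can resolve, keeping the human-readable tag as a trailing comment. The tag-to-SHA map and the workflow fragment are constructed for the demo; the SHAs in the map are fake placeholders, and in practice you fill the map from `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>` and confirm the commit against the action's release notes.

```python
"""Pin `uses:` references in a GitHub workflow to commit SHAs.

Added example for the review comment on python-publish.yaml; not the
project's code. A mutable tag such as `@v1.14.0` can be re-pointed by
whoever controls the action repository; a 40-hex commit SHA cannot.
"""
import re
from typing import Dict, List, Tuple

# A full commit SHA is exactly 40 hex characters.
SHA40 = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

# Matches `uses: owner/repo@ref` with an optional `- ` list marker and an
# optional trailing comment. Local steps (`./path`) have no `@` and are
# skipped; docker:// steps are skipped explicitly below because a
# `@sha256:` digest is already immutable.
USES_LINE = re.compile(
    r"^(?P<head>\s*-?\s*uses:\s*)(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)

Pin = Tuple[str, str]  # (action, ref)

# Constructed demo data: these are NOT the real release commits.
TAG_TO_SHA: Dict[Pin, str] = {
    ("actions/checkout", "v6.0.2"): "1111111111111111111111111111111111111111",
    ("pypa/gh-action-pypi-publish", "v1.14.0"): "2222222222222222222222222222222222222222",
}

# Constructed workflow fragment modelled on the PR's publish and test steps.
SAMPLE_WORKFLOW = """\
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: jlumbroso/free-disk-space@main
        with:
          tool-cache: false
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@v1.14.0  # v1.14.0
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
      - uses: ./.github/actions/local-step
"""


def find_unpinned(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action, ref) for every uses: step not pinned to a SHA."""
    found = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m or m["action"].startswith("docker://"):
            continue
        if not SHA40.match(m["ref"]):
            found.append((no, m["action"], m["ref"]))
    return found


def pin_workflow(text: str, tag_to_sha: Dict[Pin, str]) -> Tuple[str, List[Pin]]:
    """Rewrite mutable refs to SHAs, recording the tag as a trailing comment.

    Returns the new text and the (action, ref) pairs that could not be
    resolved; those lines are left untouched rather than guessed at. Branch
    names such as `main` are deliberately absent from the map: pin a released
    tag, not whatever a branch happens to point at today.
    """
    out, unresolved = [], []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        if not m or m["action"].startswith("docker://") or SHA40.match(m["ref"]):
            out.append(line)
            continue
        key = (m["action"], m["ref"])
        sha = tag_to_sha.get(key)
        if sha is None or not SHA40.match(sha):
            unresolved.append(key)
            out.append(line)
            continue
        # Any stale comment is replaced by the tag the SHA was resolved from.
        out.append(f"{m['head']}{m['action']}@{sha}  # {m['ref']}")
    new_text = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return new_text, unresolved


if __name__ == "__main__":
    for no, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {no}: {action}@{ref} is not SHA-pinned")
    pinned, left = pin_workflow(SAMPLE_WORKFLOW, TAG_TO_SHA)
    print(pinned)
    print("unresolved:", left)
```

Run against the constructed fragment, the checker flags the checkout, free-disk-space and publish steps; the rewrite pins the two tags in the map and reports `jlumbroso/free-disk-space@main` as unresolved, because a branch has no release commit to pin. Pinning addresses the mutable-tag problem but still leaves the long-lived `PYPI_API_TOKEN` in the publish step; the OIDC route the nitpick mentions removes that secret by dropping the `password:` input and granting the job `id-token: write`, assuming the PyPI project has been configured for Trusted Publishing.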

Comment on lines 58 to 63
- name: Free Disk Space (Ubuntu)
if: matrix.os == 'ubuntu-latest'
uses: jlumbroso/free-disk-space@main
uses: jlumbroso/free-disk-space@v1.3.1
with:
tool-cache: false
large-packages: false
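Review bot: the replacement line `uses: jlumbroso/free-disk-space@v1.3.1` is still a mutable reference, so this hunk only trades a branch for a tag; pin it to the commit SHA of the v1.3.1 release with a trailing `# v1.3.1` comment (zizmor's unpinned-uses error on this line is the same point). Separately, `if: matrix.os == 'ubuntu-latest'` never matches the job matrix of `ubuntu-t4-4core` and `windows-latest`, so the step never runs regardless of how it is pinned; either change the condition to `matrix.os == 'ubuntu-t4-4core'` or remove the step.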
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Free Disk Space step never runs — its if references ubuntu-latest, which isn't in the matrix.

The matrix is os: [ubuntu-t4-4core, windows-latest], so if: matrix.os == 'ubuntu-latest' is never true and this step is dead. Pinning it to v1.3.1 has no effect until the condition is corrected. If disk space is needed on the self-hosted leg, change the condition to matrix.os == 'ubuntu-t4-4core'; otherwise drop the step. (Pre-existing, but worth fixing while this line is being touched.)

🔧 Proposed condition fix
       - name: Free Disk Space (Ubuntu)
-        if: matrix.os == 'ubuntu-latest'
+        if: matrix.os == 'ubuntu-t4-4core'
         uses: jlumbroso/free-disk-space@v1.3.1
📝 Committable suggestion

Suggested change
- name: Free Disk Space (Ubuntu)
if: matrix.os == 'ubuntu-latest'
uses: jlumbroso/free-disk-space@main
uses: jlumbroso/free-disk-space@v1.3.1
with:
tool-cache: false
large-packages: false
- name: Free Disk Space (Ubuntu)
if: matrix.os == 'ubuntu-t4-4core'
uses: jlumbroso/free-disk-space@v1.3.1
with:
tool-cache: false
large-packages: false
🧰 Tools
🪛 zizmor (1.25.2)

[error] 60-60: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/tests.yaml around lines 58 - 63, The "Free Disk Space
(Ubuntu)" job step uses if: matrix.os == 'ubuntu-latest' which never matches the
workflow matrix (os: [ubuntu-t4-4core, windows-latest]); update the condition on
the step named "Free Disk Space (Ubuntu)" to if: matrix.os == 'ubuntu-t4-4core'
if you intend it to run on the self-hosted Ubuntu leg, or remove the step
entirely if disk cleanup is not required; ensure you keep the existing uses:
jlumbroso/free-disk-space@v1.3.1 line unchanged when fixing the condition.
