Upgrade GitHub Actions to latest versions

[salmanmkc]

Bumps GitHub Actions to their latest versions for bug fixes and security patches.

Changes

Action	Old Version(s)	New Version	Compare	Files
astral-sh/setup-uv	v4	v7	Diff	release.yml, test-benchmark.yml
pnpm/action-setup	v4	v5	Diff	release.yml
softprops/action-gh-release	v1	v2	Diff	release.yml

Notes

Worth running the workflows on a branch before merging to make sure everything still works.

Summary by CodeRabbit

• Chores
  • Updated CI/CD tooling versions in GitHub Actions workflows to use current major versions for improved stability and compatibility in build, test, and release processes.

[CLAassistant]

All committers have signed the CLA.

[bundolee]

Thanks for the contribution! Version bumps verified — all targets are valid.

We're merging #326 first (broader scope from the same set of upgrades). Once that lands, could you rebase this PR on main to avoid conflicts?

git fetch upstream main
git rebase upstream/main
git push --force-with-lease

After rebase, we'll merge this one as well.

[salmanmkc]

Thanks for the contribution! Version bumps verified — all targets are valid.

We're merging #326 first (broader scope from the same set of upgrades). Once that lands, could you rebase this PR on main to avoid conflicts?

git fetch upstream main
git rebase upstream/main
git push --force-with-lease

After rebase, we'll merge this one as well.

ya sure

[coderabbitai]

📝 Walkthrough

Walkthrough

GitHub Actions workflow files were updated to use newer major versions of tooling actions: astral-sh/setup-uv upgraded from v4 to v7, pnpm/action-setup from v4 to v5, and softprops/action-gh-release from v1 to v2 across release and test-benchmark workflows.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow Version Updates .github/workflows/release.yml, .github/workflows/test-benchmark.yml	Upgraded major versions for three GitHub Actions: astral-sh/setup-uv (v4→v7), pnpm/action-setup (v4→v5), and softprops/action-gh-release (v1→v2). No changes to workflow logic, commands, or conditions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 Hop, hop, actions bright!
Versions leap to new heights,
Tools refreshed with care,
Workflows smooth as rabbit hair! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Upgrade GitHub Actions to latest versions' accurately and specifically describes the main change—updating multiple GitHub Actions workflows to newer versions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/release.yml (1)

51-51: Pin workflow action references to immutable commit SHAs instead of mutable version tags.

The three-part GitHub Action references in this file use mutable tags (@v7, @v5, @v2) which can change unexpectedly. Pin to full commit SHAs (40-character hex) for better supply-chain integrity and reproducibility.

Affected lines:

• Line 51: astral-sh/setup-uv@v7
• Line 60: pnpm/action-setup@v5
• Line 115: softprops/action-gh-release@v2

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml at line 51, Replace the mutable GitHub Action
tags with immutable commit SHAs: locate the three action references
'astral-sh/setup-uv@v7', 'pnpm/action-setup@v5', and
'softprops/action-gh-release@v2' in the release.yml and update each to the
corresponding full 40-character commit SHA (e.g.,
'astral-sh/setup-uv@<full-sha>') so the workflow pins to an exact commit; verify
the chosen SHAs are from the action repositories' main (or desired) branch and
update only the tag portion of each reference.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/release.yml:
- Line 51: Replace the mutable GitHub Action tags with immutable commit SHAs:
locate the three action references 'astral-sh/setup-uv@v7',
'pnpm/action-setup@v5', and 'softprops/action-gh-release@v2' in the release.yml
and update each to the corresponding full 40-character commit SHA (e.g.,
'astral-sh/setup-uv@<full-sha>') so the workflow pins to an exact commit; verify
the chosen SHAs are from the action repositories' main (or desired) branch and
update only the tag portion of each reference.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 36636929-97c9-40c7-bc05-ed09459a0e6d

📥 Commits

Reviewing files that changed from the base of the PR and between 62e79a2 and 2156185.

📒 Files selected for processing (2)

• .github/workflows/release.yml
• .github/workflows/test-benchmark.yml

[bundolee]

Thanks again for the contribution — the version bumps were solid and well-documented.

Unfortunately, our CI workflows were significantly rewritten on main since this PR was opened, making a clean rebase impractical. I've incorporated these upgrades in #346 with Co-authored-by credit so your contribution is preserved.

Apologies for the inconvenience, and thanks again!