Summary
ci.yml references astral-sh/setup-uv@v7 and codecov/codecov-action@v6. Issue #32 covers the broken actions/checkout@v6. This issue tracks the other two action versions which also need verification: setup-uv@v7 is ahead of the published releases, and codecov-action@v6 should be verified against the official Codecov releases.
Category
Bug / CI
Severity
Low
Location
.github/workflows/ci.yml — line 18, 27, 35, 48: astral-sh/setup-uv@v7
.github/workflows/ci.yml — line 53: codecov/codecov-action@v6
Details
At time of audit (May 2026):
If either version tag does not exist, GitHub Actions may resolve to an unexpected or unpinned version. The safest approach is to pin to an exact commit SHA alongside the version tag.
This is lower severity than #32 because setup-uv and codecov-action are not as widely versioned as actions/checkout, but it still represents a CI reliability concern.
Suggested Fix
- Verify the latest published major versions for both actions
- Pin to full SHA for security (supply chain protection):
# Recommended: pin to SHA + tag comment
- uses: astral-sh/setup-uv@<verified-sha> # v<X>
- uses: codecov/codecov-action@<verified-sha> # v<X>
- Consider using Dependabot (already configured in
.github/dependabot.yml) to keep action versions up to date automatically.
Effort Estimate
10 min
Automated finding by repo-health-agent v1.0
Summary
ci.ymlreferencesastral-sh/setup-uv@v7andcodecov/codecov-action@v6. Issue #32 covers the brokenactions/checkout@v6. This issue tracks the other two action versions which also need verification:setup-uv@v7is ahead of the published releases, andcodecov-action@v6should be verified against the official Codecov releases.Category
Bug / CI
Severity
Low
Location
.github/workflows/ci.yml— line 18, 27, 35, 48:astral-sh/setup-uv@v7.github/workflows/ci.yml— line 53:codecov/codecov-action@v6Details
At time of audit (May 2026):
astral-sh/setup-uv— published versions should be verified at https://github.com/astral-sh/setup-uv/releasescodecov/codecov-action— published versions should be verified at https://github.com/codecov/codecov-action/releasesIf either version tag does not exist, GitHub Actions may resolve to an unexpected or unpinned version. The safest approach is to pin to an exact commit SHA alongside the version tag.
This is lower severity than #32 because
setup-uvandcodecov-actionare not as widely versioned asactions/checkout, but it still represents a CI reliability concern.Suggested Fix
.github/dependabot.yml) to keep action versions up to date automatically.Effort Estimate
10 min
Automated finding by repo-health-agent v1.0