build(deps): bump GitHub Actions across workflows#133
Conversation
Consolidates the four open Dependabot PRs into one change: - actions/checkout v4/v6 -> v7 (#131) - codecov/codecov-action v6 -> v7 (#130) - github/codeql-action/init 4.36.3 -> 4.37.0 (#132) - github/codeql-action/analyze 4.36.3 -> 4.37.0 (#129) CI on the Dependabot PRs for checkout v7 and codecov v7 was fully green; the CodeQL bumps are pinned-SHA updates within v4 and keep init/analyze on the same version. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01W4svt5QTs4WUMSy4HwiVt9
📝 WalkthroughWalkthroughGitHub Actions workflows update checkout, CodeQL, and Codecov action versions across CI, security analysis, build, and Docker release jobs. Existing commands, language configuration, job structure, and release logic remain unchanged. ChangesGitHub Actions dependency updates
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related issues
Possibly related PRs
Suggested labels: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
There was a problem hiding this comment.
🧹 Nitpick comments (3)
.github/workflows/codeql.yml (1)
15-15: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winSet
persist-credentials: falseon the checkout step.zizmor flags this checkout for the "artipacked" credential-persistence risk. The CodeQL analysis job does not perform git operations after checkout, so persisting the
GITHUB_TOKENin.git/configis unnecessary and increases attack surface.🔒️ Proposed fix
- uses: actions/checkout@v7 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/codeql.yml at line 15, Update the checkout step using actions/checkout@v7 to set persist-credentials: false, preventing unnecessary GITHUB_TOKEN persistence for the CodeQL job.Source: Linters/SAST tools
.github/workflows/release.yml (1)
30-30: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winSet
persist-credentials: falseon both checkout steps.zizmor flags both
actions/checkoutsteps for the "artipacked" credential-persistence risk. Neither thebuildjob (tag verification, package building) nor thedockerjob (Docker build & push) performs git operations after checkout, so persisting credentials is unnecessary.🔒️ Proposed fix
Apply to both checkout steps (lines 30 and 82):
- uses: actions/checkout@v7 + with: + persist-credentials: falseAlso applies to: 82-82
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release.yml at line 30, Disable credential persistence on both actions/checkout steps by adding persist-credentials: false to the checkout configuration in the build and docker jobs; locate the steps by their actions/checkout@v7 usages.Source: Linters/SAST tools
.github/workflows/ci.yml (1)
17-17: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winSet
persist-credentials: falseon all checkout steps.zizmor flags all four
actions/checkoutsteps for the "artipacked" credential-persistence risk. By default, checkout persists theGITHUB_TOKENin.git/config, which can be exfiltrated via artifacts or logs. None of these jobs (lint, type-check, security, test) perform git operations after checkout, so persisting credentials is unnecessary.🔒️ Proposed fix
Apply to all four checkout steps:
- uses: actions/checkout@v7 + with: + persist-credentials: falseAlso applies to: 26-26, 34-34, 47-47
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml at line 17, Add persist-credentials: false to every actions/checkout step in the workflow, including the checkout steps for the lint, type-check, security, and test jobs. Ensure all four checkout actions explicitly disable credential persistence.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/ci.yml:
- Line 17: Add persist-credentials: false to every actions/checkout step in the
workflow, including the checkout steps for the lint, type-check, security, and
test jobs. Ensure all four checkout actions explicitly disable credential
persistence.
In @.github/workflows/codeql.yml:
- Line 15: Update the checkout step using actions/checkout@v7 to set
persist-credentials: false, preventing unnecessary GITHUB_TOKEN persistence for
the CodeQL job.
In @.github/workflows/release.yml:
- Line 30: Disable credential persistence on both actions/checkout steps by
adding persist-credentials: false to the checkout configuration in the build and
docker jobs; locate the steps by their actions/checkout@v7 usages.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 7c23bc73-bdd6-4c91-b667-125a6078f581
📒 Files selected for processing (3)
.github/workflows/ci.yml.github/workflows/codeql.yml.github/workflows/release.yml
Summary
Consolidates the four open Dependabot PRs (#129, #130, #131, #132) into a single change so all GitHub Actions bumps land together. Once merged, Dependabot will close the four original PRs automatically.
Closes #129, closes #130, closes #131, closes #132
Changes
actions/checkoutv6 → v7 inci.ymlandcodeql.yml, and v4 → v7 inrelease.yml(build(deps): Bump actions/checkout from 4 to 7 #131)codecov/codecov-actionv6 → v7 inci.yml(build(deps): Bump codecov/codecov-action from 6 to 7 #130)github/codeql-action/initandgithub/codeql-action/analyze4.36.3 → 4.37.0 (pinned SHA99df26d) incodeql.yml(build(deps): Bump github/codeql-action/init from 4.36.3 to 4.37.0 #132, build(deps): Bump github/codeql-action/analyze from 4.36.3 to 4.37.0 #129) — merging both bumps together keepsinitandanalyzeon the same versionTesting
uv run pytest) — all 13 CI checks were green on the Dependabot PRs for checkout v7 (build(deps): Bump actions/checkout from 4 to 7 #131) and codecov v7 (build(deps): Bump codecov/codecov-action from 6 to 7 #130), including the full test matrix and the Codecov uploadAdditional Notes
The CodeQL bumps are pinned-SHA updates within the v4 major line, so no config changes are needed. The
codecov-actionv7 upload was verified working with the existingfile:/token:inputs on PR #130. No breaking changes expected; CI on this PR will confirm.🤖 Generated with Claude Code
https://claude.ai/code/session_01W4svt5QTs4WUMSy4HwiVt9
Generated by Claude Code
Summary by CodeRabbit