Skip to content

build(deps): bump GitHub Actions across workflows#133

Merged
Liohtml merged 1 commit into
mainfrom
claude/dependabot-prs-q6u94z
Jul 10, 2026
Merged

build(deps): bump GitHub Actions across workflows#133
Liohtml merged 1 commit into
mainfrom
claude/dependabot-prs-q6u94z

Conversation

@Liohtml

@Liohtml Liohtml commented Jul 10, 2026

Copy link
Copy Markdown
Owner

Summary

Consolidates the four open Dependabot PRs (#129, #130, #131, #132) into a single change so all GitHub Actions bumps land together. Once merged, Dependabot will close the four original PRs automatically.

Closes #129, closes #130, closes #131, closes #132

Changes

Testing

Additional Notes

The CodeQL bumps are pinned-SHA updates within the v4 major line, so no config changes are needed. The codecov-action v7 upload was verified working with the existing file:/token: inputs on PR #130. No breaking changes expected; CI on this PR will confirm.

🤖 Generated with Claude Code

https://claude.ai/code/session_01W4svt5QTs4WUMSy4HwiVt9


Generated by Claude Code

Summary by CodeRabbit

  • Chores
    • Updated automated build, test, security scanning, and release workflows to use newer action versions.
    • Maintained existing testing, coverage, packaging, and publishing behavior.
    • Improved workflow maintenance and compatibility without changing user-facing functionality.

Consolidates the four open Dependabot PRs into one change:
- actions/checkout v4/v6 -> v7 (#131)
- codecov/codecov-action v6 -> v7 (#130)
- github/codeql-action/init 4.36.3 -> 4.37.0 (#132)
- github/codeql-action/analyze 4.36.3 -> 4.37.0 (#129)

CI on the Dependabot PRs for checkout v7 and codecov v7 was fully
green; the CodeQL bumps are pinned-SHA updates within v4 and keep
init/analyze on the same version.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01W4svt5QTs4WUMSy4HwiVt9
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

GitHub Actions workflows update checkout, CodeQL, and Codecov action versions across CI, security analysis, build, and Docker release jobs. Existing commands, language configuration, job structure, and release logic remain unchanged.

Changes

GitHub Actions dependency updates

Layer / File(s) Summary
CI validation and coverage updates
.github/workflows/ci.yml
Lint, type-check, security, and matrix test jobs use actions/checkout@v7; coverage upload uses codecov/codecov-action@v7 while test commands remain unchanged.
CodeQL action updates
.github/workflows/codeql.yml
The analysis workflow updates checkout and repins CodeQL initialization and analysis actions while retaining Python configuration.
Release workflow checkout updates
.github/workflows/release.yml
Build and Docker jobs replace actions/checkout@v4 with actions/checkout@v7.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related issues

Possibly related PRs

  • Liohtml/MedCheck#2 — Updates actions/checkout references in overlapping CI and CodeQL workflows.
  • Liohtml/MedCheck#8 — Updates action versions in the same CI and CodeQL workflow areas.

Suggested labels: dependencies, github_actions

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the workflow dependency bumps across the PR.
Description check ✅ Passed The PR description follows the template with Summary, Changes, Testing, and Additional Notes sections filled in.
Linked Issues check ✅ Passed The workflow updates match the linked issues: checkout v7, codecov-action v7, and CodeQL init/analyze 4.37.0.
Out of Scope Changes check ✅ Passed All changes are limited to workflow dependency bumps and stay within the linked issue scope.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/dependabot-prs-q6u94z

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (3)
.github/workflows/codeql.yml (1)

15-15: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Set persist-credentials: false on the checkout step.

zizmor flags this checkout for the "artipacked" credential-persistence risk. The CodeQL analysis job does not perform git operations after checkout, so persisting the GITHUB_TOKEN in .git/config is unnecessary and increases attack surface.

🔒️ Proposed fix
       - uses: actions/checkout@v7
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml at line 15, Update the checkout step using
actions/checkout@v7 to set persist-credentials: false, preventing unnecessary
GITHUB_TOKEN persistence for the CodeQL job.

Source: Linters/SAST tools

.github/workflows/release.yml (1)

30-30: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Set persist-credentials: false on both checkout steps.

zizmor flags both actions/checkout steps for the "artipacked" credential-persistence risk. Neither the build job (tag verification, package building) nor the docker job (Docker build & push) performs git operations after checkout, so persisting credentials is unnecessary.

🔒️ Proposed fix

Apply to both checkout steps (lines 30 and 82):

       - uses: actions/checkout@v7
+        with:
+          persist-credentials: false

Also applies to: 82-82

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 30, Disable credential persistence on
both actions/checkout steps by adding persist-credentials: false to the checkout
configuration in the build and docker jobs; locate the steps by their
actions/checkout@v7 usages.

Source: Linters/SAST tools

.github/workflows/ci.yml (1)

17-17: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Set persist-credentials: false on all checkout steps.

zizmor flags all four actions/checkout steps for the "artipacked" credential-persistence risk. By default, checkout persists the GITHUB_TOKEN in .git/config, which can be exfiltrated via artifacts or logs. None of these jobs (lint, type-check, security, test) perform git operations after checkout, so persisting credentials is unnecessary.

🔒️ Proposed fix

Apply to all four checkout steps:

       - uses: actions/checkout@v7
+        with:
+          persist-credentials: false

Also applies to: 26-26, 34-34, 47-47

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 17, Add persist-credentials: false to every
actions/checkout step in the workflow, including the checkout steps for the
lint, type-check, security, and test jobs. Ensure all four checkout actions
explicitly disable credential persistence.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/ci.yml:
- Line 17: Add persist-credentials: false to every actions/checkout step in the
workflow, including the checkout steps for the lint, type-check, security, and
test jobs. Ensure all four checkout actions explicitly disable credential
persistence.

In @.github/workflows/codeql.yml:
- Line 15: Update the checkout step using actions/checkout@v7 to set
persist-credentials: false, preventing unnecessary GITHUB_TOKEN persistence for
the CodeQL job.

In @.github/workflows/release.yml:
- Line 30: Disable credential persistence on both actions/checkout steps by
adding persist-credentials: false to the checkout configuration in the build and
docker jobs; locate the steps by their actions/checkout@v7 usages.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 7c23bc73-bdd6-4c91-b667-125a6078f581

📥 Commits

Reviewing files that changed from the base of the PR and between 419ebcd and 287d90d.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/release.yml

@Liohtml Liohtml merged commit 09b3ae1 into main Jul 10, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants