Description
Several .github/workflows/ files reference GitHub Actions versions that do not exist:
actions/checkout@v7 — latest stable is v4 (v7 does not exist)
actions/upload-artifact@v7 — latest stable is v4 (v7 does not exist)
When a workflow run hits these steps, GitHub Actions will fail with:
Error: Unable to resolve action `actions/checkout@v7`, the action does not exist
This breaks every CI job that uses these actions — including the main ci.yml, matrix.yml, release.yml, and potentially others.
Affected Files
Audit all files under .github/workflows/ for these patterns:
actions/checkout@v7
actions/upload-artifact@v7
- Any other
@v5, @v6, or @v7 suffixes on official GitHub Actions (verify against github.com/actions)
Acceptance Criteria
Security Note
Pinning actions to a commit SHA (not just a tag) is recommended by GitHub's own security hardening guide, as tags can be moved. The dependency-scan.yml workflow (already present) should be configured to flag unpinned action references.
Priority
High — CI is broken for all workflows using these actions.
Estimated Effort
Small
Description
Several
.github/workflows/files reference GitHub Actions versions that do not exist:actions/checkout@v7— latest stable is v4 (v7 does not exist)actions/upload-artifact@v7— latest stable is v4 (v7 does not exist)When a workflow run hits these steps, GitHub Actions will fail with:
This breaks every CI job that uses these actions — including the main
ci.yml,matrix.yml,release.yml, and potentially others.Affected Files
Audit all files under
.github/workflows/for these patterns:actions/checkout@v7actions/upload-artifact@v7@v5,@v6, or@v7suffixes on official GitHub Actions (verify against github.com/actions)Acceptance Criteria
actions/checkoutreferences updated toactions/checkout@v4actions/upload-artifactreferences updated toactions/upload-artifact@v4actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2) per security best practice to prevent supply-chain attacksUnable to resolve actionerrors)CONTRIBUTING.mdor a workflow comment about the version pinning policySecurity Note
Pinning actions to a commit SHA (not just a tag) is recommended by GitHub's own security hardening guide, as tags can be moved. The
dependency-scan.ymlworkflow (already present) should be configured to flag unpinned action references.Priority
High — CI is broken for all workflows using these actions.
Estimated Effort
Small