Skip to content

ci: pin upload/download-artifact to v5.0.0 SHAs#262

Merged
DavidCozens merged 2 commits into
mainfrom
ci/upload-artifact-v5
May 4, 2026
Merged

ci: pin upload/download-artifact to v5.0.0 SHAs#262
DavidCozens merged 2 commits into
mainfrom
ci/upload-artifact-v5

Conversation

@DavidCozens

Copy link
Copy Markdown
Owner

Summary

  • Bumps all actions/upload-artifact@v4 (×11) and actions/download-artifact@v4 (×5) to v5.0.0, pinned by commit SHA to match the convention used for checkout/setup-python/upload-pages-artifact.
  • Addresses the GitHub Actions deprecation warning ("Node.js 20 actions are deprecated... actions/upload-artifact@v4") that fires on every job. v5.0.0 is purely the Node 24 runtime bump — no artifact format change.

Reference: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/

Test plan

  • YAML parses cleanly (yaml.safe_load)
  • CI: full matrix to confirm artifact upload/download still round-trips (analyze-tidy → quality-monitor consumes the SARIF artifact, BDD jobs upload junit reports)

🤖 Generated with Claude Code

GitHub deprecated Node.js 20 actions on 2025-09-19. actions/upload-artifact@v4
and actions/download-artifact@v4 still ship Node 20 and trigger the deprecation
warning on every job; the runner forces Node 24 from 2026-06-02. v5.0.0 of
both actions is purely the Node 24 runtime bump (no artifact format change).

Pinned to SHA to match the convention used elsewhere in this workflow
(actions/checkout, actions/setup-python, actions/upload-pages-artifact, etc.).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented May 4, 2026

Copy link
Copy Markdown
Contributor

Warning

Rate limit exceeded

@DavidCozens has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 44 minutes and 20 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 406b80ce-8a06-4c90-86ff-7044e7ac0ebc

📥 Commits

Reviewing files that changed from the base of the PR and between 3b64613 and cf3b5d3.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/upload-artifact-v5

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
Review rate limit: 0/1 reviews remaining, refill in 44 minutes and 20 seconds.

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

github-actions Bot commented May 4, 2026

Copy link
Copy Markdown
Contributor

☀️   Quality Summary

   🚦   build-linux-gcc: 100% successful (✔️ 1025 passed, 🙈 3 skipped)
   🚦   build-linux-clang: 100% successful (✔️ 974 passed, 🙈 3 skipped)
   🚦   sanitize-linux-gcc: 100% successful (✔️ 974 passed, 🙈 3 skipped)
   🚦   integration-linux-openssl: 100% successful (✔️ 9 passed)
   🚦   bdd-linux-syslog-ng: 100% successful (✔️ 46 passed)
   🚦   bdd-windows-otel: 57% successful (✔️ 26 passed, 🙈 20 skipped)
   🚦   build-windows-msvc: 100% successful (✔️ 887 passed, 🙈 1 skipped)
   ⚠️   Clang-Tidy: No warnings
   ⚠️   CPPCheck: No warnings


Created by Quality Monitor v1.14.0 (#f3859fd). More details are shown in the GitHub Checks Result.

@github-actions

github-actions Bot commented May 4, 2026

Copy link
Copy Markdown
Contributor

☀️   Quality Summary

   🚦   build-linux-gcc: 100% successful (✔️ 1025 passed, 🙈 3 skipped)
   🚦   build-linux-clang: 100% successful (✔️ 974 passed, 🙈 3 skipped)
   🚦   sanitize-linux-gcc: 100% successful (✔️ 974 passed, 🙈 3 skipped)
   🚦   integration-linux-openssl: 100% successful (✔️ 9 passed)
   🚦   bdd-linux-syslog-ng: 100% successful (✔️ 46 passed)
   🚦   bdd-windows-otel: 57% successful (✔️ 26 passed, 🙈 20 skipped)
   🚦   build-windows-msvc: 100% successful (✔️ 887 passed, 🙈 1 skipped)
   ⚠️   Clang-Tidy: No warnings
   ⚠️   CPPCheck: No warnings


Created by Quality Monitor v1.14.0 (#f3859fd). More details are shown in the GitHub Checks Result.

@DavidCozens DavidCozens merged commit 7bc93e0 into main May 4, 2026
14 checks passed
@DavidCozens DavidCozens deleted the ci/upload-artifact-v5 branch May 4, 2026 09:24
DavidCozens added a commit that referenced this pull request May 4, 2026
The analyze-iwyu job's iwyu-report upload and the summary job's iwyu-report
download were still using @v4 floating tags. Pinning them to match the
v5.0.0 SHAs introduced in #262 — keeps the action reference style uniform
across the workflow.
DavidCozens added a commit that referenced this pull request May 4, 2026
* ci: add analyze-iwyu required check, bump cpputest-clang to sha-7eac3ab

Adds the analyze-iwyu CI job (mirrors analyze-tidy/analyze-cppcheck
shape) that runs `cmake --build --preset iwyu --target iwyu` against
the new cpputest-clang image (which now ships include-what-you-use
0.23 built against clang-19). Job is wired into the summary's needs
list so it gates the PR.

The container SHA bump from sha-0385cea to sha-7eac3ab also updates
the existing build-linux-clang job and the local clang dev-container.

After this merges, branch protection should be updated to make
analyze-iwyu a required status check (not done in this PR — it's a
GitHub UI change, not a code change).

* ci: surface analyze-iwyu in PR Quality Monitor summary

CodeRabbit caught that analyze-iwyu was wired into the summary job's
needs (gating execution) but the Quality Monitor summary itself
neither downloaded the iwyu-report artifact nor had an analyze-iwyu
analysis entry, so PR-level findings would be invisible. Adds the
download step and the analysis block using warnings-ng's `iwyu`
parser id.

* ci: drop analyze-iwyu Quality Monitor analysis entry, keep artifact download

The warnings-ng parser registry bundled with quality-monitor@v1 has no
parser registered under id `iwyu` — the summary job was failing with
`java.util.NoSuchElementException: No such parser registered: iwyu`.

Dropping the analysis-array entry. The iwyu-report artifact download is
kept for archival/inspection. The job-level pass/fail status of
analyze-iwyu (which becomes a required check via branch protection) is
the gate — Quality Monitor surfacing was nice-to-have for warnings-ng
formatted output, not strictly necessary for required-check semantics.

* ci: pin upload/download-artifact in analyze-iwyu and summary

The analyze-iwyu job's iwyu-report upload and the summary job's iwyu-report
download were still using @v4 floating tags. Pinning them to match the
v5.0.0 SHAs introduced in #262 — keeps the action reference style uniform
across the workflow.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant