Skip to content

Update GitHub Actions to latest versions#738

Merged
epompeii merged 2 commits intodevelfrom
claude/update-github-actions-IMVof
Mar 25, 2026
Merged

Update GitHub Actions to latest versions#738
epompeii merged 2 commits intodevelfrom
claude/update-github-actions-IMVof

Conversation

@epompeii
Copy link
Member

@epompeii epompeii commented Mar 25, 2026

Summary

  • actions/cache v4 → v5
  • actions/download-artifact v4 → v7
  • actions/upload-artifact v4 → v6
  • mlugg/setup-zig v1 → v2
  • lycheeverse/lychee-action v2.3.0 → v2.4.1

All upgrades are backward compatible — no workflow input/config changes needed. upload-artifact@v6 and download-artifact@v7 are fully compatible with each other.

Supersedes #607, #608, #630, #631, #632

Test plan

  • CI workflows pass with the updated action versions
  • Artifact upload/download works correctly across jobs

https://claude.ai/code/session_01GvcMR9yr5MKruNmrXWadDn

@claude
Update GitHub Actions to latest versions
4347fb6 
- actions/cache v4 → v5
- actions/download-artifact v4 → v7
- actions/upload-artifact v4 → v6
- mlugg/setup-zig v1 → v2
- lycheeverse/lychee-action v2.3.0 → v2.4.1

Supersedes #607, #608, #630, #631, #632

https://claude.ai/code/session_01GvcMR9yr5MKruNmrXWadDn
@github-actions
Copy link

github-actions bot commented Mar 25, 2026
edited
Loading

🤖 Claude Code Review

PR: #738
Base: devel
Head: claude/update-github-actions-IMVof
Commit: 87ba26158d41cc11df7f03abd7e50658413c3334

PR Review: Update GitHub Actions to latest versions

Summary

Two commits updating GitHub Actions dependencies across 8 CI workflow files. Pure version bumps, no logic changes.

Version Changes

Action Old New Status
actions/cache v4 v5 OK
actions/upload-artifact v4 v7 OK
actions/download-artifact v4 v8 OK
lycheeverse/lychee-action v2.3.0 v2.4.1 OK
mlugg/setup-zig v1 v2 OK

Issues

1. upload-artifact v7 / download-artifact v8 version mismatch
The upload-artifact is at v7 and download-artifact is at v8. This is intentional and correct — these actions moved to independent versioning. However, it's worth confirming that artifacts uploaded with v7 are compatible with downloads via v8. Per the GitHub docs, v7 upload is the counterpart to v8 download (both use the same underlying artifact backend), so this pairing is correct.

2. No pinning to full SHA
All actions use tag-based references (e.g., @v5) rather than SHA-pinned references (e.g., @abc123). This is the existing pattern in the repo so it's consistent, but SHA pinning is a security best practice to prevent tag-hijacking supply chain attacks. Consider pinning to full commit SHAs for third-party actions, especially mlugg/setup-zig and lycheeverse/lychee-action which are community-maintained.

3. actions/checkout not updated
The diff shows actions/checkout@v6 is already in use (appears in context lines). This is current, so no issue.

Verdict

Looks good. The changes are mechanical, consistent across all workflows, and use the correct version pairings. The only actionable suggestion is considering SHA pinning for supply chain security, but that's a pre-existing pattern rather than a regression introduced by this PR.

Model: claude-opus-4-6

@claude
Bump to actual latest: upload-artifact v7, download-artifact v8
87ba261 
The dependabot PRs targeted v6/v7 but the actual latest versions are
upload-artifact v7 and download-artifact v8.

https://claude.ai/code/session_01GvcMR9yr5MKruNmrXWadDn
@epompeii epompeii self-assigned this Mar 25, 2026
@epompeii epompeii merged commit 82e5039 into devel Mar 25, 2026
37 checks passed
@epompeii epompeii deleted the claude/update-github-actions-IMVof branch March 25, 2026 21:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@epompeii epompeii

Labels

claude

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@epompeii @claude