Skip to content

Fix create-pull-request action pins and update GitHub Actions workflow pins#3448

Merged
joshlf merged 3 commits into
mainfrom
codex/clone-pr-and-fix-zizmor-failures
Jun 8, 2026
Merged

Fix create-pull-request action pins and update GitHub Actions workflow pins#3448
joshlf merged 3 commits into
mainfrom
codex/clone-pr-and-fix-zizmor-failures

Conversation

@joshlf

@joshlf joshlf commented Jun 8, 2026

Copy link
Copy Markdown
Member

Motivation

  • Ensure workflow action pins match their commented v tags and silence zizmor findings by restoring the correct peter-evans/create-pull-request SHA and aligning other action pins across CI workflows.
  • Keep GitHub Actions runtime dependencies up-to-date and consistent to avoid audit mismatches and to ensure CI/automation steps use the intended releases.

Description

  • Restored the peter-evans/create-pull-request SHA to the commit that matches the existing v8.1.0 comments in .github/workflows/anneal-release.yml, .github/workflows/backport-pr.yml, .github/workflows/release-crate-version.yml, and .github/workflows/roll-pinned-toolchain-versions.yml.
  • Bumped many workflow action pins and versions (notably actions/checkout to v6.0.3, docker/* actions, docker/build-push-action to v7.2.0, actions/download-artifact/upload-artifact to newer pins, codecov to v7.0.0, zizmor-action to v0.5.6, benchmark-action to v1.22.1, actions/upload-pages-artifact/actions/deploy-pages and other workflow helper actions) across multiple .github/workflows files for consistency.
  • Fixed a small set of mismatched pinned SHAs that caused the custom pin/tag consistency check to fail and committed the changes on the PR branch with message "Fix create-pull-request action pins".

Testing

  • Ran uvx zizmor --persona pedantic .github --format plain --color never (and --format sarif) and observed no blocking findings for the .github directory (zizmor exit 0).
  • Executed the custom Python check that validates uses: owner/repo@<sha> # v... comments against the tag commit SHA and confirmed pinned-action comments match (exit 0).
  • Verified repository diffs and formatting checks with git diff --check and local git commands to ensure no whitespace or diff issues (no errors).

Codex Task

@joshlf joshlf enabled auto-merge June 8, 2026 11:17
@joshlf joshlf mentioned this pull request Jun 8, 2026
Closed
@codecov-commenter

codecov-commenter commented Jun 8, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.85%. Comparing base (83dbc57) to head (f6ac801).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #3448   +/-   ##
=======================================
  Coverage   91.85%   91.85%           
=======================================
  Files          20       20           
  Lines        6093     6093           
=======================================
  Hits         5597     5597           
  Misses        496      496

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@joshlf

joshlf commented Jun 8, 2026

Copy link
Copy Markdown
Member Author

This is just #3447, but I asked Codex to fix Zizmor warnings.

@joshlf joshlf requested a review from jswrenn June 8, 2026 12:07
@joshlf joshlf added this pull request to the merge queue Jun 8, 2026
Merged via the queue into main with commit 7055b34 Jun 8, 2026
131 checks passed
@joshlf joshlf deleted the codex/clone-pr-and-fix-zizmor-failures branch June 8, 2026 14:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jswrenn jswrenn jswrenn approved these changes

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@joshlf @codecov-commenter @jswrenn