CI: fix security workflow + bump actions for Node.js 24 #33
- security.yml: drop invalid `issues-reason:` and `checks-reason:` permission keys (those aren't real GitHub Actions permissions; their presence broke the workflow at parse time on every push). Intent preserved as YAML comments above the `permissions:` block.
- Bump actions off the deprecated Node.js 20 runner:
  - actions/checkout v4 → v5
  - actions/setup-python v4/v5 → v6
  - actions/upload-artifact v4 → v5
  - actions/download-artifact v4 → v5
  - astral-sh/setup-uv v3/v4 → v8
  - rustsec/audit-check v1.4.1 → v2

PyO3/maturin-action and github/codeql-action stay on their rolling major tags (v1 and v3 respectively).
astral-sh/setup-uv only publishes specific tags past v7 (no v8 alias). rustsec/audit-check has no moving major tag — pin to v2.0.0.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 971afee70f
```diff
   - name: Install uv
-    uses: astral-sh/setup-uv@v4
+    uses: astral-sh/setup-uv@v8
```
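Review bot: `astral-sh/setup-uv@v8` in this hunk does not resolve, as the follow-up commit notes, but the fix should go one step further than a full tag: pin `uses:` to the release's commit SHA and keep the version in a trailing comment (`uses: astral-sh/setup-uv@<sha>  # v8.x.y`, with `<sha>` filled from the release). A tag can be re-pointed after the fact; a commit SHA cannot. The same applies to the other actions bumped in this PR, since a job that runs with `issues: write` is only as trustworthy as the action code it pulls.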
Pin setup-uv to a real v8 release
Any CI or security job that reaches this step will fail while resolving the action, because setup-uv v8 stopped publishing moving major/minor tags; the v8.0.0 release notes say @v8 and @v8.0 do not resolve and only full tags such as astral-sh/setup-uv@v8.1.0 or a commit SHA should be used. This same unresolved reference is also used in the lint job and in .github/workflows/security.yml, so PR CI and the scheduled security scan cannot install uv.
```diff
     runs-on: ubuntu-latest
+    # issues: write — rustsec/audit-check creates issues for new advisories.
```
Preserve checkout's contents permission
With a job-level permissions: block, GitHub sets every unspecified scope to none, and actions/checkout recommends contents: read unless another token is supplied. After the invalid *-reason keys are removed this job can parse, but the default checkout token still has no repository contents permission, so the security workflow can fail at checkout in repositories where token auth is required; add contents: read alongside the issue/check permissions.
Summary
Two related cleanups noted as follow-ups in the 0.6.0 release:
- `security.yml` was failing on every push. The `permissions:` block had two invalid keys — `issues-reason:` and `checks-reason:` — which aren't real GitHub Actions permission scopes. GitHub rejected the workflow at parse time, hence the instant failures with no log. Replaced the rationale-as-key pattern with YAML comments.
- Bumped actions off the deprecated Node.js 20 runner (Node 20 will be force-migrated to Node 24 on June 2nd 2026 and removed on September 16th 2026):

`PyO3/maturin-action` and `github/codeql-action` stay on their rolling major tags (`v1` and `v3`) — both already support Node 24.

Test plan

- `yaml.safe_load()` parses all three changed files cleanly.
- `docs.yml` (untracked WIP from a prior session).
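A clean `yaml.safe_load()` only proves the file is YAML; it would have accepted `issues-reason:` just as happily as GitHub rejected it. The following is an added example, not code from this PR or its repository: an indent-based lint (no PyYAML needed) that flags keys under `permissions:` that are not real scopes, `uses:` refs that are not a full release tag or commit SHA, and a job that sets `permissions:` without `contents: read` while using actions/checkout. It is stricter than the PR in that it treats every moving major tag as a finding, not just setup-uv's; the scope list is an assumption current as of writing, and `SAMPLE` is a constructed workflow, not the project's.

```python
import re

# Permission scopes GitHub Actions accepts (assumption: current as of writing; re-check the docs over time).
VALID_SCOPES = set("actions attestations checks contents deployments discussions id-token issues models "
                   "packages pages pull-requests repository-projects security-events statuses".split())
PINNED_RE = re.compile(r"^(?:[0-9a-f]{40}|v?\d+\.\d+\.\d+)$")   # full commit SHA or full release tag
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")

# Constructed sample, not the repository's workflow: one bogus *-reason key, two moving tags, one full tag.
SAMPLE = """\
jobs:
  audit:
    permissions:
      issues: write
      issues-reason: audit-check files issues for new advisories
    steps:
      - uses: actions/checkout@v5
      - uses: astral-sh/setup-uv@v8
      - uses: rustsec/audit-check@v2.0.0
"""

def lint_workflow(text):
    # Indent-based scan of one workflow file; returns finding strings, an empty list means clean.
    jobs = {"workflow": {"perms": False, "scopes": set(), "checkout": False}}
    findings, job, jobs_indent, perm_indent = [], jobs["workflow"], None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # YAML comments (the PR's rationale) are ignored
        if not line.strip():
            continue
        ind = len(line) - len(line.lstrip(" "))
        if perm_indent is not None and ind <= perm_indent:
            perm_indent = None                        # dedented out of the permissions: block
        if line.strip() == "jobs:":
            jobs_indent = ind
        elif jobs_indent is not None and ind == jobs_indent + 2 and line.endswith(":"):
            job = jobs[line.strip()[:-1]] = {"perms": False, "scopes": set(), "checkout": False}
        elif perm_indent is not None:                 # inside permissions: every key must be a real scope
            key = line.strip().split(":", 1)[0]
            job["scopes"].add(key)
            if key not in VALID_SCOPES:
                findings.append(f"line {n}: '{key}' is not a GitHub Actions permission scope")
        elif line.strip() == "permissions:":
            perm_indent, job["perms"] = ind, True
        elif m := USES_RE.match(line):
            action, _, version = m.group(1).rpartition("@")
            job["checkout"] |= action == "actions/checkout"
            if not PINNED_RE.match(version):
                findings.append(f"line {n}: '{m.group(1)}' is not pinned to a full release tag or commit SHA")
    for name, j in jobs.items():   # job-level permissions: zeroes unlisted scopes; checkout needs contents: read
        if j["perms"] and j["checkout"] and "contents" not in j["scopes"]:
            findings.append(f"job {name}: permissions: omits contents: read, which actions/checkout needs")
    return findings
```

Run it over `.github/workflows/*.yml` in a pre-commit hook so a bogus permission key fails locally instead of as a silent parse error on every push.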