From 971afee70fe481430bbe59834cfa3dcae433dbc5 Mon Sep 17 00:00:00 2001
From: Brian Thorne
Date: Wed, 13 May 2026 06:34:37 +1200
Subject: [PATCH 1/2] CI: fix security workflow + bump actions for Node.js 24
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- security.yml: drop invalid `issues-reason:` and `checks-reason:` permission keys (those aren't real GitHub Actions permissions; their presence broke the workflow at parse time on every push). Intent preserved as YAML comments above the `permissions:` block.
- Bump actions off the deprecated Node.js 20 runner:
- actions/checkout v4 → v5
- actions/setup-python v4/v5 → v6
- actions/upload-artifact v4 → v5
- actions/download-artifact v4 → v5
- astral-sh/setup-uv v3/v4 → v8
- rustsec/audit-check v1.4.1 → v2
PyO3/maturin-action and github/codeql-action stay on their rolling major tags (v1 and v3 respectively).
---
.github/workflows/ci.yml | 32 ++++++++++++++++----------------
.github/workflows/claude.yml | 2 +-
.github/workflows/security.yml | 18 +++++++++---------
3 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7261cba..fac5168 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,10 +26,10 @@ jobs:
 matrix:
 python-version: ["3.11", "3.12"]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
 - name: Install uv
- uses: astral-sh/setup-uv@v4
+ uses: astral-sh/setup-uv@v8
 with:
 version: "latest"
@@ -56,10 +56,10 @@ jobs:
 name: Code Quality & Type Checking
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
 - name: Install uv
- uses: astral-sh/setup-uv@v4
+ uses: astral-sh/setup-uv@v8
 with:
 version: "latest"
@@ -119,8 +119,8 @@ jobs:
 - runner: ubuntu-latest
 target: ppc64le
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v5
+ - uses: actions/checkout@v5
+ - uses: actions/setup-python@v6
 with:
 python-version: '3.11'
 - name: Build wheels
@@ -131,7 +131,7 @@ jobs:
 sccache: 'true'
 manylinux: auto
 - name: Upload wheels
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v5
 with:
 name: wheels-linux-${{ matrix.platform.target }}
 path: dist
@@ -147,8 +147,8 @@ jobs:
 - runner: windows-latest
 target: x86
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v5
+ - uses: actions/checkout@v5
+ - uses: actions/setup-python@v6
 with:
 python-version: '3.11'
 architecture: ${{ matrix.platform.target }}
@@ -159,7 +159,7 @@ jobs:
 args: --release --out dist --find-interpreter
 sccache: 'true'
 - name: Upload wheels
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v5
 with:
 name: wheels-windows-${{ matrix.platform.target }}
 path: dist
@@ -175,8 +175,8 @@ jobs:
 - runner: macos-14
 target: aarch64
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v5
+ - uses: actions/checkout@v5
+ - uses: actions/setup-python@v6
 with:
 python-version: '3.11'
 - name: Build wheels
@@ -186,7 +186,7 @@ jobs:
 args: --release --out dist --find-interpreter
 sccache: 'true'
 - name: Upload wheels
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v5
 with:
 name: wheels-macos-${{ matrix.platform.target }}
 path: dist
@@ -195,14 +195,14 @@ jobs:
 runs-on: ubuntu-latest
 needs: [test, lint]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
 - name: Build sdist
 uses: PyO3/maturin-action@v1
 with:
 command: sdist
 args: --out dist
 - name: Upload sdist
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v5
 with:
 name: wheels-sdist
 path: dist
@@ -215,7 +215,7 @@ jobs:
 permissions:
 id-token: write
 steps:
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@v5
 - name: Publish to PyPI
 uses: PyO3/maturin-action@v1
 env:
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 77946ae..c570b7d 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -25,7 +25,7 @@ jobs:
 id-token: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@v5
 with:
 fetch-depth: 1
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 9779fa2..4293c01 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -17,21 +17,21 @@ jobs:
 security:
 name: Security Scan
 runs-on: ubuntu-latest
+ # issues: write — rustsec/audit-check creates issues for new advisories.
+ # checks: write — rustsec/audit-check posts check annotations.
 permissions:
 issues: write
- issues-reason: to create issues
 checks: write
- checks-reason: to create check
 steps:
- - uses: actions/checkout@v4
-
+ - uses: actions/checkout@v5
+
 - name: Run Rust security audit
- uses: rustsec/audit-check@v1.4.1
+ uses: rustsec/audit-check@v2
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
-
+
 - name: Install uv
- uses: astral-sh/setup-uv@v4
+ uses: astral-sh/setup-uv@v8
 with:
 version: "latest"
@@ -56,8 +56,8 @@ jobs:
 security-events: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
-
+ uses: actions/checkout@v5
+
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v3
 with:
From 250a4c44b53573c91813175dd2c9a2d53810e1b0 Mon Sep 17 00:00:00 2001
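Review bot: In the security.yml hunk the new `uses: rustsec/audit-check@v2` (patch 2 re-pins it to `@v2.0.0`) is still a mutable git tag, and this job hands the action `issues: write`, `checks: write` and `${{ secrets.GITHUB_TOKEN }}`, so whoever can move that tag inherits those scopes; the commit message's own observation that the action has no rolling major tag makes a full-length commit SHA the natural pin, e.g. `uses: rustsec/audit-check@<full-commit-sha>  # v2.0.0`, and the same applies to `astral-sh/setup-uv` here and in ci.yml. The comments that replace the dropped `issues-reason`/`checks-reason` keys are the right fix for the parse failure. Separately, the block declares no `contents` scope, so with a job-level `permissions:` map the token's `contents` access is set to none; for the checkout step that is presumably fine only on a public repository, otherwise add `contents: read`. The `security` job's remaining steps continue outside the hunk.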
From: Brian Thorne
Date: Wed, 13 May 2026 06:36:23 +1200
Subject: [PATCH 2/2] Pin to existing major tags: setup-uv@v7, audit-check@v2.0.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

astral-sh/setup-uv only publishes specific tags past v7 (no v8 alias). rustsec/audit-check has no moving major tag — pin to v2.0.0.
---
.github/workflows/ci.yml | 4 ++--
.github/workflows/security.yml | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fac5168..0e8d512 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -29,7 +29,7 @@ jobs:
 - uses: actions/checkout@v5
 - name: Install uv
- uses: astral-sh/setup-uv@v8
+ uses: astral-sh/setup-uv@v7
 with:
 version: "latest"
@@ -59,7 +59,7 @@ jobs:
 - uses: actions/checkout@v5
 - name: Install uv
- uses: astral-sh/setup-uv@v8
+ uses: astral-sh/setup-uv@v7
 with:
 version: "latest"
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 4293c01..c4cc84a 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -26,12 +26,12 @@ jobs:
 - uses: actions/checkout@v5
 - name: Run Rust security audit
- uses: rustsec/audit-check@v2
+ uses: rustsec/audit-check@v2.0.0
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 - name: Install uv
- uses: astral-sh/setup-uv@v8
+ uses: astral-sh/setup-uv@v7
 with:
 version: "latest"