Bump actions/setup-python from 5 to 6 in the github-actions group #1274
Open: dependabot wants to merge 1 commit into main from dependabot/github_actions/github-actions-1cc54e3a68
+1 −1
🟡 While bumping this line, consider SHA-pinning to match the rest of the workflow. Every other third-party action in this same file is pinned by SHA with a version comment (e.g. `actions/checkout@de0fac2... # v6.0.2` on lines 57/63/318/358), and sibling workflows already SHA-pin setup-python (`.github/workflows/test-matrix-logic.yml:24` and `test-process-result.yml:24` use `actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0`). The pre-existing `@v5` was likewise unpinned, so this isn't a regression — just a missed opportunity to bring the line into the repo's existing convention.

Extended reasoning

What the issue is. The PR updates line 322 from `actions/setup-python@v5` to `actions/setup-python@v6`, but the new value is still a mutable major-version tag rather than a SHA pin. This is the only `setup-python` invocation in the repository that is not SHA-pinned, and it is also the only third-party action invocation in `e2e-tests.yml` that is not SHA-pinned.

Repo convention is unambiguous. Within `.github/workflows/e2e-tests.yml` itself, every other third-party action is SHA-pinned with a trailing version comment:

- `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` (lines 57, 63, 318, 358)
- `actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1` (lines 330, 364)
- `actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1` (lines 342, 375)

And sibling workflows already pin `setup-python` by SHA at exactly the v6.2.0 release that the v6 tag currently resolves to:

- `.github/workflows/test-matrix-logic.yml:24`: `actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0`
- `.github/workflows/test-process-result.yml:24`: `actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0`

So the convention exists and is followed by every other action in the repo — this single line is the outlier.

Why it matters. GitHub's own hardening guide recommends SHA-pinning third-party actions because the maintainer of an action (or anyone who compromises their account) can move a major-version tag to point at arbitrary code. With `@v6`, any future force-move of the v6 tag would silently change what runs in this workflow. SHA pins are immutable.

Step-by-step proof.

- `git show HEAD:.github/workflows/e2e-tests.yml | sed -n '322p'` → `- uses: actions/setup-python@v6` (unpinned).
- `git grep 'setup-python@' .github/workflows/` → returns the two sibling workflows above, both pinned by SHA, plus this one.
- `git grep -E 'uses: actions/(checkout|download-artifact|upload-artifact)@' .github/workflows/e2e-tests.yml` → all hits include a 40-char SHA and a `# vX.Y.Z` comment.
- `actions/setup-python@v5` (also unpinned), so this PR is not the cause of the unpinned state, but it touches the exact line and is the natural opportunity to fix it.

Suggested fix. Replace line 322 with the same pin already used elsewhere in the repo:

Caveat (why this is a nit, not a blocker). This PR is auto-generated by Dependabot, which by default does not produce SHA pins; manually rewriting the line would also break Dependabot's update tracking for this dependency unless the repo's Dependabot config is updated to use `hashes` updates. The pre-existing `@v5` line was already unpinned, so merging as-is preserves the current security posture rather than degrading it. Flagging as a polish/consistency suggestion only.
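A check for the convention the review comment describes, added here as an example and not part of the PR or the project's own tooling: it scans workflow text for `uses:` references that are not 40-hex commit SHAs, and for SHA pins that lack the `# vX.Y.Z` version comment. The workflow snippet is constructed for the example; the SHA values are the ones quoted in the comment above.

```python
import re

# A `uses:` step reference in a GitHub Actions workflow, with an optional
# trailing comment, e.g. "- uses: actions/checkout@<sha> # v6.0.2".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Return 'local', 'docker', 'sha' or 'tag' for one action reference."""
    if ref.startswith("./"):
        return "local"      # same-repo actions are not third-party
    if ref.startswith("docker://"):
        return "docker"     # image references follow a different pinning scheme
    _, _, version = ref.partition("@")
    return "sha" if SHA_RE.match(version) else "tag"


def find_unpinned(workflow_text):
    """Return (line_number, ref, note) for each third-party action that is not
    pinned to a full commit SHA, or is SHA-pinned without a '# vX.Y.Z' comment."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group("ref"), m.group("comment")
        kind = classify_uses(ref)
        if kind == "tag":
            findings.append((lineno, ref, "mutable ref, not a 40-char commit SHA"))
        elif kind == "sha" and not (comment and re.match(r"v\d", comment)):
            findings.append((lineno, ref, "SHA pin missing the '# vX.Y.Z' version comment"))
    return findings


# Constructed sample workflow (not the project's e2e-tests.yml); SHAs are the
# ones quoted in the review comment.
SAMPLE_WORKFLOW = """\
name: sample
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-python@v6
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for lineno, ref, note in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {note}")
```

Run it over each file under `.github/workflows/` to get the same result as the `git grep` checks in the comment, in one pass.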