Update GitHub Actions to latest stable versions and add skills#8062
Conversation
- actions/checkout@v4 → v6 - actions/setup-node@v4 → v6 - actions/setup-python@v4,v5 → v6 - actions/setup-go@v5 → v6 - actions/github-script@v5 → v7 - golangci/golangci-lint-action@v8 → v9 Agent-Logs-Url: https://github.com/Azure/azure-dev/sessions/c7e2c320-a9b0-4304-88e8-7b19ac8c025b Co-authored-by: hemarina <104857065+hemarina@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Azure/azure-dev/sessions/aec07adf-118a-429b-ad04-a9dc927108bd Co-authored-by: hemarina <104857065+hemarina@users.noreply.github.com>
hemarina
requested review from
danieljurek,
jongio,
rajeshkamal5050,
tg-msft,
vhvb1989 and
wbreza
as code owners
There was a problem hiding this comment.
Pull request overview
This PR updates the repository’s GitHub Actions workflow dependencies by bumping referenced actions to newer major versions across CI, linting, governance, and release workflows.
Changes:
- Bumped
actions/checkout,actions/setup-node,actions/setup-go, andactions/setup-pythonmajor versions in multiple workflows. - Updated
actions/github-scriptusages tov9across workflows that rely on JavaScript helper scripts. - Updated
golangci/golangci-lint-actiontov9in the Go lint workflow.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/vscode-ci.yml | Bumps checkout/setup-node and github-script used by VS Code extension CI. |
| .github/workflows/validate-go-version.yml | Bumps checkout version for the Go version consistency check. |
| .github/workflows/schema-ci.yml | Bumps checkout/setup-node and setup-python for schema validation CI. |
| .github/workflows/pr-governance.yml | Bumps checkout and github-script for PR governance automation. |
| .github/workflows/lint-go.yml | Bumps checkout and golangci-lint action major versions. |
| .github/workflows/lint-bicep.yml | Bumps checkout version for Bicep lint workflow. |
| .github/workflows/ext-registry-ci.yml | Bumps checkout version for extension registry CI workflow. |
| .github/workflows/eval-unit.yml | Bumps checkout/setup-go/setup-node/setup-python for eval unit test workflow. |
| .github/workflows/devops-ext-ci.yml | Bumps checkout/setup-node for Azure DevOps extension CI. |
| .github/workflows/devcontainer-feature-test.yml | Bumps checkout for devcontainer feature test workflows. |
| .github/workflows/devcontainer-feature-release.yml | Bumps checkout for devcontainer feature release workflow. |
| .github/workflows/cspell-misc.yml | Bumps checkout/setup-node for misc spellcheck workflow. |
| .github/workflows/cspell-ext.yml | Bumps checkout/setup-node for extension spellcheck workflow. |
| .github/workflows/copilot-setup-steps.yml | Bumps checkout/setup-node for Copilot coding agent environment setup. |
| .github/workflows/cli-ci.yml | Bumps checkout/setup-node for CLI CI and misc checks. |
| .github/workflows/approval-ext-azure-ai-agents.yml | Bumps checkout and updates github-script reference for approval gate workflow. |
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
Version bumps all check out - confirmed v6 exists for checkout/setup-node/setup-python/setup-go, and v9 exists for github-script and golangci-lint-action.
Checked the scripts in .github/scripts/ for compatibility with github-script@v9 (which drops require('@actions/github') support). All scripts use the standard injected {github, context, core} pattern, so no breakage expected there.
One concern flagged inline: the SHA pin removal in the approval gate workflow.
vhvb1989
left a comment
vhvb1989
left a comment
There was a problem hiding this comment.
It would be nice if you can create one skill in the repo to check if any of these needs update and doing and update
Co-authored-by: Jon Gallant <2163001+jongio@users.noreply.github.com>
wbreza
left a comment
wbreza
left a comment
There was a problem hiding this comment.
Clean dependency update — looks good. A couple of minor observations to supplement existing reviews:
-
Pinning style inconsistency (low):
approval-ext-azure-ai-agents.ymluses SHA pinning forgithub-script(@3a2844b7…) whilepr-governance.ymlandvscode-ci.ymluse tag pinning (@v9). Pre-existing, but could be normalized in a follow-up. -
Completeness (info): 16/23 workflows updated. The 5
lint-ext-*.ymlfiles are covered transitively vialint-go.yml. Worth confirmingevent.ymldoesn't need a checkout bump as well.
jongio's compatibility verification for github-script@v9 checks out — all scripts use the standard injected {github, context, core} pattern.
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
SHA pin restored on the approval gate workflow. All version bumps verified, scripts compatible with github-script v9.
|
@copilot Check if event.yml need a checkout bump as well. |
|
hemarina
changed the title
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
The latest commit reverts the SHA pin that was just added to address my previous feedback. This contradicts the tool-version-upgrade SKILL.md updated in the same push, which says 'Never demote a SHA pin to a bare tag' and cites this exact file as a supply-chain hardening example.
wbreza
left a comment
wbreza
left a comment
There was a problem hiding this comment.
Re-review after commit 5 ("add skills")
The original workflow version bumps (commits 1–4) remain clean — my prior APPROVE still stands for those changes.
New observations on commit 5:
-
Scope expansion (medium): Commit 5 adds a substantial rewrite of .github/skills/tool-version-upgrade/SKILL.md (+280/−14 lines), documenting GitHub Actions as a new supported tool category. This is a significant addition not reflected in the PR description — consider updating the body to cover this.
-
Separate concern (low): The SKILL.md documentation rewrite is a distinct change from the workflow bumps. For cleaner review history, this could have been a separate PR, but it's not blocking.
-
Approval coverage (info): All three prior approvals (vhvb1989, wbreza, jongio) were submitted before commit 5. Worth confirming reviewers are aware of the expanded scope.
The SKILL.md content itself looks well-structured — covers SHA pin handling, YAML validation, inventory scanning, and PR templates for GitHub Actions upgrades.
wbreza
left a comment
wbreza
left a comment
There was a problem hiding this comment.
Re-approving after reviewing commit 5 ("add skills"). The SKILL.md expansion is well-structured and the workflow bumps remain clean. LGTM.
|
/check-enforcer override |
Bump all GitHub Actions in workflow files to their latest stable major versions.
actions/checkoutv4 → v6actions/setup-nodev4 → v6actions/setup-pythonv4/v5 → v6actions/setup-gov5 → v6actions/github-scriptv5/v7 → v9golangci/golangci-lint-actionv8 → v9Actions already at latest (
upload-artifact@v4,stale@v10,devcontainers/action@v1,setup-terraform@v3) were left unchanged.