Skip to content

ci: update GitHub Actions checkout and setup-python to latest versions#334

Closed
Mukller wants to merge 1 commit into
razorpay:masterfrom
Mukller:fix/update-github-actions-versions
Closed

ci: update GitHub Actions checkout and setup-python to latest versions#334
Mukller wants to merge 1 commit into
razorpay:masterfrom
Mukller:fix/update-github-actions-versions

Conversation

@Mukller

@Mukller Mukller commented Jul 8, 2026

Copy link
Copy Markdown

CI: Update GitHub Actions to latest versions

GitHub Actions actions/checkout and actions/setup-python have newer versions
with bug fixes, performance improvements, and Node.js compatibility updates:

  • actions/checkout@v3@v4 (Node.js 20, improved performance)
  • actions/setup-python@v3/v4@v5 (Node.js 20, improved caching)

Files updated:

  • .github/workflows/ci.yml: checkout: 3 occurrence(s), setup-python: 3 occurrence(s)

Why this matters:

  • Node.js 16 (used by older action versions) is EOL since September 2024
  • GitHub emits deprecation warnings for v3 and older actions in CI logs
  • v4/v5 are functionally equivalent drop-in replacements

@semgrep-code-razorpay

Copy link
Copy Markdown

Semgrep found 6 github-actions-mutable-action-tag findings:

GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

⚪️ This finding does not block your pull request.
Ignore this finding from github-actions-mutable-action-tag

@Mukller Mukller closed this by deleting the head repository Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant