COMP: Pin mutable CI action references to fixed versions #81
Merged
hjmjohnson merged 1 commit on Jun 8, 2026
Replace floating/mutable GitHub Actions refs with fixed versions so CI is reproducible and not silently affected by upstream action changes:
- pypa/gh-action-pypi-publish: @master -> @v1.14.0. This action performs the credentialed PyPI publish (user: __token__), so a moving branch ref is the highest-risk floating reference in the tree.
- lukka/get-cmake: @latest (x4) -> @v4.3.3, the release @latest currently resolves to (no behavior change, just frozen).
- lukka/get-cmake in test-gpu.yml: @v3.22.2 -> @v4.3.3. v3.22.2 bundles an @actions/cache that calls the retired Actions cache API and aborts fatally; it is dormant only because that job is gated.
- InsightSoftwareConsortium/ITKClangFormatLinterAction: @main -> pinned commit SHA (the action publishes no release tags).
- Jimver/cuda-toolkit: @v0.2.21 -> @v0.2.35.
- actions/setup-python in test-notebooks.yml: @V3 -> @v5 to match the other jobs.
dzenanz approved these changes Jun 8, 2026
@dzenanz Thanks! I hope this is the last PR here for a while. I am going to work on ITK remote module update of VkFFTBackend, and then the open ANTs PR.
Pin the remaining floating/mutable GitHub Actions references to fixed versions so CI is reproducible and not silently affected by upstream action changes. Pure CI hygiene — no source or build-logic changes.

The highest-value fix is pypa/gh-action-pypi-publish@master → @v1.14.0: that action runs the credentialed PyPI publish (user: __token__), so a moving branch ref is the riskiest reference in the tree.

All changes (6 refs across 4 workflows)

- pypa/gh-action-pypi-publish: @master → @v1.14.0
- lukka/get-cmake: @latest (×4) → @v4.3.3
- Jimver/cuda-toolkit: @v0.2.21 → @v0.2.35
- lukka/get-cmake: @v3.22.2 → @v4.3.3
- ITKClangFormatLinterAction: @main → @bab3a0bb26af8a23c7cc2c1d4265834415089eb5 (SHA; action has no release tags)
- actions/setup-python: @v3 → @v5

get-cmake@v4.3.3 is the release @latest currently resolves to, so the four @latest swaps are behavior-preserving.

get-cmake@v3.22.2 in test-gpu.yml bundles an @actions/cache that calls the retired Actions cache API and aborts fatally; dormant only because that job is gated. Unified to @v4.3.3.

Validation

Workflow files can only be exercised by CI itself (no local run). All four YAML files parse, no mutable/stale refs remain, and pre-commit run --all-files passes on the branch.
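
A check of the kind the Validation note describes ("no mutable/stale refs remain"), as an added example that is not part of this pull request or the project's CI. It classifies every `uses:` reference in a workflow as a full commit SHA, a full release tag, a major/minor-only tag, or a floating branch-style ref; the workflow snippets are constructed from the refs listed above, and the function names and the four categories are assumptions of this example.

```python
import re

# A step line of the form `uses: owner/repo[/path]@ref` (local ./ and docker:// refs do not match).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")           # full commit SHA
FULL_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")   # e.g. v1.14.0
MOVING_TAG_RE = re.compile(r"^v?\d+(\.\d+)?$")   # e.g. v5, re-pointed on each release

# Constructed sample input, built from the refs named in the PR description.
BEFORE = """\
steps:
  - uses: actions/setup-python@v3
  - uses: lukka/get-cmake@latest
  - uses: pypa/gh-action-pypi-publish@master
  - uses: InsightSoftwareConsortium/ITKClangFormatLinterAction@main
"""
AFTER = """\
steps:
  - uses: actions/setup-python@v5
  - uses: lukka/get-cmake@v4.3.3
  - uses: pypa/gh-action-pypi-publish@v1.14.0
  - uses: InsightSoftwareConsortium/ITKClangFormatLinterAction@bab3a0bb26af8a23c7cc2c1d4265834415089eb5
"""


def classify(ref):
    """Return 'sha', 'tag', 'moving-tag' or 'floating' for one action ref."""
    if SHA_RE.match(ref):
        return "sha"
    if FULL_TAG_RE.match(ref):
        return "tag"
    if MOVING_TAG_RE.match(ref):
        return "moving-tag"
    return "floating"  # branch names and aliases such as master, main, latest


def audit(workflow_text):
    """List (line number, action, ref, kind) for every `uses:` line."""
    found = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            found.append((lineno, m.group(1), m.group(2), classify(m.group(2))))
    return found


def floating(workflow_text):
    """Only the refs a CI gate should reject outright."""
    return [f for f in audit(workflow_text) if f[3] == "floating"]
```

Only the `sha` category is immutable: a release tag can still be re-pointed by whoever controls the action's repository, so a stricter gate would also flag `tag` and `moving-tag` on jobs that handle credentials.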