chore(ci): correct stale upload-artifact version comment #2164

Merged
imran-siddique merged 1 commit into microsoft:main from aegis-initiative:chore/ci-fix-upload-artifact-version-comment on May 12, 2026

Conversation

@finnoybu

Contributor

Summary

.github/workflows/weekly-security-audit.yml:74 pins actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a but labels the SHA # v4.6.2. Every other workflow in the repo pins the same SHA and labels it # v7.0.1:

  • benchmarks.yml:51
  • ci.yml:676
  • publish.yml:152, 216, 337
  • scorecard.yml:31

The SHA does resolve to v7.0.1 — confirmed via the upstream tag:

$ curl -s https://api.github.com/repos/actions/upload-artifact/git/refs/tags/v7.0.1 | jq .object.sha
"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"

So runtime behavior is correct; only the comment is stale, presumably from a copy-paste at an earlier bump.

Change

Update the comment so Dependabot, reviewers, and future bumps see a consistent # v7.0.1 label across the workflow set. One-character edit.

Verification

  • Diff is a single comment change.
  • actionlint parses cleanly (action ref unchanged).

Surfaced during independent audit conducted by @finnoybu (Ken Tannenbaum, AEGIS Initiative); [LOW, Infrastructure/CI].

`.github/workflows/weekly-security-audit.yml:74` pins
`actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a` but
labels the SHA `# v4.6.2`. Every other workflow in the repo pins the
same SHA and labels it `# v7.0.1` (verified across
`benchmarks.yml`, `ci.yml`, `publish.yml`, `scorecard.yml`).

The SHA does resolve to v7.0.1 — confirmed via the upstream tag:
`https://api.github.com/repos/actions/upload-artifact/git/refs/tags/v7.0.1`
returns this exact SHA. So the runtime behavior is correct; only the
comment is stale, presumably from a copy-paste at an earlier bump.

Update the comment so Dependabot, reviewers, and future bumps see a
consistent v7.0.1 label across the workflow set.
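
The mismatch this PR fixes (one pinned SHA carrying two different version comments) can be caught mechanically. The following is an added example, not code from the PR or the project: it scans workflow text for SHA-pinned `uses:` lines and reports any SHA labelled inconsistently. The workflow contents, the `example-org/example-action` entry and its all-zero SHA are constructed for illustration.

```python
import re
from collections import defaultdict

# SHA quoted in the PR description; everything else below is constructed.
SHA = "043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"

# `uses: owner/repo[/path]@<40-hex commit SHA>` with an optional `# label`.
PIN_RE = re.compile(
    r"uses:\s*(?P<action>[\w.\-]+/[\w.\-/]+)@(?P<sha>[0-9a-f]{40})"
    r"\s*(?:#\s*(?P<label>\S+))?"
)

def find_pins(files):
    """Yield (action, sha, label, path, lineno) for each SHA-pinned step."""
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = PIN_RE.search(line)
            if m:
                yield m["action"], m["sha"], m["label"], path, lineno

def inconsistent_labels(files):
    """Map (action, sha) -> {label: [(path, lineno)]} where labels disagree."""
    seen = defaultdict(lambda: defaultdict(list))
    for action, sha, label, path, lineno in find_pins(files):
        seen[(action, sha)][label or "<unlabelled>"].append((path, lineno))
    return {pin: dict(labels) for pin, labels in seen.items() if len(labels) > 1}

# Constructed workflow snippets (file names from the PR, contents invented).
SAMPLE = {
    "ci.yml": f"steps:\n  - uses: actions/upload-artifact@{SHA} # v7.0.1\n",
    "scorecard.yml": f"steps:\n  - uses: actions/upload-artifact@{SHA} # v7.0.1\n",
    "weekly-security-audit.yml":
        f"steps:\n  - uses: actions/upload-artifact@{SHA} # v4.6.2\n",
    # Hypothetical action with a placeholder SHA, consistently labelled.
    "benchmarks.yml":
        f"steps:\n  - uses: example-org/example-action@{'0' * 40} # v1.0.0\n",
}

if __name__ == "__main__":
    for (action, sha), labels in inconsistent_labels(SAMPLE).items():
        print(f"{action}@{sha[:12]} carries conflicting labels:")
        for label, sites in sorted(labels.items()):
            where = ", ".join(f"{p}:{n}" for p, n in sites)
            print(f"  {label}: {where}")
```

The check only shows that labels disagree; deciding which label is correct still requires resolving the upstream tag, as the PR description does with the GitHub refs API.
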
@github-actions

🤖 AI Agent: docs-sync-checker — View details

Documentation is in sync.

@github-actions

🤖 AI Agent: security-scanner — View details

No security issues found.

@github-actions

🤖 AI Agent: breaking-change-detector — View details

No breaking changes detected.

@github-actions

🤖 AI Agent: code-reviewer — View details

No issues found. Clean change.

@github-actions github-actions Bot added the size/XS Extra small PR (< 10 lines) label May 12, 2026
@github-actions

🤖 AI Agent: test-generator — View details

Test coverage looks good. No gaps identified.

@github-actions


🟡 Contributor Check: MEDIUM

| Check | Result |
| --- | --- |
| Profile | MEDIUM |
| Credential | NONE |
| Overall | MEDIUM |

Automated check by AGT Contributor Check.

@github-actions github-actions Bot added the needs-review:MEDIUM Contributor check flagged MEDIUM risk label May 12, 2026
@github-actions


PR Review Summary

| Check | Status | Details |
| --- | --- | --- |
| 🔍 Code Review | ✅ Passed | No issues found |
| 🛡️ Security Scan | ✅ Passed | No issues found |
| 🔄 Breaking Changes | ✅ Passed | No issues found |
| 📝 Docs Sync | ✅ Passed | No issues found |
| 🧪 Test Coverage | ✅ Completed | Analysis complete |

Verdict: ✅ Ready for human review

@imran-siddique imran-siddique merged commit 43d4154 into microsoft:main May 12, 2026
13 of 14 checks passed
MohammadHaroonAbuomar pushed a commit to MohammadHaroonAbuomar/agt-acs that referenced this pull request Jun 1, 2026

Labels

needs-review:MEDIUM Contributor check flagged MEDIUM risk scripts/ci/cd size/XS Extra small PR (< 10 lines)
