
chore(deps)!: Update GitHub Actions (major) #19

Merged: williaby merged 2 commits into main from renovate/major-github-actions on May 21, 2026

Conversation

@williaby williaby commented May 8, 2026

Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

Summary

Multi-major version sweep of 10 GitHub Actions used across CI, security,
and release workflows. All actions are SHA-pinned with # vX.Y.Z comments
per repo convention.

Two follow-up fixes applied on top of Renovate's commit (see review thread):

  • actions/dependency-review-action pinned by SHA (was using the mutable
    @v4 tag, inconsistent with the rest of the repo).
  • fsfe/reuse Docker image pinned to 6.2.0@sha256:... digest (was using
    the mutable :latest tag).

Why

This is NOT a patch update. The PR performs multiple major version
upgrades, including:

  • actions/checkout v4.3.1 → v6.0.2 (skips v5; runtime now requires Node 24)
  • actions/upload-artifact v4.6.2 → v7.0.1 (3 majors; artifact-naming and
    uniqueness behavior changed in v4 baseline)
  • actions/github-script v7.1.0 → v9.0.0 (2 majors; skips v8)
  • astral-sh/setup-uv v4.2.0 → v8.1.0 (4 majors)
  • actions/attest-build-provenance v1.5.2 → v4.1.0 (3 majors)
  • github/codeql-action v3.35.5 → v4.35.5 (1 major)
  • sigstore/cosign-installer v3.10.1 → v4.1.2 (1 major)
  • fsfe/reuse-action v4.0.0 → v6.0.0 (2 majors; skips v5)
  • lycheeverse/lychee-action v1.10.0 → v2.8.0 (1 major)
  • actions/setup-python v5.6.0 → v6.2.0 (1 major)

PR-time CI exercises most workflows and is green, but three workflows only
run on release or schedule events (release-sign.yml, slsa-provenance.yml
build job, cifuzzy.yml) and were not exercised by this PR's CI. Watch the
next release closely.

A separate chore(security): harden checkout calls with persist-credentials: false
follow-up PR is recommended (CodeRabbit/zizmor flagged 7 checkouts; pre-existing
omission, intentionally out of scope here).

Changes

This PR contains the following updates:

Package                            Type    Update  Change
actions/attest-build-provenance    action  major   v1.5.2 → v4.1.0
actions/checkout                   action  major   v4.3.1 → v6.0.2
actions/github-script              action  major   v7.1.0 → v9.0.0
actions/setup-python               action  major   v5.6.0 → v6.2.0
actions/upload-artifact            action  major   v4.6.2 → v7.0.1
astral-sh/setup-uv                 action  major   v4.2.0 → v8.1.0
fsfe/reuse-action                  action  major   v4.0.0 → v6.0.0
github/codeql-action               action  major   v3.35.5 → v4.35.5
lycheeverse/lychee-action          action  major   v1.10.0 → v2.8.0
sigstore/cosign-installer          action  major   v3.10.1 → v4.1.2

Warnings (1)

Please correct - or verify that you can safely ignore - these warnings before you merge this PR.

  • actions/attest-build-provenance: Could not determine new digest for update (github-tags package actions/attest-build-provenance)


Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes


Release Notes

actions/attest-build-provenance (actions/attest-build-provenance)

v4.1.0

[!NOTE]
As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

Full Changelog: actions/attest-build-provenance@v4.0.0...v4.1.0

v4.0.0

[!NOTE]
As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

Full Changelog: actions/attest-build-provenance@v3.2.0...v4.0.0

v3.2.0

What's Changed

Full Changelog: actions/attest-build-provenance@v3.1.0...v3.2.0

v3.1.0

What's Changed

New Contributors

Full Changelog: actions/attest-build-provenance@v3...v3.1.0

v3.0.0

What's Changed

⚠️ Minimum Compatible Runner Version: v2.327.1 (see the runner release notes)

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/attest-build-provenance@v2.4.0...v3.0.0

v2.4.0

What's Changed

  • Bump undici from 5.28.5 to 5.29.0 by @dependabot in #633
  • Bump actions/attest from 2.3.0 to 2.4.0 by @bdehamer in #654
    • Includes support for the new well-known summary file which will accumulate paths to all attestations generated in a given workflow run

Full Changelog: actions/attest-build-provenance@v2.3.0...v2.4.0

v2.3.0

What's Changed

  • Bump actions/attest from 2.2.1 to 2.3.0 by @bdehamer in #615
    • Updates @sigstore/oci from 0.4.0 to 0.5.0

Full Changelog: actions/attest-build-provenance@v2.2.3...v2.3.0

v2.2.3

What's Changed

Full Changelog: actions/attest-build-provenance@v2.2.2...v2.2.3

v2.2.2

What's Changed

Full Changelog: actions/attest-build-provenance@v2.2.1...v2.2.2

v2.2.1

What's Changed

Full Changelog: actions/attest-build-provenance@v2.2.0...v2.2.1

v2.2.0

What's Changed

  • Bump actions/attest from v2.1.0 to v2.2.0 by @bdehamer in #449
    • Includes support for the new subject-checksums input parameter

Full Changelog: actions/attest-build-provenance@v2.1.0...v2.2.0

v2.1.0

What's Changed

Full Changelog: actions/attest-build-provenance@v2.0.1...v2.1.0

v2.0.1

What's Changed

  • Bump actions/attest from 2.0.0 to 2.0.1 by @bdehamer in #406
    • Deduplicate subjects before adding to in-toto statement

Full Changelog: actions/attest-build-provenance@v2.0.0...v2.0.1

actions/checkout (actions/checkout)

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

actions/github-script (actions/github-script)

v9.0.0

New features:

  • getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
  • Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

  • require('@actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
  • getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
  • If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

New Contributors

Full Changelog: actions/github-script@v8.0.0...v9.0.0

v8.0.0

actions/setup-python (actions/setup-python)

v6.2.0

What's Changed
Dependency Upgrades

Full Changelog: actions/setup-python@v6...v6.2.0

v6.1.0

What's Changed
Enhancements:
Dependency and Documentation updates:
New Contributors

Full Changelog: actions/setup-python@v6...v6.1.0

v6.0.0

What's Changed
Breaking Changes

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:
Bug fixes:
Dependency updates:
New Contributors

Full Changelog: actions/setup-python@v5...v6.0.0

actions/upload-artifact (actions/upload-artifact)

v7.0.1

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT]
actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

New Contributors

Full Changelog: actions/upload-artifact@v4...v5.0.0

astral-sh/setup-uv (astral-sh/setup-uv)

v8.1.0: 🌈 New input no-project

Changes

This adds a new boolean input, no-project.
It only makes sense to use in combination with activate-environment: true and will append --no-project to the uv venv call. This is for example useful if you have a pyproject.toml file with parts unparseable by uv.

🚀 Enhancements

🧰 Maintenance

📚 Documentation

⬆️ Dependency updates

v8.0.0: 🌈 Immutable releases and secure tags

This is the first immutable release of setup-uv 🥳

All future releases are also immutable, if you want to know more about what this means checkout the docs.

This release also has two breaking changes

New format for manifest-file

The previously deprecated way of defining a custom version manifest to control which uv versions are available and where to download them from got removed. The functionality is still there but you have to use the new format.

No more major and minor tags

To increase security even more we will stop publishing minor tags. You won't be able to use @v8 or @v8.0 any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.

[!TIP]
Use the immutable tag as a version astral-sh/setup-uv@v8.0.0
Or even better the githash astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57

🚨 Breaking changes

🧰 Maintenance

v7.6.0: 🌈 Fetch uv from Astral's mirror by default

Changes

We now default to downloading uv from releases.astral.sh.
This means that by default we don't hit the GitHub API at all and shouldn't see any rate limits or timeouts any more.

🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates

v7.5.0: 🌈 Use `astral-sh/versions` as version provider

No more rate-limits

This release addresses a long-standing source of timeouts and rate-limit failures in setup-uv.

Previously, the action resolved version identifiers like 0.5.x by iterating over available uv releases via the GitHub API to find the best match. In contrast, latest and exact versions such as 0.5.0 skipped version resolution entirely and downloaded uv directly.

The manifest-file input was an earlier attempt to improve this. It allows providing a URL to a file that lists available versions, checksums, and even custom download URLs. The action also shipped with such a manifest.
However, because that bundled file could become outdated whenever new uv releases were published, the action still had to fall back to the GitHub API in many cases.

This release solves the problem by sourcing version data from Astral’s versions repository via the raw content endpoint:

https://raw.githubusercontent.com/astral-sh/versions/refs/heads/main/v1/uv.ndjson

By using the raw endpoint instead of the GitHub API, version resolution no longer depends on API authentication and is much less likely to run into rate limits or timeouts.


[!TIP]
The next section is only interesting for users of the manifest-file input

The manifest-file input lets you override that source with your own URL, for example to test custom uv builds or alternate download locations.

The manifest file must be in NDJSON format, where each line is a JSON object representing a version and its artifacts. For example:

{"version":"0.10.7","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}
{"version":"0.10.6","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}

[!WARNING]
The old format still works but is deprecated. A warning will be logged when you use it.

Changes
🚀 Enhancements
📚 Documentation

v7.4.0: 🌈 Add riscv64 architecture support to platform detection

Changes

Thank you @luhenry for adding support for the riscv64 arch

🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates

v7.3.1: 🌈 fall back to VERSION_CODENAME when VERSION_ID is not available

Changes

This release adds support for running in containers like debian:testing or debian:unstable

🐛 Bug fixes
🧰 Maintenance
⬆️ Dependency updates

v7.3.0: 🌈 New features and bug fixes for activate-environment

Changes

This release contains a few bug fixes and a new feature for the activate-environment functionality.

🐛 Bug fixes
🚀 Enhancements
🧰 Maintenance
📚 Documentation
⬆️ Dependency updates

v7.2.1: 🌈 update known checksums up to 0.9.28

Changes
🧰 Maintenance
📚 Documentation
⬆️ Dependency updates

v7.2.0: 🌈 add outputs python-version and python-cache-hit

Changes

Among some minor typo fixes and quality of life features for developers of actions the m


Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
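
The github-script v9 breaking changes quoted in the release notes above (getOctokit injected into the script context, a SyntaxError when a script redeclares it with const or let, var as the escape hatch) can be reproduced without a runner. What follows is an added example, not code from actions/github-script, from this repository or from this PR. It assumes github-script compiles the script: body as the body of a function whose parameters are the injected names; the real action uses an async wrapper, while a plain Function is used here to keep the demo synchronous, on the assumption that the parameter-redeclaration rule is the same for both. The fake getOctokit and the token strings are constructed for the demo.

```javascript
// Added example (not code from actions/github-script, this repository or this PR).
// It mimics the one mechanism behind the v9 breaking changes: the `script:` body
// is compiled as the body of a function whose parameters are the injected names,
// now including getOctokit. Assumption: the real action uses an async wrapper;
// a plain Function is used here so the demo stays synchronous, and the
// parameter-redeclaration rules are the same for both.

const INJECTED = ['github', 'context', 'core', 'getOctokit'];

// Constructed stand-ins for the injected objects. The fake getOctokit records the
// token it was handed instead of creating a real Octokit client.
function makeInjected() {
  const tokens = [];
  return {
    values: [
      { rest: {} },                                         // github: default client
      { repo: { owner: 'example-org', repo: 'example' } },  // context
      { info: () => {} },                                   // core
      (token) => { tokens.push(token); return { token }; }, // getOctokit
    ],
    tokens,
  };
}

// Compile, then run, a script body. Compile-time failures (redeclaring a
// parameter) are reported separately from runtime failures.
function runScript(body) {
  const injected = makeInjected();
  let fn;
  try {
    fn = new Function(...INJECTED, body);
  } catch (e) {
    return { phase: 'compile', ok: false, error: e.constructor.name, tokens: injected.tokens };
  }
  try {
    return { phase: 'run', ok: true, value: fn(...injected.values), tokens: injected.tokens };
  } catch (e) {
    return { phase: 'run', ok: false, error: e.constructor.name, tokens: injected.tokens };
  }
}

// 1. The v8-era pattern. In v9 getOctokit is already a parameter, so the const
//    declaration is a SyntaxError before the require() ever runs (and the
//    require would fail anyway, since @actions/github v9 is ESM-only).
const V8_CONST_REDECLARE = `
  const { getOctokit } = require('@actions/github');
  return getOctokit('app-token');
`;

// 2. The escape hatch named in the release notes: var may shadow a parameter.
const VAR_SHADOW = `
  var getOctokit = (t) => ({ token: 'shadowed:' + t });
  return getOctokit('app-token').token;
`;

// 3. The v9 pattern: call the injected factory directly, with no import.
const V9_INJECTED = `
  const appClient = getOctokit('constructed-app-token'); // e.g. a GitHub App installation token
  return appClient.token;
`;

for (const [name, body] of Object.entries({ V8_CONST_REDECLARE, VAR_SHADOW, V9_INJECTED })) {
  const r = runScript(body);
  console.log(`${name}: ${r.ok ? 'ok -> ' + r.value : r.phase + ' ' + r.error}`);
}
```

The useful property is that case 1 fails at compile time, before any token is touched, so a workflow still carrying the v8 pattern fails loudly on the first run after the bump rather than silently picking up a different client.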

coderabbitai Bot commented May 8, 2026


Walkthrough

Eight GitHub Actions workflow files receive pinned version updates for their constituent actions (checkout, setup tools, code quality/artifact handlers, and signing tools) while maintaining all existing workflow logic, job configurations, and step inputs.

Changes

GitHub Actions Dependency Updates

Workflow action version updates
Files: .github/workflows/cifuzzy.yml, .github/workflows/codeql.yml, .github/workflows/dependency-review.yml, .github/workflows/fips-compatibility.yml, .github/workflows/performance-regression.yml, .github/workflows/pr-validation.yml, .github/workflows/release-sign.yml, .github/workflows/reuse.yml, .github/workflows/slsa-provenance.yml
Summary: All eight CI/CD workflows receive GitHub Actions version pin upgrades: actions/checkout (v4 → v6), actions/setup-python (v5 → v6), astral-sh/setup-uv (v4 → v8), actions/upload-artifact (v4 → v7), github/codeql-action (v3 → v4), sigstore/cosign-installer (v3 → v4), fsfe/reuse-action (v4 → v6), lycheeverse/lychee-action (v2.x), actions/github-script, and actions/attest-build-provenance (v1 → v4). All step logic, inputs, permissions, and scheduling remain unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

  • Dependency Dashboard llc-manager#12: Updates pinned GitHub Action versions across dependency-review.yml, codeql.yml, and other .github/workflows/ files matching this PR's Renovate-driven dependency upgrades.
  • Dependency Dashboard cookiecutter-python-template#35: Updates pinned GitHub Actions versions across multiple .github/workflows/ files in a Renovate-driven dependency refresh.
  • Dependency Dashboard gleif#23: Dependency Dashboard Renovate updates target the same workflow files and action version bumps reflected in this PR.
  • ByronWilliamsCPA/template-sample#4: Updates GitHub Actions version pins in workflow files, including slsa-provenance and actions/attest-build-provenance bumps.
  • ByronWilliamsCPA/cookiecutter-template-sample#3: Updates pinned GitHub Action versions in .github/workflows/slsa-provenance.yml and related action upgrades matching Renovate dependency changes.
  • ByronWilliamsCPA/taxdome#7: Updates pinned GitHub Action versions in .github/workflows/reuse.yml and pr-validation.yml with overlapping dependency changes.
  • ByronWilliamsCPA/maester-tests#14: Updates the same GitHub Actions workflow pins (e.g., actions/checkout → v6.0.2) across workflows.
  • Dependency Dashboard family-office-portal#6: Updates pinned GitHub Action versions across .github/workflows/ files matching Renovate dependency updates.
  • Dependency Dashboard reference-library#10: Modifies the same GitHub Actions workflow pins for actions/checkout, github/codeql-action, and other actions.
  • Dependency Dashboard DeQA-Doc#16: Updates pinned GitHub Action versions (e.g., actions/checkout → v6.0.2, github/codeql-action, fsfe/reuse-action) matching Renovate Dependency Dashboard updates.

Suggested labels

ci

Poem

🐰 In workflows bright, the versions dance,
From v4 to v6, a stepping stance,
Each action pinned, each tool made new,
CI/CD flows now fresh and true!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title 'chore(deps)!: Update GitHub Actions (major)' accurately and specifically describes the main change—updating GitHub Actions across 10 workflows to new major versions with breaking change implications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.


williaby force-pushed the renovate/major-github-actions branch 2 times, most recently from 257585c to 0e55c65 (May 10, 2026 02:34)
Copilot AI review requested due to automatic review settings May 10, 2026 17:26
williaby force-pushed the renovate/major-github-actions branch from 0e55c65 to 0a64017 (May 10, 2026 17:26)

Copilot AI left a comment


Pull request overview

This PR updates pinned versions (commit SHAs) of several GitHub Actions used across the repository’s CI/security workflows, aligning them with newer major releases.

Changes:

  • Bump core CI actions (checkout, setup-python, upload-artifact) to newer major versions across multiple workflows.
  • Upgrade security/scanning actions (SonarSource scan action, CodeQL action, GitHub Script, SLSA provenance attestation, cosign installer, lychee, REUSE).
  • Refresh UV setup action in workflows that use astral-sh/setup-uv.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Summary per file

File  Description
.github/workflows/sonarcloud.yml Updates checkout/setup-python/Sonar scan/upload-artifact action pins for SonarCloud analysis.
.github/workflows/slsa-provenance.yml Updates action pins used during build + provenance attestation generation.
.github/workflows/reuse.yml Updates checkout/REUSE/upload-artifact action pins for license compliance checks.
.github/workflows/release-sign.yml Updates checkout + cosign-installer pins for signing release artifacts.
.github/workflows/pr-validation.yml Updates checkout/setup-python/setup-uv/lychee pins for PR validation checks.
.github/workflows/fips-compatibility.yml Updates checkout/setup-uv/upload-artifact/github-script pins for FIPS checks and PR commenting.
.github/workflows/dependency-review.yml Updates checkout pin in dependency review workflow.
.github/workflows/codeql.yml Updates checkout/setup-python/setup-uv/CodeQL pins for CodeQL scanning.
.github/workflows/cifuzzy.yml Updates checkout/CodeQL upload-sarif/upload-artifact pins for fuzzing workflow.
Comments suppressed due to low confidence (2)

.github/workflows/sonarcloud.yml:114

  • SonarSource/sonarqube-scan-action v8 changes the default for signature verification (skipSignatureVerification now defaults to false per the upstream release notes). Since this workflow doesn’t set that input explicitly, the upgrade changes behavior and may cause unexpected failures if signature verification can’t run in the runner environment. Consider setting skipSignatureVerification explicitly (true/false) to make the intended behavior stable across upgrades.
      - name: SonarCloud Scan
        uses: SonarSource/sonarqube-scan-action@59db25f34e16620e48ab4bb9e4a5dce155cb5432 # v8.0.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed for PR decoration
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}      # SonarCloud authentication
        with:
          args: >

.github/workflows/dependency-review.yml:28

  • This workflow pins actions/checkout by commit SHA, but actions/dependency-review-action is still referenced by the mutable tag @v4. For supply-chain safety and consistency with the rest of these workflow updates, pin dependency-review-action to a specific commit SHA (and keep the version in a comment) to prevent unintended changes from a tag move.
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:

Comment thread .github/workflows/sonarcloud.yml Outdated
Comment on lines 65 to 68
steps:
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
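Review bot: the checkout bump in this hunk (v4.3.1 to v6.0.2, SHA-pinned with the version comment the repo convention requires) still leaves the step without persist-credentials: false under with:, the pre-existing omission the PR description defers to a follow-up; since this step is being touched anyway, and v6 skips a major (v5) while moving the runtime to Node 24 per the description, it would be cheap to add the option here after confirming no later step in sonarcloud.yml relies on the persisted GITHUB_TOKEN for git operations.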
Comment on lines 34 to 38
@@ -38,7 +38,7 @@ jobs:

Contributor Author

Fixed in commit ae82201: fsfe/reuse:latest replaced with fsfe/reuse:6.2.0@sha256:85462a75c0f8efda09ddd190b92816b70e7662577c8427429e11e1b9f25a992e (tag+digest immutable form). The 6.2.0 digest currently matches what :latest resolved to, so this preserves semantics while making the image pull reproducible.

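The pinning points raised in this thread (the repo convention of SHA pins with a # vX.Y.Z comment, actions/dependency-review-action left on the mutable @v4 tag, the fsfe/reuse image on :latest rather than a tag@sha256 digest) and the persist-credentials: false follow-up from the PR description are all checkable from the workflow text alone. What follows is an added example, not a tool from this repository and not zizmor or CodeRabbit: a small line-oriented linter for workflow YAML that flags mutable action refs, SHA pins without a version comment, container images and docker:// actions without a digest, and actions/checkout steps that do not set persist-credentials: false. The two sample workflows are constructed for the demo; the actions/checkout and SonarSource/sonarqube-scan-action SHAs and the fsfe/reuse digest are the values quoted in this thread, while the dependency-review-action SHA and version comment in the fixed sample are placeholders (all zeros), because the thread does not show the real pin.

```javascript
// Added example (not the repository's, zizmor's or CodeRabbit's code): a
// line-oriented linter for GitHub Actions workflow YAML. It needs no YAML parser
// because every rule keys off one `uses:` / `image:` line plus the indentation
// of the surrounding step.

const SHA40 = /^[0-9a-f]{40}$/;
const DIGEST = /@sha256:[0-9a-f]{64}$/;
const VERSION_COMMENT = /#\s*v?\d+\.\d+\.\d+/;   // repo convention: "# vX.Y.Z"

const indentOf = (line) => line.search(/\S/);
const isListItem = (line) => /^\s*-\s/.test(line);

// Index of the "- " line that opens the step containing line i, or -1.
function stepStart(lines, i) {
  if (isListItem(lines[i])) return i;
  const ind = indentOf(lines[i]);
  for (let j = i - 1; j >= 0; j--) {
    if (lines[j].trim() === '') continue;
    const jInd = indentOf(lines[j]);
    if (isListItem(lines[j]) && jInd < ind) return j;
    if (jInd < ind) return -1;   // reached the parent key (e.g. steps:) without a list item
  }
  return -1;
}

// True when the step containing line i has `key: value` anywhere in its block.
function stepSets(lines, i, key, value) {
  const s = stepStart(lines, i);
  if (s === -1) return false;
  const stepIndent = indentOf(lines[s]);
  for (let j = s + 1; j < lines.length; j++) {
    const l = lines[j];
    if (l.trim() === '') continue;
    if (indentOf(l) <= stepIndent) break;   // next step, or end of the steps list
    const m = l.match(/^\s*([\w-]+):\s*(.*?)\s*$/);
    if (m && m[1] === key && m[2].replace(/^['"]|['"]$/g, '') === value) return true;
  }
  return false;
}

// Returns findings as { line, rule, ref } in file order.
function lintWorkflow(yamlText) {
  const lines = yamlText.split('\n');
  const findings = [];
  const flag = (i, rule, ref) => findings.push({ line: i + 1, rule, ref });

  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    const uses = line.match(/^\s*(?:-\s+)?uses:\s*['"]?([^\s'"#]+)['"]?\s*(#.*)?$/);
    if (uses) {
      const [, ref, comment] = uses;
      if (ref.startsWith('docker://')) {
        if (!DIGEST.test(ref)) flag(i, 'docker-digest', ref);
      } else if (!ref.startsWith('./')) {              // local actions have nothing to pin
        const at = ref.lastIndexOf('@');
        const version = at === -1 ? '' : ref.slice(at + 1);
        if (!SHA40.test(version)) flag(i, 'mutable-ref', ref);
        else if (!comment || !VERSION_COMMENT.test(comment)) flag(i, 'sha-without-version-comment', ref);
        if (ref.startsWith('actions/checkout@') && !stepSets(lines, i, 'persist-credentials', 'false')) {
          flag(i, 'checkout-persist-credentials', ref);
        }
      }
      continue;
    }
    const image = line.match(/^\s*image:\s*['"]?([^\s'"#]+)/);
    if (image && !DIGEST.test(image[1])) flag(i, 'image-digest', image[1]);
  }
  return findings;
}

// Constructed sample workflows. BEFORE carries the four problems discussed in the
// thread; AFTER is the same job with each one fixed.
const BEFORE = [
  'name: constructed-sample',
  'on: [pull_request]',
  'jobs:',
  '  check:',
  '    runs-on: ubuntu-latest',
  '    container:',
  '      image: fsfe/reuse:latest',
  '    steps:',
  '      - name: Checkout repository',
  '        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2',
  '      - name: Dependency Review',
  '        uses: actions/dependency-review-action@v4',
  '      - name: SonarCloud Scan',
  '        uses: SonarSource/sonarqube-scan-action@59db25f34e16620e48ab4bb9e4a5dce155cb5432',
].join('\n');

const AFTER = [
  'name: constructed-sample',
  'on: [pull_request]',
  'jobs:',
  '  check:',
  '    runs-on: ubuntu-latest',
  '    container:',
  '      image: fsfe/reuse:6.2.0@sha256:85462a75c0f8efda09ddd190b92816b70e7662577c8427429e11e1b9f25a992e',
  '    steps:',
  '      - name: Checkout repository',
  '        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2',
  '        with:',
  '          persist-credentials: false',
  '      - name: Dependency Review',
  '        # placeholder SHA and version (constructed): the thread does not show the real pin',
  '        uses: actions/dependency-review-action@0000000000000000000000000000000000000000 # v4.0.0',
  '      - name: SonarCloud Scan',
  '        uses: SonarSource/sonarqube-scan-action@59db25f34e16620e48ab4bb9e4a5dce155cb5432 # v8.0.0',
].join('\n');

for (const f of lintWorkflow(BEFORE)) console.log(`before.yml:${f.line}  ${f.rule}  ${f.ref}`);
console.log(`after.yml: ${lintWorkflow(AFTER).length} findings`);
```

Running the linter over .github/workflows/*.yml in a pre-commit hook or a PR check is what turns the "SHA-pinned with # vX.Y.Z comments per repo convention" statement from a promise into something Renovate cannot regress without CI noticing.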
williaby force-pushed the renovate/major-github-actions branch from 0a64017 to e3d3a57 (May 11, 2026 23:21)
@github-actions

github-actions Bot commented May 11, 2026


⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package  Version  Score
actions/actions/checkout  de0fac2e4500dabe0009e67214ff5f5447ce83dd  🟢 5.7
  Check  Score  Reason
  Code-Review  🟢 10  all changesets reviewed
  Maintained  ⚠️ 0  1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
  Dangerous-Workflow  🟢 10  no dangerous workflow patterns detected
  Binary-Artifacts  🟢 10  no binaries found in the repo
  Token-Permissions  ⚠️ 0  detected GitHub workflow tokens with excessive permissions
  CII-Best-Practices  ⚠️ 0  no effort to earn an OpenSSF best practices badge detected
  Packaging  ⚠️ -1  packaging workflow not detected
  Pinned-Dependencies  🟢 3  dependency not pinned by hash detected -- score normalized to 3
  Fuzzing  ⚠️ 0  project is not fuzzed
  License  🟢 10  license file detected
  Signed-Releases  ⚠️ -1  no releases found
  Security-Policy  🟢 9  security policy file detected
  Branch-Protection  🟢 5  branch protection is not maximal on development and all release branches
  SAST  🟢 8  SAST tool detected but not run on all commits
actions/actions/attest-build-provenance  a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  Unknown  Unknown
actions/actions/checkout  de0fac2e4500dabe0009e67214ff5f5447ce83dd  🟢 5.7  (details identical to the checkout entry above)
actions/actions/setup-python  a309ff8b426b58ec0e2a45f0f869d46889d02405  🟢 5.1
  Check  Score  Reason
  Code-Review  🟢 10  all changesets reviewed
  Maintained  ⚠️ 1  2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1
  Binary-Artifacts  🟢 10  no binaries found in the repo
  CII-Best-Practices  ⚠️ 0  no effort to earn an OpenSSF best practices badge detected
  Packaging  ⚠️ -1  packaging workflow not detected
  Dangerous-Workflow  🟢 10  no dangerous workflow patterns detected
  Token-Permissions  ⚠️ 0  detected GitHub workflow tokens with excessive permissions
  Pinned-Dependencies  ⚠️ 0  dependency not pinned by hash detected -- score normalized to 0
  License  🟢 10  license file detected
  Fuzzing  ⚠️ 0  project is not fuzzed
  Signed-Releases  ⚠️ -1  no releases found
  Security-Policy  🟢 9  security policy file detected
  Branch-Protection  ⚠️ 0  branch protection not enabled on development/release branches
  SAST  🟢 9  SAST tool is not run on all commits -- score normalized to 9
actions/actions/upload-artifact  043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  🟢 5.6
  Check  Score  Reason
  Maintained  🟢 6  6 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 6
  Binary-Artifacts  🟢 10  no binaries found in the repo
  Dangerous-Workflow  🟢 10  no dangerous workflow patterns detected
  Code-Review  🟢 8  Found 8/9 approved changesets -- score normalized to 8
  Packaging  ⚠️ -1  packaging workflow not detected
  CII-Best-Practices  ⚠️ 0  no effort to earn an OpenSSF best practices badge detected
  Token-Permissions  ⚠️ 0  detected GitHub workflow tokens with excessive permissions
  Pinned-Dependencies  ⚠️ 1  dependency not pinned by hash detected -- score normalized to 1
  Fuzzing  ⚠️ 0  project is not fuzzed
  License  🟢 10  license file detected
  Signed-Releases  ⚠️ -1  no releases found
  Security-Policy  🟢 9  security policy file detected
  SAST  🟢 10  SAST tool is run on all commits
  Branch-Protection  ⚠️ 0  branch protection not enabled on development/release branches
actions/astral-sh/setup-uv  08807647e7069bb48b6ef5acd8ec9567f424441b  Unknown  Unknown

Scanned Files

  • .github/workflows/performance-regression.yml
  • .github/workflows/slsa-provenance.yml

williaby force-pushed the renovate/major-github-actions branch from e3d3a57 to ba8c7e6 (May 14, 2026 17:36)
@github-actions


✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.42 2.45 +1.3%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.87 1.87 📈 0.1%
p95_ms 2.42 2.45 📈 1.3%
p99_ms 2.53 2.56 📈 1.0%
mean_ms 1.42 1.42 📈 0.5%
min_ms 0.06 0.06 ➡️ 0.0%
max_ms 2.62 2.56 📉 -2.1%
throughput_ops 706.89 703.45 📉 -0.5%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 1.00 0.98 📉 -2.2%
avg_throughput_all_benchmarks_ops 1103246.44 1059042.53 📉 -4.0%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run python scripts/benchmark.py --iterations 1000 

williaby force-pushed the renovate/major-github-actions branch 2 times, most recently from 14ec59b to 6d47f0b (May 20, 2026 20:37)
@github-actions


✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.55 2.65 +3.6%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.88 1.87 📉 -0.1%
p95_ms 2.55 2.65 📈 3.6%
p99_ms 2.69 2.83 📈 5.4%
mean_ms 1.45 1.49 📈 2.8%
min_ms 0.06 0.06 📈 3.6%
max_ms 2.94 2.85 📉 -2.8%
throughput_ops 688.15 669.92 📉 -2.6%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 1.14 1.04 📉 -8.9%
avg_throughput_all_benchmarks_ops 888535.44 1063144.62 📈 19.7%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

williaby force-pushed the renovate/major-github-actions branch from 6d47f0b to 575d536 (May 20, 2026 23:36)
@github-actions


✅ Performance Regression Check

Status: PERFORMANCE OK

Metric Baseline (main) PR Branch Change
p95_ms 2.54 2.53 -0.2%

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

Metric Baseline PR Change
p50_ms 1.87 1.87 📉 -0.2%
p95_ms 2.54 2.53 📉 -0.2%
p99_ms 2.70 2.61 📉 -3.3%
mean_ms 1.45 1.44 📉 -0.8%
min_ms 0.06 0.06 ➡️ 0.0%
max_ms 2.97 2.62 📉 -12.0%
throughput_ops 688.50 693.76 📈 0.8%
total_iterations 500.00 500.00 ➡️ 0.0%
avg_p95_all_benchmarks_ms 1.05 1.01 📉 -3.2%
avg_throughput_all_benchmarks_ops 1056224.68 1055952.29 📉 -0.0%
About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen python scripts/benchmark.py --iterations 1000

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cifuzzy.yml:
- Around line 42-43: The checkout step named "Checkout repository" uses
actions/checkout without disabling persisted credentials; update that step (the
one using actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) to include
persist-credentials: false so the runner does not leave Git credentials
persisted after checkout.

In @.github/workflows/dependency-review.yml:
- Around line 29-30: The checkout step using actions/checkout (uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) persists the GitHub
token by default; add persist-credentials: false to that checkout step to
disable storing credentials in git config for this read-only PR analysis
workflow so no token is retained after checkout.

In @.github/workflows/fips-compatibility.yml:
- Around line 57-59: The checkout steps currently call
actions/checkout@de0fac2e4500... without disabling credential persistence;
update both Checkout repository steps (the one using
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd and the second
checkout in the fips-runtime-test job) to include persist-credentials: false so
the GitHub token is not written to the workspace and cannot be used by
downstream steps.

In @.github/workflows/performance-regression.yml:
- Around line 55-56: The checkout step uses actions/checkout@de0fac2e... without
disabling credential persistence; add the persist-credentials: false option to
the Checkout step (the actions/checkout usage) so credentials are not stored in
the runner after checkout, ensuring the workflow does not keep GitHub tokens in
the environment when no authenticated git operations occur.

In @.github/workflows/pr-validation.yml:
- Around line 55-57: The checkout action usages (uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) currently omit
persist-credentials and must explicitly disable credential persistence; locate
each actions/checkout invocation in the workflow (the three occurrences of uses:
actions/checkout@...) and add persist-credentials: false under the step to
ensure repository credentials are not stored for subsequent steps or jobs.

In @.github/workflows/release-sign.yml:
- Around line 24-25: The checkout step uses actions/checkout@de0fac2e... but
currently leaves credentials persisted; update the Checkout step (the
actions/checkout invocation) to set persist-credentials: false so the checkout
action does not inject or persist the workflow token (GH_TOKEN) into the
workspace for the signing job; this change should be applied to the existing
Checkout step in the release-sign workflow where actions/checkout is used.

In @.github/workflows/reuse.yml:
- Around line 28-29: Update both Checkout steps that use actions/checkout (the
step named "Checkout repository" and the other checkout step later) to include
the security flag persist-credentials: false under the step to prevent automatic
credential persistence; locate the steps that reference uses:
actions/checkout@de0fac2e4500d... and the second actions/checkout occurrence and
add persist-credentials: false as a top-level key in each step.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 71aca43e-ac08-45da-88f4-f916d965bbbc

📥 Commits

Reviewing files that changed from the base of the PR and between ca8cb77 and 575d536.

📒 Files selected for processing (9)
  • .github/workflows/cifuzzy.yml
  • .github/workflows/codeql.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/fips-compatibility.yml
  • .github/workflows/performance-regression.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/release-sign.yml
  • .github/workflows/reuse.yml
  • .github/workflows/slsa-provenance.yml

Comment on lines 42 to +43
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
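Review bot: the `# v6.0.2` comment on the new `uses:` line is the only human-readable statement of what de0fac2e4500dabe0009e67214ff5f5447ce83dd is, and it is also what Renovate parses to compute the next bump, so confirm that this SHA is exactly the commit the v6.0.2 tag resolves to; if the comment and the SHA ever drift apart, later pin updates silently target the wrong baseline. Since v4.3.1 → v6.0.2 crosses two major versions, the pinned commit's release notes, not just the comment, are what should be checked for changed defaults before this lands.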

@coderabbitai coderabbitai Bot May 20, 2026


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Find and examine the cifuzzy.yml workflow file
find . -name "cifuzzy.yml" -type f

Repository: ByronWilliamsCPA/rag-processor

Length of output: 106


🏁 Script executed:

# Once found, examine the checkout section and surrounding context
cat -n .github/workflows/cifuzzy.yml | head -100

Repository: ByronWilliamsCPA/rag-processor

Length of output: 3987


Disable persisted Git credentials in checkout.

Line 43: actions/checkout leaves credentials persisted by default. Set persist-credentials: false since this workflow performs no authenticated git operations after checkout, reducing token exposure.

🔒 Suggested fix
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 42-43: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cifuzzy.yml around lines 42 - 43, the checkout step named
"Checkout repository" uses actions/checkout without disabling persisted
credentials; update that step (the one using
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) to include
persist-credentials: false so the runner does not leave Git credentials
persisted after checkout.

Contributor Author

Deferred to a follow-up PR. The finding is valid hardening guidance, but the omission of persist-credentials: false is pre-existing — it was absent on the prior v4.3.1 checkout pin too, not introduced by this Renovate version-bump PR. Keeping this PR scoped to the action version bumps and SHA pinning of dependency-review-action + fsfe/reuse image. A separate chore(security): harden checkout calls PR will address all checkout invocations missing the flag (codeql.yml already has it; 7 others remain across this list of files). Not blocking this PR's merge.


@williaby, understood — the omission is clearly pre-existing and out of scope for a version-bump-only PR. The scoping rationale is sound.

Would you like me to open a GitHub issue to track the follow-up hardening work? I can create it with a reference back to this PR and list the seven workflow files that still need persist-credentials: false added to their checkout steps, so nothing gets lost before the dedicated chore(security): harden checkout calls PR lands.

Comment on lines 29 to +30
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

@coderabbitai coderabbitai Bot May 20, 2026


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/dependency-review.yml

Repository: ByronWilliamsCPA/rag-processor

Length of output: 1854


🏁 Script executed:

# Check if there are other checkout steps in the repository's workflows to see patterns
rg "actions/checkout" .github/workflows/ -A 2 -B 1

Repository: ByronWilliamsCPA/rag-processor

Length of output: 3904


Disable credential persistence in checkout step.

Line 30 should set persist-credentials: false to prevent the GitHub token from being stored in git config. This workflow is a read-only PR analysis job that doesn't require authenticated git operations and shouldn't retain credentials.

🔒 Suggested fix
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
📝 Committable suggestion


Suggested change
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 29-30: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-review.yml around lines 29 - 30, the checkout
step using actions/checkout (uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) persists the GitHub
token by default; add persist-credentials: false to that checkout step to
disable storing credentials in git config for this read-only PR analysis
workflow so no token is retained after checkout.

Contributor Author

Deferred to a follow-up PR. The finding is valid hardening guidance, but the omission of persist-credentials: false is pre-existing — it was absent on the prior v4.3.1 checkout pin too, not introduced by this Renovate version-bump PR. Keeping this PR scoped to the action version bumps and SHA pinning of dependency-review-action + fsfe/reuse image. A separate chore(security): harden checkout calls PR will address all checkout invocations missing the flag (codeql.yml already has it; 7 others remain across this list of files). Not blocking this PR's merge.


@williaby, that's a reasonable scoping call — keeping the Renovate PR focused purely on version bumps is cleaner. The finding is noted, and it's helpful to know codeql.yml already has the flag set while 7 others still need it.

Would you like me to open a GitHub issue to track the chore(security): harden checkout calls follow-up? I can pre-populate it with the list of workflows that still need persist-credentials: false so nothing slips through.


✏️ Learnings added
Learnt from: williaby
Repo: ByronWilliamsCPA/rag-processor PR: 19
File: .github/workflows/dependency-review.yml:29-30
Timestamp: 2026-05-21T04:02:02.792Z
Learning: In the ByronWilliamsCPA/rag-processor repository, `codeql.yml` already sets `persist-credentials: false` on its `actions/checkout` step, but 7 other workflow files (cifuzzy.yml, dependency-review.yml, fips-compatibility.yml, performance-regression.yml, pr-validation.yml, release-sign.yml, reuse.yml, slsa-provenance.yml) are missing this flag. A follow-up `chore(security): harden checkout calls` PR is planned to address all remaining checkout invocations.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

Comment on lines 57 to 59
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

@coderabbitai coderabbitai Bot May 20, 2026


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

fd -t f "fips-compatibility.yml" .github/workflows/

Repository: ByronWilliamsCPA/rag-processor

Length of output: 115


🏁 Script executed:

cat -n .github/workflows/fips-compatibility.yml

Repository: ByronWilliamsCPA/rag-processor

Length of output: 9979


🏁 Script executed:

# Verify that actions/checkout supports persist-credentials parameter
web_search "actions/checkout persist-credentials false security best practice"

Repository: ByronWilliamsCPA/rag-processor

Length of output: 125


🌐 Web query:

actions/checkout persist-credentials false github actions security

💡 Result:

The persist-credentials input for the actions/checkout GitHub Action controls whether the repository's authentication token (typically the GITHUB_TOKEN) is persisted in the local Git configuration (.git/config) after the checkout step [1][2]. By default, persist-credentials is true [1][2]. When enabled, this allows subsequent steps in the same job to execute authenticated Git commands (e.g., git fetch, git push) without needing to manually re-authenticate [1][2].

Security Implications:
  • Potential for Exposure: Because the token is stored in the Git configuration, any subsequent step or script running within the same job—including potentially compromised third-party actions—can access the token [3][4].
  • Artifact Leaks: If a workflow creates and uploads artifacts of the repository (e.g., using actions/upload-artifact), the credential stored in .git/config may be inadvertently included in the uploaded artifact, potentially exposing the token if the artifact is public or accessible to unauthorized users [5].

Recent Security Improvements: GitHub has updated actions/checkout to improve how these credentials are handled. Instead of storing them directly in .git/config, the action now persists credentials in a separate, temporary file located under $RUNNER_TEMP [1][2][6]. It uses Git's includeIf mechanism to conditionally apply these credentials only when performing Git operations within that specific workspace [6].

Recommendation: To follow the principle of least privilege, you should set persist-credentials: false in any workflow that does not explicitly require authenticated Git operations (such as pushing changes) [4]. This reduces the attack surface by ensuring that even if a workflow step is compromised, the GITHUB_TOKEN is not readily available in the local configuration [4].

Example:
  - uses: actions/checkout@v4
    with:
      persist-credentials: false


Disable persisted credentials in both checkout steps.

Lines 58 and 204 should set persist-credentials: false to reduce token exposure in downstream steps. Since neither job performs authenticated Git operations (only checkout, running Python scripts, and uploading artifacts), the credential is unnecessary and should not be persisted per security best practices.

Suggested fix
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+       with:
+         persist-credentials: false

Apply the same change at line 204 in the fips-runtime-test job.

Also applies to: 203-205

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 57-58: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/fips-compatibility.yml around lines 57 - 59, the checkout
steps currently call actions/checkout@de0fac2e4500... without disabling
credential persistence; update both Checkout repository steps (the one using
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd and the second
checkout in the fips-runtime-test job) to include persist-credentials: false so
the GitHub token is not written to the workspace and cannot be used by
downstream steps.

Contributor Author

Deferred to a follow-up PR. The finding is valid hardening guidance, but the omission of persist-credentials: false is pre-existing — it was absent on the prior v4.3.1 checkout pin too, not introduced by this Renovate version-bump PR. Keeping this PR scoped to the action version bumps and SHA pinning of dependency-review-action + fsfe/reuse image. A separate chore(security): harden checkout calls PR will address all checkout invocations missing the flag (codeql.yml already has it; 7 others remain across this list of files). Not blocking this PR's merge.


@williaby — that's a fair and well-reasoned scoping decision. The finding is valid security hardening, but since it predates this PR and is being tracked for a dedicated follow-up, it shouldn't block these version bumps.

Would you like me to open a GitHub issue to track the chore(security): harden checkout calls work? I can pre-populate it with the list of affected workflow files (the 7 remaining without persist-credentials: false) and backlink it to this PR.


✏️ Learnings added
Learnt from: williaby
Repo: ByronWilliamsCPA/rag-processor PR: 19
File: .github/workflows/fips-compatibility.yml:57-59
Timestamp: 2026-05-21T04:02:05.271Z
Learning: In the ByronWilliamsCPA/rag-processor repository, `persist-credentials: false` is intentionally absent from most `actions/checkout` steps across `.github/workflows/` — it is pre-existing technical debt, not introduced by individual PRs. Only `codeql.yml` currently sets this flag. A dedicated follow-up PR (`chore(security): harden checkout calls`) is planned to add it to the remaining 7 workflow files: cifuzzy.yml, dependency-review.yml, fips-compatibility.yml, performance-regression.yml, pr-validation.yml, release-sign.yml, reuse.yml, and slsa-provenance.yml.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.
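The review threads above keep returning to two properties of a workflow step: every `actions/checkout` that needs no authenticated git operation should set `persist-credentials: false`, and every `uses:` reference should be pinned to a full commit SHA (or image digest) with a `# vX.Y.Z` comment rather than a mutable tag. The following is an added example written for this discussion; it is not code from the rag-processor repository, CodeRabbit or zizmor. It is a small dependency-free Python linter that checks both properties over a workflow file, roughly what zizmor's `artipacked` rule and this repo's SHA-pin convention ask for. The sample workflow it scans is constructed here, reusing the checkout SHA from this PR and the mutable `@v4` tag and `:latest` image reference the PR description says were replaced.

```python
"""Lint a workflow for the two gaps raised in this thread: actions/checkout
steps that keep persist-credentials at its default (true), and `uses:` values
not pinned to a full commit SHA or image digest with a version comment.
Added example, not code from the rag-processor repository, CodeRabbit or
zizmor. It works from indentation instead of a YAML library, which suffices
for the conventional `steps:` layout shown in the review hunks."""
from __future__ import annotations

import re
from dataclasses import dataclass

# `uses:` as the first key of a step ("- uses: ...") or as a later key.
USES_LINE = re.compile(r"^(\s*)-?\s*uses:\s*(\S.*?)\s*$")
# owner/repo[/path]@<40-hex sha>  # vX.Y.Z   (this repo's pin convention)
SHA_PIN = re.compile(r"^[^@\s]+@[0-9a-f]{40}\s+#\s*v\d+(?:\.\d+)*\s*$")
# docker://image[:tag]@sha256:<64-hex digest>
DIGEST_PIN = re.compile(r"^docker://[^@\s]+@sha256:[0-9a-f]{64}\s*$")
PERSIST_FALSE = re.compile(r"^\s*persist-credentials:\s*false\s*(?:#.*)?$", re.I)


@dataclass(frozen=True)
class Finding:
    line: int  # 1-based line of the `uses:` key
    rule: str  # "persist-credentials" or "unpinned-action"
    ref: str   # the `uses:` value that triggered the finding


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def _step_lines(lines: list[str], uses_idx: int) -> list[str]:
    """Return every line of the step that owns lines[uses_idx]."""
    if lines[uses_idx].lstrip().startswith("- "):
        key_indent, start = _indent(lines[uses_idx]) + 2, uses_idx
    else:
        key_indent, start = _indent(lines[uses_idx]), uses_idx
        # Walk back to the "- " that opens the step, so keys written before
        # `uses:` (for example a `with:` block) are still inspected.
        while start > 0:
            prev = lines[start - 1].lstrip()
            if prev.startswith("- ") and _indent(lines[start - 1]) == key_indent - 2:
                start -= 1
                break
            if prev and not prev.startswith("#") and _indent(lines[start - 1]) < key_indent:
                break  # reached the enclosing mapping without finding the step
            start -= 1
    end = uses_idx + 1
    while end < len(lines):
        cur = lines[end].lstrip()
        if cur and not cur.startswith("#") and _indent(lines[end]) < key_indent:
            break  # next step, or the end of the steps list
        end += 1
    return lines[start:end]


def lint_workflow(text: str) -> list[Finding]:
    """Scan one workflow document and return the hardening gaps found."""
    lines = text.splitlines()
    findings: list[Finding] = []
    for idx, raw in enumerate(lines):
        m = USES_LINE.match(raw)
        if not m:
            continue
        ref = m.group(2)
        action = ref.split("@", 1)[0]
        # Rule 1: local actions are exempt; anything else must be SHA- or
        # digest-pinned, so a mutable `@v4` tag or `:latest` image is flagged.
        if not action.startswith("./") and not (SHA_PIN.match(ref) or DIGEST_PIN.match(ref)):
            findings.append(Finding(idx + 1, "unpinned-action", ref))
        # Rule 2: checkout must opt out of credential persistence (the same
        # condition zizmor reports as "artipacked").
        if action == "actions/checkout" and not any(
            PERSIST_FALSE.match(step_line) for step_line in _step_lines(lines, idx)
        ):
            findings.append(Finding(idx + 1, "persist-credentials", ref))
    return findings


# Constructed sample (not a file from the repository): reuses the checkout SHA
# from this PR plus the mutable `@v4` tag and `:latest` image the PR replaced.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Hardened checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/dependency-review-action@v4
      - uses: docker://fsfe/reuse:latest
      - name: Local action
        uses: ./.github/actions/summarize
"""

if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.rule}: {f.ref}")
```

Run against the sample it reports the first checkout (pinned, but credentials persisted), the `@v4` tag and the `:latest` image, and stays quiet on the hardened checkout and the local action. The step-boundary walk is what makes the check robust to key order inside a step; a simple "is the next line `with:`" test would miss a `with:` block written before `uses:`.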

Comment on lines 55 to +56
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

@coderabbitai coderabbitai Bot May 20, 2026


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/performance-regression.yml | head -70

Repository: ByronWilliamsCPA/rag-processor

Length of output: 2880


🏁 Script executed:

rg "persist-credentials" .github/workflows/

Repository: ByronWilliamsCPA/rag-processor

Length of output: 140


🌐 Web query:

GitHub Actions checkout action persist-credentials security best practice

💡 Result:

Best practice: set persist-credentials: false on every actions/checkout step unless you specifically need authenticated git credentials (e.g., for pushing back) in later steps. GitHub’s actions/checkout docs describe that the token/credential is persisted in the local git config by default and removed during post-job cleanup, and recommend using persist-credentials: false to opt out [1][2].

Example (hardened checkout):
  uses: actions/checkout@v4
  with:
    persist-credentials: false

Why:
  • Persisting credentials means the auth token/credential can be present in the checked-out workspace’s git configuration and therefore is more exposed to any process running after checkout in the same job. The actions/checkout project explicitly documents that behavior and the opt-out flag [1][2].
  • Security guidance and community recommendations commonly call out using persist-credentials: false to reduce credential exposure risk if the workflow or environment is compromised [3].

Notes / tradeoffs:
  • If you truly need to run authenticated git commands later (push, create tags/releases, etc.), you may need credentials. In that case, prefer minimizing scope and permissions (e.g., least-privilege GITHUB_TOKEN permissions), and consider reconfiguring credentials only for the step that needs them (some workflows re-set the remote URL after using persist-credentials: false) [4].

Summary recommendation:
  • Default to persist-credentials: false for checkout steps; only opt in when a later step must perform authenticated git operations, and then constrain permissions as tightly as possible. [1][2][3]


Harden checkout by disabling credential persistence.

Line 56 should explicitly set persist-credentials: false. The workflow performs no authenticated git operations after checkout, and GitHub's documentation recommends this setting to minimize credential exposure.

🔒 Suggested fix
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
📝 Committable suggestion


Suggested change
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 55-56: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/performance-regression.yml around lines 55 - 56, the
checkout step uses actions/checkout@de0fac2e... without disabling credential
persistence; add the persist-credentials: false option to the Checkout step (the
actions/checkout usage) so credentials are not stored in the runner after
checkout, ensuring the workflow does not keep GitHub tokens in the environment
when no authenticated git operations occur.

Contributor Author

Deferred to a follow-up PR. The finding is valid hardening guidance, but the omission of persist-credentials: false is pre-existing — it was absent on the prior v4.3.1 checkout pin too, not introduced by this Renovate version-bump PR. Keeping this PR scoped to the action version bumps and SHA pinning of dependency-review-action + fsfe/reuse image. A separate chore(security): harden checkout calls PR will address all checkout invocations missing the flag (codeql.yml already has it; 7 others remain across this list of files). Not blocking this PR's merge.


@williaby, understood — the finding is valid but genuinely pre-existing, and keeping Renovate bump PRs narrowly scoped is the right call. The planned chore(security): harden checkout calls PR sounds like the correct place to address all 7 remaining checkout invocations at once.

Would you like me to open a GitHub issue to track that follow-up hardening work? I can link back to this PR and comment for context.


✏️ Learnings added
Learnt from: williaby
Repo: ByronWilliamsCPA/rag-processor PR: 19
File: .github/workflows/performance-regression.yml:55-56
Timestamp: 2026-05-21T04:02:05.948Z
Learning: In the ByronWilliamsCPA/rag-processor repository, `persist-credentials: false` is already set on the `actions/checkout` step in `.github/workflows/codeql.yml`, but is missing from 7 other workflow files: `cifuzzy.yml`, `dependency-review.yml`, `fips-compatibility.yml`, `performance-regression.yml`, `pr-validation.yml`, `release-sign.yml`, and `reuse.yml`. A follow-up PR titled `chore(security): harden checkout calls` is planned to address all remaining checkout steps missing this flag.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

Comment on lines 55 to 57
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

@coderabbitai coderabbitai Bot May 20, 2026


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/pr-validation.yml | sed -n '50,135p'

Repository: ByronWilliamsCPA/rag-processor

Length of output: 3629


Disable checkout credential persistence across all jobs.

Lines 56, 97, and 129 should all set persist-credentials: false to minimize credential exposure in workflows where repository credentials are unnecessary.

🔒 Suggested fix
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
...
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
...
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

Also applies to: 97–98, 129–130

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 55-56: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-validation.yml around lines 55 - 57, the checkout
action usages (uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd)
currently omit persist-credentials and must explicitly disable credential
persistence; locate each actions/checkout invocation in the workflow (the three
occurrences of uses: actions/checkout@...) and add persist-credentials: false
under the step to ensure repository credentials are not stored for subsequent
steps or jobs.

Contributor Author

Deferred to a follow-up PR. The finding is valid hardening guidance, but the omission of persist-credentials: false is pre-existing — it was absent on the prior v4.3.1 checkout pin too, not introduced by this Renovate version-bump PR. Keeping this PR scoped to the action version bumps and SHA pinning of dependency-review-action + fsfe/reuse image. A separate chore(security): harden checkout calls PR will address all checkout invocations missing the flag (codeql.yml already has it; 7 others remain across this list of files). Not blocking this PR's merge.


@williaby, understood — the gap is pre-existing and out of scope for a Renovate version-bump PR. Keeping the change set focused is the right call.

Would you like me to open a GitHub issue to track the follow-up chore(security): harden checkout calls work? I can capture the 7 affected workflow files (excluding codeql.yml which already has the flag) and link back to this PR for context.


✏️ Learnings added
Learnt from: williaby
Repo: ByronWilliamsCPA/rag-processor PR: 19
File: .github/workflows/pr-validation.yml:55-57
Timestamp: 2026-05-21T04:02:06.311Z
Learning: In the ByronWilliamsCPA/rag-processor repository, `persist-credentials: false` is missing from `actions/checkout` steps in 7 workflow files (all except `.github/workflows/codeql.yml`, which already has it). This is a pre-existing gap, not introduced by any specific PR. A dedicated follow-up PR (`chore(security): harden checkout calls`) is planned to address all remaining occurrences.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

Comment on lines 24 to +25
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
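Review bot: this step is named `Checkout` rather than the `Checkout repository` used by the identical bump in the other workflows on this PR; harmless, but worth normalizing so the follow-up hardening PR can find every checkout step by the same name. More importantly, the review comment below notes that this signing job runs with write-scoped token permissions, which makes it the one checkout in this set where a token left persisted has real push capability; if any single `persist-credentials: false` is pulled forward into this PR instead of the follow-up, it should be this one.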

@coderabbitai coderabbitai Bot May 20, 2026


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

find .github/workflows -name "release-sign.yml" -type f

Repository: ByronWilliamsCPA/rag-processor

Length of output: 109


🏁 Script executed:

cat -n .github/workflows/release-sign.yml

Repository: ByronWilliamsCPA/rag-processor

Length of output: 3549


Disable checkout credential persistence in the signing job.

Line 25 should set persist-credentials: false, especially with write-scoped token permissions in this job. The workflow uses explicit GH_TOKEN from secrets in downstream steps, so checkout credentials do not need to persist.

🔒 Suggested fix
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
📝 Committable suggestion


Suggested change
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 24-25: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-sign.yml around lines 24 - 25, The checkout step
uses actions/checkout@de0fac2e... but currently leaves credentials persisted;
update the Checkout step (the actions/checkout invocation) to set
persist-credentials: false so the checkout action does not inject or persist the
workflow token (GH_TOKEN) into the workspace for the signing job; this change
should be applied to the existing Checkout step in the release-sign workflow
where actions/checkout is used.

Contributor Author


Deferred to a follow-up PR. The finding is valid hardening guidance, but the omission of persist-credentials: false is pre-existing — it was absent on the prior v4.3.1 checkout pin too, not introduced by this Renovate version-bump PR. Keeping this PR scoped to the action version bumps and SHA pinning of dependency-review-action + fsfe/reuse image. A separate chore(security): harden checkout calls PR will address all checkout invocations missing the flag (codeql.yml already has it; 7 others remain across this list of files). Not blocking this PR's merge.



@williaby, understood — the finding predates this PR and keeping the Renovate bump scoped is the right call. Would you like me to open a GitHub issue to track the chore(security): harden checkout calls work? I can file it now with a reference back to this PR and list the seven workflow files that still need persist-credentials: false.


✏️ Learnings added
Learnt from: williaby
Repo: ByronWilliamsCPA/rag-processor PR: 19
File: .github/workflows/release-sign.yml:24-25
Timestamp: 2026-05-21T04:02:09.835Z
Learning: In the ByronWilliamsCPA/rag-processor repository, `persist-credentials: false` is already set on the `actions/checkout` step in `.github/workflows/codeql.yml`. The following workflow files are missing it and are tracked for a follow-up hardening PR (`chore(security): harden checkout calls`): `cifuzzy.yml`, `dependency-review.yml`, `fips-compatibility.yml`, `performance-regression.yml`, `pr-validation.yml`, `release-sign.yml`, `reuse.yml`, and `slsa-provenance.yml`.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

Comment on lines 28 to +29
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
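Review bot: reuse.yml has two checkout steps (this one at line 29 and a second at line 52 per the zizmor/CodeRabbit analysis), so the `persist-credentials: false` hardening needs to land on both, not only the one shown here. Separately, the Generate REUSE SPDX step later in this file pulled `fsfe/reuse:latest`; the follow-up commit ae82201 on this PR replaces it with the `6.2.0@sha256:...` tag-plus-digest form, which is the right shape for an immutable pull.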

@coderabbitai coderabbitai Bot May 20, 2026



⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/reuse.yml | sed -n '20,60p'

Repository: ByronWilliamsCPA/rag-processor

Length of output: 1591


Add persist-credentials: false to both checkout actions.

Both lines 29 and 52 are missing the credential persistence hardening flag required for secure secret handling in GitHub Actions workflows.

Suggested fix
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 28-29: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/reuse.yml around lines 28 - 29, Update both Checkout steps
that use actions/checkout (the step named "Checkout repository" and the other
checkout step later) to include the security flag persist-credentials: false
under the step to prevent automatic credential persistence; locate the steps
that reference uses: actions/checkout@de0fac2e4500d... and the second
actions/checkout occurrence and add persist-credentials: false as a top-level
key in each step.

Contributor Author


Deferred to a follow-up PR. The finding is valid hardening guidance, but the omission of persist-credentials: false is pre-existing — it was absent on the prior v4.3.1 checkout pin too, not introduced by this Renovate version-bump PR. Keeping this PR scoped to the action version bumps and SHA pinning of dependency-review-action + fsfe/reuse image. A separate chore(security): harden checkout calls PR will address all checkout invocations missing the flag (codeql.yml already has it; 7 others remain across this list of files). Not blocking this PR's merge.



@williaby, understood — the finding is pre-existing and keeping this PR scoped to the version bumps is the right call. Thanks for the clear context on codeql.yml already being hardened.

Would you like me to open a GitHub issue to track the follow-up chore(security): harden checkout calls work? I can include the list of the 7 affected workflow files and a backlink to this PR so nothing gets lost.


✏️ Learnings added
Learnt from: williaby
Repo: ByronWilliamsCPA/rag-processor PR: 19
File: .github/workflows/reuse.yml:28-29
Timestamp: 2026-05-21T04:02:10.387Z
Learning: In the ByronWilliamsCPA/rag-processor repository, `persist-credentials: false` is already set in `.github/workflows/codeql.yml` checkout steps but is missing from 7 other workflow files: `cifuzzy.yml`, `dependency-review.yml`, `fips-compatibility.yml`, `performance-regression.yml`, `pr-validation.yml`, `release-sign.yml`, and `reuse.yml`. A dedicated follow-up PR (`chore(security): harden checkout calls`) is planned to address all remaining checkout invocations missing the flag. Do not flag this as a new issue in PRs that are purely version-bump changes; it is pre-existing.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

@williaby

Contributor Author

PR Review

CI is green and every action is SHA-pinned with a version comment. No Critical findings. A small number of Important items below are worth addressing before merge; one Suggested item is intentionally deferred to a follow-up.

Important (should fix)

  • PR body says "scheduled patch update / no API changes" — but this is a multi-major sweep. The diff bumps 10 actions across major versions, including actions/checkout v4.3.1 → v6.0.2 (skips v5, now requires Node 24), actions/upload-artifact v4.6.2 → v7.0.1 (+3 majors), actions/github-script v7 → v9 (skips v8), astral-sh/setup-uv v4 → v8 (+4 majors), and actions/attest-build-provenance v1.5.2 → v4.1.0 (+3 majors). Update the description so audit/incident readers aren't misled about scope. (Copilot raised this too.)

  • dependency-review.yml:30: actions/dependency-review-action is still referenced by mutable tag @v4, while every other action in the repo is SHA-pinned. Pin to a specific commit SHA for supply-chain consistency.

  • reuse.yml:38 (Generate REUSE SPDX step): the step pulls fsfe/reuse:latest (mutable Docker tag), creating a supply-chain and reproducibility risk. Pin to a specific tag or digest.

Suggested (defer to follow-up PR)

  • persist-credentials: false is missing on 7 actions/checkout invocations (cifuzzy, dependency-review, fips-compatibility, performance-regression, pr-validation, release-sign, reuse). CodeRabbit + zizmor flagged these, but the omissions are pre-existing (they were absent on the old v4.3.1 pins too); not introduced by this Renovate bump. Recommend a separate chore(security): harden checkout calls PR rather than expanding this PR's scope. codeql.yml already sets the flag correctly.

Operational notes

  • Branch is behind main — rebase before merge so the green CI signal reflects current main + this PR rather than an older base.
  • Three workflows (release-sign.yml, slsa-provenance.yml build job, cifuzzy.yml) only run on release/schedule events. PR-time CI did not exercise them; their new action versions are unproven until the next release. Worth watching the next release closely.

Copilot ruleset review and CodeRabbit have already posted inline comments; the SonarCloud quality gate passed.

🤖 Generated with Claude Code
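The three findings above (mutable `@v4` ref, `:latest` Docker tag, checkout steps without `persist-credentials: false`) are all mechanically checkable. The script below is an added example written for this review, not code from the rag-processor repository, Renovate, CodeRabbit or zizmor. It is a line-oriented scan of workflow YAML with no PyYAML dependency, and it assumes the usual layout where each step starts with `- ` and its keys are indented deeper, and that container images are referenced via `uses: docker://` or a `container: image:` key. The workflow in SAMPLE and its SHAs are constructed placeholders.

```python
"""Lint workflow files for: `uses:` refs pinned to a full commit SHA with a
`# vX.Y.Z` comment, actions/checkout steps setting persist-credentials: false,
and Docker images referenced by sha256 digest rather than a mutable tag.
Added example (not the project's code); line-based, no PyYAML needed."""
import re
import sys
from dataclasses import dataclass

USES = re.compile(r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>\S+)"
                  r"(?:\s*#\s*(?P<comment>.*?))?\s*$")
DOCKER = re.compile(r"^\s*-?\s*(?:uses:\s*docker://|image:\s*)(?P<image>\S+)")
STEP_START = re.compile(r"^\s*-\s+\S")
PERSIST_FALSE = re.compile(r"^\s*persist-credentials:\s*false\s*$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG = re.compile(r"^v\d+(?:\.\d+){0,2}$")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def split_steps(text):
    """Group lines into YAML list items: a `- ` line at an indent no deeper
    than the current item starts a new item; deeper lines belong to it."""
    steps, current, indent = [], None, -1
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        depth = len(raw) - len(stripped)
        if STEP_START.match(raw) and (current is None or depth <= indent):
            current, indent = [(no, raw)], depth
            steps.append(current)
        elif current is not None and depth > indent:
            current.append((no, raw))
        else:
            current, indent = None, -1  # left the list entirely
    return steps


def lint(text):
    """Return findings sorted by line; an empty list means the file is clean."""
    findings = []
    # Image refs may sit in a step (uses: docker://) or a container: block,
    # so check them on every line rather than per step.
    for no, raw in enumerate(text.splitlines(), 1):
        m = DOCKER.match(raw)
        if m and not DIGEST.search(m.group("image")):
            findings.append(Finding(no, "mutable-image",
                            f"{m.group('image')} has no sha256 digest"))
    for step in split_steps(text):
        for no, raw in step:
            m = USES.match(raw)
            if m and not m.group("action").startswith("docker://"):
                break
        else:
            continue  # not a `uses:` step (docker:// refs handled above)
        action, ref = m.group("action"), m.group("ref")
        comment = (m.group("comment") or "").split()
        if not FULL_SHA.match(ref):
            findings.append(Finding(no, "mutable-ref",
                            f"{action}@{ref} is not a full commit SHA"))
        elif not comment or not VERSION_TAG.match(comment[0]):
            findings.append(Finding(no, "missing-version-comment",
                            f"{action} pin lacks a `# vX.Y.Z` comment"))
        if action == "actions/checkout" and not any(
                PERSIST_FALSE.match(r) for _, r in step):
            findings.append(Finding(no, "persist-credentials",
                            "checkout does not set persist-credentials: false"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample workflow: the SHAs are placeholders, not real pins.
SAMPLE = """\
name: sample
on: [push]
jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v6.0.2
      - name: Dependency review
        uses: actions/dependency-review-action@v4
      - name: Generate REUSE SPDX
        uses: docker://fsfe/reuse:latest
      - uses: actions/setup-python@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb # v6.2.0
        with:
          python-version: "3.12"
      - name: Hardened checkout
        uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v6.0.2
        with:
          persist-credentials: false
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in lint(text):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Run it over `.github/workflows/*.yml` to get one line per finding; on the sample it reports the unhardened checkout, the `@v4` ref and the `:latest` image, and stays silent on the SHA-pinned setup-python step and the hardened checkout. It is intentionally a coarse pre-commit style guard, not a replacement for zizmor's full ruleset.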

williaby and others added 2 commits May 20, 2026 20:55
Address PR review feedback from Copilot on PR #19:

- actions/dependency-review-action: replace mutable @v4 tag with
  SHA pin 2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 to
  match the repo's SHA-pinning convention used by every other
  action in the workflows.

- fsfe/reuse Docker image: replace mutable :latest tag with
  6.2.0@sha256:85462a75c0f8efda09ddd190b92816b70e7662577c8427429e11e1b9f25a992e
  for reproducibility and supply-chain safety. The 6.2.0 tag
  digest currently matches the :latest digest, so this preserves
  semantics while making the pull immutable.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@williaby williaby force-pushed the renovate/major-github-actions branch from 575d536 to ae82201 on May 21, 2026 04:00
@github-actions


✅ Performance Regression Check

Status: PERFORMANCE OK

| Metric | Baseline (main) | PR Branch | Change |
|---|---|---|---|
| p95_ms | 2.50 | 2.52 | +1.0% |

Threshold: +/-10% allowed regression

✅ Performance is within acceptable range.

Additional Metrics

| Metric | Baseline | PR | Change |
|---|---|---|---|
| p50_ms | 1.87 | 1.90 | 📈 1.7% |
| p95_ms | 2.50 | 2.52 | 📈 1.0% |
| p99_ms | 2.54 | 2.66 | 📈 5.1% |
| mean_ms | 1.41 | 1.44 | 📈 2.2% |
| min_ms | 0.06 | 0.06 | ➡️ 0.0% |
| max_ms | 2.54 | 2.68 | 📈 5.5% |
| throughput_ops | 708.28 | 692.91 | 📉 -2.2% |
| total_iterations | 500.00 | 500.00 | ➡️ 0.0% |
| avg_p95_all_benchmarks_ms | 1.01 | 1.00 | 📉 -0.9% |
| avg_throughput_all_benchmarks_ops | 955271.50 | 1002978.70 | 📈 5.0% |

About Performance Regression Testing

This automated check compares p95_ms on this PR against the main branch baseline.

  • Regression Threshold: 10%
  • Warmup Iterations: 5
  • Benchmark Iterations: 50
  • Baseline Source: generated

To reproduce locally:

uv run --frozen  python scripts/benchmark.py --iterations 1000 

@sonarqubecloud


@williaby

Contributor Author

PR Fix Summary

Applied via /pr-fix workflow.

Changes pushed (force-push to renovate/major-github-actions):

  1. Rebased onto current main (was BEHIND by 2 commits: docs: enrich route OpenAPI metadata + fix(ci): install dev extras for compat matrix #28 + ci(mutation): run mutation testing weekly only, drop PR trigger #35). The PR's commit was replayed as 205ca78 on top of e284418. No conflicts (file sets were disjoint).

  2. fix(ci): pin dependency-review-action and fsfe/reuse to immutable refs (ae82201) — 2 files, +4/-2 lines:

    • .github/workflows/dependency-review.yml: actions/dependency-review-action@v4 → @2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 (matches repo SHA-pinning convention; staying on v4 line, v5 bump deferred to a separate PR).
    • .github/workflows/reuse.yml: fsfe/reuse:latest → fsfe/reuse:6.2.0@sha256:85462a75c0f8efda09ddd190b92816b70e7662577c8427429e11e1b9f25a992e (tag+digest immutable form).

PR description updated: ## Summary and ## Why now accurately describe this as a multi-major sweep (Copilot finding on sonarcloud.yml, line: null, addressed at the PR-body level since it was a file-scope review comment).

Pre-commit verification: All hooks passed locally, including Validate GitHub Workflows (JSON-schema check against the official GitHub Actions schema). YAML parsing verified for both edited files.

Deferred to a separate follow-up PR (chore(security): harden checkout calls):

  • persist-credentials: false on 7 actions/checkout invocations flagged by CodeRabbit/zizmor (cifuzzy, dependency-review, fips-compatibility, performance-regression, pr-validation × 3 jobs, release-sign, reuse × 2). All omissions are pre-existing; codeql.yml already has the flag set correctly. Replies posted on each thread.

Operational notes:

  • Three workflows (release-sign.yml, slsa-provenance.yml build job, cifuzzy.yml) only run on release/schedule events. PR-time CI did not exercise them; their new action versions are unproven until the next release fires.
  • The push triggered a pull_request: synchronize event; CI re-running now.
  • The GitHub vulnerability advisory mentioned at push time (15 vulns on default branch) is a Dependabot scan on main, separate from this PR.

🤖 Generated with Claude Code

@williaby williaby merged commit 63e1727 into main May 21, 2026
35 checks passed
@williaby williaby deleted the renovate/major-github-actions branch May 21, 2026 04:05
@coderabbitai coderabbitai Bot mentioned this pull request May 28, 2026