ci: upgrade 3rd-party GitHub Actions to latest versions (PFP-3026) #17574

Merged
rajkz-dh merged 7 commits into master from feat/pfp-3026-upgrade-3rd-party-actions
May 29, 2026

rajkz-dh commented May 25, 2026

Summary

Upgrades all outdated 3rd-party GitHub Actions across 33 workflow files and pins every action to a commit hash (not a floating tag). Also migrates deprecated `cloudflare/pages-action` and `codecov/test-results-action`. Motivated by INC-2615 (Trivy supply chain incident) and tracked under PFP-3026.

Actions upgraded

| Sub-issue | Action | Old | New | Commit hash |
|---|---|---|---|---|
| PFP-3027 | `actions/checkout` | v4 (various hashes) | v6.0.2 | `de0fac2e` |
| PFP-3028 | `actions/cache` + `cache/save` + `cache/restore` | v4 | v5.0.4 | `66822842` |
| PFP-3029 | `actions/upload-artifact` | v3/v4 | v7.0.0 | `bbbca2dd` |
| PFP-3030 | `actions/download-artifact` | v4/v6 | v8.0.1 | `3e5f45b2` |
| PFP-3031 | `actions/setup-python` | v5 | v6 | `a309ff8b` |
| PFP-3032 | `actions/setup-java` | v4 | v5 | `be666c2f` |
| PFP-3033 | `actions/create-github-app-token` | v1 | v3.1.1 | `1b10c78c` |
| PFP-3034 | `acryldata/sane-checkout-action` | v7 | (already current) | `186e92cc` |
| PFP-3035 | `gradle/actions/setup-gradle` | v4 | v5.0.2 | `07231958` |
| PFP-3036 | `gradle/gradle-build-action` | v2/v3 | v3.5.0 | `ac2d340d` |
| PFP-3037 | `docker/login-action` | v3 | v4.0.0 | `b45d80f8` |
| PFP-3038 | `astral-sh/setup-uv` | v5 | v7.6.0 | `37802adc` |
| PFP-3039 | `aws-actions/configure-aws-credentials` | v5 | v6.0.0 | `8df58475` |
| PFP-3040 | `dorny/paths-filter` | v4.0.1 | (already current) | `fbd0ab8f` |
| PFP-3041 | `cloudflare/pages-action` → `wrangler-action` | v1 | v4.0.0 | `ebbaa158` |
| PFP-3042 | `amannn/action-semantic-pull-request` | v5 | v6.1.1 | `48f25628` |
| PFP-3043 | `marocchino/sticky-pull-request-comment` | v2 | v3.0.2 | `70d2764d` |
| PFP-3044 | `actions/setup-node` | not used in this repo | | |
| PFP-3045 | `actions/setup-go` | not used in this repo | | |

Codecov migration

`codecov/test-results-action` is deprecated in favour of `codecov/codecov-action` with `report_type: test_results`. Migrated all 11 usages across 10 workflow files:

  • `codecov/test-results-action@0fa95f0e # v1` → `codecov/codecov-action@75cd1169 # v5.5.4` + `report_type: test_results`
  • All existing coverage `codecov-action` steps also bumped from `1af58845` → `75cd1169` (v5.5.4)

Affected files: `build-and-test.yml`, `docker-unified.yml`, `docker-unified-nightly.yml`, `playwright-e2e-tests.yml`, `metadata-io.yml`, `metadata-ingestion.yml`, `airflow-plugin.yml`, `dagster-plugin.yml`, `gx-plugin.yml`, `prefect-plugin.yml`

Cloudflare migration notes (PFP-3041)

`cloudflare/pages-action` is deprecated. Migrated to `cloudflare/wrangler-action@v4.0.0`:

  • `projectName` + `directory` inputs → `command: pages deploy --project-name=`
  • Output `steps.cloudflare.outputs.url` → `steps.cloudflare.outputs.deployment-url`

Affected files: `react-cloudflare-pages.yml`, `python-build-pages.yml`

Notes

  • `actions/create-github-app-token` was genuinely at v1 in this repo (unlike datahub-fork/datahub-apps where it was already at v3).
  • `actions/cache/save` and `actions/cache/restore` sub-actions upgraded alongside `actions/cache`.
  • All 16 commit hashes verified against the GitHub tag API.

Test plan

  • Verify CI passes on this PR
  • Check `react-cloudflare-pages.yml` deploys frontend preview successfully
  • Check `python-build-pages.yml` publishes Python wheel site successfully
  • Verify codecov test results upload works with `report_type: test_results`
  • Verify upload/download artifact handoff between jobs (v7 + v8 are compatible)
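
An added example (not part of this PR or the DataHub repository): a small Python audit that applies the policy in the summary above to workflow text, flagging `uses:` references that are not pinned to a full 40-character commit SHA and the two actions the description calls deprecated. The name `audit_workflow`, the sample workflow and its 40-character SHAs are constructed for illustration; treating only a full-length SHA as "pinned" is this example's assumption.

```python
import re

# Actions the PR description calls deprecated, with the replacement it migrated to.
DEPRECATED = {
    "cloudflare/pages-action": "cloudflare/wrangler-action",
    "codecov/test-results-action": "codecov/codecov-action (report_type: test_results)",
}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text):
    """Hypothetical helper: return (line_no, action, problem) for each risky `uses:`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref, comment = match.group(1), (match.group(2) or "").strip()
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        action, _, version = ref.partition("@")
        if action in DEPRECATED:
            findings.append((line_no, action, "deprecated, use " + DEPRECATED[action]))
        if not version:
            findings.append((line_no, action, "no ref at all"))
        elif not FULL_SHA_RE.fullmatch(version):
            # A tag or branch can be moved; an abbreviated hash is not a full pin.
            findings.append((line_no, action, "floating or abbreviated ref: " + version))
        elif not comment:
            # Without the trailing "# vX.Y.Z" a reviewer cannot tell what the SHA is.
            findings.append((line_no, action, "pinned but no version comment"))
    return findings

# Constructed sample workflow; the 40-character SHAs are placeholders, not real commits.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2
      - uses: actions/cache@v4
      - uses: codecov/test-results-action@0fa95f0e # v1
      - name: Deploy
        uses: cloudflare/pages-action@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

Run over every file under `.github/workflows/`, a check like this fails the build when a later change reintroduces a floating tag or one of the deprecated actions.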

@github-actions

Linear: PFP-4032

Thanks for your contribution! We have created an internal ticket to track this PR. A member of the core DataHub team will be assigned to review it within the next few business days - you will get a follow-up comment once a reviewer is assigned.

github-actions bot added the devops label (PR or Issue related to DataHub backend & deployment) May 25, 2026

- actions/checkout: all hashes → v6.0.2 (de0fac2e)
- actions/cache: v4 → v5.0.4 (66822842)
- actions/upload-artifact: v3/v4 → v7.0.0 (bbbca2dd)
- actions/download-artifact: v4/v6 → v8.0.1 (3e5f45b2)
- actions/setup-python: v5 → v6 (a309ff8b)
- actions/setup-java: v4 → v5 (be666c2f)
- actions/create-github-app-token: v1 → v3.1.1 (1b10c78c)
- gradle/actions/setup-gradle: v4 → v5.0.2 (07231958)
- gradle/gradle-build-action: v2/v3 → v3.5.0 (ac638b01)
- docker/login-action: v3 → v4.0.0 (9780b0c4)
- astral-sh/setup-uv: v5 → v7.6.0 (6b9c6063)
- aws-actions/configure-aws-credentials: v5 → v6.0.0 (b47578312)
- cloudflare/pages-action → wrangler-action v4.0.0 (ebbaa158)
  (migrated react-cloudflare-pages.yml, python-build-pages.yml)

All actions pinned to commit hashes per INC-2615 supply chain policy.

- gradle/gradle-build-action v3.5.0: ac638b01 → ac2d340d (correct hash)
- astral-sh/setup-uv v7.6.0: 6b9c6063 → 37802adc (correct hash)

codecov Bot commented May 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

- docker/login-action v4.0.0: 9780b0c4 → b45d80f8
- aws-actions/configure-aws-credentials v6.0.0: b4757831 → 8df58475
- actions/create-github-app-token v3.1.1: 1b10c78c5db1 → 1b10c78c7865
- amannn/action-semantic-pull-request v6.1.1: 6a236be8 → 48f25628
- marocchino/sticky-pull-request-comment v3.0.2: 773744cb → 70d2764d
- actions/upload-artifact: missed v4 instance in pdl-change-report.yml → v7.0.0
…_type

codecov/test-results-action is deprecated in favor of codecov/codecov-action
with report_type: test_results. Updated all 11 usages across 10 workflow files.

Also bumped codecov/codecov-action from v5.0.x (1af58845) to v5.5.4 (75cd1169)
for all coverage upload steps.

rajkz-dh left a comment

All 16 action upgrades are correct — every commit hash verified against the GitHub tag API. Cloudflare pages-action → wrangler-action migration is syntactically correct including the deployment-url output ref fix. codecov/test-results-action properly migrated to codecov-action@v5.5.4 with report_type: test_results on all 11 usages.

Two minor description issues (fixed in updated description below):

  • 6 stale commit hash prefixes from before hash-correction commits were pushed
  • Missing codecov migration section

rajkz-dh merged commit f2b6f27 into master May 29, 2026
80 checks passed
rajkz-dh deleted the feat/pfp-3026-upgrade-3rd-party-actions branch May 29, 2026 08:58
Labels: devops (PR or Issue related to DataHub backend & deployment), pending-submitter-merge
