2 changes: 1 addition & 1 deletion .github/workflows/benchmark-multinode-tmpl.yml
@@ -184,7 +184,7 @@ jobs:
done
fi

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
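Review bot: the bumped checkout in this hunk runs with `token: ${{ secrets.REPO_PAT }}` and `fetch-depth: 0`, and actions/checkout stores that token in the local git config for every later step unless `persist-credentials: false` is set (the default is true). Since this PR touches every such checkout anyway, it is the natural moment to add `persist-credentials: false` wherever the job does not push with the PAT; otherwise any subsequent step, and anything it executes, can read the PAT back out of `.git/config`.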
2 changes: 1 addition & 1 deletion .github/workflows/benchmark-tmpl.yml
@@ -156,7 +156,7 @@ jobs:
# job's output when replay fails early.
rm -rf "${{ github.workspace }}/results" 2>/dev/null || true

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
2 changes: 1 addition & 1 deletion .github/workflows/claude-pr-review.yml
@@ -31,7 +31,7 @@ jobs:
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

2 changes: 1 addition & 1 deletion .github/workflows/claude.yml
@@ -21,7 +21,7 @@ jobs:
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@v6.0.2
uses: actions/checkout@v7.0.0
with:
fetch-depth: 0
token: ${{ secrets.CLAUDE_PAT }}
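Review bot: `uses: actions/checkout@v7.0.0` pins a mutable tag, while every other file in this PR pins the immutable commit `9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0`. A tag can be moved to a different commit after the fact, so this one step is the weak link in an otherwise SHA-pinned set of workflows, and it is a step that runs with `token: ${{ secrets.CLAUDE_PAT }}`. Change it to `uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0` so dependabot keeps it in step with the rest of the repository.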
2 changes: 1 addition & 1 deletion .github/workflows/codeowner-signoff-verify.yml
@@ -184,7 +184,7 @@ jobs:
# files. Check out the trusted default branch; all PR content is read
# read-only via the GitHub API (gh / MCP), never from the working tree.
- name: Checkout repository (trusted default branch only)
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
ref: ${{ github.event.repository.default_branch }}
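Review bot: this is the one checkout in the PR whose behaviour is a security control rather than a convenience (the comment says PR content is untrusted and only the trusted default branch is checked out), so the major-version bump deserves more than a green lint here: the inline review on collectivex-sweep.yml cites new fork-handling semantics in checkout v7, and this step should be exercised once on a pull request from a fork to confirm that `ref: ${{ github.event.repository.default_branch }}` still yields the trusted tree and that the job does not start failing on forks.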
2 changes: 1 addition & 1 deletion .github/workflows/collect-evals.yml
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
2 changes: 1 addition & 1 deletion .github/workflows/collect-results.yml
@@ -17,7 +17,7 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
10 changes: 5 additions & 5 deletions .github/workflows/collectivex-sweep.yml
@@ -45,7 +45,7 @@
matrix: ${{ steps.gen.outputs.matrix }}
n: ${{ steps.gen.outputs.n }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0

Check notice on line 48 in .github/workflows/collectivex-sweep.yml


Claude / Claude Code Review

Misleading version pin comments in collectivex-sweep.yml

The actions/checkout SHA on lines 48, 90, and 130 was bumped to `9c091bb2...` (v7.0.0) — the same SHA that every other workflow in this PR annotates with `# v7.0.0` — but these three lines still trail with `# v5.0.0`, a two-major-version lie. The mismatch is pre-existing (prior SHA `de0fac2...` was v6.0.2 with the same `# v5.0.0` comment), but this PR widens the gap and is the natural place to fix it: update all three trailing comments from `# v5.0.0` to `# v7.0.0`.


Extended reasoning...

What the bug is

In .github/workflows/collectivex-sweep.yml, three actions/checkout step pins (lines 48, 90, 130) were bumped from SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd to 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0. The new SHA is unambiguously actions/checkout v7.0.0 — every other workflow file in this same PR pins the identical SHA with a # v7.0.0 comment (e.g. benchmark-tmpl.yml, claude-pr-review.yml, codeowner-signoff-verify.yml, e2e-tests.yml, profile.yml, run-sweep.yml, etc.). However, in this file the trailing comment was left as # v5.0.0, producing a two-major-version mismatch between the pin and its annotation.

How it manifests / why existing code doesn't prevent it

This is a pre-existing mismatch: the previous pin de0fac2... is actions/checkout v6.0.2 (confirmable from every other workflow's pre-PR # v6.0.2 comment), yet this file's comment was already # v5.0.0 before this PR. Dependabot updates the SHA but does not normalize an already-wrong trailing comment, so the bump from v6 to v7 propagated without fixing the lie — and future dependabot bumps will continue to do so. Nothing in the workflow currently parses or validates that the comment matches the pinned SHA.

Impact

Runtime behavior is unaffected — the SHA wins, so v7.0.0 is what actually runs. The harm is documentation/maintenance:

  • A reviewer reading # v5.0.0 will look up v5 release notes and miss v7's new behavior, most notably the new pull_request_target/workflow_run fork-blocking semantics introduced in v7 (PR #2454).
  • Auditors checking pinned versions will see an inconsistency between what is pinned and what is labeled, eroding trust in the workflow file as an accurate record of what runs.
  • Future dependabot bumps will continue carrying the wrong comment forward indefinitely.

Step-by-step proof

  1. Open the PR diff for .github/workflows/collectivex-sweep.yml. Three hunks change actions/checkout lines (the setup, sweep, and aggregate jobs). Each hunk is of the form:

    -      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0
    +      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0
    

    The SHA changed; the trailing # v5.0.0 comment did not.

  2. Cross-check the new SHA against any other workflow in this PR — e.g. .github/workflows/claude-pr-review.yml:

    -        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    +        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
    

    Same SHA, comment # v7.0.0. The dependabot PR description also confirms this is the v7.0.0 release: actions/checkout/commit/9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 is listed under the v7.0.0 commits, and the previous de0fac2... is v6.0.2 (every other workflow's pre-PR pin used that SHA with # v6.0.2).

  3. Conclusion: on lines 48, 90, and 130 of collectivex-sweep.yml, the SHA pins v7.0.0 but the comment claims v5.0.0 — a two-major-version mismatch.

How to fix

Change the trailing comment on all three lines from # v5.0.0 to # v7.0.0:

Suggested change
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

(apply the same one-character — well, two-digit — fix to lines 48, 90, and 130.)

with: { clean: true }
- run: pip install --quiet pyyaml
- id: gen
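Review bot: the trailing `# v5.0.0` on the bumped checkout line disagrees with the SHA it annotates; the same commit `9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0` is labelled `# v7.0.0` in every other file of this PR. Fix the annotation to `# v7.0.0` here (and on the other two checkout lines in this file) so that anyone auditing pins can trust the comment, and consider the same fix for the previous pin's comment history, which was already two versions off.

The inline review above makes the point that nothing in the repository checks a pin's version comment against the SHA it decorates. The script below is an added example, not part of this PR or of the project it belongs to, showing the checks that can be done offline on the raw workflow text (a YAML parser would discard the comments, so it scans lines with a regular expression). It goes beyond the review's specific case: besides reporting the same `(action, SHA)` carrying different annotations across files, it flags references that are a tag or branch rather than a 40-hex commit, flags SHA pins with no annotation at all, and, when given an authoritative `(action, SHA) -> tag` map, reports annotations that are simply wrong. The function names `parse_uses` and `lint`, the sample texts in `SAMPLE_WORKFLOWS` and the `KNOWN` map are all constructed for this example; the sample lines mirror the ones visible in the diff above, and the single `KNOWN` entry is taken from the `# v7.0.0` annotation the other files use.

```python
"""Lint GitHub Actions `uses:` pins for mutable refs and missing, inconsistent
or wrong version annotations.  Added example; not part of the PR under review."""
import re
from collections import defaultdict

# Matches `uses: owner/repo[/path]@ref   # annotation`; the leading "- " is optional.
# Local actions (`uses: ./...`) and docker:// references have no "@" and are skipped.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^\s@]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<note>\S+))?"
)
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(filename, text):
    """Return one record per `uses:` line that references a remote action."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            records.append({"file": filename, "line": lineno,
                            "action": m["action"], "ref": m["ref"], "note": m["note"]})
    return records


def lint(workflows, known_versions=None):
    """workflows: {filename: yaml_text}; known_versions: {(action, sha): tag}.
    Returns a sorted list of (kind, file, line, message) findings."""
    known_versions = known_versions or {}
    records = [r for fn, text in workflows.items() for r in parse_uses(fn, text)]
    findings = []

    # Pass 1: every remote action must be pinned to a full commit SHA and
    # carry a human-readable version comment next to it.
    for r in records:
        short = r["ref"][:7]
        if not SHA40_RE.match(r["ref"]):
            findings.append(("mutable-ref", r["file"], r["line"],
                             f"{r['action']}@{r['ref']} is a tag/branch, not a 40-hex commit SHA"))
        elif r["note"] is None:
            findings.append(("missing-annotation", r["file"], r["line"],
                             f"{r['action']}@{short}... has no version comment"))

    # Pass 2: the same (action, SHA) must be annotated identically everywhere.
    notes_by_pin = defaultdict(set)
    for r in records:
        if SHA40_RE.match(r["ref"]) and r["note"]:
            notes_by_pin[(r["action"], r["ref"])].add(r["note"])
    for r in records:
        notes = notes_by_pin.get((r["action"], r["ref"]), set())
        if r["note"] and len(notes) > 1:
            findings.append(("inconsistent-annotation", r["file"], r["line"],
                             f"{r['action']}@{r['ref'][:7]}... annotated {r['note']}, "
                             f"elsewhere {sorted(notes - {r['note']})}"))

    # Pass 3: with an authoritative SHA -> tag map (e.g. built from
    # `git ls-remote --tags` against the action repository), flag wrong comments.
    for r in records:
        expected = known_versions.get((r["action"], r["ref"]))
        if expected and r["note"] and r["note"] != expected:
            findings.append(("wrong-annotation", r["file"], r["line"],
                             f"{r['action']}@{r['ref'][:7]}... is {expected}, commented {r['note']}"))
    return sorted(findings)


# Constructed sample inputs mirroring the lines visible in the PR diff.
SAMPLE_WORKFLOWS = {
    "claude-pr-review.yml": (
        "steps:\n"
        "  - name: Checkout repository\n"
        "    uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0\n"
    ),
    "collectivex-sweep.yml": (
        "steps:\n"
        "  - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0\n"
        "    with: { clean: true }\n"
        "  - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1\n"
    ),
    "claude.yml": (
        "steps:\n"
        "  - name: Checkout repository\n"
        "    uses: actions/checkout@v7.0.0\n"
    ),
}
# Constructed authoritative map; the one entry is the annotation used by the other files.
KNOWN = {("actions/checkout", "9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0"): "v7.0.0"}

if __name__ == "__main__":
    for kind, fn, ln, msg in lint(SAMPLE_WORKFLOWS, KNOWN):
        print(f"{fn}:{ln}: {kind}: {msg}")
```

Run over the sample it reports the tag pin in claude.yml, the two files whose checkout annotations disagree, and the collectivex-sweep.yml line whose comment contradicts the known tag; a clean repository yields an empty list, which makes the function usable as a CI gate that fails a dependabot PR like this one before a human has to spot the mismatch by eye.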
@@ -87,9 +87,9 @@
CX_NODELIST: ${{ matrix.sku == 'mi355x' && 'mia1-p01-g10,mia1-p01-g15' || '' }}
CX_STAGE_DIR: ${{ matrix.sku == 'gb200' && '/mnt/lustre01/users-public/sa-shared/cx-stage' || '' }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0
with: { clean: true }
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: cxsweep-matrix-${{ github.run_id }}
path: experimental/CollectiveX
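Review bot: besides the stale `# v5.0.0` annotation on the checkout line, this hunk moves actions/download-artifact from v4.3.0 to v8.0.1, four major versions in one step, whereas the other download-artifact in this PR (run-sweep.yml) was already at v8.0.1. Major versions of download-artifact have changed how artifacts are fetched and unpacked, so the step that reads `cxsweep-matrix-${{ github.run_id }}` out of `experimental/CollectiveX` should be exercised on a real run before merge rather than trusting that the bump is behaviour-preserving.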
@@ -127,9 +127,9 @@
if: always()
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0
with: { clean: true }
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: cxshard-*-${{ github.run_id }}
path: _shards
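Review bot: same download-artifact jump as in the sweep job, but this one downloads with `pattern: cxshard-*-${{ github.run_id }}` into `path: _shards`, so whatever aggregates the shards depends on the per-artifact directory layout the action produces for a pattern download; confirm that layout (and whether `merge-multiple` is wanted) against the v8 documentation before merging. The checkout line in this hunk also still carries the `# v5.0.0` annotation that contradicts its SHA.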
8 changes: 4 additions & 4 deletions .github/workflows/e2e-tests.yml
@@ -54,13 +54,13 @@ jobs:
steps:
- name: Checkout code (ref)
if: ${{ inputs.ref && inputs.ref != '' }}
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ inputs.ref }}

- name: Checkout code (default)
if: ${{ !inputs.ref || inputs.ref == '' }}
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ github.sha }}
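Review bot: the two mutually exclusive checkout steps (`if: ${{ inputs.ref && inputs.ref != '' }}` and `if: ${{ !inputs.ref || inputs.ref == '' }}`) now carry two identical pins that dependabot has to keep in sync. profile.yml in this same PR handles the same case with a single step and `ref: ${{ inputs.ref || github.sha }}`; doing the same here removes one pin and one conditional with no change in behaviour.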

@@ -315,7 +315,7 @@ jobs:
if: ${{ always() && (needs.test-sweep-agentic.result != 'skipped' || needs.test-sweep-multi-node-agentic.result != 'skipped') }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
submodules: true

@@ -355,7 +355,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.REPO_PAT }}

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
6 changes: 3 additions & 3 deletions .github/workflows/profile.yml
@@ -46,7 +46,7 @@ jobs:
count: ${{ steps.filter.outputs.count }}
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ inputs.ref || github.sha }}

@@ -142,7 +142,7 @@ jobs:
fi

- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
ref: ${{ inputs.ref || github.sha }}
@@ -235,7 +235,7 @@ jobs:

- name: Checkout storage repo
if: ${{ steps.run.outputs.trace != '' }}
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
repository: SemiAnalysisAI/InferenceX-trace-storage
path: storage
12 changes: 6 additions & 6 deletions .github/workflows/run-sweep.yml
@@ -77,7 +77,7 @@ jobs:
fi

- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

@@ -136,7 +136,7 @@ jobs:
skip-pr-sweep: ${{ steps.gate.outputs.skip-pr-sweep }}
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Check for reusable sweep authorization
id: gate
@@ -205,7 +205,7 @@ jobs:
reuse-source-head-sha: ${{ steps.setup.outputs.reuse-source-head-sha }}
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

@@ -678,7 +678,7 @@ jobs:
needs.setup.outputs.reuse-enabled == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Download reusable source artifacts
env:
@@ -763,7 +763,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.REPO_PAT }}

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
@@ -801,7 +801,7 @@ jobs:
DATABASE_URL: ${{ secrets.NEON_PROD_RO_URL }}

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Download results artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
2 changes: 1 addition & 1 deletion .github/workflows/speedbench-al.yml
@@ -135,7 +135,7 @@ jobs:
# matrix from a previous run is never picked up as this job's output.
rm -rf "${{ github.workspace }}/speedbench_results" 2>/dev/null || true

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
2 changes: 1 addition & 1 deletion .github/workflows/test-changelog-gate.yml
@@ -48,7 +48,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

2 changes: 1 addition & 1 deletion .github/workflows/test-matrix-logic.yml
@@ -18,7 +18,7 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
2 changes: 1 addition & 1 deletion .github/workflows/test-process-result.yml
@@ -18,7 +18,7 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0