2 changes: 1 addition & 1 deletion .github/workflows/benchmark-multinode-tmpl.yml
Original file line number Diff line number Diff line change
Expand Up @@ -195,7 +195,7 @@ jobs:
done
fi

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/benchmark-tmpl.yml
Original file line number Diff line number Diff line change
Expand Up @@ -161,7 +161,7 @@ jobs:
done
fi

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/claude-pr-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ jobs:
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/claude.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@v6.0.2
uses: actions/checkout@v7.0.0
with:
fetch-depth: 0
token: ${{ secrets.CLAUDE_PAT }}
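Review bot: The `uses:` line in this hunk pins `actions/checkout` by a mutable tag (`@v7.0.0`) in a step that also passes `token: ${{ secrets.CLAUDE_PAT }}`, while the other workflows in this PR pin the same release by commit SHA. A tag can be re-pointed at a different commit, so pin this step the same way: `uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0`.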
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/codeowner-signoff-verify.yml
Original file line number Diff line number Diff line change
Expand Up @@ -184,7 +184,7 @@ jobs:
# files. Check out the trusted default branch; all PR content is read
# read-only via the GitHub API (gh / MCP), never from the working tree.
- name: Checkout repository (trusted default branch only)
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
ref: ${{ github.event.repository.default_branch }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/collect-evals.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/collect-results.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/collectivex-sweep.yml
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@
matrix: ${{ steps.gen.outputs.matrix }}
n: ${{ steps.gen.outputs.n }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0

Check warning on line 48 in .github/workflows/collectivex-sweep.yml

Claude / Claude Code Review

Stale `# v5.0.0` comments after SHA bump to v7.0.0

The four `actions/checkout` SHA pins in this file were bumped to `9c091bb2...` (v7.0.0) but the trailing `# v5.0.0` comments were left unchanged on lines 48, 90, 130, and 146. Every other workflow in this PR was updated to `# v7.0.0`; only this file was missed. Cosmetic only — the SHA determines the runtime version — but fixing to `# v7.0.0` keeps the file honest for reviewers.

Extended reasoning...

What the inconsistency is. In `.github/workflows/collectivex-sweep.yml`, four `actions/checkout` uses were pinned to SHA `de0fac2e4500dabe0009e67214ff5f5447ce83dd` with a trailing `# v5.0.0` comment. That comment was already inaccurate before this PR (that SHA is the v6.0.2 tag — every other file in this repo annotates it as `# v6.0.2`), but Dependabot only rewrites the version comment when it matches the format it expects. Since this file's comment said `# v5.0.0` rather than `# v6.0.2`, Dependabot bumped the SHA to `9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0` (v7.0.0) and left the comment alone.

Why it's misleading. A reader scanning `git diff` sees `# v5.0.0` on both sides of the hunk and reasonably concludes the workflow is still on v5. In reality, the SHA now resolves to v7.0.0 — a major-version upgrade with a breaking change (v7.0.0 blocks checking out fork PRs for `pull_request_target` and `workflow_run`, per the release notes in the PR description). Hiding a major bump behind an incorrect comment degrades reviewer trust in every future dependabot bump of this file.

Cross-checking every other file in this PR. `benchmark-multinode-tmpl.yml`, `benchmark-tmpl.yml`, `claude-pr-review.yml`, `codeowner-signoff-verify.yml`, `collect-evals.yml`, `collect-results.yml`, `e2e-tests.yml`, `profile.yml`, `run-sweep.yml`, `speedbench-al.yml`, `test-changelog-gate.yml`, `test-matrix-logic.yml`, and `test-process-result.yml` all correctly show `actions/checkout@9c091bb2... # v7.0.0` after Dependabot's bump. The SHA is identical across every file. Only `collectivex-sweep.yml` is left with the stale `# v5.0.0` on all four occurrences.

Runtime impact. None. GitHub Actions resolves `uses:` by SHA, not by the trailing comment, so the four steps will execute `actions/checkout` v7.0.0 exactly like every other workflow in this PR. This is purely a code-review / audit-trail issue.

Step-by-step proof.

1. Before this PR, line 48 read: `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0`. Cross-reference: `benchmark-tmpl.yml` (line 164 before this PR) had the same SHA annotated as `# v6.0.2` — confirming the pre-existing comment was already wrong (SHA `de0fac2e` = v6.0.2).
2. This PR's diff at line 48 changes only the SHA: `+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0`.
3. Cross-reference the new SHA against `benchmark-tmpl.yml` (post-PR): `- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0`. Same SHA, correctly labeled `# v7.0.0`.
4. The PR description's Dependabot release notes explicitly confirm SHA `9c091bb` is the v7.0.0 tip commit ("update error wording (#2467)" — the last commit before v7.0.0 was cut).
5. Therefore, line 48 (and by identical logic lines 90, 130, 146) is documenting the pin as v5.0.0 when it is actually running v7.0.0.

Fix. One-line change per occurrence: replace `# v5.0.0` with `# v7.0.0` on lines 48, 90, 130, and 146 of `.github/workflows/collectivex-sweep.yml`. Nothing else needs to change.

with: { clean: true }
- run: pip install --quiet pyyaml
- id: gen
Expand Down Expand Up @@ -87,9 +87,9 @@
CX_NODELIST: ${{ matrix.sku == 'mi355x' && 'mia1-p01-g10,mia1-p01-g15' || '' }}
CX_STAGE_DIR: ${{ matrix.sku == 'gb200' && '/mnt/lustre01/users-public/sa-shared/cx-stage' || '' }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0
with: { clean: true }
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: cxsweep-matrix-${{ github.run_id }}
path: experimental/CollectiveX
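Review bot: The `actions/download-artifact` line in this hunk moves from `# v4.3.0` to `# v8.0.1`, four major versions at once, and rides along with the checkout bump. The new SHA matches the one run-sweep.yml carries as an unchanged context line with `# v8.0.1`, but the step that uploads `cxsweep-matrix-${{ github.run_id }}` is not part of this diff, so confirm the uploading action's version is compatible with the v8 downloader before merging. The checkout line above it still reads `# v5.0.0` beside the new SHA and should become `# v7.0.0`, as flagged on line 48. The same pair of lines recurs in the next hunk.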
Expand Down Expand Up @@ -127,9 +127,9 @@
if: always()
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5.0.0
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v5.0.0
with: { clean: true }
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: cxshard-*-${{ github.run_id }}
path: _shards
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/e2e-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -54,13 +54,13 @@ jobs:
steps:
- name: Checkout code (ref)
if: ${{ inputs.ref && inputs.ref != '' }}
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ inputs.ref }}

- name: Checkout code (default)
if: ${{ !inputs.ref || inputs.ref == '' }}
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ github.sha }}
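Review bot: The `Checkout code (ref)` step passes a caller-supplied `ref: ${{ inputs.ref }}`, which is where the v7.0.0 behaviour change cited in the review comment on this PR (fork PR checkouts blocked for `pull_request_target` and `workflow_run`) could surface. The workflow's triggers are outside this hunk, so confirm that no caller passes a fork PR head as `inputs.ref` from one of those events, and record the result in the PR description.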

Expand Down Expand Up @@ -323,7 +323,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.REPO_PAT }}

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/profile.yml
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ jobs:
count: ${{ steps.filter.outputs.count }}
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ inputs.ref || github.sha }}

Expand Down Expand Up @@ -142,7 +142,7 @@ jobs:
fi

- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
ref: ${{ inputs.ref || github.sha }}
Expand Down Expand Up @@ -235,7 +235,7 @@ jobs:

- name: Checkout storage repo
if: ${{ steps.run.outputs.trace != '' }}
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
repository: SemiAnalysisAI/InferenceX-trace-storage
path: storage
Expand Down
12 changes: 6 additions & 6 deletions .github/workflows/run-sweep.yml
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ jobs:
fi

- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

Expand Down Expand Up @@ -136,7 +136,7 @@ jobs:
skip-pr-sweep: ${{ steps.gate.outputs.skip-pr-sweep }}
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Check for reusable sweep authorization
id: gate
Expand Down Expand Up @@ -205,7 +205,7 @@ jobs:
reuse-source-head-sha: ${{ steps.setup.outputs.reuse-source-head-sha }}
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

Expand Down Expand Up @@ -680,7 +680,7 @@ jobs:
needs.setup.outputs.reuse-enabled == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Download reusable source artifacts
env:
Expand Down Expand Up @@ -767,7 +767,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.REPO_PAT }}

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
Expand Down Expand Up @@ -805,7 +805,7 @@ jobs:
DATABASE_URL: ${{ secrets.NEON_PROD_RO_URL }}

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Download results artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/speedbench-al.yml
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,7 @@ jobs:
# matrix from a previous run is never picked up as this job's output.
rm -rf "${{ github.workspace }}/speedbench_results" 2>/dev/null || true

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/test-changelog-gate.yml
Original file line number Diff line number Diff line change
Expand Up @@ -48,12 +48,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "3.12"

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/test-matrix-logic.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,10 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: '3.12'

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/test-process-result.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,10 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: '3.12'

Expand Down