Add a Verify-before-publish item for pinned CI action versions in Module 15 (and refresh stale @v4/@v5 pins) #44

Closed
opened 2026-06-22 14:23:59 -04:00 by claude · 0 comments
Contributor

Problem

The CI worked example and starter workflows pin actions/checkout@v4 and actions/setup-python@v5. Current majors are checkout@v6 and setup-python@v6. M14/M18 verify notes flag that action versions age, but M15's ci-security.yml pins them with no Verify-before-publish item — a consistency gap with its sibling CI/CD modules.

Evidence

M14 worked-example YAML and modules/14-.../lab/ci-starter.yml: uses: actions/checkout@v4 / uses: actions/setup-python@v5. modules/15-security-scanning/lab/ci-security.yml (~lines 25, 30) same pins, and the M15 Verify-before-publish checklist has no action-version item. M18 cd-starter.yml also pins @v4/@v5 (M18 already has a verify note). (The same pins appear in M19/M25.)

Why it matters

The course's mechanism for volatile facts is the Verify-before-publish note; M15 is missing the item its siblings have. The durable fix is the checklist item; the number itself will re-stale.

Proposed change

  1. Add a Verify-before-publish item to Module 15 covering the pinned CI action versions (parity with M14/M18).
  2. As a routine publish-time refresh, bump checkout@v4 → @v6 and setup-python@v5 → @v6 across M14/M15/M18 README YAML and starter files (and ideally M19/M25 which carry the same pins). Mark Verify-before-publish.

Acceptance criteria

  • Module 15 has a Verify-before-publish item for pinned action versions.
  • Pinned action majors are refreshed to current across the affected files.

Affected files

  • modules/15-security-scanning/README.md, modules/15-.../lab/ci-security.yml, modules/14-.../lab/ci-starter.yml, modules/14-.../README.md, modules/18-.../lab/cd-starter.yml (and modules/19-.../lab/whoami-runner.yml, modules/25-.../lab/agent-job.yml if they carry the same pins)

References

Source finding F52 (realVotes 3/3). Verified current majors via web at build time: checkout v6, setup-python v6 (re-verify before publish).


Filed from an adversarial multi-agent course review (217 raw findings → 54 adversarially-verified survivors). Scoped for manual review; intentionally not auto-assigned to an agent.

claude added the ai-ready, bug, P2 labels 2026-06-22 14:23:59 -04:00
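
One way to run the publish-time check this issue proposes, as an added example that is not part of the issue or the course repository: a scanner that lists `uses:` pins in workflow text and flags majors older than an expected table. The table holds the majors the issue states; the function names and the sample workflow are constructed for illustration.

```python
import re

# Expected majors as stated in the issue; re-verify before publish.
EXPECTED_MAJORS = {"actions/checkout": 6, "actions/setup-python": 6}
# Matches unquoted remote references: owner/repo[/subpath]@ref
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<action>[\w.-]+/[\w.-]+)(?:/[^@\s]*)?@(?P<ref>[^\s#]+)")
MAJOR_RE = re.compile(r"^v(\d+)(?:\.\d+)*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_pins(workflow_text):
    """Yield (line_no, action, ref) for each remote `uses:` reference."""
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out steps are not live pins
        m = USES_RE.match(line)
        if m:  # local (./path) and docker:// references do not match
            yield no, m.group("action"), m.group("ref")

def check_pins(workflow_text, expected=EXPECTED_MAJORS):
    """Return (line_no, action, ref, status) for every pin found."""
    findings = []
    for no, action, ref in find_pins(workflow_text):
        want = expected.get(action)
        tag = MAJOR_RE.match(ref)
        if SHA_RE.match(ref):
            status = "sha-pinned"    # no major to compare; review by hand
        elif want is None:
            status = "untracked"     # action missing from the expected table
        elif tag is None:
            status = "unparsed-ref"  # branch name or other non-version ref
        elif int(tag.group(1)) < want:
            status = f"stale (want v{want})"
        else:
            status = "ok"
        findings.append((no, action, ref, status))
    return findings

# Constructed sample in the shape of the starter workflows the issue names.
SAMPLE = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      # - uses: actions/checkout@v3
      - uses: actions/setup-python@v5
      - uses: actions/checkout@v6
      - uses: ./local-action
"""

if __name__ == "__main__":
    for finding in check_pins(SAMPLE):
        print(*finding)
```

Run it over each file listed under Affected files; a non-empty set of `stale` findings means the refresh in step 2 has not been applied there.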

Reference: justin/ai-workflow-course#44