#10531 - Use non-deprecated Github Actions

[jmarrec]

Pull request overview

• Fixes Using deprecated Github Actions #10531

Pull Request Author

Add to this list or remove from it as applicable. This is a simple templated set of guidelines.

• Title of PR should be user-synopsis style (clearly understandable in a standalone changelog context)
• Label the PR with at least one of: Defect, Refactoring, NewFeature, Performance, and/or DoNoPublish
• Pull requests that impact EnergyPlus code must also include unit tests to cover enhancement or defect repair
• Author should provide a "walkthrough" of relevant code changes using a GitHub code review comment process
• If any diffs are expected, author must demonstrate they are justified using plots and descriptions
• If changes fix a defect, the fix should be demonstrated in plots and descriptions
• If any defect files are updated to a more recent version, upload new versions here or on DevSupport
• If IDD requires transition, transition source, rules, ExpandObjects, and IDFs must be updated, and add IDDChange label
• If structural output changes, add to output rules file and add OutputChange label
• If adding/removing any LaTeX docs or figures, update that document's CMakeLists file dependencies

Reviewer

This will not be exhaustively relevant to every PR.

• Perform a Code Review on GitHub
• If branch is behind develop, merge develop and build locally to check for side effects of the merge
• If defect, verify by running develop branch and reproducing defect, then running PR and reproducing fix
• If feature, test running new feature, try creative ways to break it
• CI status: all green or justified
• Check that performance is not impacted (CI Linux results include performance check)
• Run Unit Test(s) locally
• Check any new function arguments for performance impacts
• Verify IDF naming conventions and styles, memos and notes and defaults
• If new idf included, locally check the err file and other outputs

[jmarrec]

This might need tweaking to be less annoying (filtering on semver:major only maybe), we'll see. I'll do it as needed.

[Myoldmopar]

Filtering to semver:major does seem pretty reasonable. But also...maybe weekly isn't too bad regardless. Is there a dependabot or whatever that can open PRs automatically to take the weekly pain down a bit?

[jmarrec]

this will open PRs yes. https://docs.github.com/en/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#about-dependabot-pull-requests

[jmarrec]

New script to run locally to automatically update GHA actions

If you pass "--safe" it will only check the actions that start with "actions/xxx" meaning they are official github actions. Compatibility is pretty much a given here from experience. (actions/checkout, actions/setup-python, actions/upload-artifact, etc)

[jmarrec]

One of two deps that aren't github official that I bumped

[Myoldmopar]

Sounds good. Same question about using the full SHA for resilience/safety? Probably not important, just asking.

[jmarrec]

This is a "community" maintained action, so pinning to a minor/patch isn't a bad idea.

[jmarrec]

Other of two deps that aren't github official that I bumped

[Myoldmopar]

No problem at all with this, it's a great improvement. And adding a weekly check plus a locally running script to auto-update them is very nice.

One question I have is...what if we want to pin to a specific version for a while? This will continually complain? Is there 'exclude-list' capability?

In any case, this should merge right away.

[Myoldmopar]

This is good, of course. Any preference to using the full SHA instead of a tag? Is that safer/preferred?

[jmarrec]

Github official actions are safe to pin to a major tag.

[Myoldmopar]

Sounds good. Same question about using the full SHA for resilience/safety? Probably not important, just asking.

[Myoldmopar]

Filtering to semver:major does seem pretty reasonable. But also...maybe weekly isn't too bad regardless. Is there a dependabot or whatever that can open PRs automatically to take the weekly pain down a bit?

[Myoldmopar]

Totally happy. No reason to hold. We can continue to tweak this along with everything else at any time. Thanks @jmarrec

[jmarrec]

One question I have is...what if we want to pin to a specific version for a while? This will continually complain? Is there 'exclude-list' capability?

exactly. It's called "ignore", see https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#example-disabling-version-updates-for-some-dependencies

eg

    ignore:
      # Ignore updates to packages that start with 'aws'
      # Wildcards match zero or more arbitrary characters
      - dependency-name: "aws*"
      # Ignore some updates to the 'express' package
      - dependency-name: "express"
        # Ignore only new versions for 4.x and 5.x
        versions: ["4.x", "5.x"]