kandersolar
commented
1 year ago @kanderso-nrel is there a way to test if this works?
Just open a PR upgrading them and see what happens in the PR checks. I'd be a little surprised if we have to do anything more than change @v2 to @v4 in the workflow configurations.
In theory best practice would be to always audit the code for any new versions of actions before using them in a workflow (especially the deploy to PyPI workflow). In the real world I think it's reasonable to trust that an action maintained by github itself will not be malicious.
During the most recent GitHub Actions (example) the following warnings have been raised:
The checkout@v2 action is used by all three of the GitHub Actions workflows used in this repository.
I suppose we should update to actions/checkout@v3 and actions/setup-python@v4. @kanderso-nrel is there a way to test if this works?