Fix typesafe workflow

[leonard84]

• Update github-workflows-kt to 3.7.0 to fix failure
• Update dependency actions:upload-artifact___major to v6
• Update generated workflow
• Update Checkout to v6

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions and action versions (including checkout) across workflows for compatibility.
  • Upgraded the workflow automation framework to a newer release for stability.
  • Migrated action interfaces to their newer variants to align with upstream changes and improve CI reliability.
  • Adjusted documentation, scanning, and artifact-publishing workflows for more consistent behavior.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated GitHub Actions Kotlin workflow scripts and generated YAML to bump github-workflows-kt to 3.7.0, upgrade action major ranges (notably actions/checkout and actions/upload-artifact), and replace some typed action imports/usages (CodeQL/Codecov) with their Untyped variants and adjusted constructor parameter names.

Changes

Cohort / File(s)	Summary
Kotlin workflow scripts (general deps) .github/workflows/branches-and-prs.main.kts, .github/workflows/common.main.kts, .github/workflows/docs-pr.main.kts, .github/workflows/release.main.kts	Bumped io.github.typesafegithub:github-workflows-kt 3.6.0 → 3.7.0 and updated actions/checkout major constraint to [v6,v7-alpha); docs-pr also updated actions/upload-artifact range.
CodeQL Kotlin workflow .github/workflows/codeql-analysis.main.kts	Bumped github-workflows-kt to 3.7.0; updated actions/checkout and CodeQL action ranges; replaced typed imports/usages (CodeqlActionInit/CodeqlActionAnalyze) with untyped variants (CodeqlActionInit_Untyped/CodeqlActionAnalyze_Untyped).
Codecov import/usage in release script .github/workflows/release.main.kts	Replaced CodecovAction import/usage with CodecovAction_Untyped and adapted parameter name from failCiIfError to failCiIfError_Untyped.
Generated YAML workflows .github/workflows/codeql-analysis.yaml, .github/workflows/docs-pr.yaml, .github/workflows/branches-and-prs.yaml, .github/workflows/release.yaml	Updated actions/checkout@v5 → actions/checkout@v6; updated actions/upload-artifact@v5 → @v6 where present. No control-flow changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• Use fixed version to fix CodeQL workflow #2291: Similar edits to the CodeQL workflow file, updating CodeQL action versions and switching to untyped action usages.

Poem

🐰 I hopped through YAML and KTS,
Swapped a few imports with care,
Untyped actions now dance and play,
Pipelines hum with versions new,
Nibble a carrot — CI delights! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Fix typesafe workflow' accurately describes the main objective of the PR, which is to update github-workflows-kt dependency and fix related workflow issues.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR updates GitHub Actions workflow dependencies to fix a failure in the typesafe workflow system. The main changes include:

• Updated github-workflows-kt from 3.6.0 to 3.7.0 across all workflow files
• Updated actions/checkout from v5 to v6 in the CodeQL workflow
• Updated actions/upload-artifact from v5 to v6 in the docs workflow
• Switched CodeQL actions to use _Untyped variants with pinned versions [v4.32.4,v5-alpha) to address type system changes

The changes are necessary to fix workflow failures and maintain compatibility with the latest action versions. One minor issue was found with inconsistent version formatting in the upload-artifact dependency range specification.

Confidence Score: 4/5

• Safe to merge after fixing the minor version format inconsistency
• The PR contains necessary dependency updates with one minor syntax issue in version range formatting that should be corrected for consistency
• docs-pr.main.kts has a version format inconsistency that should be fixed

Important Files Changed

Filename	Overview
.github/workflows/common.main.kts	Updated github-workflows-kt from 3.6.0 to 3.7.0 - straightforward version bump
.github/workflows/codeql-analysis.main.kts	Updated checkout to v6, pinned CodeQL actions to v4.32.4+, switched to _Untyped variants due to type system changes
.github/workflows/docs-pr.main.kts	Updated upload-artifact dependency range to [v5,7.0) which uses inconsistent version format (v5 vs 7.0)

_{Last reviewed commit: 4811089}

[greptile-apps]

_{7 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/release.main.kts (1)

27-27: ⚠️ Potential issue | 🔴 Critical

Same unresolved CodecovAction issue as in branches-and-prs.main.kts.

The @file:DependsOn, import, and uses(action = CodecovAction(...)) call are identical in structure to the pattern that's already confirmed broken by the pipeline failures. This file will fail to compile for the same reason. Apply the same _Untyped fix described in the branches-and-prs.main.kts comment.

Also applies to: 31-31, 104-109

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.main.kts at line 27, Replace the unresolved
CodecovAction usage with the untyped variant: change the
`@file`:DependsOn("codecov:codecov-action___major:[v5,v6-alpha)") / import that
brings in CodecovAction and any uses(action = CodecovAction(...)) occurrences to
instead reference the untyped helper (e.g., CodecovAction_Untyped) and adjust
the import/dependsOn to the corresponding untyped artifact; update every
occurrence of CodecovAction (including the one shown and the other occurrences
in the file) to use CodecovAction_Untyped so the script compiles.

🧹 Nitpick comments (1)

.github/workflows/docs-pr.main.kts (1)

27-27: Inconsistent version range notation — upper bound 7.0 is missing the v prefix.

Every other binding range in this PR uses a v-prefixed upper bound (e.g., [v5,v6-alpha), [v6,v7-alpha)). While the generated YAML confirms the resolver currently handles 7.0 correctly, aligning the notation would be safer and more consistent.

♻️ Proposed normalisation

-@file:DependsOn("actions:upload-artifact___major:[v5,7.0)")
+@file:DependsOn("actions:upload-artifact___major:[v5,v7-alpha)")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docs-pr.main.kts at line 27, Inconsistent version-range
notation: the `@file`:DependsOn annotation currently uses an upper bound "7.0"
without the "v" prefix; update the dependency string
`@file`:DependsOn("actions:upload-artifact___major:[v5,7.0)") to use a v-prefixed
upper bound (e.g., change "7.0" to "v7.0") so it matches the other ranges like
"[v5,v6-alpha)" and "[v6,v7-alpha)" and keeps notation consistent across the
workflow.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/codeql-analysis.yaml:
- Line 47: The workflow currently uses "uses: 'actions/checkout@v6'" which
requires self-hosted runners >= 2.329.0; either update your self-hosted Actions
Runners to at least v2.329.0 so they can access the persisted credentials, or
change the checkout action to a lower-major release (e.g., actions/checkout@v3
or `@v2`) that is compatible with your runners; update the "uses:
'actions/checkout@v6'" entry accordingly or document the runner upgrade
requirement in the workflow repo.

In @.github/workflows/docs-pr.yaml:
- Line 54: The workflow currently uses "uses: 'actions/upload-artifact@v6'",
which requires Actions Runner ≥ 2.327.1 and Node.js 24; to avoid breaking
self-hosted runners either downgrade to a compatible version (e.g., change to
"uses: 'actions/upload-artifact@v3'") or add a clear comment/condition ensuring
self-hosted runners are upgraded to >=2.327.1, and document this requirement in
the workflow file or repo README so merges don't break CI.

---

Outside diff comments:
In @.github/workflows/release.main.kts:
- Line 27: Replace the unresolved CodecovAction usage with the untyped variant:
change the `@file`:DependsOn("codecov:codecov-action___major:[v5,v6-alpha)") /
import that brings in CodecovAction and any uses(action = CodecovAction(...))
occurrences to instead reference the untyped helper (e.g.,
CodecovAction_Untyped) and adjust the import/dependsOn to the corresponding
untyped artifact; update every occurrence of CodecovAction (including the one
shown and the other occurrences in the file) to use CodecovAction_Untyped so the
script compiles.

---

Nitpick comments:
In @.github/workflows/docs-pr.main.kts:
- Line 27: Inconsistent version-range notation: the `@file`:DependsOn annotation
currently uses an upper bound "7.0" without the "v" prefix; update the
dependency string `@file`:DependsOn("actions:upload-artifact___major:[v5,7.0)") to
use a v-prefixed upper bound (e.g., change "7.0" to "v7.0") so it matches the
other ranges like "[v5,v6-alpha)" and "[v6,v7-alpha)" and keeps notation
consistent across the workflow.

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/codeql-analysis.main.kts (1)

31-32: Consider switching back to typed CodeQL bindings once available.

_Untyped variants are the right workaround while typed bindings for [v4.32.4,v5-alpha) aren't published yet. Since neither CodeqlActionInit_Untyped nor CodeqlActionAnalyze_Untyped receives any parameters today, there's no immediate risk. If parameters ever need to be added, though, typos in key names will go undetected until YAML generation and runtime rather than compile time.

When a future github-workflows-kt update ships typed wrappers for this version range, swap back to the non-_Untyped imports:

♻️ Suggested future swap (once typed bindings are published)

-import io.github.typesafegithub.workflows.actions.github.CodeqlActionAnalyze_Untyped
-import io.github.typesafegithub.workflows.actions.github.CodeqlActionInit_Untyped
+import io.github.typesafegithub.workflows.actions.github.CodeqlActionInit
+import io.github.typesafegithub.workflows.actions.github.CodeqlActionAnalyze

-            action = CodeqlActionInit_Untyped(
+            action = CodeqlActionInit(

-            action = CodeqlActionAnalyze_Untyped()
+            action = CodeqlActionAnalyze()

Also applies to: 88-91, 129-131

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql-analysis.main.kts around lines 31 - 32, The file
currently imports CodeqlActionInit_Untyped and CodeqlActionAnalyze_Untyped as a
deliberate workaround; update nothing now but add a TODO and plan: when
github-workflows-kt publishes typed wrappers for the target CodeQL versions,
replace imports of CodeqlActionInit_Untyped and CodeqlActionAnalyze_Untyped with
their typed counterparts (CodeqlActionInit and CodeqlActionAnalyze), and remove
the _Untyped usages throughout the file (also at the other occurrences noted
around lines 88-91 and 129-131) to restore compile-time checking for action
parameters.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/branches-and-prs.yaml:
- Line 38: Update the actions/checkout@v6 usage to handle the new
persist-credentials behavior and document the runner requirement: add a with:
persist-credentials: false (or explicitly set the credential behavior your job
expects) for the step that uses the symbol "uses: 'actions/checkout@v6'", and
add a short note in the workflow that self-hosted runners must be v2.329.0 or
later to run authenticated git commands from container actions (the same change
should be applied to the other checkout occurrences referenced at lines
109-111).

In @.github/workflows/codeql-analysis.yaml:
- Line 47: The workflow uses actions/checkout@v6 which requires Actions Runner
>= v2.329.0 for authenticated git commands from Docker container actions; update
the workflow file to either (a) document this requirement (add a comment near
the uses: 'actions/checkout@v6' line) and assert jobs run on GitHub-hosted
runners (runs-on: ubuntu-latest), or (b) add a guard/notice for any self-hosted
runners so maintainers know to upgrade their runner to >= v2.329.0 or switch to
a compatible checkout action; reference the uses: 'actions/checkout@v6'
occurrence when making the change.

In @.github/workflows/release.yaml:
- Line 89: Replace the incompatible actions/checkout@v6 usage with a
runner-compatible checkout action across the three checkout steps mentioned (the
occurrences with actions/checkout@v6, including the checkout in the
publish-release-docs job and the other two occurrences) so the $RUNNER_TEMP
credential mechanism works for subsequent git operations; update each
actions/checkout reference to the runner-compatible version used elsewhere
(e.g., actions/checkout@v3) or explicitly set persist-credentials: true on those
checkout steps to ensure git checkout -b and git push run correctly as ordinary
run steps.

---

Nitpick comments:
In @.github/workflows/codeql-analysis.main.kts:
- Around line 31-32: The file currently imports CodeqlActionInit_Untyped and
CodeqlActionAnalyze_Untyped as a deliberate workaround; update nothing now but
add a TODO and plan: when github-workflows-kt publishes typed wrappers for the
target CodeQL versions, replace imports of CodeqlActionInit_Untyped and
CodeqlActionAnalyze_Untyped with their typed counterparts (CodeqlActionInit and
CodeqlActionAnalyze), and remove the _Untyped usages throughout the file (also
at the other occurrences noted around lines 88-91 and 129-131) to restore
compile-time checking for action parameters.

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/branches-and-prs.main.kts (1)

23-26: Consider opting into the 3.7.0 consistency-check checkout version feature.

github-workflows-kt 3.7.0 introduced an opt-in feature where the consistency check job automatically uses the actions/checkout version from the classpath Maven artifact, allowing future Renovate bumps to actions:checkout___major to propagate automatically without manual fixes. Since this PR bumps checkout to [v6,v7-alpha), opting in here would prevent the consistency check job (currently using the bundled v4) from drifting out of sync with the main workflows.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/branches-and-prs.main.kts around lines 23 - 26, The
consistency-check job is still using the bundled actions/checkout v4 rather than
the classpath version; update this script to opt into the github-workflows-kt
3.7.0 consistency-check checkout-version feature so the check will use the
classpath actions/checkout version you declared. Concretely, enable the 3.7.0
opt-in in this file (where you have
`@file`:DependsOn("io.github.typesafegithub:github-workflows-kt:3.7.0")) so the
consistency-check picks up the
`@file`:DependsOn("actions:checkout___major:[v6,v7-alpha)") setting instead of the
bundled v4.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/branches-and-prs.main.kts:
- Around line 23-26: The consistency-check job is still using the bundled
actions/checkout v4 rather than the classpath version; update this script to opt
into the github-workflows-kt 3.7.0 consistency-check checkout-version feature so
the check will use the classpath actions/checkout version you declared.
Concretely, enable the 3.7.0 opt-in in this file (where you have
`@file`:DependsOn("io.github.typesafegithub:github-workflows-kt:3.7.0")) so the
consistency-check picks up the
`@file`:DependsOn("actions:checkout___major:[v6,v7-alpha)") setting instead of the
bundled v4.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.12%. Comparing base (1e5a645) to head (bdd5619).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff            @@
##             master    #2299   +/-   ##
=========================================
  Coverage     82.12%   82.12%           
+ Complexity     4795     4793    -2     
=========================================
  Files           469      469           
  Lines         14958    14958           
  Branches       1888     1888           
=========================================
  Hits          12285    12285           
  Misses         1984     1984           
  Partials        689      689           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.