
Fix invalid GitHub Action versions blocking CI #578

Open
MasumRab wants to merge 2 commits into main from
cto/fix-download-artifact-version-8825342107962755172

Conversation

@MasumRab
Owner

Fixes the duplicate bandit dependency that was blocking uv sync during CI runs.


PR created automatically by Jules for task 8825342107962755172 started by @MasumRab

Co-authored-by: MasumRab <8943353+MasumRab@users.noreply.github.com>
@google-labs-jules
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.


Contributor

@sourcery-ai sourcery-ai bot left a comment


Sorry @MasumRab, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@coderabbitai
Contributor

coderabbitai bot commented Mar 28, 2026

Warning

Rate limit exceeded

@MasumRab has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 46 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 14 minutes and 46 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 222f9652-712c-4a64-ae96-fa84249c5ecb

📥 Commits

Reviewing files that changed from the base of the PR and between cbf7b31 and 7cd29e4.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (11)
  • .github/workflows/ci.yml
  • .github/workflows/ci.yml.orig
  • .github/workflows/ci.yml.rej
  • .github/workflows/deploy-staging.yml
  • .github/workflows/gemini-review.yml
  • .github/workflows/pr-check.yml
  • .github/workflows/push-check.yml
  • setup/launch.py
  • setup/launch.py.rej
  • setup/services.py
  • update-ci-actions.py

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

🤖 Hi @MasumRab, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

@github-actions

🤖 I'm sorry @MasumRab, but I was unable to process your request. Please see the logs for more details.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request transitions the CI action update script to use regex patterns for version matching, adds support for the setup-node action, and removes duplicate package entries from uv.lock. Reviewer feedback correctly identified that several target versions were non-existent, which would break workflows, and suggested a more efficient implementation for the file update logic to avoid redundant regex operations.

Comment on lines 13 to 21
ACTION_UPDATES = {
r'actions/checkout@v4': 'actions/checkout@v6',
r'actions/checkout@v5': 'actions/checkout@v6',
r'actions/setup-python@v4': 'actions/setup-python@v6',
r'actions/setup-python@v5': 'actions/setup-python@v6',
r'astral-sh/setup-uv@v4': 'astral-sh/setup-uv@v7',
r'astral-sh/setup-uv@v5': 'astral-sh/setup-uv@v7',
r'astral-sh/setup-uv@v6': 'astral-sh/setup-uv@v7',
r'actions/download-artifact@v4': 'actions/download-artifact@v8',
r'actions/download-artifact@v5': 'actions/download-artifact@v8',
r'actions/upload-artifact@v4': 'actions/upload-artifact@v5',
r'codecov/codecov-action@v4': 'codecov/codecov-action@v5',
r'actions/checkout@v[0-9]+': 'actions/checkout@v4',
r'actions/setup-python@v[0-9]+': 'actions/setup-python@v5',
r'astral-sh/setup-uv@v[0-9]+': 'astral-sh/setup-uv@v5',
r'actions/download-artifact@v[0-9]+': 'actions/download-artifact@v4',
r'actions/upload-artifact@v[0-9]+': 'actions/upload-artifact@v4',
r'codecov/codecov-action@v[0-9]+': 'codecov/codecov-action@v5',
r'actions/setup-node@v[0-9]+': 'actions/setup-node@v4',
}
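Review bot: the mapping on lines 13 to 21 contains entries that undo each other, because `ACTION_UPDATES` is iterated in insertion order and every pattern is applied to the same content: `actions/checkout@v4` is first rewritten to `actions/checkout@v6`, then `actions/checkout@v[0-9]+` matches that result and rewrites it to `actions/checkout@v4`. The same round trip happens for setup-python (v6, then v5), setup-uv (v7, then v5), download-artifact (v8, then v4) and upload-artifact (v5, then v4). The net effect is that only the generic `v[0-9]+` entries decide what is written, while the eleven specific entries above them only add misleading lines to `changes_made`. Keep a single entry per action. Note also that `v[0-9]+` is unanchored: it matches the `v4` in `actions/checkout@v4.1.0` and leaves `.1.0` attached to whatever target is substituted, and a reference pinned by full commit SHA (`uses: owner/repo@<sha> # vN`) matches none of these patterns and is silently skipped, which is the safer outcome but should be reported rather than ignored.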
Contributor


critical

Thanks for updating the action versions. I noticed that a couple of the target versions for the actions are not correct. astral-sh/setup-uv's latest major version is v1, and codecov/codecov-action's is v4. Using non-existent versions like @v5 will cause this script to produce invalid workflow files.

I've updated them to the correct latest stable versions.

Suggested change
ACTION_UPDATES = {
r'actions/checkout@v4': 'actions/checkout@v6',
r'actions/checkout@v5': 'actions/checkout@v6',
r'actions/setup-python@v4': 'actions/setup-python@v6',
r'actions/setup-python@v5': 'actions/setup-python@v6',
r'astral-sh/setup-uv@v4': 'astral-sh/setup-uv@v7',
r'astral-sh/setup-uv@v5': 'astral-sh/setup-uv@v7',
r'astral-sh/setup-uv@v6': 'astral-sh/setup-uv@v7',
r'actions/download-artifact@v4': 'actions/download-artifact@v8',
r'actions/download-artifact@v5': 'actions/download-artifact@v8',
r'actions/upload-artifact@v4': 'actions/upload-artifact@v5',
r'codecov/codecov-action@v4': 'codecov/codecov-action@v5',
r'actions/checkout@v[0-9]+': 'actions/checkout@v4',
r'actions/setup-python@v[0-9]+': 'actions/setup-python@v5',
r'astral-sh/setup-uv@v[0-9]+': 'astral-sh/setup-uv@v5',
r'actions/download-artifact@v[0-9]+': 'actions/download-artifact@v4',
r'actions/upload-artifact@v[0-9]+': 'actions/upload-artifact@v4',
r'codecov/codecov-action@v[0-9]+': 'codecov/codecov-action@v5',
r'actions/setup-node@v[0-9]+': 'actions/setup-node@v4',
}
ACTION_UPDATES = {
r'actions/checkout@v[0-9]+': 'actions/checkout@v4',
r'actions/setup-python@v[0-9]+': 'actions/setup-python@v5',
r'astral-sh/setup-uv@v[0-9]+': 'astral-sh/setup-uv@v1',
r'actions/download-artifact@v[0-9]+': 'actions/download-artifact@v4',
r'actions/upload-artifact@v[0-9]+': 'actions/upload-artifact@v4',
r'codecov/codecov-action@v[0-9]+': 'codecov/codecov-action@v4',
r'actions/setup-node@v[0-9]+': 'actions/setup-node@v4',
}
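Review bot: the suggested mapping pins `astral-sh/setup-uv` to `v1` and `codecov/codecov-action` to `v4`, while the PR under review moves the same two actions to `v7` and `v5`; the comment gives no source for either figure, and the PR title says wrong versions already block CI, so each target should be checked against the `vN` tags the action's repository actually publishes before either set is accepted. With the duplicate entries removed the mapping is at least consistent, but the `v[0-9]+` patterns are still unanchored; matching the whole `uses:` value (or adding a lookahead such as `(?![\w.-])` after the major version) keeps the script from rewriting only the major part of a `vN.N.N` tag.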

Comment on lines 33 to +46
for old_pattern, new_version in ACTION_UPDATES.items():
if re.search(old_pattern, updated):
updated = re.sub(old_pattern, new_version, updated)
changes_made.append(f"{old_pattern} -> {new_version}")
# Check if it's already at the target version or higher
# Actually, just force it to the target version for now
matches = re.findall(old_pattern, updated)
needs_update = False
for match in matches:
if match != new_version:
needs_update = True
break

if needs_update:
updated = re.sub(old_pattern, new_version, updated)
changes_made.append(f"{old_pattern} -> {new_version}")
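Review bot: the `matches`/`needs_update` block after the first `re.sub` on line 35 is dead code: once the substitution has run, `re.findall(old_pattern, updated)` only returns strings that already equal `new_version` (each generic pattern matches its own target), so `needs_update` is never set and the second `re.sub` never fires. The first branch also over-reports: `re.search(old_pattern, updated)` is true when the file already uses the target version, so `changes_made` records `actions/checkout@v[0-9]+ -> actions/checkout@v4` for files that did not change at all. Record a change only when the content differs before and after the substitution, and drop the second block together with the two stale comments on lines 37 and 38.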
Contributor


medium

The logic to determine if an update is needed is overly complex and inefficient, as it involves multiple regex operations (search, findall, sub) for each pattern.

You can simplify this significantly by performing the re.sub operation and then comparing the result with the content before the substitution. This is more concise, easier to read, and more performant.

Suggested change
for old_pattern, new_version in ACTION_UPDATES.items():
if re.search(old_pattern, updated):
updated = re.sub(old_pattern, new_version, updated)
changes_made.append(f"{old_pattern} -> {new_version}")
# Check if it's already at the target version or higher
# Actually, just force it to the target version for now
matches = re.findall(old_pattern, updated)
needs_update = False
for match in matches:
if match != new_version:
needs_update = True
break
if needs_update:
updated = re.sub(old_pattern, new_version, updated)
changes_made.append(f"{old_pattern} -> {new_version}")
for old_pattern, new_version in ACTION_UPDATES.items():
new_content = re.sub(old_pattern, new_version, updated)
if new_content != updated:
updated = new_content
changes_made.append(f"{old_pattern} -> {new_version}")
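Review bot: the replacement fixes the false "changed" entries, since `new_content != updated` is only true when at least one occurrence was actually rewritten. Two follow-ups: `changes_made` still logs the pattern rather than the version that was replaced, so `actions/checkout@v[0-9]+ -> actions/checkout@v4` does not say whether `v3` or `v5` was in the file; collecting `re.findall(old_pattern, updated)` before the substitution and logging the matches that differ from `new_version` gives a precise audit trail. And the loop still applies every pattern to the whole file in dict order, so the ordering caveat for overlapping entries in `ACTION_UPDATES` applies here as well.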

Co-authored-by: MasumRab <8943353+MasumRab@users.noreply.github.com>
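As an added example (not code from this PR or from the repository's update-ci-actions.py), the snippet below combines the before/after comparison from the review comment above with an allowlist of tags the script is permitted to write, so it reports only real changes and refuses to emit a version that does not exist, which is the failure the first review comment describes. The `ACTION_UPDATES` mapping, the `KNOWN_TAGS` allowlist, the sample workflow and the function names `validate_targets` and `update_workflow` are all constructed for this example. Patterns are applied with `re.fullmatch` against the whole `uses:` reference rather than with `re.sub` over the file, which is a deliberate departure from the script: an unanchored `v[0-9]+` can otherwise rewrite only the major part of a tag such as `v4.1.0`, and a SHA-pinned reference is left untouched instead of being partially matched.

```python
import re

# Constructed mapping for this example (an assumption, not the PR's own table):
# each key is a regex that must match the WHOLE `uses:` reference, each value
# is the tag the script is allowed to write for that action.
ACTION_UPDATES = {
    r"actions/checkout@v[0-9]+": "actions/checkout@v4",
    r"actions/setup-python@v[0-9]+": "actions/setup-python@v5",
    r"actions/setup-node@v[0-9]+": "actions/setup-node@v4",
}

# Constructed allowlist of tags known to exist (an assumption). In a real run
# this would be filled from the actions' published release tags, so the script
# can never write a version that does not exist.
KNOWN_TAGS = {
    "actions/checkout@v4",
    "actions/setup-python@v5",
    "actions/setup-node@v4",
}

# A `uses:` line: indent and optional list dash, the reference itself (no
# whitespace), then anything after it such as a trailing `# vN` comment.
USES_RE = re.compile(r"^(?P<head>\s*-?\s*uses:\s*)(?P<ref>\S+)(?P<rest>.*)$")

# Constructed sample workflow covering the cases the review discusses:
# an outdated tag, a tag already at target, a patch-level tag, a SHA pin.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - uses: actions/setup-node@v4.1.0
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
"""


def validate_targets(updates, known_tags):
    """Return every target tag in `updates` that is not in the allowlist."""
    return sorted(t for t in updates.values() if t not in known_tags)


def update_workflow(text, updates, known_tags):
    """Rewrite `uses:` references and return (new_text, changes).

    `changes` lists (old_ref, new_ref) pairs and only contains references that
    were actually rewritten, so a file already at the target version reports
    nothing: the before/after comparison from the review, done per reference.
    """
    unknown = validate_targets(updates, known_tags)
    if unknown:
        raise ValueError(f"refusing to write unknown action tags: {unknown}")

    changes = []
    out = []
    for line in text.split("\n"):  # split on "\n" so join() round-trips exactly
        m = USES_RE.match(line)
        if m:
            ref = m.group("ref")
            new_ref = ref
            for pattern, target in updates.items():
                # fullmatch anchors the pattern to the whole reference, so
                # `v[0-9]+` cannot rewrite just the `v4` inside `v4.1.0`, and a
                # SHA-pinned reference never matches and is left alone.
                if re.fullmatch(pattern, ref):
                    new_ref = target
                    break
            if new_ref != ref:
                changes.append((ref, new_ref))
                line = m.group("head") + new_ref + m.group("rest")
        out.append(line)
    return "\n".join(out), changes


if __name__ == "__main__":
    new_text, changes = update_workflow(SAMPLE_WORKFLOW, ACTION_UPDATES, KNOWN_TAGS)
    for old, new in changes:
        print(f"{old} -> {new}")
    print(new_text)
```

Run against the sample, only `actions/checkout@v3 -> actions/checkout@v4` is reported: the setup-python step is already at its target, the `v4.1.0` tag and the SHA-pinned step do not fully match any pattern and are left as they are. Passing a mapping whose target is not in `KNOWN_TAGS` raises before any line is touched.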
@mergify

mergify bot commented Mar 29, 2026

👋 @MasumRab your PR is conflicting and needs to be updated to be merged.

@mergify mergify bot added the conflict label Mar 29, 2026
@sonarqubecloud

Quality Gate failed

Failed conditions
8 Security Hotspots
5.2% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud
