Deprecating the `latest` and `vX.Y` tags of the `julia-actions/setup-julia` GitHub Action

Tooling
1

We recently released v3 of julia-actions/setup-julia, which is a GitHub Action that installs Julia for use in your GitHub Actions CI jobs. I want to talk a bit about the tags on that repo. This discussion only affects the latest tag and tags of the form vX.Y (e.g. v2.7). If you don’t use those tags, you can skip the rest of this post.

Changes

In the past (for setup-julia v1 and v2), we maintained a tag called latest, which pointed to the absolute latest version of setup-julia. Going forward, for setup-julia v3 and later, we will no longer update the latest tag. So you should stop using the latest tag going forward.

In the past (for setup-julia v1 and v2), we would maintain tags of the form vX.Y (e.g. v2.7). Going forward, for setup-julia v3 and later, we will not be creating tags of the form vX.Y. So you should stop using the vX.Y tags going forward.

Recommendation

We recommend[1] that most people pin setup-julia to the full-length commit hash, for example:


- uses: julia-actions/setup-julia@f6f565d9f7cf12f53dc8045742460d6260ad3b39 # v3.0.1

And then use Dependabot (or a similar tool, such as Renovate) to keep those commit hashes up-to-date.

But if you don’t want to use a full-length commit hash, you can instead use the v3 convenience tag, for example:


- uses: julia-actions/setup-julia@v3

  1. See also: Using third-party actions → Pin actions to a full-length commit SHA ↩︎

2

I currently use:

    strategy:
      fail-fast: false
      matrix:
        version:
          - '1.11'
          - '1.12'
        os:
          - ubuntu-latest
          - windows-latest
        arch:
          - x64

    steps:
      - uses: actions/checkout@v6
      - uses: julia-actions/setup-julia@v2
        with:
          version: ${{ matrix.version }}
          arch: ${{ matrix.arch }}

Would I have to change that?

3

You can use that same approach. Although you should upgrade from setup-julia@v2 to setup-julia@v3.

4

Also, for most use cases, you can get rid of arch entirely - remove it from your matrix, and remove it when calling setup-julia. When you omit arch, setup-julia will automatically choose the architecture of the runner that you’re running on, which is the right behavior for most use cases.

So, your code example would become:

    strategy:
      fail-fast: false
      matrix:
        version:
          - '1.11'
          - '1.12'
        os:
          - ubuntu-latest
          - windows-latest

    steps:
      - uses: actions/checkout@v6
      - uses: julia-actions/setup-julia@v3
        with:
          version: ${{ matrix.version }}
5

Where would one find evidence (or even an assertion) that, say,
julia-actions/setup-julia@f6f565d9f7cf12f53dc8045742460d6260ad3b39
has passed some sort of security review?