Skip to content

ci: update GitHub Actions pins for Node 24#47

Closed
thepastaclaw wants to merge 1 commit into
PastaPastaPasta:release-v23.1.7from
thepastaclaw:ci/release-23.1-node24-actions
Closed

ci: update GitHub Actions pins for Node 24#47
thepastaclaw wants to merge 1 commit into
PastaPastaPasta:release-v23.1.7from
thepastaclaw:ci/release-23.1-node24-actions

Conversation

@thepastaclaw

@thepastaclaw thepastaclaw commented Jun 30, 2026

Copy link
Copy Markdown

CI Action Pin Updates

Issue Being Fixed Or Feature Implemented

GitHub Actions is warning that several workflow actions still target older
Node.js runtimes, including Node.js 20, and are being forced to run on Node.js
24 on the release-v23.1.7 branch.

This updates the release branch workflow action pins to Node 24-compatible
versions so release CI stops carrying the deprecation warning.

What Was Done?

  • Updated first-party workflow actions such as actions/checkout,
    actions/cache, artifact upload/download, attest, and
    actions/github-script to current Node 24-compatible releases.
  • Updated Docker workflow actions to the current Node 24-compatible major
    versions.
  • Updated active third-party workflow actions that still targeted older Node
    runtimes:
    • amannn/action-semantic-pull-request
    • mshick/add-pr-comment
    • eps1lon/actions-label-merge-conflict
  • Replaced actions-ecosystem/action-add-labels@v1 in merge-check.yml with
    a small actions/github-script@v8 step because the old action targets
    Node 12.
  • Kept PR comment/label workflows working after the action bumps by granting
    the needed Issues API permission and making conflict-comment updates
    nonfatal.

How Has This Been Tested?

On macOS arm64:

git diff --check pasta/release-v23.1.7..HEAD
find .github/workflows -name '*.yml' -print0 \
  | xargs -0 -n1 ruby -e 'require "yaml"; YAML.load_file(ARGV[0]); puts "ok #{ARGV[0]}"'

I also scanned the touched workflows for the deprecated action pins that
produced the warnings and checked the referenced action metadata for the active
workflow actions. The upgraded JavaScript actions resolve to node24; the
custom conflict checker action is Docker-based.

The pre-PR code review gate returned Recommendation: ship.

Breaking Changes

None. This is CI workflow configuration only.

Checklist

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated relevant unit/integration/functional/e2e tests
  • I have made corresponding changes to the documentation
  • I have assigned this pull request to a milestone

Summary by CodeRabbit

  • Chores
    • Updated multiple GitHub Actions workflows to newer major versions for checkout, caching, artifact handling, Docker builds, and PR checks.
    • Improved workflow permissions where needed for issue/label updates.
    • Made conflict-comment steps more resilient so comment-related failures won’t fail the whole job.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

All GitHub Actions workflow files are updated to newer major versions of actions (checkout v6, cache v5, upload-artifact v6, docker actions). Three conflict/merge workflows gain issues: write permissions; merge-check replaces action-add-labels@v1 with a github-script@v8 step; predict-conflicts adds continue-on-error: true to comment steps.

Changes

GitHub Actions Version Bumps and Permission Fixes

Layer / File(s) Summary
Build/test workflow action version bumps
.github/workflows/build-container.yml, .github/workflows/build-depends.yml, .github/workflows/build-src.yml, .github/workflows/cache-depends-sources.yml, .github/workflows/guix-build.yml, .github/workflows/test-src.yml
Upgrades actions/checkout (v4→v6), actions/cache (v4→v5), actions/upload-artifact (v4→v6), and Docker actions (setup-buildx v3→v4, login v3→v4, build-push v6→v7, attest-build-provenance@v1attest@v4) across all build and test workflows.
Release, lint, and semantic PR action bumps
.github/workflows/release_docker_hub.yml, .github/workflows/lint.yml, .github/workflows/clang-diff-format.yml, .github/workflows/semantic-pull-request.yml
Upgrades actions/checkout, docker/setup-qemu-action, docker/setup-buildx-action, docker/login-action, docker/metadata-action, docker/build-push-action, actions/github-script, and amannn/action-semantic-pull-request to newer major versions.
Conflict/merge workflow permissions and logic
.github/workflows/label-merge-conflicts.yml, .github/workflows/merge-check.yml, .github/workflows/predict-conflicts.yml
Adds issues: write permission to all three workflows; bumps eps1lon/actions-label-merge-conflict to v3.1.0; replaces action-add-labels@v1 with actions/github-script@v8 calling github.rest.issues.addLabels; upgrades mshick/add-pr-comment v2→v3; adds continue-on-error: true to conflict comment steps.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 Hop, hop, hooray for versions new,
The actions all got a fresh upgrade too!
Checkout at six, cache at five,
Our CI pipeline feels so alive.
With issues:write now properly set,
The bunny's workflows have no regret! 🌟

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the PR’s main change: updating GitHub Actions pins for Node 24 compatibility.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown

✅ No Merge Conflicts Detected

This PR currently has no conflicts with other open PRs.

@thepastaclaw
thepastaclaw force-pushed the ci/release-23.1-node24-actions branch from 811bfd1 to decce1d Compare June 30, 2026 14:48
Backport the workflow action-pin upgrades from develop that apply to this release branch, to silence GitHub's Node.js 20 deprecation warnings on the v23.1.x CI.

This updates the affected first-party and Docker actions to their Node 24-compatible majors, replaces deprecated attest-build-provenance with actions/attest, and bumps add-pr-comment usage to the current v3 action where present.
@thepastaclaw
thepastaclaw force-pushed the ci/release-23.1-node24-actions branch from decce1d to 3a36acd Compare June 30, 2026 14:50
@thepastaclaw

Copy link
Copy Markdown
Author

@coderabbitai review

@thepastaclaw
thepastaclaw marked this pull request as ready for review June 30, 2026 14:51
@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/clang-diff-format.yml:
- Around line 11-12: The Checkout step in the workflow still persists Git
credentials, which is unnecessary for this job and can leak the token to later
steps. Update the `actions/checkout` step in the workflow to disable persisted
credentials by setting `persist-credentials` to false, keeping the change
localized to the `Checkout` job step.

In @.github/workflows/predict-conflicts.yml:
- Around line 32-35: The validate_conflicts step in the predict-conflicts
workflow is masking failures from handle_potential_conflicts.py, which prevents
the later conflict checks from running correctly. Remove continue-on-error from
the validate_conflicts job step and keep nonfatal behavior only on the
comment-related steps, so the validate step can fail the workflow when conflict
detection itself errors. Reference the validate_conflicts step and the
steps.validate_conflicts.outputs.has_conflicts checks when updating the
workflow.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7e693d5d-a374-4a7b-a316-30926619f13d

📥 Commits

Reviewing files that changed from the base of the PR and between 01fc719 and 3a36acd.

📒 Files selected for processing (13)
  • .github/workflows/build-container.yml
  • .github/workflows/build-depends.yml
  • .github/workflows/build-src.yml
  • .github/workflows/cache-depends-sources.yml
  • .github/workflows/clang-diff-format.yml
  • .github/workflows/guix-build.yml
  • .github/workflows/label-merge-conflicts.yml
  • .github/workflows/lint.yml
  • .github/workflows/merge-check.yml
  • .github/workflows/predict-conflicts.yml
  • .github/workflows/release_docker_hub.yml
  • .github/workflows/semantic-pull-request.yml
  • .github/workflows/test-src.yml

Comment on lines 11 to +12
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
sed -n '1,80p' .github/workflows/clang-diff-format.yml
rg -n 'git push|gh |gh api|persist-credentials' .github/workflows/clang-diff-format.yml

Repository: PastaPastaPasta/dash

Length of output: 892


🏁 Script executed:

python3 - <<'PY'
from pathlib import Path
import re

p = Path('.github/workflows/clang-diff-format.yml')
text = p.read_text()
print("has_checkout", 'actions/checkout@v6' in text)
print("has_fetch", 'git fetch --no-tags -fu origin develop:develop' in text)
print("has_push_or_gh", bool(re.search(r'git push|gh api|gh ', text)))
print("checkout_with_block", bool(re.search(r'uses:\s*actions/checkout@v6\s*\n\s*with:', text)))
PY

Repository: PastaPastaPasta/dash

Length of output: 238


🌐 Web query:

actions/checkout v6 persist-credentials default token extraheader git fetch subsequent steps documentation

💡 Result:

In actions/checkout v6, the persist-credentials input defaults to true [1][2]. When enabled, it configures Git to use the authentication token provided by the GitHub Actions runner for subsequent git operations, such as git fetch, within the workflow [1][3]. Key details regarding this functionality include: Credential Storage: Unlike previous versions that modified the local.git/config file directly, v6 improves security by writing credentials to a separate file located within $RUNNER_TEMP [1][4]. This file is then referenced via includeIf directives in the local Git configuration [5]. Subsequent Steps: Because the runner configures Git to point to these credentials automatically, subsequent steps in your workflow that execute Git commands (e.g., git fetch, git push) will remain authenticated without requiring additional manual configuration [1][2]. Docker Container Actions: Running authenticated Git commands from within a Docker container action requires Actions Runner v2.329.0 or later [1][3]. For these operations to succeed, the $RUNNER_TEMP directory must be accessible inside the container (e.g., via volume mapping), as the container must be able to read the credentials file referenced by the includeIf directive [5]. Opting Out: To disable this behavior and prevent the action from persisting credentials, set the persist-credentials input to false [1][2]. The action does not explicitly document an input for an extraheader; it manages authentication through standard Git credential helper mechanisms and includeIf configurations rather than by manually injecting global Git extraHeaders [1][5].

Citations:


Disable persisted checkout credentials here. This job doesn’t need authenticated follow-up git operations, and the later repo-controlled script would still inherit the token if it stays enabled. Add persist-credentials: false to the checkout step.

Suggested change
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v6
- name: Checkout
uses: actions/checkout@v6
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 11-12: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/clang-diff-format.yml around lines 11 - 12, The Checkout
step in the workflow still persists Git credentials, which is unnecessary for
this job and can leak the token to later steps. Update the `actions/checkout`
step in the workflow to disable persisted credentials by setting
`persist-credentials` to false, keeping the change localized to the `Checkout`
job step.

Source: Linters/SAST tools

Comment on lines 32 to 35
- name: validate potential conflicts
id: validate_conflicts
run: pip3 install hjson && .github/workflows/handle_potential_conflicts.py "$conflicts"
continue-on-error: true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

continue-on-error: true on the validate step silently masks conflict-detection failures.

If handle_potential_conflicts.py errors out, the step no longer fails the job; instead steps.validate_conflicts.outputs.has_conflicts stays unset, so both the "Post conflict comment" and "Fail if conflicts exist" (Line 60-62) steps are skipped and the job reports success. A genuine conflict-detection failure (e.g. API/network error) would then pass silently. If you only intend the comment steps to be nonfatal, drop continue-on-error from the validate step itself and keep it on the comment steps.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/predict-conflicts.yml around lines 32 - 35, The
validate_conflicts step in the predict-conflicts workflow is masking failures
from handle_potential_conflicts.py, which prevents the later conflict checks
from running correctly. Remove continue-on-error from the validate_conflicts job
step and keep nonfatal behavior only on the comment-related steps, so the
validate step can fail the workflow when conflict detection itself errors.
Reference the validate_conflicts step and the
steps.validate_conflicts.outputs.has_conflicts checks when updating the
workflow.

@thepastaclaw

Copy link
Copy Markdown
Author

Closing this mistaken fork-target PR. The official PR is dashpay#7395.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant