ci: update GitHub Actions pins for Node 24#47
Conversation
📝 WalkthroughWalkthroughAll GitHub Actions workflow files are updated to newer major versions of actions (checkout v6, cache v5, upload-artifact v6, docker actions). Three conflict/merge workflows gain ChangesGitHub Actions Version Bumps and Permission Fixes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
✅ No Merge Conflicts DetectedThis PR currently has no conflicts with other open PRs. |
53b99af to
01fc719
Compare
811bfd1 to
decce1d
Compare
Backport the workflow action-pin upgrades from develop that apply to this release branch, to silence GitHub's Node.js 20 deprecation warnings on the v23.1.x CI. This updates the affected first-party and Docker actions to their Node 24-compatible majors, replaces deprecated attest-build-provenance with actions/attest, and bumps add-pr-comment usage to the current v3 action where present.
decce1d to
3a36acd
Compare
|
@coderabbitai review |
✅ Action performedReview finished.
|
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/clang-diff-format.yml:
- Around line 11-12: The Checkout step in the workflow still persists Git
credentials, which is unnecessary for this job and can leak the token to later
steps. Update the `actions/checkout` step in the workflow to disable persisted
credentials by setting `persist-credentials` to false, keeping the change
localized to the `Checkout` job step.
In @.github/workflows/predict-conflicts.yml:
- Around line 32-35: The validate_conflicts step in the predict-conflicts
workflow is masking failures from handle_potential_conflicts.py, which prevents
the later conflict checks from running correctly. Remove continue-on-error from
the validate_conflicts job step and keep nonfatal behavior only on the
comment-related steps, so the validate step can fail the workflow when conflict
detection itself errors. Reference the validate_conflicts step and the
steps.validate_conflicts.outputs.has_conflicts checks when updating the
workflow.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 7e693d5d-a374-4a7b-a316-30926619f13d
📒 Files selected for processing (13)
.github/workflows/build-container.yml.github/workflows/build-depends.yml.github/workflows/build-src.yml.github/workflows/cache-depends-sources.yml.github/workflows/clang-diff-format.yml.github/workflows/guix-build.yml.github/workflows/label-merge-conflicts.yml.github/workflows/lint.yml.github/workflows/merge-check.yml.github/workflows/predict-conflicts.yml.github/workflows/release_docker_hub.yml.github/workflows/semantic-pull-request.yml.github/workflows/test-src.yml
| - name: Checkout | ||
| uses: actions/checkout@v3 | ||
| uses: actions/checkout@v6 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
sed -n '1,80p' .github/workflows/clang-diff-format.yml
rg -n 'git push|gh |gh api|persist-credentials' .github/workflows/clang-diff-format.ymlRepository: PastaPastaPasta/dash
Length of output: 892
🏁 Script executed:
python3 - <<'PY'
from pathlib import Path
import re
p = Path('.github/workflows/clang-diff-format.yml')
text = p.read_text()
print("has_checkout", 'actions/checkout@v6' in text)
print("has_fetch", 'git fetch --no-tags -fu origin develop:develop' in text)
print("has_push_or_gh", bool(re.search(r'git push|gh api|gh ', text)))
print("checkout_with_block", bool(re.search(r'uses:\s*actions/checkout@v6\s*\n\s*with:', text)))
PYRepository: PastaPastaPasta/dash
Length of output: 238
🌐 Web query:
actions/checkout v6 persist-credentials default token extraheader git fetch subsequent steps documentation
💡 Result:
In actions/checkout v6, the persist-credentials input defaults to true [1][2]. When enabled, it configures Git to use the authentication token provided by the GitHub Actions runner for subsequent git operations, such as git fetch, within the workflow [1][3]. Key details regarding this functionality include: Credential Storage: Unlike previous versions that modified the local.git/config file directly, v6 improves security by writing credentials to a separate file located within $RUNNER_TEMP [1][4]. This file is then referenced via includeIf directives in the local Git configuration [5]. Subsequent Steps: Because the runner configures Git to point to these credentials automatically, subsequent steps in your workflow that execute Git commands (e.g., git fetch, git push) will remain authenticated without requiring additional manual configuration [1][2]. Docker Container Actions: Running authenticated Git commands from within a Docker container action requires Actions Runner v2.329.0 or later [1][3]. For these operations to succeed, the $RUNNER_TEMP directory must be accessible inside the container (e.g., via volume mapping), as the container must be able to read the credentials file referenced by the includeIf directive [5]. Opting Out: To disable this behavior and prevent the action from persisting credentials, set the persist-credentials input to false [1][2]. The action does not explicitly document an input for an extraheader; it manages authentication through standard Git credential helper mechanisms and includeIf configurations rather than by manually injecting global Git extraHeaders [1][5].
Citations:
- 1: https://github.com/actions/checkout/tree/v6.0.2?tab=readme-ov-file
- 2: https://github.com/actions/checkout
- 3: https://github.com/actions/checkout/?tab=readme-ov-file
- 4: https://github.com/actions/checkout?tab=readme-ov-file
- 5: checkout@v6 credentials don't work with Docker container actions - no workaround available actions/checkout#2359
Disable persisted checkout credentials here. This job doesn’t need authenticated follow-up git operations, and the later repo-controlled script would still inherit the token if it stays enabled. Add persist-credentials: false to the checkout step.
Suggested change
- name: Checkout
uses: actions/checkout@v6
+ with:
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| uses: actions/checkout@v6 | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 11-12: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/clang-diff-format.yml around lines 11 - 12, The Checkout
step in the workflow still persists Git credentials, which is unnecessary for
this job and can leak the token to later steps. Update the `actions/checkout`
step in the workflow to disable persisted credentials by setting
`persist-credentials` to false, keeping the change localized to the `Checkout`
job step.
Source: Linters/SAST tools
| - name: validate potential conflicts | ||
| id: validate_conflicts | ||
| run: pip3 install hjson && .github/workflows/handle_potential_conflicts.py "$conflicts" | ||
| continue-on-error: true |
There was a problem hiding this comment.
🩺 Stability & Availability | 🟠 Major | ⚡ Quick win
continue-on-error: true on the validate step silently masks conflict-detection failures.
If handle_potential_conflicts.py errors out, the step no longer fails the job; instead steps.validate_conflicts.outputs.has_conflicts stays unset, so both the "Post conflict comment" and "Fail if conflicts exist" (Line 60-62) steps are skipped and the job reports success. A genuine conflict-detection failure (e.g. API/network error) would then pass silently. If you only intend the comment steps to be nonfatal, drop continue-on-error from the validate step itself and keep it on the comment steps.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/predict-conflicts.yml around lines 32 - 35, The
validate_conflicts step in the predict-conflicts workflow is masking failures
from handle_potential_conflicts.py, which prevents the later conflict checks
from running correctly. Remove continue-on-error from the validate_conflicts job
step and keep nonfatal behavior only on the comment-related steps, so the
validate step can fail the workflow when conflict detection itself errors.
Reference the validate_conflicts step and the
steps.validate_conflicts.outputs.has_conflicts checks when updating the
workflow.
|
Closing this mistaken fork-target PR. The official PR is dashpay#7395. |
CI Action Pin Updates
Issue Being Fixed Or Feature Implemented
GitHub Actions is warning that several workflow actions still target older
Node.js runtimes, including Node.js 20, and are being forced to run on Node.js
24 on the
release-v23.1.7branch.This updates the release branch workflow action pins to Node 24-compatible
versions so release CI stops carrying the deprecation warning.
What Was Done?
actions/checkout,actions/cache, artifact upload/download, attest, andactions/github-scriptto current Node 24-compatible releases.versions.
runtimes:
amannn/action-semantic-pull-requestmshick/add-pr-commenteps1lon/actions-label-merge-conflictactions-ecosystem/action-add-labels@v1inmerge-check.ymlwitha small
actions/github-script@v8step because the old action targetsNode 12.
the needed Issues API permission and making conflict-comment updates
nonfatal.
How Has This Been Tested?
On macOS arm64:
I also scanned the touched workflows for the deprecated action pins that
produced the warnings and checked the referenced action metadata for the active
workflow actions. The upgraded JavaScript actions resolve to
node24; thecustom conflict checker action is Docker-based.
The pre-PR code review gate returned
Recommendation: ship.Breaking Changes
None. This is CI workflow configuration only.
Checklist
Summary by CodeRabbit