Bump CI actions for Node.js 24

[simonsmallchua]

Summary

• Bump all GitHub Actions to Node.js 24-compatible major versions ahead of the June 2026 enforcement deadline
• Covers 6 workflow files: test, fly-deploy, review-apps, auto-release, changelog-check, webflow-extension

Action	Was	Now
actions/checkout	v4	v6
actions/setup-go	v5	v6
actions/cache	v4	v5
actions/setup-node	v4	v6
actions/upload-artifact	v4	v6
actions/download-artifact	v4	v5
actions/github-script	v7	v8
golangci/golangci-lint-action	v7	v8

Test plan

• All CI workflows pass (test, deploy, changelog check)
• Node.js 20 deprecation warning no longer appears in Actions annotations

Summary by CodeRabbit

• Security

  • Enhanced database security by hardening search path configuration across system functions and enabling Row Level Security on additional tables to strengthen access controls.

• Performance

  • Improved database query performance through optimised Row Level Security evaluation semantics and added indexing to accelerate job status filtering queries.

• Chores

  • Updated continuous integration and deployment infrastructure to use latest stable versions of GitHub Actions and build tools.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 606a9313-a6a1-48ce-b422-cdaca327a6fd

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

GitHub Actions workflows across six files are updated to newer major versions for checkout, setup, and scripting actions. Database migrations introduce security hardening by pinning search_path on 29 functions, refactoring RLS policies to fix evaluation semantics through subquery wrapping, consolidating overlapping policies, and adding performance indices and RLS enablement.

Changes

Cohort / File(s)	Summary
GitHub Actions Version Bumps .github/workflows/auto-release.yml, .github/workflows/changelog-check.yml, .github/workflows/fly-deploy.yml, .github/workflows/review-apps.yml, .github/workflows/test.yml, .github/workflows/webflow-extension.yml	Upgraded action versions across workflows: actions/checkout v4→v6, actions/setup-go v5→v6, actions/setup-node v4→v6, actions/github-script v7→v8, actions/cache v4→v5, golangci/golangci-lint-action v7→v8, actions/upload-artifact v4→v6, actions/download-artifact v4→v5. No workflow logic or command changes.
Documentation CHANGELOG.md	Added Security section documenting search_path pinning on 29 database functions and RLS enablement on domain_hosts. Added Changed section describing RLS policy optimisations (subquery wrapping of auth.uid()/auth.role()), policy consolidation on jobs and organisation_members, and btree index addition on jobs.status.
Database Security & Performance Hardening supabase/migrations/20260322030522_fix_database_linter_advisories.sql, supabase/migrations/20260322031654_add_rls_domain_hosts_and_jobs_status_index.sql	Applied SET search_path = public to 29 functions via ALTER FUNCTION statements. Refactored RLS policies on domains, pages, slack_user_links, notifications, and jobs to wrap auth.uid()/auth.role() in subqueries for per-query evaluation. Consolidated overlapping permissive SELECT policies on jobs and removed redundant organisation_members policy. Enabled RLS on domain_hosts table. Created btree index on jobs(status) for query optimisation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Fix database linter advisories #276: Directly related—modifies identical Supabase migrations and CHANGELOG entries for search_path pinning, RLS policy refactoring with subquery wrapping, domain_hosts RLS enablement, and jobs.status index creation.

Poem

🐰 Actions hop to newer ground,
Functions safe with paths now bound,
RLS policies dance and align,
Queries bloom with subqueries fine,
Security hardened, performance will shine! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title describes bumping CI actions for Node.js 24, but the changeset primarily updates GitHub Actions versions and includes substantial database security changes (search_path hardening, RLS policies, index creation) unrelated to Node.js 24 compatibility.	Revise the title to better reflect the full scope of changes, such as 'Update GitHub Actions versions and harden database security' or split into separate pull requests for CI updates and database changes.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/bold-faraday

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[supabase]

Updates to Preview Branch (claude/bold-faraday) ↗︎

Deployments	Status	Updated
Database	✅	Sun, 22 Mar 2026 06:25:06 UTC
Services	✅	Sun, 22 Mar 2026 06:25:06 UTC
APIs	✅	Sun, 22 Mar 2026 06:25:06 UTC

Tasks are run on every commit but only new migration files are pushed.
Close and reopen this PR if you want to apply changes from existing seed or migration files.

Tasks	Status	Updated
Configurations	✅	Sun, 22 Mar 2026 06:25:08 UTC
Migrations	✅	Sun, 22 Mar 2026 06:25:10 UTC
Seeding	✅	Sun, 22 Mar 2026 06:25:11 UTC
Edge Functions	✅	Sun, 22 Mar 2026 06:25:11 UTC

---

View logs for this Workflow Run ↗︎.
Learn more about Supabase for Git ↗︎.

[github-actions]

🐝 Review App Deployed!

Homepage: https://adapt-pr-278.fly.dev

📋 Test Features:

1. Visit dashboard: https://adapt-pr-278.fly.dev/dashboard
2. Test authentication and job creation flow
3. Check dashboard functionality
4. Verify database operations work correctly

🗄️ Database: Supabase preview branch
⚠️ Preview environment - app and database cleaned up when PR closes