feat: enforce Node.js 24 for all runners and workflows#1190
Conversation
…_TO_NODE24 env var - Adds FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true to all runner Docker Compose files - Documents the variable in all example .env files - Ensures all JavaScript actions use Node.js 24 across standard, Chrome, and Chrome-Go runners See #performance, #devops, #nodejs, #ci-cd
…_JAVASCRIPT_ACTIONS_TO_NODE24 env var
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request aims to enforce the use of Node.js 24 for all JavaScript actions within the CI/CD pipelines and local runner environments. By standardizing the Node.js version, the change ensures greater consistency, improves compatibility, and allows for leveraging the latest features and performance enhancements offered by Node.js 24 across all runner types. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Changelog
Ignored Files
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request consistently enforces the use of Node.js 24 across all runner configurations by adding the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true setting. The changes are applied to the example environment files and the Docker Compose configurations for all runner types. My review focuses on improving the consistency of how this new environment variable is handled in the Docker Compose files to allow for optional overrides, aligning with its inclusion in the example files.
| - GO111MODULE=${GO111MODULE:-on} | ||
| - GOPROXY=${GOPROXY:-https://proxy.golang.org,direct} | ||
| - GOSUMDB=${GOSUMDB:-sum.golang.org} | ||
| - FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true |
There was a problem hiding this comment.
To maintain consistency with how other variables are handled in this file, it's recommended to allow this value to be overridden from the environment. This aligns with the addition of FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 to the .env.example files and provides flexibility for users who might need to disable this feature.
- FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=${FORCE_JAVASCRIPT_ACTIONS_TO_NODE24:-true}| - RUNNER_TYPE=chrome | ||
| - METRICS_PORT=9091 | ||
| - METRICS_UPDATE_INTERVAL=${METRICS_UPDATE_INTERVAL:-30} | ||
| - FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true |
There was a problem hiding this comment.
For consistency with other environment variables in this compose file, it would be better to allow this setting to be configured via an environment variable. This change would make the configuration more flexible and consistent with the presence of FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 in the example environment files.
- FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=${FORCE_JAVASCRIPT_ACTIONS_TO_NODE24:-true}| - RUNNER_TYPE=standard | ||
| - METRICS_PORT=9091 | ||
| - METRICS_UPDATE_INTERVAL=${METRICS_UPDATE_INTERVAL:-30} | ||
| - FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true |
There was a problem hiding this comment.
To ensure consistency across configurations and provide flexibility, this hardcoded value should be replaced with a reference to an environment variable with a default. This aligns with the practice used for other variables in this file and the fact that FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 is now part of the example environment files.
- FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=${FORCE_JAVASCRIPT_ACTIONS_TO_NODE24:-true}
* chore(deps): chore(deps)(deps): bump actions/cache from 4 to 5 Automatically merged Dependabot PR after CI validation. * chore(deps): chore(deps)(deps): bump trufflesecurity/trufflehog from 3.93.7 to 3.93.8 Automatically merged Dependabot PR after CI validation. * chore(deps): chore(deps)(deps): bump docker/metadata-action from 5 to 6 Automatically merged Dependabot PR after CI validation. * 🔒 Fix Personal Access Token exposure in runner-self-test.sh (#1191) * 🔒 fix: prevent Personal Access Token exposure in CLI history Modified `scripts/runner-self-test.sh` to pass the GitHub Personal Access Token (`GH_PAT`) to `curl` via stdin using the `-K-` option. This prevents the token from appearing in process listings or command history, addressing a security vulnerability. Changes: - Replaced direct `-H "Authorization: token $GH_PAT"` with a piped configuration using `printf` and `curl -K-`. - Added a security verification test in `tests/security/verify-curl-fix.sh`. Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> * Update tests/security/verify-curl-fix.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * 🔒 Fix Command Injection in Deploy Script via Unescaped Hostname (#1193) * 🔒 Fix command injection vulnerability in deploy script Added container name validation and improved docker command security by using the -- delimiter to prevent option injection. - Added `validate_container_name` function to enforce Docker naming conventions. - Updated `health_check` and `show_status` functions in `scripts/deploy.sh` to validate container names before use and use `--` in Docker commands. Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> * Update scripts/deploy.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update scripts/deploy.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update scripts/deploy.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * 🔒 fix(security): sanitize job name in file paths to prevent traversal (#1192) * fix(security): sanitize job name in file paths Mitigate path traversal vulnerability by sanitizing GITHUB_JOB before using it in file paths in job-started.sh and job-completed.sh. Introduced a sanitize_name function in utils.sh to replace unsafe characters with underscores. Updated unit tests accordingly. Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> * Update tests/unit/test-job-started.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update docker/utils.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * feat: enforce Node.js 24 for all runners and workflows (#1190) * feat: enforce Node.js 24 for all runners via FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 env var - Adds FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true to all runner Docker Compose files - Documents the variable in all example .env files - Ensures all JavaScript actions use Node.js 24 across standard, Chrome, and Chrome-Go runners See #performance, #devops, #nodejs, #ci-cd * chore: enforce Node.js 24 for all actions in ci-cd workflow via FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 env var --------- Co-authored-by: rr <rr> --------- Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* chore(deps): chore(deps)(deps): bump actions/cache from 4 to 5 Automatically merged Dependabot PR after CI validation. * chore(deps): chore(deps)(deps): bump trufflesecurity/trufflehog from 3.93.7 to 3.93.8 Automatically merged Dependabot PR after CI validation. * chore(deps): chore(deps)(deps): bump docker/metadata-action from 5 to 6 Automatically merged Dependabot PR after CI validation. * 🔒 Fix Personal Access Token exposure in runner-self-test.sh (#1191) * 🔒 fix: prevent Personal Access Token exposure in CLI history Modified `scripts/runner-self-test.sh` to pass the GitHub Personal Access Token (`GH_PAT`) to `curl` via stdin using the `-K-` option. This prevents the token from appearing in process listings or command history, addressing a security vulnerability. Changes: - Replaced direct `-H "Authorization: token $GH_PAT"` with a piped configuration using `printf` and `curl -K-`. - Added a security verification test in `tests/security/verify-curl-fix.sh`. Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> * Update tests/security/verify-curl-fix.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * 🔒 Fix Command Injection in Deploy Script via Unescaped Hostname (#1193) * 🔒 Fix command injection vulnerability in deploy script Added container name validation and improved docker command security by using the -- delimiter to prevent option injection. - Added `validate_container_name` function to enforce Docker naming conventions. - Updated `health_check` and `show_status` functions in `scripts/deploy.sh` to validate container names before use and use `--` in Docker commands. Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> * Update scripts/deploy.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update scripts/deploy.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update scripts/deploy.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * 🔒 fix(security): sanitize job name in file paths to prevent traversal (#1192) * fix(security): sanitize job name in file paths Mitigate path traversal vulnerability by sanitizing GITHUB_JOB before using it in file paths in job-started.sh and job-completed.sh. Introduced a sanitize_name function in utils.sh to replace unsafe characters with underscores. Updated unit tests accordingly. Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> * Update tests/unit/test-job-started.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update docker/utils.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * feat: enforce Node.js 24 for all runners and workflows (#1190) * feat: enforce Node.js 24 for all runners via FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 env var - Adds FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true to all runner Docker Compose files - Documents the variable in all example .env files - Ensures all JavaScript actions use Node.js 24 across standard, Chrome, and Chrome-Go runners See #performance, #devops, #nodejs, #ci-cd * chore: enforce Node.js 24 for all actions in ci-cd workflow via FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 env var --------- Co-authored-by: rr <rr> * chore: update Go version to 1.25.7 across Chrome-Go runner configs, Dockerfiles, compose, and docs --------- Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: rr <rr>
1 participant
Closes #performance, #devops, #nodejs, #ci-cd
/cc @copilot