[build] update GitHub Actions to latest major versions #17475

Merged: titusfortner merged 1 commit into trunk from actions_deps on May 16, 2026

@titusfortner
Member

💥 What does this PR do?

We're getting a bunch of warnings about support deprecations on older actions. Got the list to update from #13964, reviewed all changes, and nothing should be an issue here.

Agent evaluation:

The commonly-cited breaking changes in github-script@v9, create-pull-request@v8, download-artifact@v5, and setup-node@v6 do not apply to how Selenium uses these actions. The universal theme across most of these is a Node.js 20 → 24 runtime upgrade, which requires Actions Runner v2.327.1+ — GitHub-hosted runners already satisfy this.

@selenium-ci added the B-build (Includes scripting, bazel and CI integrations) label on May 16, 2026
@qodo-code-review
Contributor

Review Summary by Qodo

Update GitHub Actions to latest major versions

✨ Enhancement

Walkthroughs

Description
• Update GitHub Actions to latest major versions across all workflows
• Upgrade checkout from v4 to v6, cache actions from v4 to v5
• Update artifact actions from v5 to v6, download-artifact from v4 to v5
• Upgrade setup-node v4 to v6, github-script v7 to v9
• Update additional actions: setup-bazel, ghaction-import-gpg, stale, and others
Diagram

```mermaid
flowchart LR
  A["GitHub Actions<br/>v4/v5/v7 versions"] -- "Update to latest<br/>major versions" --> B["GitHub Actions<br/>v5/v6/v9 versions"]
  B -- "Node.js 20 to 24<br/>runtime upgrade" --> C["Enhanced compatibility<br/>and security"]
```

File Changes

1. .github/workflows/bazel.yml (Dependencies, +8/-8): Update checkout, cache, setup-node, and artifact actions
2. .github/workflows/ci-build-index.yml (Dependencies, +2/-2): Update download-artifact and cache/save actions
3. .github/workflows/ci-lint.yml (Dependencies, +4/-4): Update checkout, paths-filter, and github-script actions
4. .github/workflows/ci-rust.yml (Dependencies, +15/-15): Update checkout, upload-artifact, download-artifact actions
5. .github/workflows/ci.yml (Dependencies, +1/-1): Update download-artifact action version
6. .github/workflows/commit-changes.yml (Dependencies, +2/-2): Update checkout and download-artifact actions
7. .github/workflows/delete-comments.yml (Dependencies, +3/-3): Update github-script action to v9
8. .github/workflows/issue-labeler.yml (Dependencies, +5/-5): Update checkout and github-script actions
9. .github/workflows/label-commenter.yml (Dependencies, +1/-1): Update checkout action version
10. .github/workflows/lock.yml (Dependencies, +1/-1): Update lock-threads action to v6
11. .github/workflows/mirror-selenium-releases.yml (Dependencies, +1/-1): Update checkout action version
12. .github/workflows/nightly.yml (Dependencies, +2/-2): Update checkout and download-artifact actions
13. .github/workflows/pin-browsers.yml (Dependencies, +3/-3): Update checkout, download-artifact, create-pull-request actions
14. .github/workflows/pr-labeler.yml (Dependencies, +2/-2): Update checkout and labeler actions
15. .github/workflows/pre-release.yml (Dependencies, +5/-5): Update checkout, download-artifact, create-pull-request actions
16. .github/workflows/release.yml (Dependencies, +6/-6): Update checkout and download-artifact actions
17. .github/workflows/restrict-trunk.yml (Dependencies, +1/-1): Update checkout action version
18. .github/workflows/stale.yml (Dependencies, +4/-4): Update stale action from v9 to v10
19. .github/workflows/update-documentation.yml (Dependencies, +2/-2): Update checkout and download-artifact actions

@qodo-code-review
Contributor

qodo-code-review Bot commented May 16, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0)

Remediation recommended

1. Org block token missing 🐞 Bug ☼ Reliability
Description
The Delete Comments workflow attempts to call github.rest.orgs.blockUser via
actions/github-script, but it never supplies an org-admin token (it relies on the default token)
and only declares issues: write permissions. This will fail when triggered and can cause the
entire spam-moderation workflow run to fail after deleting the comment.
Code

.github/workflows/delete-comments.yml[R35-40]

      - name: Block user from the org if their comment contained any of the banned strings
        if: steps.check_comment.outputs.result == 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
        with:
          script: |
            const username = context.payload.comment.user.login
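Review bot: On the `uses: actions/github-script@v9` line, the action is referenced by a major-version tag, which can be repointed to a different commit after this change is merged, and this step runs a script with the workflow's token. Pin the reference to a full commit SHA and keep the version as a trailing comment, for example `uses: actions/github-script@<full-commit-sha> # v9`, so a later bump shows up as a reviewable diff.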
Evidence
The workflow explicitly sets only issues: write permissions and uses the default github-script
token (no github-token override), yet calls the org-level orgs.blockUser API, which requires
elevated org privileges not provided in this workflow.

.github/workflows/delete-comments.yml[7-44]
.github/workflows/commit-changes.yml[42-47]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`.github/workflows/delete-comments.yml` calls `github.rest.orgs.blockUser`, but does not pass a token with org-admin privileges to `actions/github-script`. As a result, the block step will fail at runtime (typically 403) and can fail the workflow run.

## Issue Context
The workflow currently only declares `permissions: issues: write` and does not set `with: github-token:` on the `github-script` steps.

## Fix Focus Areas
- .github/workflows/delete-comments.yml[7-44]

## Suggested fix
- Provide a dedicated org-admin secret token (e.g., an existing bot token if it has the needed org scope) and pass it explicitly:
 - `with: github-token: ${{ secrets.<ORG_ADMIN_TOKEN> }}` on the block step (and optionally on all github-script steps for consistency).
- If blocking is best-effort, wrap the block call in `try/catch` (or set `continue-on-error: true` on that step) so comment deletion does not get marked as a failed run when blocking is not permitted.


@titusfortner titusfortner merged commit fd13eda into trunk May 16, 2026
29 checks passed
@titusfortner titusfortner deleted the actions_deps branch May 16, 2026 12:59
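
The best-effort handling that the Qodo review suggests for the block step, written out as an added example (not code from the Selenium repository or from Qodo). The function name `blockCommentAuthor`, the stub objects, and the values `example-org` and `spam-account` are assumptions made for illustration; only `github.rest.orgs.blockUser` and `context.payload.comment.user.login` come from the page.

```javascript
// Added example. `github`, `context` and `core` are the objects that
// actions/github-script injects into the step's script.
async function blockCommentAuthor({ github, context, core }) {
  const username = context.payload.comment.user.login;
  const org = context.repo.owner;
  try {
    await github.rest.orgs.blockUser({ org, username });
    return { blocked: true, username };
  } catch (err) {
    // 403: the token in use has no org-level blocking rights. Record a
    // warning and keep the run green, since the comment is already deleted.
    if (err.status === 403) {
      core.warning(`Not permitted to block ${username} from ${org}: token lacks org-level access`);
      return { blocked: false, username, status: 403 };
    }
    throw err; // any other failure should still fail the step
  }
}

// Constructed stand-ins for the injected objects so the file runs offline.
// failStatus = null simulates a token that is allowed to block.
function makeStubs(failStatus) {
  const warnings = [];
  const github = { rest: { orgs: { blockUser: async () => {
    if (failStatus) {
      const err = new Error('Resource not accessible by integration');
      err.status = failStatus;
      throw err;
    }
    return { status: 204 };
  } } } };
  const context = {
    repo: { owner: 'example-org', repo: 'example-repo' },          // constructed
    payload: { comment: { user: { login: 'spam-account' } } },     // constructed
  };
  const core = { warning: (msg) => warnings.push(msg) };
  return { github, context, core, warnings };
}

async function demo() {
  const denied = makeStubs(403);
  const result = await blockCommentAuthor(denied);
  return { result, warnings: denied.warnings };
}

demo().then((out) => console.log(JSON.stringify(out)));
```

Inside the workflow, the step's `script:` would end with `return await blockCommentAuthor({ github, context, core })` after the function definition.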