fix(ci): update GitHub Actions to Node.js 24#689
Merged
wizzomafizzo merged 1 commit intomainfrom Apr 16, 2026
Merged
Conversation
…puts Upgrade actions with Node 24 versions available: - docker/setup-buildx-action v3 → v4 (removes deprecated `install` input) - actions/upload-artifact v4 → v6 - actions/download-artifact v4 → v7 Replace actions with no Node 24 version available: - arduino/setup-task → `gh release download` from go-task/task - pozetroninc/github-action-get-latest-release → `gh api` call Node.js 20 actions will be forced to Node.js 24 starting June 2, 2026 and removed entirely September 16, 2026.
📝 WalkthroughWalkthroughGitHub Actions workflow files were updated to replace the Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/build.yml (1)
151-157: Pin the Task release instead of downloadinglatest.Omitting the tag makes every build depend on whatever
go-task/taskpublishes next, which hurts reproducibility and can break historic rebuilds unexpectedly. Please download an explicit Task release tag here and reuse that same pin across both install steps.♻️ Suggested shape
- name: Install Task + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TASK_VERSION: v3.0.0 run: | - gh release download -R go-task/task -p 'task_linux_amd64.tar.gz' -O /tmp/task.tar.gz + gh release download "$TASK_VERSION" -R go-task/task -p 'task_linux_amd64.tar.gz' -O /tmp/task.tar.gz sudo tar -xzf /tmp/task.tar.gz -C /usr/local/bin task rm /tmp/task.tar.gz - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}Also applies to: 405-411
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/build.yml around lines 151 - 157, The workflow currently downloads Task without a pinned release; update the "Install Task" step (the job step named "Install Task" that runs `gh release download -R go-task/task -p 'task_linux_amd64.tar.gz'`) to use an explicit release tag: introduce a single variable (e.g., TASK_VERSION) at the top of the workflow and replace the unpinned download with a download that references that tag, then apply the same TASK_VERSION variable in the other install step mentioned (the similar step around lines 405-411) so both installs use the identical pinned release for reproducible builds.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In @.github/workflows/build.yml:
- Around line 151-157: The workflow currently downloads Task without a pinned
release; update the "Install Task" step (the job step named "Install Task" that
runs `gh release download -R go-task/task -p 'task_linux_amd64.tar.gz'`) to use
an explicit release tag: introduce a single variable (e.g., TASK_VERSION) at the
top of the workflow and replace the unpinned download with a download that
references that tag, then apply the same TASK_VERSION variable in the other
install step mentioned (the similar step around lines 405-411) so both installs
use the identical pinned release for reproducible builds.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: dba1909d-1ed9-40f6-9a27-949b45d6b284
📒 Files selected for processing (5)
.github/workflows/build.yml.github/workflows/fuzz.yml.github/workflows/lint-and-test.yml.github/workflows/scorecard.yml.github/workflows/zigcc-build.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
docker/setup-buildx-actionv3 → v4 (Node 24, removes deprecatedinstallinput)actions/upload-artifactv4 → v6 (Node 24)actions/download-artifactv4 → v7 (Node 24)arduino/setup-taskwithgh release downloadfrom go-task/task (no Node 24 version available)pozetroninc/github-action-get-latest-releasewithgh apicall (no Node 24 version available)Node.js 20 actions will be forced to Node.js 24 starting June 2, 2026 and removed September 16, 2026. The two replaced actions had no Node 24 release, so they've been swapped for authenticated
ghCLI commands that run no third-party code.Affected workflows:
build.yml,fuzz.yml,lint-and-test.yml,scorecard.yml,zigcc-build.ymlSummary by CodeRabbit