Skip to content

Update GitHub Actions to latest versions#39

Merged
dnegstad merged 2 commits intomainfrom
claude/bump-action-versions
May 5, 2026
Merged

Update GitHub Actions to latest versions#39
dnegstad merged 2 commits intomainfrom
claude/bump-action-versions

Conversation

@dnegstad
Copy link
Copy Markdown
Owner

@dnegstad dnegstad commented May 5, 2026

Summary

This PR updates several GitHub Actions to their latest versions across the CI/CD workflows to ensure we're using the most recent bug fixes, security patches, and features.

Key Changes

  • actions/setup-node: Updated from v6.3.0 to v6.4.0 in three workflows (build-extensions.yml, bump-version.yml)
  • actions/setup-dotnet: Updated from v4 to v5.2.0 in build-extensions.yml, adding explicit version pinning with commit hash
  • peter-evans/create-pull-request: Updated from v7.0.11 to v8.1.1 in bump-version.yml

Notable Details

  • All action references now include commit hashes for improved security and reproducibility
  • The setup-dotnet action was previously using a floating version tag (v4) and is now pinned to a specific commit hash, improving build consistency
  • These updates apply to both Ubuntu and Windows CI runners where applicable

https://claude.ai/code/session_01GSMAW9u8RuReyuzCvT6S1K

claude added 2 commits May 5, 2026 20:06
@claude
Bump pinned action versions and SHA-pin setup-dotnet
a7bdc67 
Brings every action reference current with its latest tag and converts the
remaining tag-pinned actions/setup-dotnet references to a full-length SHA so
the workflows stay compliant if the SHA-pin policy is reinstated.

- actions/setup-node: v6.3.0 → v6.4.0 (minor)
- actions/setup-dotnet: v4 (tag-pinned) → v5.2.0 (SHA-pinned). v5 only drops
  support for legacy .NET versions; we install 10.0.x, so unaffected. The
  Node 24 / runner v2.327.1+ requirement is satisfied by GitHub-hosted
  ubuntu-latest and windows-latest.
- peter-evans/create-pull-request: v7.0.11 → v8.1.1 (major). No input-shape
  changes for the inputs bump-version.yml uses (branch, commit-message,
  title, body, delete-branch). Same Node 24 / runner constraint.
@claude
Replace devcontainers/action with devcontainer CLI
d8f221a 
devcontainers/action@v1.4.3 is still a node20 action; GitHub Actions deprecates
node20 in September. The upstream Node 24 migration (PR devcontainers/action#228)
is open but unreleased.

The action is a thin wrapper around the @devcontainers/cli, so swap it for the
CLI directly. The CLI runs under the runner's installed Node (22 today, 24 next),
which sidesteps the deprecation entirely. The publish-feature job already had
docker/login-action handling GHCR auth, and the existing buildx-imagetools step
still resolves the published manifest digest for attestation.

Pinning @devcontainers/cli to 0.86.0 to match the supply-chain hygiene goals
of the rest of this branch.
@dnegstad dnegstad force-pushed the claude/bump-action-versions branch from e1b346a to d8f221a Compare May 5, 2026 21:49
@dnegstad dnegstad merged commit d7848bc into main May 5, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dnegstad @claude