meta(ci): upgrade GitHub Actions to Node 24 runtime #542
Semver Impact of This PR
🟢 Patch (bug fixes)
📋 Changelog Preview
This is how your changes will appear in the changelog.
Internal Changes 🔧
🤖 This preview updates automatically when you update the PR.
Codecov Results 📊
✅ 126 passed | Total: 126 | Pass Rate: 100% | Execution Time: 0ms
📊 Comparison with Base Branch
✨ No test changes detected
All tests are passing successfully.
✅ Patch coverage is 100.00%. Project has 1028 uncovered lines.
Coverage diff
@@ Coverage Diff @@
## main #PR +/-##
==========================================
+ Coverage 96.02% 96.02% —%
==========================================
Files 185 185 —
Lines 25805 25805 —
Branches 0 0 —
==========================================
+ Hits 24777 24777 —
- Misses 1028 1028 —
- Partials 0 0 —
Generated by Codecov Action
Upgrade all actions to versions that use node24, fixing 13 Node.js 20 deprecation warnings. GitHub will force Node.js 24 starting June 2, 2026.

- actions/checkout: v4 → v6
- actions/cache: v4 → v5
- actions/upload-artifact: v4 → v7
- actions/download-artifact: v4 → v8
- actions/setup-node: v4 → v6
- actions/create-github-app-token: v2.2.1 → v3
- dorny/paths-filter: v3.0.2 (SHA pin) → v4

Note: getsentry/codecov-action@main still uses node20 in its own action.yml — that needs a separate fix in the codecov-action repo.
7587484 to aa62edc
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| - uses: actions/checkout@v4 | ||
| - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 | ||
| - uses: actions/checkout@v6 | ||
| - uses: dorny/paths-filter@v4 |
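Review bot: the dorny/paths-filter line gives up the full commit SHA and its trailing "# v3.0.2" version comment for the tag @v4, so the job will run whatever that tag points to at run time. Keep the previous form, a 40-character commit SHA followed by a comment naming the release, and resolve the new SHA from the upstream release tag before merging. The actions/checkout change stays tag-to-tag (@v4 to @v6), so it does not change how that reference is pinned.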
SHA-pinned third-party action replaced with mutable tag
Medium Severity
The dorny/paths-filter reference was previously SHA-pinned (@de90cc6fb38fc0963ad72b210f1f284cd68cea36) to protect against supply chain attacks, but the upgrade switches to a mutable tag (@v4). Unlike the actions/* actions which are first-party GitHub-maintained, dorny/paths-filter is a third-party action where tag references can be moved to point to compromised code. The SHA pin for v4.0.1 (fbd0ab8f3e69293af611ebaee6363fc25e6d187d) could be used to maintain the same supply chain protection.
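To catch this kind of regression across workflow files, the following added example (not part of the PR or of the Bugbot review) flags third-party `uses:` references that are not pinned to a full 40-character commit SHA. The first-party owner list and the local action path in the sample are assumptions; the other action references are the ones named on this page.

```python
import re

# Matches a step- or job-level `uses:` value, ignoring a trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumption: owners treated as first-party; adjust to your own policy.
FIRST_PARTY_OWNERS = {"actions", "github"}

def classify(ref):
    """Return (status, owner) for one `uses:` value."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "local-or-docker", None
    target, _, version = ref.partition("@")
    owner = target.split("/", 1)[0].lower()
    if FULL_SHA_RE.match(version):
        return "sha-pinned", owner
    if owner in FIRST_PARTY_OWNERS:
        return "first-party-tag", owner
    return "third-party-mutable", owner

def audit(workflow_text):
    """Return (line number, reference) for third-party actions on a tag or branch."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group(1))[0] == "third-party-mutable":
            findings.append((lineno, m.group(1)))
    return findings

# Constructed workflow fragment. The local action path is hypothetical.
SAMPLE = """\
steps:
  - uses: actions/checkout@v6
  - uses: dorny/paths-filter@v4
  - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
  - uses: getsentry/codecov-action@main
  - uses: oven-sh/setup-bun@v2
  - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, ref in audit(SAMPLE):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Run as a CI step over `.github/workflows/*.yml`, a non-empty result can fail the job so that a tag reference cannot replace a SHA pin unnoticed.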


Upgrade all GitHub Actions to versions that use node24 runtime, fixing 13 Node.js 20 deprecation warnings from CI. GitHub will force Node.js 24 starting June 2, 2026.

Action upgrades

- actions/checkout: @v4 → @v6
- actions/cache: @v4 → @v5
- actions/upload-artifact: @v4 → @v7
- actions/download-artifact: @v4 → @v8
- actions/setup-node: @v4 → @v6
- actions/create-github-app-token: @v2.2.1 → @v3
- dorny/paths-filter: v3.0.2 (SHA pin) → @v4

28 references updated across 4 workflow files (ci.yml, release.yml, generate-skill.yml, docs-preview.yml).

Out of scope

- getsentry/codecov-action@main still uses node20 in its own action.yml — needs a fix in that repo
- oven-sh/setup-bun@v2 already resolves to node24
- rossjrw/pr-preview-action@v1 is a composite action (no Node runtime)