feat: bump actions/runner to v2.333.1 for node24 support#3
Merged
kurok merged 3 commits intofeat/al2023-supportfrom Apr 20, 2026
Merged
feat: bump actions/runner to v2.333.1 for node24 support#3kurok merged 3 commits intofeat/al2023-supportfrom
kurok merged 3 commits intofeat/al2023-supportfrom
Conversation
The user-data bootstrap hardcoded v2.321.0, whose externals/ directory ships only node16 and node20. Any consumer trying to use a JS action that declares 'runs: using: node24' (actions/checkout@v5+, many other updated actions) fails on runners started via this action. v2.333.1 is the current stable GA runner release (2026-03-27) and bundles externals/node20 + externals/node24. No AMI change is needed because the runner brings its own Node binaries. Rebuilt dist/index.js with NODE_OPTIONS=--openssl-legacy-provider npm run package (the pinned @vercel/ncc 0.25.1 doesn't work with modern OpenSSL without that flag). The only diff inside dist/ is the two URL/filename lines that mirror the src change. Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com>
4 tasks
The existing pr.yml only ran 'npm run lint' and only on PRs targeting main, so PRs against feature branches had zero CI coverage. Two new jobs: - verify-dist: runs 'npm run package' and fails if the committed dist/index.js disagrees with a fresh rebuild from src/. Catches the 'forgot to rebuild dist' class of bug permanently so future runner-version bumps can't ship with a stale bundle. - verify-runner-url: extracts the pinned actions/runner version from src/aws.js and HEADs the corresponding release asset. Catches typos in the version string and release-asset naming drift before a bad AMI start wastes an EC2 lifecycle. Also drops the 'branches: [main]' filter so PRs against any branch (feat/al2023-support in particular) get linted and verified. The existing lint-code job is left untouched to keep the diff minimal. Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com>
…code GitHub started auto-failing workflows using actions/cache@v2 in December 2025 (deprecation notice). actions/checkout@v2 is in the same bucket. With this PR removing the 'branches: [main]' filter on pr.yml, the lint-code job now runs on every PR — so the red-flag deprecation caught by the runner causes every new PR to fail until these two pins are rotated forward. Minimal change: v2 → v4 on both uses: lines; everything else in the job stays the same. Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com>
This was referenced Apr 20, 2026
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bump the hardcoded
actions/runnerrelease downloaded by the EC2 user-data bootstrap from v2.321.0 to v2.333.1 (latest stable, published 2026-03-27).Changes:
src/aws.js— the two download/extract linesdist/index.js— rebuilt viaNODE_OPTIONS=--openssl-legacy-provider npm run package(pinned@vercel/ncc 0.25.1needs the flag on modern OpenSSL)Why
Downstream consumers (e.g.
namecheap/terraform-provider-namecheap) are constrained toactions/checkout@v4on any job that runs on runners started via this action.@v5and@v6both declareruns: using: node24, and the runner v2.321.0 shipped here bundles onlyexternals/node20, so the JS action fails to start.The terraform-provider-namecheap
ci.ymleven documents this inline:The comment is accurate about the symptom but misdirects on the cause — the AMI itself is fine. The runner binary is what determines which node versions are available to JS actions, because the runner loads them from its own
externals/directory, not from the host. v2.327.1+ addsexternals/node24; v2.333.1 is the current stable.Consumer action after merge
Once this is merged and
feat/al2023-supporttip advances, consumers SHA-pinned to this action rotate the pin to the new commit. For the provider repo that's theci.ymllines already SHA-pinned in namecheap/terraform-provider-namecheap#149; the same PR (or a small follow-up) can then drop theactions/checkout@v4workaround on the acceptance step and unify on@v6.Verification
src/aws.jsanddist/index.jsagree on the version string (grep shows 2 matches of2.333.1, 0 of2.321.0).dist/— verified withgit diff --numstat dist/index.js→2 2.Follow-ups
feat/al2023-support→mainand cutting a proper tagged release, so downstream consumers can SHA-pin against a release commit rather than an ever-moving feature branch. (The feat branch is still 6+ commits ahead ofmain; see ci: SHA-pin namecheap/ec2-github-runner and unify start/stop refs terraform-provider-namecheap#148.)