Situation
notify-on-push workflow uses the older core-validate-commit@5.0.1 release instead of 6.0.0 causing some merge commits to be incorrectly flagged, notably all ffi commits.
Background
Workflow .github/workflows/notify-on-push.yml job validateCommitMessage specifies runs-on: ubuntu-24.04-arm.
The GitHub partner runner image inventory for ubuntu-24.04-arm shows a default installed Node.js 20.20.0.
Since there is no step in the workflow to install any alternate Node.js version, the job runs in Node.js 20.20.0 (with bundled npm 10.8.2).
The job validateCommitMessage executes:
run: echo "$COMMITS" | npx -q core-validate-commit -
npm/cli#7704 describes how npm 10.8.2 changed behavior, which is now documented for npm 11.11.1 under
npm install [<@scope>/]<name>:
Note: When installing by name without specifying a version or tag, npm prioritizes versions that match the current Node.js version based on the package's engines field. If the latest tag points to a version incompatible with your current Node.js version, npm will install the newest compatible version instead. To install a specific version regardless of engines compatibility, explicitly specify the version or tag: npm install @latest.
(This documentation addition has not been backported to the npm 10.x documentation, nor referenced in the npx 10 / npx 11 documentation.)
The npm package core-validate-commit has the following engines minimum definitions:
| core-validate-commit |
released |
engines minimum |
| 6.0.0 |
Apr 27, 2026 |
"node": "^22.21.1 |
| 5.0.1 |
Mar 18, 2026 |
"node": "^20.19.6 |
npx therefore installs the older core-validate-commit@5.0.1 since it is the highest version that satisfies the engines conditions for Node.js 20.20.0.
The consequence is that the enhancements / fixes for 6.0.0 are not available:
- add Signed-off-by and Assisted-By rules
- parse trailers using git if available, allow longer lines
- rules: add ffi subsystem
- rules: add line-length exemptions for DCO sign-offs
This is particularly noticeable for every ffi PR merged into main, that then triggers a slack notification
✖ 0:0 Invalid subsystem: "ffi" subsystem
Suggestion
In the workflow .github/workflows/notify-on-push.yml job validateCommitMessage add the following step, as commonly used in other GitHub Actions workflows:
- name: Use Node.js ${{ env.NODE_VERSION }}
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: ${{ env.NODE_VERSION }}I can't test this in a fork, so I defer to core Collaborators to review and make this change.
cc: @nodejs/actions
cc: @ShogunPanda
Situation
notify-on-push workflow uses the older
core-validate-commit@5.0.1release instead of6.0.0causing some merge commits to be incorrectly flagged, notably allfficommits.Background
Workflow .github/workflows/notify-on-push.yml job
validateCommitMessagespecifiesruns-on: ubuntu-24.04-arm.The GitHub partner runner image inventory for ubuntu-24.04-arm shows a default installed Node.js 20.20.0.
Since there is no step in the workflow to install any alternate Node.js version, the job runs in Node.js 20.20.0 (with bundled npm 10.8.2).
The job
validateCommitMessageexecutes:npm/cli#7704 describes how npm 10.8.2 changed behavior, which is now documented for npm 11.11.1 under
npm install [<@scope>/]<name>:(This documentation addition has not been backported to the npm 10.x documentation, nor referenced in the npx 10 / npx 11 documentation.)
The npm package core-validate-commit has the following engines minimum definitions:
npx therefore installs the older
core-validate-commit@5.0.1since it is the highest version that satisfies the engines conditions for Node.js 20.20.0.The consequence is that the enhancements / fixes for 6.0.0 are not available:
This is particularly noticeable for every
ffiPR merged into main, that then triggers a slack notificationSuggestion
In the workflow .github/workflows/notify-on-push.yml job
validateCommitMessageadd the following step, as commonly used in other GitHub Actions workflows:I can't test this in a fork, so I defer to core Collaborators to review and make this change.
cc: @nodejs/actions
cc: @ShogunPanda