⬆️(ci) upgrade GitHub Actions workflow steps to latest versions #63
StephanMeijer wants to merge 1 commit into suitenumerique:main from
Update all GitHub Actions to their latest major versions for improved performance, security patches, and Node.js runtime compatibility. Signed-off-by: Stephan Meijer <me@stephanmeijer.com>
📝 Walkthrough
This PR upgrades GitHub Actions workflow action versions across six CI/CD workflow files from older major versions to newer versions (e.g., v2→v3, v3→v6, v4→v6). No changes to workflow logic, control flow, or behavior beyond updated tool executables.
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
This PR relates to other PRs:
✅ I manually reviewed this PR and it should work just fine.
Actionable comments posted: 1
🧹 Nitpick comments (3)
.github/workflows/build-and-push-docker-image-dev.yml (1)
20-20: Consider pinning actions to full commit SHAs for supply-chain hardening
Mutable version tags (e.g., @v6) can be silently redirected to a new commit without any PR diff. Pinning every action to a verified commit SHA (e.g., actions/checkout@<sha>) prevents a compromised upstream tag from injecting malicious code into your runner, especially important on a self-hosted runner where persistent side-effects are possible. Tools like Dependabot or pin-github-action can automate this.
Also applies to: 23-23, 26-26, 29-29, 37-37, 44-44
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/build-and-push-docker-image-dev.yml at line 20, Replace mutable action tags with immutable pinned commit SHAs: find every "uses: actions/checkout@v6" and other "uses: <owner>/<repo>@<version>" lines in this workflow (the occurrences flagged around lines 20, 23, 26, 29, 37, 44) and change them to the corresponding full commit SHA form (e.g., actions/checkout@<full-sha>); update each action reference consistently, ideally using verified SHAs from the action repos or via a tool like Dependabot/pin-github-action, and ensure the workflow still functions after pinning by testing the workflow run.
.github/workflows/build-and-push-docker-image.yml (1)
36-36: docker/metadata-action was not upgraded — intentional?
All other docker/* actions in this file were bumped to their latest versions, but docker/metadata-action remains at v5. If this was intentionally left out, no action needed; otherwise consider bumping it alongside the rest.
♻️ Proposed version bump
- uses: docker/metadata-action@v5 + uses: docker/metadata-action@v6
🤖 Prompt for AI Agents
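Review bot: before applying this bump, confirm that a v6 major of docker/metadata-action has actually been published; the premise "the same pattern used for the other docker actions" does not establish that, since the walkthrough shows the other actions in this PR landing on different majors (v2→v3, v3→v6, v4→v6). If the current major is still v5, the right change is to keep `uses: docker/metadata-action@v5` (ideally pinned to its commit SHA, as the first nitpick suggests) rather than reference a tag that does not resolve, which would fail the workflow at the metadata step.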
Verify each finding against the current code and only fix it if needed. In @.github/workflows/build-and-push-docker-image.yml at line 36, The workflow line using the docker metadata action is pinned to "uses: docker/metadata-action@v5" while other docker/* actions were updated; change the pin to the current recommended tag (bump from v5 to the latest stable major like v6 or the same pattern used for the other docker actions), update the workflow entry "uses: docker/metadata-action@v5" accordingly, and run/validate the CI workflow to ensure metadata generation still works with the new version.
.github/workflows/build-and-push-release-package.yml (1)
15-15: Node.js 18 is EOL — consider upgrading to an LTS version.
Node 18 reached end-of-life in April 2025. While pre-existing and outside this PR's scope, it's a good time to upgrade to Node 20 or 22 (active LTS) since you're already touching this file.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/build-and-push-release-package.yml at line 15, The workflow currently pins the GitHub Actions runner to Node via the YAML key node-version: '18', which is EOL; update that value to a supported LTS (e.g., '20' or '22') in the workflow step that uses setup-node (replace node-version: '18' with node-version: '20' or '22'), then run the CI to verify no toolchain or dependency compatibility issues and adjust any npm/node-related commands if failures surface.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/build-and-push-docker-image-dev.yml:
- Line 17: The workflow currently sets runs-on: self-hosted while using
actions/checkout@v6 which requires runner v2.327.1+; before merging, verify the
self-hosted runner meets that minimum by running ./run.sh --version on the
runner and, if it is older, either upgrade the runner to v2.327.1+ or change the
workflow to use a GitHub-hosted runner (e.g., ubuntu-latest) or pin checkout to
a compatible older action version; ensure you document the chosen approach in
the PR so CI will not fail at the Checkout step.
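To make the pinning recommendation in the first nitpick checkable before merge, here is an added example (written for this edit; it is not CodeRabbit's tooling and not code from the suitenumerique/projects repository) that scans a workflow file for `uses:` references, classifies each as a full-SHA pin, a mutable tag or branch, a local action or a container image, flags SHA pins that lack a version comment, and raises the reported risk when the job runs on a self-hosted runner. The sample workflow text, the version tags and the two 40-hex SHAs are constructed placeholders; the classification rules are the assumptions.

```python
import re

# Constructed sample workflow in the shape of the files touched by this PR.
# The two 40-hex SHAs are placeholders, not real commits of those actions.
SAMPLE_WORKFLOW = """\
name: build-and-push-docker-image-dev
on: [push]
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v6
      - uses: docker/setup-qemu-action@v3
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567 # v3
      - uses: docker/build-push-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98
"""

# `- uses: <ref>` optionally followed by a trailing comment such as "# v3"
USES_RE = re.compile(r'^\s*-?\s*uses:\s*(\S+)\s*(#.*)?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
VERSION_TAG_RE = re.compile(r'^v?\d+(\.\d+)*$')


def classify_ref(ref):
    """Classify a `uses:` reference by how immutable it is."""
    if ref.startswith('./'):
        return 'local'        # action in this repo; its changes show up in PR diffs
    if ref.startswith('docker://'):
        return 'image'        # container image; pin by digest, not covered here
    if '@' not in ref:
        return 'unversioned'  # no @ref at all
    version = ref.rpartition('@')[2]
    if FULL_SHA_RE.match(version):
        return 'sha'          # immutable: a commit cannot be re-pointed like a tag
    if VERSION_TAG_RE.match(version):
        return 'tag'          # upstream can move v6 to any commit without a PR diff
    return 'branch'           # e.g. @main: changes on every push upstream


def audit_workflow(text):
    """Return (findings, self_hosted) for one workflow's YAML text.

    findings is a list of (line_number, ref, kind, message). Mutable refs are
    reported as problems; a SHA pin without a "# vX.Y.Z" comment gets a note,
    because reviewers then cannot tell which release the hash corresponds to.
    """
    findings = []
    self_hosted = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if re.match(r'^\s*runs-on:', line) and 'self-hosted' in line:
            self_hosted = True
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        kind = classify_ref(ref)
        if kind in ('tag', 'branch', 'unversioned'):
            findings.append((lineno, ref, kind,
                             'mutable reference: pin to a full 40-hex commit SHA'))
        elif kind == 'sha' and not comment:
            findings.append((lineno, ref, kind,
                             'SHA pin has no "# vX.Y.Z" comment; bumps are hard to review'))
    return findings, self_hosted


def risk_level(findings, self_hosted):
    """Mutable refs are worse on a self-hosted runner, where a compromised
    action can leave persistent side effects instead of dying with a fresh VM."""
    if not any(f[2] != 'sha' for f in findings):
        return 'ok'
    return 'high' if self_hosted else 'medium'


if __name__ == '__main__':
    found, hosted = audit_workflow(SAMPLE_WORKFLOW)
    for lineno, ref, kind, msg in found:
        print(f'line {lineno}: {ref} [{kind}] {msg}')
    print('risk:', risk_level(found, hosted))
```

Run it over each file in .github/workflows/ and fail CI on any `high` result; the trailing `# vX.Y.Z` comment convention is what lets a later bump be reviewed by version while the SHA stays the thing the runner actually fetches.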
@@ -17,16 +17,16 @@ jobs:
     runs-on: self-hosted
❓ Verification inconclusive
Script executed:
#!/bin/bash
# Find all workflow files referencing self-hosted runners
echo "=== Workflows using self-hosted runners ==="
rg -n "self-hosted" --type yaml .github/workflows/ 2>/dev/null || echo "No matches found"
echo -e "\n=== All workflows in .github/workflows ==="
ls -la .github/workflows/ 2>/dev/null || echo "Directory not found"
echo -e "\n=== Check for runner setup/configuration scripts ==="
fd -e sh -e bash --type f . 2>/dev/null | xargs rg -l "node" 2>/dev/null | grep -E "(setup|bootstrap|runner|provision)" | head -10
echo -e "\n=== Check for documentation about runners ==="
# rg uses Rust regex syntax: a plain | is alternation, while \| matches a literal pipe
fd -e md --type f . 2>/dev/null | xargs rg -l "self-hosted|runner.*setup|node.*version" 2>/dev/null | head -10
Repository: suitenumerique/projects
Exit code: 0
stdout:
=== Workflows using self-hosted runners ===
.github/workflows/build-and-push-docker-image.yml:9: runs-on: self-hosted
.github/workflows/build-and-push-docker-image-dev.yml:17: runs-on: self-hosted
.github/workflows/build-and-push-docker-base-image.yml:16: runs-on: self-hosted
=== All workflows in .github/workflows ===
total 24
drwxr-xr-x 2 jailuser jailuser 160 Feb 19 18:41 .
drwxr-xr-x 4 jailuser jailuser 80 Feb 19 18:41 ..
-rw-r--r-- 1 jailuser jailuser 1113 Feb 19 18:41 build-and-push-docker-base-image.yml
-rw-r--r-- 1 jailuser jailuser 1350 Feb 19 18:41 build-and-push-docker-image-dev.yml
-rw-r--r-- 1 jailuser jailuser 1459 Feb 19 18:41 build-and-push-docker-image.yml
-rw-r--r-- 1 jailuser jailuser 1387 Feb 19 18:41 build-and-push-release-package.yml
-rw-r--r-- 1 jailuser jailuser 1877 Feb 19 18:41 build-and-test.yml
-rw-r--r-- 1 jailuser jailuser 675 Feb 19 18:41 lint.yml
=== Check for runner setup/configuration scripts ===
=== Check for documentation about runners ===
actions/checkout v6 Node.js version requirement
actions/checkout@v6 is a JavaScript action that runs on the node24 runtime (runs.using: node24). [1]
Because it uses the Node.js 24 runtime, your environment needs a GitHub Actions runner version that supports it—minimum Actions Runner v2.327.1. [2]
Additionally, if you run authenticated git commands from a Docker container action, checkout@v6 requires Actions Runner v2.329.0 or later. [2]
Sources:
[1] actions/checkout action.yml (v6) showing runs.using: node24 (raw.githubusercontent.com)
[2] actions/checkout README notes on Node.js 24 runtime + runner minimums (github.com)
Citations:
- 1: https://raw.githubusercontent.com/actions/checkout/v6/action.yml
- 2: https://github.com/actions/checkout
actions/checkout@v6 release date December 2025
actions/checkout had a v6 release in December 2025: v6.0.1, published December 2, 2025. [1]
(For context, the initial v6.0.0 release was November 20, 2025, i.e., not in December.) [1]
Sources: [1]
Confirm self-hosted runner is v2.327.1+ before merging
actions/checkout@v6 (released December 2, 2025) requires GitHub Actions Runner v2.327.1 or later, which is when Node.js 24 runtime support was added. Unlike GitHub-hosted runners that are automatically kept up to date, self-hosted runners (line 17) require manual provisioning. If the runner is older than v2.327.1, the workflow will fail at the Checkout step.
Verify the self-hosted runner version with: ./run.sh --version
@StephanMeijer Thank you for the positive feedback! I'm glad the review comment was helpful. If you need any assistance verifying the runner version or have questions about the workflow updates, feel free to let me know! 🐰
ヽ(✿゚▽゚)ノ ✨
Rebased this branch on the latest target branch and force-pushed.
Purpose / Proposal
I was looking into adding Docker build support for linux/arm64 in several repositories of https://github.com/suitenumerique. During that, I noticed several repositories have outdated GitHub Workflow steps. The purpose of this pull request is to update them.
External contributions
- git commit --signoff (DCO compliance)
- git commit -S
- <gitmoji>(type) title description
- ## [Unreleased] section (if noticeable change)
Testing happens when GitHub Workflows are being executed.
The creation of this pull request was done semi-automatically. I did automate a bunch, but I reviewed all changes manually to check if they are backwards compatible.