ci: bump JS actions to Node 24 majors (PR Labeling & Hygiene) #6
Merged
…flows

Bumps the four Node-20 JS actions used by the PR Labeling & Hygiene system to their Node 24 majors ahead of the deprecation deadlines:

- actions/checkout v4 -> v6 (4 files; v6.0.0, 2025-12-02)
- actions/setup-python v5 -> v6 (test-scripts.yml; v6.0.0, 2025-09-04)
- actions/stale v9 -> v10 (stale-reusable.yml; v10.0.0, 2025-09-04)
- astral-sh/ruff-action v3 -> v4 (lint.yml, 2x; v4.0.0, 2026-04-12)

Files touched:

- .github/workflows/pr-labeler-reusable.yml (checkout)
- .github/workflows/label-sync-reusable.yml (checkout)
- .github/workflows/stale-reusable.yml (stale)
- .github/workflows/lint.yml (checkout x1, ruff-action x2)
- .github/workflows/test-scripts.yml (checkout, setup-python)

Why now:

- 2026-06-02: GitHub flips runner default to Node 24
- 2026-09-16: Node 20 removed from runners (hard cutoff)

PR-time CI (lint + test-scripts) validates checkout/setup-python/ruff end-to-end. The three reusable workflows are workflow_call-only and need post-merge validation against a downstream caller (interservice-contracts is the smoke-test target per the plan).

stale@v10 release notes verified: only "Upgrade to node 24" breaking change + new sort-by enhancement; all 12 inputs we configure remain unchanged.

All 7 caller repos reference the reusables by @main, so the bump auto-propagates on next invocation.

Plan: /Users/bryan.beverly/.cursor/plans/node24_actions_bump_200bd169.plan.md

Made-with: Cursor
CI revealed `Unable to resolve action astral-sh/ruff-action@v4`. The v4.0.0 release introduced immutable releases as a deliberate model change; the maintainers no longer publish a rolling `v4` tag. Pin to the explicit patch instead.

Future v4.0.x patches will need an explicit bump (or migration to a SHA pin), but that's the trade-off for using this action's new immutable-only release model.

Made-with: Cursor
samdatkins approved these changes Apr 29, 2026
This was referenced Apr 29, 2026 (Merged)

dustin-decker pushed a commit to trufflesecurity/helm-charts that referenced this pull request May 1, 2026
## Summary

Bumps `actions/checkout` from `@v4` to `@v6` in `release-helm.yaml`, the only Node-20-era action ref in this repo. Part of the org-wide Node 24 baseline cleanup ahead of GitHub's **2026-09-16 Node 20 removal** deadline (and the earlier **2026-06-02** runner-default flip).

## Action bumps

| action | from | to |
|---|---|---|
| `actions/checkout` | `@v4` | `@v6` |

## Per-PR preflight

- [x] Rolling `@v6` tag verified (`actions/checkout` SHA `de0fac2e...`, 2026-04-29).
- [x] No conflicting Dependabot/Renovate PRs (none open in this repo).
- [x] No surprise reusable-workflow dependencies in `.github/workflows/`.
- [x] `helm/chart-releaser-action` already SHA-pinned (untouched).

## Risk

**Low.** Pure Node-runtime bump. Defaults (`fetch-depth: 0`) unchanged across v4 → v5 → v6.

## Validation

PR-time CI exercises the workflow indirectly via path filters; the workflow itself runs on `release` events, so post-merge validation is the next chart release. To confirm Node 24 in play after the next natural trigger:

```
gh run view <run-id> --repo trufflesecurity/helm-charts --log 2>/dev/null | \
  grep -E "Node\.js (16|20) actions are deprecated"
```

Empty output = green (per [Lesson #2 of the org-wide plan](https://github.com/trufflesecurity)).

## References

- Org-wide plan: `.cursor/plans/org-wide_node_24_follow-up_a33207ac.plan.md`
- Approval doc: `projects/node24-baseline-approval-plan.md`
- Predecessor PRs (already merged 2026-04-29): trufflesecurity/.github#6, trufflesecurity/.github-private#9

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Single CI dependency bump in a release workflow with no logic changes beyond the action version update.
>
> **Overview**
> Updates the Helm chart release GitHub Actions workflow to use `actions/checkout@v6` instead of `@v4`, keeping the checkout behavior (including `fetch-depth: 0`) the same while moving to the newer Node runtime baseline.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit b98b0bf. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Summary

Bumps the four Node-20 JS actions used by the PR Labeling & Hygiene system to their Node 24 majors, ahead of the GitHub Actions deprecation deadlines.

- `actions/checkout`: `@v4` -> `@v6`
- `actions/setup-python`: `@v5` -> `@v6`
- `actions/stale`: `@v9` -> `@v10`
- `astral-sh/ruff-action`: `@v3` -> `@v4`

5 files, 9 line changes total.

Why now

`ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true` opt-out). GitHub changelog.
Files touched

- `.github/workflows/pr-labeler-reusable.yml` - `actions/checkout@v4` to `@v6`
- `.github/workflows/label-sync-reusable.yml` - `actions/checkout@v4` to `@v6`
- `.github/workflows/stale-reusable.yml` - `actions/stale@v9` to `@v10`
- `.github/workflows/lint.yml` - `actions/checkout@v4` to `@v6`, `astral-sh/ruff-action@v3` to `@v4` (2x)
- `.github/workflows/test-scripts.yml` - `actions/checkout@v4` to `@v6`, `actions/setup-python@v5` to `@v6`

PR-time CI coverage

- `lint.yml` runs on every PR -> validates `checkout@v6` and `ruff-action@v4` end-to-end.
- `test-scripts.yml` triggers because the PR touches it (paths filter matches) -> validates `checkout@v6` and `setup-python@v6`.
- `pr-labeler-reusable.yml`, `label-sync-reusable.yml`, `stale-reusable.yml` are `workflow_call`-only and do not run in this repo's PR-time CI. Their bumps need post-merge validation against a downstream caller (see Test plan).

Pre-merge verification (already done)

- `interservice-contracts`, `helm-charts`, `driftwood-server`, `infrastructure`, `slack-integration-service`, `integrations`, `thog`) reference the reusables by `@main`, so bumps auto-propagate.
- `actions/stale@v10` release notes reviewed: only breaking change is "Upgrade to node 24" + new `sort-by` enhancement. All 12 inputs we configure in `stale-reusable.yml` (`days-before-pr-stale`, `days-before-pr-close`, `days-before-issue-stale: -1`, `days-before-issue-close: -1`, `stale-pr-label`, `exempt-pr-labels`, `exempt-draft-pr`, `remove-stale-when-updated`, `delete-branch`, `operations-per-run`, `stale-pr-message`, `close-pr-message`) remain unchanged in v10.

Test plan
PR-time:

- `Python (ruff)` job is green (validates `checkout@v6` + `ruff-action@v4`).
- `Workflows (actionlint)` job is green (validates `checkout@v6` for the actionlint context).
- `test` job in `Test scripts` workflow is green (validates `checkout@v6` + `setup-python@v6`).

Post-merge (low-traffic smoke target: `interservice-contracts`):

- `gh workflow run stale.yml --repo trufflesecurity/interservice-contracts` and confirm `Node.js version: v24.x.x` in the action's invocation log.
- `gh workflow run pr-labeler.yml --repo trufflesecurity/interservice-contracts` (no-op default, safe) and confirm Node 24 in the `Checkout shared scripts` step.
- `gh workflow run sync-labels.yml --repo trufflesecurity/interservice-contracts` (idempotent + additive) and confirm Node 24 in the `Checkout shared labels and script` step.

Caller canary (~24h post-merge):
Risk

- `stale@v10` (highest blast radius: 7 repos x nightly cron) - v10 changelog has no input renames; the `-1` safety belts on `days-before-issue-stale` / `days-before-issue-close` are intact.
- `checkout@v6` - low risk; no submodules, no LFS, default fetch in all 4 usages.
- `ruff-action@v4` - low risk for our `src` + `args` only usage; v4 is a composite-action rewrite.
- `setup-python@v6` - low risk; only changes the Node runtime.

Rollback

Revert this PR. Stale reverts on the next nightly cron; reusables revert on the next caller invocation; lint/test-scripts revert on the next CI run that touches them.

Plan reference

node24 actions bump plan. Companion PR (single-line `checkout@v6` bump in `.github-private`): trufflesecurity/.github-private#9.

Made with Cursor
Note

Low Risk

Low risk version bumps to third-party GitHub Actions in CI/reusable workflows; main risk is minor behavior changes in updated actions affecting downstream reusable-workflow callers.

Overview

Updates workflow dependencies by bumping `actions/checkout` to `v6` across linting and reusable PR-label/label-sync workflows, `actions/setup-python` to `v6` in `test-scripts.yml`, and `actions/stale` to `v10` in the stale PR reusable.

Also upgrades `astral-sh/ruff-action` from `v3` to pinned `v4.0.0` for both `check` and `format --check` runs in `lint.yml`.

Reviewed by Cursor Bugbot for commit fde5dc2. Bugbot is set up for automated code reviews on this repo. Configure here.
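
The pin styles this PR mixes (rolling major tags such as `@v6`, the exact `ruff-action@v4.0.0` tag, a SHA pin, and `@main` for the reusables) can be inventoried per workflow file before a bump like this one. This is an added example, not part of the PR or the repository's scripts; the sample workflow text, the `example-org` names and the SHA are constructed.

```python
import re

# Constructed sample workflow; refs mirror the pin styles named on this page.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    steps:
      - uses: actions/checkout@v6
      - uses: astral-sh/ruff-action@v4.0.0
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
  label:
    uses: example-org/.github/.github/workflows/pr-labeler-reusable.yml@main
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA = re.compile(r"[0-9a-f]{40}")
EXACT = re.compile(r"v?\d+\.\d+\.\d+\S*")  # v4.0.0: fixed only if the release is immutable
ROLLING = re.compile(r"v?\d+(\.\d+)?")     # v6, v4.0: a tag the publisher can move


def classify_ref(ref):
    """Return the pin style of the part after '@' in a uses: value."""
    if FULL_SHA.fullmatch(ref):
        return "sha"
    if EXACT.fullmatch(ref):
        return "exact-tag"
    if ROLLING.fullmatch(ref):
        return "rolling-tag"
    return "branch-or-other"


def audit_workflow(text):
    """List (target, ref, pin style) for every remote uses: line in a workflow."""
    findings = []
    for value in USES_RE.findall(text):
        if value.startswith(("./", "docker://")) or "@" not in value:
            continue  # local actions and container images carry no git ref
        target, ref = value.rsplit("@", 1)
        findings.append((target, ref, classify_ref(ref)))
    return findings


if __name__ == "__main__":
    for target, ref, style in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{style:16} {target}@{ref}")
```

Anything reported as `rolling-tag` or `branch-or-other` changes what runs without a commit in the calling repository, which is the auto-propagation behaviour the description relies on for the `@main` reusables.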