
ci: upgrade GitHub Actions to Node 24-compatible versions #2511

Merged: andrewhsu merged 10 commits into master from ci/upgrade-actions-node24, Jun 18, 2026

andrewhsu (Member) commented Jun 16, 2026

Summary

GitHub is deprecating Node 20 on Actions runners (Node 16 is already removed). Workflows pinned to actions running on those runtimes will eventually break. This PR upgrades the external actions in .github/workflows/ to a Node 24-supporting version — one commit per action, so each upgrade can be reviewed and reverted independently. Each commit body links to the upstream release notes and calls out any breaking change relevant to our usage.

Upgrades

| Action | From | To |
|---|---|---|
| actions/cache | v4 | v5 |
| actions/checkout | v5 | v6 |
| actions/github-script | v7 | v9 |
| actions/setup-node | v4 | v6 |
| actions/upload-artifact | v4 | v7 |
| arduino/setup-task | v1 | v2 |
| aws-actions/aws-secretsmanager-get-secrets | v2 | v3 |
| aws-actions/configure-aws-credentials | v4 | v6 |
| golangci/golangci-lint-action | v8 | v9 |
| peter-evans/repository-dispatch | @caebe2a7 (untagged ~v2.x) | v4 |

Notes

  • actions/checkout v5 → v6 — v5 already runs on Node 24, so this is a currency bump to the approved major, not a runtime change. v6 persists the auth token to a separate file instead of .git/config; our checkout/build steps don't read .git/config.
  • actions/github-script v7 → v9 — v9 makes the bundled packages ESM-only (require('@actions/github') stops working; getOctokit becomes an injected parameter). All five of our script: bodies use only the pre-injected github/context/core, so none are affected.
  • golangci/golangci-lint-action v8 → v9 — stays within the golangci-lint v2.x era; the v1→v2 binary fork happened at v7. We pin version: v2.10 and --config=.golangci.yaml, so neither the binary version nor the linter set changes.
  • peter-evans/repository-dispatch — was pinned to an untagged Node 16 commit (caebe2a7). Moved to the floating v4 tag (currently v4.0.1, Node 24); pinned to v4 rather than v4.0.0, whose action.yml declared the wrong Node version (fixed in v4.0.1). Our token / repository / event-type / client-payload inputs are unchanged.
    • Supply-chain trade-off (deliberate): this swaps an immutable commit-SHA pin for a floating tag on the repo's one privileged cross-repo dispatch step (ACTIONS_BOT_TOKEN → console-enterprise). We accept the standard publisher-trust posture here for consistency with the rest of .github/workflows/ (every other action uses a floating major tag) and with verify_actions.py's approved v4 pin — and the prior SHA was itself stale (Node 16), not a current audited pin. If we want to harden later, the right move is to SHA-pin all third-party actions and add Dependabot/Renovate to surface upgrades, rather than singling out this one.

Out of scope / follow-up

  • arduino/setup-task — bumped v1 → v2 to get off the already-removed Node 16 runtime, but v2 runs on Node 20, not Node 24 — there is no Node 24 release yet. A further bump should follow once upstream ships one. (This is also why verify_actions.py still lists arduino/setup-task@v2 as unknown — the action isn't in the tool's allowed_actions map.)

Verification

  • verify_actions.py .github/workflows/ → all 41 version-mismatch violations resolved; the only remaining lines are the two arduino/setup-task@v2 unknown refs (explained above).
  • The diff is exclusively uses: version-string changes — no logic touched, and no new yamllint findings (repo has no yaml-lint CI).

Test plan

  • CI on this PR exercises the PR-/push-triggered workflows that use the upgraded actions (buf, proto-generate, backend-lint-test, frontend-verify, frontend-react-doctor).
  • Post-merge, confirm the event-gated workflows still work: changelog (tag push), repository-dispatch / enterprise-ci-skip (push), fork-pr-dispatch (fork PR workflow_run).

🤖 Generated with Claude Code
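
The supply-chain trade-off in the PR description above (a floating tag instead of a commit-SHA pin on a step that is handed a token) can be surfaced mechanically across workflow files. The following is an added example, not part of the PR and not the repository's verify_actions.py; the risk labels, the `first_party` default and the sample workflow are assumptions made for illustration.

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?(?!docker://)([^\s'\"#@]+)@([^\s'\"#]+)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.(\w+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def split_steps(text):
    """Group lines into list items; a key at or above the dash's indent ends the list."""
    steps, indent = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        lead = len(line) - len(line.lstrip())
        if line.lstrip().startswith("- ") and (indent is None or lead <= indent):
            steps.append([])
            indent = lead
        elif indent is not None and lead <= indent:
            indent = None  # left the list, e.g. reached the next job's key
        if indent is not None:
            steps[-1].append((no, line))
    return steps

def audit(text, first_party=("actions",)):
    """One finding per external `uses:` ref; the risk labels are an assumed policy."""
    findings = []
    for step in split_steps(text):
        secrets = sorted({s for _, l in step for s in SECRET_RE.findall(l)})
        for no, line in step:
            if m := USES_RE.match(line):
                action, ref = m.groups()
                third_party = action.split("/")[0] not in first_party
                risk = ("ok" if FULL_SHA_RE.fullmatch(ref) else "high" if third_party and secrets
                        else "medium" if third_party else "low")
                findings.append(dict(line=no, action=action, ref=ref, secrets=secrets, risk=risk))
    return findings

# Constructed sample (not the repository's workflow); the 40-hex SHA is a placeholder.
SAMPLE = """\
steps:
  - uses: actions/checkout@v6
  - uses: golangci/golangci-lint-action@v9
  - uses: peter-evans/repository-dispatch@v4
    with:
      token: ${{ secrets.ACTIONS_BOT_TOKEN }}
  - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Secrets set at job level and the permissions of the default GITHUB_TOKEN are not considered, so a "medium" finding can still sit on a privileged job.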

@github-actions (Contributor)

The latest Buf updates on your PR. Results from workflow Buf CI / validate (pull_request).

| Build | Format | Lint | Breaking | Updated (UTC) |
|---|---|---|---|---|
| ✅ passed | ❌ failed (38) | ✅ passed | ✅ passed | Jun 16, 2026, 8:45 PM |

andrewhsu and others added 10 commits June 16, 2026 14:17
Updates 4 occurrences across 4 workflow files. v5 runs on Node 24; v4
runs on Node 20, which is being deprecated on GitHub Actions runners.
The only change is the runtime bump -- no input or API changes.

See https://github.com/actions/cache/releases/tag/v5.0.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Updates 9 occurrences across 4 workflow files. v5 and v6 both run on
Node 24, so this is not a runtime change -- it aligns the pin with the
current major. v6 persists the auth token to a separate file instead of
.git/config; our checkout and build steps don't read .git/config, so
the change is transparent.

(buf.yml's checkout bump is handled separately in #2512.)

See https://github.com/actions/checkout/releases/tag/v6.0.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Updates 5 occurrences across 4 workflow files. v9 runs on Node 24
(switched at v8); v7 runs on Node 20, which is being deprecated on
GitHub Actions runners.

v9 makes the bundled packages ESM-only: require('@actions/github') no
longer works inside scripts, and getOctokit is now an injected
parameter (redeclaring it with const/let throws). All of our scripts
use only the pre-injected github, context, and core objects to call
createCommitStatus / core.setOutput, so none are affected.

See https://github.com/actions/github-script/releases/tag/v9.0.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

v6 runs on Node 24 (switched at v5); v4 runs on Node 20, which is being
deprecated on GitHub Actions runners.

v5+ adds automatic dependency caching (narrowed to npm in v6) when
package.json declares a packageManager field. Our step sets only
node-version and then installs a global npm package -- no project
dependencies and no `cache:` input -- so the new auto-caching has no
effect here.

See https://github.com/actions/setup-node/releases/tag/v6.0.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Updates 3 occurrences in frontend-verify.yml. v7 runs on Node 24
(switched at v6); v4 runs on Node 20, which is being deprecated on
GitHub Actions runners.

v7 ships the action as ESM (internal to the action -- no effect on YAML
usage) and adds an opt-in `archive` input. Our uploads pass only name /
path / retention-days, and the matrix job already uses a unique artifact
name per shard, so no input or behavior changes apply.

See https://github.com/actions/upload-artifact/releases/tag/v7.0.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Updates 2 occurrences (backend-lint-test, proto-generate). v1 runs on
Node 16, which has already been removed from GitHub Actions runners; v2
runs on Node 20. arduino/setup-task has no Node 24 release yet, so v2 is
the newest available -- this gets the action off Node 16 now, and a
Node 24 bump can follow once upstream ships one.

The `version: 3.x` and repo-token inputs are unchanged between v1 and v2.

See https://github.com/arduino/setup-task/releases/tag/v2.0.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Updates 4 occurrences across 4 workflow files. v3 runs on Node 24; v2
runs on Node 20, which is being deprecated on GitHub Actions runners.
No input changes affect our usage (secret-ids + parse-json-secrets).

(buf.yml's bump is handled separately in #2512.)

See https://github.com/aws-actions/aws-secretsmanager-get-secrets/releases/tag/v3.0.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Updates 4 occurrences across 4 workflow files. v6 runs on Node 24; v4
runs on Node 20, which is being deprecated on GitHub Actions runners.

Our usage only sets aws-region and role-to-assume (string inputs), so
the v5 input-validation change (invalid booleans now throw instead of
coercing to false) does not affect us.

(buf.yml's bump is handled separately in #2512.)

See https://github.com/aws-actions/configure-aws-credentials/releases/tag/v6.0.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

v9 runs on Node 24; v8 runs on Node 20, which is being deprecated on
GitHub Actions runners.

v8 -> v9 stays within the golangci-lint v2.x era -- the v1 -> v2 binary
fork happened at v7, not here. Our step pins `version: v2.10` and an
explicit `--config=.golangci.yaml`, so the action neither resolves a
floating binary version nor changes the default linter set; this is a
runtime-only bump for us.

See https://github.com/golangci/golangci-lint-action/releases/tag/v9.0.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Updates 3 occurrences across 2 workflow files. The pinned commit
(caebe2a7) is an untagged v2.x-era build that runs on Node 16, which
has already been removed from GitHub Actions runners. v4 runs on Node 24.

Pinned to the floating v4 tag (currently v4.0.1) rather than v4.0.0,
whose action.yml declared the wrong Node version (fixed in v4.0.1). The
token / repository / event-type / client-payload inputs we pass are
unchanged.

See https://github.com/peter-evans/repository-dispatch/releases/tag/v4.0.0

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@andrewhsu andrewhsu force-pushed the ci/upgrade-actions-node24 branch from 1824d20 to 82f7df0 on June 16, 2026 21:17
andrewhsu added a commit that referenced this pull request Jun 16, 2026
Moved here from #2511 so that PR's checks stay green without
re-triggering Buf CI. Bumps the external actions used in
.github/workflows/buf.yml:

- actions/checkout v5 -> v6 (3 occurrences)
- aws-actions/configure-aws-credentials v4 -> v6 (2 occurrences)
- aws-actions/aws-secretsmanager-get-secrets v2 -> v3 (2 occurrences)

Same Node 24 rationale as the sibling per-action commits in #2511; no
input changes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@andrewhsu (Member, Author)

I've moved buf.yml workflow changes off to a separate PR #2512 so those changes do not block this one from merging.

@andrewhsu andrewhsu marked this pull request as ready for review June 17, 2026 02:08
@andrewhsu andrewhsu enabled auto-merge June 17, 2026 02:08
@andrewhsu andrewhsu requested review from a team, PrzemekZglinicki, c-julin and malinskibeniamin and removed request for a team June 17, 2026 02:08
andrewhsu added a commit that referenced this pull request Jun 17, 2026
@andrewhsu andrewhsu merged commit b816313 into master Jun 18, 2026
15 checks passed
@andrewhsu andrewhsu deleted the ci/upgrade-actions-node24 branch June 18, 2026 08:10