From c8aecb46f4759bbb2934bf99510c89bd7fb9a759 Mon Sep 17 00:00:00 2001
From: Andrew Hsu <xuzuan@gmail.com>
Date: Tue, 16 Jun 2026 14:18:58 -0700
Subject: [PATCH 1/2] ci: upgrade buf.yml actions to Node 24 versions

Moved here from #2511 so that PR's checks stay green without
re-triggering Buf CI. Bumps the external actions used in
.github/workflows/buf.yml:

- actions/checkout v5 -> v6 (3 occurrences)
- aws-actions/configure-aws-credentials v4 -> v6 (2 occurrences)
- aws-actions/aws-secretsmanager-get-secrets v2 -> v3 (2 occurrences)

Same Node 24 rationale as the sibling per-action commits in #2511; no
input changes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/buf.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/buf.yml b/.github/workflows/buf.yml
index 7d7e36648f..91d8e000f7 100644
--- a/.github/workflows/buf.yml
+++ b/.github/workflows/buf.yml
@@ -43,7 +43,7 @@ jobs:
     if: github.event_name == 'push' || github.event_name == 'pull_request'
     runs-on: blacksmith-2vcpu-ubuntu-2404
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Buf – lint, format & breaking
         uses: bufbuild/buf-action@v1
         with:
@@ -63,18 +63,18 @@ jobs:
     needs: validate  # Only run after validation passes
     runs-on: blacksmith-2vcpu-ubuntu-2404
     steps:
-      - uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@v6
         with:
           aws-region: ${{ vars.RP_AWS_CRED_REGION }}
           role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
 
-      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
+      - uses: aws-actions/aws-secretsmanager-get-secrets@v3
         with:
           secret-ids: |
             ,sdlc/prod/github/buf_token
           parse-json-secrets: true
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Buf – push to registry
         uses: bufbuild/buf-action@v1
@@ -96,18 +96,18 @@ jobs:
       github.repository == 'redpanda-data/console'
     runs-on: blacksmith-2vcpu-ubuntu-2404
     steps:
-      - uses: aws-actions/configure-aws-credentials@v4
+      - uses: aws-actions/configure-aws-credentials@v6
         with:
           aws-region: ${{ vars.RP_AWS_CRED_REGION }}
           role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
 
-      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
+      - uses: aws-actions/aws-secretsmanager-get-secrets@v3
         with:
           secret-ids: |
             ,sdlc/prod/github/buf_token
           parse-json-secrets: true
 
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Buf – archive label (ignore if not found)
         uses: bufbuild/buf-action@v1

From 3072e996260cab825beb3bc1af88f8059f925f41 Mon Sep 17 00:00:00 2001
From: Andrew Hsu <xuzuan@gmail.com>
Date: Tue, 16 Jun 2026 20:18:58 -0700
Subject: [PATCH 2/2] ci: pin buf CLI to 1.65.0 in buf.yml

bufbuild/buf-action@v1 installs the latest buf release by default. buf
1.71.0 changed the formatter (it collapses short nested message
literals onto one line), so `buf format --diff` in the validate job
started failing on protos that are formatted for the repo's pinned buf
1.65.0 (BUF_VERSION in taskfiles/proto.yaml, used by `task proto:generate`).

Pin buf-action to 1.65.0 so CI's lint/format checks use the same buf
version as code generation -- one source of truth -- instead of drifting
whenever buf publishes a new release.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .github/workflows/buf.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/buf.yml b/.github/workflows/buf.yml
index 91d8e000f7..1055c6af07 100644
--- a/.github/workflows/buf.yml
+++ b/.github/workflows/buf.yml
@@ -47,6 +47,8 @@ jobs:
       - name: Buf – lint, format & breaking
         uses: bufbuild/buf-action@v1
         with:
+          # buf CLI version - keep in sync with BUF_VERSION in taskfiles/proto.yaml
+          version: 1.65.0
           lint: true
           format: true
           breaking: ${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'Buf Skip Breaking') }}
@@ -79,6 +81,8 @@ jobs:
       - name: Buf – push to registry
         uses: bufbuild/buf-action@v1
         with:
+          # buf CLI version - keep in sync with BUF_VERSION in taskfiles/proto.yaml
+          version: 1.65.0
           # No validation - already done in validate job
           lint: false
           format: false
@@ -112,6 +116,8 @@ jobs:
       - name: Buf – archive label (ignore if not found)
         uses: bufbuild/buf-action@v1
         with:
+          # buf CLI version - keep in sync with BUF_VERSION in taskfiles/proto.yaml
+          version: 1.65.0
           # Only archive - no other operations
           push: true
           token: ${{ env.BUF_TOKEN }}