ci: bump GitHub Actions to Node 24 runtimes #208
GitHub forces node20 JavaScript actions onto the Node 24 runner from 2026-06-16 and removes Node 20 from runners on 2026-09-16. Bump every repo-owned action whose action.yml declares runs.using: node20 to the lowest major that declares node24 (verified against each action's raw action.yml at the pinned tag):
- actions/checkout v4 -> v5 (node24)
- actions/cache v4 -> v5 (node24)
- actions/upload-artifact v4 -> v6 (v5 is STILL node20; v6 is node24)
- pnpm/action-setup v4 -> v5 (node24)
- actions/setup-node v4 -> v5 (node24)
codecov/codecov-action stays at v5: its action.yml is runs.using: composite (a wrapper, exempt from the node20 JS-action deprecation) and no major declares node24. Residual: it transitively pins github-script@v7 (node20); codecov@v6 would update that leaf to github-script@v8 (node24) -- out of scope here. node-version: '22' in the prepare composite is the build toolchain Node, unrelated to the action-runtime deprecation, and is left unchanged.
Walkthrough
Bulk version update of the GitHub Actions marketplace actions. Updates pnpm/action-setup and actions/setup-node inside the composite action to v5, actions/checkout in every workflow to v5, and the cache-management and artifact-upload actions in the e2e and test workflows to v5 and v6.
Changes
GitHub Actions dependency update
Codecov Report
✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##             main     #208   +/-   ##
=======================================
  Coverage   66.68%   66.68%
=======================================
  Files         198      198
  Lines        6127     6127
  Branches     1384     1384
=======================================
  Hits         4086     4086
  Misses       1623     1623
  Partials      418      418

Flags with carried forward coverage won't be shown. View full report in Codecov by Harness.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build.yml:
- Around line 14-15: In the Checkout step using actions/checkout@v5, pin the
action to a specific commit SHA instead of the floating tag and explicitly
disable credential persistence: change the uses reference to the full commit SHA
for actions/checkout and add persist-credentials: false under the step (the step
labeled "Checkout" that currently uses actions/checkout@v5) so the checkout
action is immutably pinned and Git credentials are not written into the local
repo config.
In @.github/workflows/fallow.yml:
- Around line 28-29: Replace the Checkout step that currently uses
"actions/checkout@v5" so it pins the action to the full commit SHA (e.g., "uses:
actions/checkout@<full-sha>") and add a with block that sets
"persist-credentials: false" (i.e., add "with:" then "persist-credentials:
false" under the Checkout step). Update the step named "Checkout" (the one with
uses: actions/checkout@v5) accordingly, and apply the same pinning +
persist-credentials change to any other workflows that still reference
actions/checkout@v5.
In @.github/workflows/lint.yml:
- Around line 14-15: The Checkout step currently uses the floating reference
"uses: actions/checkout@v5"; replace that with a fixed commit SHA (e.g.,
actions/checkout@<commit-sha> for the v5 release you verified) and add a with
block setting persist-credentials: false under the same step (the step named
"Checkout" that contains the uses: actions/checkout... line) so the step both
pins the action to a specific SHA and disables credential persistence.
In @.github/workflows/test.yml:
- Around line 14-15: Replace the tag references for GitHub Actions usages with
commit SHAs and add the persist-credentials setting: change the step using
"actions/checkout@v5" (the "Checkout" step) to use the corresponding commit SHA
instead of `@v5` and add a with block containing "persist-credentials: false";
likewise change any "actions/cache@v5" uses to their specific commit SHAs;
ensure indentation/YAML structure is correct so the new with: block nests under
the checkout step and the uses lines are updated to the SHA values.
In @.github/workflows/typecheck.yml:
- Around line 14-15: The workflow uses a floating tag for the checkout action
and doesn't disable credential persistence: replace the uses:
actions/checkout@v5 reference by pinning to the specific commit SHA for
actions/checkout, and add a with: persist-credentials: false block so the
checkout step (uses: actions/checkout@v5) is pinned to a commit SHA and will not
persist credentials.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: e066ed69-24e2-44b5-ac66-03aa6c73f05e
📒 Files selected for processing (7)
- .github/actions/prepare/action.yml
- .github/workflows/build.yml
- .github/workflows/e2e.yml
- .github/workflows/fallow.yml
- .github/workflows/lint.yml
- .github/workflows/test.yml
- .github/workflows/typecheck.yml
…ence Address CodeRabbit/zizmor SAST findings (unpinned-uses + artipacked) across all 5 workflows: pin actions/checkout@v5 to 93cb6ef and add persist-credentials: false. Verified safe — no workflow reuses git credentials after checkout (the only token use is CODECOV_TOKEN passed directly to codecov-action).
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/test.yml (1)
22-27: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win: Recommend pinning the cache action to a commit SHA
actions/cache@v5 is still a tag reference. As with checkout, pinning the cache action to a commit SHA also reduces the supply-chain attack surface. Consider this change as a future hardening step. Suggested fix:
- name: Cache Playwright browsers id: playwright-cache - uses: actions/cache@v5 + uses: actions/cache@704facf57c5d97d75bc9913a4caf61d562658cdf # v5 with:🤖 Prompt for AI Agents
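Review bot: the trailing `# v5` on the pinned line should record the exact tag that the SHA 704facf57c5d97d75bc9913a4caf61d562658cdf was verified against rather than only the major, because that comment is the only human-readable hint of what the pin resolves to and is what Dependabot and Renovate rewrite when they bump SHA-pinned actions; with just `# v5` a reader cannot tell which v5.x release is pinned without resolving the SHA.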
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/test.yml around lines 22 - 27, The workflow step "Cache Playwright browsers" currently references the cache action by tag (uses: actions/cache@v5); pin this to a specific commit SHA instead to reduce supply-chain risk — update the uses value for the step with id playwright-cache (the "Cache Playwright browsers" step) from actions/cache@v5 to actions/cache@<commit-sha> where <commit-sha> is the full commit SHA for the actions/cache release you'd like to pin (obtain from the actions/cache repository), leaving the rest of the step (path, key) unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: b40fb540-5c99-41e2-9fc8-caba2d97a501
📒 Files selected for processing (5)
- .github/workflows/build.yml
- .github/workflows/fallow.yml
- .github/workflows/lint.yml
- .github/workflows/test.yml
- .github/workflows/typecheck.yml
Why
GitHub forces node20 JavaScript actions onto the Node 24 runner starting 2026-06-16, and removes Node 20 from runners on 2026-09-16. CI currently pins six actions whose action.yml declares runs.using: node20, which already emits deprecation annotations and breaks once Node 20 is removed.
What
Bumped every repo-owned action to the lowest major that declares runs.using: node24, verified against each action's raw action.yml at the pinned tag (binding evidence — not release notes):

| Action | runs.using at target | Note |
| --- | --- | --- |
| actions/checkout | node24 | |
| actions/cache | node24 | |
| actions/upload-artifact | node24 | v5 is still node20, so v6 is the lowest node24 major |
| pnpm/action-setup (prepare) | node24 | |
| actions/setup-node (prepare) | node24 | |
| codecov/codecov-action | composite | wrapper — exempt from the node20 JS-action deprecation; no node24 major exists |

Notes
- node-version: '22' in the prepare composite is the build toolchain Node, unrelated to the action-runtime deprecation — left unchanged.
- codecov-action@v5 transitively pins actions/github-script@v7 (node20). codecov@v6 (also composite) updates that leaf to github-script@v8 (node24) if zero transitive node20 noise is later desired.
- runs.using: node24 re-confirmed by fetching each pinned tag. The deprecation annotation is eliminated by construction for all repo-owned refs — this PR's own CI run is the live confirmation.
🤖 Generated with Claude Code
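The checks this PR and its review turn on, as an added Python example that is not part of the PR or the repository's tooling: it reads runs.using from each action's action.yml at the pinned ref (the PR's verification method) and flags floating tags and checkout steps that keep persist-credentials (the zizmor unpinned-uses and artipacked findings raised in the review). The workflow text and the action.yml fragments are constructed stand-ins, not the real upstream files; the cache SHA is the one quoted in the review suggestion.

```python
import re

# Constructed sample workflow (not the repository's file): the cache step is
# SHA-pinned, the others float on a major tag, checkout keeps persist-credentials.
WORKFLOW = """\
steps:
  - uses: actions/checkout@v5
  - uses: actions/cache@704facf57c5d97d75bc9913a4caf61d562658cdf # v5
  - uses: actions/upload-artifact@v5
  - uses: codecov/codecov-action@v5
"""
# Constructed stand-ins for each action's raw action.yml at the pinned ref; they model
# only the runs.using values the PR reports (the PR fetched the real files upstream).
ACTION_YML = {
    "actions/checkout@v5": "runs:\n  using: node24\n  main: dist/index.js\n",
    "actions/cache@704facf57c5d97d75bc9913a4caf61d562658cdf": "runs:\n  using: 'node24'\n",
    "actions/upload-artifact@v5": "runs:\n  using: node20\n  main: dist/upload/index.js\n",
    "codecov/codecov-action@v5": "runs:\n  using: composite\n  steps: []\n",
}
USES = re.compile(r"^\s*uses:\s*(\S+)", re.M)
PERSIST_FALSE = re.compile(r"^\s*persist-credentials:\s*false\b", re.M)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")                # immutable pin, not a movable tag
RUNS_USING = re.compile(r"""^runs:.*?^\s+using:\s*['"]?([A-Za-z0-9-]+)""", re.M | re.S)

def runs_using(action_yml):
    """Runtime declared under runs.using (node20, node24, composite, ...) or None."""
    m = RUNS_USING.search(action_yml)
    return m.group(1) if m else None

def parse_steps(workflow):
    """Split the steps list on '- key:' items; return (uses ref, persist-credentials off?)."""
    steps = []
    for chunk in re.split(r"^\s*-\s+(?=\w+:)", workflow, flags=re.M)[1:]:
        m = USES.search(chunk)
        if m:
            steps.append((m.group(1), bool(PERSIST_FALSE.search(chunk))))
    return steps

def audit(workflow, action_yml_by_ref):
    """(rule, ref) findings: floating tag, artipacked checkout, node20 runtime."""
    findings = []
    for ref, persist_off in parse_steps(workflow):
        action, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            findings.append(("unpinned-uses", ref))
        if action == "actions/checkout" and not persist_off:
            findings.append(("artipacked", ref))       # token stays in .git/config
        if runs_using(action_yml_by_ref.get(ref, "")) == "node20":
            findings.append(("node20-runtime", ref))   # composite wrappers are exempt
    return findings
```

Running audit(WORKFLOW, ACTION_YML) reports checkout as unpinned and artipacked, upload-artifact as unpinned and node20, codecov as unpinned only, and nothing for the SHA-pinned cache step.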