Pin GitHub Actions to commit SHAs and bump to Node 24-compatible versions#18
Open
AevumDecessus wants to merge 1 commit into
Conversation
GitHub deprecated Node.js 20 actions and is forcing Node.js 24 starting June 2nd, 2026 (https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/). Both workflows now print a deprecation warning on every run.

Bump every third-party action reference to its latest major (all on Node.js 24) and pin each to a commit SHA, with the human-readable version in a trailing comment. SHA-pinning prevents a compromised maintainer or repo takeover from substituting malicious code under an existing tag.

Per-action notes:
- actions/checkout v4 -> v6.0.2: internal credential-handling refactor, transparent for default usage.
- actions/setup-go v5 -> v6.4.0: now sets GOTOOLCHAIN=local. Safe for our go.mod which has no toolchain directive (just go 1.25.4).
- docker/setup-buildx-action v3 -> v4.0.0: removes deprecated config/config-inline/install inputs (none in use).
- docker/login-action v3 -> v4.1.0: Node 24 + ESM rewrite, no API changes.
- docker/metadata-action v5 -> v6.0.0: now preserves # in tag values; we have none.
- docker/build-push-action v5 -> v7.1.0: build summary now generated by default in the Actions UI; can be opted out via DOCKER_BUILD_SUMMARY: false if undesired.
What
GitHub deprecated Node.js 20 actions (changelog). Both workflows currently emit a deprecation warning on every run:
This PR upgrades all six referenced actions to their latest majors, all of which run on Node.js 24, and pins each to a commit SHA so we have an immutable reference.
Pinning to SHAs
Pinning by tag (`@v6`) means the tag could be moved by a compromised maintainer or a takeover of the action's repo. Pinning by commit SHA (`@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`) means the action ref is immutable - GitHub will refuse to run anything else under that ref. This is the GitHub-recommended hardening for third-party actions and is consistent with what `dependabot` produces when it bumps action versions. The `# vX.Y.Z` trailing comment keeps the version readable in code review.

Version table

| Action | From | To | Notes |
| --- | --- | --- | --- |
| `actions/checkout` | v4 | v6.0.2 | internal credential-handling refactor, transparent for default usage |
| `actions/setup-go` | v5 | v6.4.0 | `GOTOOLCHAIN=local`, safe for our `go 1.25.4` go.mod with no `toolchain` directive |
| `docker/setup-buildx-action` | v3 | v4.0.0 | removes deprecated `config`, `config-inline`, `install` inputs (we use none) |
| `docker/login-action` | v3 | v4.1.0 | Node 24 + ESM rewrite, no API changes |
| `docker/metadata-action` | v5 | v6.0.0 | `#` parsing change in tag values (we have no `#` in our tags) |
| `docker/build-push-action` | v5 | v7.1.0 | build summary on by default; `DOCKER_BUILD_SUMMARY: false` if undesired |

Notes for review

- The build summary (`docker/build-push-action@v6+`) is purely additive to the GitHub Actions UI - no behavior change in what gets pushed to ghcr or how. If the maintainer prefers to suppress it, add `DOCKER_BUILD_SUMMARY: false` to the env block.
- Both workflows run on `ubuntu-latest`; the v2.327.1+ runner version requirement stated in the action release notes is already covered by `ubuntu-latest`.

Verification
The CI ran the new versions on the PR itself - if this PR's lint and docker-build jobs both pass green, the upgrade has succeeded. If anything fails, the per-action breaking-change notes above are the place to start.
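One way to audit a workflow for the convention this PR adopts (every third-party action pinned to a full 40-hex commit SHA, with a trailing `# vX.Y.Z` comment), added here as an example and not part of the PR or the repository's own tooling. The sample workflow is constructed; only the `actions/checkout` SHA is the one quoted in the description above, the other SHA is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not the PR's real file). The checkout SHA is the
# one from the PR description; the login-action SHA is an all-zero placeholder.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@v6
      - uses: docker/login-action@0000000000000000000000000000000000000000
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""

# Matches "uses: <ref>" with an optional trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
# A full commit SHA: exactly 40 lowercase hex characters (abbreviated SHAs are rejected).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` line that references a third-party action
    without a full commit SHA, or with a SHA but no human-readable version comment."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        # Local actions (./path) and docker:// images are out of scope for SHA pinning.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.partition("@")
        comment = (m.group("comment") or "").strip()
        if not SHA_RE.match(version):
            findings.append({"line": lineno, "action": action, "ref": version,
                             "issue": "not pinned to a full commit SHA"})
        elif not comment.startswith("v"):
            findings.append({"line": lineno, "action": action, "ref": version,
                             "issue": "SHA-pinned but missing trailing '# vX.Y.Z' comment"})
    return findings


if __name__ == "__main__":
    for f in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']}: {f['issue']}")
```

Run against the sample it flags `actions/setup-go@v6` (tag, movable) and the commented-out-of-review `docker/login-action` SHA (no version comment), and passes the checkout line, the local action and the docker:// image.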