ci(l1,l2): bump deprecated GitHub Actions to v6

[avilagaston9]

Motivation

Silence the Node.js 20 deprecation warnings emitted on every workflow run. GitHub forces Node.js 24 on June 2nd, 2026 and removes the Node.js 20 runner on September 16th, 2026.

Description

Bumps every first-party actions/* reference still on Node 20 to its latest Node-24 major:

Action	From	To	Refs
actions/checkout	v4	v6	66
actions/download-artifact	v4	v6	24
actions/upload-artifact	v4	v6	17
actions/github-script	v7	v8	4
actions/setup-node	v4	v6	2
actions/cache/restore	v3	v5	2
actions/cache	v4	v5	1
actions/cache/restore	v4	v5	1
actions/cache/save	v4	v5	1
actions/create-github-app-token	v2	v3	1

119 references → 0 for first-party actions on Node 20. Third-party actions still on Node 20 (dorny/paths-filter@v3, docker/{build-push,login,setup-buildx,setup-qemu}-action, softprops/action-gh-release@v2, peter-evans/*, etc.) are deliberately out of scope — separate upstreams, separate breaking-change review.

Breaking-change check (all verified safe for our usage):

• Artifact actions v5+: artifacts are now immutable. Every upload-artifact name: is unique or matrix-templated.
• setup-node v5/v6: auto-cache only triggers when package.json has a packageManager field. Ours doesn't.
• github-script v8: pure runtime bump (v9 changes getOctokit/require('@actions/github') — held back).
• create-github-app-token v3: removes custom proxy handling; we don't set HTTP_PROXY.
• actions/cache v5: pure runtime bump.

Checklist

• Updated STORE_SCHEMA_VERSION (crates/storage/lib.rs) — N/A

[github-actions]

🤖 Kimi Code Review

Critical Issue: Non-existent Action Versions

The PR upgrades actions/checkout, actions/upload-artifact, and actions/download-artifact from v4 to v6. These versions do not exist in the official GitHub Actions marketplace (latest stable is v4). This will cause all workflows to fail immediately with "unable to find version" errors.

• File: .github/actions/snapsync-run/action.yml, line 38
• File: .github/workflows/common_failure_alerts.yaml, line 47
• File: .github/workflows/daily_hive_report.yaml, lines 109, 180, 193, 229, 248, 251
• (And 30+ other locations)

Recommendation: Verify the target version. If upgrading artifact actions, note that v4 introduced breaking changes (artifacts are immutable by default; distinct upload/download artifacts cannot share the same name). If intending to upgrade to v5 (when available), ensure workflows don't rely on overwriting existing artifacts.

Pre-existing Typo (Not Critical)

The typo "etherex" (instead of "ethrex") persists in .github/workflows/pr-main_l1.yaml line 178. This was not introduced by this PR but remains uncorrected.

---

Automated review by Kimi (Moonshot AI) · kimi-k2.5 · custom prompt

[github-actions]

🤖 Claude Code Review

Here is the review for PR #6554:

---

PR #6554 — ci(l1,l2): bump deprecated GitHub Actions to v6

Overview

A pure CI maintenance PR that mechanically updates 107 references across 27 files, bumping three first-party GitHub Actions from @v4 to @v6 to migrate from Node.js 20 to Node.js 24 before GitHub forces the change on June 2, 2026.

---

Correctness & Breaking Change Analysis

The PR description does a thorough job analyzing the v4→v6 breaking changes. The key risk is the immutable artifact constraint introduced in v5 (and carried into v6): a second upload-artifact step with the same name in the same run now fails hard. The author checked every upload site; verification:

• tag_release.yaml — artifact names use matrix variables (${{ matrix.l2_suffix }}-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.gpu_suffix }}, ${{ matrix.zkvm }}_verification_keys, ${{ env.ELF_ARTIFACT }}), ensuring uniqueness per matrix cell. The single verification_keys upload is gated with if: ${{ matrix.platform == 'ubuntu-22.04' && matrix.stack == 'l2_gpu' }}, so it fires exactly once.
• All other workflows upload to unique static names or matrix-scoped names.

No duplicates found. The analysis holds.

---

Security Observation

All actions are pinned to floating major-version tags (@v6) rather than immutable commit SHAs. This is a pre-existing pattern throughout the repo, not introduced by this PR, but worth noting:

# current (after this PR)
uses: actions/checkout@v6

# more supply-chain-hardened alternative
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v6.1.7

If a tag were moved (e.g., via a compromised release), CI would silently run the new code. For a consensus-critical project like an Ethereum execution client, SHA pinning is a stronger posture. Tools like pin-github-actions or Dependabot's update-type: version-only mode can automate this. This is low urgency since these are first-party GitHub-owned actions, but it's a separate follow-up worth filing.

---

Completeness

• All 107 @v4 references across all 27 files are updated. No partial upgrades, no leftover @v3 or @v4 references in .github/ per the PR description.
• The composite action (.github/actions/snapsync-run/action.yml) is included, which is easy to miss in bulk find-and-replace.
• The release workflow (tag_release.yaml) cannot be exercised on this PR branch directly (triggers only on v*.*.*-* tags); the PR description correctly calls this out.
• actionlint passes with 0 errors.

---

Summary

The change is correct, complete, and well-analyzed. The immutable-artifact constraint is the only meaningful behavioral change and the author has verified it does not affect any existing workflow. No blocking issues.

The only actionable suggestion is a follow-up task (not blocking this PR): consider SHA-pinning all GitHub Actions references for stronger supply-chain security, tracked separately from this maintenance bump.

Verdict: Approve. This is a safe, necessary, and well-reasoned maintenance change.

---

Automated review by Claude (Anthropic) · sonnet · custom prompt

[greptile-apps]

Greptile Summary

This PR is a mechanical CI maintenance update that bumps three GitHub Actions from @v4 to @v6 across 107 references in 27 files: actions/checkout, actions/upload-artifact, and actions/download-artifact. The PR description thoroughly analyzes the v5/v6 breaking change (artifact immutability) and confirms no workflows produce duplicate artifact names within a run.

Confidence Score: 5/5

Safe to merge — purely mechanical version bump with no logic changes.

All 107 changes are identical find-and-replace version bumps. The PR description correctly identifies and dismisses the only relevant v5/v6 breaking change (artifact immutability) by auditing every artifact name. No duplicate artifact names exist within any single run.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/tag_release.yaml	9 action bumps (checkout×4, upload-artifact×5, download-artifact×6); all artifact names are unique or matrix-templated, so immutability constraint is satisfied.
.github/workflows/pr-main_l2.yaml	Most-changed workflow file; checkout, upload-artifact, and download-artifact all bumped to v6 with no logic changes.
.github/workflows/pr-main_l1.yaml	Routine bump of checkout×5, upload-artifact×2, download-artifact×2; artifact names are unique per run.
.github/actions/snapsync-run/action.yml	Single checkout bump inside the composite action; no issues.
.github/workflows/pr_loc.yaml	Three separate checkout steps all bumped to v6; no behavior change expected.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["GitHub Actions Runner\n(Node.js 24 enforced Jun 2026)"] --> B{Action version}
    B -- "v4 (before)" --> C["⚠️ Node.js 20 deprecation warning\nRemoved Sep 16 2026"]
    B -- "v6 (after)" --> D["✅ Node.js 24 compatible\nNo deprecation warning"]
    D --> E["actions/checkout@v6\n66 refs → 24 files"]
    D --> F["actions/upload-artifact@v6\n17 refs → immutable backend"]
    D --> G["actions/download-artifact@v6\n24 refs → immutable backend"]
    F --> H{Artifact names unique\nper run?}
    H -- "Yes (matrix-templated or\nconditional)" --> I["✅ No immutability conflict"]
    H -- "No" --> J["❌ Workflow would fail"]

Loading

_{Reviews (1): Last reviewed commit: "Bump GitHub Actions checkout, upload-art..." | Re-trigger Greptile}

[Copilot]

Pull request overview

Updates GitHub Actions workflow dependencies to eliminate Node.js 20 deprecation warnings and ensure compatibility with the upcoming default switch to Node.js 24 on GitHub-hosted runners.

Changes:

• Bump actions/checkout from @v4 to @v6 across workflows and a composite action.
• Bump actions/upload-artifact and actions/download-artifact from @v4 to @v6 across workflows.

Reviewed changes

Copilot reviewed 27 out of 27 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
.github/workflows/tag_release.yaml	Bump checkout/upload/download artifact actions to @v6 in the release workflow.
.github/workflows/pr_upgradeability.yaml	Bump actions/checkout to @v6.
.github/workflows/pr_perf_levm.yaml	Bump checkout/upload/download artifact actions to @v6 for perf benchmarking workflows.
.github/workflows/pr_perf_build_block_bench.yml	Bump actions/checkout to @v6.
.github/workflows/pr_perf_blocks_exec.yaml	Bump checkout/upload-artifact actions to @v6.
.github/workflows/pr_nostd.yaml	Bump actions/checkout to @v6.
.github/workflows/pr_loc.yaml	Bump actions/checkout to @v6 for all checkouts used in LOC reporting.
.github/workflows/pr_lint_readme.yaml	Bump actions/checkout to @v6.
.github/workflows/pr_lint_license.yaml	Bump actions/checkout to @v6.
.github/workflows/pr_lint_gha.yaml	Bump actions/checkout to @v6.
.github/workflows/pr_github_status_l1.yaml	Bump actions/checkout to @v6.
.github/workflows/pr_github_metadata.yaml	Bump actions/checkout to @v6.
.github/workflows/pr_check_l2_genesis.yml	Bump actions/checkout to @v6.
.github/workflows/pr-main_mdbook.yml	Bump checkout/upload/download artifact actions to @v6 for docs build/deploy.
.github/workflows/pr-main_levm.yaml	Bump checkout/upload/download artifact actions to @v6 for LEVM PR/main comparison.
.github/workflows/pr-main_l2_tdx_build.yaml	Bump actions/checkout to @v6.
.github/workflows/pr-main_l2_prover.yaml	Bump actions/checkout to @v6 across L2 prover jobs.
.github/workflows/pr-main_l2.yaml	Bump checkout/upload/download artifact actions to @v6 across L2 workflow jobs.
.github/workflows/pr-main_l1_l2_dev.yaml	Bump actions/checkout to @v6.
.github/workflows/pr-main_l1.yaml	Bump checkout/upload/download artifact actions to @v6 across L1 workflow jobs.
.github/workflows/manual_docker_performance_publish.yaml	Bump actions/checkout to @v6.
.github/workflows/main_prover.yaml	Bump actions/checkout to @v6.
.github/workflows/daily_snapsync.yaml	Bump actions/checkout to @v6.
.github/workflows/daily_loc_report.yaml	Bump actions/checkout to @v6.
.github/workflows/daily_hive_report.yaml	Bump checkout/upload/download artifact actions to @v6 for daily hive reporting.
.github/workflows/common_failure_alerts.yaml	Bump actions/checkout to @v6.
.github/actions/snapsync-run/action.yml	Bump actions/checkout to @v6 inside the composite action.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

🤖 Codex Code Review

1. Medium: daily_snapsync.yaml, snapsync-run/action.yml, and main_prover.yaml move the ethrex-sync and gpu jobs to actions/checkout@v6, but the repo only identifies those pools as self-hosted in actionlint.yaml. checkout@v6 inherits the Node 24 runtime change from v5 and requires Actions Runner v2.327.1+; if those runners are not already upgraded, the snapsync/prover workflows will fail before any tests start. I’d either keep the self-hosted jobs on the previous major or land an explicit runner-fleet upgrade/validation in the same PR. (github.com)

Assuming gpu and ethrex-sync are already on a compatible runner version, I don’t see other blocking issues. This is a CI-only diff, so I have no EVM, consensus, trie, RLP, or transaction-validation findings beyond that compatibility risk.

---

Automated review by OpenAI Codex · gpt-5.4 · custom prompt

[github-actions]

Benchmark Results Comparison

No significant difference was registered for any benchmark run.

Detailed Results

Benchmark Results: BubbleSort

Command	Mean [s]	Min [s]	Max [s]	Relative
main_revm_BubbleSort	3.009 ± 0.026	2.978	3.049	1.13 ± 0.01
main_levm_BubbleSort	2.668 ± 0.015	2.654	2.696	1.00
pr_revm_BubbleSort	3.023 ± 0.027	2.998	3.080	1.13 ± 0.01
pr_levm_BubbleSort	2.673 ± 0.014	2.655	2.693	1.00 ± 0.01

Benchmark Results: ERC20Approval

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_ERC20Approval	984.1 ± 9.5	968.0	998.2	1.00
main_levm_ERC20Approval	1017.6 ± 8.4	1007.2	1031.4	1.03 ± 0.01
pr_revm_ERC20Approval	992.1 ± 6.1	984.7	1002.5	1.01 ± 0.01
pr_levm_ERC20Approval	1020.2 ± 11.1	1010.3	1048.0	1.04 ± 0.02

Benchmark Results: ERC20Mint

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_ERC20Mint	135.7 ± 1.3	133.5	137.2	1.00
main_levm_ERC20Mint	148.5 ± 2.7	146.3	155.7	1.09 ± 0.02
pr_revm_ERC20Mint	137.1 ± 2.3	135.0	142.9	1.01 ± 0.02
pr_levm_ERC20Mint	149.3 ± 1.1	147.6	151.6	1.10 ± 0.01

Benchmark Results: ERC20Transfer

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_ERC20Transfer	233.3 ± 1.2	231.8	235.3	1.00
main_levm_ERC20Transfer	250.0 ± 1.3	248.1	252.0	1.07 ± 0.01
pr_revm_ERC20Transfer	236.3 ± 1.0	235.1	238.9	1.01 ± 0.01
pr_levm_ERC20Transfer	251.5 ± 1.8	248.6	253.9	1.08 ± 0.01

Benchmark Results: Factorial

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_Factorial	222.6 ± 1.4	219.9	225.6	1.00
main_levm_Factorial	252.1 ± 7.2	247.5	271.0	1.13 ± 0.03
pr_revm_Factorial	224.5 ± 1.6	223.2	228.4	1.01 ± 0.01
pr_levm_Factorial	249.4 ± 1.7	247.2	252.9	1.12 ± 0.01

Benchmark Results: FactorialRecursive

Command	Mean [s]	Min [s]	Max [s]	Relative
main_revm_FactorialRecursive	1.628 ± 0.047	1.535	1.714	1.06 ± 0.03
main_levm_FactorialRecursive	1.580 ± 0.014	1.564	1.607	1.02 ± 0.02
pr_revm_FactorialRecursive	1.605 ± 0.075	1.417	1.678	1.04 ± 0.05
pr_levm_FactorialRecursive	1.542 ± 0.019	1.514	1.570	1.00

Benchmark Results: Fibonacci

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_Fibonacci	204.4 ± 2.4	202.4	210.7	1.00
main_levm_Fibonacci	233.0 ± 8.5	223.3	252.0	1.14 ± 0.04
pr_revm_Fibonacci	204.9 ± 1.0	204.0	207.2	1.00 ± 0.01
pr_levm_Fibonacci	224.8 ± 2.9	222.8	232.5	1.10 ± 0.02

Benchmark Results: FibonacciRecursive

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_FibonacciRecursive	843.9 ± 10.9	827.3	863.2	1.22 ± 0.02
main_levm_FibonacciRecursive	690.9 ± 7.1	682.0	704.2	1.00 ± 0.01
pr_revm_FibonacciRecursive	844.6 ± 6.9	835.5	858.8	1.22 ± 0.01
pr_levm_FibonacciRecursive	690.9 ± 5.4	686.1	700.9	1.00

Benchmark Results: ManyHashes

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_ManyHashes	8.3 ± 0.0	8.3	8.4	1.00
main_levm_ManyHashes	9.9 ± 0.2	9.8	10.5	1.19 ± 0.03
pr_revm_ManyHashes	8.4 ± 0.1	8.3	8.6	1.01 ± 0.01
pr_levm_ManyHashes	9.8 ± 0.1	9.7	9.9	1.18 ± 0.01

Benchmark Results: MstoreBench

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_MstoreBench	256.9 ± 1.8	255.1	260.9	1.11 ± 0.01
main_levm_MstoreBench	232.4 ± 1.2	230.1	234.3	1.00
pr_revm_MstoreBench	263.1 ± 10.8	256.8	290.3	1.13 ± 0.05
pr_levm_MstoreBench	234.8 ± 3.1	231.5	240.9	1.01 ± 0.01

Benchmark Results: Push

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_Push	286.7 ± 1.2	285.1	288.8	1.01 ± 0.02
main_levm_Push	283.9 ± 4.8	281.3	297.2	1.00
pr_revm_Push	286.3 ± 1.7	284.7	290.8	1.01 ± 0.02
pr_levm_Push	285.2 ± 6.3	281.2	302.5	1.00 ± 0.03

Benchmark Results: SstoreBench_no_opt

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
main_revm_SstoreBench_no_opt	175.3 ± 5.8	169.7	189.4	1.75 ± 0.06
main_levm_SstoreBench_no_opt	100.0 ± 1.1	99.3	101.8	1.00 ± 0.02
pr_revm_SstoreBench_no_opt	173.0 ± 1.7	168.3	174.4	1.73 ± 0.03
pr_levm_SstoreBench_no_opt	99.9 ± 1.1	99.2	102.0	1.00

[iovoid]

RE: Codex's review
The runner updates are not only automatic, but an out-of-date runner will stop getting jobs after 30 days. v2.327.1 was released several months ago, so this isn't a problem.