feat: upgrade to Node 24 and modernize build toolchain

[rathpc]

Summary

Upgrade module-install to Node 24, ESLint 10, latest @actions/* packages, and semantic-release 25. Adds floating major/minor tag flow so consumers can pin to @v2 and ride patch updates.

What changed

• Runtime: engines.node set to >=24; CI workflow now installs Node 24
• Dependencies bumped to latest stable:
  • @actions/github 6.0.1 → 9.1.1 (now pure-ESM; consumed via dynamic await import() since this library publishes as CJS)
  • @actions/io 2.0.0 → dropped entirely (replaced with native fs.promises.rename and fs.promises.rm; the v3 ESM package was overkill for the actual use)
  • eslint 9 → 10 (ESLint 10 flat config; dropped FlatCompat)
  • @eslint/js companion pinned to ^10.0.1 (latest published — versioned independently from eslint)
  • jest 30.2 → 30.3
  • semantic-release 19 → 25
  • Other @semantic-release/* plugins refreshed; @semantic-release/npm now an explicit devDep
• Tests: existing integration tests now skip cleanly when GITHUB_TOKEN / YONTRACK_* env vars are absent (instead of throwing). PR CI without secrets passes. The unauthenticated fixed-version download test still runs.
• Release rules: every conventional-commit type now triggers at least a patch release; BREAKING CHANGE: footer always forces major.
• Floating tags: new CI step pushes/force-updates vX and vX.Y tags after each release, mirroring how actions/checkout etc. publish themselves.
• CI: actions/checkout@v4 → @v6. actions/setup-node@v6 (already current).
• Docs: new CLAUDE.md.

Why this is breaking

engines.node >= 24 and the CI runner switching to Node 24 mean self-hosted runners on older Node will fail. GitHub-hosted runners support Node 24 natively. Hence the BREAKING CHANGE: footer in the squash-merge commit, which semantic-release will use to bump the published package to 2.0.0.

Test plan

• CI passes on this PR (lint + tests, with secrets.GITHUB_TOKEN available so the latest-version test runs too)
• After merge, the main build runs semantic-release and publishes 2.0.0 to GH Packages
• After release, floating tags v2 and v2.0 exist and point at the new release SHA
• The CHANGELOG.md reflects the breaking change

Known follow-up risk

The token-gated test downloading the CLI using the latest version exercises await import('@actions/github') (since v9 is pure ESM). Modern Jest 30 + Node 24 should handle dynamic ESM imports natively, but if CI surfaces an issue, the fix is to add --experimental-vm-modules to the npm test invocation in .github/workflows/build.yml. Not addressed proactively since it's easy to fix in a follow-up commit if needed.

Squash-merge commit message

When merging, please use this exact commit body:

feat: upgrade to Node 24 and modernize build toolchain

- Replace eslintrc/FlatCompat with ESLint 10 flat config
- Bump @actions/* and semantic-release to latest stable
- Skip integration tests when secrets are absent
- Standardize release rules (patch on every commit type)
- Add floating major/minor tag step in CI
- Add CLAUDE.md for AI-assisted development

BREAKING CHANGE: Now requires Node 24 runtime. Self-hosted runners
must have Node 24 available; GitHub-hosted runners support this
natively.

[rathpc]

@dcoraboeuf I am working on making updates to this and several of the other ontrack-github-actions-* repos. This one will need to have the workflow run to verify if we need to add --experimental-vm-modules for the jest tests. Once everything passes this will have to get merged first before the others can be opened that rely on the new version this will produce.

[dcoraboeuf]

@rathpc , when launching the GH workflow on the PR, I get:

  ● downloading the CLI using the latest version

    TypeError: A dynamic import callback was invoked without --experimental-vm-modules

      90 |             throw "GitHub token must be provided in order to get the latest version of the CLI."
      91 |         }
    > 92 |         const github = await import('@actions/github');
         |                        ^
      93 |         const octokit = github.getOctokit(githubToken)
      94 |         const releases = await octokit.rest.repos.listReleases({
      95 |             owner: "nemerosa",

      at downloadCLI (index.js:92:24)
      at Object.downloadCLI [as install] (index.js:211:64)
      at Object.install (index.test.js:21:44)

https://github.com/nemerosa/ontrack-github-actions-module-install/actions/runs/25269405182/job/74095812347

Can you have a look?

[dcoraboeuf]

@rathpc , I just saw your comment above :) So yes, it seems we need --experimental-vm-modules.

[rathpc]

Ok not a problem I will add that later today, thanks!

[rathpc]

@dcoraboeuf updated, please try running the workflow again. Thank you!

[rathpc]

@dcoraboeuf Would you be able to grant my user rathpc read access on the package for this project so that I can actually update the lock file in the cli-config and cli-install updates I am making?

It would let the cli-config and cli-install PRs build, test, and pass CI from a fork. Until then, those two repos can only be upgraded by someone with org-level access.

[dcoraboeuf]

@rathpc , the PR build passes now. I'll merge and also grant you read-only access to the packages of this repo.

[dcoraboeuf]

Available in v2.0.0

[dcoraboeuf]

@rathpc , I've granted you a Read role on this repository. It should grant you the read-access to the packages. Can you confirm everything is alright?

And big thanks for the contribution ❤️