ci: upgrade github actions to node24 runtime #437
Open
arabold wants to merge 1 commit into
Bump all JS-based GitHub Actions to their latest majors so none run on the deprecated node20 action runtime. This is purely the action execution runtime; the app's own Node stays on 22 (node-version, .nvmrc, Dockerfile, engines unchanged) because better-sqlite3 ships an ABI-pinned native binary.

- actions/checkout v4 -> v6
- actions/setup-node v4 -> v6
- actions/cache v4 -> v5
- actions/upload-artifact v4 -> v7
- docker/setup-buildx-action v3 -> v4
- docker/login-action v3 -> v4
- docker/metadata-action v5 -> v6
- docker/build-push-action v6 -> v7
- softprops/action-gh-release v2 -> v3
- actions/attest-build-provenance v1 -> v4
- cycjimmy/semantic-release-action v4 -> v6 (bundles semantic-release 25, matching the semantic-release ^25 already in package.json devDependencies)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR updates the repository’s GitHub Actions workflow dependencies to newer major versions so that JS-based actions run on GitHub’s newer node24 action runtime, avoiding upcoming deprecations, while keeping the project’s own Node version pinned to 22.x.
Changes:
- Upgraded core GitHub Actions used across CI workflows (`checkout`, `setup-node`, `cache`, `upload-artifact`) to their newer major versions.
- Upgraded Docker-related actions used for image build/push in CI and release workflows to newer major versions.
- Upgraded release-related actions (`semantic-release-action`, `action-gh-release`, `attest-build-provenance`) to newer major versions.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/ci.yml | Bumps checkout/setup-node and Docker build actions used in PR CI. |
| .github/workflows/eval.yml | Bumps checkout/setup-node/cache/upload-artifact for scheduled/manual benchmark workflow. |
| .github/workflows/release.yml | Bumps checkout/setup-node/semantic-release action versions, Docker build/push stack, and provenance attestation action for manual releases. |
Why
GitHub is retiring the `node20` action runtime. An audit of our three workflows found that every JS-based action we pin currently executes on `node20`, so the whole CI surface is on the deprecated runtime today. This bumps each action to its latest major to move them onto the `node24` runtime before the deprecation bites.

What changed
Bumped 11 actions across `ci.yml`, `release.yml`, and `eval.yml`:

Notes for reviewers
- `node-version: "22.x"`, `.nvmrc`, the `node:22` Docker base, and `engines: ">=22"` are all intentionally unchanged. We stay on Node 22 because `better-sqlite3` ships an ABI-pinned native binary.
- `semantic-release-action` v4 -> v6 is the only bump with a meaningful payload change: v6 bundles semantic-release 25. This aligns the action with the `semantic-release@^25` already declared in `package.json` devDependencies, so there is no config migration.
- `release.yml` only runs on `workflow_dispatch`, so it is not exercised by this PR; the dry-run step validates the path before anything publishes.
- `ci.yml` and `eval.yml` exercise the bumped actions automatically on this PR.
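
An added example, not part of this PR or the project's tooling: a small audit that scans workflow text for `uses:` references and compares each tag's major against the target majors listed in the commit message above. The function name `audit`, the verdict strings, and the sample workflow are assumptions made for illustration.

```python
import re

# Target majors: the "to" side of each bump listed in this PR's commit message.
TARGET_MAJOR = {
    "actions/checkout": 6, "actions/setup-node": 6, "actions/cache": 5,
    "actions/upload-artifact": 7, "docker/setup-buildx-action": 4,
    "docker/login-action": 4, "docker/metadata-action": 6,
    "docker/build-push-action": 7, "softprops/action-gh-release": 3,
    "actions/attest-build-provenance": 4, "cycjimmy/semantic-release-action": 6,
}

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
SHA_RE = re.compile(r"[0-9a-f]{40}")
MAJOR_RE = re.compile(r"v?(\d+)")

def audit(workflow_text):
    """Return (line_no, action, ref, verdict) for each remote `uses:` reference."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or "@" not in m.group(1):
            continue  # not a step reference, or a local ./path action with no ref
        path, ref = m.group(1).rsplit("@", 1)
        action = "/".join(path.split("/")[:2])  # owner/repo, dropping any sub-path
        target = TARGET_MAJOR.get(action)
        major = MAJOR_RE.match(ref)
        if target is None:
            verdict = "unlisted"      # not one of the 11 actions in this PR
        elif SHA_RE.fullmatch(ref):
            verdict = "sha-pinned"    # major cannot be read from a commit SHA
        elif major is None:
            verdict = "unparsed-ref"  # branch name or other non-version ref
        elif int(major.group(1)) < target:
            verdict = "outdated"
        else:
            verdict = "ok"
        findings.append((line_no, action, ref, verdict))
    return findings

# Constructed sample workflow fragment, not taken from the repository.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@v6
  - uses: docker/build-push-action@v6.18.0
  - uses: ./.github/actions/local
  - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v5
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

References pinned to a full commit SHA are reported separately because the tag they correspond to has to be checked by hand or from the trailing comment.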