From 6619a591efbea7a4ccafc86b0e6a1668438e0364 Mon Sep 17 00:00:00 2001 From: Bryan Beverly Date: Tue, 21 Apr 2026 14:39:38 -0700 Subject: [PATCH 1/2] ci: bump JS actions to Node 24 majors across PR labeling/hygiene workflows Bumps the four Node-20 JS actions used by the PR Labeling & Hygiene system to their Node 24 majors ahead of the deprecation deadlines: - actions/checkout v4 -> v6 (4 files; v6.0.0, 2025-12-02) - actions/setup-python v5 -> v6 (test-scripts.yml; v6.0.0, 2025-09-04) - actions/stale v9 -> v10 (stale-reusable.yml; v10.0.0, 2025-09-04) - astral-sh/ruff-action v3 -> v4 (lint.yml, 2x; v4.0.0, 2026-04-12) Files touched: - .github/workflows/pr-labeler-reusable.yml (checkout) - .github/workflows/label-sync-reusable.yml (checkout) - .github/workflows/stale-reusable.yml (stale) - .github/workflows/lint.yml (checkout x1, ruff-action x2) - .github/workflows/test-scripts.yml (checkout, setup-python) Why now: - 2026-06-02: GitHub flips runner default to Node 24 - 2026-09-16: Node 20 removed from runners (hard cutoff) PR-time CI (lint + test-scripts) validates checkout/setup-python/ruff end-to-end. The three reusable workflows are workflow_call-only and need post-merge validation against a downstream caller (interservice- contracts is the smoke-test target per the plan). stale@v10 release notes verified: only "Upgrade to node 24" breaking change + new sort-by enhancement; all 12 inputs we configure remain unchanged. All 7 caller repos reference the reusables by @main, so the bump auto-propagates on next invocation. Plan: /Users/bryan.beverly/.cursor/plans/node24_actions_bump_200bd169.plan.md Made-with: Cursor --- .github/workflows/label-sync-reusable.yml | 2 +- .github/workflows/lint.yml | 8 ++++---- .github/workflows/pr-labeler-reusable.yml | 2 +- .github/workflows/stale-reusable.yml | 2 +- .github/workflows/test-scripts.yml | 4 ++-- 5 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/.github/workflows/label-sync-reusable.yml b/.github/workflows/label-sync-reusable.yml index f1b2a15..e0b9e59 100644 --- a/.github/workflows/label-sync-reusable.yml +++ b/.github/workflows/label-sync-reusable.yml @@ -16,7 +16,7 @@ jobs: # so that the caller's GITHUB_TOKEN (which is scoped to the caller, not # this repo) can check them out without a PAT or GitHub App credential. - name: Checkout shared labels and script - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: repository: trufflesecurity/.github ref: main diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 9bb4ef1..b698cec 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -14,12 +14,12 @@ jobs: name: Python (ruff) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: astral-sh/ruff-action@v3 + - uses: actions/checkout@v6 + - uses: astral-sh/ruff-action@v4 with: src: '.github/scripts' args: 'check' - - uses: astral-sh/ruff-action@v3 + - uses: astral-sh/ruff-action@v4 with: src: '.github/scripts' args: 'format --check' @@ -28,7 +28,7 @@ jobs: name: Workflows (actionlint) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Run actionlint run: | bash <(curl -sSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) diff --git a/.github/workflows/pr-labeler-reusable.yml b/.github/workflows/pr-labeler-reusable.yml index 0cd219c..2633358 100644 --- a/.github/workflows/pr-labeler-reusable.yml +++ b/.github/workflows/pr-labeler-reusable.yml @@ -27,7 +27,7 @@ jobs: # caller's GITHUB_TOKEN (which is scoped to the caller, not this repo) # can check them out without a PAT or GitHub App credential. - name: Checkout shared scripts - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: repository: trufflesecurity/.github ref: main diff --git a/.github/workflows/stale-reusable.yml b/.github/workflows/stale-reusable.yml index fcedc76..045c724 100644 
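Review bot: `uses: actions/checkout@v6` in the label-sync-reusable.yml hunk still references a movable major tag, so the code this reusable workflow runs inside callers can change without any commit in this repository; the same holds for the `checkout`, `setup-python` and `stale` bumps in the other hunks of this patch. The description says seven caller repos consume these workflows at `@main`, which widens the effect of a retagged or compromised action release. Pinning to the release commit and keeping the version as a trailing comment keeps each bump reviewable: `uses: actions/checkout@<full-commit-sha-of-v6.0.0> # v6.0.0`. The job body continues outside the hunk, so the token permissions it runs with are not visible here.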
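Review bot: The `Run actionlint` step in the context of the second lint.yml hunk pipes a script fetched from the `main` branch of rhysd/actionlint straight into `bash`, so the job executes whatever that branch holds at run time with no integrity check. The commit tightens the action versions around it but leaves this step untouched. Replacing `main` in the URL with a reviewed release tag or commit SHA, as in `.../rhysd/actionlint/<reviewed-tag-or-sha>/scripts/download-actionlint.bash`, would fix what gets executed. The `run:` block continues past the end of the hunk, so any later verification step is not visible here.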
--- a/.github/workflows/stale-reusable.yml +++ b/.github/workflows/stale-reusable.yml @@ -21,7 +21,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v9 + - uses: actions/stale@v10 with: # PR thresholds days-before-pr-stale: ${{ inputs.days-before-stale }} diff --git a/.github/workflows/test-scripts.yml b/.github/workflows/test-scripts.yml index 329b977..a5b7ac3 100644 --- a/.github/workflows/test-scripts.yml +++ b/.github/workflows/test-scripts.yml @@ -15,8 +15,8 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@v6 + - uses: actions/setup-python@v6 with: python-version: '3.12' - run: pip install pytest pyyaml From fde5dc236132e751da69c290d75c7c5fcd60ac9e Mon Sep 17 00:00:00 2001 From: Bryan Beverly Date: Tue, 21 Apr 2026 14:42:12 -0700 Subject: [PATCH 2/2] ci: pin astral-sh/ruff-action to @v4.0.0 (no rolling @v4 tag) CI revealed `Unable to resolve action astral-sh/ruff-action@v4`. The v4.0.0 release introduced immutable releases as a deliberate model change; the maintainers no longer publish a rolling `v4` tag. Pin to the explicit patch instead. Future v4.0.x patches will need an explicit bump (or migration to a SHA pin), but that's the trade-off for using this action's new immutable-only release model. Made-with: Cursor --- .github/workflows/lint.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index b698cec..c3e6ff9 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
@@ -15,11 +15,12 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 - - uses: astral-sh/ruff-action@v4 + # ruff-action v4+ ships immutable tags only (no rolling @v4); pin to the patch. + - uses: astral-sh/ruff-action@v4.0.0 with: src: '.github/scripts' args: 'check' - - uses: astral-sh/ruff-action@v4 + - uses: astral-sh/ruff-action@v4.0.0 with: src: '.github/scripts' args: 'format --check'
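Review bot: The comment explaining the `@v4.0.0` pin sits only above the first of the two ruff-action steps, and both pins now have to be bumped by hand in lockstep. A short comment on the second step, such as `# keep in sync with the ruff-action pin above`, would make that visible to the next editor. The commit message accepts that future v4.0.x patches need an explicit bump; a Dependabot `github-actions` entry (not visible in this patch, so it may already exist) would keep the fixed version from going stale when upstream ships fixes.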