Upgrade GitHub Actions for Node 24 compatibility#558
Upgrade GitHub Actions for Node 24 compatibility#558salmanmkc wants to merge 1 commit intouber:masterfrom
Conversation
Signed-off-by: Salman Muin Kayser Chishti <13schishti@gmail.com>
|
|
There was a problem hiding this comment.
Pull request overview
Updates GitHub Actions workflow dependencies to newer major versions to ensure runner compatibility as GitHub Actions transitions from Node 20 to Node 24.
Changes:
- Upgraded
actions/checkoutfromv4tov6across workflows. - Upgraded
actions/setup-gofromv5tov6in build jobs. - Upgraded
actions/setup-pythonfromv5tov6for integration tests.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/build-and-test.yaml | Bumps checkout, setup-go, and setup-python major versions used by lint/build/test jobs. |
| .github/workflows/vulnerability-check.yaml | Bumps checkout major version used by Trivy scan/report jobs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - uses: actions/checkout@v6 | ||
| - uses: actions/setup-go@v6 |
There was a problem hiding this comment.
The PR description says actions are pinned to immutable commit SHAs, but this workflow references major tags (e.g., actions/checkout@v6, actions/setup-go@v6). Either update the workflows to pin these actions to specific release SHAs, or adjust the PR description/security note to match what’s actually being used.
| trivy_scan: | ||
| name: Trivy Vulnerability Scan | ||
| runs-on: ubuntu-latest | ||
| if: github.event_name == 'pull_request' | ||
|
|
||
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 | ||
|
|
There was a problem hiding this comment.
trivy_report explicitly sets minimal job permissions, but trivy_scan does not. To keep least-privilege consistent (and avoid relying on repo default permissions), add an explicit permissions: block for trivy_scan (at least contents: read for checkout).
Summary
Upgrade GitHub Actions to their latest versions to ensure compatibility with Node 24, as Node 20 will reach end-of-life in April 2026.
Changes
actions/checkoutv4v6actions/setup-gov5v6actions/setup-pythonv5v6Context
Per GitHub's announcement, Node 20 is being deprecated and runners will begin using Node 24 by default starting March 4th, 2026.
Why this matters
Security Note
Actions that were previously pinned to commit SHAs remain pinned to SHAs (updated to the latest release SHA) to maintain the security benefits of immutable references.
Testing
These changes only affect CI/CD workflow configurations and should not impact application functionality. The workflows should be tested by running them on a branch before merging.