
ci: bump GitHub Actions to Node.js 24 runtimes #2

Merged: uzulla merged 1 commit into main from chore/bump-actions-node24 on Jun 5, 2026

@uzulla uzulla commented Jun 3, 2026

Owner

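Overview

This addresses the Node.js 20 deprecation warning that appeared in the v0.3.0 release run. GitHub runners will force-switch Node.js 20 to Node 24 on 2026-06-16 and are scheduled to remove it on 2026-09-16, so this updates the JavaScript actions to their latest majors (all Node 24 based).

Changes

Action
  • actions/checkout: v4 -> v6
  • actions/setup-go: v5 -> v6
  • actions/upload-artifact: v4 -> v7
  • actions/download-artifact: v4 -> v8

Targets: .github/workflows/ci.yml, .github/workflows/release.yml

About verification

  • CI (ci.yml): it runs on this PR's push / pull_request, so the checkout/setup-go updates can be verified on this PR.
  • release (release.yml): it starts only on a tag push, so it is not tested in this PR. In particular, upload-artifact (v4→v7) and download-artifact (v4→v8) cross major versions, so whether the artifact handoff between build and release (collecting dist/shp-* with merge-multiple: true) works is expected to be confirmed at the next tag release. If it breaks, only the artifact-related majors will be rolled back or adjusted.

As requested, verification of the release workflow's actual behavior is to be done at the next release, and it is unverified in this PR.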

Summary by CodeRabbit

Chores

  • Updated the actions in the GitHub Actions workflows to their latest versions. This improves the stability and compatibility of the build and release processes.

The v0.3.0 release run warned that checkout@v4 / setup-go@v5 /
upload-artifact@v4 / download-artifact@v4 run on Node.js 20, which the
runner forces to Node 24 on 2026-06-16 and removes on 2026-09-16.

Bump to the latest majors (all Node 24 based):
- actions/checkout v4 -> v6
- actions/setup-go   v5 -> v6
- actions/upload-artifact   v4 -> v7
- actions/download-artifact v4 -> v8

upload/download-artifact crossed major versions, so the build->release
artifact handoff (merge-multiple) should be confirmed on the next tag
release.

coderabbitai Bot commented Jun 3, 2026


Walkthrough

GitHub Actions workflows in .github/workflows/ci.yml and .github/workflows/release.yml are updated to use newer major versions of key actions. Checkout and setup-go actions are updated to v6 across both workflows. Release workflow also updates upload-artifact to v7 and download-artifact to v8. No workflow logic, build commands, or artifact paths are changed.

Changes

GitHub Actions Workflow Dependency Updates

Layer / File(s) | Summary
CI workflow action versions (.github/workflows/ci.yml) | actions/checkout updated from v4 to v6 and actions/setup-go updated from v5 to v6 in CI job steps.
Release workflow action versions (.github/workflows/release.yml) | Build job updates actions/checkout to v6, actions/setup-go to v6, and actions/upload-artifact to v7. Release job updates actions/checkout to v6 and actions/download-artifact to v8.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The pull request title accurately summarizes the main change of the pull request: updating GitHub Actions versions and moving to the Node.js 24 runtime.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 12: Verify compatibility before upgrading the workflow actions: review
the actions/checkout@v6 change and ensure any use of persist-credentials is
adjusted for its new $RUNNER_TEMP behavior and, if running git auth inside
Docker, require Runner v2.329.0+; for actions/setup-go@v6, update runner
requirement to v2.327.1+ and confirm the Node runtime change (Node 20→24) is
acceptable, then adjust go/toolchain usage and cache settings—explicitly set
cache-dependency-path or include toolchain in the cache key to match the new
cache-key behavior; after making these changes around the actions/checkout@v6
and actions/setup-go@v6 entries, run CI on the required runner versions to
validate authentication and caching behave as expected.

In @.github/workflows/release.yml:
- Line 27: Update the release workflow to document and safeguard the
compatibility note between actions/checkout@v6 and actions/setup-go@v6: add a
clear comment or job-level note mentioning that actions/setup-go@v6 requires
runner v2.327.1+ (breaking change due to Node runtime change) and that runs-on:
ubuntu-latest currently satisfies this, and if switching to self-hosted runners
you must verify the runner version; also consider adding an explicit
runner-version check or matrix entry to enforce/validate runner v2.327.1+ when
using actions/setup-go@v6 and call out any relevant credential/tag/SHA-256
considerations for actions/checkout@v6.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: bc62b9ba-5f43-4782-83f7-18d994d05d8f

📥 Commits

Reviewing files that changed from the base of the PR and between d829bab and b1b9a79.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml

Comment thread .github/workflows/ci.yml
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
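Review bot: the replacement line `- uses: actions/checkout@v6` still references a mutable major tag. Since this line is being touched anyway, consider pinning it to the full commit SHA of the v6 release you intend to run, with the version kept as a trailing comment, so that a moved tag cannot change what CI executes.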


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

actions/checkout v6 release notes breaking changes

💡 Result:

The release of actions/checkout v6 does not introduce breaking changes that require modifications to existing workflow YAML files [1][2]. Users can continue to use the action as they did with previous versions [1]. Key updates and requirements for v6 include:

  • Improved Credential Security: The persist-credentials feature has been updated to store credentials in a separate file under $RUNNER_TEMP instead of directly in the local .git/config file [1][2].
  • Minimum Runner Version: When running authenticated git commands from within a Docker container action, the workflow requires an Actions Runner version of v2.329.0 or later to access these credentials correctly [1][2].

For context, v6 was released on November 20, 2025 [3]. As of June 3, 2026, the latest release is v6.0.3 [4].

Citations:


🌐 Web query:

actions/setup-go v6 release notes breaking changes

💡 Result:

The release of actions/setup-go v6 introduced several breaking changes and updates to improve reliability and performance [1][2]. The primary breaking changes are as follows:

  • Node.js Runtime Upgrade: The action's underlying Node.js runtime was upgraded from Node 20 to Node 24 [1][3]. To ensure compatibility with this release, users must ensure that their GitHub Actions runners are on version v2.327.1 or later [1][2].
  • Enhanced Go Toolchain Management: V6 improved Go toolchain handling to ensure more consistent version selection [1][2]. The action now correctly interprets both the go and toolchain directives from go.mod files [3][4]. If a toolchain directive is present, its version is used; otherwise, the action falls back to the go directive [3][2]. This change may affect workflows where previous toolchain behavior relied on automatic downloads triggered by go commands [5]. To manage this, the action sets the GOTOOLCHAIN environment variable to local, preventing unexpected toolchain downloads during execution [5].
  • Cache Key Updates: The default behavior for caching Go modules was updated [3][6]. Cache keys now rely on go.mod by default [3][2]. Additionally, cache keys now incorporate the version specified in the toolchain directive when present, which helps prevent cache conflicts when switching between different toolchain versions within the same Go minor release [4]. If users need to use go.sum for caching, they must explicitly configure the cache-dependency-path input [3][2].

Citations:


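Check actions/checkout@v6 / actions/setup-go@v6 compatibility in .github/workflows/ci.yml (setup-go v6 has breaking changes)

  • actions/checkout@v6 (line 12): no breaking changes requiring modification of existing workflow YAML have been reported. However, the persist-credentials behavior has changed (credentials are separated out under $RUNNER_TEMP), and Runner v2.329.0+ is required when performing authenticated git operations inside Docker.
  • actions/setup-go@v6 (line 14): has breaking changes. The Node runtime moves from Node 20 to 24 and Runner v2.327.1+ is required. In addition, changes to go/toolchain interpretation and to cache keys (dependent on go.mod by default; reflected in the cache key when toolchain is specified) may affect existing cache settings and assumed behavior, so review the runner requirements and cache settings (cache-dependency-path, etc.) before applying.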
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 12-12: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


goarch: amd64
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v6
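Review bot: nothing in this hunk sets `persist-credentials: false` on the new `- uses: actions/checkout@v6` step in the `goarch: amd64` job. If no later step in this job needs authenticated git, add it under `with:` on this step so the checkout token is not kept around for the rest of a job that produces release output.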


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

actions/checkout v6 release notes

💡 Result:

actions/checkout v6 release notes (what changed across the v6.x releases)

v6.0.0 (released 2025-11-20)
  • Update README to include Node.js 24 support details and requirements. [1]
  • Persist credentials to a separate file. [1]

v6.0.1 (released 2025-12-02)
  • Update all references from v5 and v4 to v6 in the repo. [2]
  • Add worktree support for persist-credentials includeIf. [2]
  • Clarify v6 README. [2]

v6.0.2 (released 2026-01-09)
  • Add orchestration_id to the git user-agent when ACTIONS_ORCHESTRATION_ID is set. [3]
  • Fix tag handling: preserve annotations and explicit fetch-tags. [3]

v6.0.3 (released 2026-06-02)
  • Fix expand merge commit SHA regex and add SHA-256 test cases. [4]
  • Fix checkout init for SHA-256 repositories. [4]

Primary release-note sources:
  • v6.0.0: https://github.com/actions/checkout/releases/tag/v6.0.0 [1]
  • v6.0.1: https://github.com/actions/checkout/releases/tag/v6.0.1 [2]
  • v6.0.2: https://github.com/actions/checkout/releases/tag/v6.0.2 [3]
  • v6.0.3: https://github.com/actions/checkout/releases/tag/v6.0.3 [4]

Citations:


🌐 Web query:

actions/setup-go v6 release notes

💡 Result:

actions/setup-go v6 release notes (key items)

1) v6.0.0 (released 2025-09-04)
  • Breaking changes:
  • Improved Go toolchain handling for more reliable and consistent toolchain selection and management [1].
  • Upgraded the action’s Node.js runtime from node20 to node24, with an action-required runner requirement: runner v2.327.1 or later [1].
  • Dependency updates included upgrades such as actions/checkout 4→5 [1].

2) v6.1.0 (released 2025-11-20)
  • Enhancements:
  • Fall back to downloading Go from go.dev/dl instead of storage.googleapis.com/golang [2].
  • Added support for .tool-versions [2].
  • Added comprehensive breaking changes documentation for v6 [2].

3) v6.2.0 (released 2026-01-13)
  • Enhancements/documentation and dependency updates (no additional v6-breaking items called out in the short release highlights) [3].

4) v6.3.0 (released 2026-02-26)
  • Changes:
  • Updated default Go module caching to use go.mod [4][5].
  • Fixed Go download URL to go.dev [4].

General v6 breaking-change behavior summarized in the project README
  • Node.js runtime upgraded from node20 to node24, and you must use runner version v2.327.1 or later for compatibility [6].
  • Toolchain directive support: the action supports both go and toolchain directives in go.mod; if toolchain is present it’s used, otherwise it falls back to the go directive [6].
  • Cache key update: by default, the module cache key is based on go.mod (use cache-dependency-path to use go.sum instead) [6].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Show the lines around the target line
sed -n '1,120p' .github/workflows/release.yml | nl -ba | sed -n '15,60p'

Repository: uzulla/shpool-launch

Length of output: 107


🏁 Script executed:

#!/bin/bash
set -euo pipefail
# nl is not available, so number the lines with awk and show the relevant range
awk '{printf "%6d  %s\n", NR, $0}' .github/workflows/release.yml | sed -n '20,45p'

Repository: uzulla/shpool-launch

Length of output: 914


🏁 Script executed:

#!/bin/bash
set -euo pipefail
awk '{printf "%6d  %s\n", NR, $0}' .github/workflows/release.yml | sed -n '1,35p'

Repository: uzulla/shpool-launch

Length of output: 956


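Compatibility considerations (breaking changes) for actions/checkout@v6 and actions/setup-go@v6, mapped to the workflow configuration

  • actions/checkout@v6 has releases v6.0.0 through v6.0.3, and the changes are mainly credentials, tag handling, SHA-256 support, and so on.
  • actions/setup-go@v6 explicitly lists the Node runtime change (node20→node24) and the requirement for runner v2.327.1 or later as breaking changes in v6.0.0. Since this workflow uses runs-on: ubuntu-latest, the requirement is likely satisfied, but if it is switched to a self-hosted runner, the runner version requirement needs to be checked additionally.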
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 27-27: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


@uzulla uzulla merged commit 154973d into main Jun 5, 2026
2 checks passed
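
The two zizmor findings quoted in the review above (unpinned-uses and artipacked) can be approximated with a small line-based check over a workflow file. This is an added example, not code from this PR, CodeRabbit or zizmor; the sample workflow, its 40-hex placeholder ref and the `./.github/actions/local-build` path are constructed, and step boundaries are detected by a simplification rather than real YAML parsing.

```python
import re

# Constructed sample (not the repository's real workflow); the 40-hex ref is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder
        with:
          persist-credentials: false
      - uses: ./.github/actions/local-build
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
NO_PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*['\"]?false\b")


def audit_workflow(text):
    """Return (line_no, rule, ref) findings for one workflow file."""
    findings = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local and container references carry no git ref to pin
        name, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((idx + 1, "unpinned-uses", ref))
        if name == "actions/checkout":
            # Simplification: the step ends at the next "- " list item.
            body = []
            for following in lines[idx + 1:]:
                if following.lstrip().startswith("- "):
                    break
                body.append(following)
            if not any(NO_PERSIST_RE.match(b) for b in body):
                findings.append((idx + 1, "artipacked", ref))
    return findings

if __name__ == "__main__":
    for line_no, rule, ref in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {rule}: {ref}")
```
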