ci: update GitHub Actions to Node.js 24 compatible versions #5713
rucoder wants to merge 1 commit into lf-edge:master from
Pull request overview
Updates CI GitHub Actions to Node.js 24–compatible versions and pins them to commit SHAs to reduce supply-chain risk ahead of GitHub’s Node 20 deprecation timeline.
Changes:
- Bump and SHA-pin core Actions (checkout, cache, upload/download artifact, setup-go) across workflows.
- Update security/scanning actions (CodeQL, Codecov, OSV Scanner, Zizmor) to newer SHA-pinned revisions.
- Update Docker actions (login, setup-buildx) to newer pinned revisions used by build/publish workflows and the local composite action.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/zizmor.yml | Updates checkout + zizmor action revisions. |
| .github/workflows/yetus.yml | Updates checkout + artifact upload revisions. |
| .github/workflows/spdx.yml | Updates checkout revision. |
| .github/workflows/rerun-ci.yml | Updates checkout revision. |
| .github/workflows/request_codeowners_review.yml | Updates checkout revision. |
| .github/workflows/publish.yml | Updates checkout + docker/login-action revisions in publish pipeline. |
| .github/workflows/pr-gate.yml | Updates artifact upload revision. |
| .github/workflows/osv-scanner.yml | Updates OSV reusable workflow refs to newer pinned revision. |
| .github/workflows/go-tests.yml | Updates checkout + artifact upload + Codecov action revisions. |
| .github/workflows/eden-trusted.yml | Updates artifact download revision. |
| .github/workflows/commit-messages.yml | Updates checkout revision. |
| .github/workflows/codeql.yml | Updates checkout + CodeQL init/autobuild/analyze revisions. |
| .github/workflows/check-docker-hashes-consistency.yml | Updates checkout + cache revisions. |
| .github/workflows/buildyetusondemand.yml | Updates checkout + setup-buildx + docker/login-action revisions (pins buildx). |
| .github/workflows/buildondemand.yml | Updates checkout + cache/restore revisions. |
| .github/workflows/build.yml | Updates checkout + cache/restore + artifact upload revisions. |
| .github/workflows/assets.yml | Updates checkout + docker/login-action revisions. |
| .github/workflows/ascii-check.yml | Updates checkout + setup-go revisions. |
| .github/actions/run-make/action.yml | Updates docker/login-action revision in composite action. |
.github/workflows/assets.yml
| @@ -88,7 +88,7 @@ jobs: | |||
| rm -rf assets && mkdir -p assets | |||
| - name: Login to Docker Hub | |||
| if: ${{ github.event.repository.full_name }} == 'lf-edge/eve' | |||
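Review bot: The `if:` on the "Login to Docker Hub" step leaves `== 'lf-edge/eve'` outside the `${{ }}` block, so the interpolated repository name plus the trailing text is evaluated as one non-empty string and the condition is always true; the login step is not actually restricted to lf-edge/eve. Since this hunk already touches the step, put the whole comparison in a single expression: `if: github.event.repository.full_name == 'lf-edge/eve'`.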
The if: expression is syntactically invalid: if: ${{ github.event.repository.full_name }} == 'lf-edge/eve' places == ... outside the ${{ }} block. This will cause the workflow to fail to parse/run. Move the entire comparison inside ${{ }} (or drop ${{ }} entirely and use the plain expression form).
| if: ${{ github.event.repository.full_name }} == 'lf-edge/eve' | |
| if: github.event.repository.full_name == 'lf-edge/eve' |
Good catch — this was a pre-existing bug (the comparison was outside the ${{ }} block). Fixed in the amended commit.
| - name: Checkout | ||
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| path: src | ||
| fetch-depth: 0 |
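Review bot: The `with:` block under the bumped `actions/checkout` line sets `path: src` and `fetch-depth: 0` but, in the lines shown, no `persist-credentials`, so the job token stays available to every later git command in the job together with the full history. If no later step needs to push, add `persist-credentials: false` next to `fetch-depth: 0`.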
This workflow still uses an unpinned third-party action (rene/yetus-test-patch-action@eve, later in the job). That conflicts with the PR goal of pinning actions to commit SHAs for supply-chain security, and also risks breaking when GitHub switches default action runtime to Node.js 24 if that action isn't compatible. Pin that action to a specific commit SHA (and update the version comment accordingly) or vendor it if it must track a moving ref.
This is intentional — rene/yetus-test-patch-action@eve tracks a project-specific branch maintained for EVE. It's a composite action that runs shell scripts, not a Node.js action, so it's not affected by the Node.js 20 deprecation.
GitHub is deprecating Node.js 20 actions. Starting June 2nd, 2026, actions will be forced to run with Node.js 24 by default, and Node.js 20 will be removed from runners on September 16th, 2026.

Update all GitHub Actions in CI workflows to the latest versions that support Node.js 24 and pin them to commit SHAs for supply-chain security:

- actions/checkout v5.0.0 -> v6.0.2
- actions/cache v4.3.0 -> v5.0.4
- actions/upload-artifact v5.0.0 -> v7.0.0
- actions/download-artifact v6.0.0 -> v8.0.1
- actions/setup-go v6.0.0 -> v6.3.0
- docker/login-action v3.6.0 -> v4.0.0
- docker/setup-buildx-action v3 (unpinned) -> v4.0.0 (pinned)
- github/codeql-action v4.31.3 -> v4.35.1
- codecov/codecov-action v5.5.1 -> v6.0.0
- zizmorcore/zizmor-action v0.2.0 -> v0.5.2
- google/osv-scanner-action v1.9.2 -> v2.3.5

Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>

bab28a2 to bdfbdad
Description
@europaul @rene I did not test it on a standalone repo; however, I tested checkout and docker-login in the eve-kernel repo.
GitHub is deprecating Node.js 20 actions. Starting June 2nd, 2026, actions will be forced to run with Node.js 24 by default, and Node.js 20 will be removed from runners on September 16th, 2026.
Update all GitHub Actions in CI workflows to the latest versions that support Node.js 24 and pin them to commit SHAs for supply-chain security.
Also fix a pre-existing bug in assets.yml where the if: condition had the comparison outside the ${{ }} block.

| Action | Old version | New version |
|---|---|---|
| actions/checkout | v5.0.0 (Node 20) | v6.0.2 → de0fac2e... |
| actions/cache | v4.3.0 (Node 20) | v5.0.4 → 668228422a... |
| actions/upload-artifact | v5.0.0 (Node 20) | v7.0.0 → bbbca2ddaa... |
| actions/download-artifact | v6.0.0 (Node 20) | v8.0.1 → 3e5f45b2cf... |
| actions/setup-go | v6.0.0 (Node 20) | v6.3.0 → 4b73464bb3... |
| docker/login-action | v3.6.0 (Node 20) | v4.0.0 → b45d80f862... |
| docker/setup-buildx-action | v3 (unpinned!) | v4.0.0 → 4d04d5d948... |
| github/codeql-action/* | v4.31.3 | v4.35.1 → c10b8064de... |
| codecov/codecov-action | v5.5.1 | v6.0.0 → 57e3a136b7... |
| zizmorcore/zizmor-action | v0.2.0 | v0.5.2 → 71321a20a9... |
| google/osv-scanner-action | v1.9.2 | v2.3.5 → c51854704019... |

Left unchanged (already current or project-specific):
- actions/github-script@v8.0.0 — already at latest with pinned hash
- guyarb/golang-test-annoations@v0.8.0 — already at latest (no Node 24 update available)
- rene/yetus-test-patch-action@eve — composite action on project-specific branch, not affected
- shjala/eve-cvewatch@v0.0.2 — project-specific reusable workflow
- lf-edge/eden workflows — pinned to specific version tags for compatibility

How to test and validate this PR
are exercised by the PR checks.
bumps.
Changelog notes
No user-facing changes.
PR Backports
Checklist
I've provided a proper description
I've added the proper documentation
I've tested my PR on amd64 device
I've tested my PR on arm64 device
I've written the test verification instructions
I've set the proper labels to this PR
I've checked the boxes above, or I've provided a good reason why I didn't check them. (No device testing needed — CI-only changes.)
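
An added example, not part of the PR or the EVE repository: a small checker for the two problems this review turned up, `uses:` references that are not pinned to a full commit SHA and `if:` conditions with text outside the `${{ }}` block. It is a line-based scan (single-line `uses:` and `if:` only, no YAML parser); the `audit` function, the sample workflow and its placeholder SHAs are constructed for illustration.

```python
import re

# Constructed sample workflow (not a file from the PR); the SHAs are placeholders.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2
      - uses: docker/setup-buildx-action@v3
      - uses: rene/yetus-test-patch-action@eve
      - uses: ./.github/actions/run-make
      - name: Login to Docker Hub
        if: ${{ github.event.repository.full_name }} == 'lf-edge/eve'
        uses: docker/login-action@0123456789abcdef0123456789abcdef01234567 # v4.0.0
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
IF_RE = re.compile(r"^\s*(?:-\s*)?if:\s*(.+?)\s*$")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
EXPR = re.compile(r"\$\{\{.*?\}\}")


def audit(text):
    """Return (line_no, kind, detail) findings for one workflow's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            target = m.group(1)
            # Local actions and docker:// images are out of scope for this check.
            if target.startswith(("./", "docker://")):
                continue
            ref = target.partition("@")[2]
            if not FULL_SHA.fullmatch(ref):
                findings.append((no, "unpinned", target))
            continue
        m = IF_RE.match(line)
        if m:
            cond = m.group(1)
            # Anything outside ${{ }} makes the whole value a non-empty
            # string, which GitHub Actions treats as true.
            if EXPR.search(cond) and EXPR.sub("", cond).strip():
                findings.append((no, "if-outside-expr", cond))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

A ref that tracks a branch on purpose, as the author describes for `rene/yetus-test-patch-action@eve`, still shows up as `unpinned`; an allowlist for such exceptions keeps the decision visible in review.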