[CHORE] Upgrade GitHub Actions to Node.js 24 compatible versions #1883
jaseemjaskp merged 6 commits into main
Node.js 20 actions are deprecated and will be forced to Node.js 24 by June 2, 2026. Update all affected actions to their latest major versions that support Node.js 24.
Walkthrough
Multiple GitHub Actions workflows were updated to newer action versions (
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
Pre-merge checks: ✅ 3 passed
| Filename | Overview |
|---|---|
| .github/workflows/ci-test.yaml | Upgrades checkout@v4→v6, setup-uv@v5→v7 (PR description says v8), cache@v4→v5, sticky-comment to SHA-pinned v3.0.2; also changes tox install from uv pip install to uv tool install |
| .github/workflows/uv-lock-automation.yaml | Upgrades checkout@v4→v6 and setup-uv@v5→v7 (mismatches PR description's stated v8 target) |
| .github/workflows/ci-frontend-lint.yaml | Upgrades checkout@v4→v6 and pins sticky-comment to full commit SHA for v3.0.2, addressing the prior supply-chain concern |
| .github/workflows/ci-container-build.yaml | Upgrades checkout@v4→v6 and docker/login-action@v3→v4; straightforward and correct |
| .github/workflows/docker-tools-build-push.yaml | Upgrades checkout, setup-qemu, setup-buildx, docker/login-action, and build-push-action across major versions; all consistent |
| .github/workflows/production-build.yaml | Upgrades checkout (2×), setup-qemu, setup-buildx, docker/login-action, bake-action, upload-artifact@v7, and download-artifact@v8; compatible pairing confirmed |
Flowchart
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[PR Trigger] --> B{Workflow}
    B --> C[ci-test.yaml]
    B --> D[ci-frontend-lint.yaml]
    B --> E[ci-container-build.yaml]
    B --> F[production-build.yaml]
    B --> G[docker-tools-build-push.yaml]
    B --> H[uv-lock-automation.yaml]
    C --> C1["checkout@v6 ✅"]
    C --> C2["setup-uv@v7 ⚠️ (desc says v8)"]
    C --> C3["cache@v5 ✅"]
    C --> C4["sticky-comment SHA-pinned v3 ✅"]
    D --> D1["checkout@v6 ✅"]
    D --> D2["sticky-comment SHA-pinned v3 ✅"]
    E --> E1["checkout@v6 ✅"]
    E --> E2["docker/login-action@v4 ✅"]
    F --> F1["checkout@v6 ✅"]
    F --> F2["docker actions v4/v7 ✅"]
    F --> F3["upload-artifact@v7 ✅"]
    F --> F4["download-artifact@v8 ✅"]
    G --> G1["checkout@v6 ✅"]
    G --> G2["docker actions v4/v7 ✅"]
    H --> H1["checkout@v6 ✅"]
    H --> H2["setup-uv@v7 ⚠️ (desc says v8)"]
```
Path: .github/workflows/ci-test.yaml
Line: 28
Comment:
**`setup-uv` version mismatch with PR description**
The PR description's version table states `astral-sh/setup-uv` is being upgraded to **v8**, but both `ci-test.yaml` (here) and `uv-lock-automation.yaml` (line 32) actually pin to **v7**. The GitHub Marketplace confirms `v8.0.0` is available and is listed as the latest release from `astral-sh`.
Since the stated goal of this PR is upgrading to the latest Node.js 24–compatible versions, the intended target should be verified. If `v8` was intended, both files need updating:
```suggestion
uses: astral-sh/setup-uv@v8
```
The same applies to `uv-lock-automation.yaml` at line 32.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/ci-frontend-lint.yaml:
- Line 57: Replace the floating tag usage "uses:
marocchino/sticky-pull-request-comment@v3" with the immutable commit SHA for
release v3.0.2 in both workflow files where that line appears; locate the "uses:
marocchino/sticky-pull-request-comment@v3" entries and change them to "uses:
marocchino/sticky-pull-request-comment@<COMMIT_SHA>" using the SHA from the
v3.0.2 release page so the action is pinned to a specific commit.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: cf262ba5-35c3-4c75-914f-fa0fb3f5525e
📒 Files selected for processing (6)
- .github/workflows/ci-container-build.yaml
- .github/workflows/ci-frontend-lint.yaml
- .github/workflows/ci-test.yaml
- .github/workflows/docker-tools-build-push.yaml
- .github/workflows/production-build.yaml
- .github/workflows/uv-lock-automation.yaml
setup-uv v7 installs a uv-managed Python that isn't recognized as a system Python. Use uv tool install which manages its own environment.
🧹 Nitpick comments (1)
.github/workflows/ci-test.yaml (1)
26-36: Pin all GitHub Actions to immutable commit SHAs for consistent supply-chain hardening.
`marocchino/sticky-pull-request-comment` is pinned to a commit SHA (line 57), but `actions/checkout@v6`, `astral-sh/setup-uv@v7`, and `actions/cache@v5` remain on mutable tags. To maintain consistent security hardening across the workflow, pin the remaining actions to their full commit SHAs as well.

Current pinned versions are v6.0.2, v7.6.0, and v5.0.4. You can find the corresponding commit SHAs in each repository's release page and update the `uses` directives accordingly.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/ci-test.yaml around lines 26 - 36, Replace the mutable tags for GitHub Actions with their immutable commit SHAs: locate the current uses lines for actions/checkout@v6, astral-sh/setup-uv@v7 (version "0.6.14"/python-version 3.12.9), and actions/cache@v5, look up the corresponding full commit SHA for the exact release (v6.0.2, v7.6.0, v5.0.4 respectively) in each action's release/tags page, and update the uses directives to the form actions/checkout@<full-sha>, astral-sh/setup-uv@<full-sha>, and actions/cache@<full-sha> so all actions are pinned to immutable SHAs (leave the existing marocchino/sticky-pull-request-comment SHA as-is).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: bd9ffc8c-ae67-4f70-b90b-4ae1a89c29bb
📒 Files selected for processing (2)
- .github/workflows/ci-frontend-lint.yaml
- .github/workflows/ci-test.yaml
✅ Files skipped from review due to trivial changes (1)
- .github/workflows/ci-frontend-lint.yaml
- docker/login-action v3 → v4
- docker/setup-qemu-action v3 → v4
- docker/setup-buildx-action v3 → v4
- docker/build-push-action v5 → v7
- docker/bake-action v5 → v7
- actions/upload-artifact v4 → v7
- actions/download-artifact v4 → v8

No deprecated features were in use; upgrades are drop-in compatible.
What
Why
How
Updated the following actions across 6 workflow files:
- actions/checkout
- actions/cache
- astral-sh/setup-uv
- marocchino/sticky-pull-request-comment
- docker/login-action
- docker/setup-qemu-action
- docker/setup-buildx-action
- docker/build-push-action
- docker/bake-action
- actions/upload-artifact
- actions/download-artifact

Additional change:
- `uv pip install tox tox-uv` → `uv tool install tox --with tox-uv` in ci-test.yaml (required for setup-uv v7 compatibility, which no longer auto-creates a virtual environment)

Can this PR break any existing features. If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)
- `workdir`, `list-targets`, `DOCKER_BUILD_NO_SUMMARY`, `DOCKER_BUILD_EXPORT_RETENTION_DAYS`) are used in any workflow.
- `marocchino/sticky-pull-request-comment` remains pinned to an immutable commit SHA for supply-chain security.

Database Migrations
Env Config
Relevant Docs
Related Issues or PRs
Dependencies Versions
| Action | Version |
|---|---|
| actions/checkout | v6.0.2 |
| actions/cache | v5.0.4 |
| astral-sh/setup-uv | v7.6.0 |
| marocchino/sticky-pull-request-comment | v3.0.2 |
| docker/login-action | v4.0.0 |
| docker/setup-qemu-action | v4.0.0 |
| docker/setup-buildx-action | v4.0.0 |
| docker/build-push-action | v7.0.0 |
| docker/bake-action | v7.0.0 |
| actions/upload-artifact | v7.0.0 |
| actions/download-artifact | v8.0.1 |

Notes on Testing
Checklist
I have read and understood the Contribution Guidelines.