From fed500a819301af4ec51da61c8e4fdb20614fc76 Mon Sep 17 00:00:00 2001 From: Michael Yankelev Date: Mon, 30 Mar 2026 02:30:09 +0200 Subject: [PATCH 1/3] chore(ci): update GitHub Actions to Node.js 24 compatible versions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Node.js 20 actions are deprecated (forced to Node 24 starting June 2026, removed September 2026). Updated all actions to latest major versions: - actions/checkout v4 → v6 - actions/setup-node v4 → v6 - actions/cache v4 → v5 - actions/upload-artifact v4 → v7 - actions/download-artifact v4 → v8 - actions/create-github-app-token v1 → v3 - docker/login-action v3 → v4 - docker/build-push-action v5 → v7 - dorny/paths-filter v3 → v4 - codecov/codecov-action v5 → v6 - pnpm/action-setup v4 → v5 Co-Authored-By: Claude Opus 4.6 (1M context) Entire-Checkpoint: 39e772685498 --- .github/workflows/ci-e2e.yml | 4 +- .github/workflows/ci.yml | 70 ++++++++++++++-------------- .github/workflows/codecov-base.yml | 4 +- .github/workflows/deploy-staging.yml | 52 ++++++++++----------- .github/workflows/desktop-e2e.yml | 10 ++-- .github/workflows/load-test.yml | 8 ++-- .github/workflows/release-gate.yml | 2 +- .github/workflows/release-please.yml | 2 +- .github/workflows/tag-staging.yml | 4 +- .github/workflows/web-e2e.yml | 8 ++-- 10 files changed, 82 insertions(+), 82 deletions(-) diff --git a/.github/workflows/ci-e2e.yml b/.github/workflows/ci-e2e.yml index dcb0b2fa02..8e05fb1343 100644 --- a/.github/workflows/ci-e2e.yml +++ b/.github/workflows/ci-e2e.yml @@ -13,11 +13,11 @@ jobs: web: ${{ steps.filter.outputs.web }} desktop: ${{ steps.filter.outputs.desktop }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: fetch-depth: 0 - - uses: dorny/paths-filter@v3 + - uses: dorny/paths-filter@v4 id: filter with: base: ${{ (github.event.before != '' && github.event.before != '0000000000000000000000000000000000000000' && github.event.before) || 'HEAD~1' }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e8ff581318..8db9070e54 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,8 +14,8 @@ jobs: src: ${{ steps.filter.outputs.src }} desktop: ${{ steps.filter.outputs.desktop }} steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 + - uses: actions/checkout@v6 + - uses: dorny/paths-filter@v4 id: filter with: filters: | @@ -44,13 +44,13 @@ jobs: name: Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' @@ -67,13 +67,13 @@ jobs: if: needs.changes.outputs.src == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' @@ -115,13 +115,13 @@ jobs: --health-retries 10 --health-start-period 30s steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' @@ -185,13 +185,13 @@ jobs: --health-timeout 5s --health-retries 5 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' @@ -285,13 +285,13 @@ jobs: --health-retries 10 --health-start-period 30s steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' @@ -336,7 +336,7 @@ jobs: run: pnpm --filter @cipherbox/api-client test:coverage - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@v6 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./apps/api/coverage/lcov.info,./packages/crypto/coverage/lcov.info,./packages/core/coverage/lcov.info,./packages/sdk-core/coverage/lcov.info,./packages/sdk/coverage/lcov.info,./packages/api-client/coverage/lcov.info @@ -344,7 +344,7 @@ jobs: fail_ci_if_error: false - name: Cache coverage for base branch upload - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: coverage-lcov path: | @@ -401,13 +401,13 @@ jobs: --health-retries 5 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' @@ -500,13 +500,13 @@ jobs: if: needs.changes.outputs.src == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' @@ -532,7 +532,7 @@ jobs: needs.changes.outputs.desktop == 'true' runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Install WinFsp shell: powershell @@ -552,7 +552,7 @@ jobs: - name: Install Rust toolchain run: rustup default stable - - uses: actions/cache@v4 + - uses: actions/cache@v5 with: path: | ~/.cargo/registry @@ -575,7 +575,7 @@ jobs: needs.changes.outputs.desktop == 'true' runs-on: macos-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Install FUSE-T run: | @@ -595,7 +595,7 @@ jobs: - name: Install Rust toolchain run: rustup default stable - - uses: actions/cache@v4 + - uses: actions/cache@v5 with: path: | ~/.cargo/registry @@ -622,7 +622,7 @@ jobs: needs.changes.outputs.desktop == 'true' runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Install system dependencies run: | @@ -640,7 +640,7 @@ jobs: - name: Install Rust toolchain run: rustup default stable - - uses: actions/cache@v4 + - uses: actions/cache@v5 with: path: | ~/.cargo/registry @@ -665,7 +665,7 @@ jobs: --lcov --output-path desktop-lcov.info - name: Upload desktop coverage to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@v6 with: token: ${{ secrets.CODECOV_TOKEN }} files: desktop-lcov.info @@ -680,7 +680,7 @@ jobs: (needs.changes.outputs.desktop == 'true' || needs.changes.outputs.src == 'true') runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Install system dependencies run: | @@ -693,12 +693,12 @@ jobs: run: rustup default stable - name: Install Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: 22 - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@v5 with: version: 10 diff --git a/.github/workflows/codecov-base.yml b/.github/workflows/codecov-base.yml index 96e30f206b..f42117cf1f 100644 --- a/.github/workflows/codecov-base.yml +++ b/.github/workflows/codecov-base.yml @@ -17,7 +17,7 @@ jobs: name: Upload base coverage to Codecov runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Download coverage from latest CI run env: @@ -49,7 +49,7 @@ jobs: - name: Upload coverage to Codecov if: hashFiles('**/lcov.info') != '' - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@v6 with: token: ${{ secrets.CODECOV_TOKEN }} files: apps/api/coverage/lcov.info,packages/crypto/coverage/lcov.info,packages/core/coverage/lcov.info,packages/sdk-core/coverage/lcov.info,packages/sdk/coverage/lcov.info,packages/api-client/coverage/lcov.info diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 6d35e4844a..2ed412ccbc 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -23,20 +23,20 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: ref: ${{ inputs.staging_tag || github.ref_name }} - name: Set lowercase image name run: echo "API_IMAGE=ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/cipherbox-api" >> "$GITHUB_ENV" - - uses: docker/login-action@v3 + - uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: docker/build-push-action@v5 + - uses: docker/build-push-action@v7 with: context: . file: apps/api/Dockerfile @@ -52,20 +52,20 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: ref: ${{ inputs.staging_tag || github.ref_name }} - name: Set lowercase image name run: echo "TEE_IMAGE=ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/cipherbox-tee-worker" >> "$GITHUB_ENV" - - uses: docker/login-action@v3 + - uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: docker/build-push-action@v5 + - uses: docker/build-push-action@v7 with: context: . file: apps/tee-worker/Dockerfile @@ -80,11 +80,11 @@ jobs: runs-on: ubuntu-latest environment: staging steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: ref: ${{ inputs.staging_tag || github.ref_name }} - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' @@ -120,15 +120,15 @@ jobs: runs-on: ubuntu-latest environment: staging steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: ref: ${{ inputs.staging_tag || github.ref_name }} - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' @@ -156,7 +156,7 @@ jobs: GRAFANA_STACK_ID: ${{ vars.GRAFANA_STACK_ID }} - name: Upload web dist as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: web-dist path: apps/web/dist/ @@ -191,7 +191,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: ref: ${{ inputs.staging_tag || github.ref_name }} @@ -201,11 +201,11 @@ jobs: sudo mkdir -p /usr/local/lib/pkgconfig sudo ln -sf "/Library/Application Support/fuse-t/pkgconfig/fuse-t.pc" /usr/local/lib/pkgconfig/fuse.pc - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' @@ -251,7 +251,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: ref: ${{ inputs.staging_tag || github.ref_name }} @@ -290,7 +290,7 @@ jobs: - name: Install Rust toolchain run: rustup default stable - - uses: actions/cache@v4 + - uses: actions/cache@v5 with: path: | ~/.cargo/registry @@ -299,11 +299,11 @@ jobs: key: windows-cargo-${{ hashFiles('apps/desktop/src-tauri/Cargo.lock') }} restore-keys: windows-cargo- - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' @@ -350,7 +350,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: ref: ${{ inputs.staging_tag || github.ref_name }} @@ -370,7 +370,7 @@ jobs: - name: Install Rust toolchain run: rustup default stable - - uses: actions/cache@v4 + - uses: actions/cache@v5 with: path: | ~/.cargo/registry @@ -379,11 +379,11 @@ jobs: key: linux-cargo-${{ hashFiles('apps/desktop/src-tauri/Cargo.lock') }} restore-keys: linux-cargo- - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' @@ -431,12 +431,12 @@ jobs: contents: read packages: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: ref: ${{ inputs.staging_tag || github.ref_name }} - name: Download web dist artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v8 with: name: web-dist path: web-dist/ @@ -571,7 +571,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: ref: ${{ inputs.staging_tag || github.ref_name }} diff --git a/.github/workflows/desktop-e2e.yml b/.github/workflows/desktop-e2e.yml index 9d8c55591b..a8acc89b13 100644 --- a/.github/workflows/desktop-e2e.yml +++ b/.github/workflows/desktop-e2e.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: ref: ${{ inputs.ref || github.sha }} @@ -95,11 +95,11 @@ jobs: # --- Setup Node.js + pnpm (needed for frontend build before cargo) --- - - uses: pnpm/action-setup@v4 + - uses: pnpm/action-setup@v5 with: version: 10 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' @@ -127,7 +127,7 @@ jobs: - name: Install Rust toolchain run: rustup default stable - - uses: actions/cache@v4 + - uses: actions/cache@v5 with: path: | ~/.cargo/registry @@ -498,7 +498,7 @@ jobs: - name: Upload logs on failure if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: desktop-e2e-logs-${{ matrix.platform }} path: | diff --git a/.github/workflows/load-test.yml b/.github/workflows/load-test.yml index 79635d7c98..360599a6cc 100644 --- a/.github/workflows/load-test.yml +++ b/.github/workflows/load-test.yml @@ -97,15 +97,15 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@v5 with: version: 10 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' @@ -224,7 +224,7 @@ jobs: - name: Upload metrics report if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: load-test-metrics-${{ inputs.scenario }}-${{ inputs.client_count }}clients path: tests/load/metrics-*.json diff --git a/.github/workflows/release-gate.yml b/.github/workflows/release-gate.yml index 08d4e2d41c..b549d50f24 100644 --- a/.github/workflows/release-gate.yml +++ b/.github/workflows/release-gate.yml @@ -28,7 +28,7 @@ jobs: echo "Not a release PR — skipping change detection" fi - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 if: steps.release-check.outputs.is_release == 'true' with: fetch-depth: 0 diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index f96b6a9965..c3d816c679 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -13,7 +13,7 @@ jobs: release-please: runs-on: ubuntu-latest steps: - - uses: actions/create-github-app-token@v1 + - uses: actions/create-github-app-token@v3 id: app-token with: app-id: ${{ vars.RELEASE_BOT_APP_ID }} diff --git a/.github/workflows/tag-staging.yml b/.github/workflows/tag-staging.yml index da07561828..445a4c8c65 100644 --- a/.github/workflows/tag-staging.yml +++ b/.github/workflows/tag-staging.yml @@ -13,7 +13,7 @@ jobs: name: Validate Release Tag runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: fetch-depth: 0 @@ -53,7 +53,7 @@ jobs: outputs: staging_tag: ${{ steps.rc.outputs.staging_tag }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: fetch-depth: 0 diff --git a/.github/workflows/web-e2e.yml b/.github/workflows/web-e2e.yml index 36269140f7..fc4dd353ab 100644 --- a/.github/workflows/web-e2e.yml +++ b/.github/workflows/web-e2e.yml @@ -54,17 +54,17 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: ref: ${{ inputs.ref || github.sha }} - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@v5 with: version: 10 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: '22' cache: 'pnpm' @@ -170,7 +170,7 @@ jobs: - name: Upload Playwright report on failure if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: playwright-report path: | From 25c728515447cf83bc9f7c1c526572e5927a4f95 Mon Sep 17 00:00:00 2001 From: Michael Yankelev Date: Mon, 30 Mar 2026 02:34:31 +0200 Subject: [PATCH 2/3] docs: capture todo - Check remaining GitHub Actions for Node 24 updates before June deadline Entire-Checkpoint: 729a21f8bc6d --- ...or-node-24-updates-before-june-deadline.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .planning/todos/pending/2026-03-30-check-remaining-github-actions-for-node-24-updates-before-june-deadline.md diff --git a/.planning/todos/pending/2026-03-30-check-remaining-github-actions-for-node-24-updates-before-june-deadline.md b/.planning/todos/pending/2026-03-30-check-remaining-github-actions-for-node-24-updates-before-june-deadline.md new file mode 100644 index 0000000000..74aa6d9ec4 --- /dev/null +++ b/.planning/todos/pending/2026-03-30-check-remaining-github-actions-for-node-24-updates-before-june-deadline.md @@ -0,0 +1,33 @@ +--- +created: 2026-03-30T01:30:00.000Z +title: Check remaining GitHub Actions for Node 24 updates before June deadline +area: ci +files: + - .github/workflows/deploy-staging.yml + - .github/workflows/release-please.yml + - .github/workflows/desktop-e2e.yml +--- + +## Problem + +GitHub forces Node.js 24 for all actions starting 2026-06-02. PR #402 updated 11 actions but these remain on older versions without Node 24 support: + +- `googleapis/release-please-action@v4` — currently at v4.4.0 +- `tauri-apps/tauri-action@v0` — currently at action-v0.6.2 +- `ikalnytskyi/action-setup-postgres@v8` — currently at v8 +- `appleboy/scp-action@v0.1.7` +- `appleboy/ssh-action@v1.2.0` + +These may publish Node 24-compatible releases before the deadline. + +## Solution + +Before 2026-06-01, check each action for new releases: + +```bash +for action in googleapis/release-please-action tauri-apps/tauri-action ikalnytskyi/action-setup-postgres appleboy/scp-action appleboy/ssh-action; do + gh api "repos/${action}/releases/latest" --jq '.tag_name' +done +``` + +Update any that have new major versions. If any haven't released Node 24 support by then, set `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true` in the workflow env as a workaround and monitor for breakage. From 0d6c5cb1f93495b3d509b587adc7c4592df84416 Mon Sep 17 00:00:00 2001 From: Michael Yankelev Date: Mon, 30 Mar 2026 02:40:24 +0200 Subject: [PATCH 3/3] chore(ci): add Dependabot for GitHub Actions version management Weekly checks for action updates on Mondays. PRs are labeled with dependencies + ci and use conventional commit prefix. Co-Authored-By: Claude Opus 4.6 (1M context) Entire-Checkpoint: a23ee7b7e888 --- .github/dependabot.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000000..a911819b58 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,12 @@ +version: 2 +updates: + - package-ecosystem: 'github-actions' + directory: '/' + schedule: + interval: 'weekly' + day: 'monday' + labels: + - 'dependencies' + - 'ci' + commit-message: + prefix: 'chore(ci)'