ci: bump GitHub Actions to Node 24 compatible versions

[George-RD]

Summary

• Bumps all GitHub Actions to Node 24 compatible versions, silencing the deprecation warning
• actions/checkout v4 → v5, upload/download-artifact v4 → v5, setup-node v4 → v5, setup-python v5 → v6
• Both ci.yml and release.yml updated

Node.js 20 removal deadline is September 2026 — this gets ahead of it.

https://claude.ai/code/session_01G9KJ8D8R2m6ZMTz5MjVvrt

Summary by CodeRabbit

• Chores
  • Updated CI/CD actions to newer versions for improved stability.
  • Added a preflight step to resolve the release tag and prerelease status; downstream jobs now consume that output.
  • Reworked release gating and conditional tag creation to make publishing more reliable and explicit.
  • Adjusted publishing checkouts to use the resolved tag and added retry logic for external checksum downloads.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4454346f-e9e5-402c-b555-c7137f9aee7f

📥 Commits

Reviewing files that changed from the base of the PR and between 8c29213 and 800aab6.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• .github/workflows/release.yml

---

📝 Walkthrough

Walkthrough

CI workflow: bumped actions/checkout from v4 to v5. Release workflow: replaced ensure-tag with a preflight job that resolves and exports tag and is_prerelease, conditionally creates the git tag via gh api, updates job dependencies and checkout refs, gates publish jobs on prerelease status, and bumps several action versions plus Homebrew retry logic.

Changes

Cohort / File(s)	Summary
CI Workflow ​.github/workflows/ci.yml	Updated checkout actions in "Check & Lint" and "Test" jobs from actions/checkout@v4 to actions/checkout@v5.
Release Workflow ​.github/workflows/release.yml	Replaced ensure-tag job with preflight that computes/exports tag and is_prerelease, uses gh api to check/create tags, wires needs.preflight.outputs.* across jobs, sets downstream checkout steps to ref: ${{ needs.preflight.outputs.tag }}, gates publish jobs on is_prerelease == 'false', bumped multiple action versions, added Homebrew checksum download retry and adjusted Homebrew update/tag vars.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant Workflow
  participant Preflight
  participant GH_API as "GitHub API (gh)"
  participant Build
  participant Release
  participant Publish as "Publish Jobs"

  User->>Workflow: trigger (push / workflow_dispatch)
  Workflow->>Preflight: run preflight (resolve `tag`, `is_prerelease`)
  Preflight->>GH_API: check/create tag via `gh api`
  GH_API-->>Preflight: tag exists / created
  Preflight-->>Workflow: outputs `tag`, `is_prerelease`
  Workflow->>Build: checkout `ref=preflight.tag` and build
  Build-->>Workflow: artifacts / success
  alt is_prerelease == 'false'
    Workflow->>Release: create GitHub Release (tag=preflight.tag, prerelease=false)
    Release->>Publish: trigger publish jobs (crates / npm / pypi / homebrew)
  else prerelease
    Workflow-->>Publish: skip gated publish jobs
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Poem

🐰 I hopped the workflow, checked the tag,

preflight whispered, "Is it draft or flag?"
The API sighed, the refs aligned,
checkouts leapt to v5—how neatly timed.
Carrots for CI and a retry or two—hop! 🥕

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
All Comments Resolved	❓ Inconclusive	Project workflow documentation requires all reviewer comments on PRs to be resolved before merging, but comment resolution status for PR #185 cannot be verified from repository codebase alone.	Directly examine GitHub PR #185 at #185 to confirm all comments are marked as resolved.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title references bumping GitHub Actions to Node 24 compatible versions, which aligns with the primary objective of upgrading action versions to silence deprecation warnings. However, the raw_summary shows substantial changes to release.yml beyond version bumps—including a major refactor replacing ensure-tag with preflight job, restructured dependencies, and enhanced prerelease detection—which are not captured in the title.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/complete-release-workflow-EQF6s

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Line 100: Update the GitHub Actions artifact steps to use the newer action
versions to avoid Node 20 deprecation warnings: replace uses:
actions/upload-artifact@v5 with uses: actions/upload-artifact@v6 and replace
uses: actions/download-artifact@v5 with uses: actions/download-artifact@v7
(these are the unique identifiers to find in the workflow: upload-artifact and
download-artifact uses entries).
- Around line 34-46: The release workflow currently creates TAG locally but
doesn't export it as RELEASE_TAG and doesn't pass it into
softprops/action-gh-release.tag_name, and the publish job guards still inspect
github.ref; update the workflow so the created TAG is exported/assigned to
env.RELEASE_TAG (derive from github.event.inputs.tag), pass that env.RELEASE_TAG
into softprops/action-gh-release via tag_name, and change the publish job
conditional checks (publish-crates, publish-npm, publish-pypi, update-homebrew)
to use !contains(env.RELEASE_TAG, '-') instead of !contains(github.ref, '-') so
prerelease tags like v0.1.0-rc1 are evaluated correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 74dfe541-44aa-4b21-ac01-9f6507e824f9

📥 Commits

Reviewing files that changed from the base of the PR and between 4fbed7e and 7ad4068.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• .github/workflows/release.yml

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/release.yml (1)

253-256: ⚠️ Potential issue | 🔴 Critical

x86_64-apple-darwin checksum update will fail — target is not built.

Line 254 updates the checksum for x86_64-apple-darwin, but this target is commented out of the build matrix (lines 77-79). The checksums.txt won't contain this entry, so get_sha x86_64-apple-darwin returns empty, and the sed command will set an empty sha256 in the Homebrew formula.

Either remove line 254 to match the current build matrix, or add a guard to skip missing targets gracefully.

🐛 Proposed fix: Remove x86_64-apple-darwin update

          # Update checksums using URL context to match the right sha256 line
          # Each sha256 line follows its URL line, so we match by the target in the URL
          sed -i "/aarch64-apple-darwin/{n;s/sha256 \"[^\"]*\"/sha256 \"$(get_sha aarch64-apple-darwin)\"/;}" "$FORMULA"
-          sed -i "/x86_64-apple-darwin/{n;s/sha256 \"[^\"]*\"/sha256 \"$(get_sha x86_64-apple-darwin)\"/;}" "$FORMULA"
          sed -i "/aarch64-unknown-linux-gnu/{n;s/sha256 \"[^\"]*\"/sha256 \"$(get_sha aarch64-unknown-linux-gnu)\"/;}" "$FORMULA"
          sed -i "/x86_64-unknown-linux-gnu/{n;s/sha256 \"[^\"]*\"/sha256 \"$(get_sha x86_64-unknown-linux-gnu)\"/;}" "$FORMULA"

Note: The Homebrew formula itself (homebrew-tap/Formula/mag.rb) may also need to be updated to remove the x86_64-apple-darwin resource block, since binaries are no longer published for Intel Macs.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 253 - 256, The sed invocation
that updates the x86_64-apple-darwin checksum (the line calling get_sha
x86_64-apple-darwin against "$FORMULA") will set an empty sha256 because that
target is not built; either remove that sed line entirely to match the build
matrix, or wrap it with a guard that calls get_sha first and only runs the sed
replacement if the returned value is non-empty (i.e., check the output of
get_sha x86_64-apple-darwin before invoking the sed against "$FORMULA").

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/release.yml:
- Around line 253-256: The sed invocation that updates the x86_64-apple-darwin
checksum (the line calling get_sha x86_64-apple-darwin against "$FORMULA") will
set an empty sha256 because that target is not built; either remove that sed
line entirely to match the build matrix, or wrap it with a guard that calls
get_sha first and only runs the sed replacement if the returned value is
non-empty (i.e., check the output of get_sha x86_64-apple-darwin before invoking
the sed against "$FORMULA").

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ec5e25b2-5899-4030-b6d3-6559a5bd5deb

📥 Commits

Reviewing files that changed from the base of the PR and between 7ad4068 and d02fc27.

📒 Files selected for processing (1)

• .github/workflows/release.yml

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/release.yml (1)

253-254: ⚠️ Potential issue | 🟠 Major

Checksum update for non-existent build target will corrupt the Homebrew formula.

Line 254 updates the sha256 for x86_64-apple-darwin, but this target was removed from the build matrix (see lines 77-79). The get_sha x86_64-apple-darwin returns empty, resulting in sha256 "" in the formula.

Either remove this line (if the Homebrew formula no longer supports Intel Mac) or handle the missing checksum gracefully.

🔧 Option 1: Remove the line if Intel Mac is no longer supported in the formula

          sed -i "/aarch64-apple-darwin/{n;s/sha256 \"[^\"]*\"/sha256 \"$(get_sha aarch64-apple-darwin)\"/;}" "$FORMULA"
-          sed -i "/x86_64-apple-darwin/{n;s/sha256 \"[^\"]*\"/sha256 \"$(get_sha x86_64-apple-darwin)\"/;}" "$FORMULA"
          sed -i "/aarch64-unknown-linux-gnu/{n;s/sha256 \"[^\"]*\"/sha256 \"$(get_sha aarch64-unknown-linux-gnu)\"/;}" "$FORMULA"

🔧 Option 2: Skip update if checksum is missing

          sed -i "/aarch64-apple-darwin/{n;s/sha256 \"[^\"]*\"/sha256 \"$(get_sha aarch64-apple-darwin)\"/;}" "$FORMULA"
-          sed -i "/x86_64-apple-darwin/{n;s/sha256 \"[^\"]*\"/sha256 \"$(get_sha x86_64-apple-darwin)\"/;}" "$FORMULA"
+          X86_DARWIN_SHA="$(get_sha x86_64-apple-darwin)"
+          if [ -n "$X86_DARWIN_SHA" ]; then
+            sed -i "/x86_64-apple-darwin/{n;s/sha256 \"[^\"]*\"/sha256 \"$X86_DARWIN_SHA\"/;}" "$FORMULA"
+          fi
          sed -i "/aarch64-unknown-linux-gnu/{n;s/sha256 \"[^\"]*\"/sha256 \"$(get_sha aarch64-unknown-linux-gnu)\"/;}" "$FORMULA"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 253 - 254, The sed invocation
that updates the x86_64-apple-darwin checksum will insert an empty sha256
because get_sha x86_64-apple-darwin returns nothing; either remove the second
sed line that references x86_64-apple-darwin from the release.yml (if Intel Mac
is no longer supported) or wrap the update so it only runs when get_sha
x86_64-apple-darwin returns a non-empty value (call get_sha first, check the
result, and only run the sed that edits FORMULA when the checksum is present) to
avoid producing sha256 "" in the Homebrew formula.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/release.yml:
- Around line 253-254: The sed invocation that updates the x86_64-apple-darwin
checksum will insert an empty sha256 because get_sha x86_64-apple-darwin returns
nothing; either remove the second sed line that references x86_64-apple-darwin
from the release.yml (if Intel Mac is no longer supported) or wrap the update so
it only runs when get_sha x86_64-apple-darwin returns a non-empty value (call
get_sha first, check the result, and only run the sed that edits FORMULA when
the checksum is present) to avoid producing sha256 "" in the Homebrew formula.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 25adffb6-2134-4b4f-b8d3-79e185cf3a31

📥 Commits

Reviewing files that changed from the base of the PR and between d02fc27 and 8c29213.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• .github/workflows/release.yml