chore: update all GitHub Actions to latest major versions #4

Merged: cdzombak merged 1 commit into main from update-github-actions-v6 (Apr 27, 2026)

@cdzombak cdzombak commented Apr 27, 2026

Owner

Bump 17 actions to their latest major versions:

  • actions/checkout: v4 -> v6 (latest: v6.0.2)
  • actions/upload-artifact: v4 -> v7 (latest: v7.0.1)
  • actions/download-artifact: v4 -> v8 (latest: v8.0.1)
  • actions/setup-go: v5 -> v6 (latest: v6.4.0)
  • docker/login-action: v3 -> v4 (latest: v4.1.0)
  • docker/setup-qemu-action: v3 -> v4 (latest: v4.0.0)
  • docker/setup-buildx-action: v3 -> v4 (latest: v4.0.0)
  • docker/metadata-action: v5 -> v6 (latest: v6.0.0)
  • docker/build-push-action: v5 -> v7 (latest: v7.1.0)
  • oxsecurity/megalinter: v8.8.0 -> v9.4.0 (SHA-pinned)
  • peter-evans/dockerhub-description: v3 -> v5 (latest: v5.0.0)
  • softprops/action-gh-release: v2 -> v3 (latest: v3.0.0)
  • sersoft-gmbh/running-release-tags-action: v3 -> v4 (latest: v4.0.1)
  • tailscale/github-action: v3 -> v4 (latest: v4.1.2)
  • Justintime50/homebrew-releaser: v2.0.3 -> v3.3.0 (SHA-pinned)
  • niniyas/ntfy-action: pinned SHA -> V1.0.5 (SHA-pinned)

All Docker actions now use Node 24 (requires Actions Runner v2.327.1+, provided by default on GitHub-hosted runners). No breaking changes affecting this workflow's usage patterns.

Summary by CodeRabbit

  • Chores
    • Updated CI/CD pipeline infrastructure with latest versions of workflow automation tools, artifact management systems, Docker integration services, code quality analysis, and release publishing components to maintain system reliability and operational efficiency.

Bump 17 actions to their latest major versions:

- actions/checkout: v4 -> v6 (latest: v6.0.2)
- actions/upload-artifact: v4 -> v7 (latest: v7.0.1)
- actions/download-artifact: v4 -> v8 (latest: v8.0.1)
- actions/setup-go: v5 -> v6 (latest: v6.4.0)
- docker/login-action: v3 -> v4 (latest: v4.1.0)
- docker/setup-qemu-action: v3 -> v4 (latest: v4.0.0)
- docker/setup-buildx-action: v3 -> v4 (latest: v4.0.0)
- docker/metadata-action: v5 -> v6 (latest: v6.0.0)
- docker/build-push-action: v5 -> v7 (latest: v7.1.0)
- oxsecurity/megalinter: v8.8.0 -> v9.4.0 (SHA-pinned)
- peter-evans/dockerhub-description: v3 -> v5 (latest: v5.0.0)
- softprops/action-gh-release: v2 -> v3 (latest: v3.0.0)
- sersoft-gmbh/running-release-tags-action: v3 -> v4 (latest: v4.0.1)
- tailscale/github-action: v3 -> v4 (latest: v4.1.2)
- Justintime50/homebrew-releaser: v2.0.3 -> v3.3.0 (SHA-pinned)
- niniyas/ntfy-action: pinned SHA -> V1.0.5 (SHA-pinned)

All Docker actions now use Node 24 (requires Actions Runner v2.327.1+,
provided by default on GitHub-hosted runners). No breaking changes
affecting this workflow's usage patterns.

coderabbitai Bot commented Apr 27, 2026

Walkthrough

Multiple GitHub Actions and third-party workflow actions have been upgraded to newer major versions across the CI pipeline. Changes include updating actions/checkout to v6, upgrading artifact handling to newer versions, bumping Docker-related actions, updating Go toolchain setup, and refreshing release publishing and notification actions.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Upgrades: .github/workflows/main.yml | Upgraded actions/checkout (v4 → v6), artifact actions (upload-artifact v4.6.2 → v7, download-artifact → v8), Docker actions (login/setup-qemu/setup-buildx/metadata/build-push, v4-v7 range), actions/setup-go (→ v6), release actions (softprops/action-gh-release → v3, sersoft-gmbh/running-release-tags-action → v4), tailscale/github-action (→ v4), peter-evans/dockerhub-description (→ v5), ntfy notifications (niniyas/ntfy-action → v1.0.5), and MegaLinter (→ v9.4.0). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: updating GitHub Actions to latest major versions, which is precisely what the changeset accomplishes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@github-actions

⚠️MegaLinter analysis: Success with warnings

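| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 1 | | 0 | 0 | 0.07s |
| ✅ BASH | bash-exec | 2 | | 0 | 0 | 0.01s |
| ✅ BASH | shellcheck | 2 | | 0 | 0 | 0.05s |
| ✅ BASH | shfmt | 2 | 1 | 0 | 0 | 0.05s |
| ✅ COPYPASTE | jscpd | yes | | no | no | 1.8s |
| ✅ DOCKERFILE | hadolint | 1 | | 0 | 0 | 0.04s |
| ✅ DOCKERFILELINT | dockerfilelint | 1 | | 0 | 0 | 0.28s |
| ✅ GO | golangci-lint | yes | yes | no | no | 11.17s |
| ✅ GO | revive | 1 | | 0 | 0 | 2.34s |
| ✅ MARKDOWN | markdownlint | 1 | 1 | 0 | 0 | 0.73s |
| ✅ MARKDOWN | markdown-table-formatter | 1 | 1 | 0 | 0 | 0.48s |
| ⚠️ PYTHON | isort | 1 | 0 | 1 | 0 | 0.45s |
| ✅ YAML | prettier | 2 | 1 | 0 | 0 | 0.67s |
| ✅ YAML | v8r | 2 | | 0 | 0 | 5.75s |
| ✅ YAML | yamllint | 2 | | 0 | 0 | 1.04s |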

Detailed Issues

⚠️ PYTHON / isort - 1 error
ERROR: No valid encodings.

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters PYTHON_ISORT,ACTION_ACTIONLINT,BASH_EXEC,BASH_SHELLCHECK,BASH_SHFMT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,DOCKERFILELINT_DOCKERFILELINT,GO_GOLANGCI_LINT,GO_REVIVE,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/main.yml:
- Line 352: Update the pinned commit for the GitHub Action usage: the line
referencing niniyas/ntfy-action@2ebc39afb288e8b01804a6ec1be0db2e7a458387 should
be changed to use the actual v1.0.5 commit SHA
(41df2f98dfd43da872e8aea19baacbdde43740d3) or swap to the tag form
niniyas/ntfy-action@v1.0.5 to ensure the workflow points to the intended
release; verify the chosen SHA/tag corresponds to the intended release commit
before committing the change.
- Line 183: The workflow currently uses peter-evans/dockerhub-description@v5
which introduces breaking changes (Node.js 24 runtime, GitHub Actions runner
v2.327.1+ for self-hosted, changed Docker Hub auth endpoint, and dependency
upgrades); either pin the step back to a compatible release (e.g.,
peter-evans/dockerhub-description@v4) or update your CI environment and related
actions to satisfy v5's requirements: ensure self-hosted runners are >=
v2.327.1, confirm any Node tooling supports Node.js 24, update dependent steps
to actions/checkout@v5 and actions/setup-node@v5 if adopting v5, and adjust
Docker Hub auth flows to use /v2/auth/token as needed before merging.
- Line 292: The workflow currently uses the action reference "uses:
tailscale/github-action@v4" which requires you to either (A) explicitly pin to a
known non-breaking release (e.g., v4.1.2) or (B) update the workflow environment
and inputs to be compatible with v4: ensure runners provide Node.js 24 before
invoking the action, review and set the new "ping" input if you need
connectivity verification, and account for the new automatic logout behavior
(tailscale logout runs at workflow end) and default binary caching by adjusting
any stateful steps or reauth flows that relied on v3 behavior; make these
changes around the "uses: tailscale/github-action@v4" reference and test the
workflow end-to-end.
- Line 143: The workflow currently uses docker/setup-qemu-action@v4 which
requires GitHub Actions runners with Node.js 24 (runner v2.327.1+); either
update your runner to v2.327.1 or newer to satisfy docker/setup-qemu-action@v4's
Node 24 requirement, or pin the action to docker/setup-qemu-action@v3.7.0 in the
workflow to retain Node 20 compatibility.
- Line 202: The workflow currently uses actions/setup-go@v6 which has breaking
changes; update the workflow to ensure the runner meets v2.327.1+ (upgrade the
GitHub Actions runner or set runs-on to a compatible image), explicitly set
cache-dependency-path if you need the cache to key off go.sum (add
cache-dependency-path: go.sum), and if you depend on a specific Go toolchain
behavior, explicitly set the action's toolchain input or add a toolchain
directive to go.mod to control the Go version; also review any Node.js tooling
steps for compatibility with the action's implicit upgrade to Node 24 and adjust
those steps accordingly.
- Line 149: Update the workflow to accommodate docker/setup-buildx-action@v4 by
auditing any usage of the action reference docker/setup-buildx-action@v4 and
replacing removed inputs/outputs: change any uses of inputs config ->
buildkitd-config, config-inline -> buildkitd-config-inline, and install -> set
BUILDX_BUILDER via env; replace any reads of output flags with the nodes output;
and ensure the GitHub Actions runner specified for this job meets v2.327.1 or
later (or remove pins that would run older runners) so Node 24 runtime
requirements are satisfied.
- Line 169: The workflow upgrade to uses: docker/build-push-action@v7 introduces
breaking changes; update the workflow to either pin a compatible v6 release or
adopt v7 by ensuring your runners support Node 24 (GitHub Actions Runner
v2.327.1+ or GitHub-hosted runners), remove any uses of the deprecated
environment variables DOCKER_BUILD_NO_SUMMARY and
DOCKER_BUILD_EXPORT_RETENTION_DAYS, and remove/replace any legacy export-build
tool or build-summary usage; locate the step referencing
docker/build-push-action@v7 in the main.yml and either revert the action version
or adjust runner settings and environment variables accordingly to restore
compatibility.
- Line 244: Update the GitHub Action usage of actions/download-artifact@v8 to
handle v8 breaking changes: either verify the uploaded artifacts won’t trigger
digest mismatches or decompression issues, or explicitly add the download inputs
to preserve v4 behavior—set digest-mismatch: warn if you want to ignore hash
mismatches and set skip-decompress: true if you need non-zipped artifacts
downloaded as-is; locate the uses: actions/download-artifact@v8 step in the
workflow to apply these inputs or confirm the upload step produces compatible
artifacts.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6fb48e06-8aea-4e82-bf65-5e03b43bffc6

📥 Commits

Reviewing files that changed from the base of the PR and between f986348 and 41df2f9.

📒 Files selected for processing (1)
  • .github/workflows/main.yml


- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@v4
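
Review bot: `docker/setup-qemu-action@v4` on the added `uses:` line is a mutable major tag, so the code this step runs can change without any commit to this repository. This PR already pins oxsecurity/megalinter, Justintime50/homebrew-releaser and niniyas/ntfy-action by SHA; pinning the docker/* actions the same way (the full commit SHA of the v4.0.0 release with a trailing `# v4.0.0` comment) would make these steps reproducible and let a later bump show up as a reviewable diff.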

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What is the latest version of docker/setup-qemu-action and what breaking changes exist between v3 and v4?

💡 Result:

The latest version of docker/setup-qemu-action is v4.0.0, released on 2026-03-04. Breaking changes between v3 (latest v3.7.0) and v4:

  • Node.js runtime changed from 20 to 24 (requires GitHub Actions runner v2.327.1+)
  • Switched to ESM (ECMAScript Modules)
  • Updated @actions/core to ^3.0.0 (major version bump, potential API changes but action updated successfully)
  • Updated @docker/actions-toolkit to ^0.77.0
  • Other dependency updates and internal tooling changes (eslint, vitest, etc.)

No explicit migration guide found; changes are primarily internal with no documented user-facing API alterations. Usage remains the same: uses: docker/setup-qemu-action@v4. Ensure runner supports Node 24.

docker/setup-qemu-action@v4.0.0 requires GitHub Actions runners with Node.js 24 support.

The upgrade to v4.0.0 changes the Node.js runtime from 20 to 24, requiring GitHub Actions runner v2.327.1 or later. Verify that your runner configuration meets this requirement, or pin to v3.7.0 if upgrading the runner is not feasible.

- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@v4
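
Review bot: the step keeps `id: buildx`, so other steps may read `steps.buildx.outputs.*`; the v3 to v4 notes quoted in this thread list the `flags` output as removed, and a reference to a missing output evaluates to an empty string instead of failing the job. Search main.yml for `steps.buildx.outputs.flags` and move any hit to the `nodes` output before merging.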

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the latest version of docker/setup-buildx-action and what breaking changes exist between v3 and v4?

💡 Result:

The latest version of docker/setup-buildx-action is v4.0.0, released on 2026-03-05. Breaking changes between v3 (v3.12.0) and v4.0.0:

  • Node.js runtime upgraded to Node 24 (requires GitHub Actions Runner v2.327.1+).
  • Removed deprecated inputs: config, config-inline (use buildkitd-config and buildkitd-config-inline instead), and install (use BUILDX_BUILDER env var or direct docker buildx commands).
  • Removed deprecated outputs: flags (use nodes output instead).
  • Internal changes: Switched to ESM, updated dependencies like @actions/core to 3.0.0 and @docker/actions-toolkit to 0.79.0, updated testing framework.

No further releases after v4.0.0 as of 2026-04-27 (repo last push 2026-04-24, but latest tagged release is v4.0.0).

Review the breaking changes between v3 and v4 to ensure workflow compatibility.

The update to docker/setup-buildx-action@v4.0.0 introduces significant breaking changes:

  • Node.js runtime upgrade to Node 24 (requires GitHub Actions Runner v2.327.1 or later)
  • Removed deprecated inputs: config, config-inline, install (use buildkitd-config, buildkitd-config-inline, and BUILDX_BUILDER env var instead)
  • Removed deprecated outputs: flags (use nodes output instead)

Verify that the workflow does not rely on these removed inputs/outputs and that the GitHub Actions runner version meets the new requirements.

- name: Build and push
uses: docker/build-push-action@v5
uses: docker/build-push-action@v7

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the latest version of docker/build-push-action and what breaking changes exist between v5 and v7?

💡 Result:

The latest version of docker/build-push-action is v7.1.0, released on 2026-04-10.

🌐 Web query:

docker/build-push-action v7 migration guide breaking changes from v5

💡 Result:

There is no official dedicated migration guide from v5 to v7 for docker/build-push-action. Breaking changes and migration steps must be derived from release notes and changelogs across v5.x, v6.x, and v7.0.0.

Key breaking changes in v7.0.0 (released 2026-03-05) from prior versions (including v5 and v6):

  1. Node 24 as default runtime - Requires GitHub Actions Runner v2.327.1 or later. Update your runner if using self-hosted, or use GitHub-hosted runners which support it.
  2. Removed deprecated environment variables:
     • DOCKER_BUILD_NO_SUMMARY (use DOCKER_BUILD_SUMMARY=false instead, deprecated earlier in v6.3.0)
     • DOCKER_BUILD_EXPORT_RETENTION_DAYS
  3. Removed legacy export-build tool support for build summary (build record now uses buildx history export since v6.17.0).

Other notable changes from v5 to v6/v7 (non-breaking but require awareness):

  • Switch to ESM (internal, should not affect users).
  • Dependency bumps: @actions/core to 3.0.0 (may have breaking changes in error handling/logging), @docker/actions-toolkit to 0.79.0.
  • Git context improvements (e.g., auth token scoping to github.com in v6.19.0).
  • New inputs like secret-envs, annotations added in v5.1.0+.

Migration steps:

  • Update uses: docker/build-push-action@v7 in your workflow YAML.
  • Ensure GitHub-hosted runner ubuntu-latest (Node 24 supported) or compatible self-hosted runner.
  • Remove any usage of removed env vars DOCKER_BUILD_NO_SUMMARY, DOCKER_BUILD_EXPORT_RETENTION_DAYS.
  • If using build summary with legacy tools, update to use modern buildx history export.
  • Test workflows thoroughly, especially error handling due to @actions/core v3.
  • No changes needed for core inputs like context, tags, push, platforms, cache-from/to, etc. - fully backward compatible for standard usage.
  • Review full changelog: https://github.com/docker/build-push-action/releases/tag/v7.0.0 (compare v6.19.2...v7.0.0), releases page https://github.com/docker/build-push-action/releases, and v5 tag https://github.com/docker/build-push-action/tree/v5 for inputs reference.

Example v5 to v7 workflow update:

v5:
    uses: docker/build-push-action@v5
    with:
      push: true
      tags: user/app:latest

v7: (unchanged)
    uses: docker/build-push-action@v7
    with:
      push: true
      tags: user/app:latest

Primary sources: GitHub release notes for v7.0.0, v6.x, v5.x; compare views v5...v6, v5.0.0...v5.1.0 etc.

Review breaking changes before updating to docker/build-push-action@v7.

The upgrade from v5 to v7.1.0 introduces breaking changes:

  • Node 24 runtime required (GitHub Actions Runner v2.327.1+ or use GitHub-hosted runners)
  • Removed deprecated environment variables: DOCKER_BUILD_NO_SUMMARY and DOCKER_BUILD_EXPORT_RETENTION_DAYS
  • Removed legacy export-build tool support for build summaries

Ensure your workflow and self-hosted runners (if applicable) are compatible with these changes. Standard workflow inputs remain backward compatible.

- name: Update Docker Hub description
if: needs.meta.outputs.is_release == 'true'
uses: peter-evans/dockerhub-description@v3
uses: peter-evans/dockerhub-description@v5
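
Review bot: this step is gated by `if: needs.meta.outputs.is_release == 'true'`, so CI runs that are not releases skip it and a problem with the v3 to v5 jump would first surface during a release. Exercise the step once before the next real release, for example on a pre-release tag, or land the two-major bump separately so a failure is easy to attribute.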

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the latest version of peter-evans/dockerhub-description and what breaking changes exist between v3 and v5?

💡 Result:

The latest version of peter-evans/dockerhub-description is v5.0.0, released on 2025-10-01. Breaking changes between v3 and v5 primarily involve runtime updates and dependency changes that require updated GitHub Actions runner versions:

  • v4.0.0 (from v3.4.2): Updated runtime to Node.js 20, requiring Actions runner v2.308.0 or later.
  • v5.0.0 (from v4.0.2): Updated runtime to Node.js 24, requiring Actions runner v2.327.1 or later (for self-hosted runners). Also updated Docker Hub auth endpoint from /v2/users/login (deprecated) to /v2/auth/token, switched to native fetch, bumped actions/checkout, actions/setup-node, etc. from v4 to v5.

No explicit API/input breaking changes listed in release notes; action inputs appear consistent (e.g., username, password, repository, short-description, readme-filepath, enable-url-completion, image-extensions). Users on older runners may need updates for compatibility. Last repo push was 2026-04-01, but no newer release.

Verify GitHub Actions runner compatibility with v5.0.0's breaking changes.

peter-evans/dockerhub-description@v5.0.0 exists and is the latest version. However, it includes breaking changes from v3:

  • Node.js 24 runtime (up from Node.js 20 in v4)
  • GitHub Actions runner v2.327.1+ required for self-hosted runners
  • Docker Hub auth endpoint changed from /v2/users/login (deprecated) to /v2/auth/token
  • Dependency updates: actions/checkout and actions/setup-node upgraded from v4 to v5

Ensure your CI/CD runners meet the new version requirements before merging.

- name: Setup Go
uses: actions/setup-go@v5.5.0
uses: actions/setup-go@v6
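
Review bot: the removed line pinned an exact release (`actions/setup-go@v5.5.0`) while the added line floats on the major tag `@v6`, so this bump also loosens the pin. If the exact pin was deliberate, keep it at the release the PR description names as latest (`@v6.4.0`) or at that release's commit SHA with a version comment.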

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the latest version of actions/setup-go and what breaking changes exist between v5 and v6?

💡 Result:

Latest version: v6.4.0 (released 2026-03-30). Breaking changes between v5 and v6:

  1) Node.js runtime upgrade for the action: v6 upgrades the action runtime from Node 20 to Node 24. It also notes an action-required requirement that runners be on v2.327.1 or later for compatibility.
  2) Enhanced Go toolchain handling: v6 supports reading both go and toolchain directives from go.mod; if the toolchain directive is present, v6 uses that exact version. (V5 did not have this toolchain-directive behavior.)
  3) Cache key change for Go modules: v6 changes the default cache key inputs so Go module caching is based on go.mod by default; if you want to use go.sum instead, you must set cache-dependency-path accordingly.
  4) Version resolution behavior improvements: v6 documents an updated resolution order (local cache → go-versions repository → direct download from go.dev) and uses the toolchain directive version (when present) as part of version resolution.

Address breaking changes in actions/setup-go@v6 upgrade.

Upgrading from v5 to v6.4.0 introduces multiple breaking changes:

  • Node.js runtime upgraded from Node 20 to Node 24 (action-required)
  • Requires GitHub Actions runners v2.327.1 or later
  • Cache key now defaults to go.mod instead of go.sum; override with cache-dependency-path if needed
  • Enhanced Go toolchain handling: v6 reads and uses toolchain directive from go.mod if present

Verify your environment meets the runner version requirement and adjust cache configuration if necessary.

steps:
- name: Download binaries & packages
uses: actions/download-artifact@v4
uses: actions/download-artifact@v8

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

What is the latest version of actions/download-artifact and what breaking changes exist between v4 and v8?

💡 Result:

Latest version (as of 2026-04-27): actions/download-artifact@v8.0.1. Breaking changes between v4 and v8:

  1) v4 -> v8 are incompatible with each other’s artifact formats: artifacts created with versions v3 and below are not compatible with v4 actions (so upgrading only download may break). This is explicitly called out in the v4 release notes.
  2) ESM migration (breaking/behavior change for forks): v8 migrates to an ESM module; callers should be unaffected, but forks might need significant changes.
  3) Hash/digest mismatch enforcement (breaking): in v8, hash mismatches now error by default (previously they were warnings). You can override via the digest-mismatch parameter.
  4) “Direct downloads” / decompression behavior change (breaking): v8 will check Content-Type before attempting to unzip downloaded content; it skips non-zipped files. A new skip-decompress parameter was added to control downloading zipped files “as-is”.

🏁 Script executed:

cat -n .github/workflows/main.yml | sed -n '240,250p'

Repository: cdzombak/gallerygen

Length of output: 457


🏁 Script executed:

cat -n .github/workflows/main.yml | sed -n '279,289p'

Repository: cdzombak/gallerygen

Length of output: 493


🌐 Web query:

actions/download-artifact v8 name parameter breaking changes compatibility with v4

💡 Result:

There are no breaking changes to the 'name' parameter itself between actions/download-artifact v4 and v8. The 'name' input remains optional, used to specify the artifact name to download (or all artifacts if unspecified), with the same description and behavior in both versions.

Key v8 changes (released Feb 2026) are:

  • Default digest mismatch behavior changed to 'error' (new 'digest-mismatch' input: ignore/info/warn/error).
  • Skips unzipping non-zipped files based on Content-Type (to support upload-artifact direct uploads); new 'skip-decompress' input to download zips as-is.
  • Migrated to ESM module (transparent to users).

Earlier changes (v5, 2025): Fixed path for single artifact by ID to be direct (not nested), but does not affect 'name'. The 'name' parameter is fully compatible. Workflows using 'name' in v4 will work unchanged in v8, except potential impacts from new defaults if hash mismatches occur or non-zipped artifacts are downloaded.

The name parameter has no breaking changes between v4 and v8; however, verify handling of other v8 breaking changes.

actions/download-artifact@v8 exists and is stable, but v4→v8 introduces breaking changes unrelated to the name parameter:

  • Digest mismatch handling: v8 errors on hash mismatches by default (v4 warned). If artifacts have hash issues, add digest-mismatch: warn to maintain previous behavior.
  • Decompression behavior: v8 skips unzipping non-zipped files based on Content-Type. If non-zipped artifacts are expected to be decompressed, add skip-decompress: true to download as-is.

Verify the artifacts produced by the upload step don't trigger either scenario.

- name: Login to Tailscale
uses: tailscale/github-action@v3
uses: tailscale/github-action@v4

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the latest version of tailscale/github-action and what breaking changes exist between v3 and v4?

💡 Result:

Latest version (as of 2026-04-27): tailscale/github-action v4.1.2. Breaking changes between v3 and v4:

  1) Action implementation/runtime changed: v4 is a TypeScript-based GitHub Action (not the prior bash-based runner). This also means the action requires runners capable of installing Node.js 24.
  2) New/changed behavior at workflow end: v4 automatically runs tailscale logout when the workflow completes (enabled by default), which was not available in bash-based actions.
  3) New functionality: v4 adds a ping input/parameter to block the workflow until connectivity and DNS resolution for specified tailnet devices is ready.
  4) Caching behavior: v4 enables binary caching by default (speed/reliability improvement vs the bash-based implementation).

Verify tailscale/github-action v4 breaking changes and compatibility.

v4.1.2 exists (confirmed). Review these breaking changes:

  • Runtime changed: v4 is TypeScript-based and requires Node.js 24 (previously bash-based)
  • Automatic logout: v4 runs tailscale logout by default at workflow end (new behavior)
  • Binary caching: Now enabled by default (behavior change from v3)
  • New input parameter: ping parameter added for connectivity verification

Ensure your workflow and runners support Node.js 24 and review whether automatic logout and caching changes affect your use case.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/main.yml at line 292, The workflow currently uses the
action reference "uses: tailscale/github-action@v4" which requires you to either
(A) explicitly pin to a known non-breaking release (e.g., v4.1.2) or (B) update
the workflow environment and inputs to be compatible with v4: ensure runners
provide Node.js 24 before invoking the action, review and set the new "ping"
input if you need connectivity verification, and account for the new automatic
logout behavior (tailscale logout runs at workflow end) and default binary
caching by adjusting any stateful steps or reauth flows that relied on v3
behavior; make these changes around the "uses: tailscale/github-action@v4"
reference and test the workflow end-to-end.

steps:
- name: Send success notification
uses: niniyas/ntfy-action@9c6dc60073292f562769f83df2ace9f64ab31c78
uses: niniyas/ntfy-action@2ebc39afb288e8b01804a6ec1be0db2e7a458387 # V1.0.5
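Review bot: on the new `uses: niniyas/ntfy-action@2ebc39afb288e8b01804a6ec1be0db2e7a458387 # V1.0.5` line, the trailing comment is the only thing tying the SHA to a release, and nothing in the diff shows how that mapping was checked. Record in the PR description how the SHA was resolved from the tag, and keep the comment spelled exactly as the upstream tag (uppercase `V`) so a later lookup by tag name finds it.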

@coderabbitai coderabbitai Bot Apr 27, 2026

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify ntfy-action SHA matches the v1.0.5 tag

git clone --depth 1 --branch v1.0.5 https://github.com/niniyas/ntfy-action.git /tmp/ntfy-action 2>/dev/null
cd /tmp/ntfy-action
git rev-parse HEAD

Repository: cdzombak/gallerygen

Length of output: 189


SHA for ntfy-action does not match v1.0.5 release tag.

The workflow file pins niniyas/ntfy-action to SHA 2ebc39afb288e8b01804a6ec1be0db2e7a458387, but the actual v1.0.5 release tag points to 41df2f98dfd43da872e8aea19baacbdde43740d3. Update the SHA to match the correct v1.0.5 tag or verify the intended commit.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/main.yml at line 352, Update the pinned commit for the
GitHub Action usage: the line referencing
niniyas/ntfy-action@2ebc39afb288e8b01804a6ec1be0db2e7a458387 should be changed
to use the actual v1.0.5 commit SHA (41df2f98dfd43da872e8aea19baacbdde43740d3)
or swap to the tag form niniyas/ntfy-action@v1.0.5 to ensure the workflow points
to the intended release; verify the chosen SHA/tag corresponds to the intended
release commit before committing the change.

@cdzombak, thank you for verifying! My analysis was incorrect — the false positive was caused by a case sensitivity issue in my verification script. I used --branch v1.0.5 (lowercase v) when cloning, but the actual release tag is V1.0.5 (uppercase V), so my script resolved to the wrong commit and reported a mismatch. The pinned SHA 2ebc39afb288e8b01804a6ec1be0db2e7a458387 is indeed correct for the V1.0.5 release. Apologies for the noise!


✏️ Learnings added
Learnt from: cdzombak
Repo: cdzombak/gallerygen PR: 4
File: .github/workflows/main.yml:352-352
Timestamp: 2026-04-27T15:47:04.943Z
Learning: The `niniyas/ntfy-action` GitHub Action (repo: NiNiyas/ntfy-action) uses uppercase-V release tags (e.g., `V1.0.5`, not `v1.0.5`). The SHA `2ebc39afb288e8b01804a6ec1be0db2e7a458387` corresponds to the `V1.0.5` release. When verifying SHAs for this action, use `--branch V1.0.5` (capital V) in git commands.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.
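
The tag-to-SHA check discussed in this thread, as an added example (not code from the PR or from CodeRabbit): it resolves a tag from `git ls-remote --tags` output, prefers the peeled `^{}` commit for annotated tags, and reports a case-only tag difference separately from a real SHA mismatch. The function names, result strings and the sample refs and hashes are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a pinned action SHA with the commit a release tag
# resolves to. Input is `git ls-remote --tags` output on stdin.

# resolve_tag TAG: print the commit SHA for an exact tag match (exit 0);
# print the differently-cased ref if only that exists (exit 2); else exit 1.
resolve_tag() {
  awk -v want="refs/tags/$1" '
    {
      ref = $2; peeled = 0; n = length(ref)
      # Annotated tags are listed twice; the "^{}" line carries the commit.
      if (n > 3 && substr(ref, n - 2) == "^{}") { ref = substr(ref, 1, n - 3); peeled = 1 }
      if (ref == want) { if (peeled || exact == "") exact = $1 }
      else if (tolower(ref) == tolower(want)) near = ref
    }
    END {
      if (exact != "") { print exact; exit 0 }
      if (near != "")  { print near;  exit 2 }
      exit 1
    }'
}

# check_pin TAG PINNED_SHA: print OK, MISMATCH, TAG_CASE:<ref> or NO_TAG.
check_pin() {
  out=$(resolve_tag "$1") && rc=0 || rc=$?
  case $rc in
    0) if [ "$out" = "$2" ]; then echo "OK"; else echo "MISMATCH"; fi ;;
    2) echo "TAG_CASE:$out" ;;   # tag exists only with different letter case
    *) echo "NO_TAG" ;;
  esac
}

# Constructed sample (not real hashes): V1.0.5 is an annotated tag, so the
# first line is the tag object and the "^{}" line is the commit to pin.
sample_ls_remote() {
  cat <<'EOF'
1111111111111111111111111111111111111111 refs/tags/V1.0.4
2222222222222222222222222222222222222222 refs/tags/V1.0.5
3333333333333333333333333333333333333333 refs/tags/V1.0.5^{}
EOF
}

# A lowercase tag name is reported as a tag-name problem, not a SHA mismatch.
sample_ls_remote | check_pin v1.0.5 3333333333333333333333333333333333333333
```

Against a real repository, pipe `git ls-remote --tags <repo-url>` into `check_pin` in place of the sample.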

@cdzombak cdzombak merged commit 6e1dcc6 into main Apr 27, 2026
10 checks passed