ci: upgrade GitHub Actions to Node 24-compatible versions#30824
Merged
Conversation
Updates 1 occurrence across 1 workflow file from v4 to v6. v6 runs on Node 24; v4 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/actions/checkout/releases/tag/v6.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 4 occurrences across 1 workflow file from v4 to v8. v8 runs on Node 24; v4 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/actions/download-artifact/releases/tag/v8.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 2 occurrences across 2 workflow files from v7 to v8. v8 runs on Node 24; v7 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/actions/github-script/releases/tag/v8 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 1 occurrence across 1 workflow file from v5 to v6. v6 runs on Node 24; v5 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/actions/labeler/releases/tag/v6.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 8 occurrences across 4 workflow files from v5 to v6. v6 runs on Node 24; v5 runs on Node 20 which is being deprecated on GitHub Actions runners. v6 defaults GOTOOLCHAIN=local, so the transform-sdk-build integration-test build (whose tests module needs a newer Go than the pinned GO_VERSION) gets GOTOOLCHAIN=auto to keep fetching the toolchain as before. See https://github.com/actions/setup-go/releases/tag/v6.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 2 occurrences across 2 workflow files from v4 to v6. v6 runs on Node 24; v4 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/actions/setup-node/releases/tag/v6.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 2 occurrences across 2 workflow files from v5 to v6. v6 runs on Node 24; v5 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/actions/setup-python/releases/tag/v6.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 1 occurrence across 1 workflow file from v9 to v10. v10 runs on Node 24; v9 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/actions/stale/releases/tag/v10.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 1 occurrence across 1 workflow file from v4 to v7. v7 runs on Node 24; v4 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/actions/upload-artifact/releases/tag/v7.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 2 occurrences across 1 workflow file from v3 to v4.0.0. v4.0.0 runs on Node 24; v3 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/astral-sh/ruff-action/releases/tag/v4.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 2 occurrences across 2 workflow files from v6 to v8.2.0. v8.2.0 runs on Node 24; v6 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/astral-sh/setup-uv/releases/tag/v8.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 12 occurrences across 10 workflow files from v2 to v3. v3 runs on Node 24; v2 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/aws-actions/aws-secretsmanager-get-secrets/releases/tag/v3.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 13 occurrences across 11 workflow files from v4 to v6. v6 runs on Node 24; v4 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/aws-actions/configure-aws-credentials/releases/tag/v6.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 3 occurrences across 3 workflow files from 0.15.0 to 0.19.0. 0.19.0 runs on Node 24; 0.15.0 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/bazel-contrib/setup-bazel/releases/tag/0.19.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 1 occurrence across 1 workflow file from v6 to v7. v7 runs on Node 24; v6 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/docker/build-push-action/releases/tag/v7.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 1 occurrence across 1 workflow file from v3 to v4. v4 runs on Node 24; v3 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/docker/setup-buildx-action/releases/tag/v4.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 2 occurrences across 2 workflow files from v6 and v8 to v9. v9 runs on Node 24; v6 and v8 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/golangci/golangci-lint-action/releases/tag/v9.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 1 occurrence across 1 workflow file from v5 to v7. v7 runs on Node 24; v5 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/goreleaser/goreleaser-action/releases/tag/v7.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 4 occurrences across 2 workflow files from v4 to v5. v5 runs on Node 24; v4 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/peter-evans/create-or-update-comment/releases/tag/v5.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 2 occurrences across 1 workflow file from v3 to v4. v4 runs on Node 24; v3 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/peter-evans/repository-dispatch/releases/tag/v4.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Updates 1 occurrence across 1 workflow file from v4 to v5. v5 runs on Node 24; v4 runs on Node 20 which is being deprecated on GitHub Actions runners. See https://github.com/peter-evans/slash-command-dispatch/releases/tag/v5.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
actions-rs/toolchain and actions-rs/cargo run on Node 12 and the actions-rs org has been archived since 2023, so they will never ship a Node 24 release. Replace them in rp-storage-tool-checks with the maintained dtolnay/rust-toolchain (a composite action, no Node runtime) and direct cargo invocations. See https://github.com/dtolnay/rust-toolchain Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
The latest Buf updates on your PR. Results from workflow Buf CI / validate (pull_request).
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates GitHub Actions workflow dependencies to versions compatible with GitHub-hosted runners’ move to Node 24 for JavaScript actions, and removes reliance on archived Node 12-based actions.
Changes:
- Bump many third-party GitHub Actions across
.github/workflows/to Node 24-ready major versions (checkout, setup-*, artifact actions, AWS actions, golangci-lint, goreleaser, docker, stale, peter-evans actions, etc.). - Add a targeted
GOTOOLCHAIN: autooverride for the transform SDK integration-test build to preserve toolchain auto-download behavior underactions/setup-go@v6. - Replace archived
actions-rs/*Rust actions withdtolnay/rust-toolchainand directcargoinvocations in the rp-storage-tool checks workflow.
Reviewed changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/type-check-python.yaml | Bump Docker build actions used for Python type-check container build. |
| .github/workflows/trigger-snyk.yml | Bump AWS credential + secrets actions used to trigger downstream Snyk workflow. |
| .github/workflows/transform-sdk-release.yml | Bump setup-go / setup-node / github-script / AWS actions for transform SDK release workflows. |
| .github/workflows/transform-sdk-build.yml | Bump setup-go / artifact actions / golangci-lint / setup-node; add GOTOOLCHAIN=auto for integration-test module. |
| .github/workflows/stale.yml | Bump actions/stale to the next major version. |
| .github/workflows/slash-commands.yml | Bump AWS actions and peter-evans/slash-command-dispatch. |
| .github/workflows/rpk-build.yml | Bump actions/setup-go to v6 in rpk build/test jobs. |
| .github/workflows/rp-storage-tool-checks.yml | Replace archived actions-rs/* with dtolnay/rust-toolchain + direct cargo commands. |
| .github/workflows/render-pr-body-release-notes.yml | Bump actions/setup-python to v6. |
| .github/workflows/release-rp-storage-tool.yml | Bump AWS credentials action for release uploads. |
| .github/workflows/publish-apache-polaris-python-client.yml | Bump setup-python and setup-uv actions used for client build/publish. |
| .github/workflows/promote.yml | Bump AWS actions used to retrieve Buildkite token and trigger promote pipeline. |
| .github/workflows/pr-labeler.yml | Bump actions/labeler to v6. |
| .github/workflows/lint-python.yml | Bump astral-sh/ruff-action to v4.0.0. |
| .github/workflows/lint-golang.yml | Bump setup-go, golangci-lint action, and goreleaser action. |
| .github/workflows/lint-cpp.yml | Bump bazel-contrib/setup-bazel pin. |
| .github/workflows/lint-bazel-pkg-tool.yml | Bump setup-go and golangci-lint action. |
| .github/workflows/lint-bazel-dependency-graph.yml | Bump bazel-contrib/setup-bazel pin. |
| .github/workflows/dispatch-docs-updates.yml | Bump AWS actions and repository-dispatch action. |
| .github/workflows/cloud-installpack-bk-trigger.yml | Bump AWS actions used to fetch bot + Buildkite tokens. |
| .github/workflows/close-backport-issues.yml | Bump actions/github-script to v8. |
| .github/workflows/check-ducktape-protos.yml | Bump checkout, setup-bazel, and setup-uv actions. |
| .github/workflows/buildkite-slash-commands.yml | Bump AWS actions and create-or-update-comment action. |
| .github/workflows/buf.yml | Bump AWS credential + secrets actions in the push job. |
| .github/workflows/backport-on-merge.yml | Bump AWS credential + secrets actions used by backport automation. |
| .github/workflows/backport-command.yml | Bump AWS actions and create-or-update-comment action used by the backport bot workflow. |
clee
approved these changes
Jun 19, 2026
Collaborator
|
/backport v26.1.x |
Collaborator
|
/backport v25.3.x |
Collaborator
|
/backport v25.2.x |
Collaborator
|
Failed to create a backport PR to v25.3.x branch. I tried: |
Collaborator
|
Failed to create a backport PR to v25.2.x branch. I tried: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
GitHub is deprecating Node 20 on Actions runners — JavaScript actions are forced onto Node 24 by default starting 2026-06-16, and Node 20 is removed from runners on 2026-09-16. This upgrades every external action in
.github/workflows/that still declared a Node 20 (or older) runtime to a Node 24-ready version — one commit per action so each can be reviewed and reverted independently. Each commit body links the upstream release notes.After this PR, a scan of every referenced action's
action.ymlshows nonode20/node12actions remain.Upgrades
actions/checkoutv4v6actions/download-artifactv4v8actions/github-scriptv7v8actions/labelerv5v6actions/setup-gov5v6actions/setup-nodev4v6actions/setup-pythonv5v6actions/stalev9v10actions/upload-artifactv4v7astral-sh/ruff-actionv3v4.0.0astral-sh/setup-uvv6v8.2.0aws-actions/aws-secretsmanager-get-secretsv2v3aws-actions/configure-aws-credentialsv4v6bazel-contrib/setup-bazel0.15.00.19.0docker/build-push-actionv6v7docker/setup-buildx-actionv3v4golangci/golangci-lint-actionv6&v8v9goreleaser/goreleaser-actionv5v7peter-evans/create-or-update-commentv4v5peter-evans/repository-dispatchv3v4peter-evans/slash-command-dispatchv4v5Plus two changes that aren't plain version bumps:
actions/setup-go@v6defaultsGOTOOLCHAIN=local. Thetransform-sdk-buildintegration-test build runs in a module whosego.modrequires a newer Go than the pinnedGO_VERSION, and its sibling TinyGo jobs must stay on Go 1.22 — so that one step getsGOTOOLCHAIN: autoto keep fetching the toolchain as it did under v5. (Rides in thesetup-gocommit.)actions-rs/toolchain+actions-rs/cargo(Node 12; theactions-rsorg has been archived since 2023, so no Node 24 release will ever ship) are replaced inrp-storage-tool-checks.ymlwith the maintaineddtolnay/rust-toolchain(a composite action, no Node runtime) plus directcargoinvocations.Pinning notes
astral-sh/ruff-action(@v4.0.0) andastral-sh/setup-uv(@v8.2.0) use full semver pins — Astral stopped publishing floating major tags at these majors.bazel-contrib/setup-bazel(@0.19.0) has always used a full version pin.Review focus
These bumps carry behavior changes beyond the Node runtime; CI on this branch is the real test:
golangci/golangci-lint-actionv6→v9 intransform-sdk-buildcrosses golangci-lint v1→v2 for that module (version: latest, no.golangci.yml). The rest of the repo already runs golangci-lint v2 (lint-golang, rpk), so this completes the migration — but watch for new lint findings on the transform-sdk Go module.goreleaser/goreleaser-actionv5→v7 — the step pinsversion: v1.24.0against a v1-format config, which overrides v6's new~> v2default, socheckshould still validate the v1 config.aws-actions/configure-aws-credentialsv4→v6 /aws-secretsmanager-get-secretsv2→v3 — verify OIDC/role-assumption still works across the 11 workflows that use them.Verification
verify_actions.py .github/workflows: 0 version-mismatches. The 15unknownentries are actions absent from that tool's allowlist (github-script,setup-node,labeler,docker/*,bufbuild/buf-action,jwalton/gh-find-current-pr,pypa/gh-action-pypi-publish,dtolnay/rust-toolchain), each independently verified Node 24 / composite / docker.🤖 Generated with Claude Code
Backports Required
Release Notes