Bump Node-20 action pins to Node-24-compatible majors #101
Open
joshkautz wants to merge 1 commit into anthropics:main from
GitHub is deprecating Node 20 on Actions runners: forced to Node 24 by default starting June 2nd 2026 and Node 20 removed entirely on September 16th 2026. Workflows that consume this action currently see warnings like:

> Node.js 20 actions are deprecated. The following actions are running
> on Node.js 20 and may not work as expected:
> actions/cache@0057852,
> actions/setup-python@a26af69,
> actions/upload-artifact@ea165f8

The pinned-by-SHA approach is correct hygiene (prevents tag-rewrite supply-chain attacks), but it means each new major release of an upstream action needs a manual SHA bump here.

Updated pins (action.yml):
- actions/setup-python: v5.6.0 -> v6.2.0
- actions/cache: v4.3.0 -> v5.0.5
- actions/cache/save: v4.3.0 -> v5.0.5
- actions/setup-node: v4.4.0 -> v6.4.0
- actions/upload-artifact: v4.6.2 -> v5.0.0

Updated pins (.github/workflows/test-claudecode.yml):
- actions/checkout: v4.3.1 -> v6.0.2
- actions/setup-python: v4.9.1 -> v6.2.0
- actions/setup-node: v4.4.0 -> v6.4.0

Updated pins (.github/workflows/sast.yml):
- actions/checkout: v4.3.1 -> v6.0.2

All replacement SHAs were resolved from the current major-version tag of each upstream repo. Per-action verification:
- actions/setup-python@v6 (v6.2.0): https://github.com/actions/setup-python/releases/tag/v6.2.0
- actions/cache@v5 (v5.0.5): https://github.com/actions/cache/releases/tag/v5.0.5
- actions/setup-node@v6 (v6.4.0): https://github.com/actions/setup-node/releases/tag/v6.4.0
- actions/upload-artifact@v5 (v5.0.0): https://github.com/actions/upload-artifact/releases/tag/v5.0.0
- actions/checkout@v6 (v6.0.2): https://github.com/actions/checkout/releases/tag/v6.0.2

Out of scope:
- The `node-version: '18'` runtime in action.yml and `node-version: '20'` in test-claudecode.yml were left as-is. Those install a specific Node for ClaudeCode to run against; they're independent of the action runner's Node version. Bump separately if/when the bundled CLI's supported runtime changes.
Summary

Bumps every actions/* reference pinned by SHA in action.yml and the repo's CI workflows from its Node-20-based major release to the corresponding Node-24-compatible major release. Consumers of this action currently see GitHub's deprecation warning on every run:

GitHub's timeline:

ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true

Pinning by SHA is correct hygiene (it blocks tag-rewrite supply-chain attacks), but it means every new major release of a transitive dependency needs a manual bump here. This PR catches up.

Pin updates

- action.yml: actions/setup-python a26af69… (v5.6.0) -> a309ff8… (v6.2.0)
- action.yml: actions/cache 0057852… (v4.3.0) -> 27d5ce7… (v5.0.5)
- action.yml: actions/cache/save 0057852… (v4.3.0) -> 27d5ce7… (v5.0.5)
- action.yml: actions/setup-node 49933ea… (v4.4.0) -> 48b55a0… (v6.4.0)
- action.yml: actions/upload-artifact ea165f8… (v4.6.2) -> 330a01c… (v5.0.0)
- .github/workflows/test-claudecode.yml: actions/checkout 34e1148… (v4.3.1) -> de0fac2… (v6.0.2)
- .github/workflows/test-claudecode.yml: actions/setup-python 7f4fc3e… (v4.9.1) -> a309ff8… (v6.2.0)
- .github/workflows/test-claudecode.yml: actions/setup-node 49933ea… (v4.4.0) -> 48b55a0… (v6.4.0)
- .github/workflows/sast.yml: actions/checkout 34e1148… (v4.3.1) -> de0fac2… (v6.0.2)

Each replacement SHA was resolved from the current major-version tag of the upstream repo:

- actions/setup-python v6.2.0
- actions/cache v5.0.5
- actions/setup-node v6.4.0
- actions/upload-artifact v5.0.0
- actions/checkout v6.0.2

Out of scope (intentionally not changed)

- node-version: '18' runtime in action.yml and node-version: '20' in test-claudecode.yml. Those install a specific Node for ClaudeCode to run against; they're orthogonal to the runner's Node version. Bump separately when/if the bundled CLI's supported runtime changes.
- claude-code-security-review uses these actions (the inputs / outputs we use here haven't changed). Worth confirming in CI.

Test plan

- test-claudecode.yml and sast.yml workflows) passes — that exercises the bumped checkout / setup-python / setup-node pins directly.
- anthropics/claude-code-security-review@main should see the deprecation warning disappear.

Filed because we're a downstream consumer (we use this action in our PR pipeline) and noticed the warning. Happy to iterate if you'd prefer different versions or want to split the PR.
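
An added example, not part of this PR or the project's code: a small auditor for the SHA-pinning practice discussed above, which flags `uses:` references that are not pinned to a full 40-character commit SHA and notes pins that lack a version comment. The workflow text and SHAs are constructed placeholders, and `audit_pins` and `unpinned` are hypothetical names.

```python
import re

# "uses: owner/repo[/path]@ref" with an optional trailing "# vX.Y.Z" comment.
# Local (./path) and docker:// references do not match and are skipped.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def audit_pins(workflow_text):
    """Return (line_no, action, ref, status, version_comment) per uses: line."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m["ref"], m["comment"]
        if FULL_SHA_RE.match(ref):
            # Immutable pin; the comment is what tells a reviewer which release it is.
            status = "pinned" if comment else "pinned-no-version-comment"
        elif SHORT_SHA_RE.match(ref):
            status = "short-sha"    # abbreviated hash, not a full commit pin
        else:
            status = "mutable-ref"  # tag or branch: can be repointed upstream
        findings.append((line_no, m["action"], ref, status, comment))
    return findings


def unpinned(findings):
    """Findings whose ref is not a full commit SHA."""
    return [f for f in findings if not f[3].startswith("pinned")]


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE = """\
steps:
  - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v6.0.2
  - uses: actions/setup-node@v6
  - uses: actions/cache/save@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
  - uses: actions/setup-python@abc1234
  - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for finding in audit_pins(SAMPLE):
        print(finding)
```
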