🔒 Upgrade + Pin GitHub Actions Workflows #268

Merged: Robdel12 merged 2 commits into main from rd/workflow-node24-hardening on May 19, 2026

@Robdel12 (Contributor) commented May 19, 2026

Why

We wanted to fix the Node 20 deprecation path correctly, not paper over it.

The initial env override (FORCE_JAVASCRIPT_ACTIONS_TO_NODE24) was a temporary safety net. This PR replaces that approach with proper action upgrades and immutable action pinning for workflow supply-chain hardening.

What Changed

  • Removed the temporary workflow env override:
    • FORCE_JAVASCRIPT_ACTIONS_TO_NODE24
  • Upgraded core workflow actions to current majors that run on modern runtimes:
    • actions/checkout -> v6
    • actions/setup-node -> v6
    • actions/cache -> v5
    • dorny/paths-filter -> v4
    • browser-actions/setup-chrome -> v2
  • Replaced legacy actions/create-release@v1 in release-beta.yml with:
    • softprops/action-gh-release@v2
  • Pinned all workflow uses: references to immutable commit SHAs, with inline version comments for readability.

Verification

  • npm run lint
  • Manual workflow diff review across all touched files in .github/workflows to confirm:
    • no remaining version-tag refs for upgraded actions in this change set
    • no remaining FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 usage
    • release-beta now uses softprops/action-gh-release

Notes

This keeps behavior explicit and reviewable while reducing surprise CI drift and improving workflow security posture.
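
The manual review listed under Verification can be automated. The following is an added example, not code from this PR or its repository: a small Python check that flags `uses:` references that are not pinned to a full 40-character commit SHA, or that are pinned but lack the inline version comment. The function name `audit_workflow`, the sample workflow, and the placeholder SHA are constructed for illustration.

```python
import re

# Matches a step- or job-level `uses:` value plus an optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text):
    """Return (line_no, target, problem) for each `uses:` ref that is not
    pinned to a full commit SHA, or is pinned without a version comment."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a uses: line (commented-out lines do not match)
        target, comment = m.group(1), (m.group(2) or "").strip()
        # Local actions and container images are not git refs; skip them.
        if target.startswith(("./", "docker://")):
            continue
        _, sep, ref = target.partition("@")
        if not sep:
            findings.append((line_no, target, "no ref"))
        elif not FULL_SHA_RE.fullmatch(ref):
            # Tags and branches can be moved; abbreviated SHAs are rejected too.
            findings.append((line_no, target, "mutable ref"))
        elif not comment:
            findings.append((line_no, target, "pinned, no version comment"))
    return findings


# Constructed sample; the 40-hex value is a placeholder, not a real commit.
FAKE_SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE = f"""\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{FAKE_SHA} # v6
      - uses: actions/setup-node@v6
      - uses: actions/cache@{FAKE_SHA}
      - uses: dorny/paths-filter@{FAKE_SHA[:7]} # v4
      - uses: ./.github/actions/local-setup
      # - uses: actions/create-release@v1
"""

if __name__ == "__main__":
    for line_no, target, problem in audit_workflow(SAMPLE):
        print(f"line {line_no}: {target}: {problem}")
```

Run against each file in .github/workflows as a CI step, a non-empty result can fail the build so an unpinned reference cannot be reintroduced unnoticed.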

Why: GitHub is deprecating Node 20 for JavaScript actions. Setting FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 prevents avoidable CI churn while we keep action versions stable.

What changed: added top-level workflow env FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true across active CI/release/test workflows.

Why: replace version-tag action refs with commit SHAs for supply-chain hardening, and remove the temporary Node24 env override in favor of proper action upgrades.

What changed: upgraded checkout/setup-node/cache/paths-filter/setup-chrome majors, replaced release-beta create-release action, and pinned all workflow uses refs to exact commits.
@vizzly-testing

Vizzly - Visual Test Results

CLI Reporter - Processing...

Build in progress...

CLI TUI - Approved

5 comparisons, no changes detected.

rd/workflow-node24-hardening · 897a8f4b

@Robdel12 changed the title from "🔧 Force GitHub Actions JS runtime to Node 24" to "🔒 Upgrade + Pin GitHub Actions Workflows" on May 19, 2026
@Robdel12 merged commit 9ec9d12 into main on May 19, 2026
36 of 37 checks passed
@Robdel12 deleted the rd/workflow-node24-hardening branch on May 19, 2026 02:21