fix(#445): upgrade Windows checkout v4→v5.0.1 + audit other @v4 floats (silence Node 20 deprecation warnings)#446
Merged
Conversation
…PT_ACTIONS_TO_NODE24 (node20 EOL) Problem: Node 20 deprecation warnings fired on every CI run. Despite FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true in test.yml (added in PR #350), the warning is not silenced — the env var only changes which warning fires (both paths call context.Warning()). The only silent path is for the action itself to declare `using: node24`. Ref: https://github.com/actions/runner/blob/main/src/Runner.Common/Util/NodeUtil.cs Ref: https://github.com/actions/runner/blob/main/src/Runner.Worker/JobExtension.cs Three locations used @v4 actions (node20 runtime): 1. test.yml — Windows lanes (test + test-full jobs) pinned to actions/checkout@11bd719 (v4.2.2). Original pin rationale (PR #162 / issue #161): v6 uses includeIf.gitdir: for auth injection, which is unreliable on Windows git 2.54. v5 never used includeIf, so it is safe for Windows. Upstream confirmation: actions/checkout#2425 v5 action.yml declares `using: node24`: https://raw.githubusercontent.com/actions/checkout/v5/action.yml 2. changeset-required.yml — floating actions/checkout@v4 + actions/setup-node@v4 3. docs-required.yml — same floating @v4 pattern Changes: - test.yml: both Windows checkout steps v4.2.2 → v5.0.1 (SHA 11bd71901bbe5b1630ceea73d27597364c9af683 → 93cb6efe18208431cddfb8368fd83d5badbf9bfd) - test.yml: update comment on Windows checkout to reflect v5 rationale - test.yml: no FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 was present on origin/next (already absent; the env block was on the main-branch version only) - changeset-required.yml: actions/checkout@v4 → @93cb6efe18208431cddfb8368fd83d5badbf9bfd (v5.0.1) - changeset-required.yml: actions/setup-node@v4 → @a0853c24544627f65ddf259abe73b1d18a591444 (v5.0.0) - docs-required.yml: same as changeset-required.yml SHAs resolved from upstream tags: - checkout v5.0.1: gh api repos/actions/checkout/git/ref/tags/v5.0.1 → 93cb6efe18208431cddfb8368fd83d5badbf9bfd - setup-node v5.0.0: gh api repos/actions/setup-node/git/ref/tags/v5.0.0 → a0853c24544627f65ddf259abe73b1d18a591444 Closes #445
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix PR
Linked Issue
Fixes #445
What was broken
GitHub Actions emitted Node 20 deprecation warnings on every CI run despite PR #350 setting
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: truein test.yml. Per actions/runner src/Runner.Worker/JobExtension.cs, that env var doesn't silence the warning — it changes which warning fires (from 'running on Node.js 20' to 'target Node.js 20 but being forced to run on Node.js 24'). Both callcontext.Warning(). The only mechanism that fully silences is the action's ownaction.ymldeclaringusing: node24.What this fix does
11bd71901bbe5b1630ceea73d27597364c9af683(v4.2.2) →93cb6efe18208431cddfb8368fd83d5badbf9bfd(v5.0.1). Per v5 action.yml, v5 declaresusing: node24. Per upstream PR #2425, v5 does NOT useincludeIf— auth-bug-free.@v4→ SHA-pinned v5.0.1 (checkout) and v5.0.0 (setup-node SHAa0853c24544627f65ddf259abe73b1d18a591444).FORCE_JAVASCRIPT_ACTIONS_TO_NODE24was already absent fromorigin/next's test.yml (only existed onmain), so no env var removal was needed. Worth investigating why fix: opt test workflow JS actions into Node 24 #350 didn't land cleanly — surfaced as separate concern.Root cause
Three workflow files referenced
@v4actions whoseaction.ymldeclaresusing: node20:.github/workflows/test.yml:138 + :234(Windows lane intestjob +test-fulljob) — pinnedactions/checkout@v4.2.2(SHA11bd71901bbe5b1630ceea73d27597364c9af683). Per commit925e8d953(PR fix(ci): pin actions/checkout@v4 on Windows to bypass v6 includeIf auth bug #162) + issue bug(ci): actions/checkout@v6 fails on windows-latest with "could not read Username" #161 rationale: 'v6 usesincludeIf.gitdir:to inject the auth token, but on Windows git 2.54 the gitdir path comparison fails non-deterministically, leaving the fetch unauthenticated.' Upstream confirms: actions/checkout#2425 — 'This was introduced in v6 with the move to credential isolation viaincludeIf(#2286). v5 did not useincludeIfso it was never an issue.'.github/workflows/changeset-required.yml:19,22— floatingactions/checkout@v4+actions/setup-node@v4..github/workflows/docs-required.yml:19,22— same.Testing
How I verified the fix
actionlinton all three workflow files: exit 0.gsd-test-summary --both -base nextagainst commitcbbd9fe0: Mac 0 failed, Docker 0 failed.Regression test added?
Platforms tested
Runtimes tested
Checklist
Fixes #NNN— PR will be auto-closed if missingconfirmed-buglabelnpm test).changeset/fragment added if this is a user-facing fix (npm run changeset -- --type Fixed --pr <NNN> --body "...") — orno-changeloglabel appliedBreaking changes
None
References
Need help on this PR? Tag
@codesmithwith what you need. Autofix is disabled.