Update GitHub Actions versions for Node20 deprecation #28
john-clarke left a comment
@m-morton thanks for being proactive about this. Should we consider testing Node 24 already before it rolls over? I'm concerned we might forget and then when we need to build be pressed for time. Perhaps I've misunderstood the timeline.
Just one comment regarding hashes versus version tags.
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
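Review bot: on the added `actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3` line, the `# v6.0.3` comment is free text and nothing ties it to the SHA, so before merging confirm that this commit is the one the v6.0.3 tag points to in the actions/checkout repository. The line also moves from `v4` to a v6 release, two major versions, so the PR description should state that the intermediate release notes were checked for breaking input or behaviour changes.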
@m-morton Is there a reason we can't use version numbers instead of hashes?
Pinning the action version to a full SHA can help prevent supply chain attacks. Because tags are mutable, if an actions repo is compromised, a malicious actor could delete the version tag and create a new one pointing at a different commit with malicious code. GitHub has introduced immutable releases that can help prevent supply chain attacks too, though they are not being used in all of the actions repos we're using in these workflows.
These updates to the versions of the actions will ensure that they run with Node24. Actions define the Node.js runtime that they run in in their
@m-morton Thanks for these clarifications. Review +
This PR bumps the versions of GitHub Actions marketplace actions used in the workflows to versions that support Node24. These versions are being bumped because GitHub Actions is deprecating Node20 on runners in June. The action versions were pinned to full SHAs following the guidance in the GitHub Docs: Using third-party actions.
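One way to enforce the full-SHA pinning discussed in this thread, as an added example that is not part of the PR or the project's code: a small Python check that scans workflow text for `uses:` references and flags any that resolve through a mutable tag, branch or short SHA. The function names, the verdict labels and the `example-org/example-action` line are assumptions made for illustration; the two `actions/checkout` lines come from the diff above.

```python
import re

# A `uses:` step or reusable-workflow reference, with an optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_uses(workflow_text):
    """Return (line_no, reference, verdict) for every `uses:` line."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        if ref.startswith("./"):
            verdict = "local"                  # lives in this repo, versioned with it
        elif ref.startswith("docker://"):
            verdict = "pinned" if "@sha256:" in ref else "mutable"
        elif "@" not in ref:
            verdict = "mutable"
        else:
            version = ref.rsplit("@", 1)[1]
            if not FULL_SHA_RE.match(version):
                verdict = "mutable"            # tag, branch or short SHA
            elif comment:
                verdict = "pinned"
            else:
                verdict = "pinned-no-comment"  # SHA without a readable version note
        findings.append((line_no, ref, verdict))
    return findings

def unpinned(workflow_text):
    """Only the references a CI gate should reject."""
    return [f for f in audit_uses(workflow_text) if f[2] == "mutable"]

# Constructed sample workflow; lines 4 and 5 are the two lines from the diff.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - uses: example-org/example-action@0123abc
      - uses: ./.github/actions/local-build
"""

if __name__ == "__main__":
    for line_no, ref, verdict in audit_uses(SAMPLE):
        print(f"line {line_no}: {verdict:18} {ref}")
```

The check only validates the shape of the reference; it does not confirm that a SHA matches the version named in its comment, which still needs a lookup against the action's repository.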