ci: bump JS actions to Node 24 majors (incl. CodeQL v4 + WIF auth v3) #4933
Merged
…ql v4, auth v3, goreleaser v7, mikepenz v6, jaxxstorm v3.0.0, docker login/qemu v4) Made-with: Cursor
dustin-decker (Contributor) approved these changes on May 1, 2026 and left a comment:
Approved: Node action/runtime upgrade with passing CI.
Summary
Bumps every Node-20-era action ref across 9 workflow files to its Node-24 major. Part of the org-wide Node 24 baseline cleanup ahead of GitHub's 2026-09-16 Node 20 removal deadline.
Action bumps
- actions/checkout: @v4 → @v6
- actions/setup-go: @v5 → @v6
- mikepenz/action-junit-report: @v5 → @v6
- goreleaser/goreleaser-action: @v6 → @v7
- docker/login-action: @v3 → @v4
- docker/setup-qemu-action: @v3 → @v4
- github/codeql-action/init: @v3 → @v4
- github/codeql-action/analyze: @v3 → @v4
- google-github-actions/auth: @v2 → @v3
- jaxxstorm/action-install-gh-release: @v1.14.0 → @v3.0.0 (immutable patch pin)

Untouched: sigstore/cosign-installer@<SHA> is SHA-pinned. buildpulse/buildpulse-action@main is @main-tracking (separate hygiene followup, not in scope).

Out-of-scope: golangci/golangci-lint-action@v7 (deferred to sweep), rwx-research/setup-captain@v1.

Per-PR preflight

- de0fac2e, setup-go 4a360112, mikepenz bccf2e31, goreleaser 1a80836c, docker/login 4907a6dd, docker/setup-qemu ce360397, codeql v4 (latest patch v4.31.11), google-github-actions/auth 7c6bc770.
- jaxxstorm/action-install-gh-release ships immutable releases — pinned to @v3.0.0 with inline comment.
- aws-sdk-go-v2, not actions).

Risk
Highest. Two higher-risk bumps requiring focused review:

- CodeQL v3 -> v4 changes default query packs and SARIF emission. Post-merge: confirm the GHAS Security tab still populates with the expected alert categories and the alert count is in the expected range. This is the most common failure mode for CodeQL major bumps.
- google-github-actions/auth v2 -> v3 is a major version jump. Verify the GCP workload-identity-pool + provider config still authenticates against auth@v3 (used in test.yml and release-bot.yml — both reference "google-github-actions/auth@v2" with double-quoted YAML).
- goreleaser v7 — pin GoReleaser binary version explicitly if relying on a specific binary semver.

Other bumps are Low/Medium risk: pure Node-runtime bumps (checkout, setup-go, mikepenz, docker login/qemu) plus jaxxstorm v1->v3.
Validation
PR-time CI exercises most workflows.
release.yml and release-bot.yml won't fire on PR; the next release will validate. Confirm via:

```
gh run view --repo trufflesecurity/trufflehog --log 2>/dev/null | \
grep -E "Node\.js (16|20) actions are deprecated"
```

Empty grep output = green for the bumped refs (the buildpulse/buildpulse-action@main deprecation warning will still appear if the action is still on Node 20 — out of this PR's scope).

Post-merge, also verify:

- auth@v3 step authenticates successfully.

References
Made with Cursor
Note: High Risk
Upgrades CodeQL (v3→v4) and GCP OIDC auth (v2→v3), which can break security scanning output or CI/release authentication; releases are affected but won’t be exercised until the next tag/published release.
Overview
Updates GitHub Actions across the CI/release workflows to newer major versions, primarily to move off Node 20-era actions (e.g., actions/checkout@v6, actions/setup-go@v6, Docker actions v4, mikepenz/action-junit-report@v6, and goreleaser/goreleaser-action@v7). The security- and release-critical workflows are also bumped: CodeQL is upgraded from v3 to v4 (codeql-action/init/analyze), and GCP Workload Identity auth moves from google-github-actions/auth@v2 to @v3 (used in test.yml and release-bot.yml). detector-tests.yml additionally updates jaxxstorm/action-install-gh-release to v3.0.0 and pins it to that immutable version.

Reviewed by Cursor Bugbot for commit ac1f504.
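The preflight and post-merge checks in the PR description are done by hand, file by file. As an added example (not code from this PR or from the trufflehog repo), the POSIX shell script below pulls every `uses:` ref out of a workflow and reports which of the bumped actions are still on a pre-Node-24 major, which refs track a mutable branch, and which are SHA-pinned. The expected majors are copied from the PR's bump list; the sample workflow text and its 40-character SHA are constructed placeholders, and `audit_workflow`, `classify_ref` and the other function names are assumptions of this example rather than anything the repo ships.

```shell
#!/usr/bin/env bash
# Added example, not code from the trufflehog repo or this PR: audit the
# `uses:` refs in a workflow file against the Node-24 majors the PR targets.
# Usage: audit_workflow < .github/workflows/test.yml
set -eu

# Target majors, taken from the PR's "Action bumps" list.
EXPECTED_MAJORS='actions/checkout v6
actions/setup-go v6
mikepenz/action-junit-report v6
goreleaser/goreleaser-action v7
docker/login-action v4
docker/setup-qemu-action v4
github/codeql-action/init v4
github/codeql-action/analyze v4
google-github-actions/auth v3
jaxxstorm/action-install-gh-release v3'

# Constructed sample workflow (not a real file from the repo); the SHA is a placeholder.
SAMPLE_WORKFLOW='name: sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v6
      - uses: "google-github-actions/auth@v2"   # double-quoted, as in test.yml
      - uses: github/codeql-action/init@v4
      - uses: jaxxstorm/action-install-gh-release@v3.0.0 # immutable patch pin
      - uses: buildpulse/buildpulse-action@main
      - uses: sigstore/cosign-installer@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # placeholder SHA
      - uses: rwx-research/setup-captain@v1
'

# Print "action ref" for every `uses:` line on stdin; tolerates quotes and trailing comments.
extract_uses() {
  sed -n -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*"?([^"@[:space:]]+)@([^"[:space:]#]+)"?.*$/\1 \2/p'
}

# Classify a ref: immutable commit SHA, mutable branch name, or version tag.
classify_ref() {
  case "$1" in
    main|master|HEAD) echo mutable-branch ;;
    v[0-9]*)          echo version-tag ;;
    *) if printf '%s' "$1" | grep -qE '^[0-9a-f]{40}$'; then echo sha-pinned; else echo other; fi ;;
  esac
}

# "v3.0.0" -> "v3"
major_of() { printf '%s\n' "$1" | cut -d. -f1; }

# Expected major for an action, or empty if the action is not in the bump list.
expected_major() {
  printf '%s\n' "$EXPECTED_MAJORS" | awk -v a="$1" '$1 == a { print $2 }'
}

# Emit one finding per ref: OK, OK-SHA, STALE, WARN-MUTABLE or UNKNOWN.
audit_workflow() {
  extract_uses | while read -r action ref; do
    case "$(classify_ref "$ref")" in
      sha-pinned)     echo "OK-SHA $action@$ref" ;;
      mutable-branch) echo "WARN-MUTABLE $action@$ref (tracks a branch; separate hygiene pass)" ;;
      version-tag)
        want=$(expected_major "$action")
        if [ -z "$want" ]; then
          echo "UNKNOWN $action@$ref (not in bump list)"
        elif [ "$(major_of "$ref")" = "$want" ]; then
          echo "OK $action@$ref"
        else
          echo "STALE $action@$ref (expected $want)"
        fi ;;
      *) echo "UNKNOWN $action@$ref (unrecognised ref form)" ;;
    esac
  done
}

# Count findings with a given status in the constructed sample workflow.
count_status() {
  printf '%s' "$SAMPLE_WORKFLOW" | audit_workflow | awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

printf '%s' "$SAMPLE_WORKFLOW" | audit_workflow
```

Run `audit_workflow < .github/workflows/<file>.yml` for each of the nine workflows: a STALE line is a ref the bump missed, and WARN-MUTABLE flags the branch-tracking kind of ref the PR leaves for a separate hygiene pass. This checks the ref, not the runtime; an action on its newest major can still declare an older Node in its own action.yml, so the grep for the deprecation warning in the PR's validation step remains the authoritative runtime check.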