ci(release): bump Node 20 actions to Node 24-compatible pins before GitHub force-migration #46

Description

@ernestprovo23

Context

The v1.0.0 release ran clean, but release.yml emitted Node 20 deprecation annotations. GitHub force-migrates these actions to Node 24 on 2026-06-16 (and removes Node 20 from runners 2026-09-16), so the SHA pins should be bumped to Node 24-compatible releases proactively.

Affected pins (.github/workflows/release.yml)

  • actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2)
  • actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 (v5.6.0)
  • actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 (v4.6.2)
  • actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 (v4.3.0)

Also worth checking ci.yml / any other workflow for the same actions/* pins.

Task

  • Bump each to the latest Node 24-supporting release, re-pinned to the new full commit SHA (keep the # vX.Y.Z comment for readability).
  • Confirm pypa/gh-action-pypi-publish and sigstore/gh-action-sigstore-python pins are already Node 24-clean (they did not appear in the annotations).
  • Verify with a no-op workflow run or a dry build job that the annotations are gone.

Severity

Low / housekeeping. Non-blocking — the release published and signed fine. Forced migration is automatic; this is to remove the warnings and stay ahead of the Node 20 runner removal.

Refs

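An added example (not part of the issue or the repository's code): a small Python check for the "also worth checking ci.yml / any other workflow" step. It scans workflow text for `uses:` references and flags the four pins listed in the issue, plus refs that are not full commit SHAs or that lack the `# vX.Y.Z` comment; the sample workflow, the `example-org/*` actions, the `0123...` SHA and `v9.9.9` are constructed for illustration.

```python
import re

# Pins the issue lists as emitting Node 20 deprecation annotations.
NODE20_PINS = {
    "actions/checkout": "11bd71901bbe5b1630ceea73d27597364c9af683",
    "actions/setup-python": "a26af69be951a213d495a4c3e4e4022e16d87065",
    "actions/upload-artifact": "ea165f8d65b6e75b540449e92b4886f43607fa02",
    "actions/download-artifact": "d3f86a106a0bac45b974a628896c90dbdf5c8093",
}
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[^@\s'\"]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_RE = re.compile(r"v\d+(\.\d+){0,2}")


def audit_pins(workflow_text):
    """Return (line_no, action, status) for every `uses: owner/repo@ref` line."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a uses: line, or a local ./path action with no @ref
        action, ref, comment = m["action"], m["ref"], m["comment"] or ""
        if not FULL_SHA_RE.fullmatch(ref):
            status = "not-sha-pinned"           # tag or branch: mutable reference
        elif NODE20_PINS.get(action) == ref:
            status = "node20-pin"               # a pin the issue asks to bump
        elif not VERSION_RE.search(comment):
            status = "missing-version-comment"  # SHA pin without "# vX.Y.Z"
        else:
            status = "ok"
        findings.append((line_no, action, status))
    return findings


# Constructed sample workflow; only the first two pins come from the issue.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
      - uses: example-org/example-action@v1
      - uses: example-org/other-action@0123456789abcdef0123456789abcdef01234567
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v9.9.9
"""
```

Running `audit_pins` over each file under `.github/workflows/` after the bump should return no `node20-pin` entries.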