Context
The v1.0.0 release ran clean, but release.yml emitted Node 20 deprecation annotations. GitHub force-migrates these actions to Node 24 on 2026-06-16 (and removes Node 20 from runners 2026-09-16), so the SHA pins should be bumped to Node 24-compatible releases proactively.
Affected pins (.github/workflows/release.yml)
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2)
actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 (v5.6.0)
actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 (v4.6.2)
actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 (v4.3.0)
Also worth checking ci.yml / any other workflow for the same actions/* pins.
Task
- Bump each to the latest Node 24-supporting release, re-pinned to the new full commit SHA (keep the
# vX.Y.Z comment for readability).
- Confirm
pypa/gh-action-pypi-publish and sigstore/gh-action-sigstore-python pins are already Node 24-clean (they did not appear in the annotations).
- Verify with a no-op workflow run or a dry build job that the annotations are gone.
Severity
Low / housekeeping. Non-blocking — the release published and signed fine. Forced migration is automatic; this is to remove the warnings and stay ahead of the Node 20 runner removal.
Refs
Context
The v1.0.0 release ran clean, but
release.ymlemitted Node 20 deprecation annotations. GitHub force-migrates these actions to Node 24 on 2026-06-16 (and removes Node 20 from runners 2026-09-16), so the SHA pins should be bumped to Node 24-compatible releases proactively.Affected pins (
.github/workflows/release.yml)actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683(v4.2.2)actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065(v5.6.0)actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02(v4.6.2)actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093(v4.3.0)Also worth checking
ci.yml/ any other workflow for the sameactions/*pins.Task
# vX.Y.Zcomment for readability).pypa/gh-action-pypi-publishandsigstore/gh-action-sigstore-pythonpins are already Node 24-clean (they did not appear in the annotations).Severity
Low / housekeeping. Non-blocking — the release published and signed fine. Forced migration is automatic; this is to remove the warnings and stay ahead of the Node 20 runner removal.
Refs