Skip to content

chore: update GitHub Actions versions#486

Open
noritaka1166 wants to merge 1 commit into
ts-safeql:mainfrom
noritaka1166:update-github-actions
Open

chore: update GitHub Actions versions#486
noritaka1166 wants to merge 1 commit into
ts-safeql:mainfrom
noritaka1166:update-github-actions

Conversation

@noritaka1166

@noritaka1166 noritaka1166 commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR updates the GitHub Actions version in the workflow files to the latest stable releases.

Changed Files

  • .github/workflows/release.yml
  • .github/workflows/ci.yml

What was updated

  • actions/checkoutv6
  • actions/setup-nodev6

Summary by CodeRabbit

  • Chores
    • Updated internal build and release automation workflows to use the latest versions of development tooling.

@changeset-bot

changeset-bot Bot commented Jun 14, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: bde045a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@vercel

vercel Bot commented Jun 14, 2026

Copy link
Copy Markdown

@noritaka1166 is attempting to deploy a commit to the newbie012's projects Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jun 14, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Both .github/workflows/ci.yml and .github/workflows/release.yml are updated to use actions/checkout@v6 and actions/setup-node@v6, replacing the previous @v4 pins. The pnpm/action-setup step remains at @v6 in both workflows. No other workflow logic, triggers, permissions, concurrency settings, or job steps are changed.

Poem

🐇 Hoppin' through the action lanes,
From v4 to v6 the rabbit trains,
checkout and setup-node now gleam,
Fresh major versions join the team,
The warren's CI hums along — supreme! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore: update GitHub Actions versions' clearly and concisely summarizes the main change—updating GitHub Actions to newer versions across workflow files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@greptile-apps

greptile-apps Bot commented Jun 14, 2026

Copy link
Copy Markdown

Greptile Summary

This PR bumps actions/checkout and actions/setup-node from v4 to v6 in both workflow files. Both v6 releases are valid and published; no workflow logic is changed.

  • actions/checkout@v6 introduces improved credential security (credentials stored in $RUNNER_TEMP instead of .git/config), but git fetch/git push continue to work automatically with no workflow changes required — including the Changesets action in release.yml.
  • actions/setup-node@v6 adds automatic package-manager detection caching, but the explicit cache: "pnpm" already set in both workflows takes precedence and avoids any ambiguity from that breaking change.

Confidence Score: 5/5

Safe to merge — purely a version bump of two well-maintained actions with no workflow logic changes.

Both target versions (actions/checkout@v6 and actions/setup-node@v6) are published stable releases. The credential-storage change in checkout v6 does not break the Changesets release flow, and the setup-node v6 caching behavior change is neutralised by the explicit cache: pnpm already present in both workflows.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/ci.yml Updates actions/checkout and actions/setup-node from v4 to v6; both versions are valid published releases.
.github/workflows/release.yml Same v4→v6 bump as ci.yml; credential storage change in checkout v6 does not affect the Changesets action since it is a Node.js action, not a Docker container action.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Workflow trigger] --> B[checkout v6]
    B --> C[pnpm action-setup v6]
    C --> D[setup-node v6]
    D --> E{Which workflow?}
    E -->|ci.yml| F[install → build → typecheck → lint → format → test]
    E -->|release.yml| G[install → changesets action v1]
    G --> H[Create Release PR or Publish to npm]
Loading

Reviews (1): Last reviewed commit: "chore: update GitHub Actions versions" | Re-trigger Greptile

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 38-40: The upgrade to v6 versions of actions/checkout and
actions/setup-node introduces breaking changes that need to be addressed. First,
verify your Actions Runner is version 2.329.0 or later to support the new
credential storage mechanism in actions/checkout@v6. Second, since this workflow
uses pnpm rather than npm, the actions/setup-node@v6 action no longer
automatically enables caching for pnpm—you must explicitly add the `cache:
'pnpm'` input to the actions/setup-node step if caching is desired.
Additionally, remove any `always-auth` input from the actions/setup-node step if
it exists, as this input has been removed in v6.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4b17140a-e17a-47a8-a1bd-bd05ba13e765

📥 Commits

Reviewing files that changed from the base of the PR and between db181a8 and bde045a.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml

Comment thread .github/workflows/ci.yml
Comment on lines +38 to +40
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6
- uses: actions/setup-node@v4
- uses: actions/setup-node@v6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

What are the latest stable versions of actions/checkout and actions/setup-node GitHub Actions? Are v6 releases available and stable?

💡 Result:

As of June 14, 2026, the latest stable versions for both GitHub Actions are in the v6 major release line. Both v6 versions are fully released and stable [1][2][3]. For actions/checkout, the latest stable release is v6.0.3, published on June 2, 2026 [1][2]. For actions/setup-node, the latest stable release is v6.4.0, which was published following the v6.3.0 release [4][3]. The v6 major versions for both actions are considered standard stable releases [1][5]. Users are encouraged to use them as they represent the current supported major line for these actions [2][3].

Citations:


🌐 Web query:

What are the breaking changes between v4 and v6 for actions/checkout and actions/setup-node?

💡 Result:

The transition from v4 to v6 for both actions/checkout and actions/setup-node includes significant changes, primarily focused on security and performance. ### actions/checkout The transition to v6 introduces a major security improvement regarding credential handling, with no required changes to existing workflows [1][2]. * Credential Persistence: In v6, the persist-credentials feature has been updated to store credentials in a separate file under $RUNNER_TEMP instead of directly in the local .git/config file [1][3]. * Runner Requirements: For workflows that use Docker container actions and require authenticated Git commands, you must use Actions Runner v2.329.0 or later to support this new credential storage mechanism [2][3]. * Note on v5: Between v4 and v6, v5 was released with an update to the Node.js 24 runtime, which requires Actions Runner v2.327.1 or later [2][3]. ### actions/setup-node The v6 release for actions/setup-node includes two primary breaking changes [4][5]: * Automatic Caching Limits: Caching is now automatically enabled only for npm projects when the devEngines.packageManager or top-level packageManager field is set to npm in package.json [4][6]. For other package managers (e.g., Yarn, pnpm), caching is disabled by default and must be explicitly configured using the cache input [5]. * Removal of always-auth: The always-auth input has been removed entirely as it is deprecated. You should remove any references to this input from your workflow files to avoid errors [4][5]. * Note on v5: Similar to the checkout action, v5 of setup-node transitioned to the Node.js 24 runtime and enabled automatic caching by default [4][5]. If you are migrating from v4, be aware that these cache-related changes in v5 and v6 may affect your workflows [4][5].

Citations:


Review breaking changes introduced by the v4→v6 upgrade for both actions.

v6 versions are stable and available. However, two breaking changes require attention:

  1. actions/checkout@v6: Credential handling changed; requires Actions Runner v2.329.0+ to support the new credential storage mechanism in $RUNNER_TEMP.

  2. actions/setup-node@v6: Automatic caching is now limited to npm-only (when packageManager is set to npm in package.json). Since this workflow uses pnpm, caching must be explicitly enabled via the cache input if needed. Also, the always-auth input has been removed.

Verify that your Actions Runner meets the minimum version requirement and that the pnpm caching behavior aligns with your needs.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 38-38: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 38-38: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 39-39: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 40-40: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 38 - 40, The upgrade to v6 versions of
actions/checkout and actions/setup-node introduces breaking changes that need to
be addressed. First, verify your Actions Runner is version 2.329.0 or later to
support the new credential storage mechanism in actions/checkout@v6. Second,
since this workflow uses pnpm rather than npm, the actions/setup-node@v6 action
no longer automatically enables caching for pnpm—you must explicitly add the
`cache: 'pnpm'` input to the actions/setup-node step if caching is desired.
Additionally, remove any `always-auth` input from the actions/setup-node step if
it exists, as this input has been removed in v6.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant