From 82bbd2be0ea76ef868664988dfd432824a6d44ca Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Tue, 16 Jun 2026 13:39:06 -0700 Subject: [PATCH 01/10] ci: upgrade actions/cache to v5 Updates 4 occurrences across 4 workflow files. v5 runs on Node 24; v4 runs on Node 20, which is being deprecated on GitHub Actions runners. The only change is the runtime bump -- no input or API changes. See https://github.com/actions/cache/releases/tag/v5.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/changelog.yml | 2 +- .github/workflows/frontend-react-doctor.yml | 2 +- .github/workflows/frontend-verify.yml | 2 +- .github/workflows/proto-generate.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index c0ea059898..7ff717e0fc 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -39,7 +39,7 @@ jobs: - name: Cache Claude Code id: cache-claude - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: ~/.npm key: claude-code-${{ runner.os }} diff --git a/.github/workflows/frontend-react-doctor.yml b/.github/workflows/frontend-react-doctor.yml index 50c6d0ffd0..fa2a7bfc65 100644 --- a/.github/workflows/frontend-react-doctor.yml +++ b/.github/workflows/frontend-react-doctor.yml @@ -25,7 +25,7 @@ jobs: - name: Setup Bun uses: oven-sh/setup-bun@v2 - name: Cache dependencies - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: ~/.bun/install/cache key: ${{ runner.os }}-bun-cache-${{ env.BUN_CACHE_SALT }}-${{ hashFiles('frontend/bun.lock') }} diff --git a/.github/workflows/frontend-verify.yml b/.github/workflows/frontend-verify.yml index 3417325aa5..d5a5a9f5d5 100644 --- a/.github/workflows/frontend-verify.yml +++ b/.github/workflows/frontend-verify.yml @@ -68,7 +68,7 @@ jobs: - name: Install dependencies run: bun install --frozen-lockfile - name: Restore Rspack build cache - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: frontend/node_modules/.cache key: ${{ runner.os }}-rspack-${{ env.BUN_CACHE_SALT }}-${{ hashFiles('frontend/bun.lock', 'frontend/package.json', 'frontend/src/**', 'frontend/rsbuild.config.ts') }} diff --git a/.github/workflows/proto-generate.yml b/.github/workflows/proto-generate.yml index b5cf132be3..0520c1a575 100644 --- a/.github/workflows/proto-generate.yml +++ b/.github/workflows/proto-generate.yml @@ -47,7 +47,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache proto tools - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: build key: proto-tools-${{ runner.os }}-go${{ hashFiles('backend/go.mod') }}-${{ hashFiles('taskfiles/proto.yaml') }} From 4185a9d4c23f4805f67c64522d4e495cb5f38cab Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Tue, 16 Jun 2026 13:39:31 -0700 Subject: [PATCH 02/10] ci: upgrade actions/checkout to v6 Updates 9 occurrences across 4 workflow files. v5 and v6 both run on Node 24, so this is not a runtime change -- it aligns the pin with the current major. v6 persists the auth token to a separate file instead of .git/config; our checkout and build steps don't read .git/config, so the change is transparent. (buf.yml's checkout bump is handled separately in #2512.) See https://github.com/actions/checkout/releases/tag/v6.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/backend-lint-test.yml | 4 ++-- .github/workflows/frontend-react-doctor.yml | 2 +- .github/workflows/frontend-verify.yml | 10 +++++----- .github/workflows/proto-generate.yml | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/backend-lint-test.yml b/.github/workflows/backend-lint-test.yml index bf7dc07679..0f3ce9f45f 100644 --- a/.github/workflows/backend-lint-test.yml +++ b/.github/workflows/backend-lint-test.yml @@ -9,7 +9,7 @@ jobs: name: Lint Backend runs-on: blacksmith-4vcpu-ubuntu-2404 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - uses: actions/setup-go@v6 with: go-version-file: 'backend/go.mod' @@ -25,7 +25,7 @@ jobs: name: Test Backend runs-on: blacksmith-8vcpu-ubuntu-2404 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - uses: actions/setup-go@v6 with: go-version-file: 'backend/go.mod' diff --git a/.github/workflows/frontend-react-doctor.yml b/.github/workflows/frontend-react-doctor.yml index fa2a7bfc65..4e1c2e631e 100644 --- a/.github/workflows/frontend-react-doctor.yml +++ b/.github/workflows/frontend-react-doctor.yml @@ -21,7 +21,7 @@ jobs: working-directory: frontend steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Bun uses: oven-sh/setup-bun@v2 - name: Cache dependencies diff --git a/.github/workflows/frontend-verify.yml b/.github/workflows/frontend-verify.yml index d5a5a9f5d5..3036939c8c 100644 --- a/.github/workflows/frontend-verify.yml +++ b/.github/workflows/frontend-verify.yml @@ -14,7 +14,7 @@ jobs: working-directory: frontend steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Bun uses: oven-sh/setup-bun@v2 - name: Install dependencies @@ -46,7 +46,7 @@ jobs: working-directory: frontend steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Bun uses: oven-sh/setup-bun@v2 - name: Install dependencies @@ -62,7 +62,7 @@ jobs: working-directory: frontend steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Bun uses: oven-sh/setup-bun@v2 - name: Install dependencies @@ -96,7 +96,7 @@ jobs: working-directory: frontend steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Bun uses: oven-sh/setup-bun@v2 - name: Install dependencies @@ -122,7 +122,7 @@ jobs: working-directory: frontend steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Setup Bun uses: oven-sh/setup-bun@v2 - name: Install dependencies diff --git a/.github/workflows/proto-generate.yml b/.github/workflows/proto-generate.yml index 0520c1a575..13a03e3a6a 100644 --- a/.github/workflows/proto-generate.yml +++ b/.github/workflows/proto-generate.yml @@ -22,7 +22,7 @@ jobs: env: CI: "true" steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - uses: aws-actions/configure-aws-credentials@v4 with: From e311d08d219e0c8d2aef8a18a42f6812b4aeb993 Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Tue, 16 Jun 2026 13:39:50 -0700 Subject: [PATCH 03/10] ci: upgrade actions/github-script to v9 Updates 5 occurrences across 4 workflow files. v9 runs on Node 24 (switched at v8); v7 runs on Node 20, which is being deprecated on GitHub Actions runners. v9 makes the bundled packages ESM-only: require('@actions/github') no longer works inside scripts, and getOctokit is now an injected parameter (redeclaring it with const/let throws). All of our scripts use only the pre-injected github, context, and core objects to call createCommitStatus / core.setOutput, so none are affected. See https://github.com/actions/github-script/releases/tag/v9.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/changelog.yml | 2 +- .github/workflows/enterprise-ci-skip.yml | 2 +- .github/workflows/fork-pr-dispatch.yml | 4 ++-- .github/workflows/repository-dispatch.yml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 7ff717e0fc..52eb22426a 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -98,7 +98,7 @@ jobs: # the PR mergeable — mirrors enterprise-ci-skip.yml. - name: Post Enterprise CI skip status if: ${{ steps.changelog_pr.outputs.created == 'true' }} - uses: actions/github-script@v7 + uses: actions/github-script@v9 with: github-token: ${{ github.token }} script: | diff --git a/.github/workflows/enterprise-ci-skip.yml b/.github/workflows/enterprise-ci-skip.yml index 640f805cb3..6ecbc95ba6 100644 --- a/.github/workflows/enterprise-ci-skip.yml +++ b/.github/workflows/enterprise-ci-skip.yml @@ -33,7 +33,7 @@ jobs: ,sdlc/prod/github/actions_bot_token parse-json-secrets: true - name: Set success enterprise CI status - uses: actions/github-script@v7 + uses: actions/github-script@v9 with: github-token: ${{ env.ACTIONS_BOT_TOKEN }} script: | diff --git a/.github/workflows/fork-pr-dispatch.yml b/.github/workflows/fork-pr-dispatch.yml index 777878e11a..ad9665085b 100644 --- a/.github/workflows/fork-pr-dispatch.yml +++ b/.github/workflows/fork-pr-dispatch.yml @@ -31,7 +31,7 @@ jobs: HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }} HEAD_SHA: ${{ github.event.workflow_run.head_sha }} HEAD_REPO: ${{ github.event.workflow_run.head_repository.full_name }} - uses: actions/github-script@v7 + uses: actions/github-script@v9 with: script: | const payload = { @@ -52,7 +52,7 @@ jobs: - name: Set pending enterprise CI status env: HEAD_SHA: ${{ steps.payload.outputs.sha }} - uses: actions/github-script@v7 + uses: actions/github-script@v9 with: github-token: ${{ env.ACTIONS_BOT_TOKEN }} script: | diff --git a/.github/workflows/repository-dispatch.yml b/.github/workflows/repository-dispatch.yml index 5d5b5eed98..7b289e6c37 100644 --- a/.github/workflows/repository-dispatch.yml +++ b/.github/workflows/repository-dispatch.yml @@ -65,7 +65,7 @@ jobs: client-payload: '{"branch": "${{ github.ref_name }}", "commit_sha": "${{ github.sha }}"}' - name: Set pending enterprise CI status if: ${{ !startsWith(github.ref, 'refs/tags/') }} - uses: actions/github-script@v7 + uses: actions/github-script@v9 with: github-token: ${{ env.ACTIONS_BOT_TOKEN }} script: | From 68cfb2865142556eb6f6bc0e3b620b6ed4c24527 Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Tue, 16 Jun 2026 13:40:07 -0700 Subject: [PATCH 04/10] ci: upgrade actions/setup-node to v6 v6 runs on Node 24 (switched at v5); v4 runs on Node 20, which is being deprecated on GitHub Actions runners. v5+ adds automatic dependency caching (narrowed to npm in v6) when package.json declares a packageManager field. Our step sets only node-version and then installs a global npm package -- no project dependencies and no `cache:` input -- so the new auto-caching has no effect here. See https://github.com/actions/setup-node/releases/tag/v6.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml index 52eb22426a..14f96c2d30 100644 --- a/.github/workflows/changelog.yml +++ b/.github/workflows/changelog.yml @@ -33,7 +33,7 @@ jobs: git checkout -b "changelog/${{ steps.tag.outputs.name }}" - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: '22' From c2aa335a08d5fc6a98ae92679a8c10a581cdca47 Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Tue, 16 Jun 2026 13:40:21 -0700 Subject: [PATCH 05/10] ci: upgrade actions/upload-artifact to v7 Updates 3 occurrences in frontend-verify.yml. v7 runs on Node 24 (switched at v6); v4 runs on Node 20, which is being deprecated on GitHub Actions runners. v7 ships the action as ESM (internal to the action -- no effect on YAML usage) and adds an opt-in `archive` input. Our uploads pass only name / path / retention-days, and the matrix job already uses a unique artifact name per shard, so no input or behavior changes apply. See https://github.com/actions/upload-artifact/releases/tag/v7.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/frontend-verify.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/frontend-verify.yml b/.github/workflows/frontend-verify.yml index 3036939c8c..0d424b2500 100644 --- a/.github/workflows/frontend-verify.yml +++ b/.github/workflows/frontend-verify.yml @@ -82,7 +82,7 @@ jobs: REACT_APP_DEV_HINT=true bun run build - name: Upload frontend build artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v7 with: name: frontend-build path: frontend/build @@ -103,7 +103,7 @@ jobs: run: bun install --frozen-lockfile - name: Run unit tests run: bun run test:unit - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v7 if: failure() with: name: unit-test-results @@ -129,7 +129,7 @@ jobs: run: bun install --frozen-lockfile - name: Run integration tests run: bun run test:integration -- --shard=${{ matrix.shard }} - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@v7 if: failure() with: name: integration-test-results-${{ matrix.shard }} From 81726ca1f202f2fe276de21977da6560dfa83da1 Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Tue, 16 Jun 2026 13:40:35 -0700 Subject: [PATCH 06/10] ci: upgrade arduino/setup-task to v2 Updates 2 occurrences (backend-lint-test, proto-generate). v1 runs on Node 16, which has already been removed from GitHub Actions runners; v2 runs on Node 20. arduino/setup-task has no Node 24 release yet, so v2 is the newest available -- this gets the action off Node 16 now, and a Node 24 bump can follow once upstream ships one. The `version: 3.x` and repo-token inputs are unchanged between v1 and v2. See https://github.com/arduino/setup-task/releases/tag/v2.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/backend-lint-test.yml | 2 +- .github/workflows/proto-generate.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/backend-lint-test.yml b/.github/workflows/backend-lint-test.yml index 0f3ce9f45f..593bddcbe8 100644 --- a/.github/workflows/backend-lint-test.yml +++ b/.github/workflows/backend-lint-test.yml @@ -33,7 +33,7 @@ jobs: - name: Setup Docker Builder uses: useblacksmith/setup-docker-builder@v1 - name: Install Task - uses: arduino/setup-task@v1 + uses: arduino/setup-task@v2 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/proto-generate.yml b/.github/workflows/proto-generate.yml index 13a03e3a6a..a2c0a8cf1b 100644 --- a/.github/workflows/proto-generate.yml +++ b/.github/workflows/proto-generate.yml @@ -41,7 +41,7 @@ jobs: cache-dependency-path: 'backend/go.sum' - name: Install Task - uses: arduino/setup-task@v1 + uses: arduino/setup-task@v2 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} From 34d3bc294d651f183ca99de6c7e9a7e723a3b21e Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Tue, 16 Jun 2026 13:40:59 -0700 Subject: [PATCH 07/10] ci: upgrade aws-actions/aws-secretsmanager-get-secrets to v3 Updates 4 occurrences across 4 workflow files. v3 runs on Node 24; v2 runs on Node 20, which is being deprecated on GitHub Actions runners. No input changes affect our usage (secret-ids + parse-json-secrets). (buf.yml's bump is handled separately in #2512.) See https://github.com/aws-actions/aws-secretsmanager-get-secrets/releases/tag/v3.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/enterprise-ci-skip.yml | 2 +- .github/workflows/fork-pr-dispatch.yml | 2 +- .github/workflows/proto-generate.yml | 2 +- .github/workflows/repository-dispatch.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/enterprise-ci-skip.yml b/.github/workflows/enterprise-ci-skip.yml index 6ecbc95ba6..6ef8d0942b 100644 --- a/.github/workflows/enterprise-ci-skip.yml +++ b/.github/workflows/enterprise-ci-skip.yml @@ -27,7 +27,7 @@ jobs: with: aws-region: ${{ vars.RP_AWS_CRED_REGION }} role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }} - - uses: aws-actions/aws-secretsmanager-get-secrets@v2 + - uses: aws-actions/aws-secretsmanager-get-secrets@v3 with: secret-ids: | ,sdlc/prod/github/actions_bot_token diff --git a/.github/workflows/fork-pr-dispatch.yml b/.github/workflows/fork-pr-dispatch.yml index ad9665085b..411c17b246 100644 --- a/.github/workflows/fork-pr-dispatch.yml +++ b/.github/workflows/fork-pr-dispatch.yml @@ -20,7 +20,7 @@ jobs: with: aws-region: ${{ vars.RP_AWS_CRED_REGION }} role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }} - - uses: aws-actions/aws-secretsmanager-get-secrets@v2 + - uses: aws-actions/aws-secretsmanager-get-secrets@v3 with: secret-ids: | ,sdlc/prod/github/actions_bot_token diff --git a/.github/workflows/proto-generate.yml b/.github/workflows/proto-generate.yml index a2c0a8cf1b..b1f4503d79 100644 --- a/.github/workflows/proto-generate.yml +++ b/.github/workflows/proto-generate.yml @@ -29,7 +29,7 @@ jobs: aws-region: ${{ vars.RP_AWS_CRED_REGION }} role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }} - - uses: aws-actions/aws-secretsmanager-get-secrets@v2 + - uses: aws-actions/aws-secretsmanager-get-secrets@v3 with: secret-ids: | ,sdlc/prod/github/buf_token diff --git a/.github/workflows/repository-dispatch.yml b/.github/workflows/repository-dispatch.yml index 7b289e6c37..84f74de468 100644 --- a/.github/workflows/repository-dispatch.yml +++ b/.github/workflows/repository-dispatch.yml @@ -42,7 +42,7 @@ jobs: with: aws-region: ${{ vars.RP_AWS_CRED_REGION }} role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }} - - uses: aws-actions/aws-secretsmanager-get-secrets@v2 + - uses: aws-actions/aws-secretsmanager-get-secrets@v3 with: secret-ids: | ,sdlc/prod/github/actions_bot_token From 449f8e0a753ac9faa2130facc3ee23bccecd0e9c Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Tue, 16 Jun 2026 13:41:17 -0700 Subject: [PATCH 08/10] ci: upgrade aws-actions/configure-aws-credentials to v6 Updates 4 occurrences across 4 workflow files. v6 runs on Node 24; v4 runs on Node 20, which is being deprecated on GitHub Actions runners. Our usage only sets aws-region and role-to-assume (string inputs), so the v5 input-validation change (invalid booleans now throw instead of coercing to false) does not affect us. (buf.yml's bump is handled separately in #2512.) See https://github.com/aws-actions/configure-aws-credentials/releases/tag/v6.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/enterprise-ci-skip.yml | 2 +- .github/workflows/fork-pr-dispatch.yml | 2 +- .github/workflows/proto-generate.yml | 2 +- .github/workflows/repository-dispatch.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/enterprise-ci-skip.yml b/.github/workflows/enterprise-ci-skip.yml index 6ef8d0942b..2cd943e330 100644 --- a/.github/workflows/enterprise-ci-skip.yml +++ b/.github/workflows/enterprise-ci-skip.yml @@ -23,7 +23,7 @@ jobs: skip-enterprise-ci: runs-on: blacksmith-2vcpu-ubuntu-2404 steps: - - uses: aws-actions/configure-aws-credentials@v4 + - uses: aws-actions/configure-aws-credentials@v6 with: aws-region: ${{ vars.RP_AWS_CRED_REGION }} role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }} diff --git a/.github/workflows/fork-pr-dispatch.yml b/.github/workflows/fork-pr-dispatch.yml index 411c17b246..593e84808e 100644 --- a/.github/workflows/fork-pr-dispatch.yml +++ b/.github/workflows/fork-pr-dispatch.yml @@ -16,7 +16,7 @@ jobs: github.event.workflow_run.head_repository.fork == true runs-on: blacksmith-2vcpu-ubuntu-2404 steps: - - uses: aws-actions/configure-aws-credentials@v4 + - uses: aws-actions/configure-aws-credentials@v6 with: aws-region: ${{ vars.RP_AWS_CRED_REGION }} role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }} diff --git a/.github/workflows/proto-generate.yml b/.github/workflows/proto-generate.yml index b1f4503d79..5db6ea3aeb 100644 --- a/.github/workflows/proto-generate.yml +++ b/.github/workflows/proto-generate.yml @@ -24,7 +24,7 @@ jobs: steps: - uses: actions/checkout@v6 - - uses: aws-actions/configure-aws-credentials@v4 + - uses: aws-actions/configure-aws-credentials@v6 with: aws-region: ${{ vars.RP_AWS_CRED_REGION }} role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }} diff --git a/.github/workflows/repository-dispatch.yml b/.github/workflows/repository-dispatch.yml index 84f74de468..158bd858cf 100644 --- a/.github/workflows/repository-dispatch.yml +++ b/.github/workflows/repository-dispatch.yml @@ -38,7 +38,7 @@ jobs: if: "!failure() && !cancelled()" runs-on: blacksmith-2vcpu-ubuntu-2404 steps: - - uses: aws-actions/configure-aws-credentials@v4 + - uses: aws-actions/configure-aws-credentials@v6 with: aws-region: ${{ vars.RP_AWS_CRED_REGION }} role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }} From ddac2ef5bcb6e7657f7ecdb2c5c2b3800e3c51da Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Tue, 16 Jun 2026 13:41:31 -0700 Subject: [PATCH 09/10] ci: upgrade golangci/golangci-lint-action to v9 v9 runs on Node 24; v8 runs on Node 20, which is being deprecated on GitHub Actions runners. v8 -> v9 stays within the golangci-lint v2.x era -- the v1 -> v2 binary fork happened at v7, not here. Our step pins `version: v2.10` and an explicit `--config=.golangci.yaml`, so the action neither resolves a floating binary version nor changes the default linter set; this is a runtime-only bump for us. See https://github.com/golangci/golangci-lint-action/releases/tag/v9.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/backend-lint-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/backend-lint-test.yml b/.github/workflows/backend-lint-test.yml index 593bddcbe8..ae764cec37 100644 --- a/.github/workflows/backend-lint-test.yml +++ b/.github/workflows/backend-lint-test.yml @@ -15,7 +15,7 @@ jobs: go-version-file: 'backend/go.mod' cache-dependency-path: 'backend/go.sum' - name: golangci-lint - uses: golangci/golangci-lint-action@v8 + uses: golangci/golangci-lint-action@v9 with: version: v2.10 working-directory: backend From 82f7df07b520c0e2856a5cc432ca72129182b211 Mon Sep 17 00:00:00 2001 From: Andrew Hsu Date: Tue, 16 Jun 2026 13:41:51 -0700 Subject: [PATCH 10/10] ci: upgrade peter-evans/repository-dispatch to v4 Updates 3 occurrences across 2 workflow files. The pinned commit (caebe2a7) is an untagged v2.x-era build that runs on Node 16, which has already been removed from GitHub Actions runners. v4 runs on Node 24. Pinned to the floating v4 tag (currently v4.0.1) rather than v4.0.0, whose action.yml declared the wrong Node version (fixed in v4.0.1). The token / repository / event-type / client-payload inputs we pass are unchanged. See https://github.com/peter-evans/repository-dispatch/releases/tag/v4.0.0 Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/fork-pr-dispatch.yml | 2 +- .github/workflows/repository-dispatch.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/fork-pr-dispatch.yml b/.github/workflows/fork-pr-dispatch.yml index 593e84808e..c838afac4f 100644 --- a/.github/workflows/fork-pr-dispatch.yml +++ b/.github/workflows/fork-pr-dispatch.yml @@ -43,7 +43,7 @@ jobs: core.setOutput('json', JSON.stringify(payload)); core.setOutput('sha', process.env.HEAD_SHA); - name: Repository dispatch for fork PR - uses: peter-evans/repository-dispatch@caebe2a7c967e9f927ff8780fea8e16e50b5ce40 + uses: peter-evans/repository-dispatch@v4 with: token: ${{ env.ACTIONS_BOT_TOKEN }} repository: redpanda-data/console-enterprise diff --git a/.github/workflows/repository-dispatch.yml b/.github/workflows/repository-dispatch.yml index 158bd858cf..816da660cf 100644 --- a/.github/workflows/repository-dispatch.yml +++ b/.github/workflows/repository-dispatch.yml @@ -48,7 +48,7 @@ jobs: ,sdlc/prod/github/actions_bot_token parse-json-secrets: true - name: Repository Dispatch on Release - uses: peter-evans/repository-dispatch@caebe2a7c967e9f927ff8780fea8e16e50b5ce40 + uses: peter-evans/repository-dispatch@v4 if: ${{ startsWith(github.ref, 'refs/tags/v') }} with: token: ${{ env.ACTIONS_BOT_TOKEN }} @@ -56,7 +56,7 @@ jobs: event-type: release client-payload: '{"branch": "master", "commit_sha": "${{ github.sha }}", "tag_name": "${{ github.event.release.tag_name }}"}' - name: Repository Dispatch on push - uses: peter-evans/repository-dispatch@caebe2a7c967e9f927ff8780fea8e16e50b5ce40 + uses: peter-evans/repository-dispatch@v4 if: ${{ !startsWith(github.ref, 'refs/tags/v') }} with: token: ${{ env.ACTIONS_BOT_TOKEN }}