Skip to content

ci: update workflow actions for Node 24#98

Merged
zouyonghe merged 1 commit intoAstrBotDevs:mainfrom
zouyonghe:node24-actions-pr
Mar 19, 2026
Merged

ci: update workflow actions for Node 24#98
zouyonghe merged 1 commit intoAstrBotDevs:mainfrom
zouyonghe:node24-actions-pr

Conversation

@zouyonghe
Copy link
Member

@zouyonghe zouyonghe commented Mar 19, 2026
edited by sourcery-ai bot
Loading

Summary

GitHub Actions is warning that this workflow still depends on JavaScript actions that declare a Node 20 runtime. The desktop build matrix reports the warning for pnpm/action-setup@v4.2.0, and the release publishing job reports the same deprecation for softprops/action-gh-release@v2.5.0.

The immediate user-facing effect is noisy CI across all desktop targets and a clear upgrade deadline from GitHub Actions. Left unchanged, these jobs will eventually be forced onto Node 24 by the runner platform anyway, which increases the risk of surprise behavior changes landing at the same time as a release build.

The root cause is that the workflow pins an older pnpm/action-setup release that still declares runs.using: node20, and softprops/action-gh-release does not currently publish a released tag with a Node 24 runtime. That means a version bump alone is enough for pnpm setup, but not for the release publishing step.

This PR applies the smallest safe fix for both cases. It upgrades both pnpm/action-setup call sites to v4.4.0, whose published action metadata switches to node24, and it sets FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true at the build-desktop-tauri workflow level so the remaining softprops/action-gh-release step runs under Node 24 until that action ships a released Node 24 build.

Verification

  • confirmed both pnpm/action-setup references now point at v4.4.0
  • confirmed pnpm/action-setup@v4.4.0 publishes runs: using: node24
  • confirmed the latest released and default-branch metadata for softprops/action-gh-release still publish runs: using: node20
  • ran git diff --check

Summary by Sourcery

Update CI workflows to run JavaScript GitHub Actions on Node 24 for desktop builds and releases.

CI:

  • Set FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 at the build-desktop-tauri workflow level so remaining JavaScript actions run on Node 24.
  • Bump pnpm/action-setup from v4.2.0 to v4.4.0 in desktop build workflows to use an action version that targets Node 24.

@gemini-code-assist
Copy link

gemini-code-assist bot commented Mar 19, 2026

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses deprecation warnings from GitHub Actions regarding JavaScript actions still relying on Node 20. The changes proactively update CI workflows to utilize Node 24, either by upgrading action versions that support it or by explicitly forcing Node 24 runtime for actions that haven't yet released a compatible version. This ensures future stability and prevents potential breaking changes when GitHub Actions eventually enforces Node 24.

Highlights

  • GitHub Actions Workflow Update: Upgraded the pnpm/action-setup action to version v4.4.0 in the setup-desktop-build workflow, which declares a Node 24 runtime.
  • Node.js Runtime Enforcement: Introduced FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true at the workflow level to ensure softprops/action-gh-release runs under Node 24, mitigating deprecation warnings until an official Node 24 release is available for that action.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/build-desktop-tauri.yml
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 19, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the pnpm/action-setup GitHub Action from v4.2.0 to v4.4.0 in the .github/actions/setup-desktop-build/action.yml file. This change addresses the GitHub Actions deprecation warning for the Node 20 runtime by moving to a version that supports Node 24. The update is a necessary maintenance task to ensure the CI pipeline remains stable. The change is correct and I have no suggestions for improvement.

sourcery-ai[bot]
sourcery-ai bot reviewed Mar 19, 2026
View reviewed changes
Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue, and left some high level feedback:

  • If FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 is only required for the softprops/action-gh-release usage, consider scoping it to the specific job or step instead of setting it as a workflow-wide env var to reduce unintended coupling with other jobs.
Prompt for AI Agents 
Please address the comments from this code review:

## Overall Comments
- If `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24` is only required for the `softprops/action-gh-release` usage, consider scoping it to the specific job or step instead of setting it as a workflow-wide env var to reduce unintended coupling with other jobs.

## Individual Comments

### Comment 1
<location path=".github/workflows/build-desktop-tauri.yml" line_range="112" />
<code_context>

     - name: Setup pnpm
-      uses: pnpm/action-setup@v4.2.0
+      uses: pnpm/action-setup@v4.4.0
       with:
         version: ${{ inputs.pnpm-version }}
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Pin `pnpm/action-setup` to a full commit SHA for better supply-chain security

Using a mutable tag means this workflow could change behavior without any code change here. To improve supply-chain security, pin this to the exact commit SHA for `v4.4.0` (e.g., `pnpm/action-setup@<sha>`) and optionally add a comment noting it corresponds to `v4.4.0`.

Suggested implementation:

```
      - name: Setup pnpm
        # pnpm/action-setup v4.4.0
        uses: pnpm/action-setup@<pnpm-action-setup-v4.4.0-commit-sha>
        with:
          version: 10.28.2

```

Replace `<pnpm-action-setup-v4.4.0-commit-sha>` with the actual commit SHA of the `v4.4.0` tag from https://github.com/pnpm/action-setup (e.g., run `git ls-remote https://github.com/pnpm/action-setup refs/tags/v4.4.0` or check the tag in the GitHub UI and copy the full 40‑char SHA). Keep the comment in sync if you later bump the version.
</issue_to_address>
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

.github/workflows/build-desktop-tauri.yml

- name: Setup pnpm
uses: pnpm/action-setup@v4.2.0
uses: pnpm/action-setup@v4.4.0
Copy link

@sourcery-ai sourcery-ai bot Mar 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 suggestion (security): Pin pnpm/action-setup to a full commit SHA for better supply-chain security

Using a mutable tag means this workflow could change behavior without any code change here. To improve supply-chain security, pin this to the exact commit SHA for v4.4.0 (e.g., pnpm/action-setup@<sha>) and optionally add a comment noting it corresponds to v4.4.0.

Suggested implementation:

      - name: Setup pnpm
        # pnpm/action-setup v4.4.0
        uses: pnpm/action-setup@<pnpm-action-setup-v4.4.0-commit-sha>
        with:
          version: 10.28.2

Replace <pnpm-action-setup-v4.4.0-commit-sha> with the actual commit SHA of the v4.4.0 tag from https://github.com/pnpm/action-setup (e.g., run git ls-remote https://github.com/pnpm/action-setup refs/tags/v4.4.0 or check the tag in the GitHub UI and copy the full 40‑char SHA). Keep the comment in sync if you later bump the version.

@zouyonghe zouyonghe merged commit 4da6363 into AstrBotDevs:main Mar 19, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@zouyonghe