chore(ci): bump GitHub Actions off Node 20 runtimes#1209
Conversation
Node 20 reached EOL on 2026-04-30. Pin all first- and third-party GitHub Actions to current stable releases by full commit SHA, with the target tag in a trailing comment. Updated: - actions/checkout: v4 -> v6.0.2 - actions/download-artifact: v4 -> v8.0.1 - actions/setup-python: v5 -> v6.2.0 - actions/upload-artifact: v4 -> v7.0.1
clo-ciq
requested review from
PlaidCat,
bmastbergen,
kerneltoast and
shreeya-patel98
as code owners
There was a problem hiding this comment.
Pull request overview
Updates this repo’s CI workflows to use newer, SHA-pinned GitHub Actions releases (notably checkout, setup-python, and artifact upload/download) in response to Node 20 reaching EOL, aiming to keep CI executions compatible with GitHub’s evolving runtime requirements.
Changes:
- Pin
actions/checkouttov6.0.2commit SHA across workflows. - Pin
actions/setup-pythontov6.2.0commit SHA where used. - Bump artifact actions to
upload-artifact@v7.0.1anddownload-artifact@v8.0.1commit SHAs.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/validate-kernel-commits.yml | Pins checkout/setup-python/upload-artifact to newer SHA-pinned releases for the validation workflow. |
| .github/workflows/validate-kernel-commits-comment.yml | Pins download-artifact/checkout/setup-python to newer SHA-pinned releases for the comment-posting workflow. |
| .github/workflows/sync.yml | Pins checkout to a newer SHA-pinned release for scheduled/manual sync automation. |
| .github/workflows/lt-rebase-merge.yml | Pins checkout to a newer SHA-pinned release for LT rebase/merge automation. |
| .github/workflows/kernel-build-and-test-multiarch.yml | Pins checkout/upload-artifact/download-artifact to newer SHA-pinned releases across the multi-arch pipeline. |
| .github/workflows/kernel-build-and-test-multiarch-trigger.yml | Pins upload-artifact to a newer SHA-pinned release for passing trigger metadata via artifacts. |
| .github/workflows/clk-rebase.yml | Pins checkout to a newer SHA-pinned release for CLK rebase automation. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
We will approve this but we want to hold off until we're through DirtyFrag |
PlaidCat
left a comment
PlaidCat
left a comment
There was a problem hiding this comment.
blocking until we're through current crisis.
|
i'd rather see us carve this up and slowly address it. |
|
@PlaidCat Can do, would you rather see a PR per workflow file, or a PR per Action upgrade (e.g. PR for UploadArtifact across all workflows)? |
@clo-ciq We also have a lot of Leaf branches that have workflows so there is more than just main. |
|
@PlaidCat you're free to handle this as you'd like. No mandates. There's a risk that the actions will start to fail because they were written against v20 and the GH hosted runners will use v24. The hash pinning is supply chain security. |
Summary
Node 20 reached EOL on 2026-04-30. This PR bumps GitHub Actions to current stable releases, pinned by full commit SHA with the target tag in a trailing comment.
Warning
Artifact actions changed semantics — review your upload/download steps before merging.
The breaking changes landed in
upload-artifactv4 anddownload-artifactv4 and still apply through v7/v8. Bumps in this PR:actions/download-artifact: v4 -> v8.0.1actions/upload-artifact: v4 -> v7.0.1Common gotchas to verify in this repo:
name:collide; v4+ no longer auto-merges. Interpolate (name: build-${{ matrix.os }}) or setoverwrite: true.name:all collide on the defaultartifactname..coverage,.next/,.cache/) are excluded by default in v4+ — setinclude-hidden-files: trueif you upload dotfiles.download-artifactno longer flattens by default — without aname:, it creates a subdir per artifact. Setmerge-multiple: trueif a downstreamrun:step expects a flat path.github-token:andrun-id:.Changes
actions/checkoutv4v6.0.2actions/download-artifactv4v8.0.1actions/setup-pythonv5v6.2.0actions/upload-artifactv4v7.0.1Files touched: 7 workflow file(s), 43 line change(s).
Test plan
workflow_dispatch.Part of an org-wide bulk update across ~135 ctrliq repos to escape Node 20 EOL.