
ci: update third-party actions to node 24#636

Open
estebany-qd wants to merge 1 commit into
mainfrom
ci/estebany/update-all-actions-node24-3

Conversation

@estebany-qd
Contributor

Update all third-party GitHub Actions to Node 24-compatible versions before the June 2 deadline.

@coderabbitai

coderabbitai Bot commented May 23, 2026

📝 Walkthrough

The PR updates the pinned version of the pypa/gh-action-pypi-publish action used in the GitHub Actions workflow to v1.14.0. This action is responsible for publishing the package to PyPI during automated releases. The version update changes the commit hash reference while preserving all workflow inputs and configuration.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • joein
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title references updating actions to Node 24, but the changeset only updates a pypi-publish action version without evidence of Node 24 compatibility being the primary driver. Clarify whether this PR updates all third-party actions or only the pypi-publish action, and confirm if Node 24 compatibility is the actual requirement being addressed.
✅ Passed checks (4 passed)
Check name Status Explanation
Description check ✅ Passed The description is related to the changeset as it mentions updating third-party GitHub Actions, which aligns with the pypi-publish action version update shown in the changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/python-publish.yml (1)

36-39: Consider migrating to trusted publishing.

PyPI supports trusted publishing (also known as OIDC publishing), which eliminates the need for API tokens and provides stronger security guarantees. This is flagged by the zizmor static analysis tool.

While not required for the Node 24 update, consider migrating to trusted publishing as described in the PyPI documentation. The action supports this via the ACTIONS_ID_TOKEN_REQUEST_TOKEN permission instead of password-based authentication.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/python-publish.yml around lines 36 - 39, Replace
password-based PyPI publishing with OIDC trusted publishing: in the workflow
that uses pypa/gh-action-pypi-publish@cef221092ed1... remove the password: ${{
secrets.PYPI_API_TOKEN }} (and user: __token__) input, add workflow permissions
to enable OIDC (e.g. id-token: write / ACTIONS_ID_TOKEN_REQUEST_TOKEN
permission) and update the action invocation to consume the OIDC token per the
action’s trusted-publishers docs (acquire and pass the ID token to the action as
its token input instead of using the secret). Ensure you follow the
pypa/gh-action-pypi-publish OIDC usage guide when updating the inputs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/python-publish.yml:
- Line 36: The workflow pins pypa/gh-action-pypi-publish to an incorrect commit
(uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b)
which does not match the v1.14.0 tag and may pull an implementation incompatible
with Node 24; update the uses entry so it either references the exact v1.14.0
tag commit (6733eb7d741f0b11ec6a39b58540dab7590f9b7d) or, preferably, switch to
a newer release/tag of pypa/gh-action-pypi-publish that is confirmed Node
24–compatible, and then verify its nested actions (like actions/setup-python)
are also pinned to Node 24-compatible commits.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 673205f2-84f5-452f-bfbb-965f0b6397c0

📥 Commits

Reviewing files that changed from the base of the PR and between a499c31 and 8f423f1.

📒 Files selected for processing (1)
  • .github/workflows/python-publish.yml

run: poetry build
- name: Publish package
uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
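Review bot: the replacement pin carries a `# v1.14.0` comment, but the review's own tag lookup further down in this thread reports v1.14.0 resolving to 6733eb7d741f0b11ec6a39b58540dab7590f9b7d rather than cef221092ed1bacb1cc03d23a2d87d1d172e277b. A version comment that disagrees with its SHA is worse than no comment, since reviewers read the comment while the runner executes the SHA; reconcile the two before merge, either by pinning the commit the release tag actually resolves to or by correcting the comment to whatever this commit really is. Keeping a full SHA rather than a tag is the right choice, and adding the version comment the old pin lacked will make future audits easier once it is accurate.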

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify commit hash and Node 24 compatibility for pypa/gh-action-pypi-publish

# Check if commit hash corresponds to v1.14.0
echo "Checking if commit cef221092ed1bacb1cc03d23a2d87d1d172e277b corresponds to v1.14.0..."
gh api repos/pypa/gh-action-pypi-publish/git/refs/tags/v1.14.0 --jq '.object.sha'

# Check the action.yml to see what Node version it runs on
echo -e "\nChecking Node version used by v1.14.0..."
gh api repos/pypa/gh-action-pypi-publish/contents/action.yml?ref=v1.14.0 --jq '.content' | base64 -d | grep -A2 "runs:"

Repository: qdrant/fastembed

Length of output: 263


🏁 Script executed:

#!/bin/bash
set -euo pipefail
SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"
REPO="pypa/gh-action-pypi-publish"
TAG="v1.14.0"

echo "1) Tag -> SHA check (v1.14.0 expected vs pinned SHA)"
gh api repos/$REPO/git/refs/tags/$TAG --jq '.object.sha'

echo
echo "2) Determine what tag(s) point to the pinned SHA"
# gh's --jq takes a single expression and has no --arg; interpolate the SHA from the shell instead
gh api repos/$REPO/git/refs/tags --paginate --jq ".[] | select(.object.sha==\"$SHA\") | .ref" || true

echo
echo "3) Inspect action.yml runtime for v1.14.0"
gh api repos/$REPO/contents/action.yml?ref=$TAG --jq '.content' | base64 -d | rg -n "runs:|using:|node|node-version" || true

Repository: qdrant/fastembed

Length of output: 325


🏁 Script executed:

#!/bin/bash
set -euo pipefail
SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"
REPO="pypa/gh-action-pypi-publish"
TAG="v1.14.0"

echo "1) Check tags -> SHA match for pinned SHA (which tag(s), if any, point to it)"
gh api repos/$REPO/git/refs/tags --paginate --jq ".[] | select(.object.sha==\"$SHA\") | .ref"

echo
echo "2) action.yml content summary for $TAG (search for nested actions / node runtimes)"
gh api repos/$REPO/contents/action.yml?ref=$TAG --jq '.content' | base64 -d | nl -ba | rg -n "^( *[0-9]+\\s+)?runs:|^( *[0-9]+\\s+)?using:|node-version|\\bnode\\b|^\\s*uses:|^\\s*run:"

Repository: qdrant/fastembed

Length of output: 285


🏁 Script executed:

#!/bin/bash
set -euo pipefail
REPO="pypa/gh-action-pypi-publish"
SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"

echo "A) Inspect response shape for refs/tags (per_page=1)"
# A here-document replaces the pipe as python's stdin, so capture the API
# response to a file first and read that file from the script.
gh api "repos/$REPO/git/refs/tags?per_page=1" > /tmp/refs_page.json
python3 - <<'PY'
import json
with open("/tmp/refs_page.json") as fh:
    data = json.load(fh)
print(type(data))
print(data.keys() if isinstance(data, dict) else "not-a-dict")
PY

echo
echo "B) Find tag(s) pointing to pinned SHA"
gh api "repos/$REPO/git/refs/tags" --paginate > /tmp/refs_all.json
python3 - "$SHA" <<'PY'
import json, sys
# --paginate on an array endpoint emits one JSON array per page, back to back,
# so decode the pages one after another instead of as a single document.
sha = sys.argv[1]
with open("/tmp/refs_all.json") as fh:
    raw = fh.read()
dec = json.JSONDecoder()
pos = 0
while pos < len(raw):
    if raw[pos].isspace():
        pos += 1
        continue
    page, pos = dec.raw_decode(raw, pos)
    for ref in page:
        if ref["object"]["sha"] == sha:
            print(ref["ref"])
PY

Repository: qdrant/fastembed

Length of output: 852


🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="pypa/gh-action-pypi-publish"
SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"
TAG="v1.14.0"

echo "1) Tags pointing to pinned SHA ($SHA):"
gh api repos/$REPO/git/refs/tags --paginate --jq ".. | objects | select(.object?.sha? == \"$SHA\") | .ref" || true

echo
echo "2) action.yml runs.using for tag $TAG:"
gh api repos/$REPO/contents/action.yml?ref=$TAG --jq '.content' | base64 -d | rg -n "^\s*runs:|^\s*using:|^\s*steps:"

echo
echo "3) action.yml runs.using for pinned ref (SHA):"
gh api repos/$REPO/contents/action.yml?ref=$SHA --jq '.content' | base64 -d | rg -n "^\s*runs:|^\s*using:|^\s*steps:"

echo
echo "4) action.yml at $TAG: list of nested action references (uses@...)"
gh api repos/$REPO/contents/action.yml?ref=$TAG --jq '.content' | base64 -d | rg -n "^\s*uses:\s" || true

echo
echo "5) action.yml at $TAG: show lines around nested uses (if any)"
gh api repos/$REPO/contents/action.yml?ref=$TAG --jq '.content' | base64 -d | rg -n -C2 "^\s*uses:\s" || true

Repository: qdrant/fastembed

Length of output: 1073


🏁 Script executed:

#!/bin/bash
set -euo pipefail
REPO="pypa/gh-action-pypi-publish"
PINNED_SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"

echo "1) Find tag(s) that point to pinned SHA using matching-refs (pypa/gh-action-pypi-publish)"
# Try to find any v1.* tags that resolve to the pinned SHA.
gh api repos/$REPO/git/matching-refs/tags/v1.* --paginate --jq ".[] | select(.object.sha==\"$PINNED_SHA\") | .ref" || true
echo
echo "2) Get v1.14.* tags SHAs to see where pinned SHA would land"
gh api repos/$REPO/git/matching-refs/tags/v1.14.* --paginate --jq ".[] | {ref:.ref, sha:.object.sha}" || true

echo
echo "3) Inspect actions/setup-python action.yml for its runs.using (ref from nested uses)"
SETUP_PY_REF="a26af69be951a213d495a4c3e4e4022e16d87065"
gh api repos/actions/setup-python/contents/action.yml?ref=$SETUP_PY_REF --jq '.content' | base64 -d | rg -n "^\s*runs:|^\s*using:|node-version|node\d+|^\s*steps:|^\s*uses:"

Repository: qdrant/fastembed

Length of output: 327


🏁 Script executed:

#!/bin/bash
set -euo pipefail
REPO="pypa/gh-action-pypi-publish"
PINNED_SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"

echo "1) Find any tag(s) that point to pinned SHA across all v* tags"
gh api repos/$REPO/git/matching-refs/tags/v* --paginate --jq ".[] | select(.object.sha==\"$PINNED_SHA\") | .ref" || true

echo
echo "2) Inspect nested local action runs.using for v1.14.0 (run-pypi-publish-in-docker-container)"
# Path referenced in action.yml at v1.14.0
NESTED_PATH=".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container"
gh api repos/$REPO/contents/$NESTED_PATH?ref=v1.14.0 --jq '.content' | base64 -d | rg -n "^\s*runs:|^\s*using:|node-version|node\d+|^\s*steps:|^\s*uses:" || true

Repository: qdrant/fastembed

Length of output: 282


🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="pypa/gh-action-pypi-publish"
TAG="v1.14.0"
PINNED_SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"

# v1.14.0 commit sha (what GitHub tag resolves to)
TAG_SHA="$(gh api repos/$REPO/git/refs/tags/$TAG --jq '.object.sha')"
echo "v1.14.0 resolves to commit: $TAG_SHA"
echo

echo "1) Files under .github/.tmp/.generated-actions (v1.14.0 commit) containing run-pypi-publish-in-docker-container"
# recursive=1 is a query parameter of the trees endpoint, not a gh flag
gh api "repos/$REPO/git/trees/$TAG_SHA?recursive=1" --jq '
  [.tree[]
    | select(.path | test("\\.github/\\.tmp/\\.generated-actions/.*run-pypi-publish-in-docker-container"))
    | {path, type}
  ][0:50]
'

echo
echo "2) Files under .github/.tmp/.generated-actions (pinned commit) containing run-pypi-publish-in-docker-container"
gh api "repos/$REPO/git/trees/$PINNED_SHA?recursive=1" --jq '
  [.tree[]
    | select(.path | test("\\.github/\\.tmp/\\.generated-actions/.*run-pypi-publish-in-docker-container"))
    | {path, type}
  ][0:50]
'

echo
echo "3) For any discovered action.yml under those paths, print runs.using/node runtime (try common action.yml locations)"
# Try a couple likely paths; if none exist, step 4 will show what exists.
for ref in "$TAG" "$PINNED_SHA"; do
  echo "--- Inspect runs.using for candidate nested action.yml at ref=$ref ---"
  for candidate in \
    ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container/action.yml" \
    ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container.yml" \
    ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container.yaml" \
    ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container/index.js" \
    ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container/dist/action.yml"
  do
    out="$(gh api repos/$REPO/contents/$candidate?ref=$ref --jq '.content' 2>/dev/null | base64 -d 2>/dev/null || true)"
    if [ -n "$out" ]; then
      echo "Found content at: $candidate (ref=$ref)"
      echo "$out" | rg -n "^\s*runs:|^\s*using:|node-version|node[0-9]+|^\s*steps:|^\s*inputs:" || true
      break
    fi
  done
done

echo
echo "4) If 3 found nothing, show exact action.yml files under .github/.tmp/.generated-actions/run-pypi-publish-in-docker-container* (v1.14.0)."
gh api "repos/$REPO/git/trees/$TAG_SHA?recursive=1" --jq '
  [.tree[] | select(.path | test("\\.github/\\.tmp/\\.generated-actions/.*run-pypi-publish-in-docker-container") and (.path|test("action\\.ya?ml$"))) | .path][0:30]
'

Repository: qdrant/fastembed

Length of output: 1679


🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="pypa/gh-action-pypi-publish"
PINNED_SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"
TAG="v1.14.0"

echo "1) What tag does v1.14.0 resolve to?"
gh api repos/$REPO/git/refs/tags/$TAG --jq '.object.sha'

echo
echo "2) Does pinned SHA map to any v1.14.* tag?"
gh api repos/$REPO/git/matching-refs/tags/v1.14.* --paginate --jq ".[] | select(.object.sha==\"$PINNED_SHA\") | .ref" || true

echo
echo "3) pypa/gh-action-pypi-publish@PINNED_SHA: runs.using + nested action versions"
gh api repos/$REPO/contents/action.yml?ref=$PINNED_SHA --jq '.content' | base64 -d \
  | rg -n "runs:|using:|^\\s*uses:\\s|setup-python@|checkout@|node(1|2|3|4)\\d|node-version" || true

echo
echo "4) actions/checkout@de0fac... runs.using"
CHECKOUT_SHA="de0fac2e4500dabe0009e67214ff5f5447ce83dd"
gh api repos/actions/checkout/contents/action.yml?ref=$CHECKOUT_SHA --jq '.content' | base64 -d \
  | rg -n "runs:|using:|node-version|node(1|2|3|4)\\d" || true

echo
echo "5) actions/setup-python@a309ff... runs.using"
SETUP_PY_SHA="a309ff8b426b58ec0e2a45f0f869d46889d02405"
gh api repos/actions/setup-python/contents/action.yml?ref=$SETUP_PY_SHA --jq '.content' | base64 -d \
  | rg -n "runs:|using:|node-version|node(1|2|3|4)\\d" || true

Repository: qdrant/fastembed

Length of output: 614


🏁 Script executed:

#!/bin/bash
set -euo pipefail
REPO="pypa/gh-action-pypi-publish"
PINNED_SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"

echo "1) Show the exact line(s) where the local nested action is referenced (from action.yml at pinned SHA)"
gh api repos/$REPO/contents/action.yml?ref=$PINNED_SHA --jq '.content' | base64 -d | sed -n '150,190p'

echo
echo "2) List the directory contents for .github/.tmp/.generated-actions/run-pypi-publish-in-docker-container at pinned SHA"
LOCAL_DIR=".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container"
gh api repos/$REPO/contents/$LOCAL_DIR?ref=$PINNED_SHA || true

echo
echo "3) If action.yml exists inside that directory, print its runs.using"
for f in "action.yml" "action.yaml" "runs/action.yml" "dist/action.yml"; do
  gh api repos/$REPO/contents/$LOCAL_DIR/$f?ref=$PINNED_SHA --jq '.content' 2>/dev/null \
    | base64 -d 2>/dev/null | rg -n "runs:|using:|node-version|node(1|2|3|4|20|24)" && exit 0
done
echo "No action.yml/action.yaml found at common locations under $LOCAL_DIR (or contents API didn’t return content)."

Repository: qdrant/fastembed

Length of output: 2020


🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="pypa/gh-action-pypi-publish"
PINNED_SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"
SETUP_PY_SHA_NESTED="a26af69be951a213d495a4c3e4e4022e16d87065"

echo "1) actions/setup-python@a26af... runs.using (node runtime)"
gh api repos/actions/setup-python/contents/action.yml?ref=$SETUP_PY_SHA_NESTED --jq '.content' | base64 -d \
  | rg -n "^\s*runs:|^\s*using:" || true
echo
gh api repos/actions/setup-python/contents/action.yml?ref=$SETUP_PY_SHA_NESTED --jq '.content' | base64 -d \
  | rg -n "node(1|2|3|4|16|20|24)|node-version" || true

echo
echo "2) Does .github/.tmp/.generated-actions/run-pypi-publish-in-docker-container/* exist in pinned SHA tree?"
# List matching paths in the git tree (recursive=1 is a query param, not a gh flag)
gh api "repos/$REPO/git/trees/$PINNED_SHA?recursive=1" --jq '
  [.tree[] | select(.path | test("^\\.github/\\.tmp/\\.generated-actions/run-pypi-publish-in-docker-container/")) | .path] | .[0:50]
'

echo
echo "3) If action.yml exists inside that directory, print its runs.using"
# Try common action.yml locations under that directory
for p in \
  ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container/action.yml" \
  ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container/action.yaml" \
  ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container/dist/action.yml"
do
  echo "--- Trying $p"
  out="$(gh api repos/$REPO/contents/$p?ref=$PINNED_SHA --jq '.content' 2>/dev/null | base64 -d 2>/dev/null || true)"
  if [ -n "$out" ]; then
    echo "$out" | rg -n "^\s*runs:|^\s*using:|node(1|2|3|4|16|20|24)|node-version" || true
  fi
done

Repository: qdrant/fastembed

Length of output: 628


Fix the pypa/gh-action-pypi-publish pin + ensure Node 24 compatibility

  • The commit you pinned (cef221092ed1bacb1cc03d23a2d87d1d172e277b) does not match the v1.14.0 tag commit (the v1.14.0 tag resolves to 6733eb7d741f0b11ec6a39b58540dab7590f9b7d).
  • At v1.14.0, pypa/gh-action-pypi-publish is runs: using: composite, but it internally uses actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 (v5.6.0), whose action.yml runs on node20—so the publish action isn’t fully Node 24–compatible.
  • Your workflow’s direct actions/checkout@de0fac... and actions/setup-python@a309ff... pins are node24, so the Node 24 issue is specifically inside pypa/gh-action-pypi-publish.
🧰 Tools
🪛 zizmor (1.25.2)

[info] 36-36: prefer trusted publishing for authentication (use-trusted-publishing): this step

(use-trusted-publishing)

