Skip to content

fix(workflow): bump create-github-app-token v2 → v3 (Node.js 24)#7773

Merged
BYK merged 1 commit into
mainfrom
fix/node20-deprecation
Apr 10, 2026
Merged

fix(workflow): bump create-github-app-token v2 → v3 (Node.js 24)#7773
BYK merged 1 commit into
mainfrom
fix/node20-deprecation

Conversation

@BYK

@BYK BYK commented Apr 10, 2026

Copy link
Copy Markdown
Member

Summary

Bump actions/create-github-app-token from v2 to v3 across all workflow files to resolve the Node.js 20 deprecation warning.

Node.js 24 will be forced starting June 2, 2026. Node.js 20 removed from runners September 16, 2026.

Files changed

  • publish.yml (was pinned to SHA @29824e69... with # v2 comment)
  • ci-pending.yml (@v2.2.1)
  • ci-poller.yml (@v2.2.1)
  • auto-approve.yml (@v2.2.1)

Breaking changes in v3 (no impact)

  • Proxy support now requires NODE_USE_ENV_PROXY=1 — not used in this repo
  • Requires Actions Runner v2.327.1+ for self-hosted runners — N/A (GitHub-hosted)

v2 runs on deprecated Node.js 20. Node.js 24 will be forced starting
June 2, 2026, and Node.js 20 removed from runners September 16, 2026.

v3 breaking changes (no impact on this repo):
- Proxy support requires NODE_USE_ENV_PROXY=1 (not used here)
- Requires Actions Runner v2.327.1+ for self-hosted runners (N/A)
@BYK BYK marked this pull request as ready for review April 10, 2026 21:57
@BYK BYK requested a review from a team as a code owner April 10, 2026 21:57
@BYK BYK merged commit 61fd401 into main Apr 10, 2026
10 checks passed
@BYK BYK deleted the fix/node20-deprecation branch April 10, 2026 21:57

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 52727ee. Configure here.

- name: Get Release Bot auth token
id: token
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
uses: actions/create-github-app-token@v3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SHA-pinned action replaced with floating major tag

Low Severity

The create-github-app-token action in publish.yml was previously pinned to a specific commit SHA (@29824e69...), which protects against supply-chain attacks by ensuring the exact code is known and immutable. It's now changed to a floating major version tag (@v3), which can be moved to point to different code at any time. This workflow runs in the production environment and has access to many sensitive secrets (NPM tokens, Docker credentials, GPG keys, PyPI tokens, etc.), so the original SHA pinning was presumably a deliberate security measure. The other three workflow files were already using floating tags, but publish.yml has a significantly higher blast radius.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 52727ee. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant