ci: update GitHub Actions to Node 24-compatible versions #1476
kolipakakondal wants to merge 3 commits into
📝 Walkthrough
This PR upgrades GitHub Actions step versions across repository workflows:
Changes
GitHub Actions Modernization
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/ci_windows.yml (1)
49-49: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Inconsistent setup-java version across workflows.
This workflow still uses actions/setup-java@v4, while .github/workflows/ci.yml (line 73) and .github/workflows/ci_release.yml (line 26) upgrade to @v5. For consistency and to align with the Node 24 compatibility goal, please upgrade this to @v5 as well.
🔄 Proposed fix
- name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@v5 with: java-version: '21' distribution: 'temurin'
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci_windows.yml at line 49, Update the GitHub Actions step that currently uses "uses: actions/setup-java@v4" to the same major version used in other workflows by changing the reference to "`@v5`"; locate the line that declares uses: actions/setup-java@v4 in this workflow and replace the version tag to actions/setup-java@v5 so all CI workflows consistently use v5 of setup-java.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Line 27: Update the GitHub Actions workflow to use a setup-python action that
supports Node.js 24 by replacing the old actions/setup-python@v5 reference with
actions/setup-python@v6 (or later); locate the step that uses
"actions/setup-python@v5" in the CI workflow and update its version tag to "`@v6`"
(or a newer stable major) so the runner dependencies are compatible with Node
24.
In @.github/workflows/nightly.yml:
- Line 19: Confirm that actions/checkout@v6 is compatible with our workflow
runner and Node requirements: review the v6 release notes for any breaking
changes from v2→v6, verify the minimum supported GitHub runner image and Node.js
versions against our workflow's runner configuration (including any self-hosted
runners), and if incompatibilities are found either pin to a compatible checkout
version (e.g., v3/v4/v5) or update runner/Node images and document the change;
also run the workflow on the target runner(s) to validate and add a short
comment in the workflow explaining the chosen checkout version for future
audits.
In @.github/workflows/update-site-test.yml:
- Line 99: Verify that the workflow reference actions/upload-artifact@v7 is
compatible with our runner Node expectations by inspecting the action's
action.yml (check the runs.using field for the Node version or
composite/JavaScript runner) and confirm it supports Node 24 or the GitHub
hosted runner environment we use; if the action targets an older Node or has
breaking changes, either pin to a known-compatible release (e.g., v6.x) or
update the workflow to use an alternative/upload strategy, and document any
v4→v7 migration notes found in the action changelog to ensure behavior hasn't
changed for the upload behavior referenced in the workflow.
---
Outside diff comments:
In @.github/workflows/ci_windows.yml:
- Line 49: Update the GitHub Actions step that currently uses "uses:
actions/setup-java@v4" to the same major version used in other workflows by
changing the reference to "`@v5`"; locate the line that declares uses:
actions/setup-java@v4 in this workflow and replace the version tag to
actions/setup-java@v5 so all CI workflows consistently use v5 of setup-java.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 79b1ae2a-7234-4ab7-bdb9-a406bbda4ef4
📒 Files selected for processing (14)
.github/workflows/bump-version.yml
.github/workflows/ci.yml
.github/workflows/ci_release.yml
.github/workflows/ci_uploads.yml
.github/workflows/ci_windows.yml
.github/workflows/docs_build.yml
.github/workflows/docs_production.yml
.github/workflows/issue_comment.yml
.github/workflows/new_issues.yml
.github/workflows/new_prs.yml
.github/workflows/nightly.yml
.github/workflows/pr-comment.yml
.github/workflows/pre-commit.yml
.github/workflows/update-site-test.yml
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/ci.yml (1)
45-45: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Inconsistent update: Linux job uses @v4 while macOS job uses @v5.
The build_linux job at line 45 still uses actions/setup-java@v4, but the build_macos job at line 73 in this same file was updated to actions/setup-java@v5. According to the past review, actions/setup-java@v5 is required for Node.js 24 runtime compatibility. This inconsistency leaves the Linux CI job vulnerable to the Node 20 deprecation on June 16, 2026.
🔧 Proposed fix
- name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@v5 with: java-version: '21' distribution: 'temurin' cache: 'maven'
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml at line 45, The Linux CI job uses actions/setup-java@v4 while macOS uses `@v5`; update the setup action in the build_linux job (the step that currently uses actions/setup-java@v4) to actions/setup-java@v5 to match the build_macos job and ensure Node.js 24 runtime compatibility and avoid Node 20 deprecation issues.
.github/workflows/ci_windows.yml (1)
49-49: ⚠️ Potential issue | 🟠 Major
Bump actions/setup-java to @v5 to keep CI on the Node 24 runtime
.github/workflows/ci_windows.yml still uses actions/setup-java@v4 (Node 20 runtime), while other jobs/workflows already use actions/setup-java@v5 (Node 24 runtime), leaving Windows (and also .github/workflows/ci.yml on the v4 line) out of sync and at risk as GitHub deprecates Node 20.
🔧 Proposed fix
- name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@v5 with: java-version: '21' distribution: 'temurin'
Update the remaining actions/setup-java@v4 usage(s) in workflows (including the one in .github/workflows/ci.yml) to @v5 as well.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci_windows.yml at line 49, The workflow uses the deprecated actions/setup-java@v4 which pins the runner to the Node 20 runtime; update every occurrence of actions/setup-java@v4 (e.g., the usage line in the Windows workflow and the similar entry in ci.yml) to actions/setup-java@v5 so those jobs use the Node 24 runtime, commit the updated workflow files, and run CI to verify there are no runtime incompatibilities.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In @.github/workflows/ci_windows.yml:
- Line 49: The workflow uses the deprecated actions/setup-java@v4 which pins the
runner to the Node 20 runtime; update every occurrence of actions/setup-java@v4
(e.g., the usage line in the Windows workflow and the similar entry in ci.yml)
to actions/setup-java@v5 so those jobs use the Node 24 runtime, commit the
updated workflow files, and run CI to verify there are no runtime
incompatibilities.
In @.github/workflows/ci.yml:
- Line 45: The Linux CI job uses actions/setup-java@v4 while macOS uses `@v5`;
update the setup action in the build_linux job (the step that currently uses
actions/setup-java@v4) to actions/setup-java@v5 to match the build_macos job and
ensure Node.js 24 runtime compatibility and avoid Node 20 deprecation issues.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 2455eb60-30a9-4062-823b-b0718eee40f1
📒 Files selected for processing (5)
.github/workflows/ci.yml
.github/workflows/ci_windows.yml
.github/workflows/docs_build.yml
.github/workflows/docs_production.yml
.github/workflows/pre-commit.yml
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci_windows.yml:
- Line 49: Replace the loose tag "actions/setup-java@v5" with the exact
40-character commit SHA to prevent tag drift; locate the "uses:
actions/setup-java@v5" entry in ci_windows.yml and swap the tag for the
corresponding full commit hash from the actions/setup-java repository (ensure
it's the commit that matches v5 you intended), so the workflow references
actions/setup-java@<40-char-SHA> instead of the moving tag.
In @.github/workflows/ci.yml:
- Line 45: The workflow currently references the mutable action tag
actions/setup-java@v5; replace both occurrences (the uses entries that reference
actions/setup-java@v5) with the action pinned to a specific commit SHA
(actions/setup-java@<commit-sha>) to ensure immutability—find the two "uses:
actions/setup-java@v5" lines and update them to use the corresponding release
commit SHA from the actions/setup-java repository.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 941eba94-e446-49b6-b062-6f94f43d6338
📒 Files selected for processing (2)
.github/workflows/ci.yml
.github/workflows/ci_windows.yml
| - name: Set up JDK 21 | ||
| uses: actions/setup-java@v4 | ||
| uses: actions/setup-java@v5 |
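Review bot: the added `uses: actions/setup-java@v5` line still references a major-version tag, which can be repointed upstream after this PR merges. Pin it to the full 40-character commit SHA of the v5 release that was tested and keep the tag as a trailing comment, so later reviews can still read which version is pinned.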
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Re-check workflow action pinning across all workflows.
# Expected: only SHA-pinned uses remain for external actions.
rg -nP --type=yaml '^\s*uses:\s*[^@\s]+@(?!(?:[0-9a-f]{40})\b).+$' .github/workflows
Repository: espressif/idf-eclipse-plugin
Length of output: 3971
Pin actions/setup-java to an immutable commit SHA in ci_windows.yml
.github/workflows/ci_windows.yml line 49 uses actions/setup-java@v5 by moving tag; replace it with the exact 40-char commit SHA to prevent tag drift/supply-chain risk.
uses: actions/setup-java@v5
🧰 Tools
🪛 zizmor (1.25.2)
[error] 49-49: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci_windows.yml at line 49, Replace the loose tag
"actions/setup-java@v5" with the exact 40-character commit SHA to prevent tag
drift; locate the "uses: actions/setup-java@v5" entry in ci_windows.yml and swap
the tag for the corresponding full commit hash from the actions/setup-java
repository (ensure it's the commit that matches v5 you intended), so the
workflow references actions/setup-java@<40-char-SHA> instead of the moving tag.
Source: Linters/SAST tools
| - name: Set up JDK 21 | ||
| uses: actions/setup-java@v4 | ||
| uses: actions/setup-java@v5 |
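Review bot: for the `Set up JDK 21` step in ci.yml, moving from `@v4` to `@v5` leaves the zizmor cache-poisoning finding reported for this line unaddressed. The proposed fix quoted earlier in the thread shows this step with `cache: 'maven'`, so either drop the cache input in jobs whose build output is published, or add a workflow comment recording why restoring a shared cache is acceptable here.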
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify all workflow action refs that are not pinned to a full commit SHA.
# Expected: no matches after remediation.
rg -nP --type=yaml '^\s*uses:\s*[^@\s]+@(?!(?:[0-9a-f]{40})\b).+$' .github/workflows
Repository: espressif/idf-eclipse-plugin
Length of output: 3971
Pin actions/setup-java to a commit SHA in CI
.github/workflows/ci.yml uses the mutable tag actions/setup-java@v5 (also referenced at the same file around line 73), weakening CI supply-chain integrity and conflicting with unpinned-action policies.
Suggested change
- uses: actions/setup-java@v5
+ uses: actions/setup-java@<full_commit_sha_for_v5>
🧰 Tools
🪛 zizmor (1.25.2)
[error] 45-45: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 45-45: runtime artifacts potentially vulnerable to a cache poisoning attack (cache-poisoning): this step
(cache-poisoning)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ci.yml at line 45, The workflow currently references the
mutable action tag actions/setup-java@v5; replace both occurrences (the uses
entries that reference actions/setup-java@v5) with the action pinned to a
specific commit SHA (actions/setup-java@<commit-sha>) to ensure
immutability—find the two "uses: actions/setup-java@v5" lines and update them to
use the corresponding release commit SHA from the actions/setup-java repository.
Source: Linters/SAST tools
7330814 to
f646b9c
Compare
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/nightly.yml (1)
19-26: ⚠️ Potential issue | 🟠 Major
Account for breaking/runtime requirements in actions/checkout@v6 and actions/setup-java@v5
actions/setup-java: v4.0.0 includes a breaking change upgrading the action’s Node runtime to 20; v5.0.0 includes breaking changes upgrading to Node 24.
actions/checkout: v5.0.0 requires a minimum compatible runner version (v2.327.1) and also updates the action to use Node 24—ensure any self-hosted runners are new enough.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/nightly.yml around lines 19 - 26, Update the workflow to avoid unexpected runtime breaks by pinning compatible action versions or ensuring runner compatibility: for actions/setup-java use a specific v4 tag (e.g., actions/setup-java@v4) if you need Node 20 instead of Node 24, and for actions/checkout either pin to actions/checkout@v5 only if your runners meet the minimum runner version (>= v2.327.1) or keep actions/checkout@v6 but ensure all self-hosted runners are upgraded; adjust the uses entries for actions/setup-java and actions/checkout accordingly and document the runner requirement.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/new_issues.yml:
- Line 17: The actions/checkout@v6 step is persisting GitHub credentials by
default; update the checkout step (the step using "uses: actions/checkout@v6")
to include persist-credentials: false in its action inputs so credentials are
not stored in the local git config, while ensuring subsequent steps that require
GITHUB_TOKEN continue to receive it via their explicit env/GITHUB_TOKEN
settings.
In @.github/workflows/pr-comment.yml:
- Line 16: The workflow currently references the mutable tag
"actions/github-script@v9"; replace that with the full commit SHA for the v9
release (e.g., "actions/github-script@<full-commit-sha>") to pin the action and
prevent supply-chain changes, verify v9 compatibility after pinning, and update
the "uses: actions/github-script@v9" line accordingly.
- Line 16: The workflow currently references actions/github-script@v9 which
appears compatible with the inline script, but you should pin the action to a
full commit SHA for supply-chain security; replace the usage of
actions/github-script@v9 with actions/github-script@<full-commit-sha> (obtain
the SHA from the actions/github-script repo for the v9 release) and keep the
existing inline script/API usage as-is (it relies on injected
github/core/context and github.rest/paginate), ensuring no code changes to the
script or require('`@actions/github`') calls are needed.
---
Outside diff comments:
In @.github/workflows/nightly.yml:
- Around line 19-26: Update the workflow to avoid unexpected runtime breaks by
pinning compatible action versions or ensuring runner compatibility: for
actions/setup-java use a specific v4 tag (e.g., actions/setup-java@v4) if you
need Node 20 instead of Node 24, and for actions/checkout either pin to
actions/checkout@v5 only if your runners meet the minimum runner version (>=
v2.327.1) or keep actions/checkout@v6 but ensure all self-hosted runners are
upgraded; adjust the uses entries for actions/setup-java and actions/checkout
accordingly and document the runner requirement.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 4fa7ebef-88be-4575-b9a4-8031128d9902
📒 Files selected for processing (14)
.github/workflows/bump-version.yml
.github/workflows/ci.yml
.github/workflows/ci_release.yml
.github/workflows/ci_uploads.yml
.github/workflows/ci_windows.yml
.github/workflows/docs_build.yml
.github/workflows/docs_production.yml
.github/workflows/issue_comment.yml
.github/workflows/new_issues.yml
.github/workflows/new_prs.yml
.github/workflows/nightly.yml
.github/workflows/pr-comment.yml
.github/workflows/pre-commit.yml
.github/workflows/update-site-test.yml
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@master | ||
| - uses: actions/checkout@v6 |
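Review bot: replacing `actions/checkout@master` with `actions/checkout@v6` trades a branch reference for a tag, and both are mutable; pin the step to the commit SHA of the v6 release instead. The step also has no `with:` block, so add `persist-credentials: false` unless a later step needs git to authenticate with the checkout token.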
Add persist-credentials: false to reduce security exposure.
The actions/checkout step persists GitHub credentials in the local git config by default. Since the subsequent Jira sync step at line 19 explicitly passes GITHUB_TOKEN via environment variables, the persisted credentials are unnecessary and expand the attack surface.
🔒 Recommended security fix
- - uses: actions/checkout@v6
+ - uses: actions/checkout@v6
+ with:
+ persist-credentials: false
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/checkout@v6 | |
| - uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/new_issues.yml at line 17, The actions/checkout@v6 step is
persisting GitHub credentials by default; update the checkout step (the step
using "uses: actions/checkout@v6") to include persist-credentials: false in its
action inputs so credentials are not stored in the local git config, while
ensuring subsequent steps that require GITHUB_TOKEN continue to receive it via
their explicit env/GITHUB_TOKEN settings.
Source: Linters/SAST tools
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/github-script@v7 | ||
| - uses: actions/github-script@v9 |
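Review bot: the change from `actions/github-script@v7` to `@v9` crosses two major versions in a single line, and the inline script body is not part of this hunk. Before merging, confirm that the script does not call `require('@actions/github')` or redeclare `getOctokit`, the two v9 changes listed in the release notes quoted in this thread, and record that check in the PR description.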
🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win
Consider pinning action to commit hash for security.
Using a mutable tag (@v9) allows the action maintainer to update the code without warning. For workflows with write permissions (this workflow has issues: write), GitHub security best practices recommend pinning to a full-length commit SHA to prevent supply-chain attacks.
🔒 Example: Pin to commit hash
- - uses: actions/github-script@v9
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v9.0.0
Note: Replace the hash with the actual commit SHA for the v9.0.0 release once v9 compatibility is verified.
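Review bot: the SHA on the `+` line is, by the suggestion's own note, not confirmed to be the v9.0.0 commit, yet the trailing comment labels it `# v9.0.0`. Do not commit this suggestion as written; resolve the v9.0.0 tag to its commit in the actions/github-script repository and check that the SHA and the comment agree, otherwise the workflow pins to an unverified commit while appearing to be on v9.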
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/github-script@v9 | |
| - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v9.0.0 |
🧰 Tools
🪛 zizmor (1.25.2)
[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pr-comment.yml at line 16, The workflow currently
references the mutable tag "actions/github-script@v9"; replace that with the
full commit SHA for the v9 release (e.g.,
"actions/github-script@<full-commit-sha>") to pin the action and prevent
supply-chain changes, verify v9 compatibility after pinning, and update the
"uses: actions/github-script@v9" line accordingly.
Source: Linters/SAST tools
🧩 Analysis chain
🌐 Web query:
actions/github-script v9 release notes breaking changes compatibility with v7
💡 Result:
The release of actions/github-script v9.0.0, published on April 9, 2026, introduces several breaking changes that affect compatibility with v7 [1][2]. Users upgrading from v7 should be aware of the following primary changes: Breaking Changes in v9: - require('@actions/github') is removed: Because v9 upgrades to @actions/github v9 (which is ESM-only), using require('@actions/github') will now fail at runtime [1][3]. - Replacement for secondary clients: If you previously used require('@actions/github') to initialize additional Octokit clients, you must now use the new getOctokit function, which is injected directly into the script context [1][4]. - getOctokit Scope and Syntax: The getOctokit function is provided as an injected function parameter [1][5]. Consequently, you cannot redeclare it using const or let, as this will trigger a SyntaxError. You should either use the injected function directly or use var if redeclaration is strictly necessary [1][3]. - Internal references: Scripts that rely on internal details of the @actions/github package beyond the standard client may require manual updates to ensure compatibility with the updated dependency [1][6]. Compatibility Note: The transition from v7 to v9 includes the cumulative impact of v8. Specifically, v8 moved the runtime to Node 24 [7][8][9], whereas v7 was running on Node 20 [7][9]. When migrating directly from v7, scripts will also be subject to any environmental changes resulting from the Node.js runtime upgrade from Node 20 to Node 24 [7][9].
Citations:
- 1: https://github.com/actions/github-script/releases/tag/v9.0.0
- 2: https://github.com/actions/github-script/tree/181dcc219c4b6631bb79d68844fc12df4b7cdf2e
- 3: actions/github-script@v8...v9
- 4: https://github.com/actions/github-script/releases
- 5: actions/github-script@3a2844b
- 6: actions/github-script@3953caf
- 7: https://github.com/actions/github-script/blob/main/README.md
- 8: https://github.com/marketplace/actions/github-script
- 9: https://github.com/actions/github-script?tab=readme-ov-file
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/pr-comment.yml"
if [ ! -f "$FILE" ]; then
echo "Missing: $FILE" >&2
exit 1
fi
nl -ba "$FILE" | sed -n '1,120p'
Repository: espressif/idf-eclipse-plugin
Length of output: 115
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/pr-comment.yml"
echo "== File head =="
cat -n "$FILE" | sed -n '1,120p'
echo "== Context around github-script =="
line_match=$(rg -n "actions/github-script@v" "$FILE" | head -n 1 | cut -d: -f1 || true)
if [ -z "${line_match}" ]; then
echo "No actions/github-script@v* found in $FILE" >&2
exit 1
fi
start=$((line_match-40))
end=$((line_match+80))
if [ $start -lt 1 ]; then start=1; fi
cat -n "$FILE" | sed -n "${start},${end}p"
Repository: espressif/idf-eclipse-plugin
Length of output: 6479
🌐 Web query:
actions/github-script v9 documentation injected parameters github core context github.paginate
💡 Result:
In actions/github-script v9, the script context provides several key injected parameters to your asynchronous JavaScript function [1][2]. These parameters are injected directly into the script scope, meaning they are available for immediate use without requiring imports [1]. Injected Parameters in v9: - github: A pre-authenticated Octokit client (using @octokit/rest.js) that includes pagination plugins [1][2]. The methods github.request, github.paginate, and github.graphql remain available for use [2]. - context: An object containing the context information of the current workflow run [1][2]. - core: A reference to the @actions/core package [1][2]. - getOctokit: A new factory function injected in v9 [3][4]. It allows you to create additional authenticated Octokit clients with different tokens for scenarios like multi-token workflows or GitHub App token usage [4][5]. - glob, io, exec: References to their respective @actions packages (@actions/glob, @actions/io, @actions/exec) [1][2]. - require: A proxy wrapper around Node.js's native require, enabling the loading of relative files and npm packages installed in the working directory [1]. Critical v9 Migration Note: - You cannot import @actions/github using require('@actions/github') in v9, as it is now an ESM-only package [3][6]. Instead, use the injected getOctokit function to create secondary clients [3][4]. - Because getOctokit is an injected function parameter, you cannot redeclare it using const or let within your script, as this will trigger a SyntaxError [3][5]. If you must redeclare it, use var [3][4]. [3][4][1][2]
Citations:
- 1: https://github.com/actions/github-script?tab=readme-ov-file
- 2: https://github.com/actions/github-script/blob/b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c/README.md
- 3: https://github.com/actions/github-script/releases/tag/v9.0.0
- 4: https://github.com/actions/github-script?azure-portal=true
- 5: https://github.com/marketplace/actions/github-script
- 6: https://github.com/actions/github-script/releases
Confirm actions/github-script@v9 compatibility for this workflow
- actions/github-script@v9 injects github, core, and context, and exposes github.rest.* and github.paginate, which matches how the inline script uses the API.
- The v7→v9 breaking changes (e.g., require('@actions/github') removal / getOctokit injection rules) don’t apply here since the script doesn’t use require('@actions/github') or redeclare getOctokit.
- Consider pinning actions/github-script@v9 to a full commit SHA for supply-chain security (current @v9 tag is not hash-pinned).
🧰 Tools
🪛 zizmor (1.25.2)
[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pr-comment.yml at line 16, The workflow currently
references actions/github-script@v9 which appears compatible with the inline
script, but you should pin the action to a full commit SHA for supply-chain
security; replace the usage of actions/github-script@v9 with
actions/github-script@<full-commit-sha> (obtain the SHA from the
actions/github-script repo for the v9 release) and keep the existing inline
script/API usage as-is (it relies on injected github/core/context and
github.rest/paginate), ensuring no code changes to the script or
require('`@actions/github`') calls are needed.
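The two checks this review keeps returning to, action references not pinned to a 40-character commit SHA and actions/checkout steps without persist-credentials: false, can be run locally with the standard-library Python script below, which is an added example and not code from this PR, CodeRabbit or zizmor. It goes a little beyond the thread's rg one-liner by also matching steps written as `- uses:` and by skipping local and docker:// references. The function names, the line-based step detection and the sample workflow are assumptions made for illustration.

```python
import re

SHA_RE = re.compile(r"[0-9a-f]{40}")
# Matches both "uses: x" inside a step and "- uses: x" opening a step.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(?P<target>[^\s#]+)")
PERSIST_OFF_RE = re.compile(
    r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(?:#.*)?$")

PLACEHOLDER_SHA = "0" * 40  # constructed value, not a real commit

# Constructed sample workflow, modelled on the steps quoted in this thread.
SAMPLE = f"""\
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Set up JDK 21
        uses: actions/setup-java@v5
        with:
          java-version: '21'
          distribution: 'temurin'
      - uses: actions/checkout@{PLACEHOLDER_SHA}  # constructed placeholder
        with:
          persist-credentials: false
      - uses: ./.github/actions/local-step
"""


def classify_ref(target):
    """Return 'local', 'docker', 'sha' or 'mutable' for a uses: target."""
    target = target.strip("'\"")
    if target.startswith("./"):
        return "local"
    if target.startswith("docker://"):
        return "docker"
    _, sep, ref = target.partition("@")
    if sep and SHA_RE.fullmatch(ref):
        return "sha"
    return "mutable"  # tag, branch, short SHA, or no ref at all


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _step_lines(lines, i):
    """Lines of the step containing line index i (simplified, indent-based)."""
    start = i
    while start > 0 and not lines[start].lstrip().startswith("- "):
        start -= 1
    dash = _indent(lines[start])
    end = start + 1
    # The step runs until the next non-blank line indented no deeper
    # than the dash that opened it.
    while end < len(lines) and (
            not lines[end].strip() or _indent(lines[end]) > dash):
        end += 1
    return lines[start:end]


def audit_workflow(text, path="<workflow>"):
    """Return (path, line, rule, target) tuples for each finding."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target").strip("'\"")
        if classify_ref(target) == "mutable":
            findings.append((path, i + 1, "unpinned-uses", target))
        if target.split("@")[0] == "actions/checkout":
            step = _step_lines(lines, i)
            if not any(PERSIST_OFF_RE.match(s) for s in step):
                findings.append((path, i + 1, "persist-credentials", target))
    return findings


if __name__ == "__main__":
    for path, lineno, rule, target in audit_workflow(SAMPLE, "sample.yml"):
        print(f"{path}:{lineno}: {rule}: {target}")
```

To audit a real repository, read each file under .github/workflows and pass its text and path to audit_workflow; a YAML parser would be needed for workflows that use flow-style or multi-document syntax.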
Description
https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
Bump official actions ahead of the Node 20 deprecation on GitHub runners (June 16, 2026)
Fixes # (IEP-XXX)
Type of change
Please delete options that are not relevant.
How has this been tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration
Test Configuration:
Dependent components impacted by this PR:
Checklist
Summary by CodeRabbit