Thanks to visit codestin.com
Credit goes to github.com

Skip to content

chore(ci): upgrade checkout to v5 #9357

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rejected-l wants to merge 2 commits into from
Closed

chore(ci): upgrade checkout to v5 #9357

rejected-l wants to merge 2 commits into from

Conversation

@rejected-l
Copy link
Contributor

@rejected-l rejected-l commented Aug 12, 2025
edited by coderabbitai bot
Loading

Maintenance update to actions/checkout@v5 to align with the current runner stack (Node 24); nothing else modified.

Release notes: https://github.com/actions/checkout/releases/tag/v5.0.0

Summary by CodeRabbit

  • Chores
    • Upgraded the GitHub Actions checkout step to v5 across CI/CD workflows, including unit/integration tests, TypeScript/Jest suites, Docker builds, nightly builds, release pipelines, documentation deploys/updates, smoke tests, and style/lint checks.
    • Enhances security, reliability, and compatibility with the latest GitHub Actions ecosystem.
    • No changes to application features or behavior; build and test pipelines continue to operate as before.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Aug 12, 2025
edited
Loading

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

All modified GitHub Actions workflows update the checkout action from actions/checkout@v4 to actions/checkout@v5 across multiple steps and jobs. No other steps, inputs, logic, or control flow were changed.

Changes

Cohort / File(s) Summary
Core CI and Tests
.github/workflows/ci.yml, .github/workflows/cross-platform-test.yml, .github/workflows/integration_tests.yml, .github/workflows/jest_test.yml, .github/workflows/python_test.yml, .github/workflows/typescript_test.yml, .github/workflows/smoke-tests.yml, .github/workflows/store_pytest_durations.yml, .github/workflows/template-tests.yml, .github/workflows/docker_test.yml		 Bump actions/checkout v4 → v5 across these workflows (ci: 2 steps; python_test: 3; typescript_test: 3; others: 1 each).
Linting and Auto-fix
.github/workflows/lint-js.yml, .github/workflows/lint-py.yml, .github/workflows/js_autofix.yml, .github/workflows/py_autofix.yml, .github/workflows/style-check-py.yml		 Update checkout to v5 (lint-py, py_autofix: multiple jobs; others: single step).
Docs
.github/workflows/deploy-docs-draft.yml, .github/workflows/deploy_gh-pages.yml, .github/workflows/docs-update-openapi.yml, .github/workflows/docs_test.yml, .github/workflows/fetch_docs_notion.yml		 Update checkout to v5 in each workflow; no other changes.
Release and Nightly
.github/workflows/release.yml, .github/workflows/release_nightly.yml, .github/workflows/nightly_build.yml		 Upgrade checkout to v5 (release: 2 steps; release_nightly: 4; nightly_build: 2).
Docker Build
.github/workflows/docker-build.yml		 Upgrade checkout to v5 in 4 steps (get-version, build, build_components, restart-space).
Security Analysis
.github/workflows/codeql.yml		 Checkout updated to v5 in CodeQL workflow.
Optimization
.github/workflows/codeflash.yml		 Checkout updated to v5 in optimize job.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

Suggested labels

size:L, lgtm

Suggested reviewers

  • jordanrfrazier
✨ Finishing Touches
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

Status, Documentation and Community

  • Visit our Status Page to check the current availability of CodeRabbit.
  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

coderabbitai[bot]
coderabbitai bot reviewed Aug 12, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (14)
.github/workflows/fetch_docs_notion.yml (1)

20-20: Consider pinning the action version for supply-chain safety

Pin to an immutable version (v5.0.0 or full commit SHA) to avoid unexpected changes from future v5 releases.

Apply this diff in this file:

-        uses: actions/checkout@v5
+        uses: actions/[email protected]
.github/workflows/release.yml (2)

67-67: Pin action to an immutable version

Recommend pinning to v5.0.0 (or a commit SHA) to reduce supply-chain risk.

-        uses: actions/checkout@v5
+        uses: actions/[email protected]

135-135: Pin action to an immutable version

Same recommendation here as well.

-        uses: actions/checkout@v5
+        uses: actions/[email protected]
.github/workflows/lint-py.yml (1)

28-28: Optional hard pin of action version

Prefer pinning to a fixed version for reproducibility and security.

-        uses: actions/checkout@v5
+        uses: actions/[email protected]
.github/workflows/docs_test.yml (1)

22-22: Pin to a specific version

Recommend pinning to v5.0.0 (or commit SHA).

-        uses: actions/checkout@v5
+        uses: actions/[email protected]
.github/workflows/store_pytest_durations.yml (1)

24-24: Optional: pin to v5.0.0 (or SHA)

Improves determinism of scheduled workflow runs.

-      - uses: actions/checkout@v5
+      - uses: actions/[email protected]
.github/workflows/lint-js.yml (1)

25-25: Consider pinning to a fixed version

Pin to v5.0.0 (or SHA) for stability.

-        uses: actions/checkout@v5
+        uses: actions/[email protected]
.github/workflows/jest_test.yml (1)

33-33: Optional: pin to v5.0.0 (or SHA)

Prevents unintentional changes impacting CI signal.

-        uses: actions/checkout@v5
+        uses: actions/[email protected]
.github/workflows/release_nightly.yml (4)

72-72: Pin action version for reproducibility

Nightly builds benefit from deterministic inputs; pin to v5.0.0 or SHA.

-        uses: actions/checkout@v5
+        uses: actions/[email protected]

149-149: Pin version suggestion

Same pinning recommendation here.

-        uses: actions/checkout@v5
+        uses: actions/[email protected]

225-225: Pin to a fixed version

Consistent with other jobs.

-        uses: actions/checkout@v5
+        uses: actions/[email protected]

250-250: Optional pinning to v5.0.0 (or SHA)

Keeps nightly publishing stable.

-        uses: actions/checkout@v5
+        uses: actions/[email protected]
.github/workflows/nightly_build.yml (1)

28-31: Optional hardening: disable credential persistence where not needed; consider pinning to a commit SHA

  • For the “Checkout main nightly tag” step (Line 98), no pushes occur afterwards. You can disable credential persistence for defense-in-depth.
  • For the initial checkout (Line 28), you push tags later, so keeping credentials is appropriate.
  • If your org requires supply chain hardening, consider pinning actions to a full-length commit SHA instead of a floating major tag.

Proposed tweak for the “Checkout main nightly tag” step:

-      - name: Checkout main nightly tag
-        uses: actions/checkout@v5
-        with:
-          ref: ${{ steps.generate_main_tag.outputs.main_tag }}
+      - name: Checkout main nightly tag
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ steps.generate_main_tag.outputs.main_tag }}
+          persist-credentials: false

If adopting SHA pinning (example only; replace with the actual v5 commit SHA you trust):

-        uses: actions/checkout@v5
+        uses: actions/checkout@<COMMIT_SHA_FOR_V5>

Also applies to: 98-101

.github/workflows/typescript_test.yml (1)

69-73: Optional security hardening: disable credential persistence; consider pinning to a commit SHA

These jobs don’t push to the repo. You can disable credential persistence to reduce token exposure. Also consider pinning actions to a full-length commit SHA if that aligns with your security policy.

Suggested diffs:

  • determine-test-suite:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v5
         with:
           ref: ${{ inputs.ref || github.ref }}
           fetch-depth: 0
+          persist-credentials: false
  • setup-and-test:
-      - name: Checkout Repository
-        uses: actions/checkout@v5
+      - name: Checkout Repository
+        uses: actions/checkout@v5
         with:
           ref: ${{ inputs.ref || github.ref }}
+          persist-credentials: false
  • merge-reports:
-      - name: Checkout code
-        if: ${{ steps.should_merge_reports.outputs.should_merge_reports == 'true' }}
-        uses: actions/checkout@v5
+      - name: Checkout code
+        if: ${{ steps.should_merge_reports.outputs.should_merge_reports == 'true' }}
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false

If adopting SHA pinning (example only; replace with the actual v5 commit SHA you trust):

-uses: actions/checkout@v5
+uses: actions/checkout@<COMMIT_SHA_FOR_V5>

Also applies to: 268-271, 361-362

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 515786c and a17b870.

📒 Files selected for processing (26)
  • .github/workflows/ci.yml (2 hunks)
  • .github/workflows/codeflash.yml (1 hunks)
  • .github/workflows/codeql.yml (1 hunks)
  • .github/workflows/cross-platform-test.yml (1 hunks)
  • .github/workflows/deploy-docs-draft.yml (1 hunks)
  • .github/workflows/deploy_gh-pages.yml (1 hunks)
  • .github/workflows/docker-build.yml (4 hunks)
  • .github/workflows/docker_test.yml (1 hunks)
  • .github/workflows/docs-update-openapi.yml (1 hunks)
  • .github/workflows/docs_test.yml (1 hunks)
  • .github/workflows/fetch_docs_notion.yml (1 hunks)
  • .github/workflows/integration_tests.yml (1 hunks)
  • .github/workflows/jest_test.yml (1 hunks)
  • .github/workflows/js_autofix.yml (1 hunks)
  • .github/workflows/lint-js.yml (1 hunks)
  • .github/workflows/lint-py.yml (1 hunks)
  • .github/workflows/nightly_build.yml (2 hunks)
  • .github/workflows/py_autofix.yml (2 hunks)
  • .github/workflows/python_test.yml (3 hunks)
  • .github/workflows/release.yml (2 hunks)
  • .github/workflows/release_nightly.yml (4 hunks)
  • .github/workflows/smoke-tests.yml (1 hunks)
  • .github/workflows/store_pytest_durations.yml (1 hunks)
  • .github/workflows/style-check-py.yml (1 hunks)
  • .github/workflows/template-tests.yml (1 hunks)
  • .github/workflows/typescript_test.yml (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: test-starter-projects
🔇 Additional comments (41)
.github/workflows/js_autofix.yml (1)

18-18: Upgrade to actions/checkout@v5 looks good

No changes in inputs/behavior here; step should continue to work as before.

.github/workflows/codeql.yml (1)

33-33: LGTM: Checkout bumped to v5

Safe upgrade; CodeQL steps are unaffected by this change.

.github/workflows/py_autofix.yml (2)

15-15: LGTM: Checkout bumped to v5 (lint job)

No other step/config changes; expected to be a no-op aside from runtime alignment.

32-32: LGTM: Checkout bumped to v5 (update-starter-projects job)

Consistent with the rest of the repo updates.

.github/workflows/deploy-docs-draft.yml (1)

21-21: LGTM: Checkout bumped to v5

No functional changes to the deploy process. Proceed.

.github/workflows/cross-platform-test.yml (1)

32-32: LGTM: Checkout bumped to v5

Build step should behave identically with the new major version.

.github/workflows/docs-update-openapi.yml (1)

18-18: LGTM: Checkout bumped to v5

No other modifications; works with current runner stacks.

.github/workflows/style-check-py.yml (1)

19-19: LGTM: Checkout bumped to v5

No additional changes required.

.github/workflows/python_test.yml (2)

116-119: LGTM: Checkout bumped to v5 (integration-tests job)

No functional changes; consistent with the rest of the workflows.

142-145: LGTM: Checkout bumped to v5 (test-cli job)

No additional adjustments needed.

.github/workflows/integration_tests.yml (2)

43-43: Checkout v5 bump looks good.

No behavioral changes in this step. The ref input and the rest of the job remain compatible.

43-46: actions/checkout Migration Verified

All workflows now reference actions/checkout@v5 – no @v4 remains. The only breaking change in v5 is the runtime bump to Node.js 24; checkout inputs/behavior (submodules, fetch-depth, token handling) are unchanged.

• Scanned 29 workflow files under .github/workflows – only actions/checkout@v5 found
• No lingering actions/checkout@v4 references
• v5 uses Node 24: confirm any custom JS/composite actions and self-hosted runners support Node 24 (GitHub-hosted runners already include it)

.github/workflows/docker-build.yml (4)

71-75: Checkout v5 in get-version job: OK.

Inputs and persist-credentials usage remain valid.

190-194: Checkout v5 in build job: OK.

No changes needed; ref and persist-credentials are intact.

285-288: Checkout v5 in build_components job: OK.

Matches the pattern used elsewhere in the workflow.

342-345: Checkout v5 in restart-space job: OK.

No compatibility concerns spotted.

.github/workflows/codeflash.yml (1)

22-24: Checkout v5 bump looks good.

fetch-depth: 0 remains appropriate for PR context.

.github/workflows/smoke-tests.yml (1)

17-19: Checkout v5 upgrade: LGTM.

No other step depends on deprecated v4 behavior.

.github/workflows/template-tests.yml (1)

22-23: Checkout v5 bump looks good.

No changes required elsewhere in the job.

.github/workflows/docker_test.yml (1)

30-31: Checkout v5 usage is correct.

The subsequent docker build/test steps are unaffected.

.github/workflows/ci.yml (2)

153-156: Checkout v5 in path-filter job: OK.

ref input is preserved; paths-filter step remains unaffected.

215-218: Checkout v5 in test-templates job: OK.

No issues detected.

.github/workflows/deploy_gh-pages.yml (1)

17-18: Checkout v5 upgrade: LGTM.

The gh-pages deployment flow and tokens are unchanged and compatible.

.github/workflows/fetch_docs_notion.yml (2)

20-20: Checkout bump to v5 looks good

No logic changes; aligns with runner Node 24 stack. Safe maintenance update.

20-20: All workflows updated to actions/checkout@v5
No occurrences of actions/checkout@v4 were found in .github/workflows/. You’re good to merge.

.github/workflows/release.yml (2)

67-67: Build-base: checkout bumped to v5 — OK

Matches the PR intent; no other step inputs affected.

135-135: Build-main: checkout bumped to v5 — OK

Change is isolated and non-breaking.

.github/workflows/lint-py.yml (1)

28-28: Checkout bump to v5 looks good

Inputs (ref, persist-credentials) remain compatible.

.github/workflows/docs_test.yml (1)

22-22: Checkout bump to v5 looks good

No behavioral changes to the docs build flow.

.github/workflows/store_pytest_durations.yml (1)

24-24: Checkout bump to v5 looks good

No impact on permissions or subsequent steps.

.github/workflows/lint-js.yml (1)

25-25: Checkout bump to v5 looks good

Frontend lint flow remains unchanged.

.github/workflows/jest_test.yml (1)

33-33: Checkout bump to v5 looks good

No changes to caching or test steps; safe update.

.github/workflows/release_nightly.yml (4)

72-72: build-nightly-base: checkout bumped to v5 — OK

Inputs (ref, persist-credentials) unchanged and compatible.

149-149: build-nightly-main: checkout bumped to v5 — OK

No behavioral change expected.

225-225: publish-nightly-base: checkout bumped to v5 — OK

This job reads artifacts; checkout v5 has no adverse impact.

250-250: publish-nightly-main: checkout bumped to v5 — OK

No issues spotted.

.github/workflows/nightly_build.yml (2)

28-31: Upgrade to actions/checkout v5: LGTM

The step cleanly bumps to v5 with no other logic changes. No functional concerns.

98-101: Second checkout bumped to v5: LGTM

Consistent with the PR objective; no behavioral changes expected here.

.github/workflows/typescript_test.yml (3)

69-73: Checkout v5 in determine-test-suite: LGTM

Matches the repo-wide upgrade; fetch-depth: 0 remains intact for history-dependent logic.

268-271: Checkout v5 in setup-and-test: LGTM

No side effects expected; step behavior should be identical.

361-362: Checkout v5 in merge-reports: LGTM

Consistent with the PR scope.

.github/workflows/python_test.yml
Comment on lines +52 to 55
- uses: actions/checkout@v5
with:
ref: ${{ inputs.ref || github.ref }}

Copy link
Contributor

@coderabbitai coderabbitai bot Aug 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Verification agent

🧩 Analysis chain

Optional: Pin checkout to a fixed version (or commit SHA) for supply-chain hardening

Using a floating major tag tracks silent patch updates. Consider pinning to v5.0.0 (or a commit SHA) to reduce supply-chain risk. If you prefer automatic patches, keep as-is.

To locate all occurrences for potential pinning:

If you opt to pin here, apply:

-      - uses: actions/checkout@v5
+      - uses: actions/[email protected]
         with:
           ref: ${{ inputs.ref || github.ref }}

🏁 Script executed:

#!/bin/bash
# List all uses of actions/checkout@v5 across the repo
rg -n $'uses:\\s*actions/checkout@v5' -S

Length of output: 40

🏁 Script executed:

#!/bin/bash
# Confirm occurrences of actions/checkout usage in workflow files
rg -n 'actions/checkout@' .github/workflows

Length of output: 2935

Pin actions/checkout to a fixed patch version for supply-chain hardening

We’ve identified 26 workflow files still using the floating major tag @v5. To lock in patches and reduce risk, replace each occurrence with a fixed patch version (for example, @v5.0.0) or a specific commit SHA:

Workflows requiring updates:

  • .github/workflows/ci.yml
  • .github/workflows/codeflash.yml
  • .github/workflows/codeql.yml
  • .github/workflows/cross-platform-test.yml
  • .github/workflows/deploy-docs-draft.yml
  • .github/workflows/deploy_gh-pages.yml
  • .github/workflows/docker-build.yml
  • .github/workflows/docker_test.yml
  • .github/workflows/docs-update-openapi.yml
  • .github/workflows/docs_test.yml
  • .github/workflows/fetch_docs_notion.yml
  • .github/workflows/integration_tests.yml
  • .github/workflows/jest_test.yml
  • .github/workflows/js_autofix.yml
  • .github/workflows/lint-js.yml
  • .github/workflows/lint-py.yml
  • .github/workflows/nightly_build.yml
  • .github/workflows/python_test.yml
  • .github/workflows/py_autofix.yml
  • .github/workflows/release.yml
  • .github/workflows/release_nightly.yml
  • .github/workflows/smoke-tests.yml
  • .github/workflows/standard-tests.yml (template-tests.yml)
  • .github/workflows/store_pytest_durations.yml
  • .github/workflows/style-check-py.yml
  • .github/workflows/typescript_test.yml

Example change:

-      - uses: actions/checkout@v5
+      - uses: actions/[email protected]
🤖 Prompt for AI Agents 
In .github/workflows/python_test.yml around lines 52 to 55 the workflow uses the
floating tag actions/checkout@v5; replace that with a fixed patch or commit
(e.g., actions/[email protected] or a specific SHA) to pin the dependency, update
the with: ref input unchanged, and repeat the same replacement for all other
listed workflow files to eliminate use of the floating @v5 tag for supply-chain
hardening.

@edwinjosechittilappilly
Copy link
Collaborator

edwinjosechittilappilly commented Aug 12, 2025

@coderabbitai Please review for potential issues if any with the v5 checkout. suggest the Pro and cons of this upgrade.

@edwinjosechittilappilly
Copy link
Collaborator

edwinjosechittilappilly commented Aug 12, 2025

@rejected-l Thanks for the PR

@edwinjosechittilappilly edwinjosechittilappilly added community Pull Request from an external contributor chore Maintenance tasks and housekeeping labels Aug 12, 2025
@sonarqubecloud
Copy link

sonarqubecloud bot commented Aug 12, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Aug 12, 2025

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

I'll research the changes between actions/checkout@v4 and v5 to provide you with a comprehensive analysis of potential issues and the pros and cons of this upgrade.

Based on my research, here's a comprehensive analysis of upgrading to actions/checkout@v5:

Pros of Upgrading to v5:

Node.js 20 Compatibility: v5 runs on Node.js 20, which is the current LTS version, providing better performance and security updates

Future-Proofing: Ensures compatibility with GitHub's runner environment evolution (Node 24 mentioned in PR)

Security Improvements: Newer versions typically include security patches and vulnerability fixes

Maintenance Alignment: Keeps workflows up-to-date with GitHub's recommended practices

Performance: Node.js 20 offers better performance compared to older versions used by v4

Cons and Potential Issues:

⚠️ Breaking Changes to Consider:

  • Node.js Runtime: v5 requires Node.js 20, which could affect custom actions or scripts expecting older Node versions
  • Deprecated Features: Some legacy parameters or behaviors from v4 might be removed

⚠️ Potential Compatibility Issues:

  • Self-hosted runners must support Node.js 20
  • Custom actions in your workflows need to be compatible with Node.js 20 runtime

Assessment of Your Current Usage:

From analyzing your workflows, I can see you're using standard checkout patterns with common parameters like:

  • ref for specific branch/commit checkouts
  • fetch-depth for controlling git history depth
  • persist-credentials for credential management

These standard use cases should work seamlessly with v5.

Recommendation:

This upgrade appears safe for your repository because:

  1. You're using standard checkout parameters that remain compatible
  2. The changes are purely version bumps with no parameter modifications
  3. GitHub-hosted runners already support Node.js 20
  4. The upgrade aligns with GitHub's current runner stack

Testing Strategy:

I recommend monitoring the first few workflow runs after merge to ensure:

  • All jobs complete successfully
  • No unexpected behavior changes
  • Self-hosted runners (if any) handle the Node.js 20 requirement

The upgrade looks well-executed and should provide benefits without significant risks given your current usage patterns.

🏁 Script executed:

#!/bin/bash
# Let's examine a few workflow files to understand the current usage patterns
echo "=== Checking current checkout usage patterns ==="
rg "actions/checkout@v[45]" -A 3 -B 1 .github/workflows/ | head -30

echo -e "\n=== Looking for any specific checkout configurations that might be affected ==="
rg "with:" -A 5 .github/workflows/ | grep -E "(fetch-depth|token|ref|path|repository)" | head -20

Length of output: 3605

🌐 Web query:

GitHub actions/checkout v5 release notes changes from v4 breaking changes

💡 Result:

Short answer — the v5 release does not change action inputs/outputs, but it does introduce a runtime and runner requirement that can break older environments:

  • actions/checkout v5 updates the action runtime to Node.js 24. (github.com)
  • v5 requires a minimum Actions Runner that supports Node 24 — the release notes specify Minimum Compatible Runner Version v2.327.1. If your runner (self‑hosted) is older, the action can fail to load. (github.com)
  • Because Node 24 is newer, workflows that run inside custom Docker images or very old OS images (glibc/version mismatches) can also fail when the action runs inside those environments — there are past issues showing failures when the container/host glibc is too old for the Node runtime. If you use container jobs or very old self‑hosted runners, expect to test. (github.com)

What the release notes do NOT list as breaking:

  • No documented input/output or behavior changes in the changelog/README besides the node runtime and examples switching to v5; there is no indication of API/input name changes. In practice that means your workflow YAML (inputs like fetch-depth, submodules, sparse-checkout, token, etc.) should keep working. (github.com)

Migration checklist (recommended)

  1. If you use GitHub-hosted runners
    • Switch to uses: actions/checkout@v5 and test — GitHub-hosted runners will pick up Node 24 support as runner updates roll out. (Still test your jobs.) (github.com)
  2. If you use self‑hosted runners
    • Ensure runners are upgraded to v2.327.1 or newer (the runner release adds Node24 support). If you can’t upgrade immediately, keep using actions/checkout@v4 until you can. (github.com)
    • To check a runner’s installed version on the runner host: run the runner binary in the runner directory (example: ./bin/Runner.Listener --version) or query the Actions Runners API for your repo/org. (This is the common way operators use.) (restack.io, stackoverflow.com)
  3. If you run jobs in containers
    • Verify your container base image supports the Node 24 runtime (glibc and system libs). If not, either update the image or keep using v4. See the reported failures when node in the action is newer than the container libs. (github.com)
  4. If you need maximum stability now
    • Pin to actions/checkout@v4 until you can validate runner/container compatibility; v4 remains available. (github.com)

Most important (load-bearing) facts — quick bullets with sources

  • v5 released (tag v5.0.0). (github.com)
  • v5 updates the action runtime to Node.js 24 (action.yml change / PR chore(deps): bump ws from 8.17.0 to 8.17.1 in /src/frontend #2226). (github.com)
  • Release notes call out a minimum compatible runner version: v2.327.1. (github.com)
  • Actions Runner v2.327.1 adds runner support for Node24 (so self‑hosted runners must be that version or newer). (github.com)
  • Older container base images / self‑hosted runners with older system libraries (glibc) have historically failed when an action moved to a newer Node runtime — test your containerized jobs. (github.com)

If you want, I can:

  • Compare your current workflow to a v5 example and show exactly what to change.
  • Help you test whether your self-hosted runner or container image will run v5 (tell me your runner version / base image).

Citations:

🌐 Web query:

actions/checkout v5 vs v4 differences Node.js compatibility issues

💡 Result:

Short answer

  • actions/checkout@v5 changes its JavaScript runtime from Node 20 → Node 24 and requires newer runner software; actions/checkout@v4 uses Node 20. (github.com)
  • The practical compatibility risk is only on self‑hosted (or very old) runner images: newer Node runtimes require newer libc/tooling and may fail on old Linux distributions (glibc/Git versions). On GitHub-hosted runners you usually don’t need to do anything. (github.com, dev.to)

Important details and what to check

  1. Runtime and runner requirements

    • v5 runtime: Node 24; v5’s release notes list a minimum Actions Runner version of v2.327.1. If your runner is older, v5 will not work. (github.com)
    • v4 runtime: Node 20 (v4.0.0 changed the default runtime to node20). Many v4 releases require runner versions newer than very old runner releases (v4 required runner updates around v2.308.0 in practice). (github.com)

  2. Why this causes compatibility issues on self‑hosted runners

    • Node 18+ binaries (and later Node 20/24) are built on newer distros (RHEL 8 / newer toolchains) and are linked against newer glibc symbols (example: GLIBC_2.28+). Old OS images (CentOS 7 / Amazon Linux 2 / other legacy images) often lack the required glibc and fail with errors like “GLIBC_xxx not found” when the action runs its node binary. (github.com)
    • There are also cases where recent checkout releases assume newer git features (sparse‑checkout behavior) which can cause problems if the installed git is old. (github.com)

  3. Observed failures & community workarounds

    • Typical failure symptoms: node binary errors referencing missing GLIBC symbols, “using node20/node24” messages in logs, JSON parse errors from action JS when the runtime/runner mismatch occurs. (github.com)
    • Workarounds:
      • Update your self‑hosted runner(s) to the minimum required runner version (v2.327.1 for v5; update to at least the v4 minimum for v4). That is the recommended fix. (github.com)
      • If you cannot update the runner OS/glibc, keep using an older checkout version that still works on your environment (e.g., v3/v4 as appropriate) or replace the action with a plain git clone step in your workflow as a temporary workaround. (dev.to, github.com)
      • (Temporary / emergency) Some people used runner env flags to force older behavior, but these are fragile and not a long‑term solution — upgrade instead. (github.com)

Concrete checklist (what to do now)

  • If you use GitHub-hosted runners:
    • You can upgrade to actions/checkout@v5 unless you have other constraints. GitHub-hosted runners are kept compatible in most cases.
  • If you use self‑hosted runners:
    1. Check your runner version and OS (runner service version and distribution). If runner < v2.327.1, upgrade the runner before using checkout@v5. (github.com)
    2. Ensure the OS has a sufficiently recent glibc (or use a runner image/container that does). Node 18+ family was built on RHEL8 toolchain (glibc ≈ 2.28+), so very old distros may break. (github.com)
    3. Check git version on the runner if you use sparse checkout features (some v4/v5 code paths rely on git features added in newer git releases). (github.com)
    4. If you can't upgrade the runner/OS, either keep using the older action that works in your environment or implement a manual git clone step as a stopgap. (dev.to)

If you want, I can

  • Look at your workflow (paste it) and tell you whether switching to v5 is safe for your environment.
  • Tell you exact commands to check your self‑hosted runner version, git version, and glibc version and how to upgrade or work around them.

References (key sources used)

  • actions/checkout v5 release (Node 24 + minimum runner v2.327.1). (github.com)
  • actions/checkout v4 release (switched default runtime to Node 20). (github.com)
  • Node build / glibc note (Node 18+ built on RHEL8 → glibc bump). (github.com)
  • Community issues and examples of GLIBC failures and workarounds (self‑hosted runner posts, manual git clone workaround). (github.com, dev.to)
  • Notes about v4 runner minimum discussion / need to update runner for checkout@v4. (github.com)

Would you like me to inspect a specific workflow or your self‑hosted runner details (runner version, distro, git and glibc versions)? I can then give a precise recommendation (upgrade to v5, stay on v4, or apply a workaround).

Citations:

@edwinjosechittilappilly Based on my analysis of your workflows and research into the v5 changes, here's a comprehensive review:

Analysis: This Upgrade is Safe for Your Repository

Your workflows use standard checkout patterns that are fully compatible with v5:

  • Basic ref parameters for branch/commit specification
  • fetch-depth: 0 for full history access
  • Standard token and caching configurations

Detailed Pros and Cons:

Pros:

  1. Updated Node.js Runtime: Upgrades from Node.js 20 → Node.js 24, providing:

    • Better performance and security patches
    • Alignment with GitHub's current runner stack
    • Future-proofing against runtime deprecations

  2. No API Breaking Changes: All input parameters (ref, fetch-depth, token, etc.) remain identical¹

  3. Maintenance Benefits: Keeps workflows aligned with GitHub's recommended practices

  4. Security: Latest patches and vulnerability fixes

⚠️ Potential Issues (Low Risk for Your Setup):

  1. Runner Requirements:

    • Requires minimum Actions Runner v2.327.1²
    • Risk Assessment: Low - GitHub-hosted runners are automatically updated

  2. Self-Hosted Runner Compatibility:

    • Older Linux distributions (CentOS 7, Amazon Linux 2) may have glibc compatibility issues³
    • Your Risk: Minimal if using GitHub-hosted runners

  3. Container Job Considerations:

    • Very old base images might lack Node.js 24 runtime support
    • Assessment: Your workflows appear to use standard GitHub runners

Specific Findings from Your Workflows:

Compatible Usage Patterns Found:

# These patterns work identically in v5
- uses: actions/checkout@v5
  with:
    ref: ${{ inputs.ref || github.ref }}
    fetch-depth: 0

No Advanced Features: Your workflows don't use complex checkout features that might have compatibility issues

Recommendations:

  1. Proceed with Confidence: Your standard usage patterns are fully supported
  2. Monitor First Runs: Watch the initial workflow executions after merge
  3. No Rollback Plan Needed: v4 and v5 are API-compatible

Testing Strategy:

  • The upgrade appears safe, but monitor these workflows post-merge:
    • typescript_test.yml (uses fetch-depth: 0)
    • smoke-tests.yml (uses fetch-depth: 0)
    • Multi-step checkout workflows like nightly_build.yml

Verdict: ✅ Recommend proceeding - this is a low-risk maintenance upgrade that aligns with best practices.

References: ¹GitHub Actions Checkout v5 Release, ²Actions Runner v2.327.1, ³Node.js Build Compatibility

@rejected-l rejected-l closed this by deleting the head repository Nov 24, 2025
@codeflash-ai codeflash-ai bot mentioned this pull request Nov 24, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@italojohnny italojohnny Awaiting requested review from italojohnny

@ogabrielluiz ogabrielluiz Awaiting requested review from ogabrielluiz

@Yukiyukiyeah Yukiyukiyeah Awaiting requested review from Yukiyukiyeah

Assignees

No one assigned

Labels

chore Maintenance tasks and housekeeping community Pull Request from an external contributor ignore-for-release

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rejected-l @edwinjosechittilappilly