
ci: upgrade actions, pin to SHAs, and harden workflows#1766

Merged
jeanduplessis merged 8 commits into main from ci/upgrade-actions-node24
Mar 31, 2026

Conversation

@jeanduplessis
Contributor

@jeanduplessis jeanduplessis commented Mar 31, 2026

Summary

Problem

GitHub Actions warned that actions/setup-node@v4 and dorny/paths-filter@v3 run on the deprecated Node.js 20 runtime. Node 20 actions will be forced to Node 24 starting June 2, 2026, and removed from runners September 16, 2026. Additionally, several other actions were outdated, none were pinned to commit SHAs, and multiple workflows had security and reliability gaps.

Solution

  • Upgrade all actions to their latest Node 24-compatible versions.
  • Pin every action reference to its commit SHA with a version comment for auditability.
  • Add explicit cache: 'pnpm' to deploy workflows where setup-node@v6 dropped implicit pnpm caching.
  • Standardize pnpm/action-setup on v4.4.0 across all workflows (was split between v2 and v4), removing the now-conflicting version: latest parameter.
  • Add least-privilege permissions: contents: read to 5 workflows that were missing explicit permissions blocks.
  • Add timeout-minutes to every job to prevent hung runners from burning minutes indefinitely.
  • Remove dead deploy-gateway job (disabled with if: false due to missing R2_ACCOUNT_ID secret).
  • Replace manual pnpm cache logic in chromatic's second job with setup-node's built-in cache: 'pnpm'.
  • Standardize node-version quoting (remove unnecessary quotes in chromatic.yml).

Actions upgraded:

| Action | Old | New |
|---|---|---|
| actions/setup-node | v4 | v6.3.0 |
| actions/cache | v4 | v5.0.4 |
| actions/checkout | v4 | v6.0.2 |
| actions/upload-artifact | v4 | v5.0.0 |
| actions/download-artifact | v4 | v5.0.0 |
| dorny/paths-filter | v3 | v4.0.1 |
| docker/login-action | v3 | v4.0.0 |
| pnpm/action-setup | v2 / v4 | v4.4.0 |
| chromaui/action | @latest | v16.0.0 |

Why this approach

Pinning to commit SHAs prevents a compromised or hijacked tag from injecting malicious code into CI. The version comment after each SHA preserves readability. All actions are official major version bumps from their maintainers — no behavioral changes beyond the runtime upgrade. Adding permissions and timeouts are low-risk hardening measures recommended by GitHub's security best practices.

Verification

  • Verified no remaining unpinned action references via grep
  • Verified no remaining version: latest in pnpm/action-setup steps
  • Pre-push hooks passed (typecheck, format, lint)

Visual Changes

N/A

Reviewer Notes

  • actions/setup-node skipped v5 and went straight to v6.
  • chromaui/action was previously pinned to @latest (mutable) — now pinned to v16.0.0 SHA.
  • setup-node@v6 drops implicit pnpm caching; explicit cache: 'pnpm' was added where missing.
  • pnpm/action-setup@v4 errors when both version is specified in the workflow and packageManager is set in package.json — all version: latest parameters were removed.
  • The dead deploy-gateway job in deploy-production.yml was removed entirely. If it needs to be restored, the R2_ACCOUNT_ID secret must be configured first.
  • trufflehog.yml intentionally keeps actions/checkout instead of useblacksmith/checkout for security scanning integrity.
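As an added example (not code from this PR or from the repository), a stdlib-only Python checker for the three hardening rules the PR applies: every `uses:` reference pinned to a 40-hex commit SHA with a version comment, a top-level `permissions:` block, and `timeout-minutes` on every job. It is a stricter stand-in for the grep check in the Verification section; the embedded workflow and its all-0/1/2/3 SHAs are constructed placeholders, not real commits.

```python
import re
# A `uses:` reference is owner/repo[/path]@ref, optionally with a `# vX.Y.Z` comment.
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*(\S+?)@(\S+)(?:[ \t]+#[ \t]*(\S+))?[ \t]*$", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def job_bodies(text):
    """Map job id -> body text for each job under the top-level `jobs:` key."""
    jobs, name = {}, None
    section = ("\n" + text).partition("\njobs:\n")[2]  # "" when there is no jobs: key
    for line in section.splitlines():
        if key := re.match(r"^  ([\w-]+):\s*$", line):  # two-space indent = job id
            name = key.group(1)
            jobs[name] = []
        elif line and not line.startswith(" "):
            break  # another top-level key: the jobs mapping has ended
        elif name:
            jobs[name].append(line)
    return {job: "\n".join(body) for job, body in jobs.items()}

def check_workflow(text):
    """Return (kind, detail) findings for the hardening rules the PR applies."""
    findings = []
    for action, ref, comment in USES_RE.findall(text):
        if not SHA_RE.match(ref):
            findings.append(("unpinned", f"{action}@{ref}"))  # mutable tag or branch
        elif not comment:
            findings.append(("no-version-comment", f"{action}@{ref[:7]}"))
    if not re.search(r"^permissions:", text, re.M):  # column 0 = workflow level
        findings.append(("missing-permissions", "workflow"))
    findings += [("missing-timeout", job) for job, body in job_bodies(text).items()
                 if "timeout-minutes:" not in body]
    return findings

# Constructed sample workflow; the all-0/1/2/3 SHAs are placeholders, not real commits.
SAMPLE = f"""permissions:
  contents: read
jobs:
  build:
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@{'0' * 40} # v6.0.2
      - uses: pnpm/action-setup@{'1' * 40} # v4.4.0
      - uses: actions/setup-node@{'2' * 40} # v6.3.0
        with:
          cache: 'pnpm'
  lint:
    steps:
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@{'3' * 40}
"""
```

Running `check_workflow(SAMPLE)` flags the `lint` job three times: the mutable `actions/checkout@v4` tag, the SHA-pinned `dorny/paths-filter` step that lacks a version comment, and the missing `timeout-minutes`.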

Upgrade actions/setup-node from v4 to v6 and dorny/paths-filter from
v3 to v4 to resolve the Node.js 20 deprecation warning. Both updated
versions ship with Node 24 runtimes.
@kilo-code-bot
Contributor

kilo-code-bot bot commented Mar 31, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (9 files)
  • .github/workflows/bump-openclaw.yml
  • .github/workflows/chromatic.yml
  • .github/workflows/ci.yml
  • .github/workflows/deploy-kiloclaw.yml
  • .github/workflows/deploy-production.yml
  • .github/workflows/deploy-workers.yml
  • .github/workflows/kilo-app-ci.yml
  • .github/workflows/kilo-app-release.yml
  • .github/workflows/trufflehog.yml

Reviewed by gpt-5.4-20260305 · 212,321 tokens

- actions/checkout v4 → v6 (trufflehog.yml)
- actions/cache v4 → v5 (ci.yml, deploy-production.yml, chromatic.yml)
- actions/upload-artifact v4 → v5 (chromatic.yml)
- actions/download-artifact v4 → v5 (chromatic.yml)
- docker/login-action v3 → v4 (deploy-kiloclaw.yml)

All pinned to commit SHAs for supply-chain security.

setup-node@v6 no longer auto-caches pnpm. Add explicit cache: 'pnpm'
to deploy-kiloclaw and deploy-workers to avoid full reinstalls.

Pin every action reference to its commit SHA with a version comment:
- actions/setup-node → v6.3.0
- actions/cache → v5.0.4
- actions/checkout → v6.0.2
- actions/upload-artifact → v5.0.0
- actions/download-artifact → v5.0.0
- pnpm/action-setup → v2.4.1 / v4.4.0
- useblacksmith/checkout → v1
- useblacksmith/build-push-action → v2.1.0
- useblacksmith/setup-docker-builder → v1.6.0
- cloudflare/wrangler-action → v3.14.1
- slackapi/slack-github-action → v2.1.1
- oven-sh/setup-bun → v2.2.0
- chromaui/action → v16.0.0 (was @latest)
- trufflesecurity/trufflehog → v3.93.0
- dorny/paths-filter → v4.0.1
- docker/login-action → v4.0.0

Chromatic was already on v4 while everything else was on v2. Align
all workflows on the same version to reduce maintenance surface.

pnpm/action-setup v4 errors when both 'version' is specified in the
workflow config and 'packageManager' is set in package.json. Remove
the explicit version so v4 auto-detects from packageManager.

- Add least-privilege permissions: contents: read to 5 workflows that
  were missing explicit permissions blocks (bump-openclaw, chromatic,
  deploy-kiloclaw, deploy-production, deploy-workers)
- Add timeout-minutes to all jobs to prevent hung runners from burning
  minutes indefinitely (5-30 min depending on job type)
- Remove dead deploy-gateway job (disabled with if: false due to
  missing R2_ACCOUNT_ID secret)
- Replace manual pnpm cache logic in chromatic job with setup-node's
  built-in cache: 'pnpm'
- Standardize node-version quoting (remove unnecessary quotes in
  chromatic.yml)
@jeanduplessis jeanduplessis changed the title ci: upgrade GitHub Actions to Node 24-compatible versions ci: upgrade actions, pin to SHAs, and harden workflows Mar 31, 2026
@jeanduplessis jeanduplessis merged commit 862caba into main Mar 31, 2026
19 checks passed
@jeanduplessis jeanduplessis deleted the ci/upgrade-actions-node24 branch March 31, 2026 12:09