chore(ci): swap release-please path to step-security fork on node 24 #41
Merged
nexx88 merged 1 commit intoJul 1, 2026
Replaces `google-github-actions/release-please-action@v3.7.13` (node 16,
archived upstream) with `step-security/release-please-action-oss@v6.0.2`
(node 24, step-security-maintained fork of release-please-oss v6.0.2)
in the `release:` job of `conventional-commit-release.yaml`. Eliminates
the last node 16 runtime dependency in this workflow, which today
surfaces as a "node 20 is being deprecated" warning on every downstream
call because github is force-upgrading the node 16 runtime to node 24
during the deprecation grace period.
why this action:
- `step-security/release-please-action-oss@v6.0.2` is a direct fork of
`release-please-oss/release-please-action@v6.0.2` — same v6.0.2 tag,
same JS source, `comm` diff of `action.yml` inputs shows zero drift,
including the `config-overrides-json` input we need.
- covered by the org-wide `step-security/*` wildcard allowlist in
stepsecurity policy — no policy PR needed.
what changes for callers:
- zero workflow-input changes. every v3 inline action input
(`changelog-types`, `include-v-in-tag`, `pull-request-title-pattern`,
`extra-files`, `package-name`) is preserved as a reusable-workflow
input and translated into a single `config-overrides-json` JSON string
built in a new `build-config-overrides` step.
- the four downstream callers (`circle-nodejs-sdk`,
`buidl-wallet-contracts`, `terraform-provider-quicknode`,
`circle-ooak`) need no changes.
translation mechanics:
- `default-branch` -> `target-branch` (renamed in v6).
- `changelog-types` -> `config-overrides-json.changelog-sections`.
- `include-v-in-tag`, `pull-request-title-pattern`, `extra-files`,
`package-name` -> same keys under `config-overrides-json`.
- `extra_files` (newline- or comma-separated string in v3) is normalized
to a JSON array via a jq pipeline that trims per-entry whitespace and
drops blank entries, so both v3 input shapes stay compatible.
`release-type` + `config-overrides-json` puts release-please in
inline-config mode (`Manifest.fromConfig`), preserving v3 behavior
without requiring callers to commit a `release-please-config.json`
file.
outputs unchanged. for a single-component (root path '.') release, the
per-path outputs (`release_created`, `tag_name`, `major`, `minor`,
`pr`) are emitted unprefixed at the step level via
`setPathOutput('.', key, val)` -> `core.setOutput(key, val)`, matching
the v3 output shape that the `create additional tags` and `checkout
release branch` steps consume.
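The translation described above, sketched as an added example (not the workflow's own code; the PR says the real step uses a jq pipeline, which this page does not show). It assumes every input arrives as a string and that `changelog-types` is a JSON array string; the function names and sample values are hypothetical.

```python
import json
import re

# Keys copied unchanged into config-overrides-json (names from the PR text).
PASSTHROUGH = ("pull-request-title-pattern", "package-name")


def normalize_extra_files(raw: str) -> list[str]:
    """Split on newlines or commas, trim each entry, drop blank entries."""
    return [p.strip() for p in re.split(r"[,\n]", raw) if p.strip()]


def build_config_overrides(inputs: dict[str, str]) -> str:
    """Translate v3-style inline inputs into one config-overrides-json string."""
    cfg = {}
    types = inputs.get("changelog-types", "").strip()
    if types:
        sections = json.loads(types)  # raises on malformed caller input
        if not isinstance(sections, list):
            raise ValueError("changelog-types must be a JSON array")
        cfg["changelog-sections"] = sections
    flag = inputs.get("include-v-in-tag", "").strip().lower()
    if flag:
        if flag not in ("true", "false"):
            raise ValueError("include-v-in-tag must be true or false")
        cfg["include-v-in-tag"] = flag == "true"
    files = normalize_extra_files(inputs.get("extra-files", ""))
    if files:
        cfg["extra-files"] = files
    for key in PASSTHROUGH:
        if inputs.get(key, "").strip():
            cfg[key] = inputs[key].strip()
    # json.dumps escapes quotes and newlines, so an input value cannot
    # close its own string and add keys to the overrides object.
    return json.dumps(cfg, sort_keys=True)


# Constructed sample inputs, not taken from any caller's workflow.
SAMPLE = {
    "changelog-types": '[{"type":"feat","section":"Features"}]',
    "include-v-in-tag": "true",
    "extra-files": " package.json ,\n\n version.txt\n",
    "package-name": 'sdk","release-type":"x',
    "pull-request-title-pattern": "",
}

if __name__ == "__main__":
    print(build_config_overrides(SAMPLE))
```

Serializing through a JSON encoder instead of string interpolation is what keeps a caller-supplied value such as the constructed `package-name` above a plain string rather than an extra override key.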
43baa22 to 7723721
nexx88 approved these changes Jul 1, 2026
nexx88 pushed a commit that referenced this pull request Jul 1, 2026
🤖 I have created a release *beep* *boop*
---

## [1.3.8](v1.3.7...v1.3.8) (2026-07-01)

### Miscellaneous Chores

* **ci:** swap release-please path to step-security fork on node 24 ([#41](#41)) ([a0f2042](a0f2042))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Summary

Replaces `google-github-actions/release-please-action@v3.7.13` (Node 16, archived upstream) with `step-security/release-please-action-oss@v6.0.2` (Node 24, StepSecurity-maintained fork of release-please-oss v6.0.2) in the `release:` job of `conventional-commit-release.yaml`. Eliminates the last Node 16 runtime dependency in this workflow.

Why

Every downstream call to this reusable workflow emits a "Node 20 is being deprecated" warning today because GitHub is force-upgrading the release-please-action's Node 16 runtime to Node 24 during the deprecation grace period. Once GitHub retires the auto-upgrade path (see https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/), those runs will fail hard.

Example downstream run: https://github.com/circlefin/circle-ooak/actions/runs/28517949604 — the log shows Node 16 → 24 auto-forcing on this workflow.

Why this specific action

`step-security/release-please-action-oss@v6.0.2` is a security-maintained direct fork of `release-please-oss/release-please-action@v6.0.2`:

- `comm` diff of `action.yml` inputs → zero drift (including `config-overrides-json`, the input needed to preserve v3-era inline calls)
- `step-security/*` wildcard allowlist in the StepSecurity actions policy — no allowlist PR needed

What changes for callers

Zero workflow-input changes. Every v3 inline action input (`changelog-types`, `include-v-in-tag`, `pull-request-title-pattern`, `extra-files`, `package-name`) is preserved as a reusable-workflow input and translated into a single `config-overrides-json` JSON string built in a new `build-config-overrides` step. The four downstream callers (`circle-nodejs-sdk`, `buidl-wallet-contracts`, `terraform-provider-quicknode`, `circle-ooak`) need no changes.

Translation table

- `default-branch` → `target-branch` (renamed in v6)
- `changelog-types` → `config-overrides-json.changelog-sections`
- `include-v-in-tag` → `config-overrides-json.include-v-in-tag`
- `pull-request-title-pattern` → `config-overrides-json.pull-request-title-pattern`
- `extra-files` (string) → `config-overrides-json.extra-files` (JSON array — normalized in-workflow with per-entry whitespace trim)
- `package-name` → `config-overrides-json.package-name`
- `release-type`, `token`

`release-type` + `config-overrides-json` puts release-please in inline-config mode (`Manifest.fromConfig`), preserving v3 behavior without requiring callers to commit a `release-please-config.json` file.

Output compatibility

For a single-component (root path `.`) release, per-path outputs (`release_created`, `tag_name`, `major`, `minor`, `pr`) are emitted unprefixed at the step level via `setPathOutput('.', key, val)` → `core.setOutput(key, val)`, matching the v3 shape. That preserves:

- `release_created` output → workflow-level `release_created` output → consumer references like `needs.release-please.outputs.release_created`.
- `Create additional tags` step's `steps.release.outputs.major` / `.minor` references.
- `Checkout Release Branch` step's `fromJson(steps.release.outputs.pr).headBranchName` parse — `pr` is the first `PullRequest` object from release-please core, which still defines `headBranchName`.

Test plan