chore(ci): swap release-please path to step-security fork on node 24 #41

Merged
nexx88 merged 1 commit into circlefin:master from shanesavoie:chore/release-please-oss-v6-node24 on Jul 1, 2026
@shanesavoie (Contributor) commented Jul 1, 2026

Summary

Replaces google-github-actions/release-please-action@v3.7.13 (Node 16, archived upstream) with step-security/release-please-action-oss@v6.0.2 (Node 24, StepSecurity-maintained fork of release-please-oss v6.0.2) in the release: job of conventional-commit-release.yaml. Eliminates the last Node 16 runtime dependency in this workflow.

Why

Every downstream call to this reusable workflow emits a "Node 20 is being deprecated" warning today because GitHub is force-upgrading the release-please-action's Node 16 runtime to Node 24 during the deprecation grace period. Once GitHub retires the auto-upgrade path (see https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/), those runs will fail hard.

Example downstream run: https://github.com/circlefin/circle-ooak/actions/runs/28517949604 — the log shows Node 16 → 24 auto-forcing on this workflow.

Why this specific action

step-security/release-please-action-oss@v6.0.2 is a security-maintained direct fork of release-please-oss/release-please-action@v6.0.2:

  • same v6.0.2 tag, same JS source
  • comm diff of action.yml inputs → zero drift (including config-overrides-json, the input needed to preserve v3-era inline calls)
  • Node 24 runtime
  • covered by the org-wide step-security/* wildcard allowlist in the StepSecurity actions policy — no allowlist PR needed

What changes for callers

Zero workflow-input changes. Every v3 inline action input (changelog-types, include-v-in-tag, pull-request-title-pattern, extra-files, package-name) is preserved as a reusable-workflow input and translated into a single config-overrides-json JSON string built in a new build-config-overrides step. The four downstream callers (circle-nodejs-sdk, buidl-wallet-contracts, terraform-provider-quicknode, circle-ooak) need no changes.

Translation table

| v3 input | v6 destination |
| --- | --- |
| default-branch | target-branch (renamed in v6) |
| changelog-types | config-overrides-json.changelog-sections |
| include-v-in-tag | config-overrides-json.include-v-in-tag |
| pull-request-title-pattern | config-overrides-json.pull-request-title-pattern |
| extra-files (string) | config-overrides-json.extra-files (JSON array — normalized in-workflow with per-entry whitespace trim) |
| package-name | config-overrides-json.package-name |
| release-type, token | same-name v6 native inputs |

release-type + config-overrides-json puts release-please in inline-config mode (Manifest.fromConfig), preserving v3 behavior without requiring callers to commit a release-please-config.json file.

Output compatibility

For a single-component (root path .) release, per-path outputs (release_created, tag_name, major, minor, pr) are emitted unprefixed at the step level via setPathOutput('.', key, val) → core.setOutput(key, val), matching the v3 shape. That preserves:

  • The job-level release_created output → workflow-level release_created output → consumer references like needs.release-please.outputs.release_created.
  • Create additional tags step's steps.release.outputs.major / .minor references.
  • Checkout Release Branch step's fromJson(steps.release.outputs.pr).headBranchName parse — pr is the first PullRequest object from release-please core, which still defines headBranchName.

Test plan

  • CI green
  • After merge, one of the four downstream callers runs release-please and produces an equivalent release PR / tag shape
  • Deprecation warning gone from downstream runs

Replaces `google-github-actions/release-please-action@v3.7.13` (node 16,
archived upstream) with `step-security/release-please-action-oss@v6.0.2`
(node 24, step-security-maintained fork of release-please-oss v6.0.2)
in the `release:` job of `conventional-commit-release.yaml`. Eliminates
the last node 16 runtime dependency in this workflow, which today
surfaces as a "node 20 is being deprecated" warning on every downstream
call because github is force-upgrading the node 16 runtime to node 24
during the deprecation grace period.

why this action:

- `step-security/release-please-action-oss@v6.0.2` is a direct fork of
  `release-please-oss/release-please-action@v6.0.2` — same v6.0.2 tag,
  same JS source, `comm` diff of `action.yml` inputs shows zero drift,
  including the `config-overrides-json` input we need.
- covered by the org-wide `step-security/*` wildcard allowlist in
  stepsecurity policy — no policy PR needed.

what changes for callers:

- zero workflow-input changes. every v3 inline action input
  (`changelog-types`, `include-v-in-tag`, `pull-request-title-pattern`,
  `extra-files`, `package-name`) is preserved as a reusable-workflow
  input and translated into a single `config-overrides-json` JSON string
  built in a new `build-config-overrides` step.
- the four downstream callers (`circle-nodejs-sdk`,
  `buidl-wallet-contracts`, `terraform-provider-quicknode`,
  `circle-ooak`) need no changes.

translation mechanics:

- `default-branch` -> `target-branch` (renamed in v6).
- `changelog-types` -> `config-overrides-json.changelog-sections`.
- `include-v-in-tag`, `pull-request-title-pattern`, `extra-files`,
  `package-name` -> same keys under `config-overrides-json`.
- `extra_files` (newline- or comma-separated string in v3) is normalized
  to a JSON array via a jq pipeline that trims per-entry whitespace and
  drops blank entries, so both v3 input shapes stay compatible.

`release-type` + `config-overrides-json` puts release-please in
inline-config mode (`Manifest.fromConfig`), preserving v3 behavior
without requiring callers to commit a `release-please-config.json`
file.

outputs unchanged. for a single-component (root path '.') release, the
per-path outputs (`release_created`, `tag_name`, `major`, `minor`,
`pr`) are emitted unprefixed at the step level via
`setPathOutput('.', key, val)` -> `core.setOutput(key, val)`, matching
the v3 output shape that the `create additional tags` and `checkout
release branch` steps consume.
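
The input translation described above, as an added example that is not the workflow's own `build-config-overrides` step: it is written in JavaScript rather than the jq pipeline the commit message mentions, and `buildConfigOverrides`, `normalizeExtraFiles`, the boolean handling of `include-v-in-tag` and the sample inputs are assumptions made for illustration. Serializing with `JSON.stringify` instead of string interpolation keeps caller-supplied values from altering the structure of `config-overrides-json`.

```javascript
// Added illustration (hypothetical names): translate v3-style inline inputs
// into the single config-overrides-json string passed to the v6 action.

// Split a newline- or comma-separated string, trim entries, drop blanks.
function normalizeExtraFiles(raw) {
  return String(raw ?? '')
    .split(/[\n,]/)
    .map((entry) => entry.trim())
    .filter((entry) => entry.length > 0);
}

// Build the overrides object key by key. JSON.stringify does all quoting, so
// caller-supplied text cannot change the structure of the JSON document.
function buildConfigOverrides(inputs) {
  const overrides = {};
  if (inputs['changelog-types']) {
    // v3 took a JSON string here; parse it so malformed input fails loudly.
    const sections = JSON.parse(inputs['changelog-types']);
    if (!Array.isArray(sections)) {
      throw new TypeError('changelog-types must be a JSON array');
    }
    overrides['changelog-sections'] = sections;
  }
  const includeV = inputs['include-v-in-tag'];
  if (includeV !== undefined && includeV !== '') {
    // Workflow inputs arrive as strings; emit a real JSON boolean (assumption).
    overrides['include-v-in-tag'] = String(includeV) === 'true';
  }
  for (const key of ['pull-request-title-pattern', 'package-name']) {
    if (inputs[key]) overrides[key] = inputs[key];
  }
  const extraFiles = normalizeExtraFiles(inputs['extra-files']);
  if (extraFiles.length > 0) overrides['extra-files'] = extraFiles;
  return JSON.stringify(overrides);
}

// Constructed sample inputs, shaped like a v3 caller's `with:` block.
const sampleInputs = {
  'changelog-types': '[{"type":"feat","section":"Features","hidden":false}]',
  'include-v-in-tag': 'true',
  'pull-request-title-pattern': 'chore: release ${version} "stable"',
  'extra-files': ' README.md ,\n\n package.json\n, ',
  'package-name': 'example-package',
};

console.log(buildConfigOverrides(sampleInputs));
```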

@shanesavoie force-pushed the chore/release-please-oss-v6-node24 branch from 43baa22 to 7723721 on July 1, 2026 16:27
@shanesavoie changed the title from "chore(ci): swap release-please to release-please-oss v6 (Node 24)" to "chore(ci): swap release-please path to step-security fork on node 24" on Jul 1, 2026
@shanesavoie closed this on Jul 1, 2026
@shanesavoie reopened this on Jul 1, 2026
@nexx88 merged commit a0f2042 into circlefin:master on Jul 1, 2026
10 of 11 checks passed
nexx88 pushed a commit that referenced this pull request on Jul 1, 2026:

🤖 I have created a release *beep* *boop*
---

## [1.3.8](v1.3.7...v1.3.8) (2026-07-01)

### Miscellaneous Chores

* **ci:** swap release-please path to step-security fork on node 24 ([#41](#41)) ([a0f2042](a0f2042))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).