From 73c2c68e3281a77af689ed0d23462b558cefe79e Mon Sep 17 00:00:00 2001
From: claude-veilor-bot <279801990+s8n-ru@users.noreply.github.com>
Date: Wed, 6 May 2026 10:50:15 +0100
Subject: [PATCH] ci: pin actions to node20-safe tags + runner sock pass-through
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
forgejo-runner v6.4.0 ships a node20 javascript engine. v4.2+ of actions/checkout and v2.0.5+ of softprops/action-gh-release moved to node24, which the runner refuses to exec. Pin both to last node20 release. Pairs with a runner-side config change (separately deployed on nullstone /home/docker/forgejo-runner/conf/config.yaml) that adds `-v /var/run/docker.sock:/var/run/docker.sock` to per-job container options + whitelists the socket via valid_volumes — without that addnab/docker-run-action@v3 inside the catthehacker/ubuntu job container can't reach the docker engine.
- actions/checkout v4 -> v4.1.7
- softprops/action-gh-release v2 -> v2.0.4
- addnab/docker-run-action v3 unchanged (composite/docker, no node)
- ludeeus/action-shellcheck@master unchanged (docker-based)
Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/build-iso.yml | 13 ++++++++++---
 .github/workflows/lint.yml | 9 ++++++---
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml
index 8a5fc2e..968a2e3 100644
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@@ -30,7 +30,9 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ # Pinned to last v4 tag confirmed to ship on node20. v4.2+ ships
+ # node24 which forgejo-runner v6.4.0 (node20) cannot exec.
+ uses: actions/checkout@v4.1.7
 - name: Free up disk
 run: |
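Review bot: `actions/checkout@v4.1.7` is still a mutable git tag, so it guarantees neither the node20 engine the new comment relies on nor the code that actually runs — upstream can move or delete the tag and the runner will fetch whatever it then resolves to. A supply-chain pin should put the full commit SHA on the `uses:` line and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<FULL_COMMIT_SHA_OF_v4.1.7>  # v4.1.7 — last v4 release on node20` (placeholder; take the SHA from the upstream tag when resolving it). The same applies to the two `softprops/action-gh-release@v2.0.4` hunks at -199 and -233 in this file and to the three `actions/checkout@v4.1.7` hunks in lint.yml. The job this hunk belongs to begins before the hunk and the `Free up disk` script continues after it.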
@@ -39,6 +41,9 @@ jobs:
 df -h
 - name: Run build inside Fedora 43 container
+ # v3 is composite/docker-based — no node runtime in the action
+ # itself. Safe under node20 forgejo-runner. TODO(infra): consider
+ # SHA pinning in a follow-up sweep.
 uses: addnab/docker-run-action@v3
 with:
 image: registry.fedoraproject.org/fedora:43
@@ -199,7 +204,8 @@ jobs:
 - name: Publish to ci-latest rolling prerelease
 if: success() && github.ref == 'refs/heads/main'
- uses: softprops/action-gh-release@v2
+ # Pinned to last v2 tag confirmed to ship on node20.
+ uses: softprops/action-gh-release@v2.0.4
 with:
 tag_name: ci-latest
 name: "ci-latest (auto)"
@@ -233,7 +239,8 @@ jobs:
 - name: Attach to release on tag
 if: github.event_name == 'release'
- uses: softprops/action-gh-release@v2
+ # Pinned to last v2 tag confirmed to ship on node20.
+ uses: softprops/action-gh-release@v2.0.4
 with:
 files: |
 build/out/*.iso
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index ee790bd..51a4bd0 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -12,7 +12,8 @@ jobs:
 container:
 image: registry.fedoraproject.org/fedora:43
 steps:
- - uses: actions/checkout@v4
+ # Pinned to last v4 tag confirmed to ship on node20.
+ - uses: actions/checkout@v4.1.7
 - run: dnf -y install pykickstart
 - run: ksvalidator kickstart/veilor-os.ks
@@ -20,7 +21,8 @@ jobs:
 name: Shell scripts
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v4
+ # Pinned to last v4 tag confirmed to ship on node20.
+ - uses: actions/checkout@v4.1.7
 - uses: ludeeus/action-shellcheck@master
 with:
 severity: warning
@@ -30,7 +32,8 @@ jobs:
 name: No personal/onyx leaks
 runs-on: ubuntu-24.04
 steps:
- - uses: actions/checkout@v4
+ # Pinned to last v4 tag confirmed to ship on node20.
+ - uses: actions/checkout@v4.1.7
 - name: Grep for leaks
 run: |
 set -e
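Review bot: The comment added above `uses: addnab/docker-run-action@v3` in the -39 hunk defers SHA pinning to a follow-up, but this is the one step whose purpose is to drive the runner's docker engine, and per the commit message that engine is reached through `/var/run/docker.sock` mounted into the job container — so whatever code resolves from the floating `@v3` tag (and any other step in the job) gets control of the host daemon, which is effectively root on the runner. That makes this the pin with the most to lose from tag drift, and I would do it in this commit rather than later, e.g. `uses: addnab/docker-run-action@<FULL_COMMIT_SHA_OF_v3>  # v3, composite/docker action` (placeholder SHA). The claim that v3 carries no node runtime is not something the diff shows; a short note of where that was verified would help the next person who bumps it. The same concern applies to the unchanged `ludeeus/action-shellcheck@master` in the lint.yml -20 hunk, which tracks a branch head rather than any release, if the socket mount in the runner config also covers that workflow's jobs.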