ci(bluebuild): pin actions to node20-safe tags

forgejo-runner v6.4.0 javascript runtime is node20. Pin every javascript action used in the spike branch's workflows to the last release that ships node20. - actions/checkout v4 -> v4.1.7 (3 files) - softprops/action-gh-release v2 -> v2.0.4 (build-iso) - anchore/sbom-action v0 -> v0.17.2 - actions/attest-build-provenance v2 -> v2.2.3 - blue-build/github-action@v1 unchanged (TODO: SHA pin) This is the spike-branch counterpart of the main-branch fix in feat/runner-fix-docker-sock-and-node20. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 10:50:24 +01:00
3 changed files with 25 additions and 9 deletions
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@ -48,7 +48,9 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        # Pinned to last v4 tag confirmed to ship on node20. v4.2+ ships
+        # node24 which forgejo-runner v6.4.0 (node20) cannot exec.
+        uses: actions/checkout@v4.1.7

      - name: Free up disk
        run: |
@ -62,6 +64,9 @@ jobs:
      # 2026-05-05 wave).
      - name: Build + push veilor-os OCI
        id: bluebuild
+        # TODO(infra): pin to specific node20-safe tag once confirmed. v1
+        # is the upstream-recommended floating tag; runner is currently on
+        # node20 so any recent v1.x SHA should still work.
        uses: blue-build/github-action@v1
        with:
          recipe: bluebuild/recipe.yml
@ -85,7 +90,10 @@ jobs:

      - name: SBOM (SPDX)
        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-        uses: anchore/sbom-action@v0
+        # Pinned to last v0 tag confirmed to ship on node20. The `@v0`
+        # floating tag rolls forward and will eventually pull a node24
+        # release. TODO(infra): SHA pin in a follow-up sweep.
+        uses: anchore/sbom-action@v0.17.2
        with:
          image: ${{ env.OCI_IMAGE }}:${{ env.OCI_TAG }}
          format: spdx-json
@ -93,7 +101,8 @@ jobs:

      - name: Build provenance attestation
        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-        uses: actions/attest-build-provenance@v2
+        # Pinned to last v2 tag confirmed to ship on node20.
+        uses: actions/attest-build-provenance@v2.2.3
        with:
          subject-name: ${{ env.OCI_IMAGE }}
          subject-digest: ${{ steps.bluebuild.outputs.digest }}
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@ -30,7 +30,9 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        # Pinned to last v4 tag confirmed to ship on node20. v4.2+ ships
+        # node24 which forgejo-runner v6.4.0 (node20) cannot exec.
+        uses: actions/checkout@v4.1.7

      - name: Free up disk
        run: |
@ -199,7 +201,8 @@ jobs:

      - name: Publish to ci-latest rolling prerelease
        if: success() && github.ref == 'refs/heads/main'
-        uses: softprops/action-gh-release@v2
+        # Pinned to last v2 tag confirmed to ship on node20.
+        uses: softprops/action-gh-release@v2.0.4
        with:
          tag_name: ci-latest
          name: "ci-latest (auto)"
@ -233,7 +236,8 @@ jobs:

      - name: Attach to release on tag
        if: github.event_name == 'release'
-        uses: softprops/action-gh-release@v2
+        # Pinned to last v2 tag confirmed to ship on node20.
+        uses: softprops/action-gh-release@v2.0.4
        with:
          files: |
            build/out/*.iso
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -12,7 +12,8 @@ jobs:
    container:
      image: registry.fedoraproject.org/fedora:43
    steps:
-      - uses: actions/checkout@v4
+      # Pinned to last v4 tag confirmed to ship on node20.
+      - uses: actions/checkout@v4.1.7
      - run: dnf -y install pykickstart
      - run: ksvalidator kickstart/veilor-os.ks

@ -20,7 +21,8 @@ jobs:
    name: Shell scripts
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@v4
+      # Pinned to last v4 tag confirmed to ship on node20.
+      - uses: actions/checkout@v4.1.7
      - uses: ludeeus/action-shellcheck@master
        with:
          severity: warning
@ -30,7 +32,8 @@ jobs:
    name: No personal/onyx leaks
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@v4
+      # Pinned to last v4 tag confirmed to ship on node20.
+      - uses: actions/checkout@v4.1.7
      - name: Grep for leaks
        run: |
          set -e