ci(bluebuild): pin actions to node20-safe tags #9

Merged

s8n merged 1 commit from feat/runner-fix-node20-pinning into v0.7-bluebuild-spike

2026-05-06 13:54:31 +01:00

s8n commented

2026-05-06 10:52:34 +01:00

Owner

Summary

Spike-branch counterpart to #8. forgejo-runner v6.4.0 javascript runtime is node20; v4.2+ of actions/checkout (and recent rolling tags of several other javascript actions) ship node24 and abort with ERR_INVALID_ARG_TYPE / Cannot find module ... node24 on this runner.

Pins all javascript actions on the spike branch to last-known node20 tag:

actions/checkout → v4.1.7 (build-iso, lint, build-bluebuild — 3 files)
softprops/action-gh-release → v2.0.4 (build-iso)
anchore/sbom-action → v0.17.2 (build-bluebuild)
actions/attest-build-provenance → v2.2.3 (build-bluebuild)
blue-build/github-action@v1 left unchanged (TODO comment added)
addnab/docker-run-action@v3 left unchanged (composite/docker)
ludeeus/action-shellcheck@master left unchanged (docker-based)

Test plan

Operator triggers build-bluebuild.yml on this branch via Forgejo workflow_dispatch.
Confirm checkout step succeeds without node24 binary error.
Confirm SBOM + provenance steps run to completion (these only fire on push/dispatch).

Out of scope

SHA pinning (separate hardening sweep).
blue-build/github-action SHA pin — flagged with TODO inline.
The runner-side docker.sock pass-through fix — already deployed on nullstone, no source-tree change in this branch.

## Summary Spike-branch counterpart to #8. forgejo-runner v6.4.0 javascript runtime is node20; v4.2+ of `actions/checkout` (and recent rolling tags of several other javascript actions) ship node24 and abort with `ERR_INVALID_ARG_TYPE` / `Cannot find module ... node24` on this runner. Pins all javascript actions on the spike branch to last-known node20 tag: - `actions/checkout` → `v4.1.7` (build-iso, lint, build-bluebuild — 3 files) - `softprops/action-gh-release` → `v2.0.4` (build-iso) - `anchore/sbom-action` → `v0.17.2` (build-bluebuild) - `actions/attest-build-provenance` → `v2.2.3` (build-bluebuild) - `blue-build/github-action@v1` left unchanged (TODO comment added) - `addnab/docker-run-action@v3` left unchanged (composite/docker) - `ludeeus/action-shellcheck@master` left unchanged (docker-based) ## Test plan - [ ] Operator triggers `build-bluebuild.yml` on this branch via Forgejo workflow_dispatch. - [ ] Confirm checkout step succeeds without node24 binary error. - [ ] Confirm SBOM + provenance steps run to completion (these only fire on push/dispatch). ## Out of scope - SHA pinning (separate hardening sweep). - `blue-build/github-action` SHA pin — flagged with TODO inline. - The runner-side docker.sock pass-through fix — already deployed on nullstone, no source-tree change in this branch.

s8n added 1 commit 2026-05-06 10:52:34 +01:00

ci(bluebuild): pin actions to node20-safe tags

Build veilor-os OCI (BlueBuild) / Build + sign + push OCI (pull_request) Failing after 0s

Details

Lint / Kickstart syntax (pull_request) Failing after 0s

Details

Lint / Shell scripts (pull_request) Failing after 0s

Details

Lint / No personal/onyx leaks (pull_request) Failing after 0s

Details

8c55802514

forgejo-runner v6.4.0 javascript runtime is node20. Pin every
javascript action used in the spike branch's workflows to the last
release that ships node20.

- actions/checkout v4 -> v4.1.7 (3 files)
- softprops/action-gh-release v2 -> v2.0.4 (build-iso)
- anchore/sbom-action v0 -> v0.17.2
- actions/attest-build-provenance v2 -> v2.2.3
- blue-build/github-action@v1 unchanged (TODO: SHA pin)

This is the spike-branch counterpart of the main-branch fix in
feat/runner-fix-docker-sock-and-node20.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

s8n force-pushed feat/runner-fix-node20-pinning from 8c55802514 to 04aa56a865

2026-05-06 13:54:17 +01:00

Compare